AppSense AM : Detect remote XenDesktop sessions

In one of our recent AppSense implementation projects there was a need to restrict access to applications when users log on to the VDI environment from home. To make it more complex, these restrictions should only be in place when users work from home, and not when they use the exact same VDI machine from within the office. Furthermore, only users who are a member of a specific AD group get these restrictions; everyone else can use all applications whether they work from home or in the office.
To summarize, we need an Application Manager rule that is applied when:

a) Users are remotely connected to XenDesktop using a NS Gateway
b) Users are a member of a specific AD group

When both conditions are true, the list of accessible applications is locked down and heavily whitelisted.

The answer is an Application Manager scripted rule backed by a PowerShell script. Scripted rules are extremely powerful and flexible. The script must exit with exit code 0 for the rule to apply; every other exit code is treated as FALSE. Keep in mind what that means for this use case: if the script throws or cannot read the data it needs, it exits non-zero, the rule does not apply and the user keeps full access, so the restrictions fail open. Test the script on the VDA image before relying on it.

The following script checks both conditions. To detect a remote connection it reads a registry value called "ConnectedViaIPAddress", which the XenDesktop VDA running on the VDI or Hosted Shared Desktop machine writes under the ICA session key of the user's session (HKLM\Software\Citrix\ICA\Session\<session ID>\Connection). For a connection through NetScaler Gateway this holds the gateway address the VDA sees, so it is compared against the known gateway IP.

# The AD group to check for
$group = "my_ad_Group_Name"

# The NS Gateway IP address users are connected via
$gwip = "1.2.3.4"

$user   = $Env:Username
$domain = $env:UserDomain

# Get the user's SID
$objUser = New-Object System.Security.Principal.NTAccount($domain,$user)
$sidt = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sidt.Value

# Get Session ID
# HKU is not a built-in PSDrive, so map HKEY_USERS first. The subkeys of the
# user's "Volatile Environment" key are named after the user's session IDs;
# the first one is taken, which is fine while the user has a single session.
$x = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
$strKeyName = "HKU:\" + $sid + "\Volatile Environment"
$list = @(gci $strKeyName)
$sessionid = $list[0].PSChildName

# Get ConnectedViaIP
# Written by the XenDesktop VDA for the current ICA session. -ErrorAction
# SilentlyContinue keeps a missing key (e.g. a console session) from throwing.
$strKeyName2 = "HKLM:\Software\Citrix\ICA\Session\$sessionid\Connection"
$strValueName = "ConnectedViaIPAddress"
$IPt = Get-ItemProperty -Path $strKeyName2 -Name $strValueName -ErrorAction SilentlyContinue
[string]$IP = $IPt.ConnectedViaIPAddress

# After the [string] cast a missing value is "" rather than $null
if(-not [string]::IsNullOrEmpty($IP)) {

    # Check if valid gateway (exact match: Contains() would also accept 1.2.3.45)
    if($IP -eq $gwip){

        # Check AD group membership. memberOf lists direct memberships only;
        # nested groups are not expanded. The regex keeps just the CN of each DN.
        $memberOf = ([ADSISEARCHER]"samaccountname=$($env:Username)").FindOne().Properties.memberof -replace '^CN=([^,]+).+$','$1'

        if($memberOf -contains $group){
            exit 0
        }

        # Not a member..
    }
}

# If your script is unsuccessful...
exit 1
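A variant of the rule, added here as an illustration and not the script from the original post, that deals with the three weak spots of the approach above: it takes the session ID from the script's own process instead of enumerating "Volatile Environment" (so it still works when the user holds more than one session), it compares ConnectedViaIPAddress exactly against a list of gateway addresses rather than doing a substring match, and it checks group membership from the user's logon token so nested group memberships count. It assumes the scripted rule is configured to run as the logged-on user inside the user's session; the gateway addresses and the group name are placeholders.

```powershell
# Added example: AppSense AM scripted rule (PowerShell), exit 0 = rule applies.
# Assumes the rule runs as the logged-on user inside the user's session.
# The addresses and group name below are placeholders, not values from the original post.
$GatewayIPs = @('1.2.3.4', '1.2.3.5')            # NetScaler Gateway address(es) as seen by the VDA
$GroupName  = 'CONTOSO\Remote_Restricted_Users'   # DOMAIN\group form (placeholder)

function Get-SessionGatewayIP {
    # The session ID of the process running this script is the user's ICA session ID,
    # so there is no need to walk HKU\<SID>\Volatile Environment.
    $sessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    $key  = "HKLM:\Software\Citrix\ICA\Session\$sessionId\Connection"
    $item = Get-ItemProperty -Path $key -Name 'ConnectedViaIPAddress' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # no ICA session data: console, RDP, or not a VDA
    return [string]$item.ConnectedViaIPAddress
}

function Test-ViaGateway {
    param([string]$IP, [string[]]$Gateways)
    if ([string]::IsNullOrWhiteSpace($IP)) { return $false }
    # Exact match against the allow-list; a substring test would also accept 1.2.3.45 for 1.2.3.4
    return ($Gateways -contains $IP.Trim())
}

function Test-TokenGroupMember {
    param([string]$Group)
    # Resolve the group name to its SID once, then look that SID up in the logon token.
    # Token groups include nested memberships, unlike the user's memberOf attribute.
    try {
        $groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false                               # unknown or unresolvable group: not a member
    }
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $token.Groups) {
        if ($g.Value -eq $groupSid) { return $true }
    }
    return $false
}

$ip = Get-SessionGatewayIP
if ((Test-ViaGateway -IP $ip -Gateways $GatewayIPs) -and (Test-TokenGroupMember -Group $GroupName)) {
    exit 0   # both conditions hold: the lock-down rule applies
}
exit 1       # anything else, including a missing ICA key: the rule does not apply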

April 16th, 2016 (updated 2016-12-11) | SecureLink