In XenDesktop 5.0 you can configure HDX policies to block or allow certain types of USB devices. For example, you could block flash drives but allow USB printers or webcams. Unfortunately, Citrix doesn’t give you an easy to to discover class IDs, vendor IDs, or other identifiers that can be used in their policies. Citrix has a good article here on USB filtering in XenDesktop 5.0.
Instead of digging through the registry to discover this critical USB data, I found a great tool that makes it a snap. Nirsoft has a free USBÂ viewer you can download here.
To create the appropriate rules I did the following process:
1. In Citrix Desktop Studio open the Users HDX policy and navigate to USB DevicesClient USB device redirection. Edit the policy and change the value to Allowed.
2. Using the Citrix receiver connect to a virtual desktop, then from the menu bar click on the USB button.
3. In my case I have a flash drive connected to my physical computer, so I selected that from the drop down menu. I then heard the Windows USB disconnect/connect sounds and saw my flash drive ready to use in the VM.
4. Download the USB viewer tool and run it inside the VM. In the list of USB devices, locate your connected device and double click on it. Here’s what comes up for my USB stick:
5. Take note of the USB class ID and USB subClass IDs, as you will need these for the HDX rules.
6. Back in Citrix Desktop Studio open the Users HDX policy and navigate to USB DevicesClient USB device redirection rules. Edit the policy and create a new rule, for example:
7. Accept the rule, then log out of your virtual desktop then log back in. If you try and connect your thumb drive now, nothing happens. Unfortunately XD5 doesn’t provide the user any feedback why you can’t connect the device. It would be most useful if a warning popped up saying that device was administratively prohibited, so the user didn’t call the help desk wondering why it wasn’t working.
You can use the same basic procedure to build up allow or deny device lists as required. Some devices can be tricky, such as multi-function USB printers/scanners/fax machines. So a single composite device might need a few allow entries to make it properly function. But using USB device view, you can pretty easily figure out what you need to do.
