Endpoint policies

Endpoint Analysis (EPA) is a process that scans a user’s device and detects information, such as the presence and version level of operating system updates, antivirus, firewall, and web browser software. Endpoint Analysis allows you to determine if a user’s device meets your requirements before it connects to your network. It can also be configured to periodically check for any changes while the user remains connected. You can check files, processes, and registry entries on the user device during the user session to ensure that the device continues to meet the requirements.


  • Endpoint Analysis is intended to analyze the user device against pre-determined compliance criteria and does not enforce or validate the security of end-user devices. It is recommended to use endpoint security systems to protect devices from local admin attacks.
  • The EPA client is available as a standalone client and is also bundled along with the Citrix Secure Access client. The Citrix EPA client and Citrix Secure Access client are independent from each other.

How Endpoint policies work

You can configure Citrix Gateway to check if a user device meets certain requirements before a user logs on. This is called a pre-authentication policy. You can configure Citrix Gateway to check a user device for antivirus, firewall, antispam, processes, files, registry entries, Internet security, or operating systems that you specify within the policy. If the user device fails the pre-authentication scan, users are not allowed to log on.

To verify other requirements that are not used in a pre-authentication policy, you can configure a session policy and bind it to a user or group. This type of policy is called a post-authentication policy, which runs during the user session to ensure the required criteria, such as antivirus software or a process, remains compliant.

When you configure a pre-authentication or post-authentication policy, Citrix Gateway downloads the Endpoint Analysis plug-in and then runs the scan on the users’ device. Each time a user logs on, the Endpoint Analysis plug-in runs automatically.

You can use the following three types of policies to configure endpoint policies:

  • Preauthentication policy that uses a Yes or No parameter. The scan determines if the user device meets the specified requirements. If the scan fails, the user cannot enter credentials on the logon page.
  • Session policy that is conditional and can be used for SmartAccess.
  • Client device check expression within a session policy. If the user device fails to meet the requirements of the Client device check expression, you can configure users to be placed into a quarantine group. If the user device passes the scan, users can be placed into a different group that might require other checks.

You can incorporate the detected information into policies, enabling you to grant different levels of access based on the user device. For example, you can provide full access with download permission to users who connect remotely from user devices that have current antivirus and firewall software requirements. For users connecting from non-compliant devices, you can provide a more restricted level of access that allows users to edit documents on remote servers without downloading them. All devices running EPA are considered as non-compliant devices.

Endpoint Analysis performs the following basic steps:

  • Examines an initial set of information about the user device to determine which scans to apply.
  • Runs all applicable scans. When users try to connect, the Endpoint Analysis plug-in checks the user device for the requirements specified within the pre-authentication or session policy. If the user device passes the scan, users are allowed to log on. If the user device fails the scan, users are not allowed to log on. Note: Endpoint Analysis scans complete before the user session uses a license.
  • Compares the property values detected on the user device with desired property values listed in your configured scans.
  • Produces an output verifying whether the desired property values are found.


The instructions for creating Endpoint Analysis policies are general guidelines. You can have many settings within one session policy. Specific instructions for configuring session policies might contain directions for configuring a specific setting. However, that setting can be one of many settings that are contained within a session profile and policy.

Sample EPA expressions

Following are the expression examples of some EPA components such as kill process, delete files, and device certificate:

  • Windows:
    • Kill process: sys.client_expr(\“proc_0_perl\“) -killProcess processToKill.exe
    • Device certificate :sys.client_expr(“device-cert_0_0”)
    • Delete files :sys.client_expr(\“proc_0_perl\“) -deletefiles “C:/removefile.txt”
  • MAC
    • Kill process: sys.client_expr(\“proc_0_perl\“) -killProcess processToKill.exe
    • Device cert:sys.client_expr(“device-cert_0_0”)
    • Delete files:sys.client_expr(\“proc_0_perl\“) -deletefiles “C:/removefile.txt”

Evaluate user logon options

When users log on, they can choose to skip the Endpoint Analysis scan. If users skip the scan, Citrix Gateway processes this action as a failed Endpoint Analysis. When users fail the scan, they only get access to the Web Interface or through clientless access.

For example, you want to provide users access by using the Citrix Secure Access agent. To log on to Citrix Gateway with the plug-in, users must be running an antivirus application, such as Norton Antivirus. If the user device is not running the application, users can log on with Receiver only and use published applications. You can also configure clientless access, which restricts access to specified applications, such as Outlook Web Access.

To configure Citrix Gateway to achieve this logon scenario, you assign a restrictive session policy as the default policy. You then configure the settings to upgrade users to a privileged session policy when the user device passes the Endpoint Analysis scan. At that point, users have network layer access and can log on with the Citrix Secure Access agent.

To configure Citrix Gateway to enforce the restrictive session policy first, perform the following steps:

  • Configure the global settings with ICA Proxy enabled and all other necessary settings if the specified application is not running on the user device.
  • Create a session policy and profile that enables the Citrix Secure Access agent.
  • Create an expression within the rule portion of the session policy to specify the application, such as (client.application.process(symantec.exe) exists)

    When users log on, the session policy is applied first. If Endpoint Analysis fails or the user skips the scan, Citrix Gateway ignores the settings in the session policy (the expression in the session policy is considered false). As a result, users have restricted access using the Web Interface or clientless access. If Endpoint Analysis passes, Citrix Gateway applies the session policy and users have full access with the Citrix Secure Access agent.

Skip the EPA scan

You can skip the EPA scan for post-authentication and advance authentication only. Skip EPA is available on browsers of all supported operating systems. Users must click the Skip EPA button that appears when accessing the gateway. If users skip the scan, Citrix Gateway processes this action as a failed Endpoint Analysis. When users fail the scan, they only get access to the Web Interface or through clientless access.

Also, see

Endpoint Analysis scans supported for Ubuntu

The following Endpoint Analysis (EPA) scans are supported for the EPA plug-in installed for the Ubuntu operating system. A sample expression to configure each of the scans is listed along with the EPA scans. You can configure these expressions in the authentication policies.

  • File
    • Existence: sys.client_expr(“file_0_/home/user/test.txt”)
    • MD5 Checksum: sys.client_expr(“file_0/home/user/test.txt_md5 ce780e271debcc29f551546e8db3368f”)
    • Text within a file (regular expression support): sys.client_expr(“file_0_/home/user/test.txt_search_cloud”)
  • Process
    • Existence: sys.client_expr(“proc_0_perl”)
    • MD5 Checksum: sys.client_expr(“proc_0perl_md5 c060d3a5f97e27066cef8c116785567a”)
    • Path: sys.client_expr(“proc_0perl_path/usr/bin/perl”)
  • File system device or Mountpoint name: sys.client_expr(“mountpoint_0_/sys”)

If you are using advanced policies, the expressions for each scan can be generated from the GUI (Security > AAA > Policies > Authentication > Advanced Policies > EPA).

Note: In the Expression Editor page, for the Linux client, you can select Common, and then select Process, File or Mount Point.

Endpoint policies