While most of our customer base runs Microsoft Remote Desktop Services and Windows Virtual Desktop, we have a substantial subset of customers who use our tools to manage their Citrix environments. Most of our Citrix customers use our Remote Desktop Commander Suite solution to gain valuable insights about Citrix host performance and user activity monitoring, without spending lots of extra money on higher Citrix licensing tiers, and/or the Citrix Analytics service. When you consider that our Remote Desktop Commander Suite solution often runs less than $0.70 per user per month to implement, it is a “no brainer” in terms of cost savings.
Over the past year, we’ve gotten lots of great feedback from our RDS and WVD customers who have adopted our Premium Management Features overlay to provide delegation of administration to help desk staff, as well as offer improved shadowing, remote assistance, and live monitoring capabilities to admins, support staff, and managers. During this time, we heard from some of our Citrix customers that needed these same sorts of capabilities.
Citrix Shadowing Limitations
The first question we pondered was “why are Citrix customers asking us for this?” Citrix touts its solution as an extremely robust end user computing platform that greatly exceeds what comes out of the box with RDS or WVD. And certainly shadowing and delegation of administration is something that is provided by Citrix Virtual Apps and Desktops as well as their cloud-based offerings.
Well, we talked at length with our Citrix customers and learned of several shortcomings in the way they implemented shadowing in their more recent product versions. As a result, we made a few tweaks to our Premium Management Features overlay to make it completely compatible with Citrix environments, as well as RDS and WVD. Here is a list those shortcomings and how our Premium Management Features product overcomes it.
Citrix Shadowing Depends On Remote Assistance Being Installed On the Help Desk Technician’s Computer, Among Other Things…
To start shadowing a Citrix session, you log into Citrix Director, find the user’s session, and press “Shadow.” Citrix Director generates a Microsoft Remote Assistance file (invite.msrcincident), which you must load into the Microsoft Remote Assistance client (MSRA.exe) to start shadowing.
While MSRA.exe is already installed on most client operating systems like Windows 10, it is not installed by default on server operating systems like Server 2012, Server 2016, and Server 2019. If it is not installed already, a help desk technician will simply download a file they can do nothing with until the Microsoft Remote Assistance feature has been installed. On top of that, you better hope that your help desk technician’s PC that is running MSRA.exe has line of sight to the Citrix host with the target session to be shadowed. Otherwise, shadowing will not work, because the Remote Assistance ports are selected dynamically from a range, and there is no facility (unlike with modern STUN/TURN/ICE protocols) to wiggle a way through your firewall to connect to the Citrix server.
Our Premium Management Features solution, on the other hand, has zero dependencies on the Microsoft Remote Assistance client. In the Remote Desktop Commander Client with Premium Management Features enabled, the help desk technician simply selects the user session – or sessions plural, because our software can shadow multiple user sessions at once – and then starts the shadowing process. Nothing else is required – the help desk tech is taken directly into the user session. Watch this video to see how easy it is:
Because of this, our Remote Desktop Commander Client can be published as a seamless application, and help desk technicians can now support end users from ANYWHERE, even if they do not have line of sight access to the Citrix hosts running the user sessions, since our client will be running as an app on your servers in the Citrix environment.
Citrix Shadowing Requires User Consent
Currently, there is no way in Citrix to natively shadow a Citrix user’s session without obtaining consent through Microsoft Remote Assistance first. Citrix’s own KB article spells this out. This is a major problem, as there are numerous use cases where consent before shadowing is not desirable. As an example:
- Some highly regulated industries require that user activity be observable at any time by supervisors and managers to ensure compliance.
- Other industries require that managers have the ability to review worker activity at any time to ensure customer satisfaction.
- Educational institutions may need to have the ability to observe and monitor student activity to ensure compliance with policies or to aid in teaching.
Our Premium Management Features solution, with its new Citrix Management Delegation Wizard, allows administrators to set shadowing policies on Citrix hosts so that consent is not required when shadowing a session, and then specifically control which users/managers have the right to perform a shadowing action. Furthermore, our software’s user interface allows help desk technicians and managers to monitor and observe multiple user sessions at the same time with our special “Mini View Dock.”
Citrix Shadowing and Management Delegation
Admittedly, Citrix has much better management delegation capabilities when compared with RDS or WVD. Still, there are some challenges. Unless you are a customer at one of the highest licensing tiers, you will probably have to choose a preset delegation level. For shadowing, this would typically be the Help Desk Administrator role. Unfortunately, this role also gives extremely powerful rights to those users, such as being able to terminate processes, place servers in a delivery group into maintenance, and also perform power operations.
Our Premium Management Features solutions simplifies this considerably, allowing you to delegate out specific granular management and shadowing tasks to your users, without making them admins on those hosts or giving them rights that could lead to them accidentally taking a server offline. Common management tasks such as shadowing, logging users off, disconnecting users, and messaging users can be assigned to specific users or groups in Active Directory. Then, they only have the rights to perform those specific tasks as required.