How I delivered XenVault using XenVault?

XenVault is part of the upcoming XenDesktop 4 Feature Pack 2 and provides FIPS approved AES-256 level encryption for the safe zone on Windows 7. This is important for Federal agencies that are required to have FIPS compliant remote access solutions.

You may have seen the recent announcement on XenVault, offered as part of XenDesktop 4 Feature Pack 2. I am the development manager of the XenVault engineering team that created this innovative technology. I will be completing 7 years with Citrix tomorrow (wow!!!) and have led different technologies within the XenApp product development group.

How do I manage my laptop?
In February of this year, I received a new laptop from Citrix. Most companies are unlike Citrix in that they will lock down laptops and not allow you to install anything that they do not approve. This usually forces an employee to have two devices: one for work and one for whatever they want to do on their own.

Working at Citrix and being somewhat technology savvy, I wiped off the Operating System it came with (Windows Vista) and installed Windows 7. I made myself the administrator of the OS and chose not to join the corporate domain. I installed all of my favorite applications and started using the laptop for both personal use at home and company use at Citrix. I honestly love the fact that I don’t have to work on two different devices, one at home and the other one at work. I am not sure how many "rules" I have broken here to keep myself more productive.

Citrix offers a BYOC program and employees love it!!!
Citrix also has a Bring Your Own Computer (BYOC) program and a lot of employees have enrolled in it. They all love it for the same reasons I do. They also get to work on a device of their own choice and have the flexibility to use it for both personal and company work.

What about contractors?
Also, I have contractors working for me who bring their own laptops to work. Now, I don’t know what Citrix data has been stored on their laptops and what happens to it when they leave Citrix. That is scary!!!! Wouldn’t it be great if we could wipe the data from their laptops on the last day of their contracts without touching any of their personal stuff?

We know these problems exist in every organization, but there hasn’t been an elegant solution for these (until now!). This really inspired me to lead the development of this technology and create a solution to enable BYOC and give everyone the flexibility to have the same device for both work and personal use. We built XenVault with the following mission:

"XenVault MUST secure and simplify management of corporate data on user-owned laptops by automatically saving any data generated by corporate applications into an encrypted space."


The XenVault plug-in coming out this quarter will include many new capabilities to further simplify and enhance end point data protection.

The XenVault plug-in (which works in conjunction with Citrix Receiver) creates an encrypted space, referred to as a "Safe Zone", on the end user device to store all corporate information. Based on policies established by IT, sensitive and critical data such as cached email is automatically and seamlessly redirected to the end user’s encrypted space.

The encrypted safe zone is created on Microsoft Windows 7 devices and is protected with a user-defined password. Once a safe zone has been created, only Windows Explorer and XenApp-delivered applications, including hosted, streamed and App-V packages, are able to access the encrypted space. Additionally, XenApp-delivered applications are restricted to storing data only in this location.

The core capabilities available in the Technology Preview are still present in v1 and are configured and managed through the Citrix Receiver and Merchandising Server:

  • FIPS approved AES-256 level encryption for the safe zone on Windows 7
  • Lock or delete encrypted information on a user’s device based on administrator controls
    • When Receiver starts or refreshes, Merchandising Server tells the plug-in whether a Lock/Delete is applied
  • Control over which applications are allowed to access the encrypted data

The v1 release adds a number of features:

  • Time-based lock – Once a lease period elapses, the safe zone is locked. The lease period is calculated based on the number of days the user has not connected to their corporate network.
  • Administrator controlled password reset/unlock function
  • Password complexity rules – length, caps, numbers, symbols
  • Remember my password support
  • Configurable safe zone size
  • Support for English, German, Japanese, French, Spanish, and Simplified Chinese
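
The lock/delete check at Receiver start or refresh and the time-based lease lock from the lists above can be modelled as a single policy decision; this is an added example, not Citrix code. The names, the rule that an administrator directive outranks the lease, treating a reachable server as contact with the corporate network, and the clock high-water mark are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Directive(Enum):          # hypothetical names for the admin's setting
    NONE = "none"
    LOCK = "lock"
    DELETE = "delete"

@dataclass
class SafeZoneState:            # hypothetical per-device record
    last_corp_contact: datetime # last refresh that reached the server
    clock_high_water: datetime  # latest local time ever observed

def evaluate(state: SafeZoneState, now: datetime, lease_days: int,
             directive: Optional[Directive]) -> str:
    """Return 'allow', 'lock' or 'delete'. directive is None when offline."""
    # Assumption: an explicit administrator directive always wins.
    if directive is Directive.DELETE:
        return "delete"
    if directive is Directive.LOCK:
        return "lock"
    # The user is local admin on their own laptop, so never let the clock
    # run backwards: a rolled-back clock must not extend the lease.
    effective_now = max(now, state.clock_high_water)
    state.clock_high_water = effective_now
    if directive is Directive.NONE:
        state.last_corp_contact = effective_now   # contact renews the lease
        return "allow"
    # Offline: lock once the days without corporate contact exceed the lease.
    if effective_now - state.last_corp_contact > timedelta(days=lease_days):
        return "lock"
    return "allow"

def demo() -> list:
    t0 = datetime(2010, 9, 1)                     # constructed sample dates
    s = SafeZoneState(last_corp_contact=t0, clock_high_water=t0)
    day = timedelta(days=1)
    return [
        evaluate(s, t0 + 5 * day, 7, None),              # offline, in lease
        evaluate(s, t0 + 8 * day, 7, None),              # lease elapsed
        evaluate(s, t0 + 2 * day, 7, None),              # clock rolled back
        evaluate(s, t0 + 9 * day, 7, Directive.NONE),    # back on network
        evaluate(s, t0 + 10 * day, 7, Directive.DELETE), # admin wipe
    ]
```

The third call shows why the high-water mark matters on a user-administered device: setting the clock back to day 2 still yields a locked safe zone.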

The XenVault plug-in Technology Preview has been available since May 2010 so please take a moment to go download it and give it a try if you haven’t already (MyCitrix logon is required and you will see it under its previous name of Encrypted Data plug-in).

We look forward to your feedback and comments which will certainly help guide us as we create the next releases. The feedback forum is located here:

To learn more, check out a video overview which illustrates how XenVault works. There are also a number of blogs on this technology –

More info on XenVault can be found at

Now with this technology developed, my mind is at rest knowing that I can control Citrix’s sensitive data on my contractors’ laptops. Would you not all want the same peace of mind?

When I look at XenVault in combination with XenClient, I feel that every enterprise organization needs to ditch the old bad habits of installing the apps and the OS and the data on to the laptop and adopt the right desktop virtualization technology for 100% of their laptops!

Innovation in XenVault development does not stop here!!! The team is working on innovative solutions to provide more granular control to IT in order for them to effectively manage contractor- and employee-owned laptops.

[link to original | source: The Citrix Blog | published: 1 hour ago | shared via feedly]