In the third part of our 6-part series on the benefits of Citrix XenClient — the local VM option of XenDesktop and its FlexCast delivery technology — we discussed how XenClient can be used to minimize WAN traffic for branch and distributed offices. In this part, we will examine how XenClient can be used to safeguard business-critical data on PCs and laptops. XenClient is a production-ready client virtualization solution with thousands of desktops in deployment today.

It’s a never-ending story in the news!

You have probably heard about several cases of confidential data being compromised through security breaches at organizations, including stolen hard drives that exposed corporate or personal data. For example, earlier this year a health insurance provider in Tennessee agreed to pay $1.5 million to settle with the U.S. Department of Health and Human Services over the earlier theft of 57 unencrypted hard drives, which resulted in the data of more than 1 million people being compromised! According to a survey conducted by Symantec and the Ponemon Institute, a whopping 28% of all malicious attacks on corporations involve the theft of corporate devices that contain data, such as hard drives.

So you may be asking yourself, “Why is this still happening? Aren’t there ways to prevent data loss in the event of a security breach?”

Human error will happen no matter what precautions are taken, but security measures, including software-based approaches, do exist. In this blog post, I will discuss ways to protect laptops and PCs, and the valuable data on them, from security breaches with a software-based approach.

The software-based approach to protecting data

Citrix XenClient is an intelligent client virtualization solution that provides a single solution with a management backend that can cost-effectively address many of the challenges IT administrators face in managing the security and data protection requirements of enterprise endpoints. The cost and time savings in getting desktop and laptop users to maximum productivity are a key differentiator for Citrix XenClient Enterprise.

The following are some of the ways XenClient Enterprise protects PCs and laptops and the invaluable data on them:

Access Control

  • Iron-clad control of user access: An encrypted hard drive, including one removed from a physical computer, cannot be accessed unless the registered owner’s password is entered. The user’s password must be entered before the Citrix XenClient Engine (the hypervisor) can start. The password used for the encryption is not set during installation; it is set during the registration of the Engine (client hypervisor) on the managed PC with the management server, the Synchronizer, ensuring a reliable security process.
  • User authentication: Integration with Microsoft Active Directory for user authentication ensures that only permitted users have access to corporate assets. Employees can also use their Single Sign-On (SSO) credentials to access assigned resources.
  • Certificate-based authentication: Ensures trusted computing on systems managed by Citrix XenClient Enterprise.

Secure Mobility

Citrix XenClient Enterprise provides IT organizations with the option to implement full disk encryption on managed endpoints running the client hypervisor engine.

  • Full disk encryption: Uses 256-bit AES encryption to allow the managed PC’s disk and the data residing on it to be accessed by authorized users, while keeping the data secure from unauthorized access in the event of PC or laptop loss or theft.
  • Encryption keys are stored in the TPM (if one is available on the managed PC).
  • AES-NI instructions are used (if available on the managed PC).
  • Centralized key recovery.
  • Complete VM isolation: Encrypted and managed local virtual desktop images provide complete isolation of virtual machines. The complete separation of VMs on a single physical PC ensures full protection of user access, data, and productivity.

Citrix XenClient Enterprise also offers various policies that are centrally controlled and can be enabled on managed PCs and VMs that run on the endpoints.

  • Expiration: IT admins can control users’ access to the VMs and PCs. This feature is useful for contractors or a contingent workforce that should only have access to the corporate network and data for the life of a project or assignment.
  • Lockout: Policies that define how long a computer may remain out of contact with the management server (Synchronizer) before users are locked out of the VM on the device. This ensures that the user checks in periodically for the latest security updates and retains ownership of the device.
  • VLAN tagging: A new feature in XenClient Enterprise 4.5 that extends the notion of virtual machine isolation by tagging and routing network traffic to specific virtual machines. This can be used to comply with regulations such as PCI requirements. For example, one customer is using it today to meet PCI requirements by processing credit card transactions in one VM while leaving other VMs available for other business uses – all on a single device!
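To make the Expiration and Lockout policies concrete, here is an added example (not Citrix code, and not how the Synchronizer or Engine actually implement these policies) that models both rules as a small, fail-closed decision function. The policy fields, the `evaluate_access` function, and the dates used in the scenarios are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VmPolicy:
    """Hypothetical model of a centrally managed VM policy (not the product's schema)."""
    # Expiration: after this moment the VM is denied regardless of check-ins (None = never).
    expires_at: Optional[datetime]
    # Lockout: longest period the device may be out of contact with the management
    # server before the VM is locked (None = no lockout policy).
    lockout_after: Optional[timedelta]


@dataclass(frozen=True)
class EndpointState:
    last_checkin: datetime   # last successful contact with the management server (UTC)
    now: datetime            # endpoint clock at evaluation time (UTC)


def evaluate_access(policy: VmPolicy, state: EndpointState) -> Tuple[bool, str]:
    """Decide whether the local VM may be used; returns (allowed, reason).

    Expiration is checked before lockout, so a contractor whose assignment has ended
    is denied even if the device checked in an hour ago. Anything unexpected fails closed.
    """
    if policy.expires_at is not None and state.now >= policy.expires_at:
        return False, "expired"
    if policy.lockout_after is not None:
        offline_for = state.now - state.last_checkin
        if offline_for < timedelta(0):
            # The clock is earlier than the recorded check-in: do not trust it.
            return False, "clock-rollback"
        if offline_for > policy.lockout_after:
            return False, "lockout"
    return True, "ok"


def days_until_lockout(policy: VmPolicy, state: EndpointState) -> Optional[int]:
    """Whole days left before a lockout would trigger (None = no lockout policy)."""
    if policy.lockout_after is None:
        return None
    remaining = policy.lockout_after - (state.now - state.last_checkin)
    return max(remaining, timedelta(0)).days


# Constructed sample policies and evaluation time.
UTC = timezone.utc
NOW = datetime(2013, 3, 1, 12, 0, tzinfo=UTC)
CONTRACTOR = VmPolicy(expires_at=datetime(2013, 2, 28, tzinfo=UTC),
                      lockout_after=timedelta(days=7))
EMPLOYEE = VmPolicy(expires_at=None, lockout_after=timedelta(days=7))


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the decision function over a few constructed endpoint states."""
    return {
        "employee-recent": evaluate_access(EMPLOYEE, EndpointState(NOW - timedelta(days=2), NOW)),
        "employee-stale": evaluate_access(EMPLOYEE, EndpointState(NOW - timedelta(days=8), NOW)),
        "contractor-ended": evaluate_access(CONTRACTOR, EndpointState(NOW - timedelta(hours=1), NOW)),
        "clock-rollback": evaluate_access(EMPLOYEE, EndpointState(NOW + timedelta(days=1), NOW)),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:18s} -> {decision}")
```

The two design points worth noting are the order of the checks (expiration wins over a fresh check-in) and the fail-closed handling of a clock that has been rolled back, since a lockout policy is only as good as the device's notion of elapsed time.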

Remote Kill/Remote Wipe

XenClient Enterprise’s Remote Wipe feature, also known as Remote Kill, simplifies the management of lost or stolen devices to protect valuable corporate data. The Remote Kill/Remote Wipe process includes:

  • Shredding of all encryption keys
    • Encrypted disks can no longer be accessed or read
  • Deleting all VM VHD files
    • Any running VMs will eventually blue-screen once their data can no longer be read
  • Writing random data over the entire physical disk
    • Completely wipes the whole disk (and anything else on the system, including dual-boot roots)
  • Finally, the system is halted after 30 minutes if it has not already stopped
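The ordering of those steps is the important part: once the encryption keys are shredded, the data on the disk is already unrecoverable, so the later steps are defense in depth that also catches unencrypted remnants such as a dual-boot partition. The following added example (not Citrix code, and nothing like the product's actual agent) models the four-step sequence against a throwaway directory of constructed files standing in for the key store, the VHD images and the rest of the disk, and records the order in which each step completes.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import List, Tuple

KEY_FILE = "disk.key"   # hypothetical name for the encryption key store


def build_fake_endpoint(root: Path) -> None:
    """Lay out a constructed endpoint: one key file, two VHDs, one dual-boot remnant."""
    (root / KEY_FILE).write_bytes(secrets.token_bytes(32))
    for name in ("corp-desktop.vhd", "pci-processing.vhd"):
        (root / name).write_bytes(b"VHD" + secrets.token_bytes(4096))
    (root / "dual-boot-root.bin").write_bytes(b"BOOT" + b"\x00" * 1024)


def shred_file(path: Path, passes: int = 3) -> None:
    """Overwrite a file in place with random bytes, flush to disk, then unlink it."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def remote_kill(root: Path) -> List[str]:
    """Model of the Remote Kill sequence; returns an ordered log of completed steps."""
    log: List[str] = []
    # Step 1: shred the encryption keys first. From this point the encrypted disk is
    # unreadable even if the device loses power before the remaining steps finish.
    shred_file(root / KEY_FILE)
    log.append("keys-shredded")
    # Step 2: delete the VM VHD files (a running VM would now fail once it reads them).
    for vhd in sorted(root.glob("*.vhd")):
        vhd.unlink()
        log.append(f"deleted:{vhd.name}")
    # Step 3: overwrite everything else on the "disk", which catches unencrypted
    # remnants such as a dual-boot root that the key shredding did not cover.
    for remaining in sorted(p for p in root.rglob("*") if p.is_file()):
        shred_file(remaining, passes=1)
        log.append(f"overwritten:{remaining.name}")
    # Step 4: halt. Modelled as a log entry; a real agent would power the system off.
    log.append("halt")
    return log


def run_demo() -> Tuple[List[str], List[str]]:
    """Build the fake endpoint in a temp directory, wipe it, return (log, leftover files)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fake_endpoint(root)
        log = remote_kill(root)
        leftover = sorted(p.name for p in root.iterdir())
        return log, leftover


if __name__ == "__main__":
    steps, leftover = run_demo()
    print("\n".join(steps))
    print("leftover:", leftover)
```

The model only ever touches files it created inside a temporary directory; it exists to show why key shredding comes first and why the disk overwrite is still worth doing afterwards, not to be pointed at a real block device.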

Disaster Recovery

  • Fast Recovery: OS, applications and user data are synchronized in automatic backups and can easily be made available for recovery in the event of a device failure, loss or disaster. Restoring a whole system from the last backup ensures that the end user becomes productive again very quickly.

Safe and trusted computing is a holistic process that involves continuous improvement. Starting on the right path is key to getting things right. Citrix XenClient Enterprise has many security-oriented features that can help remedy many of the issues arising from the loss or theft of PCs or laptops, a problem that continues to this day.

Join the conversation by connecting with the Citrix XenClient team online!