Citrix Storefront – Adventures in customization – Restrict app visibility with single factor authentication, show all apps with two-factor authentication


I have been working with a colleague of mine (Saman Salehian) who has been working on a project with a Citrix Netscaler. One of the hopes of this project is to offer Citrix applications externally. A problem was posed to me about restricting users to only non-critical, non-patient-facing applications (e.g., Outlook, intranet site, etc.) if they logged in with their domain credentials, but showing all applications if they logged in with a two-factor authentication method.

Citrix has 3 articles (one, two, three) that I’ve been able to find about executing on this. The problem with these articles is that they are now outdated. Citrix has a much more flexible and (in my humble opinion) better way to hide/show applications, and that is through the Receiver Extension APIs. Through a single store, I’ll be able to show and hide applications dynamically.

The two API calls that are relevant are:

Exclude an application completely from all UI, even if it would normally be included.

Include an application, even if it would normally be excluded. For example a platform might exclude applications intended for a different platform.

The architecture of this solution looks like this:


It’s pretty damn simple. Check that a specific cookie has a specific value, and if it does NOT have that value, exclude the app(s) from being shown.

So the role of the Netscaler here is when the user logs on, it will write a cookie based on the authentication. Our Storefront script will check for the value of that cookie. If the cookie contains our known value then we iterate through all applications and look for some unique text we’ve set in the application description field (this works with both XenApp 6.5 and 7.X) and hide those applications. For my example, I’ve added “ 2FA” to the application description field for the applications I want excluded from single-factor authentication. Note: I’ve required a ‘space’ before the characters 2FA.

And that’s it!  A deliciously simple addition to \custom\script.js.
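A sketch of such a `script.js` addition, as an added example that is not the original post's script: it uses the `CTXS.Extensions.excludeApp` hook and assumes the cookie value marks a two-factor logon, so a missing or different value hides every app tagged “ 2FA”. The cookie name and value are hypothetical placeholders, and `app.description` is assumed to carry the published description text.

```javascript
// Added example, not the original post's script. Cookie name and value are
// hypothetical placeholders; use whatever your Netscaler policy writes.
const AUTH_COOKIE = "ExampleAuthLevel"; // hypothetical cookie name
const TWO_FACTOR_VALUE = "2fa";         // hypothetical value written after 2FA logon
const MARKER = " 2FA";                  // description tag from the post (leading space)

// Return the exact value of one cookie from a document.cookie-style string,
// or null when it is absent. Names are compared whole, so a cookie called
// "XExampleAuthLevel" is not mistaken for ours.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// True when the app must be hidden: it is tagged with the marker and the
// cookie does not carry the two-factor value. A missing cookie hides the app.
function shouldExclude(app, cookieString) {
  const description = (app && app.description) || "";
  if (description.indexOf(MARKER) === -1) return false; // untagged: always shown
  return readCookie(cookieString, AUTH_COOKIE) !== TWO_FACTOR_VALUE;
}

// Hook into StoreFront only when running inside Receiver for Web.
// Assumption: the app object exposes the description as app.description.
if (typeof CTXS !== "undefined" && CTXS.Extensions) {
  CTXS.Extensions.excludeApp = function (app) {
    return shouldExclude(app, document.cookie);
  };
}
```

Because this runs in the browser and reads a cookie the client holds, it controls what is displayed and is not an access control; enforcement for the tagged applications belongs on the delivery side.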


  1. Timon 2017-12-19 6:41 am

    Hi Trentent,

    Thank you for posting this as this may be the answer I have been looking for when it comes to dynamically hiding applications for our external users. I have modified your script slightly and I am now able to hide applications using the set keyword but it only seems to be working for the website, not the native receiver app. Should this work in the app as well?



    • trententtye 2017-12-22 12:10 pm

      Hi Timon,

      We only use this feature for our 2FA users, so for external users via the web-only. I have not had an opportunity to test it with native receiver, but I do not believe it would work as it requires a cookie to be set which would only happen with a web browser. There may be another way to check for whether the connection is an access gateway connection that you could pick up on with native receiver, but I have not had to do that work.

      • Timon 2018-01-05 4:43 am

        Thank you for taking the time to reply. I was coming to the same conclusion that the native app doesn’t handle cookies in the same way although looking at the documentation it does appear to make some use of cookies for authentication. I will raise a support call with Citrix for confirmation and I will respond back here if I find anything that works.

        This was so close to a perfect solution!

