CXANZ Blog

Citrix Acquires deviceTRUST: Enabling Contextual Security for Hybrid Work

Written by John Kotsopoulos | Jul 16, 2025 3:22:16 AM

In December 2024, Citrix, a business unit of Cloud Software Group, acquired deviceTRUST GmbH, a leader in contextual security and device posture assessment. This acquisition enhances Citrix’s ability to deliver Zero Trust Network Access (ZTNA) across hybrid environments—on-premises and in the cloud—by integrating real-time device and user context into access decisions.

As hybrid work becomes the norm across Australia, organisations face increasing pressure to secure access to sensitive applications and data from a wide range of devices—managed, unmanaged, corporate, and BYO. deviceTRUST addresses this challenge by enabling dynamic, policy-based access control based on real-time conditions such as device compliance, location, network, and user identity.

For customers with a Universal Hybrid Multi-Cloud (UHMC) subscription, this acquisition means built-in access to deviceTRUST capabilities as part of the Citrix platform. It empowers IT teams to enforce context-aware access policies across Citrix Virtual Apps and Desktops (CVAD) and Citrix DaaS environments, ensuring that only trusted users on secure devices can access critical resources.

What is deviceTRUST?

deviceTRUST is a lightweight, agent-based solution that continuously evaluates the security posture of endpoints and contextual factors such as:

  • Device compliance (e.g., antivirus, encryption, domain membership)
  • Network type (corporate LAN, VPN, public Wi-Fi)
  • Geolocation and time of access
  • User identity and group membership
  • Session type (local, remote, published app)

This context is then used to grant, restrict, or adapt access to Citrix sessions in real time. For example, a user accessing from a non-compliant device or unknown location can be denied access or redirected to a restricted desktop.

How it works with Citrix

Data Backends Supported On-Premises (CVAD)

  • Agent installed on Windows VDAs and optionally on endpoints.
  • Contextual data is passed to Citrix policies via environment variables or registry keys.
  • Access control is enforced using Citrix Studio policies

Citrix DaaS (Cloud)

  • deviceTRUST agent runs on cloud-hosted VDAs.
  • Context is evaluated at session launch and continuously during the session.
  • Works with Citrix Cloud policies

High-Level Implementation Guide

1. Planning

  • Identify use cases (e.g., block access from unmanaged devices, enforce MFA off-network).
  • Define contextual policies (e.g., allow access only from encrypted devices on corporate Wi-Fi).

2. Deployment

  • Install deviceTRUST agent on VDAs (Windows Server or Desktop OS).
  • Optionally install endpoint agent for richer context.
  • Configure policies using the deviceTRUST Console.
  • Integrate with Citrix Studio for enforcement.

3. Validation

  • Test access scenarios (compliant vs. non-compliant devices).
  • Monitor logs and policy hits via deviceTRUST dashboard.
  • Fine-tune policies based on user behaviour and risk tolerance.

Use Cases for Australian Organizations

Industry

Use Case

Benefit

Healthcare

Restrict access to patient data from unmanaged devices

Ensure HIPAA/ISO 27001 compliance

Finance

Enforce MFA and encryption for remote workers

Meet APRA CPS 234 requirements

Government

Block access from foreign IPs or public Wi-Fi

Prevent data leakage and unauthorized access

Education

Allow students access only from campus networks

Protect academic resources

Legal

Restrict access to case files to domain-joined devices

Maintain confidentiality and auditability

 

Frequently Asked Questions (FAQ) 

Q1: Do I need to install the deviceTRUST agent on every endpoint?

A: No. The agent is required on Citrix VDAs (virtual desktops or apps). Installing it on endpoints is optional but recommended for richer context (e.g., local antivirus status, disk encryption).

Q2: Can deviceTRUST block access in real time if a device becomes non-compliant?

A: Yes. deviceTRUST continuously monitors context and can trigger session termination, restriction, or policy changes dynamically during the session.

Q3: What backend systems can deviceTRUST integrate with?

A: It can export logs and events to SIEM platforms like Splunk, Microsoft Sentinel, or Elastic for auditing and threat detection.

Q4: Is deviceTRUST included in my UHMC subscription?

A: Yes. deviceTRUST is now available to all UHMC customers at no additional cost.

If you're ready to enhance your contextual security and device posture, now is the time to explore what deviceTRUST can do for your environment. Reach out to our CXANZ team for a friendly chat or to book a personalised demonstration.
View full post