How to Monitor Remote Employee Activities in a Citrix Environment

How to Track End-User Activity with CurrentWare

Need solutions for tracking end-user activity in your Citrix environment? CurrentWare is a Citrix Ready partner with solutions for user activity monitoring, web filtering, USB device control, and remote PC power management.


How to Report on Remote Worker Activities in Citrix

The CurrentWare Suite is the best third-party monitoring tool for tracking employee productivity in a Citrix environment. 

So long as the virtual desktops in your environment are Windows-based you can use CurrentWare to monitor and control the computer activities of your end-users. You can also monitor employees that remotely connect to an on-premises endpoint via RDP.

When monitoring employees in Citrix with CurrentWare you can track computer activities with PC Mode to track the individual virtual machine or with User Mode to track the activities of specific employees across multiple devices and/or virtual machines.

With CurrentWare you can…

  • Track websites visited by employees
  • Track employee logon and logoff times
  • Block unauthorized USB storage devices
  • Monitor what applications are being used
  • Audit file transfers to portable storage devices
  • Restrict internet access based on content category, domain, or URL
  • See how much time was spent on websites that are productive, unproductive, and neutral

These user activity reports are the perfect complement to Citrix’s performance monitoring tools. By monitoring employee activity in your Citrix environment you have the ability to enforce acceptable use policies, improve employee productivity, and ensure that your remote employees are focused on their tasks.

Track Remote Employee Work Hours on Citrix

Using enPowerManager’s User Logon History report you can audit logon events on the virtual machine. Tracking employee login activity allows you to correlate time spent working remotely with the hours that employees self-report.

[Image: enPowerManager's User Logon History report with timestamps of when employees log in and out each day]

This report shows you

  • Which users connected to a certain virtual desktop
  • Their logon time and date
  • Their logoff time and date
  • The duration of their logon session (logon-logoff time)

enPowerManager also includes a Startup and Shutdown History report to track each time a remote user alters the power state of their virtual desktop.

[Image: enPowerManager's Startup and Shutdown History report]

This report shows you

  • Startup Events
  • Sleep/Shutdown Events
  • Hibernate/Standby Events

Using these reports you can track how long users have been connected to their local computers, remote workstations, and/or virtual machines. 

This allows you to

  • Verify that employees are starting and stopping their work days at expected times.
  • Audit remote connections for off-hours access (potential insider threat risk)
  • Compare logon times to BrowseReporter’s computer activity reports to see how they spend their time during work hours
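The off-hours audit described above can also be run over exported logon history. The following is an added example, not CurrentWare code: the CSV column names, the sample rows, and the Monday-to-Friday 07:00-19:00 working window are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample rows. The column names are assumptions and do not
# reflect CurrentWare's actual export format.
SAMPLE_EXPORT = """user,computer,logon,logoff
alice,VDI-01,2024-03-04 08:55:00,2024-03-04 17:10:00
bob,VDI-02,2024-03-04 23:40:00,2024-03-05 01:15:00
carol,VDI-03,2024-03-09 10:00:00,2024-03-09 10:30:00
dave,VDI-01,2024-03-05 16:30:00,2024-03-05 19:45:00
erin,VDI-04,2024-03-06 21:05:00,
"""

# Assumed policy: Monday-Friday, 07:00-19:00 local time.
WORK_START = time(7, 0)
WORK_END = time(19, 0)
WORK_DAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday is 0
FMT = "%Y-%m-%d %H:%M:%S"


def outside_hours(ts):
    """Return True if a timestamp falls outside the assumed working window."""
    in_window = WORK_START <= ts.time() <= WORK_END
    return ts.weekday() not in WORK_DAYS or not in_window


def audit_sessions(export_text):
    """Return one finding per session that touches off-hours time."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        logon = datetime.strptime(row["logon"], FMT)
        reasons = []
        minutes = None
        if outside_hours(logon):
            reasons.append("logon outside working hours")
        if row["logoff"]:
            logoff = datetime.strptime(row["logoff"], FMT)
            if logoff < logon:
                raise ValueError(f"logoff precedes logon for {row['user']}")
            minutes = int((logoff - logon).total_seconds() // 60)
            if outside_hours(logoff):
                reasons.append("logoff outside working hours")
            if logoff.date() != logon.date():
                reasons.append("session spans midnight")
        else:
            # Session still open or logoff never recorded: duration unknown.
            reasons.append("no logoff recorded")
        if reasons:
            findings.append({
                "user": row["user"],
                "computer": row["computer"],
                "logon": row["logon"],
                "minutes": minutes,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_EXPORT):
        print(f["user"], f["computer"], f["logon"], f["minutes"], "; ".join(f["reasons"]))
```

Sessions that start and end inside the window on the same day produce no finding, so the output is a short review list rather than a full copy of the report.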

To better track how your employees spend their time at work, you can track idle time with BrowseReporter. BrowseReporter’s automated employee time tracking features will show you whether the employee was actively using their computer during the day based on their keyboard and mouse inputs. 

Monitor Remote Employee Productivity on Citrix

Using BrowseReporter’s user activity reports you can monitor the Citrix activity levels of your employees to track their productivity levels. 

BrowseReporter also audits the internet and application usage of users that connect to remote computers using remote desktop and similar technologies.

If you have employees who work from home you can use the end-user activity reports to verify that they were using their computers during work hours. 

BrowseReporter even includes a pre-built employee productivity report that provides a high-level overview of how much time your employees spend on websites that are productive, unproductive, or neutral. These classifications can be customized to match what is considered productive for your employees.

Monitor Internet and Application Usage on Citrix

Monitoring internet and application usage is essential for ensuring that your remote users are in compliance with your company’s acceptable use policies.

When your employees browse the internet or use applications on a Citrix virtual desktop, their activity data will be collected by the CurrentWare client. 

Samples of BrowseReporter’s internet and application activity reports

Track End-User Active vs Idle Time on Citrix

[Image: two bar charts with employee computer usage data: top 5 active time and top 5 idle time]

BrowseReporter measures the Idle Time of your users to see how long they are away from their workstation. Using the email alerts feature you can even get notified when a user is idle for a predetermined period of time.

The distinction between Active Time and Idle Time is based on their mouse and keyboard activity. When there is no input from their mouse or keyboard for a designated period of time, BrowseReporter will shift tracking from Active Time to Idle Time.

By default, the amount of time that the end-user must be inactive before BrowseReporter switches from Active Time to Idle Time is 20 minutes. This threshold can be customized to better suit your environment.

[Image: BrowseReporter's idle time tracking limit setting]

BrowseReporter’s integrated system idle time tracker sorts remote user activity into three categories based on their usage:

  • Active Time is how long the employee was actively using their computer. A computer is considered active when mouse and keyboard inputs are detected.
  • Idle Time is how long a given website was left open but was not actively being used.
  • Total Time is the full length of time that a given website was open (active time + idle time)


Audit File Transfers to Portable Storage Devices on Citrix

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

  1. Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
  2. Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales. 

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur. 

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

In the overview dashboard you can review the following metrics:

  • File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
  • Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
  • The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
  • The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
  • The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
  • The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
  • And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has its own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

  • A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
  • You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
  • Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
  • And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard

In this dashboard, we have…

  • A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices. 
  • Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period. 
  • Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious. 

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web?

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity. 

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices. 

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in. 

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

With AccessPatrol’s device control features you can prevent data exfiltration when employees work from home. 

With the CurrentWare Client installed on the devices you would like to monitor you can detect when USB devices are plugged in to domain controllers, servers, Citrix VMs, and other Windows-based endpoints.

You can also configure alerts that notify you when files are transferred to portable storage devices or when certain peripheral devices are inserted into monitored endpoints.

Sample USB Device Reports

File Operations

[Image: AccessPatrol USB file operations report]
[Image: hourly graph of USB file operations]

Allowed vs Denied USB Devices History

[Image: graph of an hourly timeline showing blocked vs allowed USB devices]
[Image: AccessPatrol Allowed vs Denied report with 13 different devices listed]

Bonus: Block Websites & Portable Storage Devices on Citrix

[Image: screenshot of the category filtering window from the BrowseControl web filter, with the porn and social media categories blocked]

In addition to tracking user activity in Citrix, the CurrentWare Suite includes:

These tools further enhance the security of your Citrix environment by providing you with the means to protect against data theft and the use of high-risk/inappropriate websites.

When applying web filtering and/or device control policies in Citrix with CurrentWare you can apply policies with PC Mode to control the individual virtual machine or with User Mode to control the permissions of specific employees across multiple devices and/or virtual machines.

How CurrentWare’s Software for Tracking User Activity in Citrix Works

CurrentWare’s Citrix user activity logging software is supported on desktop computers, virtual machines (VMs) and servers running the Windows operating system. 

In addition, all CurrentWare components are compatible with Remote Desktop Services (RDS) or Terminal Servers (TS).

So long as the underlying operating system is a version of Windows that is supported by CurrentWare, your users can be monitored. 

This means that you can audit user activity on Desktop as a Service (DaaS) providers such as Amazon Workspaces and Citrix, self-hosted Virtual Desktop Infrastructure (VDI), or physical endpoints that are being accessed through remote desktop, DirectAccess, or a VPN. 

CurrentWare is known to be compatible with the following virtualization software:

  • VMware
  • Parallels
  • VirtualBox
  • Oracle VM
  • Virtual-PC
  • Hyper-V

CurrentWare integrates with Active Directory, allowing you to import your Windows users and OUs directly from your Active Directory onto the CurrentWare Console. 

CurrentWare allows you to set custom data grooming/data retention periods, allowing you to keep records of end-user activities on Citrix virtual desktops for as long as your organization needs. 

When monitoring and managing your end-users in Citrix with CurrentWare you can track and control computer activities with PC Mode to manage the individual virtual machine or with User Mode to track and control the activities of specific users across multiple devices and/or virtual machines.

Monitoring and managing your end-users with CurrentWare in a Terminal Services environment works similarly. The exception is that in a Terminal Server/Terminal Services environment the server will be registered as an individual endpoint; when you run a report from PC mode it will give you a report on all the users’ profiles in a single report.

Remote Monitoring Software Agent

[Image: screenshot of the CurrentWare installation window]

CurrentWare tracks user activity in Citrix with a software agent that is installed on each endpoint (virtual or physical) that you would like to monitor. The CurrentWare client agent is responsible for receiving the policies from your CurrentWare Server and triggering them locally on the remote computer.

The CurrentWare Client agent is able to differentiate between each user that is logged in. This allows you to separate your users/endpoints into logical groupings and apply unique security policies to them or run reports on their individual computer activities. 

  • Integrity: The user activity monitoring software offered by CurrentWare is protected from attempts to stop or uninstall the agent by the end-user.
  • Connectivity: Even if the connection between the CurrentWare Server and CurrentWare Client is lost, the CurrentWare Client will continue to monitor your employees. The user activity data and last known security policies will be stored locally until a connection to the CurrentWare server is re-established.
  • Visibility: The CurrentWare Client can be deployed in stealth mode or with optional privacy-enhancing features enabled. 

Tracking User Activity in Citrix vs Monitoring Local Endpoints

How you will deploy CurrentWare to start tracking user activity in Citrix depends entirely on the needs of your environment. 

If you would like assistance with your CurrentWare deployment or evaluation our technical support team is available to assist you over the phone, live chat, or email. 

If you would like to monitor Citrix virtual desktops, you will install the CurrentWare client on the Windows Server that is hosted on Citrix.

If you would like to remotely monitor the end-user’s physical endpoint, you will need to install the CurrentWare Client on their computer. 

To reduce potential privacy concerns the best practice is to provide your remote users with a company-owned device and have them sign a written policy that alerts them to the nature of the monitoring. 

[Image: screenshot of a workplace monitoring policy template]

Workplace Monitoring Policy Template

  • Disclose your company’s intent to monitor employees in the workplace
  • Set workplace privacy expectations for employees
  • Meet transparency requirements for compliance with privacy laws

Get started today—Download the FREE template and customize it to fit the needs of your organization.

For more information on workplace privacy and employee monitoring, download our free white paper.

Why Do I Need Third-Party User Activity Monitoring Tools for Citrix?

Citrix comes with an excellent suite of monitoring tools for tracking end-user experience, detecting potential security risks, and diagnosing the health status of Citrix virtual apps and desktops. 

But when it comes to monitoring the productivity of remote workers, integrating Citrix with CurrentWare’s user activity monitoring software will produce the best results.

By integrating CurrentWare with Citrix you can track granular details about the websites that employees visit, how much time they spend browsing the web, and the time they spend on productive vs unproductive websites. 

What User Activity Does Citrix Log?

In terms of tracking user activity in Citrix, there are some native options.

While the names and functions of these monitoring tools have changed over the years (SmartAuditor, Citrix Analytics, Citrix Director, etc), Citrix’s focus has been on tracking performance metrics related to the health of the Citrix platform rather than the specific activities of end-users.

Citrix’s monitoring tools help diagnose end-user experience issues by tracking things like…

  • Session failures
  • Logon duration times
  • VDA registration failures
  • Bandwidth usage
  • Domains accessed
  • Etc

For example, consider this excerpt about the Performance Analytics service from Citrix Analytics:

  • Performance Analytics aggregates Site performance metrics into easy-to-view User Experience and Infrastructure dashboards. They help you analyze the user experience and optimize the usage of your Citrix Virtual Apps and Desktops Sites.
  • Performance Analytics quantifies the user performance factors and classifies the users based on these factors. It provides actionable insights to troubleshoot failures, screen lags, delayed session logons, and other performance indicators.
  • Performance Analytics allows you to find and filter metrics to narrow down to specific users or sessions facing performance issues.

    Source: Citrix Product Documentation, January 2021

Citrix Security Monitoring

That said, over time Citrix has introduced some monitoring tools that log user activity for security and compliance purposes. 

For example, the Platinum Edition of Citrix XenApp and XenDesktop (which has since been rebranded to Citrix Virtual Apps and Desktops) introduced Session Recording, a feature that allows administrators to record and playback user sessions.

Here’s Citrix’s summary of the Session Recording feature:

“Session Recording is a key component in Citrix XenApp and XenDesktop Platinum Edition that enables IT admins to record active virtual apps and desktop sessions, based on user, application or server and then save the recording file for future reference when needed.”

In the same vein, they have also introduced web security monitoring in Citrix Secure Workspace Access.

This monitors things like…

  • The number of hits to websites that are malicious, dangerous, or blocked
  • Which users visit risky websites the most
  • Data download volume from risky sites

These are certainly valuable features for industries that need to protect sensitive information in a remote environment, but they lack the granularity needed to monitor the productivity of remote employees in a Citrix environment.

Since they are primarily used for network performance monitoring, Citrix’s internet usage reports also suffer from “noisy” data such as content delivery networks, advertisements, etc. BrowseReporter’s reports filter out this data for you so you can focus on what the end-user was actually doing.

Key Takeaway
When it comes to logging user activity for productivity management purposes, CurrentWare’s end-user productivity monitoring tools for Citrix give you the granular insights you need to track what each individual user was doing.

Start Tracking User Activity in Citrix With CurrentWare

CurrentWare’s end-user productivity reports for Citrix audit user activity on local or cloud-based desktop computers, virtual machines (VMs) and servers running the Windows operating system.

In addition, all CurrentWare components are compatible with Remote Desktop Services (RDS) or Terminal Servers (TS).

The CurrentWare Suite provides dozens of remote desktop activity reports for auditing how end-users interact with endpoint devices. 

These reports include…

Many of these reports can be configured as email alerts to notify you when specific actions occur on monitored endpoints. 

In addition to Citrix user activity reports, the CurrentWare Suite includes solutions for peripheral device control, web content filtering (without the need for SSL inspection), and remote power management.

Sai Kit Chu
Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.