Most organizations have identity well established by now. MFA is on, accounts are protected and access to Citrix or Azure Virtual Desktop seems under control.
But in practice, the greatest risk is often not in accounts. It’s in devices, context and behavior.
Therefore, the real question is not just who someone is, but where someone is working, from what network, with what device and under what conditions.
Especially now that hybrid working, home working and remote access have become normal, it is not enough to rely on identity alone. deviceTRUST helps organizations factor real-time context into access decisions, within Citrix, within Azure Virtual Desktop and even on local endpoints when using Citrix UHMC.
Why identity alone is no longer enough
In a traditional setup, someone gets access as soon as username, password and MFA are correct. That feels secure, but it says nothing about the state of the device or the situation in which it is being used.
Consider an employee logging in from a laptop without recent updates. Or someone disconnecting a VPN connection while a session remains active. Or a remote party working from an unmanaged network.
Formally, the user is legitimate. Practically, the risk is increased.
Many security incidents arise precisely in this gray area: the identity is correct, but the context is not.
Case study: a shielded Citrix environment with strict network rules
One organization was working with a highly protected Citrix environment that processed highly sensitive data. The environment was deliberately airgapped and should only be accessible when a user was internal or connected via VPN.
The goal was clear: access should exist only as long as the user is in a controlled and secure network environment.
With deviceTRUST, this was technically enforced. Users were given access to the Citrix environment only when:
- they were on the corporate network internally, or
- a valid VPN connection was active.
Once the VPN was disconnected or someone left the internal network, the session was automatically terminated.
There was no dependence on user discipline and no manual checks, only continuous validation based on real-time network context.
The same principle is applicable within Azure Virtual Desktop and hybrid environments where sensitive data requires additional protection.
deviceTRUST: adding context to access within Citrix, AVD and endpoints
deviceTRUST looks not only at who a person is, but also at the state of the device, network, location and behavior while working.
That works inside:
- Citrix Virtual Apps and Desktops
- Azure Virtual Desktop (AVD)
- Microsoft Remote Desktop Services
- Local endpoints and workstations, especially in organizations with Citrix UHMC
Instead of maintaining separate security rules per platform, organizations get one consistent way to use context for access and security decisions.
How organizations are using deviceTRUST within Azure Virtual Desktop
Azure Virtual Desktop is increasingly being deployed as a modern workplace. But as with Citrix, access is only secure if the endpoint and context are reliable.
With deviceTRUST, access to AVD can be made dependent on the state of the device. Only endpoints that meet agreed-upon security criteria are granted full access.
When a device fails those checks, access can be automatically restricted or temporarily blocked. This prevents sensitive data from being accessed from insecure devices, without IT having to constantly intervene.
This makes Zero Trust in AVD practical, without unnecessarily antagonizing users.
More than virtual desktops: deviceTRUST on endpoints with Citrix UHMC
deviceTRUST is often seen as a solution for Citrix environments only, but with Citrix UHMC, organizations can deploy deviceTRUST without restriction, including on local endpoints.
That means context-based security does not stop at the virtual session, but also applies to:
- laptops and workstations
- home workplaces
- hybrid users working partly locally
For example, you can enforce that a device must be technically sound before access is granted to corporate applications. If a firewall is down, updates are missing or security is inactive, access can be automatically restricted until the problem is resolved.
Thus, security shifts from trust to continuous monitoring based on real-time device posture.
Smart data and behavior instead of blocking everything
In many organizations, the reflex is to block everything in the face of risk. But that often leads to frustration, workarounds and lost productivity.
With deviceTRUST, policies can be designed smarter.
Some organizations make copying and pasting within Citrix or AVD dependent on context. Within a secure internal environment, it is allowed, while it is automatically restricted when someone is working externally or handling sensitive data.
Other organizations check that endpoints are technically up-to-date, such as for Windows updates or supported browser versions, before granting full access.
USB usage can also be controlled more intelligently. Instead of allowing everything or blocking everything, only approved devices get access, while unknown storage is automatically denied.
The result is targeted security without unnecessary blocking.
Zero Trust that does not stop at login
A key difference from traditional security is that deviceTRUST does not check only at the time of login.
The context is continuously monitored. If the situation changes, the policy can be adjusted automatically.
Think of a VPN connection going down, an unwanted USB device being plugged in or a device suddenly failing to meet security requirements.
Instead of reacting after the fact, the environment can intervene immediately at the moment the risk arises.
This principle applies within Citrix as well as within Azure Virtual Desktop and on local endpoints.
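The access rule from the case study (internal network or valid VPN, otherwise the session ends), the context-dependent clipboard and USB controls, and the continuous re-evaluation described in this section can be sketched as a small policy evaluator. This is an added Python example, not deviceTRUST's own configuration or API; the Context fields, the action names and the USB allow-list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed context snapshot; a hypothetical model, not deviceTRUST's own data format.
@dataclass(frozen=True)
class Context:
    on_corp_network: bool          # endpoint is on the internal corporate network
    vpn_active: bool               # a valid VPN tunnel is up
    firewall_on: bool              # endpoint firewall reported active
    updates_current: bool          # Windows updates reported current
    usb_storage_id: Optional[str] = None  # vendor:product id of attached storage, None if none

APPROVED_USB = {"1234:5678"}  # constructed allow-list of approved removable storage

def in_controlled_network(ctx: Context) -> bool:
    """Case-study rule: internal network OR valid VPN counts as controlled."""
    return ctx.on_corp_network or ctx.vpn_active

def device_healthy(ctx: Context) -> bool:
    """Posture rule: firewall up and updates current."""
    return ctx.firewall_on and ctx.updates_current

def decide(ctx: Context, session_active: bool) -> Tuple[str, Dict[str, bool]]:
    """Map one context snapshot to an access action plus in-session controls."""
    if not in_controlled_network(ctx):
        # Running session: terminate it; no session yet: refuse to start one.
        return ("terminate" if session_active else "deny", {})
    if not device_healthy(ctx):
        # Keep the session but restrict data channels until posture is fixed.
        return ("restrict", {"clipboard": False, "usb": False})
    controls = {
        # Clipboard only when internal; remote (VPN) users lose copy/paste.
        "clipboard": ctx.on_corp_network,
        # Approved storage only; unknown storage is denied, nothing attached is fine.
        "usb": (ctx.usb_storage_id in APPROVED_USB) if ctx.usb_storage_id else True,
    }
    return ("allow", controls)

def evaluate_timeline(snapshots: List[Context]) -> List[Tuple[str, Dict[str, bool]]]:
    """Re-evaluate on every snapshot, not only at logon (continuous validation)."""
    session_active = False
    decisions = []
    for ctx in snapshots:
        action, controls = decide(ctx, session_active)
        session_active = action in ("allow", "restrict")
        decisions.append((action, controls))
    return decisions
```

Feeding a timeline in which the VPN drops mid-session yields "terminate" for that snapshot and "deny" until a controlled network is seen again, while a failed posture check downgrades to "restrict" without ending the session.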
What this means for Digital Employee Experience
Security and usability are often seen as opposites: the assumption is that more security makes work more cumbersome.
In practice, we see that context actually makes it possible to impose fewer generic constraints:
- Users who work safely experience fewer roadblocks.
- Risky situations are addressed in a more targeted way.
- IT needs to apply fewer all-or-nothing policies.
This often leads to fewer support tickets, less frustration and a better Digital Employee Experience, while security levels go up.
Many organizations are already paying for this
With modern Citrix licenses and especially with Citrix UHMC, many organizations already have deviceTRUST available.
Yet in practice, it is often not used much, if at all. Meanwhile, those same organizations are investing in additional tooling for endpoint compliance, conditional access or data protection.
So the opportunity lies not only in better security, but also in more return on existing investments and licenses.
Here’s how New Yard helps apply deviceTRUST effectively
Greater control of risk without added complexity
At New Yard, we look not only at what is technically possible, but more importantly at what is realistic, manageable and valuable for your organization.
We help organizations deploy deviceTRUST smartly within Citrix, Azure Virtual Desktop and on endpoints, with an eye on security, performance and user experience.
We do this through Health Checks of digital workstations, deviceTRUST assessments, monitoring, second opinions, consultancy and automation based on DevOps, among other things. We also support organizations in domain name security and e-mail security through SPF, DKIM and DMARC.
The goal is always the same: more control, less risk and a digital workplace that remains enjoyable to work in.
Schedule a free consultation about deviceTRUST
Discover how much value you already have but are not yet utilizing
Want to know how your organization can deploy deviceTRUST for Citrix, Azure Virtual Desktop and local endpoints, and where you can reduce risk without additional tooling or licensing costs?
We are happy to take a no-obligation look and show you what is realistic, feasible and sensible for your situation.
