Session WaterMarking

Citrix in-session watermarking overlays traceable information on the VDI screen. This deters people from capturing the screen to steal data. Going one step further, even if the information is leaked, you can still easily trace the leak back to the identity shown on the screenshot.

Text-based session watermarks help to deter data theft and enable it to be tracked. This traceable information appears on the session desktop as a deterrent to those using photographs and screen captures to steal data. You can specify a watermark that is a layer of text, which displays over the entire session screen without changing the content of the original document. Text-based session watermarks require VDA support.

The session watermark is text and is applied to the session that is delivered to the user. The session watermark carries information for tracking data theft. The most important data is the identity of the logon user of the current session in which the screen image was taken. To trace the data leakage more effectively, include other information such as server or client internet protocol address and a connect time.

To adjust the user experience, use the Session Watermark policy settings to configure the placement and watermark appearance on the screen.

Requirements

Virtual Delivery Agents:

  • Server OS 7.17
  • Desktop OS 7.17

Limitations

  • Session watermarks are not supported in sessions where Local App Access, Flash redirection, Windows media redirection, MediaStream, browser content redirection, and HTML5 video redirection are used. To use session watermark, ensure that these features are disabled.

  • Session watermark is not supported and doesn’t appear if the session is running in full-screen hardware accelerated modes (full-screen H.264 or H.265 encoding).

  • If you set these HDX policies, watermark settings don’t take effect and a watermark isn’t displayed in the session display:

      • Use hardware encoding for video codec to Enabled
      • Use video codec for compression to For the entire screen

  • If you set these HDX policies, the behavior is undetermined and the watermark might not display:

      • Use hardware encoding for video codec to Enabled
      • Use video codec for compression to Use video codec when preferred

    To ensure the watermark displays, set Use hardware encoding for video codec to Disabled, or set Use video codec for compression to For actively changing regions or Do not use video codec.

  • Session watermark supports only Thinwire and not the Framehawk or Desktop Composition Redirection (DCR) graphic modes.

  • If you use Session Recording, the recorded session doesn’t include the watermark.

  • If you use Windows remote assistance, the watermark is not shown.

  • If a user presses the Print Screen key to capture the screen, the screen captured at the VDA side doesn’t include the watermarks. We recommend that you take measures to avoid the captured image being copied.

Note:

Text-based session watermarking is not a security feature. The solution does not prevent data theft completely, but it provides some level of deterrent and traceability. Although we do not guarantee complete information traceability when using this feature, we recommend that you combine this feature with other security solutions as applicable.

This is how it looks when the watermark feature is enabled:

https://www.mediafire.com/convkey/61af/dpotwlpl82g9rt57g.jpg

https://www.mediafire.com/convkey/322c/wxry57zjwtzt2a57g.jpg

The session watermark section contains policy settings to configure this feature. Enabling this feature causes a significant rise in the network bandwidth and CPU usage by the VDA machine. We recommend that you configure session watermark for selected VDA machines based on your available hardware resources.

Important

Enable session watermark for the other watermark policy settings to be effective. To achieve a better user experience, don’t enable more than two watermark text items.

Enable session watermark

When you enable this setting, the session display has an opaque textual watermark displaying session-specific information. The other watermark settings depend on this one being enabled.

By default, session watermark is disabled.

Include client IP address

When you enable this setting, the session displays the current client IP address as a watermark.

By default, Include client IP address is disabled.

Include connection time

When you enable this setting, the session watermark displays a connect time. The format is yyyy/mm/dd hh:mm. The time displayed is based on the system clock and time zone.

By default, Include connection time is disabled.

Include logon user name

When you enable this setting, the session displays the current logon user name as a watermark. The display format is USERNAME@DOMAINNAME. We recommend that the user name is a maximum of 20 characters. When a user name is more than 20 characters, excessively small character fonts or truncation might occur. This lessens the watermark effectiveness.

By default, Include logon user name is enabled.

Include VDA host name

When you enable this setting, the session displays the VDA host name of the current ICA session as a watermark.

By default, Include VDA host name is enabled.

Include VDA IP address

When you enable this setting, the session displays the VDA IP address of the current ICA session as a watermark.

By default, Include VDA IP address is disabled.

Session watermark style

This setting controls whether you display a single watermark text label or multiple labels. Choose Multiple or Single from the Value drop-down menu.

Multiple displays five watermark labels in the session. One in the center and four in the corners.

Single displays a single watermark label in the center of the session.

By default, Session watermark style is Multiple.

Watermark custom text

This setting specifies a custom text string (for example, the corporate name) to display in the session watermark. When you configure a non-empty string, the text is displayed on a new line, appended to the other information enabled in the watermark. The watermark custom text maximum is 25 Unicode characters. If you configure a longer string, it is truncated to 25 characters.

There is no default text.

Watermark transparency

You can specify watermark opacity from 0-100. The larger the value specified, the more opaque the watermark.

By default, the value is 17.

Change watermark text: https://support.citrix.com/article/CTX230054

Working with the text-based Session Watermark feature

To enable the session watermark feature, administrators must first enable the Enable session watermark HDX policy in Studio. It’s disabled by default.

https://www.mediafire.com/convkey/efcb/ztsm5p5ib8j4qtt7g.jpg

After enabling the feature, additional session watermark HDX policies control which of the 6 text-based options to include in the watermark overlay. Information includes client IP address, VDA host name, session connection time, user logon name, and custom text. If none of the 6 text-based watermark policies are configured, the VDA host name and user logon name will be shown in the watermark by default. To avoid the watermark overlay being too much of a distraction to session users, administrators can configure HDX policies to choose between two watermark styles and can control the watermark transparency level.

Feature Limitations

Session watermarks are not supported and won’t appear:

  • In sessions where Local App Access, Flash redirection, Windows Media redirection, Browser Content redirection, and HTML5 video redirection are used.
  • If the session is running in full-screen hardware accelerated modes (full-screen H.264 or H.265 encoding).
  • If the HDX policy: Use hardware encoding for video codec is set to Enabled.
  • If the HDX policy: Use video codec for compression is set to For the entire screen.

To ensure watermarks display in the session:

  • Set the HDX policy: Use hardware encoding for video codec to Disabled.
  • Set the HDX policy: Use video codec for compression to For actively changing regions or Do not use video codec.
  • Session watermark supports only Thinwire and not the Framehawk or Desktop Composition Redirection (DCR) graphic modes.
  • If using Session Recording, the recorded session doesn’t include the watermark.

Feature Considerations

Screen captures taken on the VDA side do not contain the watermark. The session watermark layer will incur some graphics and system resource overheads. Because of this, Citrix recommends that if session watermarks have been enabled, no more than 2 text-based information pieces should be included. Many customers wishing to implement the session watermark feature will also have implemented many of the XenApp and XenDesktop features and settings listed in the Feature Limitations section. For this reason, Citrix support teams need to be familiar with these limitations.
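
The codec rules and item limits above can be checked mechanically before a policy is rolled out. The following Python is an added example, not Citrix code or part of the original post; where the two limitation lists on this page differ, it follows the first one. Assumptions: the dictionary keyed by policy display name is a constructed representation (not a Citrix export format), audit is a hypothetical helper, and codec policies left unset are treated as unknown because the page gives no default for them.

```python
TEXT_ITEMS = ("Include client IP address", "Include connection time",
              "Include logon user name", "Include VDA host name",
              "Include VDA IP address")
# Defaults exactly as stated on this page.
DEFAULTS = {"Enable session watermark": False, "Include client IP address": False,
            "Include connection time": False, "Include logon user name": True,
            "Include VDA host name": True, "Include VDA IP address": False,
            "Watermark custom text": ""}
HW = "Use hardware encoding for video codec"
CODEC = "Use video codec for compression"
SAFE_CODEC = ("For actively changing regions", "Do not use video codec")


def audit(policy, user_names=()):
    """Return (display, findings); display is 'yes', 'no' or 'undetermined'."""
    p = {**DEFAULTS, **policy}
    if not p["Enable session watermark"]:
        return "no", ["Enable session watermark is off; other watermark settings have no effect"]
    hw, codec = p.get(HW), p.get(CODEC)  # None = not configured (assumed unknown)
    findings = []
    if hw == "Disabled" or codec in SAFE_CODEC:
        display = "yes"
    elif hw == "Enabled" and codec == "For the entire screen":
        display = "no"
        findings.append("hardware encoding Enabled + For the entire screen: watermark not displayed")
    else:
        display = "undetermined"
        findings.append(f"{HW}={hw!r}, {CODEC}={codec!r}: display not ensured")
    items = [k for k in TEXT_ITEMS if p[k]]
    custom = p["Watermark custom text"]
    if custom:
        items.append("Watermark custom text")
    if len(items) > 2:
        findings.append(f"{len(items)} text items enabled; at most 2 recommended")
    if len(custom) > 25:
        findings.append(f"custom text will be truncated to {custom[:25]!r}")
    for name in user_names:
        if len(name) > 20:
            findings.append(f"user name {name!r} exceeds 20 characters; font may shrink or truncate")
    return display, findings


if __name__ == "__main__":
    # Constructed sample policy: traceable identity is kept, but the codec
    # combination means the watermark never reaches the screen.
    sample = {"Enable session watermark": True, HW: "Enabled",
              CODEC: "For the entire screen", "Include client IP address": True}
    print(audit(sample, user_names=["averyveryverylongusername"]))
```

A result of "no" or "undetermined" means leaked screenshots from those sessions may carry no identity at all, so it is worth treating as a finding rather than a cosmetic issue.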
