So you have Citrix XenApp, but have not started investigating or do not have the funding for Mobile Device Management and Virtual Desktop (VDI) solutions to secure your enterprise email.  Consider using Citrix XenApp and group policy to secure your email data by publishing Outlook Web App instead of using Exchange Active Sync.  Don’t get me wrong, Exchange Active Sync is great and has some security options as well, this article is just trying provoke thought outside of the box to meet your business needs.  This article also assumes that you have a Citrix XenApp farm with external access to your Citrix environment.  It also assumes that your mobile devices, tablets and laptops have Citrix Receiver installed/configured.


First publish Outlook Web Access via your Citrix XenApp farm through PowerShell

Note:  In order to use PowerShell with Citrix you must download the appropriate PowerShell SDK and install on your Citrix servers.

  • Login to a Citrix XenApp Server
  • Open Windows Powershell with Citrix XenApp Server SDK (X86)
  • Type set-executionpolicy remotesigned enter, choose Y and press enter
  • Type New-XAApplication -BrowserName OWA –DisplayName OWA -CommandLineExecutable “C:\Program Files (x86)\Internet explorer\iexplore.exe ”  -WorkingDirectory “C:\Program Files (x86)\Internet Explorer\” -ApplicationType ServerInstalled and press enter
  • Type Add-XAApplicationServer -browsername OWA -ServerNames XEN1 and press enter
  • Type Add-XAApplicationAccount -BrowserName OWA “domain\userid” and press enter
  • Type Set-XAApplication OWA –Enabled $true and press enter

Note:  In this case you will need to go into the citrix console and the application properties to adjust the command line executable to match the following “C:\Program Files (x86)\Internetexplorer\iexplore.exe”  Powershell will not allow for the proper placement of the quotation marks.

Create an OU and group policy to force your Save location

Either install the Group Policy Management Console on your workstation if you have rights to Active Directory ( or login to a domain controller.

  • To create a new OU, open Active Directory Users and Computers.  The new OU should include the Citrix servers that will need the group policy
  • Right-click on on the domain name and choose New, Organizational Unit


  • Fill in the Name and click OK to complete creation of the new OU


  • To create a new group policy, open Group Policy Management
  • Right-click on the new OU and click Create a GPO in this domain, and Link it here…


  • Provide the Group Policy a name and click OK


Here are the policies that you will want to set:

  • Loopback processing allows a user-based policy to apply to the users that logon to the computer.  Click on the image to see in more detail.


  • Use the Places Bar Location and the Restricted Browsing approved locations appropriate for your organization.  Click on the image to see in more detail.GPO

Note:  The policy depicted shows this is for Office 2007, but it will work with OWA for Exchange 2010.