For the DLP Agent on XenDesktop:
DLP Agent resides on each virtual desktop and functions just like it would on a physical desktop. Client devices generally do not have the agent installed on them.
In the case of Citrix XenDesktop, if USB support is enabled, users can plug a USB device into their endpoint and that device is remoted to their virtual desktop. Devices available for remoting include flash drives, smartphones, PDAs, printers, scanners, MP3 players, security devices, and tablets. Such events are monitored by Removable Storage monitoring. Recovery and Restoration works for such drives.
If USB support is not enabled, USB devices plugged into the endpoint will appear as an endpoint drive. File operations to endpoint drives are monitored by Removable Storage monitoring but Recovery and Restoration will not work.
For the DLP Agent on XenApp:
DLP agent is installed on the XenApp server and monitors all applications accessed by remote users. Client devices generally do not have the agent installed on them.
All incidents generated will have the IP address of the XenApp Server because the agent is installed on it and not on the endpoints.
In the case of Citrix XenApp Server, within a published application, all endpoint drives are network shares. So saving anything on the endpoint has the effect of saving something to a network share. Although, each endpoint drive is viewed as a removable drive by the DLP agent. So such events are monitored by Removable Storage monitoring. Recovery and Restoration does not work on XenApp Server.