Data Loss Prevention

  • 1.  DLP on Citrix XenDesktop Non-persistent desktops

    Posted May 19, 2017 02:27 PM

    What are the best practices / recommended solutions for running DLP on Citrix VDI non-persistent virtual desktops?  Environment = Specifically XenDesktop Citrix VDA version 7.11, with Windows 7 SP1.  (Running on VMware version 6.0)  Currently we are running DLP servers version 14.5, and have Trend Micro OfficeScan Agent ver 11.0.6285 on the virtual desktops.  We are running the DLP agent in the non-persistent image.  We have 8,000 virtual desktops total split into two PODs, each being serviced by ten Citrix Provisioning Servers (also version 7.11).  The virtual desktops are rebooted after each logoff.

     

    Is it better to install the DLP agent on the Citrix Provisioning server?  If so, what are those steps, and recommended configurations for the Agent, and the Agent configurations on the Enforce server to support virtual desktops?

    Is it better to install the DLP agent in the XenDesktop virtual image?  If so, what are those steps, and recommended configurations for the Agent, and the Agent configurations on the Enforce server to support virtual desktops?



  • 2.  RE: DLP on Citrix XenDesktop Non-persistent desktops
    Best Answer

    Posted May 20, 2017 09:51 AM

    For XenDesktop, install the agent on the virtual guest OS, whether it's persistent or non-persistent. The agent works fine being installed on a master/golden image; it will retrieve its new hostname at boot. You only install the agent on the servers for XenApp.

    Stay with v14.5 while you're on Citrix XenDesktop 7.11, as there are some changes in v14.6 that require XenDesktop 7.12+ or 7.6 base (no RUs) due to Citrix bugs.

    Always recommend a separate Agent Configuration for Virtual Desktops, which you can automatically assign to the virtual desktops using Agent Groups. Citrix Drive redirection will typically be handled by the 'Copy to Network Share' channel (\\tsclient\c\) in the agent configuration on XenDesktop 7.11 - even for redirected Removable Storage drives, so you don't need Removable Storage channel enabled.