This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Create policies
Before creating a policy, decide which group of users or devices it might affect. You might want to create a policy that is based on user job function, connection type, user device, or geographic location.
If you already created a policy that applies to a group, consider editing that policy instead of creating another policy. After editing the policy, configure the appropriate settings. Avoid creating a policy solely to enable a specific setting or to exclude the policy from applying to certain users.
When you create a policy, you can base it on settings in a policy template and customize settings as needed. You can also create it without using a template and add all the settings you need.
In Citrix Studio, new policies created are set to Disabled unless the Enable policy check box is explicitly checked.
During policy creation and when configuring the settings, the system provides an option to view the settings type. You can view the following settings type:
- All settings - View all settings for all VDA versions
- Current settings only - View settings for only the current VDA versions
- Legacy settings only - View settings for only the deprecated VDA versions
To view the settings while configuring the settings:
- Log in to DaaS Premium.
- In the left-navigation, click Policies.
- In the Policies tab, click Create Policy.
- In the Select Settings table, click the drop-down next to Settings.
-
Select one of the following options from the drop down:
- All settings - View all settings for all VDA versions
- Current settings only - View settings for only the current VDA versions
- Legacy settings only - View settings for only the deprecated VDA versions
- The Settings table lists the settings available based on the previous step.
Policy settings
Policy settings can be enabled, disabled, or not configured. By default, policy settings aren’t configured, which means they aren’t added to a policy. Settings are applied only when they’re added to a policy.
When configuring the settings for creating or editing a policy, if all delivery groups are disabled, then the system displays a None of the elements in this filter is enabled warning notification sign. If at least one delivery group is enabled, the system does not display the warning sign.
To view the warning while creating a policy:
- Log in to DaaS Premium.
- In the left-navigation, click Policies.
- In the Policies tab, click Create Policy.
- In the Select Settings table, select any setting and click Next.
- In the Assign Policy To table, select a filter from the drop-down.
- Unselect the Enable checkbox and click Save.
Note:
Not all filters support unselecting the Enable checkbox. In the Filters table, the filter displays the warning.
To view the warning while editing a policy:
- Log in to DaaS Premium.
- In the left-navigation, click Policies.
- In the Policies tab, select any of the policies listed and click Edit Policy.
- In the Edit Policy page, click Assign Policy To in the left navigation.
-
In the Filter table, select or click Edit for the required filter:
- If a filter does not have the Edit button, select the filter.
- If a filter has the edit button, click Edit.
- Unselect the Enable option and click Save.
Note:
Not all filters support unselecting the Enable checkbox. In the Filters table, the filter displays the warning.
Some policy settings can be in one of the following states:
- Allowed or Prohibited allows or prevents the action controlled by the setting. Sometimes users are allowed or prevented from managing the setting’s action in a session. For example, if the menu animation setting is set to Allowed, users can control menu animations in their client environment
- Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.
In addition, some settings control the effectiveness of dependent settings. For example, Client drive redirection controls whether users are allowed to access the drives on their devices. Both this setting and the Client network drives setting must be added to the policy to allow users to access their network drives. If the Client drive redirection setting is disabled, users can’t access their network drives, even if the Client network drives setting is enabled.
In general, policy setting changes that impact machines go into effect either when the virtual desktop restarts or when a user logs on. Policy setting changes that impact users go into effect the next time users log on.
For some policy settings, you can enter or select a value when you add the setting to a policy. You can limit the configuration of the setting by selecting Use default value. This selection disables the configuration of the setting and allows only the setting’s default value to be used when the policy is applied. This selection is regardless of the value that was entered before selecting Use default value.
As best practice:
- Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
- Disable unused policies. Policies with no settings added create unnecessary processing.
Policy assignments
When creating a policy, you assign it to certain users and machine objects. That policy is applied to connections according to specific criteria or rules. In general, you can add as many assignments as you want to a policy, based on a combination of criteria. If you specify no assignments, the policy is applied to all connections.
If you do not specify any assignments, or specify assignments but disable them, the policy is applied to all connections.
Note:
Policy assignments are also known as policy filters. For additional information, see the following topics:
The following table lists the available assignments:
Assignment name | Applies a policy based on |
---|---|
Access Control | Access control conditions through which a client is connecting. Connection type - Whether to apply the policy to connections made with or without NetScaler Gateway. NetScaler Gateway farm name - Name of the NetScaler Gateway virtual server. Access condition - Name of the end point analysis policy or session policy to use. |
Citrix SD-WAN | Whether a user session is launched through Citrix SD-WAN. Note: You can add only one Citrix SD-WAN assignment to a policy. |
Client IP Address | IP address of the user device used to connect to the session: IPv4 examples: 12.0.0.0, 12.0.0.*, 12.0.0.1-12.0.0.70, 12.0.0.1/24; IPv6 examples: 2001:0db8:3c4d:0015:0:0:abcd:ef12, 2001:0db8:3c4d:0015::/54 |
Client Name | Name of the user device. Exact match: ClientABCName. Using wildcard: Client*Name. |
Delivery Group | Delivery Group membership. |
Delivery Group type | Type of desktop or application: private desktop, shared desktop, private application, or shared application. |
Organizational Unit (OU) | Organizational unit. |
Tag | Tags. Note: Apply this policy to all tagged machines. Application tags aren’t included. |
User or Group | User or group name. |
When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.
Important:
When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings might not be applied as expected. For more information, see CTX127461.
A policy named “Unfiltered” is provided by default.
- If you use Studio manage Citrix policies, the settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a Site.
- The Sites and connections must be within the scope of the Group Policy Objects (GPOs) that includes the policy. For example, the Sales OU includes a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the Site, the settings in the Unfiltered policy are automatically applied to the session. This configuration is because the user is a member of the Sales-US GPO.
An assignment’s mode determines if the policy is applied only to connections that match all the assignment criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.
-
Example: Assignments of like type with differing modes - In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:
Policy 1 includes the following assignments:
- Assignment A specifies the Sales group. The mode is set to Allow.
- Assignment B specifies the Sales manager’s account. The mode is set to Deny.
Because the mode for Assignment B is set to Deny, the policy isn’t applied when the Sales manager logs on to the Site, even though the user is a member of the Sales group.
-
Example: Assignments of differing type with like modes - In policies with two or more assignments of differing types, set to Allow, the connection must satisfy at least one assignment of each type for the policy to be applied. For example:
Policy 2 includes the following assignments:
- Assignment C is a User assignment that specifies the Sales group. The mode is set to Allow.
- Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network). The mode is set to Allow.
When the Sales manager logs on to the Site from the office, the policy is applied because the connection satisfies both assignments.
Policy 3 includes the following assignments:
- Assignment E is a User assignment that specifies the Sales group. The mode is set to Allow.
- Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions. The mode is set to Allow.
When the Sales manager logs on to the Site from the office, the policy isn’t applied because the connection doesn’t meet the requirements of Assignment F.
Share
Share
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.