Citrix Virtual Apps and Desktops

Create policies

Note:

You can manage your Citrix Virtual Apps and Desktops deployment using two management consoles: Web Studio (web-based) and Citrix Studio (Windows-based). This article covers only Web Studio. For information about Citrix Studio, see the equivalent article in Citrix Virtual Apps and Desktops 7 2212 or earlier.

Before creating a policy, decide which group of users or devices it might affect. You might want to create a policy that is based on user job function, connection type, user device, or geographic location. You can also use the same criteria that you use for Windows Active Directory group policies.

If you already created a policy that applies to a group, consider editing that policy instead of creating another policy. After editing the policy, configure the appropriate settings. Avoid creating a policy solely to enable a specific setting or to exclude the policy from applying to certain users.

When you create a policy, you can base it on settings in a policy template and customize settings as needed. You can also create it without using a template and add all the settings you need.

In Web Studio, new policies created are set to Disabled unless the Enable policy check box is explicitly checked.

During policy creation and when configuring the settings, the system provides an option to view the settings type. You can view the following settings type:

  • All settings - View all applicable to all VDA versions
  • Current settings only - View settings specific to the current VDA version
  • Legacy settings only - View settings applicable only to the deprecated VDA versions

To view the settings while configuring the settings:

  1. Sign in to Web Studio and select Policies in the left pane.
  2. In the Policies tab, click Create Policy.
  3. In the Select Settings table, click the drop-down next to Settings.
  4. Select one of the following options from the drop-down:
  • All settings-View all settings for all VDA versions
  • Current settings only-View settings for only the current VDA versions
  • Legacy settings only-View settings for only the deprecated VDA versions
  1. The Settings table lists the settings available based on the previous step.

Policy settings

Policy settings can be enabled, disabled, or not configured. By default, policy settings aren’t configured, which means they aren’t added to a policy. Settings are applied only when they’re added to a policy.

Some policy settings can be in one of the following states:

  • Allowed or Prohibited allows or prevents the action controlled by the setting. Sometimes users are allowed or prevented from managing the setting’s action in a session. For example, if the menu animation setting is set to Allowed, users can control menu animations in their client environment.
  • Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.

In addition, some settings control the effectiveness of dependent settings. For example, Client drive redirection controls whether users are allowed to access the drives on their devices. Both this setting and the Client network drives setting must be added to the policy to allow users to access their network drives. If the Client drive redirection setting is disabled, users can’t access their network drives, even if the Client network drives setting is enabled.

In general, policy setting changes that impact machines go into effect either when the virtual desktop restarts or when a user logs on. Policy setting changes that impact users go into effect the next time users log on. If you’re using Active Directory, policy settings are updated when Active Directory reevaluates policies at 90-minute intervals. And the policy settings are applied either when the virtual desktop restarts or when a user logs on.

For some policy settings, you can enter or select a value when you add the setting to a policy. You can limit the configuration of the setting by selecting Use default value. This selection disables the configuration of the setting and allows only the setting’s default value to be used when the policy is applied. This selection is regardless of the value that was entered before selecting Use default value.

If the secure default setting is enabled, during VDA installation, the priority of the policy settings is affected as follows:

  • Customized setting takes the highest priority
  • Secure default setting takes the second priority
  • Default setting takes the least priority

To see the secure default setting for a policy:

  1. Log in to Web Studio.
  2. In the left navigation, click Policies.
  3. In the Policies tab, click Create Policy.
  4. In the Select Settings table, when you hover over the settings that have Allowed ? as their current value, the Secure default value: Prohibited is shown.

    Secure default setting

As best practices:

  • Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
  • Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. Sometimes, Remote Desktop Session Host Configuration provides similar functionality to Citrix policy settings. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
  • Disable unused policies. Policies with no settings added create unnecessary processing.

Policy assignments

When creating a policy, you assign it to certain users and machine objects. That policy is applied to connections according to specific criteria or rules. In general, you can add as many assignments as you want to a policy, based on a combination of criteria.

If you do not specify any assignments, or specify assignments but disable them, the policy is applied to all connections.

Note:

Policy assignments are also known as policy filters. For additional information, see the following topics:

The following table lists the available assignments:

Assignment name Applies a policy based on
Access Control Access control conditions through which a client is connecting. Connection type - Whether to apply the policy to connections made with or without NetScaler Gateway. NetScaler Gateway farm name - Name of the NetScaler Gateway virtual server. Access condition - Name of the end point analysis policy or session policy to use.
NetScaler SD-WAN Whether a user session is launched through NetScaler SD-WAN. Note: You can add only one NetScaler SD-WAN assignment to a policy.
Client IP Address IP address of the user device used to connect to the session: IPv4 examples: 12.0.0.0, 12.0.0.*, 12.0.0.1-12.0.0.70, 12.0.0.1/24; IPv6 examples: 2001:0db8:3c4d:0015:0:0:abcd:ef12, 2001:0db8:3c4d:0015::/54
Client Name Name of the user device. Exact match: ClientABCName. Using wildcard: Client*Name.
Delivery Group Delivery Group membership.
Delivery Group type Type of desktop or application: private desktop, shared desktop, private application, or shared application. Note: Private desktop and shared desktop filter options are available only for Citrix Virtual Apps and Desktops 7.x. For more information, see CTX219153.
Organizational Unit (OU) Organizational unit.
Tag Tags. Note: Apply this policy to all tagged machines. Application tags aren’t included.
User or Group User or group name.

When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Important:

When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings might not be applied as expected. For more information, see CTX127461

A policy named “Unfiltered” is provided by default.

  • If you use Web Studio to manage Citrix policies, the settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a Site.
  • If you use the Local Group Policy Editor to manage Citrix policies, the settings you add to the Unfiltered policy are applied to all Sites and connections. The Sites and connections must be within the scope of the Group Policy Objects (GPOs) that includes the policy. For example, the Sales OU includes a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the Site, the settings in the Unfiltered policy are automatically applied to the session. This configuration is because the user is a member of the Sales-US GPO.

An assignment’s mode determines if the policy is applied only to connections that match all the assignment criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.

  • Example: Assignments of like type with differing modes - In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:

    Policy 1 includes the following assignments:

    • Assignment A specifies the Sales group. The mode is set to Allow.
    • Assignment B specifies the Sales manager’s account. The mode is set to Deny.

    Because the mode for Assignment B is set to Deny, the policy isn’t applied when the Sales manager logs on to the Site, even though the user is a member of the Sales group.

  • Example: Assignments of differing type with like modes - In policies with two or more assignments of differing types, set to Allow, the connection must satisfy at least one assignment of each type for the policy to be applied. For example:

    Policy 2 includes the following assignments:

    • Assignment C is a User assignment that specifies the Sales group. The mode is set to Allow.
    • Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network). The mode is set to Allow.

    When the Sales manager logs on to the Site from the office, the policy is applied because the connection satisfies both assignments.

    Policy 3 includes the following assignments:

    • Assignment E is a User assignment that specifies the Sales group. The mode is set to Allow.
    • Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions. The mode is set to Allow.

    When the Sales manager logs on to the Site from the office, the policy isn’t applied because the connection does not satisfy Assignment F.

Create a policy based on a template, using Web Studio

  1. Sign in to Web Studio and select Policies in the left pane.

  2. Select the Templates tab and select a template.

  3. Select Create Policy from Template in the action bar.

  4. By default, the new policy uses all the default settings in the template. In this case, the Template default settings (recommended) is selected. If you want to change settings, select the Modify default settings and add more, and then add or remove settings.

  5. Specify how to apply the policy by selecting one of the following:

    • Selected user and machine objects. To apply the policy to selected user and machine objects, and then click Assign to select the user and machine objects to which the policy must be applied.
    • All objects in the site. To apply the policy to all user and machine objects in the site.
  6. Enter a name for the policy. Consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

    The policy is disabled by default; you can enable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you must prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

Create a policy using Web Studio

  1. Sign in to Web Studio and select Policies in the left pane.

  2. Select the Policies tab.

  3. Select Create Policy in the action bar.

  4. Add and configure policy settings.

  5. Specify how to apply the policy by choosing one of the following:

    • Assign to selected user and machine objects and then select the user and machine objects to which the policy must be applied.
    • Assign to all objects in a site to apply the policy to all user and machine objects in the Site.
  6. Enter a name for the policy or accept the default. Consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

    The policy is enabled by default; you can disable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you must prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

Create and manage policies using the Group Policy Editor

From the Group Policy Editor, expand Computer Configuration or User Configuration. Expand the Policies node and then select Citrix Policies. Choose the appropriate action:

Task Instruction
Create a policy On the Policies tab, click New.
Edit an existing policy On the Policies tab, select the policy and then click Edit.
Change the priority of an existing policy On the Policies tab, select the policy and then click either Higher or Lower.
View summary information about a policy On the Policies tab, select the policy and then click the Summary tab.
View and amend policy settings On the Policies tab, select the policy and then click the Settings tab.
View and amend policy filters On the Policies tab, select the policy and then click the Filters tab. When you add more than one filter to a policy, all the filter conditions must be met for the policy to be applied.
Enable or disable a policy On the Policies tab, select the policy and then select either Actions > Enable or Actions > Disable.
Create a policy from an existing template On the Templates tab, select the template and then click New Policy.
Create policies