Citrix DaaS™

Manage advanced policy scenarios

You can use policies to customize your environment to meet the needs of users based on criteria such as:

  • Job functions
  • Geographic locations
  • Connection types

For example, to improve security, you can restrict access for users who regularly handle sensitive data. You can also create a policy that prevents users from saving files to local client drives, and create another policy to allow local drive access for a specific user group. By assigning and prioritizing these policies, you control which one takes effect.

When working with multiple policies, consider the following:

Prioritize policies

Prioritizing policies lets you define which policy takes precedence when policies contain conflicting settings. When a user signs on, Citrix® identifies all policies that match the assignments for the connection and sorts them, with their associated settings, into priority order. Each setting is applied according to the priority ranking of the policy.

You prioritize policies by giving them different priority numbers in Studio. A lower number means a higher priority; a policy with the priority number 1 is the highest-priority policy. By default, a new policy gets the lowest priority. If settings conflict, the setting from the higher-priority policy overrides the setting from the lower-priority policy. Policy settings are merged according to the following:

  • Priorities of the policies
  • Conditions specified in the filters of the policies

To change policy priorities, follow these steps:

  1. In Studio, select Policies in the left pane.
  2. On the Policies tab, select Change Policy Priorities from the action bar.
  3. On the Change Policy Priorities page that appears, use the following methods:

    • Drag the policy to a desired position.
    • To move it up or down by one position, click the Up or Down arrow icon respectively.
    • To move it to the top or bottom of the list, click the Top or Bottom arrow icon respectively.
    • To change the priority number, click the Edit icon, enter a number as needed, and then click Save.
  4. Click Save to apply changes.

Manage policy assignment exceptions

When you create policies and use filters to assign them to groups of users, user devices, or machines, you might find that some members of the group need exceptions to some policy settings.

You can make exceptions for certain users or machines within a group by:

  • Creating a separate policy only for those group members and giving it higher priority
  • Using the Deny mode for an assignment added to the policy

An assignment with the mode set to Deny means that the policy applies to connections that don’t match the assignment criteria. For example, a policy includes the following assignments:

  • Assignment A: Client IP address assignment range 208.77.88.*, mode = Allow.
  • Assignment B: Specific user account, mode = Deny.

This policy applies to users connecting from the specified IP range, except the user defined in Assignment B.

Note:

In the Assign Policy step, if you clear the Enable checkbox, the assignment is disabled. If a policy has no enabled assignments, it applies to all objects in the site.
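The following added example (not Citrix code) is a simplified Python model of the priority merge and the Allow/Deny assignment rules described above, applied to the client-drive scenario from the introduction. The setting key, filter names, and account names are hypothetical, and it assumes a policy applies only when every enabled Allow assignment matches and no enabled Deny assignment matches.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Assignment:
    kind: str             # hypothetical filter names: "client_ip", "user"
    pattern: str          # wildcard pattern such as "208.77.88.*"
    mode: str = "Allow"   # "Allow" or "Deny"
    enabled: bool = True

@dataclass
class Policy:
    name: str
    priority: int         # 1 is the highest priority
    settings: dict
    assignments: list = field(default_factory=list)
    enabled: bool = True

def applies(policy, conn):
    """Return True if the policy applies to conn (a dict of kind -> value)."""
    if not policy.enabled:
        return False
    for a in policy.assignments:
        if not a.enabled:
            continue  # a disabled assignment is ignored
        hit = fnmatchcase(conn.get(a.kind, ""), a.pattern)
        # Assumption: every Allow must match and no Deny may match.
        if hit != (a.mode == "Allow"):
            return False
    # Also reached when no assignment is enabled: applies to all objects.
    return True

def resultant_settings(policies, conn):
    """Merge applicable policies into {setting: (value, winning policy)}."""
    result = {}
    # Walk from lowest priority up to priority 1 so higher priority overwrites.
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if applies(p, conn):
            for key, value in p.settings.items():
                result[key] = (value, p.name)
    return result

# Constructed sample policies; setting key and account names are made up.
POLICIES = [
    Policy("Allow drives from office range", 1, {"client_drive_access": "allowed"},
           [Assignment("client_ip", "208.77.88.*"),
            Assignment("user", "CORP\\contractor1", mode="Deny")]),
    Policy("Block client drives", 2, {"client_drive_access": "prohibited"}),
]
```

In this model the restrictive baseline has no assignments and therefore applies site-wide, while the Deny assignment keeps one account out of the higher-priority exception. The same rule means that clearing every Enable checkbox on a permissive policy would extend it to all objects in the site.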

Evaluate which policies apply to a connection

If a connection doesn’t behave as expected, it might be due to conflicting policies. Higher-priority policies can override others.

Use one of the following Resultant Set of Policy methods to evaluate which settings apply to a given connection:

  • Citrix Group Policy Modeling Wizard

    Simulate a connection scenario by specifying users and assignment conditions.

  • Group Policy Results

    Generate a report of Citrix policies applied to a user and Virtual Delivery Agent (VDA).

Site policy settings created using Studio aren’t included in the Resultant Set of Policy when you run the Citrix Group Policy Modeling wizard from the Group Policy Management Console (GPMC).

To verify that you obtain the most comprehensive Resultant Set of Policy, we recommend starting the Policy Modeling wizard from Studio, unless you create policies using only the GPMC. For more information, see Simulate policies using the Policy Modeling wizard.

Troubleshoot policies

Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected.

When you run the Policy Modeling wizard, you might discover that no policies apply to user connections. In such scenarios, policy settings don’t apply to the users who connect to their applications and desktops under conditions that match the evaluation criteria of the policy. This situation happens when:

  • No policies have assignments that match the evaluation criteria of the policy.
  • Policies that match the assignment don’t have any settings configured.
  • Policies that match the assignment are disabled.

To ensure correct application:

  • Enable the policies
  • Configure at least one setting for each policy

Note:

In double-hop scenarios (for example, a single-session OS VDA connecting to a multi-session OS VDA), Citrix policies treat the single-session OS VDA as the user device. For example, suppose policies are set to cache images on the user device. In this case, the images cached for the second hop apply to the first-hop machine.

Use Director to view applied policies

Non-administrators can use Director to view policies that apply to a user session.
