Prioritize, model, compare, and troubleshoot policies
You can use policies to customize your environment to meet the needs of users based on the following:
- Job functions
- Geographic locations
- Connection types
For example, for improved security, place restrictions on user groups who regularly interact with sensitive data.
You can also create a policy that prevents users from saving sensitive files on their local client drives. You can create another policy for users in the user group who needs to access to their local drives. You then rank the two policies to control which one takes precedence. When using many policies, you must determine:
- How to prioritize the policies
- How to create exceptions
- How to view the effective policy when policies conflict
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The identification of all policies that match the assignments for the connection happens when a user signs on to the system. The identified policies and their associated settings are sorted into priority order. Each setting is applied according to the priority ranking of the policy.
You can prioritize policies by giving them different priority numbers in the Web Studio. By default, a new policy gets the lowest priority. If there are conflicts among settings of policies, a policy with a higher priority overrides a policy with a lower priority. A policy with the priority number of 1 is the highest priority policy. Policy settings are merged according to the following:
- Priorities of the policies
- Conditions specified in the filters of the policies
To prioritize policies, follow these steps:
- Select Policies in the left pane.
- On the Policies tab, select Change Policy Priorities in the action bar. The Change Policy Priorities page appears.
In the priority list, use the following ways to change the priority for a policy:
- Drag the policy to a desired position.
- To move it up or down by one position, click the Up or Down arrow icon respectively.
- To move it to the top or bottom of the list, click the Top or Bottom arrow icon respectively.
- To change the priority number, click the Edit icon, enter a number as needed, and then click Save.
- Click Save.
When you create policies and use filters to assign them to groups of users, user devices, or machines, you might find that some members of the group need exceptions to some policy settings. You can create exceptions by:
- Creating a policy only for specific group members who need exceptions and then ranking that policy higher than the policy for the entire group
- Using the Deny mode for an assignment added to the policy
An assignment with the mode set to Deny applies a policy only to connections that don’t match the assignment criteria. For example, a policy includes the following assignments:
Assignment A is a client IP address assignment that specifies the range
208.77.88.*. The mode is set to Allow.
- Assignment B is a user assignment that specifies a particular user account. The mode is set to Deny.
The policy applies to all users who signs n to the site with IP addresses in the range that is specified in Assignment A. However, the policy doesn’t apply to the user who signs on to the site with the user account specified in Assignment B.
During the Assign Policy step, if you deselect the enable check box, assignment is disabled for the policy. If the only assignment for the policy is disabled, it is the same as not having any assignment, and, therefore, the policy applies to all objects in the site.
Determine which policies apply to a connection
Sometimes a connection does not respond as expected because multiple policies apply. If a higher priority policy applies to a connection, it can override the settings you configure in the original policy. You can calculate the Resultant Set of Policy and determine how the final policy settings are merged for a connection.
You can calculate the Resultant Set of Policy in the following ways:
- Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as:
- Citrix policy assignment evidence values
- Use Group Policy Results to create a report describing the Citrix policies in effect for a given user and Virtual Delivery Agent (VDA).
Site policy settings created using Web Studio aren’t included in the Resultant Set of Policy when you run the Citrix Group Policy Modeling wizard from the Group Policy Management console. To verify that you obtain the most comprehensive Resultant Set of Policy, Citrix recommends starting the Citrix Group Policy Modeling wizard from the Web Studio, unless you create policies using only the Group Policy Management console.
Use the policy modeling wizard
Policy modeling helps you simulate enabled policies with filters for planning and testing purposes. Only enabled policies with filters are modeled. Disabled policies are never applied and enabled policies without filters are always applied.
Perform the following steps to open the Policy Modeling wizard:
- In Full Configuration, select Policies.
- Select the Modeling tab.
- Select Policy Modeling in the action bar.
- Read the Introduction page and click Next.
- Select users or computers. You can browse for containers or specific users or computers. Click Next.
- Choose your filter evidence. You can optionally get more granular with your simulation by entering additional details, such as Delivery group, Tags, Client IP address, and so on. Click Next.
- Review the summary of your selections and click Run.
After you click Run, the wizard generates a report of the modeling results. While viewing this report, you can:
- Select if you would like to view All settings, Computer settings, or User settings in the drop-down menu.
- Use the search bar to look for specific settings.
- Click a specific setting to view details of that setting. For example, if all user settings were not applied for a specific policy, the Details pane shows you the reason why the settings were not applied.
- Click Export to export the modeling results in JSON format, HTML format, or both.
After running policy modeling, more options become available to you. You can:
- View Modeling Report: This opens the same modeling report from above so you can view it again or export it.
- Rerun Policy Modeling: This allows you to rerun policy modeling with the same set of criteria selected previously and generate new modeling results. This is useful if some policies have changed and you would like to see how those changes affect your current model.
- Delete Modeling Report: This deletes the current modeling report.
Compare policies and templates
You can compare the settings in a policy or template with the settings of the other policies or templates. For example, you might want to verify setting values to maintain compliance with best practices. You might also want to compare settings in a policy or template with the default settings.
- Select Policies in the Web Studio navigation pane.
- Click the Comparison tab and then click Select.
- Choose the policies or templates to compare. To include default values in the comparison, select the Compare to default settings check box.
- After you click Compare, the configured settings are displayed in columns.
- To see all settings, select Show All Settings. To return to the default view, select Show Common Settings.
Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected. When you run the Citrix Group Policy Modeling wizard, you might discover that no policies apply to user connections. In such a scenario, policy settings doesn’t apply to the users who connect to their applications and desktops under conditions that match the evaluation criteria of the policy. This situation happens when:
- No policies have assignments that match the evaluation criteria of the policy.
- Policies that match the assignment don’t have any settings configured.
- Policies that match the assignment are disabled.
If you want to apply policy settings to the connections that meet the specified criteria, make sure:
- The policies you want to apply to those connections are enabled.
- The policies you want to apply have the appropriate settings configured.
In the second hop of double-hop scenarios, consider that a single-session OS VDA connects to multi-session OS VDA. In this case, Citrix policies act on the single-session OS VDA as if it were the user device. For example, consider policies are set to cache images on the user device. In this example, the images cached for the second hop in a double-hop scenario are cached on the single-session OS VDA machine.
Non-administrators can use the Director to view policies that applies to a user session.