Prioritize, model, compare, and troubleshoot policies
You can use policies to customize your environment to meet the needs of users based on the following:
- Job functions
- Geographic locations
- Connection types
For example, for improved security, place restrictions on user groups who regularly interact with sensitive data.
You can also create a policy that prevents users from saving sensitive files on their local client drives. You can create another policy for users in the user group who need access to their local drives. You then rank the two policies to control which one takes precedence. When using many policies, you must determine:
- How to prioritize the policies
- How to create exceptions
- How to view the effective policy when policies conflict
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The identification of all policies that match the assignments for the connection happens when a user signs on to the system. The identified policies and their associated settings are sorted into priority order. Each setting is applied according to the priority ranking of the policy.
You can prioritize policies by giving them different priority numbers in the Web Studio. By default, a new policy gets the lowest priority. If there are conflicts among settings of policies, a policy with a higher priority overrides a policy with a lower priority. The policy with priority number 1 has the highest priority. Policy settings are merged according to the following:
- The priorities of the policies
- The conditions specified in the filters of the policies
- Select Policies in the Web Studio navigation pane. Ensure that you select the Policies tab.
- Select a policy.
- Select Lower Priority or Higher Priority in the Actions pane.
When you create policies and use filters to assign them to groups of users, user devices, or machines, you might find that some members of the group need exceptions to some policy settings. You can create exceptions by:
- Creating a policy only for specific group members who need exceptions and then ranking that policy higher than the policy for the entire group
- Using the Deny mode for an assignment added to the policy
An assignment with the mode set to Deny applies a policy only to connections that don’t match the assignment criteria. For example, a policy includes the following assignments:
- Assignment A is a client IP address assignment that specifies the range 208.77.88.*. The mode is set to Allow.
- Assignment B is a user assignment that specifies a particular user account. The mode is set to Deny.
The policy applies to all users who sign on to the site with IP addresses in the range that is specified in Assignment A. However, the policy doesn’t apply to the user who signs on to the site with the user account specified in Assignment B.
During the Assign Policy step, if you deselect the enable check box, the assignment is disabled for the policy. If the only assignment for the policy is disabled, it is the same as not having any assignment, and, therefore, the policy applies to all objects in the site.
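The following added example is a simplified Python model of the rules above, not Citrix code: priority 1 wins conflicts, a Deny assignment excludes matching connections, and a policy whose only assignment is disabled applies to everyone. The policy names, setting keys, and user names are hypothetical, and the model assumes that when a policy has several enabled assignments, all of them must be satisfied.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Assignment:
    kind: str             # connection attribute to test: "client_ip" or "user"
    pattern: str          # wildcard pattern, e.g. "208.77.88.*"
    mode: str = "Allow"   # "Allow" or "Deny"
    enabled: bool = True

    def satisfied(self, conn):
        matched = fnmatchcase(conn[self.kind], self.pattern)
        # Deny inverts the test: the policy applies only when there is no match.
        return matched if self.mode == "Allow" else not matched

@dataclass
class Policy:
    name: str
    priority: int         # 1 is the highest priority
    settings: dict
    assignments: list = field(default_factory=list)
    enabled: bool = True

    def applies_to(self, conn):
        if not self.enabled:
            return False
        active = [a for a in self.assignments if a.enabled]
        # No enabled assignment left: the policy applies to all objects.
        # Assumption: several enabled assignments must all be satisfied.
        return all(a.satisfied(conn) for a in active)

def resultant_set(policies, conn):
    """Return {setting: (value, winning policy name)} for one connection."""
    result = {}
    matching = [p for p in policies if p.applies_to(conn)]
    # Apply lowest priority first so higher-priority values overwrite them.
    for p in sorted(matching, key=lambda p: p.priority, reverse=True):
        for key, value in p.settings.items():
            result[key] = (value, p.name)
    return result

# Constructed sample data; every name and setting key here is hypothetical.
POLICIES = [
    Policy("drive-exception", 1, {"client_drives": "allowed"},
           [Assignment("user", "auditor")]),
    Policy("lock-down-range", 2, {"client_drives": "blocked", "clipboard": "blocked"},
           [Assignment("client_ip", "208.77.88.*"),
            Assignment("user", "kiosk", mode="Deny")]),
    Policy("site-default", 3, {"clipboard": "allowed"},
           [Assignment("user", "nobody", enabled=False)]),
]

def demo(user, ip):
    return resultant_set(POLICIES, {"user": user, "client_ip": ip})
```

Recording the winning policy name next to each value shows which policy to inspect when a connection does not behave as expected.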
Determine which policies apply to a connection
Sometimes a connection does not respond as expected because multiple policies apply. If a higher priority policy applies to a connection, it can override the settings you configure in the original policy. You can calculate the Resultant Set of Policy and determine how the final policy settings are merged for a connection.
You can calculate the Resultant Set of Policy in the following ways:
- Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as:
- Citrix policy assignment evidence values
- Use Group Policy Results to create a report describing the Citrix policies in effect for a given user and Virtual Delivery Agent (VDA).
Site policy settings created using Web Studio aren’t included in the Resultant Set of Policy when you run the Citrix Group Policy Modeling wizard from the Group Policy Management console. To verify that you obtain the most comprehensive Resultant Set of Policy, Citrix recommends starting the Citrix Group Policy Modeling wizard from the Web Studio, unless you create policies using only the Group Policy Management console.
Use the Citrix Group Policy Modeling wizard [Technical Preview]
Perform the following steps to open the Citrix Group Policy Modeling wizard:
- Select Policies in the Web Studio navigation pane.
- Select the Modeling tab.
- Select Launch Modeling Wizard in the Actions pane.
Follow the wizard instructions to select the following:
- Filter evidence to use in the simulation
After you click Finish, the wizard generates a report of the modeling results.
To view the report, select View Modeling Report.
Technical previews are available for customers to test in their non-production or limited production environments, and to give customers a chance to share feedback. Citrix does not accept support cases for feature previews but welcomes feedback for improving them. Citrix might or might not act on feedback based on its severity, criticality, and importance. It’s advised that Beta builds aren’t deployed in production environments.
Compare policies and templates
You can compare the settings in a policy or template with the settings of the other policies or templates. For example, you might want to verify setting values to maintain compliance with best practices. You might also want to compare settings in a policy or template with the default settings.
- Select Policies in the Web Studio navigation pane.
- Click the Comparison tab and then click Select.
- Choose the policies or templates to compare. To include default values in the comparison, select the Compare to default settings check box.
- After you click Compare, the configured settings are displayed in columns.
- To see all settings, select Show All Settings. To return to the default view, select Show Common Settings.
Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected. When you run the Citrix Group Policy Modeling wizard, you might discover that no policies apply to user connections. In such a scenario, policy settings don’t apply to the users who connect to their applications and desktops under conditions that match the evaluation criteria of the policy. This situation happens when:
- No policies have assignments that match the evaluation criteria of the policy.
- Policies that match the assignment don’t have any settings configured.
- Policies that match the assignment are disabled.
If you want to apply policy settings to the connections that meet the specified criteria, make sure:
- The policies you want to apply to those connections are enabled.
- The policies you want to apply have the appropriate settings configured.
In the second hop of double-hop scenarios, consider that a single-session OS VDA connects to a multi-session OS VDA. In this case, Citrix policies act on the single-session OS VDA as if it were the user device. For example, suppose policies are set to cache images on the user device. In this example, the images cached for the second hop in a double-hop scenario are cached on the single-session OS VDA machine.
Non-administrators can use the Director to view policies that apply to a user session.