Citrix DaaS

Create policies

Before creating a policy, decide which group of users or devices it might affect. You might want to create a policy that is based on user job function, connection type, user device, or geographic location.

If you already created a policy that applies to a group, consider editing that policy instead of creating another policy. After editing the policy, configure the appropriate settings. Avoid creating a policy solely to enable a specific setting or to exclude the policy from applying to certain users.

When you create a policy, you can base it on settings in a policy template and customize settings as needed. You can also create it without using a template and add all the settings you need.

In Citrix Studio, new policies created are set to Disabled unless the Enable policy check box is explicitly checked.

During policy creation and when configuring the settings, the system provides an option to view the settings type. You can view the following settings type:

  • All settings - View all settings for all VDA versions
  • Current settings only - View settings for only the current VDA versions
  • Legacy settings only - View settings for only the deprecated VDA versions

To view the settings while configuring the settings:

  1. Log in to DaaS Premium.
  2. In the left-navigation, click Policies.
  3. In the Policies tab, click Create Policy.
  4. In the Select Settings table, click the drop-down next to Settings.
  5. Select one of the following options from the drop down:

    • All settings - View all settings for all VDA versions
    • Current settings only - View settings for only the current VDA versions
    • Legacy settings only - View settings for only the deprecated VDA versions
  6. The Settings table lists the settings available based on the previous step.

Policy settings

Policy settings can be enabled, disabled, or not configured. By default, policy settings aren’t configured, which means they aren’t added to a policy. Settings are applied only when they’re added to a policy.

The policy settings are enhanced to provide clarity between dependent policies. This feature ensures that the parent policy is configured first for the child policy settings to take effect when configured.

To configure the policy settings:

  1. On the Create Policy page, under Select Settings, search for “overall”. All the policies (parent and children) related to Overall session bandwidth limit are listed.
  2. When you hover over a child policy, a tool tip instructs you that the child policy cannot be configured until the Overall session bandwidth limit parent policy is configured.
  3. Configure the parent policy settings and then configure the child policy settings and click Save.
  4. The Settings and Current Value columns show the values configured in the Create/Edit policy table. The table shows the Edit option for you to modify the configured settings.

Dependent policy settings

Note:

  • The child policies cannot be selected until the parent policy is configured.
  • If the parent policy is unchecked, a pop-up message instructs that the child policies associated will also get unchecked or unselected.

The following table provides the list of parent policies along with the corresponding dependent or child policies.

Parent policy Dependent Child policies
Overall session bandwidth limit







Audio redirection bandwidth limit percent
Clipboard redirection bandwidth limit percent
COM port redirection bandwidth limit percent
File redirection bandwidth limit percent
HDX MediaStream Multimedia Acceleration bandwidth limit percent
LPT port redirection bandwidth limit percent
Printer redirection bandwidth limit percent
Client USB device redirection bandwidth limit percent
TWAIN device redirection bandwidth limit percent
Allow bidirectional content redirection
Allowed URLs to be redirected to Client
Allowed URLs to be redirected to VDA
CPU usage CPU usage excluded process priority
Legacy graphics mode Progressive compression level
Enable session watermark

Watermark custom text
Session watermark style
Watermark transparency
HDX adaptive transport Loss tolerant mode for audio

When configuring the settings for creating or editing a policy, if all delivery groups are disabled, then the system displays a None of the elements in this filter is enabled warning notification sign. If at least one delivery group is enabled, the system does not display the warning sign.

To view the warning while creating a policy:

  1. Log in to DaaS Premium.
  2. In the left-navigation, click Policies.
  3. In the Policies tab, click Create Policy.
  4. In the Select Settings table, select any setting and click Next.
  5. In the Assign Policy To table, select a filter from the drop-down.
  6. Unselect the Enable checkbox and click Save.

Note:

Not all filters support unselecting the Enable checkbox. In the Filters table, the filter displays the warning.

To view the warning while editing a policy:

  1. Log in to DaaS Premium.
  2. In the left-navigation, click Policies.
  3. In the Policies tab, select any of the policies listed and click Edit Policy.
  4. In the Edit Policy page, click Assign Policy To in the left navigation.
  5. In the Filter table, select or click Edit for the required filter:

    • If a filter does not have the Edit button, select the filter.
    • If a filter has the edit button, click Edit.
  6. Unselect the Enable option and click Save.

Note:

Not all filters support unselecting the Enable checkbox. In the Filters table, the filter displays the warning.

Some policy settings can be in one of the following states:

-  Allowed or Prohibited allows or prevents the action controlled by the setting. Sometimes users are allowed or prevented from managing the setting’s action in a session. For example, if the menu animation setting is set to Allowed, users can control menu animations in their client environment
-  Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.

If the secure default setting is enabled, during VDA installation, the priority of the policy settings is affected as follows:

  • Customized setting takes the highest priority
  • Secure default setting takes the second priority
  • Default setting takes the least priority

To see the secure default setting for a policy:

  1. Sign in to DaaS Premium.
  2. In the left-navigation, click Policies.
  3. In the Policies tab, click Create Policy.
  4. In the Select Settings table, when you hover-over the settings that have Allowed ? as their current value, the Secure default value: Prohibited is shown.

    Secure default setting

In addition, some settings control the effectiveness of dependent settings. For example, Client drive redirection controls whether users are allowed to access the drives on their devices. Both this setting and the Client network drives setting must be added to the policy to allow users to access their network drives. If the Client drive redirection setting is disabled, users can’t access their network drives, even if the Client network drives setting is enabled.

In general, policy setting changes that impact machines go into effect either when the virtual desktop restarts or when a user logs on. Policy setting changes that impact users go into effect the next time users log on.

For some policy settings, you can enter or select a value when you add the setting to a policy. You can limit the configuration of the setting by selecting Use default value. This selection disables the configuration of the setting and allows only the setting’s default value to be used when the policy is applied. This selection is regardless of the value that was entered before selecting Use default value.

As best practice:

  • Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
  • Disable unused policies. Policies with no settings added create unnecessary processing.

Policy assignments

When creating a policy, you assign it to certain users and machine objects. That policy is applied to connections according to specific criteria or rules. In general, you can add as many assignments as you want to a policy, based on a combination of criteria. If you specify no assignments, the policy is applied to all connections.

If you do not specify any assignments, or specify assignments but disable them, the policy is applied to all connections.

Note:

Policy assignments are also known as policy filters. For additional information, see the following topics:

The following table lists the available assignments:

Assignment name Applies a policy based on
Access Control Access control conditions through which a client is connecting. Connection type - Whether to apply the policy to connections made with or without NetScaler Gateway. NetScaler Gateway farm name - Name of the NetScaler Gateway virtual server. Access condition - Name of the end point analysis policy or session policy to use.
Citrix SD-WAN Whether a user session is launched through Citrix SD-WAN. Note: You can add only one Citrix SD-WAN assignment to a policy.
Client IP Address IP address of the user device used to connect to the session: IPv4 examples: 12.0.0.0, 12.0.0.*, 12.0.0.1-12.0.0.70, 12.0.0.1/24; IPv6 examples: 2001:0db8:3c4d:0015:0:0:abcd:ef12, 2001:0db8:3c4d:0015::/54
Client Name Name of the user device. Exact match: ClientABCName. Using wildcard: Client*Name.
Delivery Group Delivery Group membership.
Delivery Group type Type of desktop or application: private desktop, shared desktop, private application, or shared application.
Organizational Unit (OU) Organizational unit.
Tag Tags. Note: Apply this policy to all tagged machines. Application tags aren’t included.
User or Group User or group name.

When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Important:

When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings might not be applied as expected. For more information, see CTX127461.

A policy named “Unfiltered” is provided by default.

  • If you use Studio manage Citrix policies, the settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a Site.
  • The Sites and connections must be within the scope of the Group Policy Objects (GPOs) that includes the policy. For example, the Sales OU includes a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the Site, the settings in the Unfiltered policy are automatically applied to the session. This configuration is because the user is a member of the Sales-US GPO.

An assignment’s mode determines if the policy is applied only to connections that match all the assignment criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.

  • Example: Assignments of like type with differing modes - In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:

    Policy 1 includes the following assignments:

    • Assignment A specifies the Sales group. The mode is set to Allow.
    • Assignment B specifies the Sales manager’s account. The mode is set to Deny.

    Because the mode for Assignment B is set to Deny, the policy isn’t applied when the Sales manager logs on to the Site, even though the user is a member of the Sales group.

  • Example: Assignments of differing type with like modes - In policies with two or more assignments of differing types, set to Allow, the connection must satisfy at least one assignment of each type for the policy to be applied. For example:

    Policy 2 includes the following assignments:

    • Assignment C is a User assignment that specifies the Sales group. The mode is set to Allow.
    • Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network). The mode is set to Allow.

    When the Sales manager logs on to the Site from the office, the policy is applied because the connection satisfies both assignments.

    Policy 3 includes the following assignments:

    • Assignment E is a User assignment that specifies the Sales group. The mode is set to Allow.
    • Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions. The mode is set to Allow.

    When the Sales manager logs on to the Site from the office, the policy isn’t applied because the connection doesn’t meet the requirements of Assignment F.

Create policies