Compare, prioritize, model, and troubleshoot policies
You can use multiple policies to customize your environment to meet users’ needs based on their job functions, geographic locations, or connection types. For example, for enhanced security, place restrictions on user groups who regularly interact with sensitive data.
You can also create a policy that prevents users from saving sensitive files on their local client drives. However, if some users in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one takes precedence. When using multiple policies, you must determine:
- How to prioritize the policies
- How to create exceptions
- How to view the effective policy when policies conflict.
In general, policies override similar settings configured for the entire Site, for specific Delivery Controllers, or on the user device. The exception to this principle is security. The highest encryption setting in your environment, including the operating system and the most restrictive shadowing setting, always overrides other settings and policies.
Citrix policies interact with policies that you set in your operating system. In a Citrix environment, Citrix settings override the same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. This includes settings related to typical Remote Desktop Protocol (RDP) client connection settings, such as desktop wallpaper, menu animation, and view window contents while dragging.
Some policy settings, such as Secure ICA, must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you’re delivering applications and desktops can be overridden.
For example, the encryption settings that you specify when creating Delivery Groups must be at the same level as the encryption settings you specified throughout your environment.
In the second hop of a double-hop scenario, where a Single-session OS VDA connects to a Multi-session OS VDA, Citrix policies act on the Single-session OS VDA as if it were the user device. For example, if policies are set to cache images on the user device, the images cached for the second hop are cached on the Single-session OS VDA machine.
Compare policies and templates
You can compare the settings in a policy or template with the settings of the other policies or templates. For example, you might need to verify setting values to maintain compliance with best practices. You might also want to compare settings in a policy or template with the default settings that are provided by Citrix.
- Select Policies in the Studio navigation pane.
- Click the Comparison tab and then click Select.
- Choose the policies or templates to compare. To include default values in the comparison, select the Compare to default settings check box.
- After you click Compare, the configured settings are displayed in columns.
- To see all settings, select Show All Settings. To return to the default view, select Show Common Settings.
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.
You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting’s condition, for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override lower-ranked settings.
- Select Policies in the Studio navigation pane. Make sure that the Policies tab is selected.
- Select a policy.
- Select Lower Priority or Higher Priority in the Actions pane.
When you create policies for groups of users, user devices, or machines, you might find that some members of the group require exceptions to some policy settings. You can create exceptions by:
- Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
- Using the Deny mode for an assignment added to the policy
An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For example, a policy includes the following assignments:
- Assignment A is a client IP address assignment that specifies the range 208.77.88.*. The mode is set to Allow.
- Assignment B is a user assignment that specifies a particular user account. The mode is set to Deny.
The policy is applied to all users who log on to the Site with IP addresses in the range that is specified in Assignment A. However, the policy isn’t applied to the user logging on to the Site with the user account specified in Assignment B.
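The priority merge and the Allow/Deny assignment example above can be traced with a small model. This is an added example, not Citrix code: the policy names, setting labels, user accounts and the matching rule (every Allow assignment must match and no Deny assignment may match) are assumptions made for illustration; only the 208.77.88.* range comes from the text.

```python
from fnmatch import fnmatchcase

# Constructed sample data: policy names, setting labels and accounts are
# illustrative, not Citrix identifiers. Priority 1 is the highest.
POLICIES = [
    {"name": "Auditor exception", "priority": 1, "enabled": True,
     "assignments": [("user", "auditor@example.test", "Allow")],
     "settings": {"client_drives": "Enabled"}},
    {"name": "Branch lockdown", "priority": 2, "enabled": True,
     "assignments": [("client_ip", "208.77.88.*", "Allow"),
                     ("user", "kiosk@example.test", "Deny")],
     "settings": {"client_drives": "Disabled", "clipboard": "Disabled"}},
    {"name": "Baseline", "priority": 3, "enabled": True,
     "assignments": [],  # assumed: no assignments means every connection
     "settings": {"clipboard": "Enabled", "audio": "Enabled"}},
]


def policy_applies(policy, conn):
    """Assumed matching rule: every Allow must match and no Deny may match."""
    if not policy["enabled"]:
        return False
    for kind, pattern, mode in policy["assignments"]:
        matched = fnmatchcase(conn.get(kind, ""), pattern)
        if (mode == "Allow") != matched:
            return False
    return True


def resultant_settings(policies, conn):
    """Return {setting: (value, winning policy name)} for one connection."""
    result = {}
    for policy in sorted(policies, key=lambda p: p["priority"]):
        if not policy_applies(policy, conn):
            continue
        for setting, value in policy["settings"].items():
            # The first configured value in priority order wins, whether it
            # is Enabled or Disabled; settings a policy leaves unconfigured
            # are absent from its dict and so never override anything.
            result.setdefault(setting, (value, policy["name"]))
    return result


if __name__ == "__main__":
    for user in ("staff@example.test", "auditor@example.test", "kiosk@example.test"):
        conn = {"client_ip": "208.77.88.10", "user": user}
        print(user, resultant_settings(POLICIES, conn))
```

In this model the account excluded by the Deny assignment does not become unrestricted: it falls through to the lower-priority policies that still match, which here leaves the clipboard enabled for that account.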
Determine which policies apply to a connection
Sometimes a connection does not respond as expected because multiple policies apply. If a higher priority policy applies to a connection, it can override the settings you configure in the original policy. You can calculate the Resultant Set of Policy and determine how final policy settings are merged for a connection.
You can calculate the Resultant Set of Policy in the following ways:
- Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as:
  - Domain controller
  - Citrix policy assignment evidence values
  - Simulated environment settings such as slow network connection
  The report that the wizard produces lists the Citrix policies that would likely take effect in the scenario. If you’re logged on to the Controller as a domain user, the wizard calculates the Resultant Set of Policy using both site policy settings and Active Directory Group Policy Objects (GPOs).
- Use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and controller. The Group Policy Results tool helps you evaluate the current state of GPOs in your environment and generates a report. The generated report describes how these objects, including Citrix policies, are currently being applied to a particular user and controller.
You can launch the Citrix Group Policy Modeling Wizard from the Actions pane in Citrix Studio. You can launch either tool from the Group Policy Management Console in Windows.
Site policy settings created using Studio aren’t included in the Resultant Set of Policy in the following cases:
- If you run the Citrix Group Policy Modeling Wizard from the Group Policy Management Console, or
- If you run the Group Policy Results tool from the Group Policy Management Console
To verify that you obtain the most comprehensive Resultant Set of Policy, Citrix recommends launching the Citrix Group Policy Modeling wizard from Studio, unless you create policies using only the Group Policy Management Console.
Use the Citrix Group Policy Modeling Wizard
Open the Citrix Group Policy Modeling Wizard using one of the following:
- Select Policies in the Studio navigation pane, select the Modeling tab, and then select Launch Modeling Wizard in the Actions pane.
- Launch the Group Policy Management Console (gpmc.msc), right-click Citrix Group Policy Modeling in the tree pane, and then select Citrix Group Policy Modeling Wizard.
Follow the wizard instructions to select the following:
- Domain controller
- Environment settings
- Citrix assignment criteria to use in the simulation.
After you click Finish, the wizard produces a report of the modeling results. In Studio, the report appears in the middle pane under the Modeling tab.
To view the report, select View Modeling Report.
The Modeling tab isn’t available in Studio hosted in Citrix Cloud.
Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected. When you run the Citrix Group Policy Modeling Wizard or the Group Policy Results tool, you might discover that no policies are applied to user connections. In such a scenario, policy settings are not applied to the users who connect to their applications and desktops under conditions that match the policy evaluation criteria. This situation occurs when:
- No policies have assignments that match the policy evaluation criteria.
- Policies that match the assignment do not have any settings configured.
- Policies that match the assignment are disabled.
If you want to apply policy settings to the connections that meet the specified criteria, make sure:
- The policies you want to apply to those connections are enabled.
- The policies you want to apply have the appropriate settings configured.