Citrix Virtual Apps and Desktops

Policy sets

Policy sets are objects in Citrix Virtual Apps and Desktops which aggregates policies to allow for simplified, role-based access, and easy management. You can create policy sets to mirror logical divisions in your administrator team and company. For example, you can create a policy set for each geographic region, business-unit, or for specific use case. Once created, scopes and delivery groups are assigned to policy sets so that only authorized administrators can manage the policies that apply to their relevant users and machines.

Note

Before enabling the policy sets, Citrix recommends that you make note of the following:

  • Additional policy validations are added. As a result, doing an in-place upgrade might lead to loss of policy data if invalid policy settings are present.
  • To detect the invalid data, use the GPO scanner tool and make necessary edits before upgrading. For more information, see CTX666304.
  • For all future upgrades, Citrix recommends you to use the latest SDK. Using an older SDK for updating policies might allow adding invalid data to the policy settings which might lead to the risk of losing policy data.

Benefits

  • Role-based access control for distributed administrator teams
  • Simplified mergers, acquisitions, and consolidations
  • Limited fault domain
  • Multitenant support for policies

Enable policy sets

From the Manage tab of Virtual Apps and Desktops, navigate to Settings and turn on the Policy sets setting.

Enable policy sets

Note:

You must enable policy sets before creating a policy set.

Feature comparison

Before applying policy sets After applying policy sets
Policies, settings, filters, and policy priorities for the entire site are configured in one place within Citrix Studio. Policies, settings, filters, and policy priorities are configured separately for each policy set.
If you manage one policy, you must manage every policy. Full administrators can delegate to lower-level admins the ability to manage a particular policy set on an individual basis.
Policies in large and distributed environments become complex and difficult to manage. Policies in large and distributed environments can be divided and managed easily.

How does policy sets work?

General overview

  • Policy sets are assigned to delivery groups
  • Policy sets have one or multiple scopes
  • Delivery groups with no policy set assigned receive the default policy set
  • A delivery group can have only one policy set assigned to it
  • Multiple delivery groups can use the same policy set
  • Even though policy sets are assigned to delivery groups, the policies maintain their filters

For more information, see How do filters get applied?. There is no change in the way that policy assignments or policy filters work for policy sets. That is, they work the same way as they do for policies.

Default policy set

  • When the policy set setting is turned on, all existing policies are grouped within the default policy set
  • Every delivery group receives the default policy set unless the administrator team creates a policy set and assigns that to a delivery group.
  • Once a delivery group has a different policy set assigned to it, it will no longer get policies from the default policy set

Policy set creation

Policy sets can be created in the following two ways:

  • Create policy set - this action creates an empty policy set
  • Clone policy set - this action creates a policy set based on an existing policy set

Create policy sets

  1. Sign in to Web Studio and select Policies in the left pane.

Create policy sets

  1. Select Create Policy Set. The Introduction tab appears.
  2. Click Next or click Name and Description tab.
  3. Enter the name and description of the policy set.
  4. Click Next or click the Assignments tab.
  5. Select one or more delivery groups to which you want to assign the policy set.
  6. Click Next or click Scopes tab.
  7. Select the scopes of the policy set.
  8. Click Create. The policy set is created with the defined assignment and scope.

Clone policy sets

  1. Sign in to Web Studio and select Policies in the left pane.
  2. Select Clone Policy Set.
  3. Modify the name of the policy set.
  4. Modify or create assignments for the policy set and click Next.
  5. Select or deselect policies to include in the cloned policy set.
  6. Modify the scope of the policy.
  7. Click Create. The policy set is created.

Edit policy sets

  1. Sign in to Web Studio and select Policies in the left pane.
  2. Select Edit Policy Set.
  3. Modify the name of the policy set and click Next.
  4. Modify or create assignments for the policy set and click Next.
  5. Modify the scope of the policy.
  6. Click Create.

Policy set assignment

Policy sets are assigned to delivery groups. You can configure assignments when the policy set is created or edited. You can also configure assignments when delivery groups are created or edited.

Policy set scopes

Administrators can define the scope of the policy set so that only authorized administrators can view or edit it. You can configure scopes when the policy set is created or edited.

With the introduction of Policy Sets, you can also create and manage Citrix Policy using API. For more information, see How to create a policy set in Citrix DaaS.

policy scopes

Policy sets