Compare, prioritize, and troubleshoot policies
You can manage your Citrix Virtual Apps and Desktops deployment using two management consoles: Web Studio (web-based) and Citrix Studio (Windows-based). This article covers only Web Studio. For information about Citrix Studio, see the equivalent article in Citrix Virtual Apps and Desktops 7 2212 or earlier.
You can use multiple policies to customize your environment to meet users’ needs based on their job functions, geographic locations, or connection types. For example, for enhanced security, place restrictions on user groups who regularly interact with sensitive data.
You can also create a policy that prevents users from saving sensitive files on their local client drives. However, if some users in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one takes precedence. When using multiple policies, you must determine:
- How to prioritize the policies
- How to create exceptions
- How to view the effective policy when policies conflict
In general, policies override similar settings configured for the entire Site, for specific Delivery Controllers, or on the user device. The exception to this principle is security. The highest encryption setting in your environment always overrides other settings and policies. The highest encryption setting includes the operating system and the most restrictive shadowing settings.
Citrix policies interact with policies that you set in your operating system. In a Citrix environment, Citrix settings override the same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. This includes settings related to typical Remote Desktop Protocol (RDP) client connections, such as desktop wallpaper, menu animation, and view window contents while dragging.
Some policy settings, such as Secure ICA, must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you’re delivering applications and desktops can be overridden.
For example, the encryption settings that you specify when creating Delivery Groups must be at the same level as the encryption settings you specified throughout your environment.
In the second hop of double-hop scenarios, consider that a Single-session OS VDA connects to a Multi-session OS VDA. In this case, Citrix policies act on the Single-session OS VDA as if it were the user device. For example, consider policies that are set to cache images on the user device. In this example, the images cached for the second hop in a double-hop scenario are cached on the Single-session OS VDA machine.
Use the policy modeling wizard
Policy modeling helps you simulate enabled policies with filters for planning and testing purposes. Only enabled policies with filters are modeled. Disabled policies are never applied and enabled policies without filters are always applied.
Perform the following steps to open the Policy Modeling wizard:
- Select Policies from the left navigation.
- Select the Modeling tab.
- Select Policy Modeling in the action bar.
- Read the Introduction page and click Next.
- Select users or computers. You can browse for containers or specific users or computers. Click Next.
- Choose your filter evidence. You can optionally get more granular with your simulation by entering additional details, such as Delivery group, Tags, Client IP address, and so on. Click Next.
- Review the summary of your selections and click Run.
After you click Run, the wizard generates a report of the modeling results. While viewing this report, you can:
- Select if you would like to view All settings, Computer settings, or User settings in the drop-down menu.
- Use the search bar to look for specific settings.
- Click a specific setting to view details of that setting. For example, if all user settings were not applied for a specific policy, the Details pane shows you the reason why the settings were not applied.
- Click Export to export the modeling results in JSON format, HTML format, or both.
After running policy modeling, more options become available to you. You can:
- View Modeling Report: This opens the same modeling report from above so you can view it again or export it.
- Rerun Policy Modeling: This allows you to rerun policy modeling with the same set of criteria selected previously and generate new modeling results. This is useful if some policies have changed and you would like to see how those changes affect your current model.
- Delete Modeling Report: This deletes the current modeling report.
Compare policies and templates
You can compare the settings in a policy or template with the settings of the other policies or templates. For example, you might need to verify setting values to maintain compliance with best practices. You might also want to compare settings in a policy or template with the default settings that are provided by Citrix.
- Sign in to Web Studio and select Policies in the left pane.
- Click the Comparison tab and then click Select.
- Choose the policies or templates to compare. To include default values in the comparison, select the Compare to default settings check box.
- After you click Compare, the configured settings are displayed in columns.
- To see all settings, select Show All Settings. To return to the default view, select Show Common Settings.
Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.
You prioritize policies by giving them different priority numbers. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting’s condition, for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked policies.
- Select Policies in the left pane. Make sure that you select the Policies tab.
- On the Policies tab, select Change Policy Priorities in the action bar. The Change Policy Priorities page appears.
In the priority list, use one of the following ways to change the priority for a policy:
- Drag the policy to a desired position.
- To move it up or down by one position, click the Up or Down arrow icon respectively.
- To move it to the top or bottom of the list, click the Top or Bottom arrow icon respectively.
- To change the priority number, click the Edit icon, enter a number as needed, and then click Save.
- Click Save.
When you create policies for groups of users, user devices, or machines, you might find that some members of the group require exceptions to some policy settings. You can create exceptions by:
- Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
- Using the Deny mode for an assignment added to the policy
An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For example, a policy includes the following assignments:
- Assignment A is a client IP address assignment that specifies the range 208.77.88.*. The mode is set to Allow.
- Assignment B is a user assignment that specifies a particular user account. The mode is set to Deny.
The policy is applied to all users who log on to the Site with IP addresses in the range that is specified in Assignment A. However, the policy isn’t applied to the user logging on to the Site with the user account specified in Assignment B.
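The priority merge and the Allow/Deny assignment behavior described above, as an added example that is not Citrix code: a simplified Python model that computes which policy wins each setting for a given connection. Policy names, setting names, and user names are constructed, and the model assumes a policy applies when every Allow assignment matches and no Deny assignment matches.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Assignment:
    kind: str     # evidence key in the connection: "client_ip" or "user"
    pattern: str  # wildcard pattern, e.g. "208.77.88.*"
    mode: str     # "Allow" or "Deny"

    def matches(self, conn):
        return fnmatchcase(conn.get(self.kind, ""), self.pattern)

@dataclass
class Policy:
    name: str
    priority: int   # 1 is the highest priority
    settings: dict  # configured settings only; absent means "not configured"
    assignments: list = field(default_factory=list)
    enabled: bool = True

    def applies_to(self, conn):
        if not self.enabled:  # disabled policies are never applied
            return False
        allow = [a.matches(conn) for a in self.assignments if a.mode == "Allow"]
        deny = [a.matches(conn) for a in self.assignments if a.mode == "Deny"]
        # Assumed rule: every Allow must match, no Deny may match.
        # A policy with no assignments applies to every connection.
        return all(allow) and not any(deny)

def resultant_settings(policies, conn):
    """Return {setting: (value, winning policy)} for one connection."""
    result = {}
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.applies_to(conn):
            for setting, value in policy.settings.items():
                # The first (highest-priority) configured value wins, so a
                # Disabled value beats a lower-ranked Enabled one.
                result.setdefault(setting, (value, policy.name))
    return result

# Constructed sample policies; setting and user names are illustrative only.
POLICIES = [
    Policy("Baseline", 3, {"ClipboardAccess": "Enabled", "ImageCaching": "Enabled"}),
    Policy("Block local drives", 2,
           {"ClientDriveAccess": "Disabled", "ClipboardAccess": "Disabled"},
           [Assignment("client_ip", "208.77.88.*", "Allow"),
            Assignment("user", "bob@example.test", "Deny")]),
    Policy("Drive exception", 1, {"ClientDriveAccess": "Enabled"},
           [Assignment("user", "alice@example.test", "Allow")]),
]
```

Recording the winning policy name next to each value makes it easy to spot a restrictive setting that is being overridden by a higher-ranked exception policy.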
Determine which policies apply to a connection
A connection might not respond as expected because multiple policies apply. If a higher priority policy applies to a connection, it can override the settings you configure in the original policy. You can calculate the Resultant Set of Policy and determine how final policy settings are merged for a connection.
You can calculate the Resultant Set of Policy in the following ways:
- Use the Citrix Group Policy Modeling Wizard to simulate a connection scenario and discern how Citrix policies might be applied. You can specify conditions for a connection scenario such as:
- Domain controller
- Citrix policy assignment evidence values
- Simulated environment settings such as slow network connection
The report that the wizard produces lists the Citrix policies that take effect in the scenario. Because you log on to the Controller as a domain user, the wizard calculates the results using both site policy settings and Active Directory Group Policy Objects (GPOs).
- Use Group Policy Results to produce a report describing the Citrix policies in effect for a given user and controller. The Group Policy Results tool helps you evaluate the current state of GPOs in your environment and generates a report. The generated report describes how these objects, including Citrix policies, are currently being applied to a particular user and controller.
You can launch the Citrix Group Policy Modeling Wizard in Web Studio. Or, you can launch the Group Policy Results tool through the Group Policy Management Console in Windows.
Site policy settings created using Web Studio aren’t included in the Resultant Set of Policy in the following cases:
- If you run the Citrix Group Policy Modeling Wizard from the Group Policy Management Console
- If you run the Group Policy Results tool from the Group Policy Management Console
To verify that you obtain the most comprehensive Resultant Set of Policy, Citrix recommends launching the Citrix Group Policy Modeling wizard from Web Studio, unless you create policies using only the Group Policy Management Console.
Users, IP addresses, and other assigned objects can have multiple policies that apply simultaneously. This scenario can result in conflicts where a policy might not behave as expected. When you run the Citrix Group Policy Modeling Wizard or the Group Policy Results tool, you might discover that no policies are applied to user connections. In such a scenario, policy settings are not applied to the users who connect to their applications and desktops under conditions that match the policy evaluation criteria. This situation occurs when:
- No policies have assignments that match the policy evaluation criteria.
- Policies that match the assignment do not have any settings configured.
- Policies that match the assignment are disabled.
If you want to apply policy settings to the connections that meet the specified criteria, make sure:
- The policies you want to apply to those connections are enabled.
- The policies you want to apply have the appropriate settings configured.