Configure session recording policies
You can activate system-defined recording policies or create and activate your custom recording policies. System-defined recording policies apply a single rule to entire sessions. Custom recording policies specify which sessions are recorded.
The active recording policy determines which sessions are recorded. Only one recording policy is active at a time.
Note:
After you create or activate a recording policy, the policy applies to all Session Recording servers of the selected site. You can create and activate separate recording policies for different sites.
System-defined recording policies
Session Recording provides the following system-defined recording policies:
Note:
Both lossy screen recording and audio recording for non-optimized HDX audio are available with Session Recording version 2308 and later.
- Do not record. The default policy. If you do not specify another policy, no sessions are recorded.
- Record entire sessions excluding audio (for everyone, with notification). This policy records entire sessions (including screens and events but excluding audio). Users receive recording notifications in advance.
- Record entire sessions excluding audio (for everyone, without notification). This policy records entire sessions (including screens and events but excluding audio). Users do not receive recording notifications.
- Record entire sessions excluding audio with lossy screen recording enabled (for everyone, with notification). This policy records entire sessions (including screens and events but excluding audio). Lossy screen recording is enabled to reduce the size of recording files. Users receive recording notifications in advance.
- Record entire sessions excluding audio with lossy screen recording enabled (for everyone, without notification). This policy records entire sessions (including screens and events but excluding audio). Lossy screen recording is enabled to reduce the size of recording files. Users do not receive recording notifications.
- Record entire sessions including audio (for everyone, with notification). This policy records entire sessions (including screens, events, and audio). Users receive recording notifications in advance. You can enable audio recording for non-optimized HDX audio. Non-optimized HDX audio refers to the audio that is processed on the VDA and transmitted to/from the client where Citrix Workspace app is installed. In contrast to non-optimized HDX audio is optimized HDX audio whose processing is offloaded to the client, such as in the Browser Content Redirection (BCR) and Optimization for Microsoft Teams scenarios.
- Record entire sessions including audio (for everyone, without notification). This policy records entire sessions (including screens, events, and audio). Users do not receive recording notifications.
- Record only events (for everyone, with notification). This policy records only events that your event detection policy specifies. It does not record screens or audio. Users receive recording notifications in advance.
- Record only events (for everyone, without notification). This policy records only events that your event detection policy specifies. It does not record screens or audio. Users do not receive recording notifications.
You can’t modify or delete the system-defined recording policies.
Create a custom recording policy
Considerations
You can record sessions of specific users or groups, published applications or desktops, delivery groups or VDA machines, and Citrix Workspace app client IP addresses. To obtain the lists of published applications or desktops and delivery groups or VDA machines, you must have the read permission as a site administrator. Configure the administrator read permission on the Delivery Controller of the site.
You can also specify smart access tags to use as scopes for a custom recording policy to apply to. This feature is available with Session Recording 2402 and later. It lets you apply policies based on the user access context including:
- The user’s location
- IP address range
- Delivery group
- Device type
- Installed applications
For each rule you create, you specify a recording action and a rule scope. The recording action applies to sessions that fall into the rule scope.
For each rule, choose one recording action:
- Enable session recording with notification. This option records entire sessions (screens and events). Users receive recording notifications in advance. With this option selected, you can further select to enable audio recording or lossy screen recording. Additionally, you can choose to hide specific applications in screen recordings.
- Enable session recording without notification. This option records entire sessions (screens and events). Users do not receive recording notifications. With this option selected, you can further select to enable audio recording or lossy screen recording. Additionally, you can choose to hide specific applications in screen recordings.
- Enable event only session recording with notification. Recording only specific events helps to free up storage space. This option records throughout sessions only events that your event detection policy specifies. It does not record screens. Users receive recording notifications in advance.
- Enable event only session recording without notification. Recording only specific events helps to free up storage space. This option records throughout sessions only events that your event detection policy specifies. It does not record screens. Users do not receive recording notifications.
-
Disable session recording. This option means that no sessions are recorded.
-
Hide specific applications in screen recording. This feature requires that you select Enable lossy screen recording. It lets you hide specific applications with a layer mask during screen recording. The color for the layer mask is configurable, which can be Black, Gray, or White.
For each rule, choose at least one of the following items to create the rule scope. When a rule applies, both the “AND” and the “OR” logical operators are used to compute the final action. Generally speaking, the “OR” operator is used within a rule item, and the “AND” operator is used between separate rule items. If the result is true, the Session Recording policy engine takes the rule’s action. Otherwise, it goes to the next rule and repeats the process.
- Published applications and desktops. Creates a list of published applications and desktops to which the action of the rule applies. Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) sites are selected by default. Citrix Virtual Apps and Desktops sites are not supported.
- Delivery groups and VDA machines. Creates a list of delivery groups and VDA machines to which the action of the rule applies.
- IP addresses and IP address ranges. Creates a list of IP addresses and ranges of IP addresses to which the action of the rule applies. The IP addresses mentioned here are the IP addresses of the Citrix Workspace apps.
-
Filter. Creates a list of smart access tags to which the action of the rule applies. You can configure contextual access (smart access) using smart access policies on Citrix NetScaler, Citrix Device Posture service, and Adaptive access based on the user’s network location.
Contextual access (smart access) is available with Session Recording 2402 and later.
-
Users and user groups. Creates a list of users and user groups to which the action of the rule applies. Both Azure Active Directory (Azure AD) and Active Directory identity types are supported. For an example user group scenario, see Use user groups and white list users.
Note:
Azure AD support is a preview feature. It is available with Session Recording version 2402 and later.
Preview features might not be fully localized and are recommended for use in non‑production environments. Citrix Technical Support doesn’t support issues found with preview features.
To fully enable Azure AD identity support for configuring various policies and playback permissions from the cloud, complete the following steps and then restart the VDA:
-
Use the Citrix Virtual Apps and Desktops installer to install the Session Recording agent on an Azure AD joined machine. Select Enable Azure AD support during the installation.
For a Session Recording agent that you’ve installed otherwise, set the following registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartAuditor\Agent to enable Azure AD support:
- Set CommunicationProtocalToggle to 1 (0 means .net remoting. 1 means Websocket).
- Set AuthType to 1 (0 means Active Directory. 1 means Citrix Cloud authentication).
- Set SmAudIdpEnabled to 1 (0 means disabled. 1 means enabled)
-
Use the MSI package to install the Session Recording server on an Azure AD joined machine as well. Select Enable Azure AD support during the MSI installation.
-
When you create more than one rule in a recording policy, some sessions might match the criteria for more than one rule. In these cases, the rule with the highest priority is applied to the sessions.
The recording action of a rule determines its priority:
- Rules with the Disable session recording action have the highest priority.
- Rules with the Enable session recording with notification action have the second-to-highest priority.
- Rules with the Enable session recording without notification action have the second-to-lowest priority.
- Rules with the Enable event only session recording with notification action have the medium priority.
- Rules with the Enable event only session recording without notification action have the lowest priority.
Some sessions might not meet any rule in a recording policy. For these sessions, the action of the policy fallback rule applies. The action of the fallback rule is always Disable session recording. You cannot modify or delete the fallback rule.
Steps
- Sign in to Citrix Cloud.
- In the upper left menu, select My Services > DaaS.
- In the DaaS tile, scroll down in the left navigation pane and select Session Recording.
- In the Session Recording service view, select Policies from the left navigation.
- Select a target site. The Recording policy tab is displayed by default.
- Click Add policy.
- Enter a name and description for the new policy, and then click Add rule.
-
Enter a name and description for the rule. Specify a recording action and choose at least one of the following items to create the rule scope.
For each rule, specify a recording action:
- Enable session recording with notification
- Enable session recording without notification
- Enable event only session recording with notification
- Enable event only session recording without notification
- Disable session recording
For each rule, choose at least one of the following items to create the rule scope.
- Published applications and desktops
- Users and user groups
- Delivery groups and VDA machines
- IP addresses and IP address ranges
- Filter
- After the new policy is created, find it on the Recording policy tab and turn the toggle on to activate the policy.
Use user groups
Session Recording allows you to use user groups when creating policies. Using user groups instead of individual users simplifies the creation and management of rules and policies. For example, if users in your company’s finance department are contained in an Active Directory group called Finance, you can create a rule that applies to all the group members by selecting the Finance group in the Rules wizard.
White list users
You can create Session Recording policies ensuring that the sessions of some users in your organization are never recorded. This case is called white listing these users. White listing is useful for users who handle privacy-related information or when your organization does not want to record the sessions of a certain class of employees.
For example, if all managers in your company are members of an Active Directory group called Executive, you can ensure that sessions of these users are never recorded by creating a rule that disables session recording for the Executive group. While the policy containing this rule is active, no sessions of members of the Executive group are recorded. The sessions of other members of your organization are sessions recorded based on other rules in the active policy.
Understand rollover behavior
When you activate a policy, the previously active policy remains in effect until the session being recorded ends or the session recording file rolls over. Files roll over when they have reached the maximum size. For more information about the maximum file size for recordings, see Specify file size for recordings.
The following table details what happens when you apply a new recording policy while a session is being recorded and a rollover occurs:
If the previous recording policy was | And the new recording policy is | After a rollover, the recording policy will be |
---|---|---|
Do not record | Any other policy | No change. The new policy takes effect only when the user logs on to a new session. |
Record without notification | Do not record | The recording stops. |
Record without notification | Record with notification | The recording continues and a notification message appears. |
Record with notification | Do not record | The recording stops. |
Record with notification | Record without notification | The recording continues. No message appears the next time a user logs on. |