Workspace Environment Management

Assignments

Use assignments to make actions available to your users. This lets you replace a portion of your users’ logon scripts.


Assignment targets

The Assignment Targets page lets you add users and groups (targets) so that you can assign actions and security rules to them. Select a target to manage its assignments.

Note:

Converting SIDs to target names can take some time. If the conversion is incorrect or fails, verify that the Cloud Connectors are working properly by viewing their health status. If the issue persists, contact Citrix Technical Support.

There are two built-in targets:

  • Everyone. A built-in group that contains all users, including anonymous users and guests. Membership is controlled by the operating system.

  • Administrators. A built-in group that includes all members of the administrators group. After the initial installation of the operating system, the only member of the group is the administrator account. When a computer joins a domain, the Domain Admins group is added to the administrators group. When a server becomes a domain controller, the Enterprise Admins group is added to the administrators group.

Options available to you include:

  • Filter. Lets you filter the list.

  • Add an assignment target. Lets you add a target.

  • Refresh. Updates the list of targets.

  • View. Lets you view details for built-in targets.

  • Edit. Lets you edit a target. You can change its description, priority, and enablement status. When configuring the priority, consider the following: The priority determines the order in which the actions you assign are processed. The greater the value, the higher the priority. Type an integer. If there is a conflict, the target with the higher priority prevails.

  • Enable. Lets you enable or disable the object (target).

  • Delete. Lets you delete a target. Note: Built-in targets will not be deleted.

Tip:

You can quickly enable or disable a target by using the toggle in the State column.

Add an assignment target

To add an assignment, perform the following steps:

  1. On the Assignment Targets page, click Add assignment target.

  2. Select the identity provider. For Active Directory and Azure Active Directory, you can choose whether to narrow your search to users or security groups.

  3. Select a domain where the targets you want to add exist.

  4. In the Search box, enter the name of the target you want to add. As you enter the name, matches appear in the menu.

    Note:

    The search returns only the top 50 results. Refine your search if necessary.

  5. Click the plus icon to add the target. (Targets you already added appear with a green check mark icon.)

    Tip:

    If you want to add targets from a different identity provider, switch to a different identity type to continue.

  6. After you have finished, click Add to add the targets and to exit the Add assignment target wizard.


Filters

Note:

  • This feature is available as a preview.
  • Filters are for use with assignments. Currently, the ability to assign actions to users is not yet available with the web console.

The Filters page lets you add filters for controlling when to assign actions to your users. A filter can comprise multiple conditions.

There is a built-in filter:

  • Always true. If selected, the related actions are always assigned to target users. You cannot edit or delete this built-in filter.

Options available to you include:

  • Add filter. Lets you add a filter so it is available for use when you assign actions.

  • Manage conditions. Lets you add, delete, and edit conditions.

  • Refresh. Updates the list of filters. Using this option also refreshes the list of conditions in Manage conditions.

  • Edit. Lets you edit a filter. If you edit a filter that is bound to actions assigned to users, the change will impact those users immediately.

  • Delete. Lets you delete a filter.

  • State. Lets you enable or disable a filter.

Add a filter

To add a filter, perform the following steps:

  1. On the Filters page, click Add filter.

  2. In Basic information, configure the following and then click Next.

    • Filter name. Enter a name for the filter.
    • Description. Enter a description for the filter to help you identify it from your other filters. This field is optional.
    • Enable this filter. Select Yes to enable or No to disable the filter.
  3. In Conditions, build your filter by selecting conditions from the list or creating new ones and then click Done.

    Note:

    • Conditions you create here are available for use with other filters.
    • If you select more than one condition, this filter holds true only when all conditions are met.
  4. Click Done when finished.

Create a condition

You can create conditions when you add a filter or manage conditions. In the Create condition wizard that appears, perform the following steps:

  1. Enter a condition name.

  2. Select Yes to enable or No to disable the condition.

  3. Select a condition type from the list and then configure settings accordingly.

Different condition types might have different settings. The following condition types are available:

Condition type Description
Always true The condition always holds true.
Active Directory attribute True or false depending on whether the attribute name matches the specified values. Enter attribute values, separated by semicolons (;). Note: If you want the condition to hold true regardless of the attribute value, enter a question mark (?).
Active Directory group True or false depending on whether the group name matches the specified values. Enter group names, separated by semicolons (;).
Active Directory path True or false depending on whether the path matches the specified values. Enter paths, separated by semicolons (;). Note: You can use the asterisk (*) as a wildcard.
Active Directory site True or false depending on whether the site name matches the specified values. Enter site names, separated by semicolons (;).
Citrix Provisioning image mode True or false depending on whether the image mode is Shared or Private.
Citrix Virtual Apps farm name True or false depending on whether the farm name matches the specified value.
Citrix Virtual Apps version True or false depending on whether the version matches the specified value.
Citrix Virtual Apps zone name True or false depending on whether the zone name matches the specified value.
Citrix Virtual Desktops desktop group name True or false depending on whether the desktop group name matches the specified value.
Citrix Virtual Desktops farm name True or false depending on whether the farm name matches the specified value.
Client IP address True or false depending on whether the IP address matches the specified value.
Client name True or false depending on whether the client name matches the specified values. Enter client names, separated by semicolons (;). You can use the asterisk (*) as a wildcard. You can also use dynamic tokens.
Client OS True or false depending on whether the client OS matches the specified value.
Client remote OS True or false depending on whether the client remote OS matches the specified value.
Computer name True or false depending on whether the computer name matches the specified values. Enter computer names, separated by semicolons (;). You can use the asterisk (*) as a wildcard.
Connection state True or false depending on whether the connection state is Online or Offline.
Date and time True or false depending on whether the date and time matches the specified values. Enter dates or date ranges, separated by semicolons (;). Enter dates in the format, mm/dd/yyyy. Enter date ranges in the format (time optional), mm/dd/yyyy HH:mm - mm/dd/yyyy HH:mm.
Day of week True or false depending on whether the day matches the specified values.
Dynamic value True or false depending on whether the dynamic value matches the specified values. Enter values the dynamic expression resolves to, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the dynamic expression, enter a question mark (?).
Environment variable True or false depending on whether the environment variable matches the specified values. Enter values of the environment variable, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the environment variable, enter a question mark (?).
File version True or false depending on whether the file version matches the specified values. Enter file versions, separated by semicolons (;).
File/folder exists or not True or false depending on whether the path matches the specified value. Enter a full path of the file or the folder. You can use dynamic tokens.
IP address True or false depending on whether the IP address matches the specified value. Enter IP addresses or IP address ranges, separated by semicolons (;). Note: You can use the asterisk (*) as a wildcard.
Name is in list or not True or false depending on whether the name is in the specified list. In the Name field, enter a name to look for in the list. In the File path of XML list field, enter a full file path of the XML list.
Name/value is in list or not True or false depending on whether the name or value is in the specified list. In the Name field, enter a name or value to look for in the list. In the File path of XML list field, enter a full file path of the XML list.
Network connection state True or false depending on whether the network connection state is Available or Not available.
OS platform type True or false depending on whether the OS platform type is x86 or x64.
Published resource name True or false depending on whether the name matches the specified values. Enter published resource names, separated by semicolons (;).
Registry value True or false depending on whether the registry value matches the specified values. In the Registry path and name field, enter a full path that includes the registry value name. In the Registry value field, enter registry values, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the registry entry, enter a question mark (?).
Transformer mode state True or false depending on whether the state is Disabled or Enabled.
Regional format True or false depending on whether the format matches the specified value. Use the Add values not in the list option to enter ISO language codes, separated by semicolons (;), if necessary.
User SBC resource type True or false depending on whether the type is Desktop or Published application.
User UI language True or false depending on whether the language matches the specified values.
WMI query True or false depending on whether the specified query has a result. The Windows Management Instrumentation (WMI) query operation can run queries on the agent machine. You can define this condition based on results returned from the query. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/windows/win32/wmisdk/querying-with-wql.

When using “client” and “computer” related condition, be aware of the following two scenarios:

  • If the agent is installed on a single-session or multi-session OS:
    • “Client” refers to a client device connecting to the agent host.
    • “Computer” and “Client Remote” refer to the agent host.
  • If the agent is installed on a physical endpoint, conditions that contain “client” in the condition names are not applicable.
Assignments