Workspace Environment Management

Assignments

Use assignments to make actions available to your users. This lets you replace a portion of your users’ logon scripts.


Assignment targets

The Assignment Targets page lets you add users and groups (targets) so that you can assign actions and security rules to them. Select a target to manage its assignments.

Note:

Converting SIDs to target names can take some time. If the conversion is incorrect or fails, verify that the Cloud Connectors are working properly by viewing their health status. If the issue persists, contact Citrix Technical Support.

There are two built-in targets:

  • Everyone. A built-in group that contains all users, including anonymous users and guests. Membership is controlled by the operating system.

  • Administrators. A built-in group that includes all members of the administrators group. After the initial installation of the operating system, the only member of the group is the administrator account. When a computer joins a domain, the Domain Admins group is added to the administrators group. When a server becomes a domain controller, the Enterprise Admins group is added to the administrators group.

Options available to you include:

  • Filter. Lets you filter the list.

  • Add an assignment target. Lets you add a target.

  • Refresh. Updates the list of targets.

  • View. Lets you view details for built-in targets.

  • Manage assignments. Lets you manage the actions and security rules.

  • Edit. Lets you edit a target. You can change its description, priority, and enablement status. When configuring the priority, consider the following: The priority determines the order in which the actions you assign are processed. The greater the value, the higher the priority. Type an integer. If there is a conflict, the target with the higher priority prevails.

  • Enable. Lets you enable or disable the object (target).

  • Delete. Lets you delete a target. Note: Built-in targets will not be deleted.

Tip:

You can quickly enable or disable a target by using the toggle in the State column.

Add an assignment target

To add an assignment target, perform the following steps:

  1. On the Assignment Targets page, click Add assignment target.

  2. Select the identity provider.

  3. Select a domain where the targets you want to add exist.

  4. Select the target type.

    Note:

    For Active Directory and Azure Active Directory, you can narrow your search to users or security groups. For Active Directory, you can also choose organizational units. Keep in mind that only Group Policy settings can be assigned to organizational units.

  5. In the Search box, enter the name of the target you want to add. As you enter the name, matches appear in the menu.

    Note:

    The search returns only the top 50 results. Refine your search if necessary. The location configuration option restricts the OU search scope to a specific location node to find the desired target OU quickly.

  6. Click the plus icon to add the target. (Targets you already added appear with a green check mark icon.)

    Tip:

    If you want to add targets from a different identity provider, switch to a different identity type to continue.

  7. After you finish, click Add to add the targets and to exit the wizard.

Manage assignments for a target

To manage assignments for a target, perform the following steps:

  1. On the Assignment Targets page, select the target. If needed, use the search box to quickly find the target.

  2. In the action bar, select Manage assignments. The Manage assignments window appears.

  3. Manage the assignments for each action or the security rules as needed. You can also select the Privilege Elevation rules to assign to the target on the Manage security rule assignments page.

  4. Click Review changes to verify that you made the changes as intended.

Clone an assignment target

To clone an assignment target, perform the following steps:

  1. On the Assignment Targets page, select the target. If needed, use the search box to quickly find the target.
  2. In the action bar, select Clone. The Clone assignment target window appears.
  3. Select the configuration set to clone the target to.
  4. Click Clone.

Note:

  • You cannot clone built-in targets.
  • You can clone up to 10 targets at a time.
  • If a target already exists in the destination, it is skipped.
  • Descriptions of cloned targets are empty. Their assignments are not cloned, their priority is set to a default value (100), and their state defaults to enabled (check mark icon).

Filters

Note:

  • This feature is available as a preview.
  • Filters are for use with assignments and scripted tasks.

The Filters page lets you add filters for controlling when to assign actions to your users. A filter can comprise multiple conditions.

There is a built-in filter:

  • Always true. If selected, the related actions are always assigned to target users. You cannot edit or delete this built-in filter.

Options available to you include:

  • Add filter. Lets you add a filter so it is available for use when you assign actions.

  • Manage conditions. Lets you add, delete, and edit conditions.

  • Refresh. Updates the list of filters. Using this option also refreshes the list of conditions in Manage conditions.

  • Edit. Lets you edit a filter. If you edit a filter that is bound to actions assigned to users, the change will impact those users immediately.

  • Delete. Lets you delete a filter.

  • State. Lets you enable or disable a filter.

Add a filter

To add a filter, perform the following steps:

  1. On the Filters page, click Add filter.

  2. In Basic information, configure the following and then click Next.

    • Filter name. Enter a name for the filter.
    • Description. Enter a description for the filter to help you identify it from your other filters. This field is optional.
    • Enable this filter. Select Yes to enable or No to disable the filter.
  3. In Conditions, build your filter by adding conditions. Click the operator to toggle between Match all (AND operator) or Match any (OR operator). You can use both operators to combine two or more conditions into a compound condition.

    • Add condition. Select conditions from the list or create new ones.
    • Add condition group. Add a condition group to group a series of conditions using the same logical operator - AND or OR. You can add condition groups within condition groups. You can nest condition groups up to three levels.

    Note:

    • Conditions you create here are available for use with other filters.
    • Use the Summary section for a deeper understanding of the criteria of compound conditions.
    • Filters containing OR operators are evaluated only on agents whose version is 2210.2.0.1 or later.
    • Certain types of conditions apply only to user settings. If you apply them to machine settings (for example, scripted tasks and GPOs), the agent skips them when evaluating the filter. For a complete list of filter conditions that do not apply to machine settings, see Conditions not applicable to machine settings.
  4. Click Done when finished.

Create a condition

You can create conditions when you add a filter or manage conditions. In the Create condition wizard that appears, perform the following steps:

  1. Enter a condition name.

  2. Select Yes to enable or No to disable the condition.

  3. Select a condition type from the list and then configure settings accordingly.

Different condition types might have different settings. The following condition types are available:

| Condition type | Description |
| --- | --- |
| Always true | The condition always holds true. |
| Active Directory attribute | True or false depending on whether the attribute name matches the specified values. Enter attribute values, separated by semicolons (;). Note: If you want the condition to hold true regardless of the attribute value, enter a question mark (?). |
| Active Directory group | True or false depending on whether the group name matches the specified values. Enter group names, separated by semicolons (;). |
| Active Directory path | True or false depending on whether the path matches the specified values. Enter paths, separated by semicolons (;). Note: You can use the asterisk (*) as a wildcard. |
| Active Directory site | True or false depending on whether the site name matches the specified values. Enter site names, separated by semicolons (;). |
| Citrix Provisioning image mode | True or false depending on whether the image mode is Shared or Private. |
| Citrix Virtual Apps farm name | True or false depending on whether the farm name matches the specified value. |
| Citrix Virtual Apps version | True or false depending on whether the version matches the specified value. |
| Citrix Virtual Apps zone name | True or false depending on whether the zone name matches the specified value. |
| Citrix Virtual Desktops desktop group name | True or false depending on whether the desktop group name matches the specified value. |
| Citrix Virtual Desktops farm name | True or false depending on whether the farm name matches the specified value. |
| Client IP address | True or false depending on whether the IP address matches the specified value. |
| Client name | True or false depending on whether the client name matches the specified values. Enter client names, separated by semicolons (;). You can use the asterisk (*) as a wildcard. You can also use dynamic tokens. |
| Client OS | True or false depending on whether the client OS matches the specified value. |
| Client remote OS | True or false depending on whether the client remote OS matches the specified value. |
| Computer name | True or false depending on whether the computer name matches the specified values. Enter computer names, separated by semicolons (;). You can use the asterisk (*) as a wildcard. |
| Connection state | True or false depending on whether the connection state is Online or Offline. |
| Date and time | True or false depending on whether the date and time matches the specified values. Enter dates or date ranges, separated by semicolons (;). Enter dates in the format mm/dd/yyyy. Enter date ranges in the format (time optional) mm/dd/yyyy HH:mm - mm/dd/yyyy HH:mm. |
| Day of week | True or false depending on whether the day matches the specified values. |
| Dynamic value | True or false depending on whether the dynamic value matches the specified values. Enter values the dynamic expression resolves to, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the dynamic expression, enter a question mark (?). |
| Environment variable | True or false depending on whether the environment variable matches the specified values. Enter values of the environment variable, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the environment variable, enter a question mark (?). |
| File version | True or false depending on whether the file version matches the specified values. Enter file versions, separated by semicolons (;). |
| File/folder exists or not | True or false depending on whether the path matches the specified value. Enter a full path of the file or the folder. The path must not include any quotes ("). You can use dynamic tokens. |
| IP address | True or false depending on whether the IP address matches the specified value. Enter IP addresses or IP address ranges, separated by semicolons (;). Note: You can use the asterisk (*) as a wildcard. |
| Name is in list or not | True or false depending on whether the name is in the specified list. In the Name field, enter a name to look for in the list. In the File path of XML list field, enter a full file path of the XML list. |
| Name/value is in list or not | True or false depending on whether the name or value is in the specified list. In the Name field, enter a name or value to look for in the list. In the File path of XML list field, enter a full file path of the XML list. |
| Network connection state | True or false depending on whether the network connection state is Available or Not available. |
| OS platform type | True or false depending on whether the OS platform type is x86 or x64. |
| Published resource name | True or false depending on whether the name matches the specified values. Enter published resource names, separated by semicolons (;). |
| Registry value | True or false depending on whether the registry value matches the specified values. In the Registry path and name field, enter a full path that includes the registry value name. In the Registry value field, enter registry values, separated by semicolons (;). Note: If you want the condition to hold true regardless of the value of the registry entry, enter a question mark (?). |
| Transformer mode state | True or false depending on whether the state is Disabled or Enabled. |
| Regional format | True or false depending on whether the format matches the specified value. Use the Add values not in the list option to enter ISO language codes, separated by semicolons (;), if necessary. |
| User SBC resource type | True or false depending on whether the type is Desktop or Published application. |
| User UI language | True or false depending on whether the language matches the specified values. |
| WMI query | True or false depending on whether the specified query has a result. The Windows Management Instrumentation (WMI) query operation can run queries on the agent machine. You can define this condition based on results returned from the query. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/windows/win32/wmisdk/querying-with-wql. |

When using “client” and “computer” related conditions, be aware of the following two scenarios:

  • If the agent is installed on a single-session or multi-session OS:
    • “Client” refers to a client device connecting to the agent host.
    • “Computer” and “Client Remote” refer to the agent host.
  • If the agent is installed on a physical endpoint, conditions that contain “client” in the condition names are not applicable.

More information

Conditions not applicable to machine settings

There are two types of settings:

  • Machine settings. Those settings apply only to machines regardless of who logs on to them. Examples: Group Policy settings and scripted tasks.
  • User settings. Those settings apply only to users regardless of which machine they log on to. Example: User’s language settings.

The following conditions do not apply to machine settings. If a filter contains any of them, the agent skips them when evaluating the filter.

| Filter name | Applicable to machine settings |
| --- | --- |
| ClientName Match | No |
| Client IP Address Match | No |
| Registry Value Match | If you configure a registry value starting with HKCU, the Registry Value Match filter does not work if applied to machine settings. |
| User Country Match | No |
| User UI Language Match | No |
| User SBC Resource Type | No |
| Active Directory Path Match | No |
| Active Directory Attribute Match | No |
| No ClientName Match | No |
| No Client IP Address Match | No |
| No Registry Value Match | No |
| No User Country Match | No |
| No User UI Language Match | No |
| No Active Directory Path Match | No |
| No Active Directory Attribute Match | No |
| Client Remote OS Match | No |
| No Client Remote OS Match | No |
| Active Directory Group Match | No |
| No Active Directory Group Match | No |
| Published Resource Name | No |
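
A lint pass over a filter definition that applies the limits stated on this page: three levels of condition-group nesting, the 2210.2.0.1 agent requirement for OR operators, and the conditions the agent skips for machine settings. This is an added example, not Citrix code; the dictionary layout, finding codes, and function names are hypothetical, and treating the filter's top-level operator as depth 0 is an assumption.

```python
# Added example: the dict layout and function names are hypothetical,
# not a WEM export format or API. Limits and filter names are from this page.
_NEGATABLE = [
    "ClientName Match", "Client IP Address Match", "User Country Match",
    "User UI Language Match", "Active Directory Path Match",
    "Active Directory Attribute Match", "Client Remote OS Match",
    "Active Directory Group Match",
]
# Filter names listed as not applicable to machine settings.
USER_ONLY = set(_NEGATABLE) | {"No " + n for n in _NEGATABLE} | {
    "User SBC Resource Type", "Published Resource Name",
    "No Registry Value Match",
}
MIN_OR_AGENT = (2210, 2, 0, 1)  # OR operators need this agent version or later
MAX_GROUP_DEPTH = 3             # condition groups nest up to three levels

def parse_version(text):
    """'2210.2.0.1' -> (2210, 2, 0, 1), so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def lint_filter(root, machine_setting, agent_version):
    """Return sorted (code, detail) findings for one filter tree."""
    findings = set()
    old_agent = parse_version(agent_version) < MIN_OR_AGENT

    def walk(node, depth):
        if "items" in node:  # a group: {"op": "AND"|"OR", "items": [...]}
            # Assumption: top-level operator is depth 0; each nested group adds one.
            if depth > MAX_GROUP_DEPTH:
                findings.add(("DEPTH", f"group at level {depth}"))
            if node["op"] == "OR" and old_agent:
                findings.add(("OR_OLD_AGENT", agent_version))
            for child in node["items"]:
                walk(child, depth + 1)
            return
        ctype = node["type"]  # a condition: {"type": ..., ...}
        if machine_setting and ctype in USER_ONLY:
            findings.add(("SKIPPED_ON_MACHINE", ctype))
        elif (machine_setting and ctype == "Registry Value Match"
              and node.get("path", "").upper().startswith("HKCU")):
            findings.add(("HKCU_ON_MACHINE", node["path"]))
    walk(root, 0)
    return sorted(findings)

# Constructed sample: a filter meant to gate a machine setting.
SAMPLE = {"op": "AND", "items": [
    {"type": "Active Directory Group Match"},
    {"type": "Registry Value Match", "path": r"HKCU\Software\Example\Flag"},
    {"op": "OR", "items": [{"type": "Computer name"},
                           {"type": "No Client IP Address Match"}]},
]}
if __name__ == "__main__":
    print(lint_filter(SAMPLE, machine_setting=True, agent_version="2209.2.0.1"))
```

Run against the constructed sample as a machine setting on a 2209.2.0.1 agent, it reports the two user-scoped conditions, the HKCU registry path, and the OR group.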

Assignment Groups

This feature allows you to add actions and application security, including GPO and JSON files, to a group and select assignment targets for deployment. Assignment details such as filters and options are managed at the individual item level. You can now set a single filter for all assignments associated with a particular target. When you add new items to the group, assignments for those items are generated automatically, letting you review assignment details and make any necessary adjustments.

Create an assignment group

To create an assignment group, complete the following steps.

  1. Enter the name and description of the assignment group.
  2. Click Add and select the desired actions that you need to include in the group on the Configure group content page.
  3. Choose the assignment targets from the dropdown list.
  4. You can copy, paste, and apply the desired configuration to all the assignments on the tab.

Note:

  • If an item in the group is already assigned to a specified target from the dropdown list, the selected target updates the assignment. You can further configure the assignment details for each assignment target in the Assignment details page.
  • If a group has been assigned to the organizational units, it cannot contain items other than the Group Policy settings.
  • To add virtual drives, you must select a drive letter manually.

Create an assignment group using security rules

You can now create an assignment group using the security rules. Follow the same steps as in Create an assignment group. You can also configure the Privilege Elevation rule on the Configure group content page.

Note:

Default rules cannot be included in the assignment groups and are not displayed in the Configure group content page.

Create an assignment group using the exported settings

To create an assignment group using the exported settings, import the exported settings into WEM actions and complete the following steps:

  1. To begin, upload the ZIP file containing the converted settings.

  2. Click Import to save the selected settings/items in the current configuration set and create an assignment group with them.

  3. Assign the current assignment group to the selected assignment target.

  4. Refresh the agent host settings to apply changes immediately.

View assignment group

  • To view an assignment group, select it and then click View in the action bar.

  • On the Content tab, you can view the categories of items, along with the items in the selected category listed in a table.
  • On the Assignments tab, you can list the assignment targets that the group is assigned to.

Edit assignment group

  • To edit an assignment group, select it and then click Edit in the action bar.

  • In the Content tab, edit the name, description, and content of the assignment group.

  • In the Assignments tab, you can add or remove the assignment targets. You can also edit the assignment details for each target.

Delete assignment group

To delete an assignment group, select the assignment group and then click Delete in the action bar.