Create and activate recording policies

Use the Session Recording Policy Console to create and activate policies that determine which sessions are recorded.

Important:

To use the Session Recording Policy Console, you must have the Broker PowerShell Snap-in (Broker_PowerShellSnapIn_x64.msi) installed. The snap-in cannot be automatically installed by the installer. Locate the snap-in on the XenApp/XenDesktop ISO (\layout\image-full\x64\Citrix Desktop Delivery Controller) and follow the instructions for installing it manually. Failure to comply can cause an error.

You can activate system policies available when Session Recording is installed or create and activate your own custom policies. Session Recording system policies apply a single rule to all users, published applications, and servers. Custom policies specifying which users, published applications, and servers are recorded.

The active policy determines which sessions are recorded. Only one policy is active at a time.

System policies

Session Recording provides these system policies:

  • Do not record. This is the default policy. If you do not specify another policy, no sessions are recorded.
  • Record everyone with notification. If you choose this policy, all sessions are recorded. A pop-up window appears to notify recording occurrence.
  • Record everyone without notification. If you choose this policy, all sessions are recorded. No pop-up window appears to notify recording occurrence.

System policies cannot be modified or deleted.

Activate a policy

  1. Log on to the server where the Session Recording Policy Console is installed.
  2. Start the Session Recording Policy Console.
  3. If you are prompted by a Connect to Session Recording Server pop-up window, ensure that the name of the Session Recording Server, protocol, and port are correct. Click OK.
  4. In the Session Recording Policy Console, expand Recording Policies.
  5. Select the policy you want to make the active policy.
  6. From the menu bar, choose Action **> Activate Policy**.

Create custom recording policies

When you create your own policy, you make rules to specify which users and groups, published applications, and servers have their sessions recorded. A wizard within the Session Recording Policy Console helps you create rules. To obtain the list of published applications and servers, you must have the site administrator read permission. Configure that on this site’s Delivery Controller.

For each rule you create, you specify a recording action and rule criteria. The recording action applies to sessions that meet the rule criteria.

For each rule, choose one recording action:

  • Do not record. (Choose Disable session recording in the Rules wizard.) This recording action specifies that sessions meeting the rule criteria are not recorded.
  • Record with notification. (Choose Enable session recording with notification in the Rules wizard.) This recording action specifies that sessions meeting the rule criteria are recorded. A pop-up window appears to notify recording occurrence.
  • Record without notification. (Choose Enable session recording without notification in the Rules wizard.) This recording action specifies that sessions meeting the rule criteria are recorded. Users are unaware that they are being recorded.

For each rule, choose at least one of the following items to create the rule criteria:

  • Users or Groups. Creates a list of users or groups to which the recording action of the rule applies.
  • Published Resources. Creates a list of published applications or desktops to which the recording action of the rule applies. In the Rules wizard, choose the XenApp/XenDesktop site or sites on which the applications or desktops are available.
  • Delivery Groups or Machines. Creates a list of Delivery Groups or machines to which the recording action of the rule applies. In the Rules wizard, choose the location of the Delivery Groups or machines.
  • IP Address or IP Range. Creates a list of IP addresses or ranges of IP addresses to which the recording action of the rule applies. On the Select IP Address and IP Range screen, add a valid IP address or IP range for which recording will be enabled or disabled.

Note: The Session Recording Policy Console supports configuring multiple criteria within a single rule. When a rule applies, both the “AND” and the “OR” logical operators are used to compute the final action. Generally speaking, the “OR” operator is used between items within a criterion, and the “AND” operator is used between separate criteria. If the result is true, the Session Recording policy engine takes the rule’s action. Otherwise, it goes to the next rule and repeats the process.

When you create more than one rules in a recording policy, some sessions might match the criteria for more than one rules. In these cases, the rule with the highest priority is applied to the sessions.

The recording action of a rule determines its priority:

  • Rules with the Do not record action have the highest priority
  • Rules with the Record with notification action have the next highest priority
  • Rules with the Record without notification action have the lowest priority

Some sessions might not meet any rule criteria in a recording policy. For these sessions, the recording action of the policies fallback rule applies. The recording action of the fallback rule is always Do not record. The fallback rule cannot be modified or deleted.

To configure custom policies, do the following:

  1. Log on as an authorized Policy Administrator to the server where the Session Recording Policy Console is installed.
  2. Start the Session Recording Policy Console and select Recording Policies in the left pane. From the menu bar, choose Action > Add New Policy.
  3. Right-click the New policy and select Add Rule.
  4. Select a recording option - In the Rules wizard, select Disable session recording, Enable Session Recording with notification (or without notification), and then click Next.
  5. Select the rule criteria - You can choose one or any combination of the options:
    Users or Groups
    Published resources
    Delivery Groups or Machines
    IP Address or IP Range
  6. Edit the rule criteria - To edit, click the underlined values. The values are underlined based on the criteria you chose in the previous step.
    Note: If you choose the Published Resources underlined value, the Site Address is the IP address, a URL, or a machine name if the Controller is on a local network. The Name of Application list shows the display name.
  7. Follow the wizard to finish the configuration.

Use Active Directory groups

Session Recording allows you to use Active Directory groups when creating policies. Using Active Directory groups instead of individual users simplifies creation and management of rules and policies. For example, if users in your company’s finance department are contained in an Active Directory group named Finance, you can create a rule that applies to all members of this group by selecting the Finance group in the Rules wizard when creating the rule.

White list users

You can create Session Recording policies ensuring that the sessions of some users in your organization are never recorded. This is called white listing these users. White listing is useful for users who handle privacy-related information or when your organization does not want to record the sessions of a certain class of employees.

For example, if all managers in your company are members of an Active Directory group named Executive, you can ensure that these users’ sessions are never recorded by creating a rule that disables session recording for the Executive group. While the policy containing this rule is active, no sessions of members of the Executive group are recorded. The sessions of other members of your organization are sessions recorded based on other rules in the active policy.

Use IP address or IP range rule criteria

You can use client IP addresses as rule criteria for policy matching. For example, if you want to record sessions from clients with specific IP addresses or within an IP range, use the Rules wizard to create a rule that applies only to those clients.

Create a new policy

Note: When using the Rules wizard, you might be prompted to “click on underlined value to edit” when no underlined value appears. Underlined values appear only when applicable. If no underline values appear, ignore the step.

  1. Log on to the server where Session Recording Policy Console is installed.
  2. Start the Session Recording Policy Console.
  3. If you are prompted by a Connect to Session Recording Server pop-up window, ensure that the name of the Session Recording Server, protocol, and port are correct. Click OK.
  4. In the Session Recording Policy Console, select Recording Policies.
  5. From the menu, choose Add New Policy. A policy called New Policy appears in the left pane.
  6. Right-click the new policy and choose Rename from the menu.
  7. Type a name for the policy you are about to create and press Enter or click anywhere outside the new name.
  8. Right-click the policy, choose Add New Rule from the menu to launch the Rules wizard.
  9. Follow the instructions to create the rules for this policy.

Modify a policy

  1. Log on to the server where the Session Recording Policy Console is installed.
  2. Start the Session Recording Policy Console.
  3. If you are prompted by a Connect to Session Recording Server pop-up window, ensure that the name of the Session Recording Server, protocol, and port are correct. Click OK.
  4. In the Session Recording Policy Console, expand Recording Policies.
  5. Select the policy you want to modify. The rules for the policy appear in the right pane.
  6. To add a new rule, modify a rule, or delete a rule:
    • From the menu bar, choose Action >Add New Rule. If the policy is active, a pop-up window appears requesting confirmation of the action. Use the Rules wizard to create a new rule.
    • Select the rule you want to modify, right-click, and choose Properties. Use the Rules wizard to modify the rule.
    • Select the rule you want to delete, right-click, and choose Delete Rule.

Delete a policy

Note: You cannot delete a system policy or a policy that is active.

  1. Log on to the server where the Session Recording Policy Console is installed.
  2. Start the Session Recording Policy Console.
  3. If you are prompted by a Connect to Session Recording Server pop-up window, ensure that the name of the Session Recording Server, protocol, and port are correct. Click OK.
  4. In the Session Recording Policy Console, expand Recording Policies.
  5. In the left pane, select the policy you want to delete. If the policy is active, you must activate another policy.
  6. From the menu bar, choose Action > Delete Policy.
  7. Select Yes to confirm the action.

Note: Limitation regarding prelaunched application sessions:

  • If the active policy tries to match an application name, the applications launched in the prelaunched session are not matched, which results in the session not being recorded.
  • If the active policy records every application, when a user logs on to Citrix Receiver for Windows (at the same time that a prelaunched session is established), a recording notification appears and the prelaunched (empty) session and any applications to be launched in that session going forward are recorded.

As a workaround, publish applications in separate Delivery Groups according to their recording policies. Do not use an application name as a recording condition. This ensures that prelaunched sessions can be recorded. However, notifications still appear.

Understand rollover behavior

When you activate a policy, the previously active policy remains in effect until the user’s session ends. However, in some cases, the new policy takes effect when the file rolls over. Files roll over when they have reached the maximum size. For more information about the maximum file size for recordings, see Specify file size for recordings.

The following table details what happens when you apply a new policy while a session is being recorded and a rollover occurs:

If the previous policy was: And the new policy is: After a rollover, the policy will be:
Do not record Any other policy No change. The new policy takes effect only when the user logs on to a new session.
Record without notification Do not record Recording stops.
Record without notification Record with notification Recording continues and a notification message appears.
Record with notification Do not record Recording stops.
Record with notification Record without notification Recording continues. No message appears the next time a user logs on.