XenApp and XenDesktop

Policies

Policies are a collection of settings that define how sessions, bandwidth, and security are managed for a group of users, devices, or connection types.

You can apply policy settings to physical and virtual machines or to users. You can apply settings to individual users at the local level or in security groups in Active Directory. The configurations define specific criteria and rules. If you don’t specifically assign the policies, the settings are applied to all connections.

Processing and precedence image

You can apply policies on different levels of the network. Policy settings placed at the Organizational Unit GPO level take the highest precedence on the network. Policies at the Domain GPO level override policies on the Site Group Policy Object level, which override any conflicting policies on both the Microsoft and Citrix Local Policies levels.

All Citrix Local Policies are created and managed in the Citrix Studio console and stored in the Site Database. Group Policies are created and managed by using the Microsoft Group Policy Management Console (GPMC) and stored in Active Directory. Microsoft Local Policies are created in the Windows Operating System and are stored in the registry.

Studio uses a Modeling Wizard to help administrators compare configuration settings within templates and policies to help eliminate conflicting and redundant settings. Administrators can set GPOs using the GPMC to configure settings and apply them to a target set of users at different levels of the network.

These GPOs are saved in Active Directory, and access to the management of these settings is restricted for most of IT for security.

Settings are merged according to priority and their condition. Any disabled setting overrides a lower-ranked enabled setting. Unconfigured policy settings are ignored and do not override lower-ranked settings.

Local policies can also have conflicts with group policies in the Active Directory, which could override each other depending on the situation.

All policies are processed in the following order:

  1. The end user logs on to a machine using domain credentials.
  2. Credentials are sent to the domain controller.
  3. Active Directory applies all policies (end user, endpoint, organizational unit, and domain).
  4. The end user logs on to Receiver and accesses an application or desktop.
  5. Citrix and Microsoft policies are processed for the end user and machine hosting the resource.
  6. Active Directory determines precedence for policy settings. It then applies them to the registries of the endpoint device and to the machine hosting the resource.
  7. The end user logs off from the resource. Citrix policies for the end user and endpoint device are no longer active.
  8. The end user logs off the user device, which releases the GPO user policies.
  9. The end user turns off the device, which releases the GPO machine policies.

When creating policies for groups of users, devices, and machines, some members might have different requirements and would need exceptions to some policy settings. Exceptions are made by way of filters in Studio and the GPMC that determine who or what the policy affects.

Note

We do not support mixing Windows and Citrix policies in the same GPO.

Policies

In this article