Apply policies

May 10, 2015

When you assign a policy to certain user and machine objects, that policy is applied to connections according to specific criteria or rules. If no assignments are added, the policy is applied to all connections.

In general, you can add as many assignments as you want to a policy, based on a combination of criteria.
Note: You can add only one Citrix CloudBridge assignment to a policy.

The available assignments are listed below by name, each with a description:

Access Control

Applies a policy based on the access control conditions through which a client is connecting.

Citrix CloudBridge

Applies a policy based on whether or not a user session is launched through Citrix CloudBridge.

Client IP Address

Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session.

IPv4 Examples:
  • 12.0.0.0
  • 12.0.0.*
  • 12.0.0.1-12.0.0.70
  • 12.0.0.1/24
IPv6 Examples:
  • 2001:0db8:3c4d:0015:0:0:abcd:ef12
  • 2001:0db8:3c4d:0015::/54
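The Client IP Address assignment accepts the four address forms listed above (single address, trailing wildcard, first-last range, CIDR). The following matcher is an added example, not Citrix code, that parses each of those forms with Python's standard ipaddress module and returns a predicate for a client address; the function names and the sample addresses in the usage section are constructed for the example. It generalizes the table slightly in that the range and CIDR forms accept IPv6 as well as IPv4, while the trailing-'*' wildcard is IPv4-only, as the table shows it.

```python
import ipaddress


def parse_client_ip_assignment(spec):
    """Turn one Client IP Address assignment string into a predicate ip -> bool.
    Accepted forms are the ones the documentation lists: a single address,
    a trailing-'*' IPv4 wildcard, a 'first-last' range, or CIDR notation."""
    spec = spec.strip()

    if "/" in spec:
        # CIDR. strict=False lets the host form 12.0.0.1/24 through; it denotes
        # the /24 that contains 12.0.0.1.
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net

    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("bad address range: %s" % spec)

        def in_range(ip):
            addr = ipaddress.ip_address(ip)
            return addr.version == first.version and first <= addr <= last
        return in_range

    if "*" in spec:
        # Wildcard: the octets before the first '*' must match exactly and every
        # octet from the '*' onward is free. Only the IPv4 form is documented.
        octets = spec.split(".")
        star = octets.index("*")
        prefix = octets[:star]
        if (len(octets) != 4 or any(o != "*" for o in octets[star:])
                or not all(o.isdigit() and int(o) <= 255 for o in prefix)):
            raise ValueError("bad wildcard address: %s" % spec)

        def wildcard(ip):
            addr = ipaddress.ip_address(ip)
            return addr.version == 4 and str(addr).split(".")[:star] == prefix
        return wildcard

    # Single address. ip_address() normalises abbreviated IPv6, so
    # 2001:0db8:3c4d:0015:0:0:abcd:ef12 and 2001:db8:3c4d:15::abcd:ef12 compare equal.
    exact = ipaddress.ip_address(spec)
    return lambda ip: ipaddress.ip_address(ip) == exact


def client_ip_matches(spec, ip):
    """True when client address `ip` satisfies the assignment string `spec`."""
    return parse_client_ip_assignment(spec)(ip)


if __name__ == "__main__":
    # Constructed sample: the documented example forms checked against a few client addresses.
    for spec, ip in [("12.0.0.0", "12.0.0.0"), ("12.0.0.*", "12.0.0.200"),
                     ("12.0.0.1-12.0.0.70", "12.0.0.71"), ("12.0.0.1/24", "12.0.0.254"),
                     ("2001:0db8:3c4d:0015::/54", "2001:db8:3c4d:3ff::1")]:
        print("%-28s %-22s %s" % (spec, ip, client_ip_matches(spec, ip)))
```

Note that the host form 12.0.0.1/24 is treated as the whole 12.0.0.0/24 network, and that a /54 IPv6 prefix covers more than the /64 its written address suggests: 2001:0db8:3c4d:0015::/54 also matches 2001:db8:3c4d:3ff::1, which is worth checking before relying on such an assignment to restrict a policy.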

Client Name

Applies a policy based on the name of the user device from which the session is connected.

Delivery Group

Applies a policy based on the Delivery Group membership of the desktop running the session.

Desktop Type

Applies a policy based on the type of desktop running the session.

Organizational Unit

Applies a policy based on the organizational unit (OU) of the desktop running the session.

Tag

Applies a policy based on any tags applying to the desktop running the session.

User or Group

Applies a policy based on the user or group membership of the user connecting to the session.

When a user logs on, all policies that match the assignments for the connection are identified. The identified policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. If you are using Active Directory, policy settings are updated when Active Directory re-evaluates policies at regular 90-minute intervals and applied when a user logs on.

Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Important: When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings may not be applied as expected. For more information, see http://support.citrix.com/article/CTX127461

Unfiltered policies

By default, you are provided with an "Unfiltered" policy. The settings added to this policy apply to all connections.

If you use Studio to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a site.

If you have Active Directory in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all sites and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the site, the settings in the Unfiltered policy are automatically applied to the session because the user is within the scope of the Sales-US GPO.

Assignment modes

An assignment's mode determines whether or not the policy is applied only to connections that match all the assignment criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.

Example: Assignments of like type with differing modes

In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:

Policy 1 includes the following assignments:
  • Assignment A is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment B is a User assignment that specifies the Sales manager's account and the mode is set to Deny

Because the mode for Assignment B is set to Deny, the policy is not applied when the Sales manager logs on to the site, even though the user is a member of the Sales group.

Example: Assignments of differing type with like modes

In policies with two or more assignments of differing types, all set to Allow, the connection must satisfy at least one assignment of each type in order for the policy to be applied. For example:

Policy 2 includes the following assignments:
  • Assignment C is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network) and the mode is set to Allow

When the Sales manager logs on to the site from the office, the policy is applied because the connection satisfies both assignments.

Policy 3 includes the following assignments:
  • Assignment E is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions and the mode is set to Allow

When the Sales manager logs on to the site from the office, the policy is not applied because the connection does not satisfy Assignment F.

To apply a policy

To apply a policy only to certain user and machine objects you must add at least one assignment to that policy. If you do not add any assignments, policy settings are applied to all connections, unless those policy settings are overridden by settings in a policy with a higher priority.
  1. From Studio, select the Policy node in the left pane.
  2. Click the Policies tab and then select an existing policy or create a new policy.
  3. Follow the policy wizard to the Users and Machines page.
  4. Select the assignment you want to apply and click Assign.
  5. In the Assign Policy dialog box, select the mode for the assignment and configure the assignment elements:
    The parameters for each assignment type are:
    Access Control
    • Connection type. Select whether to apply the policy to connections made either with or without NetScaler Gateway.
    • NetScaler Gateway farm name. Enter the name of the NetScaler Gateway (formerly Access Gateway) virtual server.
    • Access condition. Enter the name of the endpoint analysis policy or session policy to use.
    Citrix CloudBridge
    • Connections. Select whether to apply the policy to sessions launched either with or without Citrix CloudBridge.
    Client IP address
    • IP address. IP address of the user device to which you want to apply the policy.
    Client name
    • Client name. Name of the user device to which you want to apply the policy.
    Delivery Group
    • Controller. Name of the controller managing the desktops to which you want to apply the policy.
    • Delivery Group. Name of the Delivery Group to which you want to apply the policy.
    Desktop type
    • Desktop type. Type of desktop to which you want to apply the policy. Choose one of the following:
      • Private Desktop
      • Shared Desktop
      • Private Application
      • Shared Application
    Organizational Unit (OU)
    • Organizational Unit. Name of the OU to which to apply the policy.
    Tag
    • Controller. Name of the controller managing the desktops to which you want to apply the policy.
    • Tag. The desktop tag to search for when applying the policy.
    User or group
    • User or group name. Name of the user or group to which you want to apply the policy.

The policy is applied the next time the relevant users establish a connection.

Use multiple policies to customize users' access

Updated: 2015-04-26

You can use multiple policies to customize your environment to meet users' needs based on their job functions, geographic locations, or connection types. For example, for security reasons you may need to place restrictions on user groups who regularly work with highly sensitive data. You can create a policy that prevents users from saving sensitive files on their local client drives. However, if some people in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one takes precedence.

When using multiple policies, you need to determine how to prioritize them, how to create exceptions, and how to view the effective policy when policies conflict.

In general, policies override similar settings configured for the entire site, for specific controllers, or on the user device. The exception to this principle is security: the highest encryption setting in your environment (including the one set in the operating system) and the most restrictive shadowing setting always override other settings and policies.

Citrix policies interact with policies you set in your operating system. In a Citrix environment, Citrix settings override the same settings configured in an Active Directory policy or using Remote Desktop Session Host Configuration. This includes settings that are related to typical Remote Desktop Protocol (RDP) client connection settings such as Desktop wallpaper, Menu animation, and View window contents while dragging. For some policy settings, such as Secure ICA, the settings in policies must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you are delivering applications and desktops can be overridden.

For example, the encryption settings that you specify when you are creating delivery groups to provide users with applications and desktops should be at the same level as the encryption settings you specified throughout your environment.

Prioritize policies and create exceptions

Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The process used to evaluate policies is as follows:
  1. When a user logs on, all policies that match the assignments for the connection are identified.
  2. The identified policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.

You prioritize policies by giving them different priority numbers. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings.
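The merge rule in the paragraph above (highest-ranked policy that configures a setting wins; an unconfigured setting is skipped and never overrides a lower-ranked one) is easy to get wrong when several policies touch the same setting, so the following is an added example, not Citrix code, that models it. The policy names, priority numbers and setting values are constructed for the example, using the sensitive-data scenario from the start of this section: a policy that disables client drive mapping for the whole group, a higher-ranked policy that re-enables it for the few members who need it, and the Unfiltered policy below both.

```python
ENABLED = "Enabled"
DISABLED = "Disabled"
# A setting a policy does not mention is "not configured"; it is simply absent from that policy's dict.


def effective_settings(matched_policies):
    """Merge the settings of the policies that matched one connection.

    matched_policies: iterable of (priority_number, policy_name, settings_dict),
    where priority 1 is the highest. For each setting the highest-ranked policy
    that configures it wins, so Disabled in a priority-1 policy beats Enabled in
    a priority-2 policy, while a policy that leaves the setting unconfigured is
    skipped and cannot override anything ranked below it.
    Returns (effective_settings, winning_policy_per_setting)."""
    ordered = sorted(matched_policies, key=lambda p: p[0])
    priorities = [p[0] for p in ordered]
    if len(set(priorities)) != len(priorities):
        raise ValueError("every policy needs a distinct priority number")
    effective, winner = {}, {}
    for _priority, name, settings in ordered:
        for setting, value in settings.items():
            if setting not in effective:      # first (highest-ranked) configured value wins
                effective[setting] = value
                winner[setting] = name
    return effective, winner


# Constructed sample policies (priority, name, configured settings).
UNFILTERED = (3, "Unfiltered",
              {"Client drive redirection": ENABLED, "Desktop wallpaper": DISABLED})
SENSITIVE_DATA = (2, "Sensitive data group",
                  {"Client drive redirection": DISABLED, "Menu animation": DISABLED})
LOCAL_DRIVE_EXCEPTION = (1, "Sensitive data - local drive exception",
                         {"Client drive redirection": ENABLED})


def settings_for_exception_member():
    """All three policies matched this connection."""
    return effective_settings([UNFILTERED, SENSITIVE_DATA, LOCAL_DRIVE_EXCEPTION])


def settings_for_other_group_member():
    """The exception policy's assignment did not match, so only two policies apply."""
    return effective_settings([UNFILTERED, SENSITIVE_DATA])


if __name__ == "__main__":
    for label, fn in [("exception member", settings_for_exception_member),
                      ("other group member", settings_for_other_group_member)]:
        settings, winner = fn()
        print(label)
        for setting in sorted(settings):
            print("  %-26s %-8s (from %s)" % (setting, settings[setting], winner[setting]))
```

The second return value records which policy supplied each effective value; that is the information you need when checking that a restriction such as disabled client drive mapping really is in force for everyone except the intended exception.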

When you create policies for groups of users, user devices, or machines, you may find that some members of the group require exceptions to some policy settings. You can create exceptions by:
  • Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
  • Using the Deny mode for an assignment added to the policy

An assignment with the mode set to Deny applies a policy only to connections that do not match the assignment criteria. For example, a policy contains the following assignments:
  • Assignment A is a Client IP address assignment that specifies the range 208.77.88.* and the mode is set to Allow
  • Assignment B is a User assignment that specifies a particular user account and the mode is set to Deny

The policy is applied to all users who log on to the site with IP addresses in the range specified in Assignment A. However, the policy is not applied to the user logging on to the site with the user account specified in Assignment B, even though the user's computer is assigned an IP address in the range specified in Assignment A.
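The Deny-mode exception just described and the three worked policies in "Assignment modes" (Policies 1 to 3) follow the same rules: a matching Deny assignment blocks the policy, every assignment type that has Allow assignments needs at least one match, and a policy with no assignments applies to everyone. The following is an added example, not Citrix code, that models those rules and evaluates all four policies for a given connection. Account names, group names and the networks (10.8.169.* and 208.77.88.* written as /24 prefixes) are constructed for the example, and the Access Control assignment is reduced to a single "came through NetScaler Gateway" flag.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Connection:
    """The facts about one session that assignments are checked against (constructed model)."""
    user: str
    groups: FrozenSet[str]
    client_ip: str
    via_gateway: bool        # True when the session arrives through NetScaler Gateway


@dataclass(frozen=True)
class Assignment:
    name: str
    kind: str                # assignment type: "User", "Client IP Address", "Access Control", ...
    mode: str                # "Allow" or "Deny"
    matches: Callable[[Connection], bool]

    def __post_init__(self):
        if self.mode not in ("Allow", "Deny"):
            raise ValueError("mode must be Allow or Deny: %r" % self.mode)


def policy_applies(assignments, conn):
    """Decide whether a policy with these assignments applies to `conn`.

    - no assignments: the policy applies to every connection;
    - a Deny assignment the connection matches blocks the policy, even when an
      Allow assignment of the same type also matches;
    - for every type that has Allow assignments, at least one of them must match."""
    if any(a.mode == "Deny" and a.matches(conn) for a in assignments):
        return False
    allow_by_kind = {}
    for a in assignments:
        if a.mode == "Allow":
            allow_by_kind.setdefault(a.kind, []).append(a)
    return all(any(a.matches(conn) for a in group) for group in allow_by_kind.values())


# Predicate builders for the assignment types used in the examples.
def in_group(group):
    return lambda c: group in c.groups


def is_user(account):
    return lambda c: c.user == account


def from_network(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda c: ipaddress.ip_address(c.client_ip) in net


def through_gateway():
    return lambda c: c.via_gateway


# Policies 1-3 from "Assignment modes" plus the exception policy above (constructed names).
POLICIES = {
    "Policy 1": [Assignment("A", "User", "Allow", in_group("Sales")),
                 Assignment("B", "User", "Deny", is_user("sales.manager"))],
    "Policy 2": [Assignment("C", "User", "Allow", in_group("Sales")),
                 Assignment("D", "Client IP Address", "Allow", from_network("10.8.169.0/24"))],
    "Policy 3": [Assignment("E", "User", "Allow", in_group("Sales")),
                 Assignment("F", "Access Control", "Allow", through_gateway())],
    "Exception policy": [Assignment("A", "Client IP Address", "Allow", from_network("208.77.88.0/24")),
                         Assignment("B", "User", "Deny", is_user("excepted.user"))],
}


def evaluate(conn):
    """Map each policy name to whether it applies to the connection."""
    return {name: policy_applies(assignments, conn) for name, assignments in POLICIES.items()}


if __name__ == "__main__":
    manager_in_office = Connection("sales.manager", frozenset({"Sales"}), "10.8.169.42", False)
    for name, applies in evaluate(manager_in_office).items():
        print("%-17s %s" % (name, "applied" if applies else "not applied"))
```

For the Sales manager connecting from the office the model reproduces the documented outcomes: Policy 1 is not applied (Deny wins over the group Allow), Policy 2 is applied (both types satisfied), and Policy 3 is not applied (the Access Control type has no matching Allow). Running evaluate() on other constructed connections, such as a Sales user through the Gateway, is a quick way to check that an exception you add only excludes the accounts you intended.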