Create policies

Sep 22, 2015

Before creating a policy, decide which group of users or devices it should affect. You may want to create a policy based on user job function, connection type, user device, or geographic location. Alternatively, you can use the same criteria that you use for Windows Active Directory group policies.

If you already created a policy that applies to a group, consider editing that policy and configuring the appropriate settings, instead of creating another policy. Avoid creating a new policy solely to enable a specific setting or to exclude the policy from applying to certain users.

When you create a new policy, you can base it on settings in a policy template and customize settings as needed, or you can create it without using a template and add all the settings you need.

Policy settings

Policy settings can be enabled, disabled, or not configured. By default, policy settings are not configured, which means they are not added to a policy. Settings are applied only when they are added to a policy.

Some policy settings can be in one of the following states:
  • Allowed or Prohibited allows or prevents the action controlled by the setting. In some cases, users are allowed or prevented from managing the setting's action in a session. For example, if the Menu animation setting is set to Allowed, users can control menu animations in their client environment.
  • Enabled or Disabled turns the setting on or off. If you disable a setting, it is not enabled in lower-ranked policies.

In addition, some settings control the effectiveness of dependent settings. For example, Client drive redirection controls whether or not users are allowed to access the drives on their devices. To allow users to access their network drives, both this setting and the Client network drives setting must be added to the policy. If the Client drive redirection setting is disabled, users cannot access their network drives, even if the Client network drives setting is enabled.

In general, policy setting changes that impact machines go into effect either when the virtual desktop restarts or when a user logs on. Policy setting changes that impact users go into effect the next time users log on. If you are using Active Directory, policy settings are updated when Active Directory re-evaluates policies at 90-minute intervals and applied either when the virtual desktop restarts or when a user logs on.

For some policy settings, you can enter or select a value when you add the setting to a policy. You can limit configuration of the setting by selecting Use default value; this disables configuration of the setting and allows only the setting's default value to be used when the policy is applied, regardless of the value that was entered before selecting Use default value.

As a best practice:
  • Assign policies to groups rather than individual users. If you assign policies to groups, assignments are updated automatically when you add or remove users from the group.
  • Do not enable conflicting or overlapping settings in Remote Desktop Session Host Configuration. In some cases, Remote Desktop Session Host Configuration provides similar functionality to Citrix policy settings. When possible, keep all settings consistent (enabled or disabled) for ease of troubleshooting.
  • Disable unused policies. Policies with no settings added create unnecessary processing.

Policy assignments

When creating a policy, you assign it to certain user and machine objects; that policy is applied to connections according to specific criteria or rules. In general, you can add as many assignments as you want to a policy, based on a combination of criteria. If you specify no assignments, the policy is applied to all connections.

The following list gives each available assignment name, followed by what the policy is applied based on:

Access Control

Access control conditions through which a client is connecting.
  • Connection type - Whether to apply the policy to connections made with or without NetScaler Gateway.
  • NetScaler Gateway farm name - Name of the NetScaler Gateway virtual server.
  • Access condition - Name of the end point analysis policy or session policy to use.

Citrix CloudBridge

Whether or not a user session is launched through Citrix CloudBridge.

Note: You can add only one Citrix CloudBridge assignment to a policy.

Client IP Address

IP address of the user device used to connect to the session.
  • IPv4 examples: 12.0.0.0, 12.0.0.*, 12.0.0.1-12.0.0.70, 12.0.0.1/24
  • IPv6 examples: 2001:0db8:3c4d:0015:0:0:abcd:ef12, 2001:0db8:3c4d:0015::/54

Client Name

Name of the user device.

  • Exact match: ClientABCName
  • Using wildcard: Client*Name

Delivery Group

Delivery Group membership.

Delivery Group type

Type of desktop or application: private desktop, shared desktop, private application, or shared application.

Organizational Unit (OU)

Organizational unit.

Tag

Tags.

Note: To ensure that policies are applied correctly when using tags, install the hotfix at CTX142439.

User or Group

User or group name.

When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Important: When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings may not be applied as expected. For more information, see CTX127461.

A policy named "Unfiltered" is provided by default.
  • If you use Studio to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a Site.
  • If you use the Local Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all Sites and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the Site, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of the Sales-US GPO.

An assignment's mode determines whether the policy is applied to connections that match the assignment criteria or to connections that do not match them. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.
  • Example: Assignments of like type with differing modes - In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:
    Policy 1 includes the following assignments:
    • Assignment A specifies the Sales group; the mode is set to Allow
    • Assignment B specifies the Sales manager's account; the mode is set to Deny

    Because the mode for Assignment B is set to Deny, the policy is not applied when the Sales manager logs on to the Site, even though the user is a member of the Sales group.

  • Example: Assignments of differing type with like modes - In policies with two or more assignments of differing types, set to Allow, the connection must satisfy at least one assignment of each type in order for the policy to be applied. For example:
    Policy 2 includes the following assignments:
    • Assignment C is a User assignment that specifies the Sales group; the mode is set to Allow
    • Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network); the mode is set to Allow

    When the Sales manager logs on to the Site from the office, the policy is applied because the connection satisfies both assignments.

    Policy 3 includes the following assignments:
    • Assignment E is a User assignment that specifies the Sales group; the mode is set to Allow
    • Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions; the mode is set to Allow

    When the Sales manager logs on to the Site from the office, the policy is not applied because the connection does not satisfy Assignment F.
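
The assignment-mode rules and the priority ordering described above can be modelled to predict which policies and settings a given connection receives, for example when checking that a restrictive setting is not silently bypassed by a Deny assignment. The following Python model is an added example, not Citrix code. Assumptions: the data shapes, the account names sales-manager and sales-rep, the settings attached to each policy, and the priority numbers (1 ranks highest); only Policies 1 to 3 and their assignments come from the examples above.

```python
import fnmatch

# Added model of the rules on this page; data shapes are constructed, not Citrix's.
def satisfies(a, conn):
    if a["type"] == "user":            # user account or a group the user is in
        return a["value"] in conn["identities"]
    if a["type"] == "client_ip":       # wildcard form only, e.g. 10.8.169.*
        return fnmatch.fnmatchcase(conn["client_ip"], a["value"])
    if a["type"] == "access_control":  # True = connection made with NetScaler Gateway
        return conn["via_gateway"] == a["value"]
    raise ValueError("unmodelled assignment type: " + a["type"])

def policy_applies(policy, conn):
    assignments = policy["assignments"]        # empty list: applies to all connections
    # A satisfied Deny assignment keeps the policy from being applied.
    if any(a["mode"] == "deny" and satisfies(a, conn) for a in assignments):
        return False
    # Each type with Allow assignments needs at least one of them satisfied.
    allows = [a for a in assignments if a["mode"] == "allow"]
    return all(any(satisfies(b, conn) for b in allows if b["type"] == a["type"])
               for a in allows)

def effective_settings(policies, conn):
    """First configured value in priority order wins (1 = highest, assumed)."""
    result = {}
    for p in sorted(policies, key=lambda p: p["priority"]):
        if policy_applies(p, conn):
            for name, state in p["settings"].items():  # unconfigured settings are absent
                result.setdefault(name, state)
    return result

def rule(mode, kind, value):
    return {"mode": mode, "type": kind, "value": value}

# Policies 1-3 from the examples above; settings and priorities are constructed.
POLICIES = [
    {"name": "Policy 1", "priority": 1,
     "assignments": [rule("allow", "user", "Sales"), rule("deny", "user", "sales-manager")],
     "settings": {"Client drive redirection": "Disabled"}},
    {"name": "Policy 2", "priority": 2,
     "assignments": [rule("allow", "user", "Sales"), rule("allow", "client_ip", "10.8.169.*")],
     "settings": {"Client drive redirection": "Enabled", "Client network drives": "Enabled"}},
    {"name": "Policy 3", "priority": 3,
     "assignments": [rule("allow", "user", "Sales"), rule("allow", "access_control", True)],
     "settings": {"Client network drives": "Disabled"}},
]
# Constructed connections: both from the office network, without NetScaler Gateway.
MANAGER = {"identities": {"Sales", "sales-manager"}, "client_ip": "10.8.169.25", "via_gateway": False}
REP = {"identities": {"Sales", "sales-rep"}, "client_ip": "10.8.169.40", "via_gateway": False}
```

In this model the Sales manager receives only Policy 2, so the Disabled state that Policy 1 sets for Client drive redirection never reaches that session; a Deny assignment on a restrictive policy is worth reviewing for this reason.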

Create a new policy based on a template, using Studio

  1. Select Policies in the Studio navigation pane.
  2. Select the Templates tab and select a template.
  3. Select Create Policy from Template in the Actions pane.
  4. By default, the new policy uses all the default settings in the template (the Use template default settings radio button is selected). If you want to change settings, select the Modify defaults and add more settings radio button, and then add or remove settings.
  5. Specify how to apply the policy by selecting one of the following:
    • Assign to selected user and machine objects and then select the user and machine objects to which the policy will apply.
    • Assign to all objects in a site to apply the policy to all user and machine objects in the Site.
  6. Enter a name for the policy (or accept the default); consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

    The policy is enabled by default; you can disable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you need to prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

Create a new policy using Studio

  1. Select Policies in the Studio navigation pane.
  2. Select the Policies tab.
  3. Select Create Policy in the Actions pane.
  4. Add and configure policy settings.
  5. Specify how to apply the policy by choosing one of the following:
    • Assign to selected user and machine objects and then select the user and machine objects to which the policy will apply.
    • Assign to all objects in a site to apply the policy to all user and machine objects in the Site.
  6. Enter a name for the policy (or accept the default); consider naming the policy according to who or what it affects, for example Accounting Department or Remote Users. Optionally, add a description.

    The policy is enabled by default; you can disable it. Enabling the policy allows it to be applied immediately to users logging on. Disabling prevents the policy from being applied. If you need to prioritize the policy or add settings later, consider disabling the policy until you are ready to apply it.

Create and manage policies using the Group Policy Editor

From the Group Policy Editor, expand Computer Configuration or User Configuration. Expand the Policies node and then select Citrix Policies. Choose the appropriate action below.
Task and instruction:
  • Create a new policy: On the Policies tab, click New.
  • Edit an existing policy: On the Policies tab, select the policy and then click Edit.
  • Change the priority of an existing policy: On the Policies tab, select the policy and then click either Higher or Lower.
  • View summary information about a policy: On the Policies tab, select the policy and then click the Summary tab.
  • View and amend policy settings: On the Policies tab, select the policy and then click the Settings tab.
  • View and amend policy filters: On the Policies tab, select the policy and then click the Filters tab.
  • Enable or disable a policy: On the Policies tab, select the policy and then select either Actions > Enable or Actions > Disable.
  • Create a new policy from an existing template: On the Templates tab, select the template and then click New Policy.