
Apply policies

Jun 17, 2013

When you assign a policy to certain user and machine objects, that policy is applied to connections according to specific criteria or rules. If no assignments are added, the policy is applied to all connections.

In general, you can add as many assignments as you want to a policy, based on a combination of criteria.
Note: You can add only one Citrix CloudBridge assignment to a policy.

The following table lists the available assignments:

Assignment Name Assignment Description

Access Control

Applies a policy based on the access control conditions through which a client is connecting.

Citrix CloudBridge

Applies a policy based on whether or not a user session is launched through Citrix CloudBridge.

Client IP Address

Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session.

IPv4 Examples:
  • 12.0.0.0
  • 12.0.0.*
  • 12.0.0.1-12.0.0.70
  • 12.0.0.1/24
IPv6 Examples:
  • 2001:0db8:3c4d:0015:0:0:abcd:ef12
  • 2001:0db8:3c4d:0015::/54

Client Name

Applies a policy based on the name of the user device from which the session is connected.

Delivery Group

Applies a policy based on the Delivery Group membership of the desktop running the session.

Desktop Type

Applies a policy based on the type of desktop running the session.

Organizational Unit

Applies a policy based on the organizational unit (OU) of the desktop running the session.

Tag

Applies a policy based on any tags applying to the desktop running the session.

User or Group

Applies a policy based on the user or group membership of the user connecting to the session.
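The Client IP Address formats listed in the table can be checked against a candidate client address with the sketch below. It is an added example, not Citrix code, and it assumes standard semantics for each form (inclusive ranges, per-octet wildcards, CIDR with host bits ignored); `ip_matches` and `effective_network` are hypothetical names.

```python
import ipaddress

def effective_network(pattern):
    """Network a CIDR pattern really covers once host bits are masked off."""
    return str(ipaddress.ip_network(pattern, strict=False))

def ip_matches(pattern, client_ip):
    """True if client_ip falls inside pattern (assumed semantics, see lead-in)."""
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:                    # CIDR form, e.g. 12.0.0.1/24
        net = ipaddress.ip_network(pattern, strict=False)
        return addr.version == net.version and addr in net
    if "-" in pattern:                    # inclusive range, e.g. 12.0.0.1-12.0.0.70
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return addr.version == lo.version == hi.version and lo <= addr <= hi
    if "*" in pattern:                    # IPv4 octet wildcard, e.g. 12.0.0.*
        if addr.version != 4:
            return False
        want, got = pattern.split("."), str(addr).split(".")
        return len(want) == 4 and all(w in ("*", g) for w, g in zip(want, got))
    # Exact address: compare parsed values so that expanded and compressed
    # IPv6 spellings of the same address are treated as equal.
    return addr == ipaddress.ip_address(pattern)

if __name__ == "__main__":
    # Patterns are the examples from the table; client addresses are constructed.
    for pat, ip in [("12.0.0.1/24", "12.0.0.254"),
                    ("12.0.0.1-12.0.0.70", "12.0.0.71"),
                    ("2001:0db8:3c4d:0015::/54", "2001:db8:3c4d:3ff::1")]:
        print(pat, ip, ip_matches(pat, ip))
    print(effective_network("2001:0db8:3c4d:0015::/54"))
```

Under these assumptions, a CIDR pattern written with host bits set covers more than its literal address suggests, so review the effective network before relying on such an assignment to separate trusted from untrusted client addresses.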

When a user logs on, all policies that match the assignments for the connection are identified. The identified policies are sorted into priority order, and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy. If you are using Active Directory, policy settings are updated when Active Directory re-evaluates policies at regular 90-minute intervals, and they are applied when a user logs on.

Any policy setting that is disabled takes precedence over a lower-ranked setting that is enabled. Policy settings that are not configured are ignored.

Important: When configuring both Active Directory and Citrix policies using the Group Policy Management Console, assignments and settings may not be applied as expected. For more information, see http://support.citrix.com/article/CTX127461

Unfiltered policies

By default, you are provided with an "Unfiltered" policy. The settings added to this policy apply to all connections.

If you use Studio to manage Citrix policies, settings you add to the Unfiltered policy are applied to all servers, desktops, and connections in a site.

If you have Active Directory in your environment and use the Group Policy Editor to manage Citrix policies, settings you add to the Unfiltered policy are applied to all sites and connections that are within the scope of the Group Policy Objects (GPOs) that contain the policy. For example, the Sales OU contains a GPO called Sales-US that includes all members of the US sales team. The Sales-US GPO is configured with an Unfiltered policy that includes several user policy settings. When the US Sales manager logs on to the site, the settings in the Unfiltered policy are automatically applied to the session because the user is a member of the Sales-US GPO.

Assignment modes

An assignment's mode determines whether or not the policy is applied only to connections that match all the assignment criteria. If the mode is set to Allow (the default), the policy is applied only to connections that match the assignment criteria. If the mode is set to Deny, the policy is applied if the connection does not match the assignment criteria. The following examples illustrate how assignment modes affect Citrix policies when multiple assignments are present.

Example: Assignments of like type with differing modes

In policies with two assignments of the same type, one set to Allow and one set to Deny, the assignment set to Deny takes precedence, provided the connection satisfies both assignments. For example:

Policy 1 includes the following assignments:
  • Assignment A is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment B is a User assignment that specifies the Sales manager's account and the mode is set to Deny

Because the mode for Assignment B is set to Deny, the policy is not applied when the Sales manager logs on to the site, even though the user is a member of the Sales group.

Example: Assignments of differing type with like modes

In policies with two or more assignments of differing types, set to Allow, the connection must satisfy at least one assignment of each type in order for the policy to be applied. For example:

Policy 2 includes the following assignments:
  • Assignment C is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment D is a Client IP Address assignment that specifies 10.8.169.* (the corporate network) and the mode is set to Allow

When the Sales manager logs on to the site from the office, the policy is applied because the connection satisfies both assignments.

Policy 3 includes the following assignments:
  • Assignment E is a User assignment that specifies the Sales group and the mode is set to Allow
  • Assignment F is an Access Control assignment that specifies NetScaler Gateway connection conditions and the mode is set to Allow

When the Sales manager logs on to the site from the office, the policy is not applied because the connection does not satisfy Assignment F.
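The assignment-mode rules above and the priority rules from the earlier paragraph on how settings are applied can be modelled together to predict which settings a connection ends up with. This is an added example, not Citrix code: the priority numbers, the `setting_a`/`setting_b` names, the account names and the convention that 1 is the highest rank are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Assignment:
    kind: str            # "user", "client_ip" or "access_control"
    value: str
    mode: str = "Allow"  # or "Deny"

    def matches(self, conn):
        if self.kind == "user":          # account name or any group it belongs to
            return self.value in conn["user"]
        if self.kind == "client_ip":     # only the wildcard form is handled here
            return fnmatch(conn["client_ip"], self.value)
        return conn.get(self.kind) == self.value

@dataclass
class Policy:
    name: str
    priority: int        # assumption: 1 is the highest rank
    assignments: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)  # "Enabled", "Disabled" or None

def applies(policy, conn):
    allow_hit = {}       # per type: did any Allow assignment match?
    for a in policy.assignments:
        hit = a.matches(conn)
        if a.mode == "Deny" and hit:
            return False                 # a matching Deny overrides any Allow
        if a.mode == "Allow":
            allow_hit[a.kind] = allow_hit.get(a.kind, False) or hit
    return all(allow_hit.values())       # no assignments at all -> applies

def resultant(policies, conn):
    result = {}          # setting -> (state, name of the policy that supplied it)
    for p in sorted((p for p in policies if applies(p, conn)), key=lambda p: p.priority):
        for name, state in p.settings.items():
            if state is not None:        # not-configured settings are ignored
                result.setdefault(name, (state, p.name))
    return result

# Constructed data: the page's Policies 1-3 plus the Unfiltered policy.
OFFICE_MANAGER = {"user": {"sales-manager", "Sales"}, "client_ip": "10.8.169.25"}
POLICIES = [
    Policy("Policy 1", 1, [Assignment("user", "Sales"), Assignment("user", "sales-manager", "Deny")], {"setting_a": "Enabled"}),
    Policy("Policy 2", 2, [Assignment("user", "Sales"), Assignment("client_ip", "10.8.169.*")], {"setting_a": "Disabled", "setting_b": None}),
    Policy("Policy 3", 3, [Assignment("user", "Sales"), Assignment("access_control", "NetScaler Gateway")], {"setting_b": "Disabled"}),
    Policy("Unfiltered", 4, [], {"setting_a": "Enabled", "setting_b": "Enabled"}),
]
print(resultant(POLICIES, OFFICE_MANAGER))
```

Recording which policy supplied each value makes it easy to spot a restrictive setting that silently stops applying when a connection fails an Allow assignment and falls through to the Unfiltered policy.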