Product Documentation

Using Multiple Policies

Apr 28, 2015
You can use multiple policies to customize XenApp to meet users’ needs based on their job functions, geographic locations, or connection types. For example, for security reasons you may need to place restrictions on user groups who regularly work with highly sensitive data. You can create a policy that requires a high level of encryption for sessions and prevents users from saving sensitive files on their local client drives. However, if some people in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one takes precedence.
Note: When managing policies through the Delivery Services Console, be aware that making frequent changes can adversely impact server performance. When you modify a policy, the XenApp server synchronizes its copy of the farm Group Policy Object (GPO) with the data store, propagating the change to other servers in the farm. For example, if you make changes to five policies, the server synchronizes the farm GPO five times. In a large farm with multiple policies, this frequent synchronization can result in delayed server responses to user requests. To ensure server performance is not impacted by needed policy changes, arrange to make these changes during off-peak usage periods.

When using multiple policies, you need to determine how to prioritize them, how to create exceptions, and how to view the effective policy when policies conflict.

In general, policies override similar settings configured for the entire server farm, for specific servers, or on the client. The exception to this principle is security. The highest encryption setting in your environment, including the operating system and the most restrictive shadowing setting, always overrides other settings and policies.

Citrix policies interact with policies you set in your operating system. Some Windows policies take precedence over Citrix policies. For some policy settings, such as Secure ICA, the settings in policies must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you are publishing an application can be overridden.

For example, the encryption settings that you specify when you are publishing an application should be at the same level as the encryption settings you specified throughout your environment.

Prioritizing Policies and Creating Exceptions

Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. The process XenApp uses to evaluate policies is as follows:
  1. When a user logs on, all policies that match the filters for the connection are identified.
  2. XenApp sorts the identified policies into priority order and compares multiple instances of any setting, applying the setting according to the priority ranking of the policy.

You prioritize policies by giving them different priority numbers. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting's condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings.

When you create policies for groups of users, client devices, or servers, you may find that some members of the group require exceptions to some policy settings. You can create exceptions by:
  • Creating a policy only for those group members who need the exceptions and then ranking the policy higher than the policy for the entire group
  • Using the Deny mode of a filter added to the policy
A filter with the mode set to Deny tells XenApp to apply the policy to connections that do not match the filter criteria. For example, a policy contains the following filters:
  • Filter A is a Client IP address filter that specifies the range 208.77.88.* and the mode is set to Allow.
  • Filter B is a User filter that specifies a particular user account and the mode is set to Deny.

The policy is applied to all users who log on to the farm with IP addresses in the range specified in Filter A. However, the policy is not applied to the user logging on to the farm with the user account specified in Filter B, even though the user's computer is assigned an IP address in the range specified in Filter A.

To change the priority of a policy

  1. From the console tree, choose to view Citrix Computer Policies or Citrix User Policies.
  2. From the middle pane, select the policy you want to prioritize.
  3. Click Increase Priority or Decrease Priority as appropriate until the policy has the preferred rank.