XenDesktop Policy Information


You can use multiple policies to customize XenApp to meet users’ needs based on their job functions, geographic locations, or connection types. For example, for security reasons you may need to place restrictions on user groups who regularly work with highly sensitive data. You can create a policy that requires a high level of encryption for sessions and prevents users from saving sensitive files on their local client drives. However, if some people in the user group do need access to their local drives, you can create another policy for only those users. You then rank or prioritize the two policies to control which one takes precedence.

Note: When managing policies through the Delivery Services Console, be aware that making frequent changes can adversely impact server performance. When you modify a policy, the XenApp server synchronizes its copy of the farm Group Policy Object (GPO) with the data store, propagating the change to other servers in the farm. For example, if you make changes to five policies, the server synchronizes the farm GPO five times. In a large farm with multiple policies, this frequent synchronization can result in delayed server responses to user requests. To ensure server performance is not impacted by needed policy changes, arrange to make these changes during off-peak usage periods.

When using multiple policies, you need to determine how to prioritize them, how to create exceptions, and how to view the effective policy when policies conflict.

In general, policies override similar settings configured for the entire server farm, for specific servers, or on the client. The exception to this principle is security. The highest encryption setting in your environment, including the operating system, and the most restrictive shadowing setting always override other settings and policies.

Citrix policies interact with policies you set in your operating system. Some Windows policies take precedence over Citrix policies. For some policy settings, such as Secure ICA, the settings in policies must match the settings in the operating system. If a higher priority encryption level is set elsewhere, the Secure ICA policy settings that you specify in the policy or when you are publishing an application can be overridden.

For example, the encryption settings that you specify when you are publishing an application should be at the same level as the encryption settings you specified throughout your environment.

Posted in Citrix eDocs

Troubleshooting Policies With No Configured Settings

Because settings configured in some policies can conflict with settings configured in others and policies can have multiple filters, a policy may not behave as expected or it may not run at all. Users, IP addresses, and other filtered objects can have more than one policy that applies to them simultaneously. In this case, XenDesktop merges these policies’ settings to effectively form a new policy resulting from the existing ones. This combination of settings is known as the resultant policy. When there are multiple policies that can apply to a session, it is the resultant policy that XenDesktop enforces.

When you run the Citrix Group Policy Modeling Wizard or the Group Policy Results tool, you might create a resultant policy that has no configured settings. When this happens, users connecting to their virtual desktops under conditions that match the policy evaluation criteria are not affected by any policy rules. This occurs when:

  • No policies have filters that match the policy evaluation criteria
  • Policies that match the filter do not have any settings configured
  • Policies that match the filter are disabled

If you want to apply policy settings to the connections that meet the specified criteria:

  • Make sure the policies that you want to apply to those connections are enabled
  • Make sure the policies that you want to apply have the appropriate settings configured
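
The merge into a resultant policy, and the three ways it can end up empty, can be modelled in a few lines. This is an added example, not Citrix code: a simplified model that assumes priority 1 is the highest, that a policy applies only when all of its filters match the session, and that a policy with no filters applies to every session. The policy names, filter keys and setting names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    priority: int                                  # assumption: 1 = highest
    enabled: bool = True
    filters: dict = field(default_factory=dict)    # evidence key -> required value
    settings: dict = field(default_factory=dict)   # hypothetical setting names

def matches(policy, session):
    # Assumption: all filters must match; no filters means "applies to everyone".
    return all(session.get(k) == v for k, v in policy.filters.items())

def resultant_policy(policies, session):
    """Return (settings, winners, reason); reason explains an empty result."""
    matching = [p for p in policies if matches(p, session)]
    if not matching:
        return {}, {}, "no policy has a filter that matches"
    enabled = [p for p in matching if p.enabled]
    if not enabled:
        return {}, {}, "matching policies are disabled"
    settings, winners = {}, {}
    # Walk from highest to lowest priority; the first policy to configure
    # a setting wins it, lower-priority policies only fill the gaps.
    for p in sorted(enabled, key=lambda p: p.priority):
        for key, value in p.settings.items():
            if key not in settings:
                settings[key], winners[key] = value, p.name
    if not settings:
        return {}, {}, "matching policies have no settings configured"
    return settings, winners, None

# Constructed sample policies, following the page's sensitive-data scenario.
POLICIES = [
    Policy("Drive-Exception", 1, filters={"group": "Finance", "user": "alice"},
           settings={"client_drives": "allowed"}),
    Policy("Sensitive-Data", 2, filters={"group": "Finance"},
           settings={"encryption": "high", "client_drives": "prohibited"}),
    Policy("Branch-Draft", 3, enabled=False, filters={"client_ip": "10.0.5.20"},
           settings={"client_drives": "prohibited"}),
    Policy("Kiosk-Empty", 4, filters={"group": "Kiosk"}),
]

if __name__ == "__main__":
    for s in ({"user": "alice", "group": "Finance"}, {"user": "bob", "group": "Finance"},
              {"user": "carol", "group": "Sales", "client_ip": "10.0.5.20"},
              {"user": "kiosk1", "group": "Kiosk"}, {"user": "dave", "group": "Sales"}):
        print(s["user"], resultant_policy(POLICIES, s))
```

The winners map records which policy supplied each setting, which is the first thing to check when a restriction such as the client-drive block does not take effect for a user.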


Using the Citrix Policy Modeling Wizard

With the Citrix Group Policy Modeling Wizard, you can specify conditions for a connection scenario such as domain controller, users, Citrix policy filter evidence values, and simulated environment settings such as slow network connection. The report that the wizard produces lists the Citrix policies that would likely take effect in the scenario.

If you are logged on to the server as a domain user and your environment includes Active Directory, the wizard calculates the Resultant Set of Policy by including settings from Active Directory Group Policy Objects (GPOs). If you run the wizard from the Delivery Services Console, the farm GPO residing on the server is included in this calculation as well. However, if you are logged on to the server as a local user and run the wizard from the Delivery Services Console, the wizard calculates the Resultant Set of Policy using only the farm GPO.

Using Group Policy Results

The Group Policy Results tool helps you evaluate the current state of GPOs in your environment and generates a report that describes how these objects, including Citrix policies, are currently being applied to a particular user and server.

