Exclude user/group from citrix policy or apply citrix policy to some/specific users

Website Visitors:

Exclude users from citrix policy:

Normally when we create a citrix policy, you have option to choose specific citrix/AD entities like shown below:

Assignment Name Assignment Description
Access Control Applies a policy based on the access control conditions through which a client is connecting.
Citrix CloudBridge Applies a policy based on whether or not a user session is launched through Citrix CloudBridge.
Client IP Address Applies a policy based on the IP address (IPv4 or IPv6) of the user device used to connect to the session.

IPv4 Examples:

- 12.0.0.*

IPv6 Examples:

- 2001:0db8:3c4d:0015:0:0:abcd:ef12
- 2001:0db8:3c4d:0015::/54
Client Name Applies a policy based on the name of the user device from which the session is connected.
Delivery Group Applies a policy based on the Delivery Group membership of the desktop running the session.
Desktop Type Applies a policy based on the type of desktop running the session.
Organizational Unit Applies a policy based on the organizational unit (OU) of the desktop running the session.
Tag Applies a policy based on any tags applying to the desktop running the session.
User or Group Applies a policy based on the user or group membership of the user connecting to the session.

You might end up in a situation where, you have a citrix policy, which you want to apply to all users on only one application.  Directly you cannot apply a policy to a single application in citrix policy node. You have two ways to achieve this:

  • Create a tag, apply that tag to required application. Create a citrix policy and apply that policy to the tag. So, whoever is using that application will have the setting applied.
    Note: Applying policy through tag only applies to desktops not applications. This is till 7.11. From XenDesktop 7.12, Tags are officially announced with full functionality. Set this policy to higher priority than the other citrix policy that denies the setting.
  • Other way is to create a new AD group and new citrix policy. Apply citrix policy to that AD group. Set this policy to higher priority than the other citrix policy that denies the setting.  Note: When you apply a citrix policy to user group, this policy will be applied to all desktops and applications in the site.
    Example, You already have a citrix policy to disable a setting like clipboard redirection. If you allow the same setting through new citrix policy and apply it to new AD group, this new policy would allow clipboard redirection on all applications and desktops, for all users given in the new AD group, as you are applying a policy to AD group. So all users in that AD group will have clipboard redirection enabled.

In both the cases make sure the new citrix policy has higher priority than the other citrix policy that denies the setting.

Prioritize policies

Prioritizing policies allows you to define the precedence of policies when they contain conflicting settings. When a user logs on, all policies that match the assignments for the connection are identified. Those policies are sorted into priority order and multiple instances of any setting are compared. Each setting is applied according to the priority ranking of the policy.

You prioritize policies by giving them different priority numbers in Studio. By default, new policies are given the lowest priority. If policy settings conflict, a policy with a higher priority (a priority number of 1 is the highest) overrides a policy with a lower priority. Settings are merged according to priority and the setting’s condition; for example, whether the setting is disabled or enabled. Any disabled setting overrides a lower-ranked setting that is enabled. Policy settings that are not configured are ignored and do not override the settings of lower-ranked settings.

Want to learn more on Citrix Automations and solutions???

Subscribe to get our latest content by email.

If you like our content, please support us by sponsoring on GitHub below: