XenApp and XenDesktop Policy Planning Guide
8/10/2019 XenApp and XenDesktop Policy Planning Guide
Worldwide Consulting Solutions | WHITE PAPER | Citrix Policy
Table of Contents
Overview
Guidelines
    Policy Configuration
    Planning a Baseline Policy
    Security Policies
    Connection based policy configuration
    Device based policy configuration
    User Profile Considerations
Planning
    Citrix User Policy Settings
    Citrix Computer Policy Settings
    Microsoft Windows Policy
    Folder Redirection Policy
Conclusion
Appendix: Policy Quick Reference
Overview
Citrix policies provide the basis to configure and fine tune your XenDesktop and XenApp
environments, allowing organizations to control connection, security and bandwidth settings based
on various combinations of users, devices or connection types. Correctly defining an initial baseline
policy and assigning additional policies based on security requirements and specific access scenarios
can be important in delivering a high definition user experience.
This planning guide is intended to be a guideline during the decision process for creating a baseline
policy and additional policies based on connection, security, device and profile considerations.
While it creates a baseline policy and recommendations for policy settings, it should not be assumed
to be a complete configuration, or absolutely correct for every customer situation. Architects should
review the recommendations contained in this document against desired outcomes within the
organization to ensure requirements are met.
When making policy decisions it is important to consider both Microsoft Windows and Citrix
policies, as components within both policy configurations have an impact on user experience and
environment optimization. Within this planning guide a base set of Windows policies that can be
used to optimize XenApp and XenDesktop environments is presented. For more details on specific
Windows related policies, refer to the Group Policy Settings Reference for Windows and Windows
Server, specifically settings related to Windows Server 2008 R2 and Windows 7.
To help architects design a XenDesktop and XenApp solution based on real-world projects,
organizations can refer to the Citrix Desktop Transformation Accelerator for step by step
assessment, design and deployment guidance, and the XenDesktop Design Handbook for reference
architectures, planning guides and best practices.
Group Policy Settings Reference for Windows and Windows Server: http://www.microsoft.com/en-us/download/details.aspx?id=25250
Citrix Desktop Transformation Accelerator: http://www.citrix.com/successaccelerator/
XenDesktop Design Handbook: http://community.citrix.com/kits/#/kit/1067009
Guidelines
When creating a policy set for XenDesktop or XenApp environments, it is a good practice to define
a baseline policy set which outlines all of the common configuration options for an organization
within a single policy set, and then configure policy exceptions as required to override decisions for
specific needs. The key is to keep the policy configurations simple and well-structured in order to
avoid confusion about the resultant set of policy as configurations grow and become more complex.
When creating a baseline and exception based policy structure, it is important to consider the
following major areas:
• Policy configuration
    o Group Policy vs. Citrix Policy engine
    o Policy Integration
    o Policy Filtering
    o Policy Precedence
• Baseline policy configuration
• Security policies
• Connection based policy configuration
• Device based policy configuration
• User profile considerations
Policy Configuration
Group Policy vs. Citrix Policy Engine
With new versions of XenDesktop and XenApp, organizations have the option to configure
Citrix policies via the Citrix administrative consoles (AppCenter for XenApp or Desktop Studio
for XenDesktop), or through Active Directory group policy using Citrix ADMX files, which
extend group policy and provide advanced filtering mechanisms. Using Active Directory group
policy allows organizations to manage both Windows policies and Citrix policies in the same
location, and minimizes the administrative tools required for policy management. Group policies
are automatically replicated across domain controllers, protecting the information and simplifying
policy application. Citrix administrative consoles should be used if Citrix administrators do not
have access to Active Directory policies, or if filtering mechanisms such as Smart Access are
required. Architects should select one of the above two methods as appropriate for their
organization's needs and use that method consistently to avoid confusion with multiple Citrix
policy locations.
Policy Integration
When configuring policies, organizations will often require both Active Directory policies and
Citrix policies to create a completely configured environment. With the use of both policy sets,
the resultant set of policies can become confusing to determine. In some cases, particularly with
respect to Windows Remote Desktop Services (RDS) and Citrix policies, similar functionality can
be configured in two different locations. For example, it is possible to enable client drive
mapping in Citrix policy and disable client drive mapping in RDS policy. The ability to use the
desired feature may be dependent upon the combination of RDS and Citrix policy. It is
important to understand that Citrix policies build upon functionality available in Remote Desktop
Services. If the required feature is explicitly disabled in RDS policy, Citrix policy will not be able
to affect a configuration as the underlying functionality has been disabled. In order to avoid this
confusion, it is recommended that RDS policies only be configured where required and there is
no corresponding policy in the XenDesktop or XenApp configuration, or the configuration is
specifically needed for RDS use within the organization. Configuring policies at the highest
common denominator will simplify the process of understanding resultant set of policies and
troubleshooting policy configurations.
Policy Filtering
Once policies have been created, they need to be applied to groups of users and/or computers
based on the required outcome. Policy filtering provides the ability to apply policies against the
requisite user or computer groups. With Active Directory based policies, a key decision is
whether to apply a policy to computers or users within site, domain or organizational unit (OU)
objects. Active Directory policies are broken down into user configuration and computer
configuration. By default, the settings within the user configuration are applied to users who reside
within the OU at logon, and settings within the computer configuration are applied to the
computer at system startup, and will affect all users who log on to the system. One challenge of
policy association with Active Directory and Citrix deployments revolves around three core areas:
• Citrix specific computer policies. Citrix XenApp servers and virtual desktops often have
  computer policies that are created and deployed specifically for the XenDesktop or
  XenApp environment. Applying these policies is easily accomplished by creating separate
  OU structures for the XenApp servers and the virtual desktops. Specific policies can
  then be created and confidently applied to only the computers within the OU and below
  and nothing else. Based upon requirements, virtual desktops and XenApp servers may be
  further subdivided within the OU structure based on server roles, geographical locations
  or business units.
• Citrix specific user policies. When creating policies for XenDesktop and XenApp there
  are a number of policies specific to user experience and security that are applied based on
  the user's connection to the Citrix environment. However, the user's accounts could be
  located anywhere within the Active Directory structure, creating difficulty with simply
  applying user configuration based policies. It is not desirable to apply the Citrix specific
  configurations at the domain level as the settings would be applied to every system any
  user logged on to. Simply applying the user configuration settings at the OU where the
  XenApp servers or virtual desktops are located will also not work, as the user accounts
  are not located within that OU. The answer is to apply a loopback policy, which is a
  computer configuration policy that forces the computer to apply the assigned user
  configuration policy of the OU to any user who logs into the server or virtual desktop,
  regardless of the user's location within Active Directory. Loopback Processing can be
  applied with either Merge or Replace settings. Using Replace overwrites the entire user
  GPO with the policy from the XenApp or XenDesktop OU. Merge will combine the
  user GPO with the GPO from the XenApp or XenDesktop OU. As the computer
  GPOs are processed after the user GPOs when merge is used, the Citrix related OU
  settings will have precedence and be applied in the event of a conflict.
• Active Directory policy filtering. In more advanced cases, there may be a need to apply a
  policy setting to a small subset of users like Citrix administrators. In this case, Loopback
  Processing will not work as the policy is intended to be applied only to the subset of
  users, not all users who log in to the system. Active Directory policy filtering can be used
  to specify specific users or groups of users to which the policy is applied. A policy can be
  created for a specific function, and then a policy filter can be set to apply that policy only
  to a group of users such as Citrix administrators. Policy filtering is accomplished using
  the Security properties of each target policy.
Citrix policies created using the Citrix administrative consoles in either XenDesktop or XenApp
have specific filter settings available, which may be used to address policy-filtering situations that
cannot be handled using group policy. Filters may be applied using any combination of the
following filters:
Filter Name | Filter Description | Policy Scope
------------|--------------------|-------------
Access Control | Applies a policy based on access control conditions through which a client is connecting. For example, users connecting through a Citrix Access Gateway can have specific policies applied. | User policies
Branch Repeater | Applies a policy based on whether or not a user session was launched through Citrix Branch Repeater. | User policies
Client IP Address | Applies a policy based on the IPv4 or IPv6 address of the user device used to connect the session. Care must be taken with this filter if IPv4 address ranges are used in order to avoid unexpected results. | User policies
Client Name | Applies a policy based on the name of the user device used to connect the session. | User policies
Desktop Group | Applies a policy based on the desktop group membership of the desktop running the session. | XenDesktop user or machine policies
Desktop Type | Applies a policy based on the type of machine running the session. For example, different policies can be set depending upon whether a desktop is pooled, dedicated or streamed. | XenDesktop user or machine policies
Organizational Unit | Applies a policy based on the OU of the desktop running the session. | XenDesktop user or machine policies
Tag | Applies a policy based on any tags applying to the desktop running the session. Tags are strings that can be added to virtual desktops in XenDesktop environments that can be used to search for or limit access to desktops. | XenDesktop user or machine policies
User or Group | Applies a policy based on the Active Directory group membership of the user connecting to the session. | User policies
Worker Group | Applies a policy based on the worker group membership of the server hosting the session. | XenApp user or computer policies
Policy Precedence
With the tree-based structure of Active Directory, policies can be created and enforced at any
level in the tree structure. As such, it is important to understand how the aggregation of policies,
known as policy precedence, flows in order to understand how a resultant set of policies is
created. With Active Directory and Citrix policies, the precedence is as follows:
• Processed first/lowest precedence: Local server policies
• Processed second: Citrix policies created using the Citrix administrative consoles
• Processed third: Site level AD policies
• Processed fourth: Domain level AD policies
• OU based AD policies
    o Processed fifth: Highest level OU in domain
    o Processed sixth and subsequent: Next level OU in domain
    o Processed last/highest precedence: Lowest level OU containing object
Policies from each level are aggregated into a final policy that is applied to the user or computer.
In most enterprise deployments, Citrix administrators do not have rights to change policies
outside their specific OUs, which will typically be the highest level for precedence. In cases
where exceptions are required, the application of policy settings from higher up the OU tree can
be managed using Block Inheritance and No Override settings. The Block Inheritance setting
stops the settings from higher-level OUs (lower precedence) from being incorporated into the
policy. However, if a higher-level OU policy is configured with No Override, the Block
Inheritance setting will not be applied. Given this, care must be taken in policy planning, and
available tools such as the Active Directory Resultant Set of Policy tool or the XenDesktop
policy planning feature should be used to validate the observed outcomes with the expected
outcomes.
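The precedence order above, together with the Loopback Processing modes from the Policy Filtering section, as an added example that is not part of the Citrix white paper: a small Python model that resolves a chain of policy layers, honours Block Inheritance and No Override, and then combines user and machine chains in Merge or Replace mode. All layer names and values are constructed; leaving local and console policies untouched by Block Inheritance and resolving No Override inside each chain separately are assumptions of the model.

```python
from dataclasses import dataclass

AD_LEVELS = ("site", "domain", "ou")   # levels that carry linked AD policies


@dataclass
class Layer:
    """One policy source; a chain lists layers from processed first to last."""
    name: str
    level: str                       # "local", "citrix", "site", "domain" or "ou"
    settings: dict
    no_override: bool = False        # No Override set on this level's policy
    block_inheritance: bool = False  # Block Inheritance set on this container


def resolve_chain(chain):
    """Return (settings, origin) after applying precedence and both flags."""
    # The lowest container that blocks inheritance cuts off the AD levels above it.
    block_at = max((i for i, layer in enumerate(chain)
                    if layer.level in AD_LEVELS and layer.block_inheritance),
                   default=-1)
    normal, enforced = [], []
    for i, layer in enumerate(chain):
        is_ad = layer.level in AD_LEVELS
        if is_ad and layer.no_override:
            enforced.append(layer)   # cannot be blocked, applied after the rest
        elif is_ad and i < block_at:
            continue                 # higher-level AD policy that is blocked
        else:
            normal.append(layer)     # local, console and unblocked AD policies
    settings, origin = {}, {}
    # Later writes win. Enforced layers go last, the highest level last of all.
    for layer in normal + enforced[::-1]:
        for key, value in layer.settings.items():
            settings[key], origin[key] = value, layer.name
    return settings, origin


def loopback_user_settings(user_chain, machine_chain, mode):
    """User settings on a machine whose OU has Loopback Processing enabled.

    machine_chain stands for the user-configuration half of the policies
    that apply to the machine's own OU path.
    """
    user, user_origin = resolve_chain(user_chain)
    machine, machine_origin = resolve_chain(machine_chain)
    if mode == "replace":            # the user's own policies are discarded
        return machine, machine_origin
    if mode == "merge":              # machine-side values win every conflict
        return {**user, **machine}, {**user_origin, **machine_origin}
    raise ValueError("mode must be 'merge' or 'replace'")


# Constructed sample data: a security policy enforced at domain level.
DOMAIN_SECURITY = Layer("Domain-Security", "domain",
                        {"Client clipboard redirection": "Prohibit"},
                        no_override=True)
SERVER_CHAIN = [
    Layer("Local", "local", {"Desktop wallpaper": "Enable"}),
    Layer("AppCenter", "citrix", {"Client clipboard redirection": "Allow",
                                  "Audio quality": "Medium"}),
    DOMAIN_SECURITY,
    Layer("OU Servers", "ou", {"Audio quality": "High",
                               "Client USB device redirection": "Enable"}),
    Layer("OU Servers/XenApp", "ou", {"Client clipboard redirection": "Allow",
                                      "Desktop wallpaper": "Disable"},
          block_inheritance=True),
]
USER_CHAIN = [
    DOMAIN_SECURITY,
    Layer("OU Staff", "ou", {"Desktop wallpaper": "Enable",
                             "Menu animation": "Allow"}),
]

if __name__ == "__main__":
    result, source = resolve_chain(SERVER_CHAIN)
    for key in sorted(result):
        print(f"{key}: {result[key]}  (from {source[key]})")
```

In the sample chain the XenApp OU blocks the parent OU's USB setting, but its own attempt to allow the clipboard loses to the domain policy marked No Override.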
Planning a Baseline Policy
The baseline policy should contain all common elements required to deliver a high definition
experience to the majority of users within the organization. The baseline policy creates the
foundation for user access, and any exceptions that may need to be created to address specific access
requirements for groups of users. It should be comprehensive to cover as many use cases as
possible and should have the lowest priority, for example 99 (a priority number of 1 is the highest
priority), in order to create the simplest policy structure possible and avoid difficulties in
determining the resultant set of policies. The unfiltered policy set provided by Citrix as the default
policy may be used to create the baseline policy as it is applied to all users and connections. In the
baseline configuration presented in this whitepaper, Citrix policies have been enabled with default
settings in many cases in order to clearly identify the policies applied, and to avoid confusion should
default settings change over time.
The baseline policy configuration also includes Windows policies. Windows policies reflect user
specific settings that optimize the user experience and remove features that are not required or
desired in a XenDesktop or XenApp environment. For example, one common feature turned off
in these environments is Windows Update. In virtualized environments, particularly where desktops
and XenApp servers may be streamed and non-persistent, Windows Update creates processing and
network overhead, and changes made by the update process will not persist across a restart of the
virtual desktop or application server. Also in many cases, organizations use Windows Software Update
Service (WSUS) to control Windows updates. In these cases, updates are applied to the master disk
and made available by the IT department on a scheduled basis. Additional configuration
considerations for virtual desktops and XenApp servers can be found in the Windows 7 and
Windows 2008 R2 optimization guides in the XenDesktop Design Handbook.
In addition to the above considerations, an organization's final baseline policy may include settings
specifically created to address security requirements, common network conditions, or to manage
user device or user profile requirements. These areas need to be addressed both in the default
baseline policy configuration, as well as in any additional policy sets created to address exceptions or
additional needs.
Security Policies
Security policies address policy decisions made to enforce corporate security requirements on the
XenDesktop or XenApp environments. Requirements pertaining to data security and access can be
controlled by the correct application of security policy. Users can be allowed to read and write to
local or removable media, connect USB devices such as storage devices, smart phones, or TWAIN
compliant devices, or cut and paste from the local system based on security requirements.
Organizations can also enforce encryption and authentication requirements through security related
Citrix policies. While security is a continuum, high and low security policy guidance has been
provided in this whitepaper. Architects should consider the most appropriate level of security and
add the policy settings to the baseline policy set, and then address security exceptions through
additional policy sets.
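The baseline-plus-exception structure described here and under Planning a Baseline Policy, as an added example that is not part of the Citrix white paper: a small Python model that selects the Citrix policies whose filters match a session and applies them from priority 99 up to priority 1. Policy names, groups and addresses are constructed; the rule that every configured filter must match and the CIDR form of the Client IP Address filter are assumptions of the model, not the console's own behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_groups: frozenset
    client_ip: str
    via_access_gateway: bool


@dataclass
class CitrixPolicy:
    name: str
    priority: int                         # 1 is the highest priority
    settings: dict
    groups: frozenset = frozenset()       # "User or Group" filter
    client_networks: tuple = ()           # "Client IP Address" filter (CIDR)
    via_access_gateway: Optional[bool] = None   # "Access Control" filter


def applies(policy, session):
    """A policy with no filters applies to every session."""
    if policy.groups and not (policy.groups & session.user_groups):
        return False
    if policy.client_networks:
        addr = ipaddress.ip_address(session.client_ip)
        # Network membership, not text prefix: 10.10.4.7 is outside 10.1.0.0/16.
        if not any(addr in ipaddress.ip_network(n) for n in policy.client_networks):
            return False
    if (policy.via_access_gateway is not None
            and policy.via_access_gateway != session.via_access_gateway):
        return False
    return True


def resultant_citrix_settings(policies, session):
    """Return (settings, origin); the lowest priority number wins conflicts."""
    numbers = [p.priority for p in policies]
    if len(set(numbers)) != len(numbers):
        raise ValueError("policy priorities must be unique")
    settings, origin = {}, {}
    # Apply the weakest policy (largest number) first so priority 1 writes last.
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if applies(policy, session):
            for key, value in policy.settings.items():
                settings[key], origin[key] = value, policy.name
    return settings, origin


# Constructed policy set: unfiltered baseline plus filtered exceptions.
HIGH_SECURITY = {"Client clipboard redirection": "Prohibit",
                 "Client USB device redirection": "Disable",
                 "Client removable drives": "Prohibit"}
BASELINE = CitrixPolicy("Baseline", 99, {
    "Client clipboard redirection": "Allow",
    "Client USB device redirection": "Enable",
    "Client removable drives": "Allow",
    "Audio quality": "Medium"})
POLICIES = [
    BASELINE,
    CitrixPolicy("Citrix-Admins", 3, {"Client clipboard redirection": "Allow"},
                 groups=frozenset({"Citrix Admins"})),
    CitrixPolicy("Branch-Office", 2, {"Audio quality": "Low"},
                 client_networks=("10.1.0.0/16",)),
    CitrixPolicy("External-HighSecurity", 1, HIGH_SECURITY,
                 via_access_gateway=True),
]
# Failure case: the exception is numbered below the baseline, so it never wins.
MISORDERED = [BASELINE,
              CitrixPolicy("External-HighSecurity", 100, HIGH_SECURITY,
                           via_access_gateway=True)]

# Constructed sessions.
USERS = frozenset({"Domain Users"})
EXTERNAL = Session(USERS, "203.0.113.40", True)
BRANCH_USER = Session(USERS, "10.1.20.5", False)
NEIGHBOUR = Session(USERS, "10.10.4.7", False)
ADMIN_EXTERNAL = Session(frozenset({"Citrix Admins"}), "203.0.113.40", True)

if __name__ == "__main__":
    for label, session in [("external", EXTERNAL), ("branch", BRANCH_USER),
                           ("admin external", ADMIN_EXTERNAL)]:
        result, source = resultant_citrix_settings(POLICIES, session)
        key = "Client clipboard redirection"
        print(f"{label}: {key} = {result[key]} (from {source[key]})")
```

With `MISORDERED`, a session through the gateway keeps the baseline's Allow values, which is why the security exception needs a priority number lower than the baseline's 99.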
Connection based policy configuration
Connection based policy considerations are used to develop a policy solution that creates the best
user experience based on the network environment through which end-users access the network
infrastructure. Latency and bandwidth available will determine how to best provide access to audio
and video over the HDX connection, providing the best quality experience based on the available
resources. Image quality and compression, audio quality and video frame rates can be adjusted
based on the connection quality to utilize the bandwidth and network performance appropriately.
Multi-stream ICA features can be utilized in concert with network Quality of Service (QoS) to
provide an optimized experience for multimedia, input and display and printing requirements. This
whitepaper outlines options for WAN/High Latency connections and LAN/Low Latency
connections. In addition to the settings outlined, there are Citrix policy settings available to limit the
bandwidth consumption for Citrix sessions generally, or specifically for audio, clipboard, COM and
LPT ports, local drive, or printer access. These policies can be configured based on specific
bandwidth consumption, or a percentage of available bandwidth. These settings are very specific to
the network constraints of a given environment, and thus have not been included in the policy
baselines presented in this guide. Architects should consider the requirements of their specific
network environment in determining whether to apply these settings, and the specific
configurations. As with security policies, architects should consider the appropriate base network
configuration and add the settings to the initial baseline configuration. Additional network
requirements can be dealt with by creating additional higher level policies to override baseline
configurations.
Windows 7 optimization guide: http://support.citrix.com/article/CTX127050/
Windows 2008 R2 optimization guide: http://support.citrix.com/article/CTX131577/
XenDesktop Design Handbook: http://community.citrix.com/kits/#/kit/1067009
Device based policy configuration
Device based policy configuration deals with the management of specific device requirements such
as tablets and smart phones within an organization. Citrix has created a set of policies to optimize
the experience of tablets and smart phones when connecting to XenApp environments, allowing
these devices to use location services and to customize the user interface where appropriate.
Multimedia specific features, such as Windows Media and Flash redirection will automatically drop
back from client side redirection to server side rendering of media content if the device does not
support it; therefore no specific configuration is required to address these features with tablets, or
with other devices such as thin clients that may not support these features.
Another consideration for device based policy configuration revolves around the security
requirements for bring your own (BYO) devices. These elements, such as the need to allow or
prohibit local access to hard drives or removable devices, should be addressed through security
policy settings.
User Profile Considerations
User profiles play a critical role in determining how successful the user experience is within a virtual
desktop or virtual application scenario. User profile management can be a key player in mitigating
the risks of lengthy logon times or lost settings, providing a consistent user experience across
multiple devices, and providing users with their specific data and settings in a virtualized
environment. With Citrix Profile Management (UPM), policies control two important aspects of
user profiles: folder redirection, handled through AD group policy, and UPM settings through Citrix
policy.
As stated in the Citrix blog "Citrix Profile Management and VDI – Doing it Right", there is more to
configuring UPM than simply turning the features on via Citrix policy. Architects must consider the
correct folder redirection configuration for their environment, as well as configuring Citrix policy
settings for folder exclusions from the UPM environment. Settings for profile streaming and active
write back must also be carefully considered based on the size of the profile and whether the virtual
desktops or application servers are persistent or non-persistent respectively. The base configuration
for profile management is presented in the planning section of this guide. Profile management
policies should be included in the baseline policy if they are to be applied across all users in an
organization.
Citrix Profile Management and VDI – Doing it Right: http://blogs.citrix.com/2012/02/11/citrix-profile-management-and-vdi-%E2%80%93-doing-it-right
Planning
The planning section outlines the initial policy configurations recommended by Citrix Consulting for various scenarios, including baseline configuration, network related policies, security related policies, mobile device and profile policy considerations. Each policy configuration may contain the following policy settings:
Policy Settings
Enabled - Enables the setting. Where applicable, specific settings are detailed.
Disabled - Disables the setting. Note: Disabling the policy overrides lower priority policies settings.
Allow - Allows the action controlled by the setting. Where applicable, specific settings are detailed.
Prohibit - Prohibits the action controlled by the setting. Note: Prohibiting a feature or functionality overrides lower priority policies settings.
Not Configured - Unless specifically set, un-configured policies use default settings.
Note: The policy settings specified generally apply to XenApp 6.5 and XenDesktop 5.6 with Feature Pack 1 installed. If a previous version
is used, please review the Appendix of this whitepaper for applicability of settings to XenApp 6 and XenDesktop 5 or 5.5.
Citrix User Policy Settings
Columns: User Policy Setting, XA, XD, Baseline, Low Security, High Security, LAN Speed, WAN Speed, Tablet Profile
ICA
Client clipboard redirection X X Allow Prohibit
Desktop launches X Disable
Launching of non-published programs during client connection X Disable
ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration X X Enabled
Flash default behavior X X Enable Flash Redirection
Flash event logging X X Enabled
Flash intelligent fallback X X Enabled
Flash latency threshold X X 30 milliseconds
ICA\Adobe Flash Delivery\Legacy Server Side Optimization
Flash quality adjustment X Allow
ICA\Audio
Audio over UDP Real-time Transport X Enabled Enabled
Audio Plug N Play X Allow
Audio quality X X Medium
Client audio redirection X X Allow
Client microphone redirection X X Prohibit
ICA\ Client Sensors\ Location
Allow applications to use the physical location of the client device X Enable if secure connection
ICA\Desktop UI
Aero Redirection X Allow Prohibit
Aero Redirection Graphics Quality X High Disable
Desktop wallpaper X X Enable Disable
Menu animation X X Allow Prohibit
View window contents while dragging X X Allow Prohibit
ICA\File Redirection
Auto connect client drives X X Allow Prohibit
Client fixed drives X X Enable Disable
Client floppy drives X X Prohibit
Client network drives X X Allow Prohibit
Client optical drives X X Prohibit
Client removable drives X X Allow Prohibit
Host to client redirection X Disable
Preserve client drive letters X Disable
Read-only client drive access X X Disable
Use asynchronous writes X X Disable
ICA\ Mobile Experience X X
Automatic Keyboard Display X Enable
Launch touch-optimized desktop X Enable
Remote the combo box X Enable
ICA\ Multi Stream Connections
Multi-Stream X X Enable with QoS; Enable with QoS
ICA\Port Redirection
Auto connect client COM ports X X Disable
Auto connect client LPT ports X X Disable
Client COM port redirection X X Disable
Client LPT port redirection X X Disable
ICA\Printing
Client printer redirection X X Allow Prohibit
Default printer X X Set to client's main printer
Direct connections to print servers X X Enable Disable
Printer auto creation log preference X X Errors
Wait for printers to be created (desktop) X X Disabled
ICA\Printing\Client Printers
Auto-create client printers X X Default printer only
Auto-generate generic universal driver X X Disabled
Client printer names X X Standard names
Printer properties retention X X Retained in profile only
Retained and restored client printers X X Allowed
ICA\Printing\Drivers
Automatic installation of in-box printer drivers X X Disabled
Universal driver usage X X Use Universal Printing only if requested driver is unavailable
ICA\Printing\Universal Printing
Universal printing EMF processing mode X X Spool to printer
Universal printing image compression limit X X Best Quality
Universal printing optimization defaults X X Standard Quality, Caching of embedded images, Caching of embedded fonts
Universal printing preview preference X X Use for auto-generated and generic
ICA\SecureICA
SecureICA minimum encryption level X RC5 128 bit Logon only; RC5 128 bit
ICA\Session Limits
Disconnected session timer X Disabled Enabled
Disconnected session timer interval X 30 Minutes
Linger Disconnect Timer Interval X 5 Minutes
Linger Terminate Timer Interval X 10 Minutes
Pre-Launch Disconnect Timer Interval X 15 Minutes
Pre-Launch Terminate Timer Interval X 30 Minutes
Session connection timer X Disabled
Session idle timer X Disabled Enabled
Session idle timer interval X 2 hours
ICA\Shadowing
Input from shadow connections X Allow Prohibit
Log shadow attempts X Allow
Notify user of pending shadow connections X Allow
Users who can shadow other users X Defined by security
ICA\Time Zone Control
Estimate local time for legacy clients X Enable
Use local time of client X X Use Client time zone
ICA\TWAIN devices
Client TWAIN device redirection X X Allow Prohibit
TWAIN compression level X X Low High
ICA\USB devices
Client USB device redirection X X Enable Disable
Client USB device redirection rules X X Allow Prohibit
Client USB Plug and Play device redirection X Allow Prohibit
ICA\Virtual Desktop Agent Settings\ICA Latency Monitoring
Enable Monitoring X Disabled
ICA\Virtual Desktop Agent Settings\Profile Load Time Monitoring
Enable Monitoring X Disabled
ICA\Visual Display
Max Frames per Second X X 30 15
ICA\Visual Display\Moving Images
Moving Image Compression X X Enabled
Minimum Image Quality X Very
High
Low
Target Minimum Frame Rate X 10 10
ICA\Visual Display\Still Images
Extra Color Compression X X Disabled Enabled
Extra Color Compression Threshold X X 8192
kbps
8192
kbps
Lossy compression level X X Low High
Lossy compression level threshold value X X Unlimited Unlimited
Profile Management
Enable Profile Management X X Enabled
Process Groups X X Configure groups
Path to User Store X X UNC Path
Active Write Back X X Enabled (Persistent desktops)
Process logons of local administrators X X Enabled
Profile Management\ Advanced Settings
Delete Redirected Folders X X Enabled
Directory of MFT Cache Files X X Local or persistent location
Process Internet cookie files on logoff X X Enabled
Profile Management\ File System
Exclusion list - directories X X Exclude redirected folders
Profile Management\ File System\ Synchronization
Directories to Synchronize X X Exclude directories
Files to Synchronize X X Selected files
Folders to Mirror X X Selected folders
Profile Management\ Profile handling
Local profile conflict handling X X Delete local profile
Migration of existing profiles X X None
Profile Management\ Profile Streamed user profiles
Profile Streaming X X Enable if large profile
Server Session Settings
Session importance X Normal
Single Sign-on X X Disabled
List of excluded files for Profile Management
AppData\Local
AppData\LocalLow
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Microsoft\Windows\Start Menu
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
Application Data
Citrix
Contacts
Desktop
Documents
Favorites
Java
Links
Local Settings
Music
My Documents
My Pictures
My Videos
Pictures
UserData
Videos
AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\Flash Player\#SharedObject
AppData\Roaming
Downloads
Saved Games
Searches
Synchronized Directories
AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect
AppData\Roaming\Microsoft\SystemCertificates
AppData\Local\Microsoft\Credential
Synchronized Files
Example Synchronized Files for Microsoft Outlook and Google Earth
AppData\Local\Microsoft\Office\*.qat
AppData\Local\Microsoft\Office\*.officeUI
AppData\LocalLow\Google\GoogleEarth\*.kml
Mirrored Folders
AppData\Roaming\Microsoft\Windows\Cookies
Citrix Computer Policy Settings
Computer Policy Setting XA XD Baseline LowSecurity HighSecurity LANSpeed WANSpeed Tablet Profile
ICA
ICA listener connection timeout X X 120000 ms
ICA listener port number X X 1494
ICA\ Auto Client Reconnect
Auto client reconnect X X Allow
Auto client reconnect authentication X Not required Require
Auto client reconnect logging X X Disabled
ICA\ End User Monitoring
ICA round trip calculation X X Enable
ICA round trip calculations for idle connections X X Disable
ICA\ Graphics
Display memory limit X X 32768 KB
Display mode degrade preference X X Degrade Color Depth First
Dynamic Windows preview X X Enabled
Image caching X X Enabled
Maximum allowed color depth X 32 bit
Notify user when display mode is degraded X X Disabled
Queuing and tossing X X Enabled
ICA\Graphics\Caching
Persistent Cache Threshold X X 3000000 Kbps
ICA\ Keep Alive
ICA keep alive timeout X X 60 seconds
ICA keep alives X X Enabled
ICA\ Multimedia
Windows Media Redirection X X Allowed
Windows Media Redirection Buffer Size X X 10 seconds
Windows Media Redirection Buffer Size Use X X Enabled
ICA\ Multistream Connections
Multistream X X Enabled (QoS) Enabled (QoS)
ICA\ Session Reliability
Session reliability connections X X Prevent
ICA\ Virtual Desktop Agent Settings\ CPU Usage Monitoring
Enable Monitoring X Disabled
ICA\ Shadowing
Shadowing X Allow
Licensing
License server host name X License Server Name
License server port X 27000
Microsoft Windows Policy
User Policy
Policy Path | Setting | Description | Applies to
Control Panel\ Prohibit Access to the Control Panel | Enable | Disables all control panel programs | XenApp, XenDesktop
Control Panel\ Personalization\ Enable screen saver | Enable | Enables the use of a Screen Saver | XenApp, XenDesktop
Control Panel\ Personalization\ Force specific screen saver | Enable scrnsave.scr | Forces the use of the blank screen saver in Windows | XenApp, XenDesktop
Control Panel\ Personalization\ Password protect the screen saver | Enabled | Forces password protection on the screen saver | XenApp, XenDesktop
Control Panel\ Personalization\ Screen saver timeout | Enabled X Minutes (default 15) | Sets the amount of time in minutes that elapse before the screen saver is activated | XenApp (Published Desktop), XenDesktop
Desktop\ Don't save settings on exit | Enabled | Prevents users from changing some desktop configurations such as the size of the taskbar or the position of open windows on exit. | XenApp
Desktop\ Hide Network Locations icon on desktop | Enabled | Removes the Network Locations icon from the desktop. | XenApp
Desktop\ Prohibit user from manually redirecting Profile Folders | Enabled | Prevents users from manually changing the path to their profile folders. | XenApp, XenDesktop
Desktop\ Remove Recycle Bin icon from desktop | Enabled | Removes most occurrences of the Recycle Bin icon. | XenApp, XenDesktop
Start Menu and Taskbar\ Change Start Menu power button | Enabled Log Off | Set Start Menu power button functionality to Log Off user. | XenApp, XenDesktop
Start Menu and Taskbar\ Prevent changes to Taskbar and Start Menu settings | Enabled | Removes the Taskbar and Start Menu settings from Settings on the Start Menu. | XenApp
Start Menu and Taskbar\ Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands | Enabled | Prevents user from performing these commands from the Start Menu or the Windows Security screen. | XenApp
Start Menu and Taskbar\ Remove links and access to Windows Update | Enabled | Prevents users from connecting to the Windows Update website. | XenApp, XenDesktop
Start Menu and Taskbar\ Remove network icon from the Start Menu | Enabled | Removes the network icon from the Start Menu | XenApp, XenDesktop
Start Menu and Taskbar\ Remove Run menu from the Start Menu | Enabled | Removes the Run command from the Start Menu, Internet Explorer, and Task Manager | XenApp
System\ Prevent access to registry editing tools | Enabled | Disables the Windows Registry Editor | XenApp, XenDesktop
System\ Prevent access to the Command Prompt | Enabled | Prevents users from running the interactive command prompt cmd.exe | XenApp
System\ Ctrl+Alt+Del Options\ Remove Task Manager | Enabled | Prevents users from starting Task Manager | XenApp
System\ Folder Redirection\ Do not automatically make redirected folders available offline | Enabled | Prohibits redirected shell folders Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu and AppData\Roaming from being available offline | XenApp, XenDesktop
System\ User Profiles\ Exclude Directories in Roaming Profile | Citrix, Contacts, Desktop, Downloads, Favorites, Links, Documents, Pictures, Videos, Music, Saved Games, Searches | Excludes the specified directories from the Roaming Profile | XenApp, XenDesktop
Windows Components\ Windows Update\ Remove access to use all Windows Update features | Enabled | Removes all Windows Update functions | XenApp, XenDesktop
Windows Explorer\ Do not move deleted files to the Recycle Bin | Enabled | Prohibits deleted files from being placed in the Recycle Bin. All files are permanently deleted. | XenApp, XenDesktop
Windows Explorer\ Hide these specified drives in My Computer | Enabled Local hard drives | Hides local hard drives from My Computer | XenApp
Windows Explorer\ Prevent access to drives from My Computer | Enabled Local hard drives | Prevents access to local hard drives from My Computer | XenApp
Machine Policy
Policy Path | Setting | Description | Applies to
Internet Communication settings\ Turn off Windows Customer Improvement Program | Enabled | Turns off the Windows Customer Improvement Program for all users | XenApp, XenDesktop
System\ Group Policy\ User Group Policy loopback processing mode | Merge or Replace | Applies alternate user settings when a user logs on to a computer affected by this setting | XenApp, XenDesktop
System\ Power Management\ Select an active power plan | High Performance | Specifies a power plan from a list of available plans. | XenApp, XenDesktop
System\ System Restore\ Turn off System Restore | Enabled | Turns off Windows System Restore features | XenApp, XenDesktop
System\ User Profiles\ Do not check for user ownership of Roaming Profile folders | Enabled | Disables security check for roaming profile folders | XenApp, XenDesktop
Windows Components\ AutoPlay Policies\ Turn off AutoPlay | Enabled | Turns off AutoPlay for removable devices. | XenApp
Windows Components\ Internet Explorer\ Turn off reopen last browsing session | Enabled | Disables ability to reopen the user's last browsing session | XenApp
Windows Components\ Remote Desktop Services\ RD Licensing\ License server security group | XenApp server security groups | Specifies the servers to which RDS will provide licenses | XenApp
Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing\ Set the Remote Desktop licensing mode | Per User or Per Device | Specifies the licensing mode used by Remote Desktop Server | XenApp
Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing\ Use the specified Remote Desktop license servers | Specified servers | Specifies the preferred license servers for Remote Desktop Services | XenApp
Windows Components\ Windows Update\ Configure Automatic Updates | Disabled | Specifies whether the computer system will receive automatic updates through the Windows Update process. | XenApp, XenDesktop
Folder Redirection Policy
User Policy\Windows Settings\Security Settings\Folder Redirection
Folder | Setting | Options
AppData (Roaming) | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Contacts | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Desktop | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Documents | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Disabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Downloads | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Favorites | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Links | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Music | Follow the Documents Folder
Pictures | Follow the Documents Folder
Saved Games | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Searches | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Start Menu | Basic | Grant User Exclusive Rights: Disabled; Move Contents to new location: Enabled; Apply Policy to Windows 2000, Windows XP, Windows 2003: Disabled; Policy Removal Behavior: Leave Contents
Videos | Follow the Documents Folder
Conclusion
Creating policies for XenDesktop and XenApp configurations involves a combination of Citrix and Microsoft Active Directory group policy settings. Correctly configuring a baseline policy configuration and keeping policy exceptions to a minimum allows organizations to create an environment that meets user experience and security requirements, while providing a policy structure that is easy to review and diagnose. This planning guide has provided a suggested set of policies as a starting point for a XenDesktop or XenApp configuration. It can be used as a basis for architects to customize an initial policy configuration for an organization.
Appendix: Policy Quick Reference
The following table provides a description for all Citrix policy settings contained in this document. For complete and up-to-date policy settings, consult the policy settings references sections for the various technologies in Citrix eDocs (http://support.citrix.com/proddocs).
User Policy
Policy Group\ Policy | Description | Applies to
ICA
Client clipboard redirection | Allow or prevent the clipboard on the client device to be mapped to the clipboard on the server. | XA 6, XD 5
Desktop launches | When allowed, non-administrative users can connect. | XA 6 RDS only
Launching of non-published programs during client connection | Specifies whether to launch initial applications or published applications on the server. | XA 6
ICA\Adobe Flash Delivery\Flash Redirection
Flash acceleration | Enables or disables, in Legacy mode only, Flash content rendering on client devices instead of the server. | XA 6, XD 5
Flash backwards compatibility | Enabling Flash backwards compatibility allows earlier versions of Citrix Receiver to work with legacy Flash Redirection features | XA 6.5, XD 5.5
Flash default behavior | Establishes the default behavior of second generation Flash acceleration. | XA 6.5, XD 5.5
Flash event logging | Allows Flash events to be recorded in the Windows application event log. | XA 6, XD 5
Flash intelligent fallback | If enabled, the system attempts to automatically revert to server-side rendering for Flash Player instances for which client-side rendering is unnecessary or would provide a poor experience | XA 6.5, XD 5.5
Flash latency threshold | Maximum latency threshold for Flash redirection. Only applies to Legacy mode features. Flash backwards compatibility must be enabled. | XA 6, XD 5
ICA\Adobe Flash Delivery\Legacy Server Side Optimizations
Flash quality adjustment | Adjusts quality of Flash content rendered on session hosts to improve performance. | XA 6
ICA\ Audio
Audio over UDP Real-time Transport | Allows transmission of audio between host and client over Real-time Transport Protocol (RTP) using the user datagram protocol (UDP). | XD 5.5
Audio Plug N Play | Allows the use of multiple audio devices. | XA 6
Audio quality | Specify the sound quality as low, medium, or high. Select "Medium - optimized for speech" for delivering Voice over IP applications. Audio sent to the client is compressed up to 64Kbps. | XA 6, XD 5
Client audio redirection | Allows or prevents applications hosted on the server to play sounds through a sound device installed on the client computer. Also allows or prevents users to record audio input. | XA 6, XD 5
Client microphone redirection | Enables or disables client microphone redirection. | XA 6, XD 5
ICA\ Client Sensors\ Location
Allow applications to use the physical locations of the client device | Enables or disables the ability for applications to use the physical location of the client device. | XA 6.5 FP1
ICA\ Desktop UI
Aero Redirection | Allow the redirection of Aero commands from VDA to client to enrich user experience. | XD 5.5
Aero Redirection Graphics Quality | Determine the quality of graphics for Aero Redirection. | XD 5.5
Desktop wallpaper | Enables or disables the desktop wallpaper in user sessions. | XA 6, XD 5
Menu animation | Allows or prevents menu animation. | XA 6, XD 5
View window contents while dragging | Controls the display of window content when dragging a window across the screen. | XA 6, XD 5
ICA\ File Redirection
Auto connect client drives | Allows or prevents automatic connection of client drives when users log on. | XA 6, XD 5
Client drive redirection | Enables or disables file (drive) redirection to and from the client. | XA 6, XD 5
Client floppy drives | Allows or prevents users from accessing or saving files to floppy drives on the client device. | XA 6, XD 5
Client fixed drives | Allows or prevents users from accessing or saving files to fixed drives on the user device. | XA 6, XD 5
Client network drives | Allows or prevents users from accessing and saving files to client network (remote) drives. | XA 6, XD 5
Client optical drives | Allows or prevents users from accessing or saving files to CD-ROM, DVD-ROM, and BD-ROM drives on the client device. | XA 6, XD 5
Client removable drives | Allows or prevents users from accessing or saving files to removable drives on the user device. | XA 6, XD 5
Host to client redirection | Enables or disables file type associations for URLs and some media content to be opened on the client device. | XA 6
Preserve client drive letters | Enables or disables preservation of client drive letters. | XD 5
Read-only client drive access | When enabled, files/folders on mapped client drives can only be accessed in read-only mode. When disabled, files/folders on mapped client drives can be accessed in regular read/write mode. | XA 6.5, XD 5.5
SecureICA minimum encryption level | Specifies the minimum level at which to encrypt session data sent between the server and a client device. | XA 6
Use asynchronous writes | Enables or disables asynchronous disk writes. | XA 6, XD 5
ICA\ Mobile Experience
Automatic Keyboard Display | Enables or disables the automatic display of the soft keyboard on mobile devices. | XA 6.5 FP1, XD 5.6 FP1
Launch touch-optimized desktop | Enables or disables the launching of a touch-optimized desktop for mobile clients. | XA 6.5 FP1, XD 5.6 FP1
Remote the combo box | Enables or disables the remoting of the combo box on mobile devices. | XA 6.5 FP1, XD 5.6 FP1
ICA\ Multi Stream Connections
Multi-Stream | Enables or disables the Multi-Stream feature for specified users. | XA 6.5, XD 5.5
ICA\ Port Redirection
Auto connect client COM ports | When enabled, COM ports from the client are automatically connected. | XA 6, XD 5
Auto connect client LPT ports | When enabled, LPT ports from the client are automatically connected. | XA 6, XD 5
Client COM port redirection | When enabled, COM port redirection to and from the client is allowed. | XA 6, XD 5
Client LPT port redirection | When enabled, LPT port redirection to the client is allowed. | XA 6, XD 5
ICA\ Printing
Client printer redirection | Allows or prevents client printers to be mapped to a server when a user logs on to a session. | XA 6, XD 5
Default printer | Specifies how the client's default printer is established in an ICA session. | XA 6, XD 5
Printer auto-creation event log preference | Specifies which events are logged during the printer auto-creation process. You can choose to log no errors or warnings, only errors, or errors and warnings. | XA 6, XD 5
Wait for printers to be created (desktop) | Allows or prevents a delay in connecting to a session so that desktop printers can be auto-created. | XA 6, XD 5
ICA\ Printing \ Client Printers
Auto-create client printers | Specifies which client printers are auto-created. | XA 6, XD 5
Auto-create generic universal printer | Enables or disables auto-creation of the Citrix UNIVERSAL Printer generic printing object for sessions with a UPD capable client. | XA 6, XD 5
Client printer names | Selects the naming convention for auto-created client printers. | XA 6, XD 5
Direct connections to print servers | Enables or disables direct connections from the host to a print server for client printers hosted on an accessible network share. | XA 6, XD 5
Printer properties retention | Specifies whether and where to store printer properties. | XA 6, XD 5
Retained and restored client printers | Enables or disables the retention and re-creation of client printers. | XA 6, XD 5
ICA\ Printing \ Drivers
Automatic installation of in-box printer drivers | Enables or disables the automatic installation of printer drivers from the Windows in-box driver set or from driver packages which have been staged onto the host using "pnputil.exe /a". | XA 6, XD 5
Universal driver usage | Specifies when to use universal printing. Universal printing employs generic printer drivers instead of standard model-specific drivers potentially simplifying burden of driver management on host machines. | XA 6, XD 5
ICA\ Printing \ Universal Printing
Universal printing EMF processing mode | Controls the method of processing the EMF spool file on the Windows client machine. | XA 6, XD 5
Universal printing image compression limit | Defines the maximum quality and the minimum compression level available for images printed with the Universal Printer driver. | XA 6, XD 5
Universal printing optimization defaults | Specifies the default settings for the Universal Printer when it is created for a session. | XA 6, XD 5
Universal printing preview preference | Specifies whether to use the print preview function for auto-created or generic universal printers. | XA 6, XD 5
ICA\ Security
SecureICA minimum encryption level | Specifies the minimum level at which to encrypt session data sent between the server and a client device. | XA 6
ICA\ Session Limits
Disconnected session timer | Enables or disables a timer to determine how long a disconnected, locked workstation can remain locked before the session is logged off. | XD 5
Disconnected session timer interval | Determines how long, in minutes, a disconnected, locked workstation can remain locked before the session is logged off. | XD 5
Linger Disconnect Timer Interval | Disconnects an existing session the specified number of minutes after the last application exits. | XA 6.5
Linger Terminate Timer Interval | Terminates an existing session the specified number of minutes after the last application exits. | XA 6.5
Pre-launch Disconnect Timer Interval | Disconnects an existing Pre-launch session after the specified number of minutes. | XA 6.5
Pre-launch Terminate Timer Interval | Terminates an existing Pre-launch session after the specified number of minutes. | XA 6.5
Session connection timer | Enables or disables a timer to determine the maximum duration of an uninterrupted connection between a user device and a workstation. | XD 5
Session idle timer | Enables or disables a timer to determine how long an uninterrupted user device connection to a workstation will be maintained if there is no input from the user. | XD 5
Session idle timer interval | Determines, in minutes, how long an uninterrupted user device connection to a workstation will be maintained if there is no input from the user. | XD 5
ICA\ Shadowing
Input from shadow connections | Allows or prevents shadowing users to take control of the keyboard and mouse of the user being shadowed during a shadowing session. | XA 6
Log shadow attempts | Allows or prevents recording of attempted shadowing sessions in the Windows event log. | XA 6
Notify user of pending shadow connections | Allows or prevents shadowed users to receive notification of shadowing requests from other users. | XA 6
Users who can shadow other users | Specifies the users who can shadow other users. | XA 6
ICA\ Time Zone Control
Estimate local time for legacy clients | Enables or disables estimating the local time zone of client devices that send inaccurate time zone information to the server. | XA 6
Use local time of client | Determines the time zone setting of the user session. | XA 6, XD 5
ICA\ TWAIN devices
Client TWAIN device redirection | Allows or prevents users to access TWAIN devices, such as digital cameras or scanners, on the client device from published image processing applications. | XA 6, XD 5.5
TWAIN compression level | Specifies the level of compression of image transfers from client to server. | XA 6, XD 5.5
ICA\ USB devices
Client USB device redirection | Enables or disables redirection of USB devices to and from the client (workstation hosts only). | XA 6 VM Hosted Apps, XD 5
Client USB device redirection rules | Lists redirection rules for USB devices. | XA 6 VM Hosted Apps, XD 5
Client USB Plug and Play device redirection | Allows or prevents plug-n-play devices such as cameras or point-of-sale (POS) devices to be used in a client session. | XA 6 Terminal Server
ICA \ Visual Display
Max Frames per Second | Sets the maximum number of frames per second that the virtual desktop will send to the client. | XA 6, XD 5
ICA \ Visual Display \ Moving Images
Minimum Image Quality | Adaptive Display JPEG Quality Floor. | XD 5.5
Moving Image Compression | Enables Adaptive Display. | XA 6.5 (with hotfix XA650W2K8R2X64011), XD 5.5
Target Minimum Frame Rate | The system will try its best to maintain this many frames per second when bandwidth is low. | XD 5.5
ICA \ Visual Display \ Still Images
Extra Color Compression | Extra color compression improves responsiveness over low bandwidth connections at the expense of image quality. | XA 6.5, XD 5
Extra Color Compression Threshold | Threshold at which Extra Color Compression is applied. | XA 6.5, XD 5
Lossy compression level | Degree of lossy compression used on images. | XA 6, XD 5
Lossy compression threshold value | The maximum bandwidth in kilobits per second for a connection to which lossy compression is applied. | XA 6, XD 5
Server Session Settings
Session importance | Specifies the importance level at which a session is run. | XA 6
Single Sign-On | Enables or disables the use of Single Sign-On when users connect to servers or published applications in a XenApp farm. | XA 6.5, XD 5.5
ICA\ Virtual Desktop Agent Settings\ ICA Latency Monitoring
Enable Monitoring | Enable or disable ICA Latency monitoring. | XD 5.5
Monitoring Period | Period of time, in seconds, during which the moving average for ICA Latency is calculated. | XD 5.5
Threshold | Threshold, in milliseconds, that triggers a High Latency condition, displayed in Desktop Studio and Desktop Director. | XD 5.5
ICA\ Virtual Desktop Agent Settings\ Profile Load Time Monitoring
Enable Monitoring | Enable or disable Profile load time monitoring. | XD 5.5
Threshold | Threshold, in seconds, that triggers a High Profile Load Time condition, displayed in Desktop Studio and Desktop Director. | XD 5.5
Computer PolicyPolicy Group\ Policy Description Applies to
ICA
ICA listener connection timeout Maximum wait time for a connection using the ICA protocol to be completed. XA 6 (VM Hosted Apps),
XD 5
ICA listener port number The TCP/IP port number used by the ICA protocol on the server. XA 6 (VM Hosted Apps),
XD 5
ICA\ Auto Client Reconnect
Auto client reconnect Allows or prevents automatic reconnection by the same client after a connection has been
interrupted.
XA 6, XD 5
Auto client reconnect authenti cation Requires authentication for automatic client reconnections. XD 5
Auto client reconnect logging Records or prevents recording auto client reconnections in the event log. XA 6, XD 5
ICA\ End User MonitoringICA round trip calculation Enables or disables the calculation of ICA round trip measurements. XA 6, XD 5
ICA round trip calculations for idle
connections
Determines whether ICA round trip calculations are performed for idle connections. XA 6, XD 5
ICA\ Graphics
Display memory limit Specifies the maximum video buffer size in kilobytes for the session. XA 6, XD 5
Display mode degrade preference Degrades either color depth or resolution first when the session display memory limit is
reached.
XA 6, XD 5
Dynamic Windows preview Dynamic Windows preview enables the state of seamless windows to be seen on the various
windows previews (Flip, Flip 3D, Taskbar Preview, and Peek).
XA 6.5, XD 5.5
Image caching Cache image to make scrolling smoother XA 6, XD 5
Maximum allowed color depth Specifies the maximum color depth allowed for a session. XA 6
Notify user when display mode is Displays a popup with an explanation to the user when the color depth or resolution is XA 6, XD 5
-
8/10/2019 XenApp and XenDesktop Policy Planning Guide
28/30
Worldwide Consulting Solutions | WHITE PAPER | Citrix Policy
26
Computer PolicyPolicy Group\ Policy Description Applies to
degraded degraded.
Queuing and tossing Discards queued images that are replaced by another image. XA 6, XD 5
ICA\Graphics\Caching
Persistent Cache Threshold Caches bitmaps on the client disk. XA 6, XD 5
ICA\ Keep Alive
ICA keep alive timeout Seconds between successive ICA keep-alive messages. XA 6, XD 5
ICA keep alives Sends or prevents sending ICA keep-alive messages periodically. XA 6, XD 5
ICA\ Multimedia
Windows Media Redirection Controls and optimizes the way XenApp servers deliver streaming audio and video to users. XA 6, XD 5Windows Media Redirection Buffer Size Specify a buffer size from 1 to 10 seconds for Windows Media Redirection. XA 6, XD 5
Windows Media Redirection Buffer Size
Use
If this setting is enabled, the system will use the buffer size specified in the "Windows Media
Redirection Buffer Size" setting.
XA 6, XD 5
ICA\ Multi Stream Connections
Multi-Stream Enables or disables the Multi-Stream feature on the server. By default, Multi-Stream is disabled.
This policy need not be enabled when using branch repeater that supports Multi- Stream.
Enable this policy when using 3rd party routers or legacy branch repeaters to achieve desired
QoS. Restart the server for the changes to take effect.
XA 6.5, XD 5.5
ICA\ Session Reliability
Session reliability connections Allow or prevent session reliability connections. XA 6, XD 5
ICA\ Virtual Desktop Agent Settings\ CPU Usage Monitoring
Enable Monitoring Enable or disable CPU usage monitoring. XD 5.5
Monitoring Period Period of time, in seconds, during which the moving average for CPU usage is calculated. XD 5.5
Threshold Threshold, as a percentage, that triggers a High CPU condition, displayed in Desktop Studio
and Desktop Director.
XD 5.5
ICA\ Shadowing
Shadowing Allow shadowing of ICA sessions XA 6
Licensing
License server host name The name of the server hosting XenApp licenses. XA 6
License server port The port number of the server hosting XenApp licenses. XA 6
Profile Management
Enable Profile Management Turns on Citrix Profile Management UPM 2.0
Process Groups Active Directory groups that will use Citrix Profile Management UPM 2.0
Path to User Store Network location of end-user profile store UPM 2.0
Active Write Back Files and folders (but not registry keys) will be synchronized as they are modified. UPM 3.0
Process logons of local administrators Process the profile of a user who is a local administrator on a system. UPM 2.0
Profile Management\ Advanced Settings
Delete Redirected Folders Folder is deleted from the local profile when the user next logs on. UPM 3.2
Directory of MFT Cache Files Identifies the location for the MFT Cache file. The MFT cache file should be saved in a persistent, easily accessible location for best performance. UPM 2.0
Process Internet cookie files on logoff Stale Internet cookie files are removed on user logoff UPM
Profile Management\ File System
Exclusion list - directories Identifies what directories to exclude from the user profile UPM 2.0
Profile Management\ File System\ Synchronization
Directories to Synchronize Identifies which directories should be synchronized from the system to the profile on logoff. UPM 2.0
Files to Synchronize Identifies specific files, which should be synchronized from the system to the profile on logoff. UPM 2.0
Folders to Mirror Mirroring folders allows Profile management to process a transactional folder and its contents as a single entity, thereby avoiding profile bloat. UPM 3.1
Profile Management\ Profile handling
Local profile conflict handling Identifies how UPM handles conflicts between Windows local profiles and Citrix profiles. UPM 2.0
Migration of existing profiles Determines which types of existing user profiles to migrate. UPM 2.0
Profile Management\ Streamed user profiles
Profile Streaming Enables streaming of profiles as files are requested. UPM 3.0
Acknowledgments
Citrix Consulting Solutions would like to thank all of the individuals that offered guidance and technical assistance during the course of this project, including those listed below, who were extremely helpful in answering questions, providing technical guidance and reviewing documentation throughout the project:
Adeel Arshed
Thomas Berger
Daniel Feller
Nicholas Rintalan
Dimitrios Samorgiannidis
Product Versions
Product Version
XenDesktop 5.0 / 5.5 / 5.6
XenApp 6.0 / 6.5
Citrix Profile Manager 3.x / 4.0
Revision History
Revision Change Description Updated By Date
1.0 Initial Document Rich Meesters July 13, 2012
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help
companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization,
networking, and cloud computing technologies into a full portfolio of products that enable virtual
work styles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely
on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with
over 10,000 companies in more than 100 countries. Annual revenue in 2011 was $2.20 billion.
© 2012 Citrix Systems, Inc. All rights reserved. Citrix, Access Gateway, Branch Repeater,
Citrix Repeater, HDX, XenServer, XenApp, XenDesktop and Citrix Delivery Center are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered
in the United States Patent and Trademark Office and in other countries. All other trademarks and
registered trademarks are property of their respective owners.