Here’s a brain dump of some considerations for use of Policies in Citrix Virtual Apps and Desktops environments based on quite a few years of administration and observation. If you have any questions or disagreements, feel free to drop me a line or comment below!
Should policies be placed in AD Group Policy or within Citrix Studio?
App and Desktop policies can be set either via Citrix Studio or within .ADMX files imported into your Active Directory central store. Each option has its own benefits and, yes, this is just another way of saying, “it depends.”
Citrix Studio Policies:
No Active Directory access required. If you are not an AD admin in addition to being a Citrix admin, you need to stick with Studio policies. If you have control over the Citrix environment, control settings within that and only that with Citrix Studio policy. You will eliminate bottlenecks in requesting things be done for you and not have concern of impacting more than what you’re responsible for.
Citrix Policies are a part of the Site Configuration DB. You’ll see this listed twice in this posting. Citrix policies are stored in a single DB. They’re not replicated amongst however many Domain Controllers you have in your AD and thus aren’t impacted by replication delays. This can save you some time in troubleshooting when new settings don’t apply via GPO delivered policy (did it make it over to Australia? BTW why is this user in Alabama connected to this DC in Australia?!).
You can compare policy settings within Studio. This is extremely useful when determining why certain policies aren’t delivering the expected results, and is one of the key reasons I’d recommend using Studio for policy creation:
GPO delivered Citrix policies:
GPO based policies are transferable between Citrix Virtual Apps and Desktops (XenApp/XenDesktop) Sites: this allows for quick transfer of policy settings when a new site is introduced.
GPO based policies are NOT a part of the Site Configuration DB, they are stored in Active Directory. Thus backing up AD backs up your Citrix policies as well as all other GPO’s.
Windows and Office settings can be included alongside Virtual Apps and Desktops settings. I actually like to separate these in case I want things like folder redirection and Office settings to apply enterprise wide rather than just apply to Citrix sessions. However, fewer policies applied generally cuts down on logon times, so there may be benefit here.
Verdict: I’ve always veered towards applying Citrix specific settings via Studio, and MS/Windows/Office settings via GPO. But, the choice is one determined by your environment and your style of administration.
Additionally, Workspace Environment Management (WEM) is certainly worth considering for management of the whole sh’bang, but that’s an entirely different article I’ll be writing soon.
Back ‘dat thing up
You can backup and restore (to the same site only!) Citrix Studio edited policies with Citrix Powershell SDK.
Citrix policies (like everything else) can get corrupted, so it’s a good idea to perform this task manually, at least prior to a major edit (Citrix support does not recommend automating this process via SDK cmdlet).
To Backup:
PS> asnp Citrix*
PS> Export-BrokerDesktopPolicy | out-file .\CitrixPolicyBackup.txt
To Restore:
PS> asnp Citrix*
PS> Import-BrokerDesktopPolicy(Get-Content .\CitrixPolicyBackup.txt)
Don’t edit Studio based Policies from more than one machine at once
You’ll end up corrupting your policy and needing to restore using the instructions above.
Keep the number of Policies to a minimum
To lessen the app and desktop launch impact on your users, it is best to cover everything general in one big policy than to split up the settings into multiple policies that apply to just about everyone.
You’re better off having department specific settings in their own smaller policies, but for settings you want to cover everyone, include this in one organization wide policy. You will shave a few precious seconds off logons and help turn the perception into a happy reality.
Again, another good option to look into is WEM.
I’ll be back with more tech tips real soon! Hope these help in your user experience perfection.
-2018 Adam Paul Shattuck
