With my new JUST BLOG IT mantra clear in thought, let me get straight to the point…

We all know that giving access to resources through Studio is very straightforward in XenDesktop 5.x & 7.x. With 5.x we just associate a user or a group of users with a Desktop Group (or with a Delivery Group in the case of VM Hosted Apps, VMHA) and hey presto… the user or users get access to the resources.

With 7.x we still associate a user or a group of users with a Delivery Group, but with the inclusion of RDS workers and the even tighter integration of VMHA came two new mechanisms that control which types of resources the associated user or user group has access to.

1. Delivery Type Mode (set at the Delivery Group level; controls whether a Delivery Group can provide Desktops, Desktops & Applications, or just Applications)


2. Application Visibility or Limit Visibility (set at the Application level; controls which users see the Application)


So as you can see, providing access through the UI in XD5.x & XD7.x is easy… Glad we got that out of the way.

Now, a question that comes up time and time again is how users can be excluded from accessing resources that the larger user group they belong to has access to, i.e. how do we explicitly exclude a user or users from accessing resources? Unfortunately there is no option to do this through the UI right now, but that's not necessarily a bad thing. Performance vs functionality, right…

The good news is that it can be done through the SDK, i.e. PowerShell (PoSH).

XenDesktop 5.x and 7.x both include three very important internal Site-wide policies which allow us to control access to resources. Not only do these policies allow us to control who has access to published resources, but also the conditions under which resources are accessed.

1. Entitlement Policy (controls access to Pooled/Shared Desktops & Applications)
•Get-BrokerEntitlementPolicyRule
•Set-BrokerEntitlementPolicyRule
•Get-BrokerAppEntitlementPolicyRule
•Set-BrokerAppEntitlementPolicyRule

 

2. Assignment Policy (controls access to Dedicated/Private Desktops & Applications)
•Get-BrokerAssignmentPolicyRule
•Set-BrokerAssignmentPolicyRule
•Get-BrokerAppAssignmentPolicyRule
•Set-BrokerAppAssignmentPolicyRule

 

3. Access Policy (controls the conditions under which both Desktops & Applications are accessed)
•Get-BrokerAccessPolicyRule
•Set-BrokerAccessPolicyRule

Types of conditions include: allowed protocols, allowed connections (direct or via Access Gateway), excluded client IPs, excluded client names, SmartAccess filters…

So basically we have one policy for Pooled/Shared Delivery Groups, one for Dedicated/Private Delivery Groups and one for all Delivery Groups. Each of these policies contains rules which correspond to existing Delivery Groups.

Running Get-BrokerEntitlementPolicyRule without any search parameters will return the list of rules for Pooled/Shared Delivery Groups contained within the Site Entitlement Policy.

By default, a rule exists for each Delivery Group within each of the Site policies mentioned above, i.e. the rules are generated automatically when you create a Delivery Group.

We see limited reflections of these Site-wide policies in Studio under the Users and Access Policy tabs of individual Delivery Groups, but as is the norm with XenDesktop, most of the advanced configuration options are only available directly through PoSH.
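Because Studio only partially surfaces these exclusions, it helps to be able to list them across the whole Site. The PowerShell below is an added example written for this page; it is not from the original post or from Citrix. It assumes the Citrix Broker snap-in is installed on the machine it runs on and that the Get-Broker*PolicyRule cmdlets accept -DesktopGroupUid as a filter (the post itself filters Access rules by -DesktopGroupName). It emits one row per rule and exclusion filter, and flags lists that are populated but not enforced because the filter flag is off, which is the misconfiguration most easily missed when reading the raw cmdlet output.

```powershell
# Added example, not from the original post: audit the exclusion filters in the
# Site-wide Entitlement, Assignment and Access policies, one row per rule and filter.
# Assumes the Citrix Broker snap-in (Citrix.Broker.Admin.V2 on 7.x) is installed and
# that the Get-Broker*PolicyRule cmdlets accept -DesktopGroupUid (assumption).
Add-PSSnapin Citrix.Broker.Admin.* -ErrorAction SilentlyContinue

function Get-BrokerExclusionAudit {
    param(
        [string]$DesktopGroupName = '*'   # wildcard filter passed straight to Get-BrokerDesktopGroup
    )

    # One output row per (rule, filter). Enforced is only true when the flag is on
    # AND the list is non-empty; entries with the flag off are not applied by the broker.
    function New-AuditRow($dg, $policy, $rule, $filter, $enabled, $values) {
        $list = @($values | Where-Object { $_ })   # drop nulls/empties so Count is meaningful
        New-Object PSObject -Property @{
            DesktopGroup = $dg.Name
            Policy       = $policy
            Rule         = $rule.Name
            Filter       = $filter
            Enabled      = [bool]$enabled
            Entries      = ($list -join ', ')
            Enforced     = ([bool]$enabled -and $list.Count -gt 0)
        }
    }

    foreach ($dg in @(Get-BrokerDesktopGroup -Name $DesktopGroupName)) {
        # Entitlement (Pooled/Shared) and Assignment (Dedicated/Private) rules carry user exclusions
        foreach ($kind in 'Entitlement', 'Assignment') {
            $get = "Get-Broker${kind}PolicyRule"
            foreach ($r in @(& $get -DesktopGroupUid $dg.Uid)) {
                # ExcludedUsers holds user objects; keep the DOMAIN\name form for display
                $users = @($r.ExcludedUsers | ForEach-Object { $_.Name })
                New-AuditRow $dg $kind $r 'ExcludedUsers' $r.ExcludedUserFilterEnabled $users
            }
        }
        # Access rules (Direct and Access Gateway) carry client IP and client name exclusions
        foreach ($r in @(Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid)) {
            $label = "Access ($($r.AllowedConnections))"
            New-AuditRow $dg $label $r 'ExcludedClientIPs'   $r.ExcludedClientIPFilterEnabled   $r.ExcludedClientIPs
            New-AuditRow $dg $label $r 'ExcludedClientNames' $r.ExcludedClientNameFilterEnabled $r.ExcludedClientNames
        }
    }
}

# Usage: show only rules that have something on an exclusion list, enforced or not
Get-BrokerExclusionAudit | Where-Object { $_.Entries } |
    Sort-Object DesktopGroup, Policy, Rule |
    Format-Table DesktopGroup, Policy, Rule, Filter, Enabled, Enforced, Entries -AutoSize
```

Run it from a Delivery Controller (or a machine with the SDK pointed at one) before and after changing exclusions; a row with Enabled false but non-empty Entries means somebody turned the filter off without clearing the list, and those users or addresses are not actually being excluded.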

Example 1:  (Explicitly excluding one specific user from accessing a Desktop)

Based on three existing Delivery Group user assignments, the following desktop types are available to User1 when logged in through StoreFront:

1. W2K12 RDS Shared Desktop

2. Win7 Random Desktop

3. Win8 Static Desktop

To exclude User1 from accessing the Win7 Random Desktop we need to edit the existing Entitlement Policy rule for the relevant Delivery Group. To do this we can just run the following through PoSH:

Set-BrokerEntitlementPolicyRule -Name "Training Win7_1" -ExcludedUserFilterEnabled $true -ExcludedUsers training\user1

Once run, we can confirm that the exclusion has been set by running the following command:

Get-BrokerEntitlementPolicyRule -Name "Training Win7_1"

A quick logout/login or refresh of StoreFront will show the impact of the new Entitlement Policy exclusion set above, i.e. the Win7 Random Desktop icon is no longer available for User1.

Note: To remove the above exclusion we can run one of the following commands:

Set-BrokerEntitlementPolicyRule -Name "Training Win7_1" -RemoveExcludedUsers training\user1 -ExcludedUserFilterEnabled $false

Set-BrokerEntitlementPolicyRule -Name "Training Win7_1" -ExcludedUserFilterEnabled $false -ExcludedUsers @()

Both commands also switch the exclusion filter off for the whole rule. If other users have since been excluded on the same rule, disabling the filter re-admits all of them, so on a shared rule remove only the one user and leave the filter enabled until the list is genuinely empty.

If we stick with the example above and wanted to exclude User1 from accessing the Win8 Static Desktop, we would carry out the same steps, but as the Win8 Desktop is a Static/Private Desktop we would use the Assignment Policy cmdlets instead:

Running Get-BrokerAssignmentPolicyRule without any search parameters will return the list of rules for Static/Private Delivery Groups contained within the Site Assignment Policy.
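The Assignment Policy command itself is not shown above, so the following is an added example (not from the original post or from Citrix) that covers both cases: it looks up whichever desktop rules a Delivery Group has in the Entitlement and Assignment policies and adds or removes one user's exclusion on each. The group name "Training Win8" and the user training\user1 are taken from the post; the -AddExcludedUsers parameter and the -DesktopGroupUid filter are assumed to exist alongside the -RemoveExcludedUsers parameter the post uses. It appends to the exclusion list rather than replacing it, and on removal only switches the filter off once the list is empty.

```powershell
# Added example, not from the original post: exclude (or re-admit) one user on every
# desktop rule of a Delivery Group, whether the group uses Entitlement rules
# (Pooled/Shared) or Assignment rules (Dedicated/Private).
# Assumes the Citrix Broker snap-in is installed, and that -AddExcludedUsers and the
# -DesktopGroupUid filter exist on the Set-/Get-Broker*PolicyRule cmdlets (assumption).
Add-PSSnapin Citrix.Broker.Admin.* -ErrorAction SilentlyContinue

function Set-DesktopUserExclusion {
    param(
        [Parameter(Mandatory=$true)][string]$DesktopGroupName,   # e.g. "Training Win8"
        [Parameter(Mandatory=$true)][string]$User,               # e.g. "training\user1"
        [switch]$Remove                                           # re-admit instead of exclude
    )

    $dg = Get-BrokerDesktopGroup -Name $DesktopGroupName -ErrorAction SilentlyContinue
    if (-not $dg) { throw "Delivery Group '$DesktopGroupName' not found" }

    $touched = 0
    foreach ($kind in 'Entitlement', 'Assignment') {
        $get = "Get-Broker${kind}PolicyRule"
        $set = "Set-Broker${kind}PolicyRule"
        foreach ($rule in @(& $get -DesktopGroupUid $dg.Uid)) {
            $touched++
            if ($Remove) {
                & $set -Name $rule.Name -RemoveExcludedUsers $User
                # Only switch the filter off when nobody is left on it; disabling it with
                # entries still present would re-admit every user on the list
                $after = & $get -Name $rule.Name
                if (-not $after.ExcludedUsers) {
                    & $set -Name $rule.Name -ExcludedUserFilterEnabled $false
                }
            } else {
                # -AddExcludedUsers appends; -ExcludedUsers would overwrite the whole list
                & $set -Name $rule.Name -AddExcludedUsers $User -ExcludedUserFilterEnabled $true
            }
            # Return the rule as it now stands so the caller can verify the change
            & $get -Name $rule.Name |
                Select-Object Name, @{n='Policy'; e={ $kind }}, ExcludedUserFilterEnabled,
                    @{n='ExcludedUsers'; e={ ($_.ExcludedUsers | ForEach-Object { $_.Name }) -join ', ' }}
        }
    }
    if ($touched -eq 0) { throw "No Entitlement or Assignment rules found for '$DesktopGroupName'" }
}

# Usage (names from the post): exclude User1 from the Win8 Static Desktop, then undo it
Set-DesktopUserExclusion -DesktopGroupName 'Training Win8' -User 'training\user1'
Set-DesktopUserExclusion -DesktopGroupName 'Training Win8' -User 'training\user1' -Remove
```

The function returns the affected rules after each change, so the verification step the post does by hand with Get-BrokerEntitlementPolicyRule happens as part of the call. As with the post's examples, the user needs a logout/login or a StoreFront refresh before the icon disappears; an already-running session is not disconnected by the exclusion.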

 

Example 2: (Set an access condition to exclude a user from accessing a Desktop from a specific client IP)

As in Example 1, based on three existing Delivery Group user assignments, the following desktop types are available to User1 when logged in through StoreFront:

1. W2K12 RDS Shared Desktop

2. Win7 Random Desktop

3. Win8 Static Desktop

Running Get-BrokerAccessPolicyRule without any search parameters will return the list of rules for all Delivery Groups contained within the Site Access Policy.

Note: The Site Access Policy contains two rules by default for each existing Delivery Group, regardless of its type (Existing Static, Pooled Static (MCS), Existing Random or Pooled Random (MCS)), and these rules control the conditions for accessing the resources contained within that Delivery Group. By default one rule covers direct connections (named with a _Direct suffix, e.g. "Training Win8_Direct" below) and one covers connections via Access Gateway.

To make things a little easier, we can use select to return just the information we need:

Get-BrokerAccessPolicyRule -DesktopGroupName "Training Win8" | select allowedconnections, desktopgroupname, excludedclientip*, name | format-list

To set a new client IP access exclusion, run the following:

Set-BrokerAccessPolicyRule -Name "Training Win8_Direct" -ExcludedClientIPFilterEnabled $true -ExcludedClientIPs 192.168.10.29

Note: We are setting the client IP exclusion against the _Direct rule, i.e. for direct connections only, not those through AG. The Access Gateway rule for the same Delivery Group is a separate rule that this command does not change, so a client at that address connecting via AG is not affected by it.

Once again, a quick logout/login or refresh of StoreFront will show the impact of the new Access Policy exclusion set above, i.e. the Win8 Static Desktop icon is no longer available for User1 when connecting from that address.

 

Note: To remove the above exclusion we can run one of the following commands (as with the Entitlement Policy, both also switch the filter off, which drops any other addresses excluded on the same rule):

Set-BrokerAccessPolicyRule -Name "Training Win8_Direct" -ExcludedClientIPFilterEnabled $false -ExcludedClientIPs @()

Set-BrokerAccessPolicyRule -Name "Training Win8_Direct" -ExcludedClientIPFilterEnabled $false -RemoveExcludedClientIPs 192.168.10.29
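To manage a client IP exclusion across both Access Policy rules of a Delivery Group (the Direct rule edited above and the Access Gateway rule left alone above), here is an added example, not from the original post or from Citrix. It validates the addresses before touching the Site policy, appends rather than overwrites, and only clears the filter flag when the list is empty. The group name and address are the post's; the -AddExcludedClientIPs parameter is assumed to exist alongside the -RemoveExcludedClientIPs parameter the post uses, and the AllowedConnections values NotViaAG and ViaAG are assumed to identify the Direct and AG rules respectively.

```powershell
# Added example, not from the original post: add or remove a client-IP exclusion on the
# Access Policy rules of one Delivery Group. By default both the Direct (NotViaAG) and the
# Access Gateway (ViaAG) rule are changed; -DirectOnly reproduces what the post does.
# Assumes the Citrix Broker snap-in is installed and that -AddExcludedClientIPs exists
# alongside the -RemoveExcludedClientIPs parameter used in the post (assumption).
Add-PSSnapin Citrix.Broker.Admin.* -ErrorAction SilentlyContinue

function Set-DesktopClientIPExclusion {
    param(
        [Parameter(Mandatory=$true)][string]$DesktopGroupName,   # e.g. "Training Win8"
        [Parameter(Mandatory=$true)][string[]]$ClientIP,         # e.g. "192.168.10.29"
        [switch]$DirectOnly,                                      # leave the AG rule untouched
        [switch]$Remove
    )

    # Refuse anything that is not a well-formed IP address; a typo here silently excludes nobody
    foreach ($ip in $ClientIP) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            throw "Not a valid IP address: '$ip'"
        }
    }

    $rules = @(Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName)
    if ($DirectOnly) { $rules = @($rules | Where-Object { $_.AllowedConnections -eq 'NotViaAG' }) }
    if ($rules.Count -eq 0) { throw "No Access Policy rules found for '$DesktopGroupName'" }

    foreach ($rule in $rules) {
        if ($Remove) {
            Set-BrokerAccessPolicyRule -Name $rule.Name -RemoveExcludedClientIPs $ClientIP
            # Clear the flag only if the list is now empty; otherwise other excluded
            # addresses on this rule would be let back in
            $after = Get-BrokerAccessPolicyRule -Name $rule.Name
            if (-not $after.ExcludedClientIPs) {
                Set-BrokerAccessPolicyRule -Name $rule.Name -ExcludedClientIPFilterEnabled $false
            }
        } else {
            # Append; -ExcludedClientIPs would replace the whole list
            Set-BrokerAccessPolicyRule -Name $rule.Name -AddExcludedClientIPs $ClientIP -ExcludedClientIPFilterEnabled $true
        }
    }

    # Return the rules as they now stand so the result can be verified
    Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName |
        Select-Object Name, AllowedConnections, ExcludedClientIPFilterEnabled,
            @{n='ExcludedClientIPs'; e={ $_.ExcludedClientIPs -join ', ' }}
}

# Usage (values from the post): exclude the address on both rules, then undo it
Set-DesktopClientIPExclusion -DesktopGroupName 'Training Win8' -ClientIP '192.168.10.29'
Set-DesktopClientIPExclusion -DesktopGroupName 'Training Win8' -ClientIP '192.168.10.29' -Remove
```

A client IP exclusion is only as trustworthy as the address the broker sees. Behind NAT or a VPN concentrator many users share one address, and a user who controls their own machine can simply change theirs, so treat this as a convenience control for known kiosks or networks and use the user-level exclusions from Example 1 for anything that actually matters.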

 

Best Regards
Mick Glover (aka XD Tipster)
Senior Readiness Specialist,
Worldwide Support Readiness [EMEA]
Citrix Systems, Inc