Perform this task to create an authorization policy in an office scenario.
From the navigation pane, select Policies > Authorization Policies.
On the Authorization Policies page, click Create.
Configure basic information such as name and type, and click Next: Customize Policy.
Configure local resource mapping. Different application objects support different resource mapping policies.
Click Desktop Experience on the left, and configure the related parameters. Only VDI authorization policies support this option.
Click Security Rules on the left, and configure the related parameters. Only VDI authorization policies support this option.
Click Network Rules on the left, and configure a denylist. Only IDV and VOI authorization policies support this option.
Click Watermark Settings on the left, and configure a non-blind or blind watermark.
Click Display Parameters on the left, and configure desktop display parameters.
Click vGPU Settings on the left, select a scenario, and configure screenshot parameters and encoding parameters. Only VDI authorization policies support this option.
Click Software Denylist & Allowlist on the left, and create a rule to define a software denylist or allowlist.
Click Data Management on the left, and configure the user data roaming parameters.
Click Application Acceleration on the left, and configure resource parameters for application software.
Click Next: Confirm Configuration.
Note:
· Only VDI and vAPP authorization policies support local resource and device configuration. vAPP authorization policies support only disk and clipboard mappings. The mapping direction for clipboard mapping is bidirectional and cannot be changed.
· In an education scenario, local resource mappings take effect only on the teacher desktops.
· ARM hosts do not support local resource mapping.
Local Resource Mappings:
Disk: Set whether to allow cloud desktops to use disks of the local endpoint. If you enable this option, you can see the local disks on the cloud desktop. By default, this option is enabled.
Serial Port: Set whether to allow cloud desktops to use serial ports of the local endpoint. If you enable this option, devices connected through the serial ports are mapped to the cloud desktop. By default, this option is enabled. Linux cloud desktops cannot use serial ports of the local endpoint through local resource mapping.
Parallel Port: Set whether to allow cloud desktops to use parallel ports of the local endpoint. If you enable this option, devices connected through the parallel ports are mapped to the cloud desktop. Linux cloud desktops cannot use parallel ports of the local endpoint through local resource mapping.
VDP Clipboard: Set whether to allow copy, cut, and paste operations between a client and the connected cloud desktop when they connect through the VDP protocol.
Mapping Direction: Set a mapping direction for VDP clipboard mapping:
Bidirectional: Supports copy, cut, and paste operations between the local endpoint and cloud desktop. By default, the mapping direction is bidirectional.
Endpoint to VM: Supports copy, cut, and paste operations from the local endpoint to the cloud desktop.
VM to Endpoint: Supports copy, cut, and paste operations from the cloud desktop to the local endpoint.
You can add filtering rules to filter packets. ARM hosts do not support configuring filtering rules.
Camera: Set whether to allow cloud desktops to use cameras of the local endpoint. By default, this option is enabled. If this option is enabled, set the cloud desktop to HD mode. To set HD mode, log in to the client, connect to the cloud desktop, click the Advanced Settings icon in the toolbar, and select HD Mode from the Scene list on the Experience tab.
USB Redirection: Set whether to allow cloud desktops to use the peripheral devices connected to the endpoint. Common peripheral device types include scanners, printers, cameras, storage devices, IC cards, communications & CDC devices, USB Type-C bridge class devices, wireless controllers, and vendor-defined devices (such as a composite device or a serial device connected through a USB-to-serial adapter). You can also define custom USB redirection rules for peripherals. If a peripheral device matches neither a common peripheral type nor a custom rule, the device is handled according to the USB redirection rule for other types of devices.
Device Type: Specify the device type for a custom USB redirection rule. In a custom USB redirection rule, at least one of the device type, VID, and PID is an exact match value.
VID: Enter a vendor ID, a four-digit hexadecimal number. An asterisk (*) indicates all vendors.
PID: Enter a product ID, a four-digit hexadecimal number. An asterisk (*) indicates all products.
SubClass: Sub-class number.
REL: BCD device version number.
Prot: Protocol number.
State: Set whether the USB devices can be used.
Note:
· Configure USB redirection under the guidance of professionals. An incorrect configuration makes peripherals unusable.
· After a USB peripheral is redirected, the endpoint cannot use it locally. For the endpoint to use the USB peripheral, disable its redirection in the authorization policy.
Advanced Settings: Set whether to enable read-only mode for storage devices. By default, this option is disabled. If you enable this option, data on the cloud desktop cannot be copied to a storage device.
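The custom USB redirection rules described above can be checked offline before they are deployed. The following is an added example written for this page, not the product's code: it validates a rule (at least one of device type, VID and PID exact; VID/PID either "*" or four hex digits) and evaluates a constructed device against custom rules, the common device type switches and the rule for other device types. The field names, the `UsbDevice`/`UsbRule` types and the precedence order (custom rule first, then common type, then other types) are assumptions, since the page does not state how the product orders them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# VID and PID are four-digit hexadecimal numbers; "*" stands for all vendors/products.
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")


@dataclass(frozen=True)
class UsbDevice:
    """Descriptor fields of a peripheral as seen by the endpoint (constructed)."""
    device_type: str   # e.g. "Storage Device", "Printer"
    vid: str           # vendor ID, four hex digits
    pid: str           # product ID, four hex digits
    subclass: int      # SubClass number
    rel: str           # BCD device version number, e.g. "0100"
    prot: int          # protocol number


@dataclass(frozen=True)
class UsbRule:
    """A custom USB redirection rule; "*" or None means 'any' for that field."""
    device_type: str = "*"
    vid: str = "*"
    pid: str = "*"
    subclass: Optional[int] = None
    rel: Optional[str] = None
    prot: Optional[int] = None
    enabled: bool = True   # State: whether matching devices can be used


def validate_rule(rule: UsbRule) -> None:
    """Enforce the page's constraints: at least one of device type, VID and
    PID must be an exact value, and VID/PID must be "*" or four hex digits."""
    if rule.device_type == "*" and rule.vid == "*" and rule.pid == "*":
        raise ValueError("at least one of device type, VID and PID must be exact")
    for name, value in (("VID", rule.vid), ("PID", rule.pid)):
        if value != "*" and not HEX4.match(value):
            raise ValueError(f"{name} must be '*' or a four-digit hexadecimal number")


def _field_matches(rule_value, device_value) -> bool:
    """A wildcard ("*" or None) matches anything; strings compare case-insensitively."""
    if rule_value in ("*", None):
        return True
    if isinstance(rule_value, str):
        return rule_value.lower() == str(device_value).lower()
    return rule_value == device_value


def rule_matches(rule: UsbRule, device: UsbDevice) -> bool:
    """A rule matches when every field it specifies equals the device's field."""
    return all(_field_matches(getattr(rule, f), getattr(device, f))
               for f in ("device_type", "vid", "pid", "subclass", "rel", "prot"))


def redirection_allowed(device: UsbDevice, custom_rules: List[UsbRule],
                        common_types: Dict[str, bool], other_types: bool) -> bool:
    """Decide whether the device may be redirected. Assumed precedence (the page
    does not state it): first matching custom rule, then the common device type
    switch, then the rule for other types of devices."""
    for rule in custom_rules:
        if rule_matches(rule, device):
            return rule.enabled
    if device.device_type in common_types:
        return common_types[device.device_type]
    return other_types
```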
Note:
· Only VDI and vAPP authorization policies support desktop experience configuration. vAPP authorization policies support only one desktop experience configuration item: virtual app session prestart. With this feature enabled, the system accelerates the connection to the first application. Virtual app session prestart supports only two application servers and prestarts a maximum of two servers even if you enable this feature for more than two application servers. ARM hosts do not support virtual app session prestart.
· The following features are available only in an education scenario and take effect only on the teacher desktops: Allow Desktop to Shut Down, Allow Desktop to Reboot, Allow Desktop to Disconnect, Allow Desktop to Return, Allow Desktop to Power Off, and Shutdown from OS Start Menu.
Allow Desktop to Shut Down: Set whether to allow the user to shut down the desktop on the client. By default, this option is enabled.
Allow Clients to Take Snapshots for Desktop: Set whether to allow the user to take snapshots for a desktop on the client. By default, this option is enabled. This option applies only to bulk deployed desktops in non-protection mode through static desktop pools.
Allow Desktop to Reboot: Set whether to allow the user to reboot the desktop on the client. By default, this option is enabled.
Allow Clients to Edit Desktop Names: Set whether to allow the user to rename a desktop on the client by right-clicking it. By default, this option is disabled. Desktops in a manual or dynamic desktop pool do not support this function.
Allow Desktop to Disconnect: Set whether to allow the user to disconnect the desktop on the client. By default, this option is enabled.
Allow Desktop to Return: Set whether to allow the user to return to the Workspace App client through the Back button in the toolbar. By default, this option is enabled.
Shut Down Thin Clients with Desktop: Set whether to allow the user to shut down the thin client while shutting down the connected desktop. By default, this option is disabled. This setting takes effect only on clients that display desktops in full-screen mode. Before enabling this option, enable the network wakeup function in the power options of the endpoint BIOS. With this function enabled, do not enable the Shut Down Desktop upon Timeout parameter in the authorization policy or the Reboot After Release parameter for the dynamic desktop pool. ARM hosts do not support this parameter.
Allow Desktop to Power Off: Set whether to allow the user to power off the desktop on the client. By default, this option is enabled.
Shutdown from OS Start Menu: Set whether to allow the user to shut down a cloud desktop running a Windows operating system from the Start menu. By default, this option is enabled. The configuration of this option takes effect after the cloud desktop is rebooted or logged out.
TLS Encryption: Set whether to allow the client to access the cloud desktop with TLS encryption. By default, this option is disabled. ARM hosts do not support this parameter.
HTTP Proxy: Set whether to allow HTTP proxy.
Note: VDI authorization policies support security rule configuration only in an office scenario.
Log Off after Exit: Set whether to allow the user to log out after exiting the cloud desktop. By default, this option is disabled. Exiting the cloud desktop includes disconnecting, closing, rebooting, and powering off the cloud desktop.
Permit Gateway User Login: Set whether to allow the user to log in to the cloud desktop through a gateway. By default, this option is enabled.
Operation on Idle Desktops upon Timeout: Operations to take on idle desktops upon timeout. Options include No Operation, Disconnect, and Lock Screen.
If you select Lock Screen, the system locks the screen of the client if the user is inactive for the specified amount of time.
If you select Disconnect, the system disconnects the client if the user is inactive for the specified amount of time. You can also specify whether to enable Thin Client Shutdown. With thin client shutdown feature enabled, the system automatically shuts down the thin client when the countdown is over. This thin client shutdown feature takes effect only on SpaceOS endpoints on which clients are displayed in fullscreen mode.
Log Off Idle Desktops upon Timeout: Log off the user if the client is disconnected for the specified amount of time. After enabling this option, you need to set the timeout time.
User Acceptance of Remote Assistance: After enabling this option, you must wait for the acceptance of a user before you can perform remote assistance for the user through Space Control.
Shut Down Desktop upon Timeout: Set the timeout time for shutting down a cloud desktop.
Not Shut Down: Do not shut down the cloud desktop.
Shut Down: Shut down the cloud desktop immediately.
Custom: Shut down the cloud desktop after the specified timeout time. The timeout time is the time during which a cloud desktop runs without a user connected to it.
With this function enabled, do not enable the Shut Down Thin Clients with Desktop parameter in the authorization policy.
This option and the Suspend Desktop upon Timeout option cannot be both set.
Suspend Desktop upon Timeout: Set the timeout time for suspending a cloud desktop after the cloud desktop goes offline:
Not Suspend: Do not suspend the cloud desktop.
Suspend: Suspend the cloud desktop immediately.
Custom: Suspend the cloud desktop after the specified offline time.
This option and the Shut Down Desktop upon Timeout option cannot be both set.
Reconnection Timeout: Set the time period during which a cloud desktop will attempt to reconnect after being disconnected due to network problems. The value 0 means not reconnecting.
Mail Notification for Login from External Network: Enable the system to send an email to the user's mailbox when the user logs in to a client from an external network. To use this function, you must configure a mail server and a mailbox.
Disconnect Desktop upon Screen Lock: Enable the client to disconnect from a cloud desktop when the screen of the cloud desktop is locked. Enable this feature as a best practice when the desktop pool is for domain users and a dedicated client authentication server and a desktop domain controller are used. If you disable this feature, a user logging in to a cloud desktop whose screen is locked must first reconnect to it.
Dynamic Desktop Overallocation: Enables the system to bind a desktop to a user once the desktop is assigned. When logging in to the client from another endpoint, the user can use the bound desktop or obtain an idle desktop from the dynamic desktop pool.
User Authorization Group: Set the user group that a user joins after connecting to a cloud desktop. The user group configuration takes effect after the cloud desktop is reconnected. This parameter is supported only by Windows cloud desktops. For more information about this parameter, see the Microsoft official website.
Remote Desktop Users: Specify the remote desktop user group. Users in this group can access cloud desktops through remote connections.
Administrators: Specify the administrator group. This group has all privileges.
Power Users: Specify the standard user group. Users in this group have more privileges than common users and fewer privileges than administrators. They can execute all operating system tasks except those restricted to administrators. For example, they can edit operating system settings.
Users: Specify the common user group. Users in this group have limited privileges. For example, they cannot edit operating system settings or profiles of other users and can run only Windows-approved applications.
Note: IDV and VOI authorization policies support network rule configuration only in an office scenario.
Trap Filter: Specify a protocol to match. Options include TCP and UDP.
Type: Specify a rule type. Only the Denylist option is supported. IP addresses and port numbers in the denylist are not allowed to communicate with IDV or VOI cloud desktops.
Direction: Specify a packet direction to match. Options include Inbound and Outbound.
Start Port: Specify a start port of the port range to match.
End Port: Specify an end port of the port range to match.
IP: Specify an IP address to match. IP address 0.0.0.0 matches all IP addresses.
Subnet Mask: Specify the subnet mask for the IP address.
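The denylist semantics above (protocol, direction, port range, IP plus subnet mask, and 0.0.0.0 as the wildcard address) can be expressed as a small matcher for testing a rule set against representative connections. This is an added example written for this page, not the product's implementation; the `DenyRule`/`Flow` names and the assumption that the port range is compared with the remote peer's port are mine, as the page does not specify which end's port is matched.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DenyRule:
    """One network rule as configured on the page (Type is always Denylist)."""
    protocol: str      # Trap Filter: "TCP" or "UDP"
    direction: str     # "Inbound" or "Outbound"
    start_port: int
    end_port: int
    ip: str            # 0.0.0.0 matches all IP addresses
    subnet_mask: str   # dotted-decimal mask for the IP address


@dataclass(frozen=True)
class Flow:
    """A connection attempt seen from the IDV/VOI desktop (constructed record).
    Assumption: the rule's port range is compared with the remote peer's port."""
    protocol: str
    direction: str
    remote_ip: str
    remote_port: int


def validate_rule(rule: DenyRule) -> None:
    """Reject rules whose fields cannot be matched as the page describes them."""
    if rule.protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if rule.direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be Inbound or Outbound")
    if not 0 <= rule.start_port <= rule.end_port <= 65535:
        raise ValueError("port range must satisfy 0 <= start <= end <= 65535")
    # Raises ValueError on a malformed address or mask (e.g. a non-contiguous mask).
    ipaddress.IPv4Network(f"{rule.ip}/{rule.subnet_mask}", strict=False)


def rule_matches(rule: DenyRule, flow: Flow) -> bool:
    """Protocol, direction, port range and masked IP address must all match."""
    if rule.protocol != flow.protocol or rule.direction != flow.direction:
        return False
    if not rule.start_port <= flow.remote_port <= rule.end_port:
        return False
    if rule.ip == "0.0.0.0":          # wildcard address; the mask is irrelevant
        return True
    network = ipaddress.IPv4Network(f"{rule.ip}/{rule.subnet_mask}", strict=False)
    return ipaddress.IPv4Address(flow.remote_ip) in network


def is_denied(flow: Flow, rules: List[DenyRule]) -> bool:
    """Denylist semantics: any matching rule blocks the communication."""
    return any(rule_matches(rule, flow) for rule in rules)


# Constructed policy: block outbound TCP 20-21 towards 10.0.0.0/8 and
# inbound UDP 137-139 from any address.
POLICY = [
    DenyRule("TCP", "Outbound", 20, 21, "10.0.0.0", "255.0.0.0"),
    DenyRule("UDP", "Inbound", 137, 139, "0.0.0.0", "0.0.0.0"),
]
for _rule in POLICY:
    validate_rule(_rule)
```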
Note:
· Watermark configuration is not supported in education scenarios.
· For VDI authorization policies, blind watermarking and non-blind watermarking can be configured simultaneously. For IDV and VOI authorization policies, you can configure either blind watermarking or non-blind watermarking, but not both. vAPP authorization policies support only non-blind watermarking.
· The IP address and MAC address of a cloud desktop in an abnormal state might not be displayed because the system might be unable to obtain them. To solve this issue, disconnect from and reconnect to the cloud desktop.
· Web clients do not support blind watermarking.
· ARM hosts do not support blind watermarking.
Non-Blind Watermarking:
For VDI authorization policies: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, and the font size, transparency, location, rotation angle, color, and custom content of the watermark.
For IDV and VOI authorization policies: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, tiling watermark, and the color, font size, transparency, rotation angle and custom content of the watermark.
For vAPP authorization policies: After enabling this option, you can configure displaying the user login name, IP address, MAC address, font size, transparency, color, and custom content of the watermark.
Blind Watermarking: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, tiling watermark, rotation angle, and custom content of the watermark.
Note:
· Only VDI authorization policies support configuring display parameters.
· Retain the default settings for the recommended display parameters.
Bandwidth:
Low Bandwidth Threshold: Low bandwidth condition occurs if the bandwidth between the client and the server drops below the threshold.
Network Monitor Interval: Interval at which the system detects the bandwidth between the client and the server for low bandwidth issues.
Video Display Parameters: Graphic display-related parameters for desktops in non-vGPU scenarios. If the client uses the speed-first mode, the video stream compression algorithm is applied to all images. If the client uses the intelligent mode, the algorithm is applied only to non-redirected videos and images played through a player.
Encoding Threads: Number of encoding threads of videos.
Max Frame Rate: Maximum frame rate of videos.
Transcoding Mode: Video stream transcoding mode. Options include YUV420 and YUV444.
Encoding Format: Video stream encoding format. Options include H.265 and H.264.
Idle Timeout: Idle timeout of desktop images for the system to stop compressing video streams and compress images instead. This parameter takes effect only when the client is in intelligent mode.
x264 Encoding Rate: x264 encoding rate for video streams.
Advanced Encoding Parameters: Advanced encoding parameters, including H.265 Coding Rate, H.264 Coding Rate, H.265 VBV, H.264 VBV, H.265 VBV Buffer, H.264 VBV Buffer, H.265 KeyInt, H.264 KeyInt, H.265 QPMax, and H.264 QPMax.
Picture Encoding Parameters:
Compression Mode: Options include Lossless and Lossy. If the client has a compression mode configured, the client configuration takes precedence.
Compression Ratio: Specifies the compression ratio of non-text content on the desktop. The higher the ratio, the better the image quality and the higher the bandwidth usage. This parameter takes effect only when the compression mode is lossless.
Nebula Algorithm: Specifies whether to enable the image Nebula algorithm.
Command Merge: Specifies whether to combine multiple drawing commands into one command for processing to reduce the bandwidth usage.
Note:
· Only VDI authorization policies support vGPU configuration.
· ARM hosts do not support vGPU.
Scenario: Five scenarios are supported: Office-Ultra Light Load, Office-Light Load, Office-Medium Load, Office-Standard Load (Recommended), and Office-Heavy Load. Different scenarios have different default values for screenshot parameters and encoding parameters.
Office-Ultra Light Load: Applied to text file browsing with a bandwidth lower than 512 kbps. This scenario has low display quality.
Office-Light Load: Applied to text file browsing and static picture browsing with a bandwidth lower than 1 Mbps. This scenario has higher display quality than the ultra light load scenario.
Office-Medium Load: Applied to text file browsing, static picture browsing, and dynamic webpage browsing with a bandwidth lower than 4 Mbps.
Office-Standard Load (Recommended): Applied to standard or high definition video playing with a bandwidth lower than 20 Mbps. This scenario provides the best balance between bandwidth and display quality.
Office-Heavy Load: Applied to high definition video playing with a bandwidth higher than 20 Mbps.
Screenshot Frame Rate: Snapshots taken per second. The larger this value, the smoother the video. However, higher display quality is achieved at the expense of high bandwidth and GPU usage. If the client uses software decoding, the CPU usage also increases.
Screenshot Mode: Options include Timeout-Based, Periodic, and Dynamic. By default, the Timeout-Based mode is used.
Timeout-Based: Takes a snapshot upon expiration of a timeout timer if the screen is not refreshed or the mouse is not moved. By default, the timeout timer is 150 milliseconds.
Periodic: Takes snapshots at an interval of 1000/screenshot frame rate, in milliseconds.
Dynamic: Takes a snapshot when the screen is refreshed or the mouse moves.
Prioritized Factor: Options include Quality and Bandwidth. By default, the Quality option is used.
Quality: This option compresses video data based on video quality. Related parameters for this option are Average Quality, Lowest Quality, Highest Quality, and Peak Bitrate.
Bandwidth: This option compresses video data based on the bit rate. Related parameters for this option are Average Bitrate and Peak Bitrate.
Average Quality: Average display quality for videos. For the Quality option, the greater this value, the lower the video quality.
Average Bitrate: Average bit rate for video images, in kbps. For the Bandwidth option, the greater this value, the higher the video quality.
Lowest Quality: Lowest display quality for videos. For the Quality option, the greater this value, the lower the video quality.
Peak Bitrate: Peak bit rate for video images, in kbps. The greater this value, the higher the video quality.
Highest Quality: Highest display quality for videos. For the Quality option, the greater this value, the lower the video quality.
Encoding Preset: Algorithm used for video compression. The smaller this value, the faster the encoding speed and the smoother the video, but the poorer the image quality and the more bandwidth consumed.
GOP: Group of pictures used by the video compression algorithm. A GOP is a group of consecutive pictures. The greater the GOP value, the higher the video quality, but the more bandwidth is consumed. As a best practice, set this parameter to a value one to two times the frame rate.
Encoding Mode: Video encoding mode, which can be H.264 or H.265. H.265 improves on H.264 in compression rate and transmission bit rate. Compared with H.264, H.265 occupies less storage space and requires less bandwidth to provide videos with the same quality and bit rate. However, H.265 occupies more CPU resources and therefore supports lower concurrency. H.265 also has higher performance requirements on endpoints. If H.265 is used, the client automatically checks whether the endpoint meets the configuration requirements. If not, the client uses H.264.
Note:
· Only VDI, IDV, and VOI authorization policies support software denylist and allowlist.
· ARM hosts do not support software denylist and allowlist.
· You can configure a maximum of 20 software denylist or allowlist rules, and the matched process name must be in English.
· The software denylist and allowlist feature can block or allow only the .exe programs of the Windows 7 or Windows 10 operating system.
Create a software allowlist or denylist:
List Type: Specify the list type. Options include Allowlist and Denylist. You can add processes, files, and directories to a denylist but only processes to an allowlist. Directories support only exact matching of absolute paths (C:\Program Files (x86)\Professional\Computer, for example), and support Chinese characters. Process and file names cannot contain Chinese characters.
Match Mode:
Exact Match: Match the process name exactly. A program is denied if its process name is matched. This match mode is recommended.
Fuzzy Match: Match the process names that contain the string you enter. For example, qq matches qq.exe and qq2013.exe. To avoid mismatches, enter the exact process name to match or specify the process name as accurately as possible. For example, do not specify .exe for fuzzy matching.
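The allowlist and denylist constraints above (processes only in an allowlist, exact absolute paths for directories, at most 20 rules, no Chinese characters in process or file names, .exe programs only) and the two match modes can be checked against a list of program paths before the rule set is deployed. The following is an added example for this page, not the product's code; the `SoftwareRule` type, case-insensitive comparison of Windows names, the CJK range used to approximate "must be in English", and the `fuzzy_overmatch` preview that exposes the ".exe" pitfall are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

MAX_RULES = 20          # at most 20 denylist or allowlist rules
ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\")   # e.g. C:\Program Files (x86)\...


@dataclass(frozen=True)
class SoftwareRule:
    target: str       # process name, file name or absolute directory path
    kind: str         # "process", "file" or "directory"
    match_mode: str   # "exact" or "fuzzy" (directories: exact only)


def contains_chinese(text: str) -> bool:
    """Approximation of 'must be in English': reject CJK Unified Ideographs."""
    return any("\u4e00" <= ch <= "\u9fff" for ch in text)


def validate_rules(list_type: str, rules: List[SoftwareRule]) -> None:
    """Enforce the page's constraints on a rule set."""
    if list_type not in ("allowlist", "denylist"):
        raise ValueError("list type must be allowlist or denylist")
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules are allowed")
    for rule in rules:
        if list_type == "allowlist" and rule.kind != "process":
            raise ValueError("an allowlist accepts processes only")
        if rule.kind in ("process", "file") and contains_chinese(rule.target):
            raise ValueError("process and file names cannot contain Chinese characters")
        if rule.kind == "directory":
            if rule.match_mode != "exact" or not ABS_WIN_PATH.match(rule.target):
                raise ValueError("directories support exact matching of absolute paths only")


def rule_matches(rule: SoftwareRule, program_path: str) -> bool:
    """Windows names are case-insensitive, so compare lower-cased strings."""
    directory, _, name = program_path.lower().rpartition("\\")
    target = rule.target.lower()
    if rule.kind == "directory":
        return directory == target.rstrip("\\")   # exact absolute path only
    if rule.match_mode == "exact":
        return name == target
    return target in name          # fuzzy: substring anywhere in the name


def is_blocked(list_type: str, rules: List[SoftwareRule], program_path: str) -> bool:
    """Denylist: blocked if any rule matches. Allowlist: blocked unless one does.
    The feature controls only .exe programs, so anything else is left alone."""
    if not program_path.lower().endswith(".exe"):
        return False
    matched = any(rule_matches(rule, program_path) for rule in rules)
    return matched if list_type == "denylist" else not matched


def fuzzy_overmatch(rules: List[SoftwareRule], known_programs: List[str]) -> List[str]:
    """Preview check for the '.exe' pitfall: list the fuzzy rules that would
    match every known program, so they can be tightened before deployment."""
    return [r.target for r in rules
            if r.match_mode == "fuzzy"
            and all(rule_matches(r, p) for p in known_programs)]
```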
Note:
· Only VDI authorization policies in an office scenario support data management configuration.
· You can configure data management only for Windows cloud desktops with domain users.
· ARM hosts do not support data management.
Roaming Configuration File Path: Enter a shared path on the network server for saving configuration files of roaming users. Configuration files for different operating systems are saved separately. For example, the configuration files for Windows 7 and Windows 10 cloud desktops are saved in folders whose names are suffixed with .V2 and .V6, respectively.
Excluded Files: Exclude files in the default synchronization directory.
Excluded Folders: Exclude file folders in the default synchronization directory.
File Sync: Synchronize all user configuration files and specific files in the directory.
Directory Sync: Synchronize all user configuration files and specific directories in the directory.
Administrators' Access Rights to Configuration: Configure whether to allow the users named Administrator to access the roaming configuration file path.
Roaming Profile File for Chrome: Configure whether to allow Chrome profile files to roam. With this feature enabled, the roaming profiles for Chrome are saved in the %APPDATA%\Google\Chrome\User Data\Default\profile.pb file.
User Config File Timeout Removal: Configure whether to delete user configuration files. User configuration files are all settings and files that must be loaded when a user logs in to a Windows desktop. Deleted files cannot be restored, so exercise caution.
Idle Timeout for User Config File: Specify the idle timeout of user configuration files. The system deletes all expired user configuration files every time it starts up.
Limit File Size: Limit the size of configuration files.
Configuration File Size Limit: Set the maximum size of a configuration file. A cloud desktop does not send a configuration file to the roaming configuration file path if the configuration file exceeds this limit.
Include Registry in Configuration Files: Configure whether to include the registry in configuration file synchronization. If you enable this feature, the size of the registry is included in the configuration file size.
Alert for Configuration File Limit Crossing: Configure whether to notify users of configuration file limit crossing events.
Alert Interval for Configuration File Limit Crossing: Configure the interval for sending the alert messages.
Content of Alert for Configuration File Limit Crossing: Enter the content of the alert messages sent to users.
Note:
· VDI, IDV, VOI, and vAPP authorization policies support application acceleration.
· ARM hosts do not support application acceleration.
CPU:
Management
CPU Spike Protection: With this feature enabled, the system automatically identifies processes with high CPU usage and lowers their priority. To use this feature, you must also configure the protection mode: Auto or Manual. In auto mode, the system decides whether the CPU usage of a process is high based on built-in experience values related to the number of CPU cores. In manual mode, specify the following parameters for the system to identify processes with high CPU usage:
High CPU Threshold: Specify the upper threshold for the CPU usage of a process.
Limit Sample Time: Specify how long a process must stay above the threshold before the system lowers its priority.
Optimization Duration: Specify the duration during which the process priority is lowered.
Limit CPU Core Usage: Specify whether to limit the number of CPU cores available for a process.
Intelligent CPU Optimization: Specify whether to enable CPU optimization. With this feature enabled, optimized processes can adjust or restore the CPU priority as needed.
Intelligent I/O Optimization: Specify whether to enable I/O optimization. With this feature enabled, optimized processes can adjust or restore the I/O priority as needed.
Excluded Processes: Specify processes excluded from CPU spike protection. Excluded processes are not protected by CPU spike protection.
Priority
Process Priority: Specify whether to enable process priority. With this feature enabled, you must add processes to the list and the system will adjust the CPU priority of listed processes to the specified value at process startup.
Affinity
Process Affinity: Specify whether to enable process affinity. With this feature enabled, you must add processes to the list and the system will bind the specified number of CPU cores to the listed processes at process startup.
Clamping
Process Clamping: Specify whether to enable process clamping. With this feature enabled, you must add processes to the list and the system will limit the maximum CPU usage of the listed processes.
Memory:
Idle Process Memory Optimization: With this feature enabled, the system automatically identifies idle processes and releases the memory they occupy.
Process Idle Time: Specify the idle state duration that can trigger the system to release memory.
Process Idle State CPU Usage: Specify the CPU usage threshold below which a process is identified as idle.
Excluded Processes: Specify processes excluded from idle process memory optimization.
Process: