Create a policy group

Perform this task to create a policy group in an office scenario.

Procedure

From the left navigation pane, select Policies > Policy Group.

On the Policy Group page, click Create.

Configure basic information such as name, policy type, description, and schedule, and click Next.

Configure policy parameters for VDI, such as peripheral, client, session, display, watermarking, bandwidth limit, security, data management, and application acceleration, and click Next.

Configure policy parameters for IDV, such as peripheral, session, watermarking, network rules, security, and data management, and click Next.

Configure policy parameters for VOI, such as peripheral, session, watermarking, network rules, security, and data management, and click Next.

Configure policy parameters for physical hosts, such as peripheral, watermarking, network rules, security, and application acceleration, and click Next.

Configure policy parameters for vApps, such as peripheral, session, watermarking, and data management, and click Next.

Configure policy parameters for winserver, such as security and application acceleration, and click Next.

Select application objects, such as object type and object name, and click Next. If the policy group contains upgraded policies, you cannot authorize these policies to application objects. To authorize these policies to application objects, copy this policy group and then add application objects.

Confirm the configuration, and click Finish.

Parameters

Peripheral settings

· Only VDI and vApp authorization policies support local resource mappings. vApp authorization policies support only disk and clipboard mappings. The mapping direction for clipboard mapping can be bidirectional, and you can edit it.

· Winserver authorization policies do not support peripheral configuration.

· In an education scenario, only VDI authorization policies support local resource mappings. Serial ports, parallel ports, VDP clipboards, mapping directions, CDs/DVDs, and printers take effect only on the teacher desktops.

· For ARM hosts, only VDI authorization policies support local resource mapping. VDI authorization policies support only camera and VDP clipboard mappings.

Local Resource Mappings: Map local devices (such as disks, serial ports, and clipboards) on an endpoint and USB peripheral devices to the cloud desktop or virtual application that connects to a client. This parameter enables the user to use resources on the cloud desktop or virtual application just like using them on the local endpoint. You can use resource mappings to flexibly manage the local resource privilege for users on cloud desktops or virtual applications.

Disk: Set whether to allow cloud desktops to use disks of the local endpoint. If you enable this option, you can see the local disks on the cloud desktop. By default, this option is enabled.

Serial Port: Set whether to allow cloud desktops to use serial ports of the local endpoint. If you enable this option, devices connected through the serial ports are mapped to the cloud desktop. By default, this option is enabled. Only Windows cloud desktops can use serial ports of the local endpoint through local resource mapping.

Camera: Set whether to allow cloud desktops to use cameras of the local endpoint. By default, this option is enabled. If this option is enabled, set the cloud desktop to HD mode. To set the HD mode, log in to the client and connect to the cloud desktop, click the Advanced Settings icon in the toolbar, and select HD Mode from the Scene list on the Experience tab. Some camera software products are supported only by cloud desktops running certain versions of UOS and Kylin operating systems, and the endpoints cannot use the MIPS architecture. When the VDI policy enables a camera, the system automatically adds a general camera rule. This rule by default does not contain the VID or PID attributes, and you cannot add the two attributes. To configure a specific camera, add a cameral rule with the VID and PID configured to match that camera.

VID: Enter a vendor ID, a 4-digit hexadecimal number. Enter an asterisk (*) to match all vendor IDs.

PID: Enter a product ID, a 4-digit hexadecimal number. Enter an asterisk (*) to match all product IDs.

Effective Picture Sending Interval: Set the effective picture sending interval in the range of 0 to 3000 milliseconds. The default is 0, which means the interval is not set.

Picture Encoding Quality: Set the quality of encoded pictures, in the range of 0 to 100. The default is 50.

Picture Encoding Format: Set the picture encoding format to MJPG or H264. The default is MJPG.

Picture Encoding & Decoding Policy: Set the picture encoding and decoding policy to AUTO, SOFTWARE, or HARDWARE. The default is AUTO.

Max Picture Resolution: Set the maximum picture resolution. The value range is 1 to 10000 pixels. The default is 1920 × 1080 pixels.

Virtual Camera Picture Output Format: Set the picture output format of virtual cameras to MJPG, YUYV, or RGB24. The default is MJPG and YUYV.

Auto Frame Rate Control: Set the state of automatic frame rate control. With this feature enabled, the system automatically adjusts the frame sending rate to reduce the picture latency of the virtual cameras when the network bandwidth fluctuates.

Simulation of Full Camera Attributes: Set the state of simulation of full camera attributes. With this feature enabled, the camera redirection service adds full camera physical information, including the basic and extended information, to the commands for adding virtual cameras. With this feature disabled, only basic information about physical cameras are included in the commands.

Parallel Port: Set whether to allow cloud desktops to use parallel ports of the local endpoint. If you enable this option, devices connected through the parallel ports are mapped to the cloud desktop. Only Windows cloud desktops can use parallel ports of the local endpoint through local resource mapping.

CD/DVD: Set whether to allow cloud desktops to use CD/DVD drivers of the local endpoint. By default, this option is enabled.

Printer: Set whether to allow cloud desktops to use printers of the local endpoint. By default, this option is enabled. If you enable this option, printers connected to the local endpoint are mapped to the cloud desktop. Only Windows cloud desktops and endpoints support this feature.

Clipboard Usage Policy: Set whether to allow copy, cut, and paste operations between a client and the connected cloud desktop when they connect through the VDP protocol.

· The clipboard feature is supported only on endpoints running UOS 1022 or 1042, Windows 7, Windows 10, Kylin 2107, and MacOS. In addition, the endpoints cannot use the MIPS architecture.

· The clipboard feature is supported only on cloud desktops running UOS 1022 or 1042, Windows 7, Windows 10, and Kylin 2107.

You can set one of the following mapping directions for VDP clipboard mapping:

Disable Bidirectional Usage of Clipboard: Does not support copy, cut, and paste operations between the local endpoint and cloud desktop.

Allow Bidirectional Usage of Clipboard: Supports copy, cut, and paste operations between the local endpoint and cloud desktop. By default, the mapping direction is Allow Bidirectional Usage of Clipboard.

Allow Clipboard Usage Only from Endpoint to VM: Supports copy, cut, and paste operations from the local endpoint to the cloud desktop.

Allow Clipboard Usage Only from VM to Endpoint: Supports copy, cut, and paste operations from the cloud desktop to the local endpoint.

Clipboard Limit Rules: Add limit rules for the clipboard.

Allow Only Copying Texts: This option is not available if you select Disable Bidirectional Usage of Clipboard.

Allows Copying Texts Reversely: You can enable this feature only after you specify a unidirectional clipboard usage policy (for example, Clipboard Usage from Endpoint to VM).

Disable Copying Filename Extension: This field must start with a dot (.). Separate multiple types with commas (,), for example, .zip, .doc.

USB Redirection: Set whether to allow cloud desktops to use the peripheral devices connected by the endpoint. Common peripheral device types include scanner, printer, camera, storage device, IC card, wireless controller, communications & CDC, USB type-C bridge class, and vendor-defined devices (such as a composite device or a serial device connected by a USB to serial connector). You can also define a custom USB redirection rules for peripherals. If a peripheral device is neither a common peripheral nor a custom peripheral device, the device will be treated according to the USB redirection rule for other types of devices.

Device Type: Specify the device type for a custom USB redirection rule. In a custom USB redirection rule, at least one of the device type, VID, and PID is an exact match value.

VID: Enter a vendor ID, a four-digit hexadecimal number. An asterisk (*) indicates all vendors.

PID: Enter a product ID, a four-digit hexadecimal number. An asterisk (*) indicates all products.

SubClass: Sub-class number.

REL: BCD device version number.

Prot: Protocol number.

State: Set whether the USB devices can be used.

· Configure USB redirection under the guidance of professionals. Wrong configuration will cause peripherals to be unusable.

· After a USB peripheral is redirected, an endpoint cannot use the USB peripheral locally. For the endpoint to use the USB peripheral, disable it in the authentication policy.

Advanced Settings: Set whether to enable read-only mode for storage devices. By default, this option is disabled. If you enable this option, data on the cloud desktop cannot be copied to a storage device. Only Window cloud desktops support this feature.

Client settings

Only VDI authorization policies support client configuration.

In an education scenario, only VDI authorization policies support client configuration, and the following features are available only in the education scenario and take effect only on the teacher desktops:

· Allow Desktop to Disconnect

· Allow Desktop to Reboot

· Allow Desktop to Shut Down

· Allow Desktop to Power Off

· Shutdown from OS Start Menu

· Allow Desktop to Return

Power:

Allow Desktop to Disconnect: Set whether to allow the user to disconnect the desktop on the client. By default, this option is enabled.

Allow Desktop to Reboot: Set whether to allow the user to reboot the desktop on the client. By default, this option is enabled.

Allow Desktop to Shut Down: Set whether to allow the user to shut down the desktop on the client. By default, this option is enabled.

Allow Desktop to Power Off: Set whether to allow the user to power off the desktop on the client. By default, this option is enabled.

Shutdown from OS Start Menu: Set whether to allow the user to close the cloud desktop with a Windows operating system from the Start menu. By default, this option is enabled. The configuration of this option takes effect after a cloud desktop reboot or logout. ARM hosts do not support this parameter.

Shut Down Thin Clients with Desktop: Set whether to allow the user to shut down the thin clients while shutting down the connected desktop. By default, this option is disabled. This setting takes effect only on clients that display desktops in full screen mode. Before enabling this option, enable the network wakeup function in the power option of endpoint BIOS. With this function enabled, do not enable the Shut Down Desktop upon Timeout parameter in the authorization policy or the Reboot After Release parameter for the dynamic desktop pool. ARM hosts do not support this parameter.

Actions:

Allow Clients to Take Snapshots for Desktop: Set whether to allow the user to take snapshots for a desktop on the client. By default, this option is enabled. This option applies only to bulk deployed desktops in non-protection mode through static desktop pools. Snapshot is a temporary disaster recovery solution. If the image file of a VM is corrupted or deleted by mistake, the snapshot data will also be lost. As a best practice, back up VMs if VM backup data is needed in the long run.

TLS Encryption: Set whether to allow the client to access the cloud desktop with TLS encryption. By default, this option is disabled. ARM hosts do not support this parameter.

Log Out Users After They Exit Desktop: Set whether to allow the user to log out after exiting the cloud desktop. By default, this option is disabled. Exiting the cloud desktop includes disconnecting, shutting down, rebooting, and powering off the cloud desktop.

Allow Clients to Edit Desktop Names: Set whether to allow the user to rename a desktop on the client by right clicking. By default, this option is disabled. Desktops in a manual or dynamic desktop pool do not support this function.

Allow Desktop to Return: Set whether to allow the user to return to the Workspace App client through the Back button in the toolbar. By default, this option is enabled.

Dynamic Desktop Overallocation: Enables the system to bind a desktop to a user once the desktop is assigned. The user can use the bound desktop if logging in to the client from another endpoint or obtain an idle desktop from the dynamic desktop pool.

WAN UDP protocol: With WAN UDP protocol enabled, a VDI client can use a UDP protocol to connect to the desktop via a gateway. A UDP protocol has lower latency and higher efficiency. ARM64 endpoints do not support enabling UDP protocol.

WAN Preferential Protocol: After enabling a WAN UDP protocol, you must configure the preferential protocol. The selected protocol will be preferred during the connection process of a VDI client to the desktop via a gateway. The system uses another protocol automatically for connection if the preferential protocol connection fails.

LAN UDP protocol: With LAN UDP protocol enabled, a VDI client can use a UDP protocol to connect to the desktop via a gateway. A UDP protocol has lower latency and higher efficiency. ARM64 endpoints do not support enabling UDP protocol.

LAN Preferential Protocol: After enabling a LAN UDP protocol, you must configure the preferential protocol. The selected protocol will be preferred during the connection process of a VDI client to the desktop via a gateway. The system uses another protocol automatically for connection if the preferential protocol connection fails.

Session parameter settings

· IDV and VOI authorization policies support only user acceptance of remote assistance.

· vApp authorization policies support only vApp session prestart, desktop shortcut creation for vApp, and input method transparent transmission for vApps,.

· Winserver authorization policies support only the vApp session logout time limit.

Permit Gateway User Login: Set whether to allow the user to log in to the cloud desktop through a gateway. By default, this option is enabled. Only Windows cloud desktops support this parameter.

Mail Notification for Login from External Network: Enable the system to send an email to the user mailbox when a user logs in a client from an external network. To use this function, you must configure the mail server and a mailbox.

Operation on Idle Desktops upon Timeout: Operations to take on idle desktops upon timeout. Options include No Operation, Disconnect, and Lock Screen. Only Windows cloud desktops support this parameter.

If you select Lock screen, the system locks the screen of the client if the user is inactive for the specified amount of time. If desktop screen locking is disabled, this setting does not take effect.

If you select Disconnect, the system disconnects the client if the user is inactive for the specified amount of time. You can also specify whether to enable Thin Client Shutdown. With thin client shutdown feature enabled, the system automatically shuts down the thin client when the countdown is over. This thin client shutdown feature takes effect only on SpaceOS endpoints on which clients are displayed in fullscreen mode.

Log Out Desktops upon Disconnection Timeout: Log off the user if the desktop is disconnected for the specified amount of time. After enabling this option, you need to set the timeout time.

Suspend Desktops upon Disconnection Timeout: Set the timeout time for suspending a cloud desktop after the cloud desktop is disconnected.

Not Suspend: Do not suspend the cloud desktop.

Suspend: Suspend the cloud desktop immediately.

Custom: Suspend the cloud desktop after the specified disconnection timeout time.

This option and the Shut Down Desktops upon Disconnection Timeout option cannot be both set.

Shut Down Desktops upon Disconnection Timeout: Set the timeout time for shutting down a disconnected cloud desktop.

Not Shut Down: Do not shut down the cloud desktop.

Shut Down: Shut down the cloud desktop immediately.

Custom: Shut down the cloud desktop after the specified timeout time.

With this function enabled, do not enable the Shut Down Thin Clients with Desktop parameter in the authorization policy.

This option and the Suspend Desktops upon Disconnection Timeout option cannot be both set.

This policy does not take effect on a cloud desktop accessed from the console.

User Acceptance of Remote Assistance: After enabling this option, you must wait for the acceptance of a user before you can perform remote assistance for the user through Space Control.

Reconnection Timeout: Set the time period during which a cloud desktop will attempt to reconnect after being disconnected due to network problems. The value 0 means not reconnecting.

Enable Network Reconnection Enhancement: With this feature enabled, you can reconnect to the network after WLAN switchover occurs or a NIC in use has an error in a multi-NIC system.

Lock Desktop Screen: Set whether to allow users to lock the screen of a Windows cloud desktop. The default is enabled.

Disconnect Desktop upon Screen Lock: Enable the client to disconnect from a Windows cloud desktop when the screen of the cloud desktop is locked. Enable this feature as a best practice when the desktop pool is for domain users and dedicated client authentication server and desktop domain controller server are used. If you disable this feature, a user must first reconnect to a cloud desktop whose screen is locked when logging in to the cloud desktop. This feature does not take effect if desktop screen locking is disabled.

Lock Screen upon Desktop Disconnection: Set whether to lock the screen of a Window cloud desktop when the desktop is disconnected from the client. The default is disabled. This feature can be enabled only after desktop screen locking is enabled.

Allow Cloud Desktop to Play Sounds: Set whether to allow the cloud desktop to play sounds. By default, this option is enabled.

Allow Cloud Desktop to Perform Recordings: Set whether to allow the cloud desktop to record sounds from the microphone. By default, this option is enabled.

HTTP Proxy: Set whether to allow HTTP proxy. If you enable this option, you must configure the proxy IP address and proxy port.

vApp Session Prestart: With this feature enabled, the connection speed for a client to the first virtual application can be accelerated. vApp session prestart supports only two application servers. If more than two application servers exist, the system prestarts only two application servers. ARM hosts do not support this parameter.

Desktop Shortcut Creation for vApps: With this feature enabled, a desktop shortcut will be created for a virtual application after a user logs in to the Workspace App client and accesses the application. This feature is enabled by default.

User Auth for vApp Desktop Shortcut Access: With this feature enabled, a user must enter its password for authentication when the user opens a virtual application by double-clicking its desktop shortcut. This feature is disabled by default. This parameter can be configured only after you enable Desktop Shortcut Creation for vApps.

Input Method Transparent Transmission for vApps: With this feature enabled, virtual applications can use input methods installed on the endpoint.

vApp Session Logout Time Limit: Set whether to limit the vApp session logout time. The default is disabled. The vApp session will be disconnected from the RD session host server when the last virtual application is closed, but it will not be logged out. With this feature enabled, if a user closes the last running virtual application for a vApp session, the session will remain disconnected within the specified time limit. When the specified time limit is reached, the vApp session will be logged out from the RD session host server. This feature takes effect on Windows Server 2008 and later versions with domain users.

vApp Session Logout Delay Time: Set the period of time that the RD session host server must wait before logging out a session that does not have any running virtual application.

Display parameter settings

· Only VDI authorization policies support configuring display parameters.

· Retain the default settings for the recommended display parameters.

· ARM hosts do not support vGPU configuration.

vGPU Scene: The following scenarios are supported: Office-Ultra Light Load, Office-Light Load, Office-Medium Load, Office-Standard Load (Recommended), and Office-Heavy Load. Different scenes have different default values for screenshot parameters and encoding parameters. Only Windows cloud desktops support vGPU scene selection.

Office-Ultra Light Load: Applied to text file browsing with a bandwidth lower than 512 kbps. This scenario has low display quality.

Office-Light Load: Applied to text file browsing and static picture browsing with a bandwidth lower than 1 Mbps. This scenario has higher display quality than the ultra light load scenario.

Office-Medium Load: Applied to text file browsing, static picture browsing, and dynamic webpage browsing with a bandwidth lower than 4 Mbps.

Office-Standard Load (Recommended): Applied to standard or high definition video playing with a bandwidth lower than 20 Mbps bandwidth. This scenario provides the best balance between bandwidth and display quality.

Office-Heavy Load: Applied to high definition video playing with a bandwidth higher than 20 Mbps bandwidth.

vGPU Scene Parameters:

Screenshot Frame Rate: Snapshots taken per second. The larger this value, the smoother the video. However, higher display quality is achieved at the expense of high bandwidth and GPU usage. If the client uses software decoding, the CPU usage also increases.

Screenshot Mode: Options include Timeout-Based, Periodic, and Dynamic. By default the Timeout-Based mode is used.

Timeout-Based: Takes a snapshot upon expiration of a timeout timer if the screen is not refreshed or the mouse is not moved. By default, the timeout timer is 150 milliseconds.

Periodic: Takes snapshots at an interval of 1000/screenshot frame rate, in milliseconds.

Dynamic: Takes a snapshot when the screen is refreshed or the mouse moves.

Prioritized Factor: Options include Quality and Bandwidth. By default, the Quality option is used.

Quality: This option compresses video data based on video quality. Relative parameters for this option are Average Quality, Lowest Quality, Highest Quality, and Peak Bitrate.

Bandwidth: This mode compresses video data based on the bit rate. Relative parameters for this option are Average Bitrate and Peak Bitrate.

Average Quality: Average display quality for videos. For the Quality option, the greater this value, the lower the video quality.

Lowest Quality: Lowest display quality for videos. For the Quality option, the greater this value, the lower the video quality.

Highest Quality: Highest display quality for videos. For the Quality option, the greater this value, the lower the video quality.

Average Bitrate: Average bit rate for video images, in kbps. In bandwidth first mode, the greater this value, the higher the video quality.

Peak Bitrate: Peak bit rate for video images, in kbps. The greater this value, the higher the video quality.

Encoding Preset: Algorithm used for video compression. The smaller this value, the faster the encoding speed and the smoother the video, but the poorer the image quality and the more bandwidth consumed.

GOP: Algorithm used for video compression. A GOP is a group of continuous pictures. The greater the GOP value, the higher the video quality, but the more the bandwidth consumed. As a best practice, set this parameter to a value one to two times the frame rate.

Encoding Mode: Video encoding mode, which can be H.264 or H.265. H.265 upgrades H.264 in compression rate and transmission bit rate. Compared with H.264, H.265 occupies less storage space and requires less bandwidth to provide videos with the same quality and bit rate. However, H.265 occupies more CPU resources and therefore it allows less concurrency. H.265 also has higher performance requirements on endpoints. If H.265 is used, a client will automatically identify whether it can meet the endpoint configuration requirements. If no, the client uses H.264.

Color Space: Video stream transcoding mode. Options include yuv420 and yuv444.

Display Parameters:

Bandwidth:

Low Bandwidth Threshold: Low bandwidth condition occurs if the bandwidth between the client and the server drops below the threshold.

Network Monitor Interval: Interval at which the system detects the bandwidth between the client and the server for low bandwidth issues.

Video Display Parameters: Graphic display-related parameters for desktops in non-vGPU scenarios. If the client uses the speed-first mode, the video stream compression algorithm is applied to all images. If the client uses the intelligent mode, the algorithm is applied only to non-redirected videos and images played though a player.

Encoding Threads: Number of encoding threads of videos.

Max Frame Rate: Maximum frame rate of videos.

Color Space: Video stream transcoding mode. Options include yuv420 and yuv444.

Encoding Format: Video stream encoding format. Options include H.265 and H.264.

Idle Timeout: Idle timeout of desktop images for the system to stop compressing video streams and compress images instead. This parameter takes effect only when the client is in intelligent mode.

x264 Encoding Rate: x264 encoding rate for video streams.

Advanced Encoding Parameters: Advanced encoding parameters, including H.265 Coding Rate, H.264 Coding Rate, H.265 VBV, H.264 VBV, H.265 VBV Buffer, H.264 VBV Buffer, H.265 KeyInt, H.264 KeyInt, H.265Q PMax, and H.264 QPMax.

Picture Encoding Parameters:

Compression Mode: Options include Lossless and Lossy. If the client has a compression mode configured, the client configuration takes precedence.

Nebula Algorithm: Specify whether to enable the image Nebula algorithm. By default, this algorithm is enabled.

POWER Algorithm: Specify whether to enable the image POWER algorithm. By default, this algorithm is enabled. When the POWER algorithm and Nebula algorithm are enabled simultaneously, the system adaptively selects an algorithm based on the resource usage.

Command Merge: Specify whether to combine multiple drawing commands into one command for processing to reduce the bandwidth usage.

Compression Ratio: Specify the compression ratio of non-text content on the desktop. Higher the ratio, better the image quality, and higher the bandwidth usage. This parameter takes effect only when the compression mode is lossless.

Mandatory Issuing: Specify whether to enable mandatory issuing of the decoding mode for the client. If you enable this option, the user can only use the specified decoding mode on the client, and cannot switch the decoding mode.

Decoding Mode: Specify a decoding mode for the client to display pictures. Options include Autosensing, Hardware Decoding, Software Decoding. The user can switch the decoding mode on the client as required.

Watermark settings

· For VDI authorization policies, blind watermarking and non-blind watermarking can be configured simultaneously. For IDV, VOI, and physical host authorization policies, you can configure either blind watermarking or non-blind watermarking, but not both. vApp authorization policies support only non-blind watermarking.

· The IP address and MAC address of a cloud desktop in abnormal state might not be displayed because the system might be unable to obtain them. To solve this issue, disconnect from and reconnect the cloud desktop.

· Web clients do not support blind watermarking.

· ARM hosts do not support blind watermarking.

· Only Windows cloud desktops support blind watermarking.

Non-Blind Watermarking:

For VDI authorization policies: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, and the font size, transparency, location, rotation angle, color, and custom content of the watermark.

For IDV and physical host authorization policies: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, tiling watermark, and the color, font size, transparency, rotation angle and custom content of the watermark.

For VOI authorization policies: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, and the color, font size, transparency, location, rotation angle and custom content of the watermark.

For vApp authorization policies: After enabling this option, you can configure displaying the user login name, IP address, MAC address, font size, transparency, color, and custom content of the watermark.

Blind Watermarking: After enabling this option, you can configure displaying the user name, user login name, computer name, IP address, MAC address, time stamp, tiling watermark, rotation angle, and custom content of the watermark.

Network rules

Only IDV, VOI, and physical host authorization policies support network rule configuration.

Filtering Rule: Specify a protocol to match. Options include TCP and UDP.

Type: Specify a rule type. Only the Denylist option is supported. IP addresses and port numbers in the denylist are not allowed to communicate with IDV or VOI cloud desktops.

Direction: Specify a traffic direction to match. Options include Inbound and Outbound.

Start Port: Specify a start port of the port range to match.

End Port: Specify an end port of the port range to match.

IP: Specify an IP address to match. IP address 0.0.0.0 matches all IP addresses.

Subnet Mask: Specify a subnet mask for the IP address.

Bandwidth limit settings

Only VDI authorization policies support bandwidth limit configuration.

Total Bandwidth: Configure the total bandwidth limit for protocol channels.

Bandwidth Limit Type: Select the bandwidth limit type for each channel. Options include Size and Percentage.

Configuration Details: Configure a bandwidth limit for each channel, such as peripheral, camera, disk, serial port, printer, parallel port, multimedia, webpage redirection, vGPU, clipboard, and display.

Security settings

· Only vApp authorization policies do not support security configuration.

· Only Windows cloud desktops support security configuration.

· Only VDI authorization policies support enabling screen monitoring.

· Winserver authorization policies support only software denylist and allowlist. Physical host authorization policies support only software denylist.

· Software denylist and allowlist are available only in an education scenario.

· ARM hosts do not support user authorization group, and software denylist and allowlist.

· The matched process name must be in English.

· The software denylist and allowlist feature can block or allow only the .exe programs of the Windows 7 or Windows 10 operating system.

· The Windows applications in the C:\Windows\XXX folders are in the allowlist by default, such as Calculator.

User Authorization Group: Assign user groups to an authorized user after the user connects to the cloud desktop. The modification of the user authorization group takes effect only after the user reconnects to the cloud desktop. This parameter is supported only on the cloud desktop running on a Windows endpoint. For more information, see the Microsoft official website.

Remote Desktop Users: Add an authorized user to the remote desktop user group of the cloud desktop. Users added in this group can connect to the desktop remotely.

Administrators: Add an authorized user to the administrator group of the cloud desktop. Users added in this group have all privileges.

Power Users: Add an authorized user to the standard user group of the cloud desktop. The privileges of users added in this group are higher than that of users in the Users group, and lower than that of users in the Administrators group. Users in this group can perform any OS tasks other than those exclusive to the Administrators group, modification of the OS settings for example.

Users: Add an authorized user to the common user group of the cloud desktop. Users added in this group are restricted to perform tasks, such as not being allowed to modify the OS settings or other user information, and only being allowed to run authenticated Windows applications.

Create a software allowlist or denylist:

List Type: Specify the list type. Options include Allowlist and Denylist.

Type: You can add processes, files, and directories to a denylist but only processes to an allowlist. Directories support only exact matching of absolute paths (C:\Program Files (x86)\Professional\Computer, for example), and support Chinese characters. Process and file names cannot contain Chinese characters.

Match Mode:

Exact Match: Match the name exactly. A program is denied if its name is matched. This match mode is recommended.

Fuzzy Match: Fuzzy matching matches all names that contain the name string. For example, qq matches qq.exe and qq2013.exe. To avoid mismatch, enter the exact name to match or specify the name as accurate as possible. For example, do not specify .exe for fuzzy matching.

Name: Specify the case-insensitive name of the process, file, or directory to match. To obtain the process name of the target program, start the program, select the program from the Applications tab of Windows Task Manager, right-click the program, and then click Go to Process.

Description: Description of the process, file, or directory.

Screen Monitoring: With this feature enabled, the cloud desktop screen will be recorded by continuous screenshots. The system will end the recording if no action from the keyboard or mouse connecting to the cloud desktop is performed for over 5 minutes. Before enabling this feature, configure the screen recording server on the System > Logs > Screen Monitoring Log page. Screen monitoring is supported only on a Windows 7 or Windows 10 cloud desktop.

Recording Interval (Second): Set the recording interval for screenshots. The minimum recording interval is 1 second and the maximum is 300 seconds. The shorter the recording interval, the higher the VM resource consumption. As a best practice, set the recording interval to 60 seconds.

Data management

· Only VDI, IDV, VOI, and vApp authorization policies in an office scenario support data management configuration.

· You can authorize vApp authorization policies to virtual applications and shared desktops. The data management feature takes effect only on shared desktops, not on virtual applications.

· When you configure data management in different types of policies for a client, you can specify the same configuration file directory created on the remote server as the roaming directory path for the Roaming Directory field. For example, data management configuration for VDI, IDV, and VOI policies can use the same configuration file directory and so it is with the data management configuration for VDI and vAPP policies.

· X86 management nodes support only Windows roaming configuration, which provides user data roaming for the data management policy for Windows cloud desktops. ARM management nodes support only Linux ARM 64 configuration, which provides user data roaming for the data management policy for Kylin V10 cloud desktops.

Windows roaming configuration

File Storage:

Storage Type: Specify the storage location for user configuration files. Options include Local and Remote.

If you select Local, user configuration files will be saved in the local roaming directory of a cloud desktop.

If you select Remote, you must enter the administrator username and password of the remote storage server. Then, configuration files will be saved in the roaming directory on the remote server. Configure the remote storage server before you save the configuration files.

Roaming Directory: Enter a shared path on the server for saving configuration files of roaming users.

For local storage, enter a local path on a cloud desktop, such as C:\HomeFolder.

For remote storage, enter a shared path on the remote server. You cannot use a subfolder in the shared path as the roaming directory. Configuration files for different operating systems are saved separately. For example, the configuration files for Windows 7 and Windows 10 cloud desktops are saved in folders whose names are suffixed with .V2 and .V6, respectively.

File Configuration: This parameter is required if you specify the file storage type as Remote.

Excluded Files: Exclude files in the default synchronization directory.

Excluded Folders: Exclude file folders in the default synchronization directory.

File Sync: Synchronize all user configuration files and specific files in the directory.

Directory Sync: Synchronize all user configuration files and specific directories in the directory.

File Size Limit per User: Local configuration files (excluding excluded files) of a user will not be synchronized to the storage server if total size of the configuration files exceeds this limit.

Size Limit per File: Set whether to limit the synchronization for the size of the user configuration files. With this feature enabled, configuration files that exceed this limit will not be synchronized to the roaming directory.

Notification Upon File Limit Crossing: Configure whether to notify users when total size of the user local configuration files (excluding excluded files) exceeds the limit. With this feature enabled, the system sends the notification to the user desktops by the following specified parameters:

Notification Interval: Configure the interval for sending the notification messages.

Notification Content: Enter the content of the notification messages sent to users.

Advanced Settings: This parameter is required if you specify the file storage type as Remote.

Administrators' Access Rights to Configuration: Configure whether to allow the users named Administrator to access the roaming configuration file path.

Roaming Profile File for Chrome: Configure whether to allow Chrome profile files to roam. With this feature enabled, the roaming profiles for Chrome are saved in the %APPDATA%\Google\Chrome\User Data\Default\profile.pb file.

Third-Party Software Data Sync: Synchronize configuration files of the third-party software products (IE for example) to the roaming directory. If the synchronization is required, add the software directories of the third-party software products,.for example, C:\Program Files\Internet Explorer.

Linux roaming configuration

File Storage:

Roaming Cluster: A roaming cluster is required for the Linux roaming configuration. To create a roaming cluster, navigate to the System > Data Roaming > Roaming Server Configuration page.

Application acceleration

· vApp authorization policies do not support application acceleration.

· Only Windows cloud desktops support application acceleration.

· ARM hosts do not support application acceleration.

Optimization Policy: Options include Intelligent Acceleration and Custom.

CPU:

Management

CPU Spike Protection: With this feature enabled, the system automatically identifies processes with high CPU usage and lowers the process priority. To use this feature, you must also configure the protection mode: Auto or Manual. In auto mode, the system determines if the CPU usage of a process is high based on the CPU core-related experience. In manual mode, specify the following parameters for the system to identify processes with high CPU usage:

High CPU Threshold: Specify the upper threshold for the CPU usage of a process.

Limit Sample Time: Specify the high-CPU-usage duration that can triggers the system to lower the process priority.

Optimization Duration: Specify the duration during which the process priority is lowered.

Limit CPU Core Usage: Specify whether to limit the number of CPU cores available for a process.

Intelligent CPU Optimization: Specify whether to enable CPU optimization. With this feature enabled, optimized processes can adjust or restore the CPU priority as needed.

Intelligent I/O Optimization: Specify whether to enable I/O optimization. With this feature enabled, optimized processes can adjust or restore the I/O priority as needed.

Excluded Processes: Specify processes excluded from CPU spike protection. Excluded processes are not protected by CPU spike protection.

Priority

Process Priority: Specify whether to enable process priority. With this feature enabled, you must add processes to the list and the system will adjust the CPU priority of listed processes to the specified value at process startup.

Affinity

Process Affinity: Specify whether to enable process affinity. With this feature enabled, you must add processes to the list and the system will bind the specified number of CPU cores to the listed processes at process startup.

Clamping

Process Clamping: Specify whether to enable process affinity. With this feature enabled, you must add processes to the list and the system will limit the maximum CPU usage of listed processes.

Memory:

Idle Process Memory Optimization: With this feature enabled, the system automatically identifies idle processes and release memory occupied by the processes.

Process Idle Time: Specify the idle state duration that can trigger the system to release memory.

Process Idle State CPU Usage: Specify the CPU usage threshold below which a process is identified as idle.

Excluded Processes: Specify processes excluded from idle process memory optimization.

Process:

Process IO Priority: Specify whether to enable process I/O priority. With this feature enabled, you must add processes to the list and the system will adjust the I/O priority of listed processes to the specified value at process startup.