A policy group sets rules for users to use cloud desktops, virtual applications, or physical PCs. A policy group is a collection of multiple types of policies, such as VDI policy, IDV policy, VOI/TCI policy, physical host policy, virtual application policy, and shared desktop policy. Each type of policy includes the following rules:
Peripheral: Configure local resource mappings (such as disk mappings and camera mappings), USB redirection, and storage device read-only.
Client: Configure desktop power control and user action management.
Session: Manage actions performed by users on sessions, such as actions upon login, actions upon timeout, and other actions.
Display: Configure vGPU scene and display parameters.
vGPU Scene—The following scenes are supported: Office-Ultra Light Load, Office-Light Load, Office-Medium Load, Office-Standard Load (Recommended), and Office-Heavy Load.
Display Parameters—Configure bandwidth, scene configuration, video display parameters, advanced encoding parameters, and picture encoding parameters for cloud desktops.
Watermark Settings: Non-blind watermarking and blind watermarking are supported.
Non-Blind Watermarking: Human-visible words implemented on the cloud desktop through layer overlay on the client. This type of watermark is used for copyright notice and protection.
Blind Watermarking: Human-invisible words implemented on the cloud desktop through layer overlay on the client. This type of watermark can track the source of pictures without damaging original pictures and is used for identifying who should be held accountable for a data leak. The Space Console can use the blind watermark decoding function to decode clear pictures from pictures captured on the cloud desktop. For more information about blind watermark parsing, see "Blind watermark decoding."
Bandwidth Limit: Configure bandwidth limits for protocol channels, including the total bandwidth limit and bandwidth limit for each channel.
Network Rules: Configure a denylist for IDV or VOI/TCI cloud desktops or physical hosts. IP addresses or port numbers in the denylist cannot communicate with IDV or VOI/TCI cloud desktops or physical hosts.
Security: Configure rules for User Authorization Group, Software Denylist and Allowlist, and Screen Monitoring.
User Authorization Group: Assign user groups to an authorized user after the user connects to the cloud desktop. The modification of the user authorization group takes effect only after the user reconnects to the cloud desktop.
Software Denylist & Allowlist:
Software Denylist: Prevent programs that match the denylist from running on the cloud desktop. You can use the denylist to block programs that affect the secure and stable operation of the cloud desktop. If a matching program is started or installed to the cloud desktop, the system displays a dialog box indicating that the program is illegal.
Software Allowlist: Permit only programs in the allowlist to run on the cloud desktop. Programs of a guest operating system are not controlled by the allowlist.
Screen Monitoring: With this feature enabled, the cloud desktop screen is recorded through continuous screenshots. The system ends the recording if no action is performed from the keyboard or mouse connected to the cloud desktop for over 5 minutes. Before enabling this feature, configure the screen recording server on the System > External Services > Screen Recording Server page.
Data Management: Manage user configuration files for local users and Windows cloud desktops with domain users. Only user data roaming is supported in the current software version. To use user data roaming, you must configure a shared path on the network server to save roaming configuration files. When a user logs in to any cloud desktop assigned to that user, the cloud desktop obtains the user's configuration file from the shared path to provide a consistent cloud desktop environment. When the user logs out of the cloud desktop, changes to the cloud desktop environment are saved to the shared path for use at the next login.
Application Acceleration: Guarantees CPU, memory, and I/O resources for cloud desktop applications to improve user experience.
For office scenarios, the system provides a default policy group, Default-Strategy, for each application object: VDI for VDI desktops, IDV for IDV desktops, VOI/TCI for VOI/TCI desktops, physical host for physical hosts, virtual application for virtual applications, and shared desktop for shared desktops. ARM hosts do not support configuring policies for IDV, VOI/TCI, virtual applications, or shared desktops.
The following table shows the support of different application objects for the preceding options:
Policy Type | Peripheral | Client | Session | Display | Watermark Settings | Network Rules | Bandwidth Limit | Security | Data Management | Application Acceleration |
VDI | √ | √ | √ | √ | √ | × | √ | √ | √ | √ |
IDV | Supports only USB redirection | × | Supports only user acceptance of remote assistance | × | Supports both blind watermarking and non-blind watermarking | √ | × | Screen monitoring is not supported. | √ | √ |
VOI/TCI | Supports only USB redirection | × | Supports only user acceptance of remote assistance | × | Supports both blind watermarking and non-blind watermarking | √ | × | Screen monitoring is not supported. | √ | √ |
Physical Host | Supports only USB redirection (Not supported if the physical host is indirectly accessed, for example, accessed through a client.) | × | × | × | Supports both blind watermarking and non-blind watermarking | √ | × | Supports only software denylist and allowlist | × | √ |
Virtual Application | Local resource mappings support only disk and clipboard mappings. USB redirection supports only printer and camera redirection. Supports storage device read-only. | × | Supports only | × | Supports only non-blind watermarking | × | × | × | × | × |
Shared Desktop | × | × | × | × | × | × | Supports software denylist and allowlist. | × | √ |
Create a policy group: Create a policy group based on the type.
Apply a policy group: After the policy group configuration is completed, select application objects as required, such as desktop pools, desktop pool groups, desktops, users, user groups, endpoints, endpoint groups, network plans, OUs, and application groups.
Manage a policy group: Edit, delete, view, prioritize, and copy a policy group, and manage authorization for a policy group.
Create a policy group: In an education scenario, one policy group containing VDI authorization policies and VOI/TCI authorization policies is automatically created when a classroom is created. For information about creating a classroom, see "Create a classroom."
Apply a policy group: In an education scenario, an endpoint uses the policy group of the classroom.
Manage a policy group: Edit and view a policy group. In an education scenario, edits to a policy group take effect after a class is dismissed or started, or after an endpoint reboots.
In an education scenario, only VDI and VOI/TCI policy groups are available.
In the policy group, only the software denylist, software allowlist, USB redirection, and blind watermarking policies take effect in real time. After you configure the remaining policies and their authorizations, the VDI client, physical host, virtual application, and shared desktop must be disconnected and reconnected to cloud desktops for the policies to take effect, while IDV, VOI, and TCI users need to restart their endpoints for the policies to take effect.
For a VDI authorization policy, the priority order of the Local Resources and Devices settings is USB redirection for custom devices > USB redirection for common devices > USB redirection for other devices.
For cameras and USB devices, use local resource mapping for redirection as a best practice. For a read-only USB device in NTFS format, you must use local resource mapping. For an encrypted USB device, you must use USB redirection. To edit a MATLAB project in mlx format on a USB device in real time, you must use USB redirection.
You can check whether a policy group takes effect through pages on the client. For more information, see H3C Workspace Cloud Desktop Client User Guide (Office Scenario).