Jump to content
Welcome to our new Citrix community!
  • 0

Policy assignment to non corporate machines


IT Support1709152897

Question

7 answers to this question

Recommended Posts

  • 0
15 minutes ago, Carl Stalhood1709151912 said:

Thanks Carl. Do you need to push out the EPA client still for this, or is it now handled by the receiver? I imagine it wouldn't be pre-auth as i do my client checks at my saml IDP so not use EPA for a long time.

 

Thanks

Link to comment
  • 0
4 hours ago, IT Support1709152897 said:

Hi,

We have a requirement to restrict copy/paste out of a session/remote app on non corporate machines. Is there a way to apply a policy based on a machine not being a on our domain?

We are on 1909.

 

Thanks

 

Here's something to consider perhaps based on first hand experience:

 

Last year I received this question as well from corporate management. After some research I implemented smart access but soon after that some additional and "exceptional" requests started coming in for a few specific external partner pc's that should be allowed after all.

 

Soon after that the request came to allow to -by default- no longer allow people all people with internal company pc's to be able to do it but rather restrict it to only people that request permission (with a valid reason)

 

After that the request came to allow a specific internal range of a subsidiary where different machines (windows and mac's) are randomly used by different persons. They need to have access.

 

Finally some time later the request came for a few specific user that need to get this functionality regardless of which machine they are using.

 

So eventually I realized I had to come up with a design model that allowed granular control over all of these scenario's and still provide certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless whether through a full vpn or Citrix sessions through Netscaler gateway.

 

To design a fitting solution for all of these possibilities for once and for all I ended up chosing to apply a full deny of this functionality in my Virtual apps default policy (last priority) and then 3 exceptional policies with a higher priority based on respectively "client (machine) name", Client ip (range) and "User or Group" name.  Ever since I never have had to adjust the design again no matter what additional requests came in.

 

Link to comment
  • 0
19 minutes ago, Andy Vanderbeken said:

 

Here's something to consider perhaps based on first hand experience:

 

Last year I received this question as well from corporate management. After some research I implemented smart access but soon after that some additional and "exceptional" requests started coming in for a few specific external partner pc's that should be allowed after all.

 

Soon after that the request came to allow to -by default- no longer allow people all people with internal company pc's to be able to do it but rather restrict it to only people that request permission (with a valid reason)

 

After that the request came to allow a specific internal range of a subsidiary where different machines (windows and mac's) are randomly used by different persons. They need to have access.

 

Finally some time later the request came for a few specific user that need to get this functionality regardless of which machine they are using.

 

So eventually I realized I had to come up with a design model that allowed granular control over all of these scenario's and still provide certainty that no 'overlooked' situations could accidentally still have access where they shouldn't, both for internal or external machines, regardless whether through a full vpn or Citrix sessions through Netscaler gateway.

 

To design a fitting solution for all of these possibilities for once and for all I ended up chosing to apply a full deny of this functionality in my Virtual apps default policy (last priority) and then 3 exceptional policies with a higher priority based on respectively "client (machine) name", Client ip (range) and "User or Group" name.  Ever since I never have had to adjust the design again no matter what additional requests came in.

 

Thanks for your input. I was thinking about this way as well, as least for the short term until Corona is over. I'd be a bit concerned about implemented EPA when all our staff are WFH!

Will need to think about how i can do this when staff are on VPN, but using remote app.

Link to comment
  • 0

that's the beauty of this model. As long as you don't provide their software as locally installed onto the local machines but rather force users to have to go through Citrix virtual app or desktop sessions these policies will apply to them always and under all circumstances and scenario's. This way you control and contain all.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...