You can set policies for tenants on the Policy configuration tab.

To show the Policy configuration tab:

  1. In the Service Center user interface, select tenants > policy.
  2. From the Organization drop-down menu, select your tenant organization.

You set policies on a per tenant basis. The Policy configuration screen displays the values of configuration parameters for Tenant appliances and Desktop Managers.

Click the Show Description button to show a brief description of each parameter. The default value appears in square brackets.

To change the value of a policy parameter:

  1. Double-click the row of the parameter you want to change.
  2. Enter the new value.
  3. Click OK to make the change or Cancel to retain the current value.

The screen displays only the most common policies by default. To see the full list, including advanced policies, select the web page and type "dtpolicy".

Configure Policies for RDSH Licensing Per Device

This feature provides proper handling of RDSH Per Device client access licenses (CALs) by saving the issued license, supplying it to the RDS host at the time of connection, and saving any upgrades. This prevents potential over-usage of Per Device CALs. It is implemented in Horizon Agent and Horizon Client, and requires Horizon Cloud implementation to support it.

There are two new policies you can set in Service Center to enable this functionality: rds.license.enable and rds.license.brokeronly.enable. The default value for both is false. The results of various settings for these policies are shown below.

rds.license.enable    rds.license.brokeronly.enable    Result
True                  False                            CALs are stored both in broker and client.
True                  True                             CALs are stored only in broker.
False                 True/False                       CALs are not stored in either place. Feature is deactivated.

Configure Policy for Single vCenter Server Configuration

To set up an environment with a single vCenter Server, you must set this policy to true.

Policy Description
allow.shared.hostmanager Controls whether a host manager can be shared by management appliances and tenant pool resources.
  • To allow for a shared host manager, set to true.
  • To not allow for a shared host manager, set to false.

Configure Policies for Agent Update Functionality

In order for the Agent Update functionality to work, you must specify the upgrade server URL in the agentupdate.updateserver.url policy.

The following policies also affect this functionality, and can be set as needed (default values are shown in brackets):
Policy Description
agentupdate.cachePath File share location for downloading agent installers. The tenant appliance updates this location as needed.
agentupdate.cipherList Cryptographic cipher suite to use with SSL when connecting to Update Server [ECDHE-RSA-AES256-GCM-SHA384].
agentupdate.enable When enabled (set to true), the tenant appliance scans for agent updates on the Update Server. Setting this policy to false disables the scan for new agents and also disables the scan for hot patch files on the file share.
agentupdate.enablehotpatch When this policy is set to true, the tenant appliance scans for hot patch files placed on the file share by the customer admin. Setting this policy to false disables the scan for hot patch files on the file share.
agentupdate.job.repeatInterval Interval (in ms) between scans for new agents on Update Server. Defaults to 24 hours [86400000].
agentupdate.job.startDelay Wait time (in ms) for agent update scan to start after the tenant appliance starts up. Defaults to one minute [60000].
agentupdate.sslProtocol Cryptographic protocols to use with SSL when connecting to Update Server [TLS_V1_2].
element.agentupdate.max.concurrent.updates.per.pool Maximum number of VMs to update at a time in each pool. This value is also the maximum number of failures in a pool after which an agent update task gives up and fails. The default value is 30.
To enable the skip VM option, you must set the agentUpdate.skipVmsWithLoggedInUser property to 'true'. To enable the restart VM option, you must set the agentUpdate.rebootVmBeforeAAU property to 'true'. No reboot or restart of any service is required after making these settings. In a multi-DM environment, only the primary appliance pair needs to be edited.

Configure Policy for Direct Access to VMs

Policy Description
element.agentcontroller.validate.user.logon.enabled Controls whether direct access to VMs is allowed. Default setting is false.
  • To allow direct access, set to false.
  • To not allow direct access, set to true.

Configure Policies for Domain Security Settings

You use these settings to prevent communication of Active Directory domain names to unauthenticated users using the various Horizon clients. These settings govern whether the information about the Active Directory domains that are registered with your environment is sent to the Horizon end-user clients and, if sent, how it is displayed in end-user clients' login screens.

Policy Description
secure.domain.list Controls whether domain information is sent to the client. Settings are as follows.
  • true - Domain information is not sent to the client. Client shows the text *DefaultDomain* where the drop-down normally appears.
  • false - Domain information is sent to the client, allowing the user to select a domain in the client domain drop-down menu.

This policy maps to the same setting in the Administration Console (General Settings > Show Default Domain Only).

client.hide.domain.list Controls whether the domain text box is displayed in the client. Settings are as follows.
  • true - The domain text box is displayed in the client (what is displayed in this text box is governed by the secure.domain.list setting).
  • false - The domain text box is not displayed in the client at all.
Note: If the tenant has multiple domains, and the secure.domain.list setting is true, then the client.hide.domain.list policy must also be set to true to support launches from Horizon Client versions earlier than 5.0.

This policy maps to the same setting in the Administration Console (General Settings > Hide Domain Field).

display.default.domain.at.top Controls the listing order of domains in the client domain drop-down menu. Settings are as follows.
  • true - The client drop-down menu displays the default domain at the top of the list, and sorts the other domains in alphabetical order.
  • false - The client drop-down menu displays domains in the order in which you registered them. The earliest registered domain is listed at the top, and the most recently registered domain is listed at the bottom of the menu.

The default domain is defined by the check box setting in the Administration Console (Settings > General Settings).

Note: The display.default.domain.at.top policy only takes effect when both of the following conditions are met.
  • The secure.domain.list policy is set to false (in the Administration Console, General Settings > Show Default Domain Only is set to off).
  • The client.hide.domain.list policy is set to false (in the Administration Console, General Settings > Hide Domain Field is set to off).

When changing the display.default.domain.at.top policy, it can take up to 5 minutes for the update to take effect.
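
The Agent Update and domain security policies above depend on one another, so a value that looks correct in isolation can be ineffective or leave Active Directory domain names visible to unauthenticated users. The following Python check is an added example, not VMware code: the policies dict (values copied by hand from the Policy configuration tab), the audit_policies function and the multi_domain parameter are assumptions introduced here for illustration.

```python
# Added example: audits hand-collected policy values against the interactions
# documented on this page. The dict format and function names are assumptions.
DOCUMENTED_DEFAULTS = {
    "agentupdate.cipherList": "ECDHE-RSA-AES256-GCM-SHA384",
    "agentupdate.sslProtocol": "TLS_V1_2",
}

def flag(policies, name):
    """Return True/False for a true/false policy, or None if it was not supplied."""
    raw = policies.get(name)
    return None if raw is None else str(raw).strip().lower() == "true"

def audit_policies(policies, multi_domain=False):
    """Return (policy, finding) tuples; multi_domain says the tenant has several AD domains."""
    findings = []
    # Agent Update: the update server URL is mandatory, and disabling the
    # agent scan also disables the hot patch scan.
    enabled = flag(policies, "agentupdate.enable")
    if enabled and not str(policies.get("agentupdate.updateserver.url", "")).strip():
        findings.append(("agentupdate.updateserver.url", "required for Agent Update but empty"))
    if enabled is False and flag(policies, "agentupdate.enablehotpatch"):
        findings.append(("agentupdate.enablehotpatch",
                         "no effect: agentupdate.enable=false also disables the hot patch scan"))
    for name, default in DOCUMENTED_DEFAULTS.items():
        if name in policies and str(policies[name]).strip() != default:
            findings.append((name, f"differs from documented default {default}; review"))
    # Domain security: exposure of AD domain names and dependent settings.
    secure = flag(policies, "secure.domain.list")
    hide = flag(policies, "client.hide.domain.list")
    if secure is False:
        findings.append(("secure.domain.list",
                         "AD domain names are sent to clients before authentication"))
    if secure and multi_domain and not hide:
        findings.append(("client.hide.domain.list",
                         "not true: launches from Horizon Client versions earlier than 5.0 are not supported"))
    if flag(policies, "display.default.domain.at.top") and (secure or hide):
        findings.append(("display.default.domain.at.top",
                         "no effect unless secure.domain.list and client.hide.domain.list are both false"))
    return findings

# Constructed sample values, not taken from a real tenant.
SAMPLE = {
    "agentupdate.enable": "true",
    "agentupdate.updateserver.url": "",
    "agentupdate.sslProtocol": "TLS_V1_2",
    "secure.domain.list": "true",
    "client.hide.domain.list": "false",
    "display.default.domain.at.top": "true",
}

if __name__ == "__main__":
    for policy, finding in audit_policies(SAMPLE, multi_domain=True):
        print(f"{policy}: {finding}")
```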

Configure Policy for Two-Factor Authentication

This policy allows Service Provider administrators to force tenants to move Two-Factor Authentication (2FA) from the tenant portal to Unified Access Gateway. You can access the settings from the Two-Factor Authentication page on the Admin portal.

Policy Description
tenant.2fa.through.uag The default value of the policy is set based on the Two-Factor Authentication configuration:
  • Default setting is true for tenants prior to 9.2.1 that have 2FA configured as RSA and new tenants on 9.2.1.
  • Default setting is false for tenants prior to 9.2.1 that have 2FA configured as RADIUS.
where:
  • true - configures 2FA from Unified Access Gateway
  • false - allows configuring of 2FA RADIUS from the tenant portal