
WUYING Workspace: Policy overview

Last Updated: Dec 05, 2023

A policy is a collection of rules that can be used to manage end user permissions on cloud computers to improve data security. This topic describes policies of different types and the rules on how the policies take effect.

Billing

Before WUYING Workspace officially releases the policy billing announcement, you are not charged for using the system policy and all custom policies.

Note

Screen Recording Audit is in public preview, during which you can use this feature free of charge. After the public preview ends, you are charged for using the screen recording audit feature. After the public preview ends, an announcement about the billing rules will be released. The most recent announcement shall prevail.

Policy type

WUYING Workspace policies are classified into the following types based on policy sources:

  • System policy: the policy that is provided by WUYING Workspace. The system policy passes the security and stability tests of Alibaba Cloud and provides the default settings of configuration items.

  • Custom policy: a policy that is created by an administrator in the WUYING Workspace console.

Introduction to the system policy

The system policy is named All enabled policy. The policy ID is system-all-enabled-policy.

You cannot change the default settings of configuration items in the system policy. You cannot delete the system policy, either.

The following table describes the default settings of configuration items in the system policy.

| Configuration item | Default settings |
| --- | --- |
| Valid IP Address | All CIDR Block |
| USB Redirection | Enable |
| Local Disk Mapping | Read/Write |
| Clipboard | Enable Two-way Transfer |
| Image Display Quality | SD |
| Network Transfer | Enable |
| Web Client File Transfer | Allow Upload/Download |
| Printer Redirection | Enable |

Introduction to custom policies

A custom policy contains the following configuration items: Basic Policy, Logon Method Control, Security Group Control, DNS, Client IP Whitelist, Peripheral Control, Screen Recording Audit, Valid IP Address and Media Redirection.

Basic policy

The following table describes the parameters on the Basic Policy tab. For information about how to create a basic policy, see Create a basic policy.

| Parameter | Description |
| --- | --- |
| Watermark | Specifies whether to display watermarks on the screens of cloud computers. If you enable this feature, watermarks are tiled across the screens of cloud computers. The watermarks facilitate auditing screenshots and screen recordings. |
| Anti-screenshot | Specifies whether to allow end users to capture the screens of cloud computers by using on-premises screenshot tools. If you enable this feature, end users cannot capture the screens of cloud computers by using on-premises screenshot tools. |
| Clipboard | Specifies whether to allow end users to copy text, images, and files between on-premises computers and cloud computers. |
| Allow Preemption | To improve user experience and ensure data security, multiple end users are not allowed to connect to the same cloud computer at the same time. |
| Image Display Quality | Specifies the display quality of cloud computer screens. Valid values: LD, SD, HD, and Lossless. |
| Network Transfer | If you enable this feature, Adaptive Streaming Protocol (ASP)-based cloud computers use the UDP/TCP adaptive mode. By default, the ASP-based cloud computers use the User Datagram Protocol (UDP), which delivers better user experience in weak network conditions. If the UDP protocol fails to provide services, the Transmission Control Protocol (TCP) is automatically used. |
| Image Quality Control | This feature improves the image quality of cloud computers. If your end users use Enterprise Graphics cloud computers in design scenarios, we recommend that you enable this feature to improve the performance and user experience of cloud computers. |
| Web Client File Transfer | Specifies whether to allow end users to transfer files between cloud computers and on-premises computers after end users connect to the cloud computers from web clients. |

Logon method control

This feature specifies which types of WUYING terminals can be used by end users to connect to cloud computers. For information about how to enable the Logon Method Control feature, see Manage logon methods.

Security group control

You can add inbound and outbound rules to control the inbound and outbound traffic of cloud computers. By default, cloud computers deny all inbound traffic and allow all outbound traffic. For information about how to enable the Security Group Control feature, see Configure a security group.

DNS

By default, the DNS policy is disabled. In this case, cloud computers can access all domain names. You can enable this feature based on your business requirements. If you enable this feature, you must specify the domain names that you allow or forbid cloud computers to access. You can also control access from cloud computers to domain names of multiple levels in a fine-grained manner. For information about how to enable the DNS feature, see Enable the DNS feature.

Client IP whitelist

You can configure a client IP address whitelist to specify the CIDR blocks of the WUYING terminals that can be used by end users to connect to cloud computers. If you do not configure a client IP address whitelist, end users can use any type of WUYING terminal to connect to cloud computers from any IP address. For information about how to enable the Client IP Whitelist feature, see Configure a client IP address whitelist.

Peripheral control

This feature specifies whether end users can access the on-premises disks or use the peripherals that are connected to their on-premises devices after the end users connect to cloud computers. For information about how to enable the Peripheral Control feature, see Peripheral control.

Screen recording audit

This feature specifies whether to record the operations of end users on cloud computers for security purposes. As an administrator, you can play back the screen recordings to audit the operations of end users. For more information about how to enable the Screen Recording Audit feature, see Configure the screen recording audit feature (public preview).

Important

This feature is in public preview, and you can use it for free during the public preview. After the public preview ends, you are charged for the feature. An announcement that includes the billing rules will be released in advance. We recommend that you stay tuned to our latest updates and announcements.

Valid IP address

You can specify the CIDR blocks on which a policy takes effect based on your business requirements. When end users connect to cloud computers from on-premises devices, WUYING Workspace checks the IP addresses of the WUYING terminals of the end users and enables the matching policies based on the check results. This further improves data security of cloud computers. For information about how to enable the Valid IP Address feature, see Specify a CIDR block on which a policy takes effect.

Media redirection

This feature specifies whether to redirect audio and video files from cloud computers to on-premises computers for playback. Playing back the files on on-premises computers provides a smoother media experience. For information about how to enable the Media Redirection feature and the limits of the feature, see Configure media redirection.

Rules for configuration items to take effect

After you create or modify a policy, specific configuration items immediately take effect and other configuration items take effect upon the next connection to the associated cloud computers. The following table describes the rules for different configuration items to take effect.

| Configuration item | Rule |
| --- | --- |
| Watermark | Takes effect immediately. |
| Anti-screenshot | Takes effect upon the next connection to the associated cloud computers. |
| Local Disk Mapping | Takes effect upon the next connection to the associated cloud computers. |
| Clipboard | Takes effect upon the next connection to the associated cloud computers. |
| Image Display Quality | Takes effect immediately. |
| Image Quality Control | Takes effect upon the next connection to the associated cloud computers. |
| Network Transfer | Takes effect upon the next connection to the associated cloud computers. |
| Web Client File Transfer | Takes effect upon the next connection to the associated cloud computers. |
| Printer Redirection | Takes effect upon the next connection to the associated cloud computers. |
| Webcam Redirection | Takes effect upon the next connection to the associated cloud computers. |
| Logon Method Control | Takes effect upon the next connection to the associated cloud computers. |
| Security Group Control | Takes effect immediately. |
| DNS | Takes effect immediately. |
| Client IP Whitelist | Takes effect upon the next connection to the associated cloud computers. |
| USB Redirection | Takes effect upon the next connection to the associated cloud computers. |
| Screen Recording Audit | Takes effect immediately. |
| Media Redirection | Takes effect upon the next connection to the associated cloud computers. |
| Valid IP Address | Takes effect upon the next connection to the associated cloud computers. |
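
When a policy is tightened, the rules above determine which changes are enforced at once and which are not applied until end users reconnect. The following added example (not WUYING Workspace code; it calls no WUYING API, uses console labels as dictionary keys, and its policy snapshots and values such as "Disable" are constructed assumptions) diffs two policy snapshots and groups the changed items by when they are enforced.

```python
# Timing rules transcribed from the "Rules for configuration items to take
# effect" table on this page. Keys are console labels, not API parameters.
IMMEDIATE = {
    "Watermark", "Image Display Quality", "Security Group Control",
    "DNS", "Screen Recording Audit",
}
NEXT_CONNECTION = {
    "Anti-screenshot", "Local Disk Mapping", "Clipboard",
    "Image Quality Control", "Network Transfer", "Web Client File Transfer",
    "Printer Redirection", "Webcam Redirection", "Logon Method Control",
    "Client IP Whitelist", "USB Redirection", "Media Redirection",
    "Valid IP Address",
}


def enforcement_plan(old, new):
    """Group every changed configuration item by when the change is enforced."""
    plan = {"immediate": [], "next_connection": [], "unspecified": []}
    for item in sorted(set(old) | set(new)):
        if old.get(item) == new.get(item):
            continue  # unchanged, nothing to enforce
        if item in IMMEDIATE:
            plan["immediate"].append(item)
        elif item in NEXT_CONNECTION:
            plan["next_connection"].append(item)
        else:
            plan["unspecified"].append(item)  # the page lists no rule for it
    return plan


# Constructed snapshots (assumption): the first three "before" values are the
# system policy defaults from this page; all other values are illustrative.
BEFORE = {
    "USB Redirection": "Enable",
    "Local Disk Mapping": "Read/Write",
    "Clipboard": "Enable Two-way Transfer",
    "Watermark": "Disable",
    "Allow Preemption": "Enable",
}
AFTER = {**BEFORE, "USB Redirection": "Disable", "Clipboard": "Disable",
         "Watermark": "Enable", "Allow Preemption": "Disable"}

if __name__ == "__main__":
    for timing, items in enforcement_plan(BEFORE, AFTER).items():
        print(f"{timing}: {', '.join(items) or '-'}")
```

Items reported under next_connection are the ones to follow up on: the tightened setting is not applied until end users reconnect to the associated cloud computers.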