A policy is a set of security rules that are used to control security configurations when regular users use cloud desktops. Policies improve data security. This topic describes the configuration items of the security rules that are contained in a policy and provides some examples of security rules.

A policy contains a basic policy, such as USB redirection and watermarks, and one or more security group rules, such as inbound and outbound traffic rules. The following list describes the parameters in a policy.
  • USB Redirection: Specifies whether to enable the USB redirection feature. If you set this parameter to Enable, you can access USB flash drives that are connected to on-premises devices from cloud desktops.
  • Watermark: Specifies whether to use watermarks. If you set this parameter to Enable, you can configure the content and transparency of the watermarks that are displayed on cloud desktops.
  • Local Disk Mapping: Specifies whether to allow read and write operations on the drives that map to the disks of your computer on cloud desktops.
  • Clipboard: Specifies whether to allow copy operations between your computer and cloud desktops.
  • Allow Preemption: Specifies whether you can log on to cloud desktops to which another regular user is logged on. By default, this feature is disabled and cannot be modified.
    Notice To improve user experience and ensure data security, multiple regular users are not allowed to log on to the same cloud desktop.
  • Image Display Quality: Specifies the display quality on Windows cloud desktops.
  • HTML5 Client File Transfer: Specifies whether you can transfer files between your computer and Windows cloud desktops when you log on to cloud desktops by using a web browser.
    Note This parameter is valid only on Windows cloud desktops. If you want to use the file transfer feature on Linux cloud desktops, you must associate the default system policy with the cloud desktops.
  • Printer Redirection: Specifies whether you can use USB printers and network printers that are connected to on-premises devices on cloud desktops.
  • Logon Method: Specifies the types of EDS clients that you can use to log on to cloud desktops.
  • Security Group Control: You can add security group rules to manage the inbound and outbound traffic of cloud desktops. By default, cloud desktops deny all inbound access requests and allow all outbound access requests.
  • Domain names in the whitelist and blacklist: You can add domain names to the blacklist or whitelist to control the domain names that cloud desktops can access. By default, if you do not add domain names to the whitelist or blacklist, cloud desktops can access all domain names.
  • Client IP Whitelist: If you configure the client IP whitelist, you can connect to cloud desktops only from clients whose IP addresses fall within the CIDR blocks that you added to the whitelist. By default, if you do not add a CIDR block to the whitelist, you can connect to cloud desktops from all EDS clients.

USB redirection

The USB redirection configuration determines whether regular users can access USB flash drives that are connected to their computers from their cloud desktops.
  • Disable: If this feature is disabled, regular users cannot use USB flash drives that are connected to their computers from their cloud desktops.
  • Enable: If this feature is enabled, users can use USB flash drives that are connected to their computers from their cloud desktops.

Watermark

Watermarks are overlaid on cloud desktops to reduce the risk of data leaks due to screenshots and photos. You can configure the content and transparency of watermarks. For example, you can select Show Username or Show Cloud Desktop ID to specify the watermark content and select Light, Medium, or Dark to specify the transparency.
  • Disable: If this feature is disabled, watermarks are not displayed on cloud desktops.
  • Enable: If this feature is enabled, watermarks are tiled across the display of cloud desktops, as shown in the following figure.
    [Figure: Watermark]

Local disk mapping

The local disk mapping configuration determines whether to grant regular users read and write permissions on the drives that map to the disks of your computer on cloud desktops.
Note This feature is not applicable to regular users who use web browsers to log on to cloud desktops.
  • Disable: The drives that map to the disks of your computer are not accessible from cloud desktops.
  • Read-only: The drives that map to the disks of your computer are accessible from cloud desktops. You can read and copy local files, but you cannot modify the files.
  • Read/Write: The drives that map to the disks of your computer are accessible from cloud desktops. You can read, copy, and modify local files.

Clipboard

The clipboard configuration determines whether to grant regular users the permissions to copy files between your computer and cloud desktops.

  • Enable One-way Transfer: You can copy files only from your computer to cloud desktops.
  • Enable Two-way Transfer: You can copy files between your computer and cloud desktops.
  • Disable Two-way Transfer: You cannot copy files between your computer and cloud desktops.

User preemption

The user preemption configuration manages whether a regular user can log on to a cloud desktop to which another regular user is logged on. To improve user experience and ensure data security, multiple regular users are not allowed to log on to the same cloud desktop. By default, this feature is disabled and cannot be modified.
Note If a regular user does not disconnect from a cloud desktop and attempts to log on to the same cloud desktop from another client, the earlier logon to the cloud desktop is disconnected.

Image display quality

The image display quality configuration controls the display quality of the Windows cloud desktop. You can specify this parameter based on your business requirements and bandwidth. Valid values: Adaptive, LD, HD, and Lossless.

HTML5 client file transfer

The HTML5 client file transfer configuration controls whether files can be transferred between your computer and cloud desktops when you log on to the cloud desktops by using a web browser.
Note This feature is only valid on Windows cloud desktops.
  • Disable: You cannot transfer files between your computer and cloud desktops.
  • Allow Upload: You can upload local files to cloud desktops. However, you cannot download the files that are stored on cloud desktops to your computer.
  • Allow Download: You can download the files that are stored on cloud desktops to your computer. However, you cannot upload the local files from your computer to cloud desktops.
  • Allow Upload/Download: You can upload local files from your computer to cloud desktops, and download the files that are stored on cloud desktops to your computer.

Printer redirection

The printer redirection configuration controls whether regular users can use USB printers and network printers that are connected to on-premises devices on cloud desktops.
  • Enabled: You can use the printers that are connected to on-premises devices on cloud desktops.
  • Disabled: You cannot use the printers that are connected to on-premises devices on cloud desktops.
Note
  • If a regular user wants to use a USB printer on cloud desktops, the printer redirection and USB redirection features must be enabled.
  • If an AD user wants to use a printer on cloud desktops, the group policy of the AD domain and the printer redirection feature must be enabled.

Logon methods

The logon methods control the types of clients that regular users can use to log on to cloud desktops. The following client types are supported:
  • Software client: the Windows and macOS clients
  • Web client: the HTML5 client
  • Hardware client: the A series box-shaped cloud devices and C-key card-shaped cloud devices
  • Mobile client: the Android and iOS clients

Security group control

Security group rules control the inbound and outbound traffic of cloud desktops. To define a security group rule, you must specify properties such as the rule direction, priority, CIDR block, protocol type, port range, and authorization policy. Before a connection for data communication is established to a cloud desktop, the system matches access requests against the security group rules in the policy that is associated with the cloud desktop to determine whether to allow the access requests. Access requests are allowed or denied based on the matched security group rule:
  • If access requests match a security group rule whose Authorization Policy is set to Allow, the access requests are allowed.
  • If access requests match a security group rule whose Authorization Policy is set to Deny, the access requests are blocked and data packets are dropped.
If no security group rules are added, cloud desktops deny all inbound access requests and allow all outbound access requests. You can add security group rules to control the inbound and outbound traffic of a cloud desktop. The following examples show sample configurations.
  • Example 1: Allow a cloud desktop to access only specific IP addresses.
    By default, cloud desktops allow all outbound access requests. You can add the following outbound rules to allow a cloud desktop to access only specific IP addresses:
    • Rule 1: Deny all outbound access requests. Sample configuration:
      Rule direction: Outbound
      Priority: 2
      CIDR block: 0.0.0.0/0
      Protocol type: All
      Port: -1/-1
      Authorization policy: Deny
    • Rule 2: Allow outbound access to specific IP addresses. The priority of Rule 2 must be higher than the priority of Rule 1 (a smaller priority value, 1 versus 2, indicates a higher priority). Sample configuration:
      Rule direction: Outbound
      Priority: 1
      CIDR block: The allowed destination IP address. Example: 192.168.1.1/32.
      Protocol type: Select a protocol type.
      Port: Specify a port range.
      Authorization policy: Allow
  • Example 2: Allow inbound access from a specific IP address to a cloud desktop.
    By default, cloud desktops deny all inbound access requests. You can add an inbound rule to allow access from a specific IP address. Sample configuration:
      Rule direction: Inbound
      Priority: 1
      CIDR block: The allowed source IP address. Example: 192.168.1.1/32.
      Protocol type: Select a protocol type.
      Port: Specify a port range.
      Authorization policy: Allow
  • Example 3: Enable mutual access between cloud desktops that are associated with different policies.
    For example, Cloud Desktop A is associated with Policy A, and Cloud Desktop B is associated with Policy B. Cloud Desktop A and Cloud Desktop B cannot access each other because cloud desktops deny all inbound access requests by default. You can add the following inbound rules to Policy A and Policy B to enable mutual access between the two cloud desktops:
    • Add an inbound rule to Policy A to allow access from Cloud Desktop B. Sample configuration:
      Rule direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Desktop B.
      Protocol type: Select a protocol type.
      Port: Specify a port range.
      Authorization policy: Allow
    • Add an inbound rule to Policy B to allow access from Cloud Desktop A. Sample configuration:
      Rule direction: Inbound
      Priority: 1
      CIDR block: The IP address of Cloud Desktop A.
      Protocol type: Select a protocol type.
      Port: Specify a port range.
      Authorization policy: Allow
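As an added example that is not part of the EDS documentation, the following Python models the rule matching described above: rules are tried in priority order (smaller value first, as Example 1 implies), the first matching rule decides, and a request that matches no rule falls back to the defaults (deny inbound, allow outbound). The names Rule, Request and evaluate are assumptions; EXAMPLE_1 and EXAMPLE_2 encode the page's Example 1 and Example 2 with constructed protocol and port values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One security group rule, with the fields the page lists."""
    direction: str     # "inbound" or "outbound"
    priority: int      # smaller value is matched first (assumption, as in Example 1)
    cidr: str          # remote CIDR block, e.g. "192.168.1.1/32"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "start/end"; "-1/-1" means every port
    action: str        # "allow" or "deny"

@dataclass(frozen=True)
class Request:
    direction: str
    remote_ip: str     # source IP for inbound, destination IP for outbound
    protocol: str
    port: int

def _port_matches(port_range: str, port: int) -> bool:
    start, end = (int(p) for p in port_range.split("/"))
    return (start, end) == (-1, -1) or start <= port <= end

def rule_matches(rule: Rule, req: Request) -> bool:
    """Direction, protocol, port and CIDR block must all match."""
    if rule.direction != req.direction or rule.protocol not in ("all", req.protocol):
        return False
    if not _port_matches(rule.port_range, req.port):
        return False
    return ipaddress.ip_address(req.remote_ip) in ipaddress.ip_network(rule.cidr, strict=False)

def evaluate(rules: list[Rule], req: Request) -> str:
    """Return "allow" or "deny": first matching rule by priority, else the page's defaults."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, req):
            return rule.action
    return "deny" if req.direction == "inbound" else "allow"  # default policies

# Example 1 from the page: deny all outbound (priority 2), allow one host (priority 1).
EXAMPLE_1 = [
    Rule("outbound", 2, "0.0.0.0/0", "all", "-1/-1", "deny"),
    Rule("outbound", 1, "192.168.1.1/32", "tcp", "443/443", "allow"),
]
# Example 2 from the page: allow inbound from one source host; all else stays denied.
EXAMPLE_2 = [Rule("inbound", 1, "192.168.1.1/32", "tcp", "3389/3389", "allow")]
```

Swapping the two priority values in EXAMPLE_1 makes the deny-all rule win every time, which is the misconfiguration the "higher priority" remark in Example 1 guards against.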

Domain names in the whitelist and blacklist

The domain blacklist and whitelist control the domain names that cloud desktops can access and cannot access. By default, cloud desktops can access all domain names. You can add the domain names to the blacklist and whitelist based on your actual requirements.
  • If you do not configure the blacklist or the whitelist, cloud desktops can access all domain names.
  • If you configure a blacklist, cloud desktops cannot access the domain names in the blacklist. For example, if an enterprise does not want employees to access some video streaming websites on cloud desktops, the enterprise adds the domain names of these websites to the blacklist to deny access to these websites. Then, if employees visit these websites, an error code 404 is returned on these web pages. However, employees can still visit other websites that are not in the blacklist.
  • If you configure a whitelist, cloud desktops can access only the domain names in the whitelist. For example, if an enterprise wants employees to access some private websites within the enterprise or websites needed for work, the enterprise adds the domain names of these websites to the whitelist. Then, if employees visit these websites, the web pages appear as expected. However, an error code 404 is returned on other websites whose domain names are not in the whitelist.
Notice The domain names in the blacklist and whitelist are mutually exclusive. If you configure the blacklist and whitelist, only the list that you configured last takes effect.
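To show the Notice above in practice, here is an added Python model (not EDS code) of the blacklist and whitelist semantics: no list means every domain is reachable, a blacklist denies only its entries, a whitelist allows only its entries, and configuring one list replaces the other. Exact, case-insensitive hostname matching and the names DomainAccessPolicy, unexpectedly_reachable and misconfiguration_demo are assumptions; the domain names are constructed.

```python
class DomainAccessPolicy:
    """Domain blacklist/whitelist as described above (added example, not EDS code)."""

    def __init__(self) -> None:
        self.mode = None            # None (no list configured), "blacklist" or "whitelist"
        self.domains: set[str] = set()

    def configure(self, mode: str, domains: list[str]) -> None:
        # The page states the lists are mutually exclusive and only the list
        # configured last takes effect, so configuring one discards the other.
        if mode not in ("blacklist", "whitelist"):
            raise ValueError(f"unknown list type: {mode}")
        self.mode = mode
        self.domains = {d.lower().rstrip(".") for d in domains}

    def allows(self, domain: str) -> bool:
        name = domain.lower().rstrip(".")   # exact hostname match is an assumption
        if self.mode is None:
            return True                     # default: every domain is reachable
        if self.mode == "blacklist":
            return name not in self.domains
        return name in self.domains         # whitelist mode

def unexpectedly_reachable(policy: DomainAccessPolicy, intended_allow: set[str],
                           probes: list[str]) -> list[str]:
    """Defender's check: probe domains the policy allows although they are not
    in the allowlist the administrator intended."""
    return [d for d in probes if policy.allows(d) and d.lower() not in intended_allow]

def misconfiguration_demo() -> list[str]:
    # Constructed scenario: an administrator whitelists the intranet, then later
    # adds a blacklist for a video site. The whitelist is silently replaced, so
    # every domain except the blacklisted one becomes reachable again.
    policy = DomainAccessPolicy()
    intended = {"intranet.example.com", "wiki.example.com"}
    policy.configure("whitelist", sorted(intended))
    policy.configure("blacklist", ["video.example.net"])
    return unexpectedly_reachable(policy, intended,
                                  ["intranet.example.com", "video.example.net", "social.example.org"])
```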

Client IP whitelist

The client IP whitelist controls the CIDR blocks that the clients can use to connect to cloud desktops.
  • If you do not configure the client IP whitelist, regular users can connect to cloud desktops from all EDS clients.
  • If you configure the client IP whitelist, regular users can connect to cloud desktops only from the clients that use the CIDR blocks in the whitelist. For example, for security reasons, an enterprise can add to the whitelist the CIDR blocks that the clients of employees in a region use. Then, only employees in that region can connect to cloud desktops from the clients that use the CIDR blocks specified in the whitelist, and employees in other regions cannot access the cloud desktops.