A policy is a set of security rules that are used to control the permissions on a cloud desktop when a regular user uses the cloud desktop. You can use a policy to improve data security. This topic describes configuration items of security rules in a policy and provides security rule examples.
| Configuration item | | Description |
|---|---|---|
| Basic Policy | Watermark | Specifies whether to display watermarks. If you enable watermarking, you can configure the content and transparency of watermarks that are displayed on the cloud desktop. |
| | Local Disk Mapping | Specifies whether to allow read and write operations on the mapped drives of local disks on the cloud desktop. Note: You can run the built-in applications on your computer on cloud desktops. You cannot run applications installed on your local computer on cloud desktops. However, if you run the built-in applications on cloud desktops, the desktop bandwidth and user experience may be compromised. Therefore, we recommend that you do not run applications installed on your computer on cloud desktops. You can enable Local Disk Mapping to read or write files stored on your computer on cloud desktops. |
| | Clipboard | Specifies whether the regular user can copy files between a local computer and the cloud desktop. |
| | Allow Preemption | Specifies whether the regular user can connect to the cloud desktop to which another regular user is connected. By default, this feature is disabled and the value cannot be modified. Notice: To improve user experience and ensure data security, multiple regular users are not allowed to connect to the same cloud desktop at the same time. |
| | Image Display Quality | Specifies the display quality for a Windows cloud desktop. |
| | Image Quality Control | Specifies the display quality for a Graphics cloud desktop. |
| | HTML5 Client File Transfer | Specifies whether the regular user can transfer files between the local computer and the Windows cloud desktop when the regular user logs on to cloud desktops from the web client. Note: This configuration item is valid only for Windows cloud desktops. If the regular user wants to use the file transfer feature on Linux cloud desktops, you must associate the default system policy with the cloud desktops. |
| | Printer Redirection | Specifies whether the regular user can use printers that are connected to the local computer on the cloud desktop. Note: This configuration item takes effect only when the regular user connects to the cloud desktop from the software client. If the regular user wants to use USB printers on the cloud desktop from the hardware client, enable USB redirection. |
| | Webcam Redirection | Specifies whether the regular user can use webcams that are connected to local computers on cloud desktops. |
| | Logon Method | Specifies the types of Elastic Desktop Service (EDS) clients that the regular user can use to connect to the cloud desktop. |
| | Security Group Control | The regular user can add inbound and outbound security group rules to control the inbound and outbound traffic of the cloud desktop. By default, cloud desktops deny all inbound access requests and allow all outbound access requests. |
| | Domain Name Blacklist and Whitelist | The regular user can add domain names to the domain name blacklist or whitelist to limit the domain names that the cloud desktop can access. By default, if you do not configure the blacklist or the whitelist, cloud desktops can access all domain names. |
| | Client IP Whitelist | If you specify a CIDR block in the CIDR block whitelist, the regular user can connect to the cloud desktop only from clients whose IP addresses are in that CIDR block. By default, if you do not add a CIDR block to the whitelist, the regular user can connect to the cloud desktop from all EDS clients. |
| | USB Redirection | Specifies whether to enable USB redirection. After you enable USB redirection, USB devices that are connected to the local computer can be used on the cloud desktop. You can manage the USB device whitelist and blacklist by VID and PID or by device class. |
| | Screen Recording Audit | Specifies whether to enable screen recording audit in the EDS console. If you enable screen recording audit, you can play videos that record operations performed by the regular user on the cloud desktop and audit the operations to ensure data security. |
Preview of basic policies
Watermark
- Disable: Watermarks are not displayed on cloud desktops.
- Enable: Watermarks are tiled across the display of the cloud desktop. The following figure shows an example of the display of the cloud desktop when the watermarking feature is enabled.
Local disk mapping
- Disable: No mapped drives of local disks are available on the cloud desktop.
- Read-only: The mapped drives of local disks are available on the cloud desktop. The regular user can only read and copy files from the mapped drives of local disks.
- Read/Write: The mapped drives of local disks are available on cloud desktops. Regular users can read, copy, and modify files on the mapped drives of local disks.
Clipboard
- Enable One-way Transfer: The regular user can copy files only from the local computer to the cloud desktop.
- Enable Two-way Transfer: The regular user can copy files between the local computer and the cloud desktop.
- Disable Two-way Transfer: The regular user cannot copy files between the local computer and the cloud desktop.
User preemption
Image display quality
The image display quality configurations control the display quality of a Windows cloud desktop. You can configure this parameter based on your business requirements and bandwidth. Valid values: Adaptive, LD, HD, and Lossless.
Image quality control
The image quality configurations control the image display quality of a GPU-accelerated cloud desktop. If the regular user uses a Graphics cloud desktop for design scenarios, we recommend that you enable the feature to improve desktop performance and user experience.
HTML5 client file transfer
- Disable: Files cannot be transferred between the cloud desktop and the local computer.
- Allow Upload: Files that are stored on the local computer can be uploaded to the cloud desktop, but files that are stored on the cloud desktop cannot be downloaded to the local computer.
- Allow Download: Files that are stored on the cloud desktop can be downloaded to the local computer, but files that are stored on the local computer cannot be uploaded to the cloud desktop.
- Allow Upload/Download: Files that are stored on the local computer can be uploaded to the cloud desktop, and files that are stored on the cloud desktop can be downloaded to the local computer.
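The three file-movement settings previewed above (local disk mapping, clipboard, and HTML5 client file transfer) each open a path in one or both directions. The following added example, which is not part of the original documentation, maps each option to the direction it opens and reports which items let files leave the cloud desktop. The dictionary layout is an assumption that mirrors the console labels on this page; it is not an EDS API format.

```python
# Added example. Keys and option strings mirror the console labels on this
# page; the dict layout is an assumption, not an EDS API or export format.
IN, OUT = "local->desktop", "desktop->local"

# Direction(s) each option opens, taken from the policy previews above.
CHANNELS = {
    "Local Disk Mapping": {
        "Disable": set(),
        "Read-only": {IN},          # read and copy from the mapped drives
        "Read/Write": {IN, OUT},    # files on the local disk can be modified
    },
    "Clipboard": {
        "Disable Two-way Transfer": set(),
        "Enable One-way Transfer": {IN},
        "Enable Two-way Transfer": {IN, OUT},
    },
    "HTML5 Client File Transfer": {
        "Disable": set(),
        "Allow Upload": {IN},
        "Allow Download": {OUT},
        "Allow Upload/Download": {IN, OUT},
    },
}

def open_paths(policy):
    """Return {direction: [items]} for every file path the policy opens."""
    paths = {IN: [], OUT: []}
    for item, options in CHANNELS.items():
        value = policy.get(item)
        if value not in options:
            # Fail closed: a missing or misspelled value must not pass silently.
            raise ValueError(f"{item}: unknown or missing value {value!r}")
        for direction in sorted(options[value]):
            paths[direction].append(item)
    return paths

def egress_findings(policy):
    """List the items that let files leave the cloud desktop."""
    return open_paths(policy)[OUT]

# Constructed sample policies.
permissive = {"Local Disk Mapping": "Read/Write",
              "Clipboard": "Enable Two-way Transfer",
              "HTML5 Client File Transfer": "Allow Download"}
restricted = {"Local Disk Mapping": "Read-only",
              "Clipboard": "Enable One-way Transfer",
              "HTML5 Client File Transfer": "Allow Upload"}

if __name__ == "__main__":
    for name, pol in (("permissive", permissive), ("restricted", restricted)):
        print(name, "egress via:", egress_findings(pol) or "none")
```

A policy that must keep files on the cloud desktop should produce an empty egress list across all three items, since leaving any one of them open in the outbound direction is enough to move files to the local computer.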
Printer redirection
- Enabled: The regular user can use the printers that are connected to the local computer on the cloud desktop.
- Disabled: The regular user cannot use the printers that are connected to the local computer on the cloud desktop.
- When the regular user connects to the cloud desktop from the hardware client, you can use the USB redirection feature to manage whether the regular user can use the USB printers that are connected to the local computer on the cloud desktop.
- If an AD user wants to use a printer on the cloud desktop, you must enable the group policy of the AD domain and the printer redirection feature.
Webcam redirection
- Enabled: The regular user can use the webcam that is connected to the local computer on the cloud desktop.
- Disabled: The regular user cannot use the webcam that is connected to the local computer on the cloud desktop.