You can use cloud computer policies to manage data security, access control, user experience, and collaboration. Elastic Desktop Service provides a default policy that cannot be modified or deleted. For specific requirements, you can create custom policies. This topic describes how to create and manage custom policies.
Create a custom policy
You can create a custom policy in several ways based on your needs.
Create from scratch
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Policy page, click Create Policy.
On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.
Clone existing policy
To quickly create a policy with settings similar to an existing one, clone that policy and modify it as needed.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Policy page, find the custom policy that you want to clone and click Clone in the Actions column.
In the Clone Policy dialog box, enter a policy name and click OK.
Import from file
You can quickly create a policy by importing a standard JSON configuration file.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Policies page, click Import policy.
In the Import policy dialog box, enter a policy name, upload the policy configuration file in JSON format, and then click OK.
Convert to a global policy
Custom policies created before October 2024 are legacy region-specific policies. A policy in a region can only be associated with cloud computers in the same region. Policies created after this date are global policies and can be associated with cloud computers in any region. You can convert legacy, region-specific policies into global policies.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the page, find the legacy custom policy that you want to convert and click Switch to Global Policy in the Actions column.
Change an associated policy
If the policy associated with a cloud computer or a multi-shared cloud computer no longer meets your business requirements, you can replace it.
Cloud computer
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose Resource Management > Cloud Computers.
On the Cloud Computers page, perform one of the following actions as needed:
For a single cloud computer: Find the cloud computer, click More in the Actions column, and then select Change Policy.
For multiple cloud computers: Select the cloud computers, and then choose More > Change Policy at the bottom of the page.
In the Change Policy panel, perform the following actions as needed.
Change a required policy
A required policy applies to all IP addresses. Each cloud computer must have exactly one associated required policy. To change the required policy, on the Required Policy tab, click Change Policy in the Actions column. Then, select a new policy and click OK.
Note: If the cloud computer's resource group already has an associated policy, you cannot directly change the policy for the cloud computer. You must either change the policy for the resource group or move the cloud computer out of the group before you can change its policy.
Adjust optional policies
An optional policy applies to specific IP addresses. You can associate a cloud computer with up to four optional policies. Optional policies always have a higher priority than the required policy. You can also adjust their priority by reordering them.
To add an optional policy, on the Optional Policies tab, click Associate Policy and then select one or more new policies.
To remove an optional policy, on the Optional Policies tab, click Disassociate in the Actions column.
In the dialog box that appears, click OK.
Multi-shared cloud computer
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Shared Cloud Computer page, find the target multi-shared cloud computer and click its Cloud computer share ID.
On the Basic Information tab, find Policy Group Name and click the edit icon.
In the Change panel, deselect the current policy, select a new one, and click Change.
Resource group
When you associate a policy with a resource group, it applies to all cloud computers in the group and overrides any policies associated with individual cloud computers.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose Resource Management > Resource Group.
On the Resource Group page, find the target resource group, and in the Actions column, click Associate Policy.
On the Manage Policy tab, perform the following operations as needed:
Change the required policy
A policy that applies to all IP addresses is a required policy. Each resource group can have only one required policy.
To add a required policy, on the Required Policy tab, click Add Policy, select a policy, and click OK.
To change the required policy, on the Required Policy tab, click Change Policy in the Actions column, select a new policy, and click OK.
To remove the required policy, on the Required Policy tab, click Disassociate in the Actions column.
Adjust optional policies
A policy that applies to specific IP addresses is an optional policy. Each resource group can have up to four optional policies. Optional policies take priority over the required policy, and you can adjust their priority by reordering them.
To add optional policies, on the Optional Policies tab, click Associate Policy, select one or more policies, and click OK.
To remove an optional policy, on the Optional Policies tab, click Disassociate in the Actions column.
Modify custom policy settings
If a custom policy's settings no longer meet your business requirements, you can modify them.
Procedure
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Policy page, find the custom policy that you want to modify and click Modify Policy in the Actions column.
On the Modify Policy page, adjust the policy settings as needed.
When modifications take effect
After you modify a policy that is attached to a workspace, the time it takes for changes to different rules to take effect varies. Changes to the following rules take effect immediately. The end user does not need to disconnect from and reconnect to the workspace.
Display mode
Watermark
Security group control
Domain name access control
Screen recording audit
Remote assistance
Changes to other rules take effect the next time the end user connects to a workspace with the policy attached.
Specify effective CIDR blocks
By default, a custom policy applies to all CIDR blocks. If you need a policy to apply only to specific network locations, you can specify effective CIDR blocks. Once they are specified, when an end user connects to an associated cloud computer by using an Alibaba Cloud Workspace terminal, the system checks whether the terminal's public IP address is within the specified CIDR blocks to determine whether to enforce the policy.
Procedure
The following steps describe how to set the effective CIDR blocks for a policy.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the Policy page, find the custom policy for which you want to specify effective CIDR blocks and click Modify Policy in the Actions column.
At the top of the Modify Policy page, select Specific CIDR Block next to Valid IP Address, and then click Add CIDR Block.
Note: You can directly modify the effective CIDR blocks for policies that are not yet associated with any cloud computer, or for policies that are already associated but have specified CIDR blocks.
For a policy that is already associated with a cloud computer and applies to all CIDR blocks, you must first disassociate it from the cloud computer before you can specify its effective CIDR blocks. Alternatively, if you do not want to disassociate the policy, clone it, specify the effective CIDR blocks for the clone, and then associate the new policy with the cloud computer. For more information about how to clone a policy, see Create a custom policy.
In the Add CIDR Block dialog box, enter up to three CIDR blocks and click OK.
After you set the effective CIDR blocks and associate the policy with a cloud computer, the policy takes effect on the next connection.
Note: A cloud computer must have exactly one policy that applies to all IP addresses. A cloud computer can be associated with a maximum of four policies that apply to specific CIDR blocks.
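The following added example (not Alibaba Cloud code, and not part of the original topic) models the selection rules described above so that you can review a planned association before you apply it in the console. It assumes that the highest-priority optional policy whose CIDR blocks contain the terminal's public IP address is the one enforced; the policy names and addresses are constructed sample values.

```python
import ipaddress

MAX_OPTIONAL = 4  # from this topic: up to four optional policies
MAX_CIDRS = 3     # from this topic: up to three CIDR blocks per policy

def validate(required, optional):
    """Return violations of the association limits stated in this topic."""
    problems = []
    if not required:
        problems.append("no required policy (exactly one is needed)")
    if len(optional) > MAX_OPTIONAL:
        problems.append(f"{len(optional)} optional policies (max {MAX_OPTIONAL})")
    for name, cidrs in optional:
        if not 1 <= len(cidrs) <= MAX_CIDRS:
            problems.append(f"{name}: {len(cidrs)} CIDR blocks (1..{MAX_CIDRS})")
    return problems

def effective_policy(client_ip, required, optional):
    """Pick the policy for a terminal IP. `optional` is in priority order.
    Assumption: the first matching optional policy wins, else the required one."""
    ip = ipaddress.ip_address(client_ip)
    for name, cidrs in optional:
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return required

def shadowed(optional):
    """Optional policies that can never be selected because each of their CIDR
    blocks lies inside one block of a higher-priority policy. Conservative:
    coverage by a union of several blocks is not detected."""
    seen, dead = [], []
    for name, cidrs in optional:
        nets = [ipaddress.ip_network(c) for c in cidrs]
        if nets and all(
            any(n.version == s.version and n.subnet_of(s) for s in seen)
            for n in nets
        ):
            dead.append(name)
        seen.extend(nets)
    return dead

# Constructed sample association (documentation address ranges).
REQUIRED = "baseline-restrictive"
OPTIONAL = [
    ("office-egress", ["203.0.113.0/24"]),
    ("vpn-egress", ["198.51.100.0/25"]),
    ("office-printers", ["203.0.113.64/26"]),  # inside office-egress
]
```

A policy reported by `shadowed` is either misordered or redundant; because optional policies outrank the required policy, also check that a broad optional CIDR block does not replace a stricter required policy for more addresses than intended.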
Export a policy
Cloud computer policies can be exported as standard configuration files in JSON format. You can share these files with other users so they can quickly create the same policy by importing them.
Log on to the Elastic Desktop Service Enterprise console.
In the left-side navigation pane, choose .
On the O&M Management > Policy page, find the policy that you want to export, and in the Actions column, click Export Policy.
A JSON file is automatically generated and downloaded to your device.