This post is specifically looking at printer policies to block external users from enabling printers. There is a lack of documentation and a bit of confusion when looking at the policies in XenDesktop.
Let's say you have a simple deployment with internal and external users.
Let’s focus on printing for now. You want to allow internal users to map printers and deny external users from mapping home printers. This would be a DLP strategy to keep data from leaving the session from a remote location. Looking at the policies, you would think that just allowing internal and denying external would work.
Wrong. Printing is actually enabled by default without a policy in place. I could not find this documented anywhere! That should be the first disclaimer on http://support.citrix.com/proddocs/topic/xendesktop-7/ps-console-policies-rules-printer-clients-v2.html.
It took working with support for weeks to find the proper configuration to block printing from external clients. I even worked with the NetScaler teams, thinking the policy had to be tied to the SmartHost name.
The correct configuration is almost a double negative. Set “Client printer redirection – Prohibit” and “Auto-create client printers – Do not create client printers”.
Set the access controller filter to “Allow with Netscaler”, using an asterisk as the farm name and access condition (if you have just one NetScaler). This makes the “deny printers” policy apply to anyone who connects through the NetScaler. If you want to target a specific NetScaler, use the SmartHost name for the Farm Name.
Also apply a second filter to the Delivery Group with “Allow”.
This will block external users from using home printers to print data from a Citrix session. Users will also need to authenticate against the NetScaler when logging on from an external network. This is best practice, but you do have the option to authenticate directly against StoreFront (not recommended).
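
The default-enabled behaviour and the “double negative” can be checked with a small Python model, added here as an example and not taken from Citrix or from the original post. The filter semantics, the `NAIVE` first attempt, the default labels, and the farm and delivery group names are assumptions made for illustration.

```python
from fnmatch import fnmatch

REDIRECT, AUTOCREATE = "Client printer redirection", "Auto-create client printers"
# The post's key point: with no applicable policy, printing is enabled.
# The two default labels are placeholders constructed for this model.
DEFAULTS = {REDIRECT: "Allowed (default)", AUTOCREATE: "Create (default)"}

def filter_matches(flt, session):
    if flt["type"] == "netscaler":
        return session["via_netscaler"] and fnmatch(session["farm"], flt["farm"])
    return session["delivery_group"] == flt["group"]  # type "delivery_group"

def applies(policy, session):
    # Modelling assumption: a matching Deny filter excludes the session,
    # and every Allow filter must match for the policy to apply.
    for flt in policy["filters"]:
        if filter_matches(flt, session) != (flt["mode"] == "Allow"):
            return False
    return True

def effective(policies, session):
    settings = dict(DEFAULTS)  # anything no policy touches stays at its default
    for policy in policies:
        if applies(policy, session):
            settings.update(policy["settings"])
    return settings

def printing_blocked(policies, session):
    eff = effective(policies, session)
    return (eff[REDIRECT], eff[AUTOCREATE]) == ("Prohibit", "Do not create client printers")

# Constructed sessions: the farm and delivery group names are invented.
INTERNAL = {"via_netscaler": False, "farm": "", "delivery_group": "Desktops"}
EXTERNAL = {"via_netscaler": True, "farm": "gw-farm-1", "delivery_group": "Desktops"}

# One reading of the first attempt: allow printing, exclude NetScaler users.
NAIVE = [{"settings": {REDIRECT: "Allowed"},
          "filters": [{"type": "netscaler", "farm": "*", "mode": "Deny"}]}]

# The configuration the post arrives at.
CORRECTED = [{"settings": {REDIRECT: "Prohibit", AUTOCREATE: "Do not create client printers"},
              "filters": [{"type": "netscaler", "farm": "*", "mode": "Allow"},
                          {"type": "delivery_group", "group": "Desktops", "mode": "Allow"}]}]

if __name__ == "__main__":
    for name, cfg in (("naive", NAIVE), ("corrected", CORRECTED)):
        for who, s in (("internal", INTERNAL), ("external", EXTERNAL)):
            print(f"{name:9} {who:8} printing blocked: {printing_blocked(cfg, s)}")
```

In the naive case the external session matches no policy at all, so it falls back to the enabled default; only a prohibiting policy that explicitly applies to NetScaler connections changes the outcome.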