Set-BrokerAccessPolicyRule
Modifies an existing rule in the site’s access policy.
Syntax
Set-BrokerAccessPolicyRule
[-InputObject] <AccessPolicyRule[]>
[-PassThru]
[-AddExcludedClientIPs <IPAddressRange[]>]
[-AddExcludedClientNames <String[]>]
[-AddExcludedSmartAccessTags <String[]>]
[-AddExcludedUsers <User[]>]
[-AddIncludedClientIPs <IPAddressRange[]>]
[-AddIncludedClientNames <String[]>]
[-AddIncludedSmartAccessTags <String[]>]
[-AddIncludedUsers <User[]>]
[-AllowedConnections <AllowedConnection>]
[-AllowedProtocols <String[]>]
[-AllowedUsers <AllowedUser>]
[-AllowRestart <Boolean>]
[-AppProtectionKeyLoggingRequired <Boolean>]
[-AppProtectionScreenCaptureRequired <Boolean>]
[-Description <String>]
[-Enabled <Boolean>]
[-ExcludedClientIPFilterEnabled <Boolean>]
[-ExcludedClientIPs <IPAddressRange[]>]
[-ExcludedClientNameFilterEnabled <Boolean>]
[-ExcludedClientNames <String[]>]
[-ExcludedSmartAccessFilterEnabled <Boolean>]
[-ExcludedSmartAccessTags <String[]>]
[-ExcludedUserFilterEnabled <Boolean>]
[-ExcludedUsers <User[]>]
[-HdxSslEnabled <Boolean>]
[-IncludedClientIPFilterEnabled <Boolean>]
[-IncludedClientIPs <IPAddressRange[]>]
[-IncludedClientNameFilterEnabled <Boolean>]
[-IncludedClientNames <String[]>]
[-IncludedSmartAccessFilterEnabled <Boolean>]
[-IncludedSmartAccessFilterType <String>]
[-IncludedSmartAccessTags <String[]>]
[-IncludedUserFilterEnabled <Boolean>]
[-IncludedUsers <User[]>]
[-RemoveExcludedClientIPs <IPAddressRange[]>]
[-RemoveExcludedClientNames <String[]>]
[-RemoveExcludedSmartAccessTags <String[]>]
[-RemoveExcludedUsers <User[]>]
[-RemoveIncludedClientIPs <IPAddressRange[]>]
[-RemoveIncludedClientNames <String[]>]
[-RemoveIncludedSmartAccessTags <String[]>]
[-RemoveIncludedUsers <User[]>]
[-LoggingId <Guid>]
[<CitrixCommonParameters>]
[<CommonParameters>]
Set-BrokerAccessPolicyRule
[-Name] <String>
[-PassThru]
[-AddExcludedClientIPs <IPAddressRange[]>]
[-AddExcludedClientNames <String[]>]
[-AddExcludedSmartAccessTags <String[]>]
[-AddExcludedUsers <User[]>]
[-AddIncludedClientIPs <IPAddressRange[]>]
[-AddIncludedClientNames <String[]>]
[-AddIncludedSmartAccessTags <String[]>]
[-AddIncludedUsers <User[]>]
[-AllowedConnections <AllowedConnection>]
[-AllowedProtocols <String[]>]
[-AllowedUsers <AllowedUser>]
[-AllowRestart <Boolean>]
[-AppProtectionKeyLoggingRequired <Boolean>]
[-AppProtectionScreenCaptureRequired <Boolean>]
[-Description <String>]
[-Enabled <Boolean>]
[-ExcludedClientIPFilterEnabled <Boolean>]
[-ExcludedClientIPs <IPAddressRange[]>]
[-ExcludedClientNameFilterEnabled <Boolean>]
[-ExcludedClientNames <String[]>]
[-ExcludedSmartAccessFilterEnabled <Boolean>]
[-ExcludedSmartAccessTags <String[]>]
[-ExcludedUserFilterEnabled <Boolean>]
[-ExcludedUsers <User[]>]
[-HdxSslEnabled <Boolean>]
[-IncludedClientIPFilterEnabled <Boolean>]
[-IncludedClientIPs <IPAddressRange[]>]
[-IncludedClientNameFilterEnabled <Boolean>]
[-IncludedClientNames <String[]>]
[-IncludedSmartAccessFilterEnabled <Boolean>]
[-IncludedSmartAccessFilterType <String>]
[-IncludedSmartAccessTags <String[]>]
[-IncludedUserFilterEnabled <Boolean>]
[-IncludedUsers <User[]>]
[-RemoveExcludedClientIPs <IPAddressRange[]>]
[-RemoveExcludedClientNames <String[]>]
[-RemoveExcludedSmartAccessTags <String[]>]
[-RemoveExcludedUsers <User[]>]
[-RemoveIncludedClientIPs <IPAddressRange[]>]
[-RemoveIncludedClientNames <String[]>]
[-RemoveIncludedSmartAccessTags <String[]>]
[-RemoveIncludedUsers <User[]>]
[-LoggingId <Guid>]
[<CitrixCommonParameters>]
[<CommonParameters>]
Description
The Set-BrokerAccessPolicyRule cmdlet modifies an existing rule in the site’s access policy.
An access policy rule defines a set of connection filters and access control rights relating to a desktop group. These allow fine-grained control of what access is granted to a desktop group based on details of, for example, a user’s endpoint device, its address, and the user’s identity.
Changing a rule does not affect existing user sessions, but it may result in users being unable to launch new sessions, or reconnect to disconnected sessions if the change removes access to the desktop group delivering those sessions.
Examples
EXAMPLE 1
Adds user group OFFICE\contractors to the Temp Staff access policy rule. The resources that the group can access are dependent on the existing properties of the rule in addition to the site’s assignment and entitlement policies.
Set-BrokerAccessPolicyRule 'Temp Staff' -AddIncludedUsers office\contractors
EXAMPLE 2
Modifies the Temp Staff access policy rule to deny access from any user device with an IP address matching 10.15.0.0/16, and requires that all connections permitted by the rule come through Access Gateway (assuming that the included SmartAccess tags filter is enabled).
Set-BrokerAccessPolicyRule 'Temp Staff' -ExcludedClientIPFilterEnabled $true -AddExcludedClientIPs '10.15.0.0/16' -AllowedConnections ViaAG
Parameters
-InputObject
The access policy rule to be modified.
Type: | AccessPolicyRule[] |
Position: | 2 |
Default value: | None |
Required: | True |
Accept pipeline input: | True (ByValue) |
Accept wildcard characters: | False |
-Name
The name of the access policy rule to be modified.
Type: | String |
Position: | 2 |
Default value: | None |
Required: | True |
Accept pipeline input: | True (ByPropertyName) |
Accept wildcard characters: | True |
-PassThru
This cmdlet does not generate any output, unless you use the PassThru parameter, in which case it returns the affected record.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddExcludedClientIPs
Adds the specified user device IP addresses to the excluded client IP address filter of the rule.
See the ExcludedClientIPs parameter for more information.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddExcludedClientNames
Adds the specified user device names to the excluded client names filter of the rule.
See the ExcludedClientNames parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddExcludedSmartAccessTags
Adds the specified SmartAccess tags to the excluded SmartAccess tags filter of the rule.
See the ExcludedSmartAccessTags parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddExcludedUsers
Adds the specified users and groups to the excluded users filter of the rule.
See the ExcludedUsers parameter for more information.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddIncludedClientIPs
Adds the specified user device IP addresses to the included client IP address filter of the rule.
See the IncludedClientIPs parameter for more information.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddIncludedClientNames
Adds the specified user device names to the included client names filter of the rule.
See the IncludedClientNames parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddIncludedSmartAccessTags
Adds the specified SmartAccess tags to the included SmartAccess tags filter of the rule.
See the IncludedSmartAccessTags parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AddIncludedUsers
Adds the specified users and groups to the included users filter of the rule.
See the IncludedUsers parameter for more information.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AllowedConnections
Changes whether connections must be local or via Access Gateway, and if so whether specified SmartAccess tags must be provided by Access Gateway with the connection. This property forms part of the included SmartAccess tags filter.
Valid values are Filtered, NotViaAG, ViaAG and AnyViaAG.
For a detailed description of this property see “help about_Broker_AccessPolicy”.
Type: | AllowedConnection |
Accepted values: | Filtered, NotViaAG, ViaAG, AnyViaAG, AnyNotViaAG |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AllowedProtocols
Changes the protocols (for example HDX, RDP) available to the user for sessions delivered from the rule’s desktop group. If the user gains access to a desktop group by multiple rules, the allowed protocol list is the combination of the protocol lists from all those rules.
If the protocol list is empty, access to the desktop group is implicitly denied.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AllowedUsers
Changes the behavior of the included users filter of the rule. This can restrict access to a list of named users or groups, allow access to any authenticated user, any user (whether authenticated or not), or only non-authenticated users. For a detailed description of this property see “help about_Broker_AccessPolicy”.
Valid values are Filtered, AnyAuthenticated, Any, AnonymousOnly and FilteredOrAnonymous.
Type: | AllowedUser |
Accepted values: | Filtered, AnyAuthenticated, Any, AnonymousOnly, FilteredOrAnonymous |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AllowRestart
Changes whether the user can restart sessions delivered from the rule’s desktop group. Session restart is handled as follows: For sessions on single-session power-managed machines, the machine is powered off, and a new session launch request made; for sessions on multi-session machines, a logoff request is issued to the session, and a new session launch request made; otherwise the property is ignored.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AppProtectionKeyLoggingRequired
Specifies whether key logging app protection is required.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Introduced in: | Citrix Virtual Apps and Desktops 7 2106 |
-AppProtectionScreenCaptureRequired
Specifies whether screen capture app protection is required.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Introduced in: | Citrix Virtual Apps and Desktops 7 2106 |
-Description
Changes the description of the rule. The text is purely informational for the administrator; it is never visible to the end user.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Disallowed characters: | All ASCII control characters |
-Enabled
Changes whether the rule is enabled or disabled. A disabled rule is ignored when evaluating the site’s access policy.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedClientIPFilterEnabled
Changes whether the excluded client IP address filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedClientIPs
Changes the IP addresses of user devices explicitly denied access to the rule’s desktop group. Addresses can be specified as simple numeric addresses or as subnet masks (for example, 10.40.37.5 or 10.40.0.0/16). This property forms part of the excluded client IP address filter.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedClientNameFilterEnabled
Changes whether the excluded client names filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedClientNames
Changes which names of user devices are explicitly denied access to the rule’s desktop group. This property forms part of the excluded client names filter.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedSmartAccessFilterEnabled
Changes whether the excluded SmartAccess tags filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedSmartAccessTags
Changes which SmartAccess tags explicitly deny access to the rule’s desktop group if any occur in those provided with the user’s connection. This property forms part of the excluded SmartAccess tags filter.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedUserFilterEnabled
Changes whether the excluded users filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ExcludedUsers
Changes which users and groups are explicitly denied access to the rule’s desktop group. This property forms part of the excluded users filter.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-HdxSslEnabled
Indicates whether TLS encryption is enabled for sessions delivered from the rule’s desktop group.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedClientIPFilterEnabled
Changes whether the included client IP address filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedClientIPs
Changes which IP addresses of user devices are allowed access to the rule’s desktop group. Addresses can be specified as simple numeric addresses or as subnet masks (for example, 10.40.37.5 or 10.40.0.0/16). This property forms part of the included client IP address filter.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedClientNameFilterEnabled
Changes whether the included client name filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedClientNames
Changes which names of user devices are allowed access to the rule’s desktop group. This property forms part of the included client names filter.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedSmartAccessFilterEnabled
Changes whether the included SmartAccess tags filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedSmartAccessFilterType
Changes whether all tags present in IncludedSmartAccessTags must match tags provided by the user’s connection to grant access (MatchAll), or whether any tag matching is sufficient (MatchAny).
Type: | String |
Accepted values: | MatchAny, MatchAll |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Introduced in: | Citrix Virtual Apps and Desktops 7 2305 |
-IncludedSmartAccessTags
Changes which SmartAccess tags grant access to the rule’s desktop group if they occur in those provided with the user’s connection. If multiple tags are specified, access also depends on the IncludedSmartAccessFilterType setting. This property forms part of the included SmartAccess tags filter.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedUserFilterEnabled
Changes whether the included users filter is enabled or disabled. If the filter is disabled, it is ignored when the access policy rule is evaluated.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IncludedUsers
Changes which users and groups are granted access to the rule’s desktop group. This property forms part of the included users filter.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveExcludedClientIPs
Removes the specified user device IP addresses from the excluded client IP address filter of the rule.
See the ExcludedClientIPs parameter for more information.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveExcludedClientNames
Removes the specified user device names from the excluded client names filter of the rule.
See the ExcludedClientNames parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveExcludedSmartAccessTags
Removes the specified SmartAccess tags from the excluded SmartAccess tags filter of the rule.
See the ExcludedSmartAccessTags parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveExcludedUsers
Removes the specified users and groups from the excluded users filter of the rule.
See the ExcludedUsers parameter for more information.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveIncludedClientIPs
Removes the specified user device IP addresses from the included client IP address filter of the rule.
See the IncludedClientIPs parameter for more information.
Type: | IPAddressRange[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveIncludedClientNames
Removes the specified client names from the included client names filter of the rule.
See the IncludedClientNames parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveIncludedSmartAccessTags
Removes the specified SmartAccess tags from the included SmartAccess tags filter of the rule.
See the IncludedSmartAccessTags parameter for more information.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RemoveIncludedUsers
Removes the specified users and groups from the included users filter of the rule.
See the IncludedUsers parameter for more information.
Type: | User[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LoggingId
Specifies the identifier of the high level operation that this cmdlet call forms a part of. Desktop Studio and Desktop Director typically create High Level Operations. PowerShell scripts can also wrap a series of cmdlet calls in a High Level Operation by way of the Start-LogHighLevelOperation and Stop-LogHighLevelOperation cmdlets.
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
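One way to use -LoggingId so that an access policy change is recorded under a single High Level Operation, shown as an added example that is not part of the original reference. It assumes the Citrix PowerShell SDK is loaded and that the Temp Staff rule from the examples above exists; the operation text and the script name passed to -Source are constructed.

```powershell
# Added example, not Citrix's own code. Assumes the Citrix PowerShell SDK is
# loaded and that a rule named 'Temp Staff' exists in the site.
$op = Start-LogHighLevelOperation `
        -Text 'Exclude 10.15.0.0/16 from Temp Staff' `
        -Source 'access-policy-change.ps1'    # constructed script name

$ok = $false
try {
    # -PassThru returns the affected record(s) so the result can be checked.
    $changed = @(Set-BrokerAccessPolicyRule -Name 'Temp Staff' `
                    -ExcludedClientIPFilterEnabled $true `
                    -AddExcludedClientIPs '10.15.0.0/16' `
                    -LoggingId $op.Id -PassThru -ErrorAction Stop)

    # -Name accepts wildcards, so confirm exactly one rule was modified and
    # that the exclusion filter is actually switched on.
    $ok = ($changed.Count -eq 1) -and $changed[0].ExcludedClientIPFilterEnabled
}
finally {
    # Close the operation either way so the log records success or failure.
    Stop-LogHighLevelOperation -HighLevelOperationId $op.Id -IsSuccessful $ok
}
```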
CitrixCommonParameters
This cmdlet supports the common Citrix parameters: -AdminAddress, -AdminClientIP, -BearerToken, -TraceParent, -TraceState and -VirtualSiteId. For more information, see about_CitrixCommonParameters.
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
Citrix.Broker.Admin.SDK.AccessPolicyRule
The access policy rule to be modified.
Outputs
None, or Citrix.Broker.Admin.SDK.AccessPolicyRule
This cmdlet does not generate any output, unless you use the PassThru parameter, in which case it generates a Citrix.Broker.Admin.SDK.AccessPolicyRule object.
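Because a disabled filter is ignored when the rule is evaluated, a rule can carry exclusion lists or an AllowedConnections value that have no effect. The following added example (not Citrix's own code) audits rule objects for that condition and for the non-authenticated access and TLS settings described above. The function name Test-AccessPolicyRule and the sample rules are constructed, and the property names are assumed to match the parameter names on this page.

```powershell
# Added example: flags enabled access policy rules whose settings are weaker
# than they look. Test-AccessPolicyRule is a hypothetical name.
function Test-AccessPolicyRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule
    )
    begin {
        # Each exclusion list and the switch that must be $true for it to apply.
        $excluded = [ordered]@{
            ExcludedClientIPs       = 'ExcludedClientIPFilterEnabled'
            ExcludedClientNames     = 'ExcludedClientNameFilterEnabled'
            ExcludedSmartAccessTags = 'ExcludedSmartAccessFilterEnabled'
            ExcludedUsers           = 'ExcludedUserFilterEnabled'
        }
    }
    process {
        if (-not $Rule.Enabled) { return }  # a disabled rule is ignored entirely
        $findings = [System.Collections.Generic.List[string]]::new()

        foreach ($pair in $excluded.GetEnumerator()) {
            $values = @($Rule.($pair.Key) | Where-Object { $null -ne $_ })
            if ($values.Count -gt 0 -and -not $Rule.($pair.Value)) {
                $findings.Add("$($pair.Key) is populated but $($pair.Value) is false, so the exclusion is ignored")
            }
        }
        # AllowedConnections is part of the included SmartAccess tags filter.
        if ("$($Rule.AllowedConnections)" -in 'ViaAG', 'AnyViaAG' -and
            -not $Rule.IncludedSmartAccessFilterEnabled) {
            $findings.Add("AllowedConnections=$($Rule.AllowedConnections) has no effect: included SmartAccess tags filter is disabled")
        }
        if ("$($Rule.AllowedUsers)" -in 'Any', 'AnonymousOnly', 'FilteredOrAnonymous') {
            $findings.Add("AllowedUsers=$($Rule.AllowedUsers) admits non-authenticated users")
        }
        if (-not $Rule.HdxSslEnabled) {
            $findings.Add('HdxSslEnabled is false: TLS encryption is not enabled for sessions')
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Rule = $Rule.Name; Findings = $findings.ToArray() }
        }
    }
}

# Constructed sample rules (not from a real site), shaped like AccessPolicyRule records.
$sampleRules = @(
    [pscustomobject]@{
        Name = 'Temp Staff'; Enabled = $true; AllowedUsers = 'Filtered'; HdxSslEnabled = $true
        AllowedConnections = 'ViaAG'; IncludedSmartAccessFilterEnabled = $false
        ExcludedClientIPs = @('10.15.0.0/16'); ExcludedClientIPFilterEnabled = $false
    }
    [pscustomobject]@{
        Name = 'Kiosk'; Enabled = $true; AllowedUsers = 'Any'; HdxSslEnabled = $false
        AllowedConnections = 'Filtered'; IncludedSmartAccessFilterEnabled = $true
    }
)
$sampleRules | Test-AccessPolicyRule | Format-List

# Against a live site: Get-BrokerAccessPolicyRule | Test-AccessPolicyRule
```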