How to Create USB Policy Rules

book

Article ID: CTX119722

calendar_today

Updated On:

Description

This article describes the default USB policy rules in Desktop Delivery Controller (DDC) including their semantics.
Note: *XenDesktop 5.5 does not have any pre-configured default polices.

Instructions

Default Policy

The following are the default policy configuration:

DENY: class=09 # Hub devices
DENY: class=03 subclass=01 # HID Boot device (keyboards and mice)
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless Controllers
DENY: class=02 # Communications and CDC Control
DENY: class=0a # CDC Data
ALLOW: # Ultimate fallback: allow everything else

How It Works

When a user plugs in a simple USB device, the host device checks it against each policy rule consecutively until a match is found. The first match for any device is considered definitive. If the first match is an Allow rule, the device is redirected to the virtual desktop. If the first match is a Deny rule, the device is available only to the local desktop (that is its not redirected). If no match is found, default rules are used.
User-added image
When a user plugs in a composite USB device (a device with multiple functions (interfaces) for example audio headset with speaker, mic and HID button) the host device checks for all functions (interfaces) against each policy rule. If the first match for any function(interface) is a Deny rule, the rule is considered definitive for the composite device and device is denied. If the first match for a function (interface) is an Allow rule, the host device continues to match the rules against next function (interface). The composite device is allowed if no function (interface) is denied by a policy rule. If definitive match for composite device is a Deny Rule, the device is available only to the local desktop otherwise the device is remoted to the virtual desktop. If no match is found, default rules are used.

User-added image

Creating New USB Policy Rules

Refer to the Citrix Receiver for Windows documentation for information on Updating the List of USB Devices Available for Remoting.
Tip: When creating new policy rules, refer to the USB Class Codes , available from the USB web site.
Policy rules take the format {Allow:|Deny:} followed by a set of tag=value expressions separated by whitespace. The following tags are supported:

Tag	Description
VID	Vendor ID from the device descriptor
PID	Product ID from the device descriptor
REL	Release ID from the device descriptor
Class	Class from either the device descriptor or an interface descriptor
SubClass	Subclass from either the device descriptor or an interface descriptor
Prot	Protocol from either the device descriptor or an interface descriptor

When creating new policy rules, consider the following:

Rules are case-insensitive.
Rules might have an optional comment at the end, introduced by #. A delimiter is not required and the comment is ignored for matching purposes.
Blank and pure comment lines are ignored.
Whitespace is used as a separator, but cannot appear in the middle of a number or identifier, for example, Deny: Class = 08 SubClass=05 is a valid rule; Deny: Class=0 Sub Class=05 is not.
Tags must use the matching operator =. For example, VID=1230.
Each rule must start on a new line or form part of a semicolon separated list.

Important! If you are using the Administrative (ADM) template, you must create rules on a single line, as a semicolon-separated list.
For example a set of administrator-defined USB policy rules:
Allow: VID=1230 PID=0007 # ANOther Industries, ANOther Flash Drive
Deny: Class=08 SubClass=05 # Mass Storage

Issue/Introduction

This article describes the default USB policy rules in DDC including their semantics.

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"