XSTRA
XDESK – Terms & Conditions
Security baseline, session controls, account lifecycle rules, and support boundaries for XDESK.
Overview
This page outlines the baseline policies applied to XDESK (hosted desktops and remote app access). These policies apply to all users unless a specific written exception is recorded for your organisation.
Quick summary
  • Strong identity baseline: long passwords (passphrases encouraged) and lockout controls.
  • Session safety: idle sessions are disconnected automatically to reduce risk and resource use.
  • Account hygiene: inactive accounts are restricted and then removed to reduce attack surface and unnecessary costs.
  • Backup clarity: backups support recovery, but do not equal “real-time cyber protection”.
  • Clear support boundaries: what’s included vs optional billable support is defined below.
Security Baseline Policies
Our baseline is designed to align with the intent of the ACSC Essential Eight (strong identities, least privilege, and safe session behaviour), while keeping policies practical for end users.
1) Password policy (passphrase-first)
  • Minimum length: 14 characters.
  • Must not include: the user’s name or username.
  • Recommended format: long passphrases (easy to remember, hard to guess). Example: Everysummerisfishingtime2025!!
  • Reuse protection: the last 10 passwords are remembered and cannot be reused.
  • Change timing: users must wait at least 1 day between password changes.
Password expiry: XSTRA does not enforce routine password expiry by default. Password resets are required when there is evidence of compromise, suspected compromise, or on request by the Client for compliance reasons (where a client mandates periodic expiry, we can apply it by written directive). If a Client does not use Multi-Factor Authentication (MFA) for access to XDESK (or any other online service), the Client is responsible for implementing and enforcing a regular password change schedule. XSTRA recommends this as a risk-reduction measure where MFA is not in place.
2) Account lockout policy (brute-force protection)
XSTRA enforces account lockout settings to reduce the risk of credential stuffing and brute-force login attempts.
Setting | Value
Lockout threshold | 10 invalid logon attempts
Lockout duration | 30 minutes
Counter reset | Resets after 30 minutes with no failed attempts
These settings form part of our baseline security posture. For more information on the ACSC Essential Eight framework, see: ACSC Essential Eight.
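The lockout settings above, modelled as a small per-account state machine to show how the threshold, the lockout duration and the counter reset interact. This is an added example, not XSTRA's implementation; the class and function names are hypothetical, and clearing the counter on a successful logon is an assumption the page does not state.

```python
from datetime import datetime, timedelta

# Values from the lockout table on this page.
LOCKOUT_THRESHOLD = 10
LOCKOUT_DURATION = timedelta(minutes=30)
COUNTER_RESET = timedelta(minutes=30)


class LockoutTracker:
    """Per-account failed-logon counter (illustrative model only)."""

    def __init__(self):
        self.failures = 0
        self.last_failure = None
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for one logon attempt at `now`."""
        if self.is_locked(now):
            return "locked"  # rejected even when the password is correct
        if self.locked_until is not None:
            # The lockout has expired: start again from a clean counter.
            self.failures, self.locked_until = 0, None
        if self.last_failure and now - self.last_failure >= COUNTER_RESET:
            self.failures = 0  # 30 minutes with no failed attempts
        if password_ok:
            self.failures = 0  # assumption: a good logon clears the counter
            return "ok"
        self.failures += 1
        self.last_failure = now
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"


def replay(events):
    """Replay (minute_offset, password_ok) pairs; return each outcome."""
    start = datetime(2025, 7, 1, 9, 0)  # constructed timestamp
    tracker = LockoutTracker()
    return [tracker.attempt(start + timedelta(minutes=m), ok) for m, ok in events]
```

Replaying one failure every 31 minutes never locks the account in this model, which is why lockout limits the rate of guessing rather than replacing MFA or long passphrases.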
3) Multi-Factor Authentication (MFA)
MFA significantly reduces risk from stolen passwords. Where available and feasible, XSTRA recommends MFA for all remote access. MFA may be required for privileged/admin access, and can be deployed using XSTRA security services where contracted.
For information on XSTRA’s cybersecurity services, see: XFORCE.
Session Management
Idle session disconnect policy
XDESK sessions that are active but idle (no keyboard/mouse input) will be automatically disconnected after 2 hours of inactivity.
  • Reduces the risk of unattended sessions being exploited
  • Frees resources tied to inactive sessions
  • Encourages better session hygiene for shared environments
Important: save your work before disconnecting
XDESK sessions are often persistent between logon/logoff events; however, sessions can be terminated to facilitate maintenance and administrative tasks. Users should always save all work before disconnecting.
To understand when maintenance may occur, refer to: XDEVICE – Maintenance Schedule.
Backup & Recovery Statements
For clarity regarding statements about data protection, cyber protection, and the scope of backups vs real-time threat prevention, please refer to the dedicated policy page:
XDESK – User Account Disablement & Deletion Policy
Often clients forget to disable a user account with us and incur costs that should have been avoided. Unless we have written directives from the Client to the contrary, XSTRA will apply the following:
Trigger | Action | Notes
45 days | Disable remote access | Remote application and/or desktop access (including RDP and/or ICA) is disabled for any user account that has not been used for 45 days.
135 days | Delete AD account | The Active Directory (AD) user account is deleted if it has not been logged into for 135 days.
Pre-deletion checks | Review cloud identity & licensing | Before deleting an AD account, we check if the user also exists in Azure AD via directory sync (where applicable). If the user exists in Azure AD and has an Office 365 license and has logged into Office 365 within the past 135 days, we will follow one of the below (subject to client directives):
  • Convert the Azure AD identity to a Cloud Only account type (to preserve the cloud identity), or
  • Un-assign the Office 365 license, follow any client-specific procedures for license removal, and then delete the Azure AD user.
Retention / legal hold note: If your organisation requires retention, archiving, or legal hold, you must provide written directives to XSTRA so account actions align with your policy and compliance obligations.
XDEVICE – PC Edition Subscription (Mandatory)
To maintain the security and integrity of each Client’s XDESK environment, all Windows PCs owned and used within the Client’s environment must be covered by an XDEVICE PC Edition subscription. This reduces cyber risk from unmanaged endpoints, improves visibility, and simplifies supportability.
Included entitlement (effective 1 July 2025)
Each XDESK user subscription includes one complimentary XDEVICE PC Edition subscription. If the number of PCs exceeds the number of active XDESK users, additional XDEVICE PC Edition subscriptions will be billed separately at the prevailing rate.
In most cases, the Client will need to contact XSTRA to have additional XDEVICE subscriptions added.
XDESK Support Policy
This section outlines what support is included with your XDESK subscription and the options available for additional assistance.
1) What’s included in XDESK support
  • Ensuring you can successfully connect to your XDESK environment.
  • Ensuring the XDESK system is operating as expected.
  • Microsoft operating system components directly integrated into the XDESK service.
  • Citrix Virtual Apps and Desktops and other core components used within XDESK.
2) Third-party software support options
XSTRA does not provide complimentary support for third-party applications installed in XDESK. Where needed, you can choose from the following structured options:
Option | Pricing | What you get
Microsoft 365 support (X365-PLUS) | Per plan / per user | Support for Microsoft 365 applications such as Outlook, Teams, and OneDrive via X365-PLUS.
XDESK – App-Pool Support | From $6 per user / month per software title | Installation and maintenance of XSTRA-approved third-party software within XDESK.
  • Includes installation and configuration only
  • Excludes training and ongoing usage support
  • Complex/vendor-supported apps (e.g., AutoCAD, Adobe) are excluded
  • Examples: common browsers (Chrome/Edge), and XSTRA-developed software
XDESK – Chaperone Support | 50% off Schedule 1 Rates | XSTRA acts as liaison between you and a third-party vendor/support team. We coordinate communication and provide technical context.
High-risk configurations (elevated privileges)
If your setup requires elevated permissions (e.g., admin access), XSTRA can support this; however, it increases risk and can reduce XSTRA’s visibility. Setup and further troubleshooting will be billed at the agreed rate for the work performed.
General Legal Information
For broader legal terms that apply to XSTRA services, see the relevant legal pages and trading terms on x.direct. Where there is any conflict between service-specific policies and overarching terms, the overarching terms apply unless explicitly stated otherwise.

© 2021–2026 XSTRA Group Pty Ltd (Australia). All rights reserved.
