I have configured sys-gui in accordance with the documentation below:
However, the sys-gui session’s power system tray applet doesn’t display the battery’s charge level:
It also has no Network Manager applet, and the USB Manager applet is not populated with any USB devices. This makes it difficult to use as a daily driver.
One approach is to shut down sys-gui, and then change the guivm for both the sys-net and sys-usb qubes:
qvm-prefs sys-net guivm sys-gui
qvm-prefs sys-usb guivm sys-gui
However, I would prefer to not then grant the sys-gui user access to both of these qubes.
I tried locking down access for sys-gui like this, but it did not work:
admin.vm.Console * sys-gui sys-net deny
admin.vm.Console * sys-gui sys-usb deny
qubes.VMRootShell * sys-gui sys-net deny
qubes.VMRootShell * sys-gui sys-usb deny
qubes.VMShell * sys-gui sys-net deny
qubes.VMShell * sys-gui sys-usb deny