Enterprise Mobility and Security Blog

Today, we are happy to announce that customers using the Remote Desktop app on iOS 8+ and Android 4+ can now use Microsoft Intune mobile application management (MAM) capabilities to more securely control the usage of the Remote Desktop app within their organization. These capabilities are available on our Remote Desktop app for Android version 8.1.24+ and Remote Desktop app for iOS version 8.1.14+. Combined with our recent update to support Multi-Factor Authentication for Azure RemoteApp, Azure RemoteApp now offers controls for protecting corporate data on mobile devices while preserving a rich and productive experience for users.

Managing Remote Desktop Client applications with Microsoft Intune

Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite, provides MAM capabilities for the Microsoft Remote Desktop applications. With Intune MAM, you can restrict actions such as cut, copy, and paste of corporate data between Intune-managed apps and apps that are not managed by Intune. You can also require the entry of a PIN or corporate credentials when a managed application is launched, preventing accidental access to corporate data by unauthorized users.

How the solution works on the Remote Desktop Client applications

As an Intune administrator, you can now create MAM policies and associate them with your Remote Desktop Client app deployments. Then, when the user launches the Remote Desktop Client app on an Intune-managed device, Intune will apply these settings to protect the remote desktops and RemoteApps you can access. The MAM policies allow you to customize these settings for the Remote Desktop apps to achieve the level of protection that meets your organization’s needs, such as:

  • Application access: When the user is accessing the Remote Desktop app, require a PIN or corporate credentials to be entered.
  • Restrict cut/copy/paste: Prevent users from copying data from corporate desktops/applications onto non-managed applications.
  • Screenshots: Prevent users from taking screenshots while in the application on Android. On iOS, this can be configured via device policy.
  • Encryption: Encrypt corporate application data. Use this policy to protect data on redirected drives on your Android devices.

Step 1: Create a mobile application management policy

Your MAM policy dictates which restrictions are placed on your deployment of Remote Desktop Client for iOS or Android. Intune applies this policy to the apps when they are initially deployed and also gives you the option to update the settings even after the apps have been installed by users.

On the device, these settings will be applied when the user launches the Remote Desktop app.

To create a Mobile Application Management policy, go to Policy > Configuration Policies and select Add… Then choose Software > Mobile Application Management Policy (select iOS or Android). Select the settings you require, and click Save Policy.

Step 2: Add the RD Client app to your Intune app catalog

To deploy the RD Client app to end users, you will need to upload the app information to the Intune admin console. The RD Client apps are available in the Google Play and iOS App Stores, so all you need to do is add links to those apps to Intune and deploy the apps.

In the Intune console, go to Apps > Add Apps. Under Select how this software is made available to devices, choose:

  • External link for the Android app and enter the link:

https://play.google.com/store/apps/details?id=com.microsoft.rdc.android

  • Managed iOS App from the App Store for the iOS app and enter the link:

https://itunes.apple.com/us/app/microsoft-remote-desktop/id714464092?mt=8

Then complete the wizard to upload the app. For more details on app deployment, see the TechNet article here.

Step 3: Deploy the RD Client app with your mobile application management policy

You are now ready to deploy the Remote Desktop app with a MAM policy. In the Intune console, navigate to Apps > Apps. Locate Remote Desktop Client on that list, and click Manage Deployment…

First, you will select the groups for the deployment and the deployment action for each group. Then, on the Mobile App Management tab, you can choose the MAM policy that you created in step 1. If you need different MAM policies per group in the deployment, you can create additional MAM policies and target them to the appropriate groups on this page.

When you finish this wizard, the Remote Desktop app is deployed to the selected group(s) with the selected policy or policies. If you need to change the policy in the future, remember that you can either edit the policy itself, or add a new MAM policy to the deployment in the Manage Deployment wizard.

Use the managed Remote Desktop Client application

To access the managed Remote Desktop client application, open the Intune Company Portal application on your Intune-managed device and install the Remote Desktop client application from the Intune Company Portal.

Depending on the policies that you have applied to the Remote Desktop client application, you will now notice that certain actions are restricted in the Remote Desktop client.

Figure 1: Android Remote Desktop Client with PIN policy applied

Additional Information

Over the next few weeks, we will be adding more capabilities to manage the Remote Desktop Client iOS and Android applications, including support for Intune MAM without device enrollment. With this new improvement in Intune, you can manage the Remote Desktop application on iOS and Android devices without requiring enrollment into Intune MDM. You can also look forward to management capabilities for Remote Desktop apps for Windows 10 that will leverage Windows Enterprise Data Protection (EDP) in the near future.

For more information on Intune mobile application management, check out the article on how to ‘Control apps using mobile application management policies with Microsoft Intune’ in the Intune Documentation Library. Additionally, make sure to visit the Remote Desktop UserVoice site and Intune UserVoice site where you can submit your ideas for new product features and vote for ideas submitted by the community.