Secure apps and resources in Azure RemoteApp

[AZURE.IMPORTANT] Azure RemoteApp is being discontinued. Read the announcement for details.

Azure RemoteApp provides users access to centrally-managed Windows apps, which lets you control what your users can and can't do. This is particularly useful when the user is connecting from an unmanaged device (like their personal MacBook) and you want to control the user's access or experience.

For example, if you are using Active Directory for user authentication and you want to prevent your users from copying data out of an app, you can configure a Remote Desktop Group Policy to block users from copying data.

Another example is if you want to block internet access for a particular app in your collection. You can create a Windows Firewall rule that blocks the access when you create the image for your collection.

Implementation options

Here are the key implementation options, which can be used individually or in tandem as needed:

  1. If your RemoteApp collection is domain joined, you can enforce any Group Policy (with the exception of the Idle and Disconnect timeout policies described here).
  2. As an alternative to Group Policy (if your collection is not domain joined or you don't have the right privileges in AD), you can configure Local Policies in your template image. Note that Group Policies take precedence over Local Policies when there is a conflict.
  3. Some OS/app settings are not configurable via policy, but can be set through a registry key, using the RegEdit tool, while you configure your template image.
  4. You can use Windows Firewall to control network access to and from the machine where the app is running. Just make sure you don't block the URLs and ports defined here.
  5. You can use AppLocker to control which applications and files users can run. For example, savvy users can figure out how to run applications that you did not publish but that are available in the image you used to create the collection - AppLocker can block this.
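
The two examples from the introduction (blocking internet access for one app and blocking clipboard copy) can be scripted while you build the template image. The following PowerShell is an added example, not part of the original article or Microsoft's own tooling. The app path and rule name are hypothetical, and `fDisableClip` is used on the assumption that the "Do not allow Clipboard redirection" Remote Desktop policy is the one you want to set locally.

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated session on the template image before capture.
# $AppPath and $RuleName are hypothetical; substitute the app installed in your image.
$AppPath  = 'C:\Program Files\Contoso\Viewer\viewer.exe'
$RuleName = 'RemoteApp - block outbound - viewer.exe'

# A program-scoped rule with a wrong path silently matches nothing, so fail early.
if (-not (Test-Path -LiteralPath $AppPath)) {
    throw "App not found at '$AppPath'; the firewall rule would have no effect."
}

# 1. Block outbound traffic for this one executable only. Scoping by -Program
#    leaves other processes untouched, so the URLs and ports that RemoteApp
#    itself requires are not affected by this rule.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Program $AppPath -Action Block -Profile Any | Out-Null
}

# 2. Disable clipboard redirection for Remote Desktop sessions on this image.
#    This is the registry value behind the "Do not allow Clipboard redirection"
#    policy; a conflicting domain Group Policy still wins on a domain-joined
#    collection.
$TsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path -Path $TsKey)) {
    New-Item -Path $TsKey -Force | Out-Null
}
New-ItemProperty -Path $TsKey -Name 'fDisableClip' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# 3. Read both settings back so the image is not captured with a half-applied state.
$rule      = Get-NetFirewallRule -DisplayName $RuleName
$appFilter = $rule | Get-NetFirewallApplicationFilter
$clip      = (Get-ItemProperty -Path $TsKey -Name 'fDisableClip').fDisableClip

[pscustomobject]@{
    FirewallRuleEnabled = ($rule.Enabled -eq 'True')
    FirewallAction      = $rule.Action
    FirewallProgram     = $appFilter.Program
    ClipboardBlocked    = ($clip -eq 1)
}
```

Because the firewall rule is keyed to a file path, it does not follow the executable if it is copied or renamed; AppLocker (option 5) is the control that restricts which executables users can run.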

Detailed information