Control use of Chrome Remote Desktop
As an administrator, you can control whether users can access other computers from Chrome. Users on a domain with Hangouts enabled can set up remote access using Chrome Remote Desktop. This Chrome app lets them use a computer or mobile device (client) to access files and applications on another computer (host) over the Internet.
Note: Chrome Remote Desktop requires Google Hangouts to be enabled.
Block Chrome Remote Desktop installation
To block users from installing Chrome Remote Desktop, follow the same procedures you use to block them from installing any other Chrome app. See Chrome Apps and Extensions.
Control Chrome Remote Desktop network settings
To enable Chrome Remote Desktop for local area network or VPN users only, disable firewall traversal by setting the RemoteAccessHostFirewallTraversal policy on Windows and Mac machines.
To disable firewall traversal:
- Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostFirewallTraversal to 0.
- Mac: Set RemoteAccessHostFirewallTraversal to NO in ~/Library/Preferences/com.google.Chrome.plist.
Block Chrome Remote Desktop hosts and clients
To block users on your network from remotely accessing other computers using Chrome Remote Desktop, or to prevent computers on your network from being remotely accessed with Chrome Remote Desktop, black hole the appropriate Chrome Remote Desktop DNS entries on your DNS server. To black hole an entry is to configure your DNS server to reroute traffic addressed to the entry to an invalid IP address. This causes the server to silently drop the traffic.
To block users on your network from remotely accessing other computers using Chrome Remote Desktop, black hole the chromoting-oauth.talkgadget.google.com and chromoting-client.talkgadget.google.com Chrome Remote Desktop client DNS entries.
To prevent computers on your network from being remotely accessed via Chrome Remote Desktop, black hole chromoting-host.talkgadget.google.com.
Enable Chrome Remote Desktop hosts for managed devices only
To let users remotely access managed (corporately-owned) devices on your network while blocking their access to all other devices:
1. Black hole the chromoting-host.talkgadget.google.com DNS entry as described above.
2. Create an entry that routes Chrome Remote Desktop host traffic to a different DNS name than the one used by default.
   - Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostTalkGadgetPrefix to a literal to use a different DNS entry. For example, allowed-chromoting-host causes hosts to connect to Google Talk at allowed-chromoting-host.talkgadget.google.com.
   - Mac: Set RemoteAccessHostTalkGadgetPrefix to a literal in ~/Library/Preferences/com.google.Chrome.plist. For example, allowed-chromoting-host causes hosts to connect to Google Talk at allowed-chromoting-host.talkgadget.google.com.
3. Create an entry in your DNS server that maps the DNS name from step 2 to the IP address for the base talkgadget.google.com domain.
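To confirm that the DNS black holes and the managed-device alias described above are in effect, the following added example (not part of the original page or any Google tooling) checks what a resolver returns for each name. The sinkhole addresses, the function names and the constructed sample answers are assumptions; the host names and the example prefix come from the page.

```python
import socket

# Host names from the page; ALLOWED_PREFIX is the page's example prefix.
CLIENT_NAMES = ["chromoting-oauth.talkgadget.google.com",
                "chromoting-client.talkgadget.google.com"]
HOST_NAME = "chromoting-host.talkgadget.google.com"
BASE_NAME = "talkgadget.google.com"
ALLOWED_PREFIX = "allowed-chromoting-host"
# Assumption: addresses your DNS server hands out for black-holed names.
SINKHOLES = frozenset({"0.0.0.0", "127.0.0.1", "::"})


def system_resolver(name):
    """Addresses the local resolver returns for name (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def audit_dns(resolve=system_resolver, block_clients=True, block_hosts=True,
              allowed_prefix=None, sinkholes=SINKHOLES):
    """Return findings; an empty list means DNS matches the intended setup."""
    findings = []
    names = (CLIENT_NAMES if block_clients else []) + \
            ([HOST_NAME] if block_hosts else [])
    for name in names:
        leaked = set(resolve(name)) - sinkholes  # no answer counts as blocked
        if leaked:
            findings.append(f"{name} still resolves to {sorted(leaked)}")
    if allowed_prefix:
        alias = f"{allowed_prefix}.{BASE_NAME}"
        alias_addrs = set(resolve(alias)) - sinkholes
        if not alias_addrs:
            findings.append(f"{alias} has no usable DNS entry")
        elif not alias_addrs & set(resolve(BASE_NAME)):
            findings.append(f"{alias} does not map to an address of {BASE_NAME}")
    return findings


# Constructed answers (documentation addresses): the host entry was missed.
SAMPLE_DNS = {
    CLIENT_NAMES[0]: {"0.0.0.0"},
    CLIENT_NAMES[1]: set(),
    HOST_NAME: {"192.0.2.10"},
    f"{ALLOWED_PREFIX}.{BASE_NAME}": {"192.0.2.10"},
    BASE_NAME: {"192.0.2.10"},
}
```

Call audit_dns(allowed_prefix=ALLOWED_PREFIX) from a machine that uses your DNS server to check the live configuration; pass a lookup over SAMPLE_DNS as the first argument to see the finding for the missed host entry.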
Enable Curtain Mode for Chrome Remote Desktop
To prevent someone physically present at a host machine from seeing what a user is doing while a remote connection is in progress, set the RemoteAccessHostRequireCurtain policy on Mac machines. Learn more about Curtain Mode under Access your computer.
- Steps for all Windows installations:
  Note: The parent keys may not exist (even with Chrome installed) and will need to be created. The "1" is of type DWORD-32.
  1. Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain to 1.
  2. Enable RDP connections to the machine by selecting Control Panel\System and Security\System > Remote settings > "Allow connections from computers running any version of Remote Desktop (less secure)".
- Additional step for Windows 10 installations:
  Follow the steps above for all Windows installations, and then do the following after step 2:
  Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 1.
  For additional information on this key and value, please see Configure Server Authentication and Encryption Levels on the Microsoft Windows Server website.
- Steps for Mac installations:
  Set the default value of RemoteAccessHostRequireCurtain to true using the defaults command for both the current user and root:
    defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true
    sudo defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true
  To restore RemoteAccessHostRequireCurtain, delete the key from the defaults for the current user and root:
    defaults delete com.google.Chrome RemoteAccessHostRequireCurtain
    sudo defaults delete com.google.Chrome RemoteAccessHostRequireCurtain
Enable Account Name Matching for Chrome Remote Desktop
If you'd like to require that users register their machines for remote access using a Google Account that matches their local machine account, set the RemoteAccessHostMatchUsername policy on Windows and Mac machines.
- Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostMatchUsername to 1.
- Mac: Set RemoteAccessHostMatchUsername to YES in ~/Library/Preferences/com.google.Chrome.plist.
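To check that a Mac actually carries the firewall traversal, Curtain Mode, account matching and prefix settings described on this page, the following added example (not part of the original page) parses a Chrome preferences plist and reports every key that is missing, has the wrong value, or is stored with the wrong type. The baseline dictionary, the function name and the constructed sample plist are assumptions; the key names and values come from the page.

```python
import plistlib

# Values the page prescribes for the Mac plist (YES/NO are plist booleans).
# The prefix is the page's example value, not a required name.
BASELINE = {
    "RemoteAccessHostFirewallTraversal": False,
    "RemoteAccessHostRequireCurtain": True,
    "RemoteAccessHostMatchUsername": True,
    "RemoteAccessHostTalkGadgetPrefix": "allowed-chromoting-host",
}


def audit_plist(data, baseline=BASELINE):
    """Compare plist bytes (XML or binary) with the baseline; return findings."""
    prefs = plistlib.loads(data)
    findings = []
    for key, want in baseline.items():
        if key not in prefs:
            findings.append(f"{key}: not set (expected {want!r})")
            continue
        got = prefs[key]
        if type(got) is not type(want):
            # e.g. a value written without -boolean is stored as a string
            findings.append(f"{key}: stored as {type(got).__name__} {got!r}, "
                            f"expected {type(want).__name__}")
        elif got != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    return findings


# Constructed sample: traversal left on, curtain stored as a string, no prefix.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RemoteAccessHostFirewallTraversal</key><true/>
  <key>RemoteAccessHostRequireCurtain</key><string>true</string>
  <key>RemoteAccessHostMatchUsername</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in audit_plist(SAMPLE_PLIST):
        print(line)
```

On a real machine, pass the bytes of ~/Library/Preferences/com.google.Chrome.plist, or the output of `defaults export com.google.Chrome -`, for both the current user and root.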