Control use of Chrome Remote Desktop

As an administrator, you can control whether users can access other computers from Chrome using Chrome Remote Desktop.

Control Chrome Remote Desktop network settings

To enable Chrome Remote Desktop for local area network or VPN users only, disable firewall traversal by setting the RemoteAccessHostFirewallTraversal policy on Windows and Mac machines.

To disable firewall traversal:

  • Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostFirewallTraversal to 0.
  • Mac: Set RemoteAccessHostFirewallTraversal to NO in ~/Library/Preferences/com.google.Chrome.plist.

Block Chrome Remote Desktop functionality

To prevent users on your network from remotely accessing other computers or to prevent computers on your network from being remotely accessed with Chrome Remote Desktop, block the appropriate Chrome Remote Desktop URLs.

Chrome Remote Desktop clients include a website (https://remotedesktop.google.com) and mobile apps for Android and iOS. All three use the same service API, so blocking it prevents all Chrome Remote Desktop functionality on your network.

Blocking https://remotedesktop-pa.googleapis.com prevents all Chrome Remote Desktop functionality, for both outgoing connections from clients on your network and incoming connections to hosts on your network. Though not necessary if the API is blocked, you may also block https://remotedesktop.google.com, which prevents the web client from being loaded.

Enable Curtain Mode for Chrome Remote Desktop

Note for Windows users: This feature only works on Windows devices running Windows Professional, Ultimate, Enterprise, or Server.

To prevent someone physically present at a host machine from seeing what a user is doing while a remote connection is in progress, set the RemoteAccessHostRequireCurtain policy on Mac machines. With this policy set, anyone physically present at the host machine is blocked from seeing your actions on the device while you're remotely connected. Learn more about Curtain Mode under Access your computer.

Steps for all Windows installations:

Note: The parent keys may not exist (even with Chrome installed) and will need to be created. The "1" is of type DWORD-32.

  1. Using Regedit, set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain to 1.
  2. Enable RDP connections to the machine by unchecking Control Panel\System and Security\System > Remote settings > "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

Additional step for Windows 10 installations:

Follow the steps above for all Windows installations, and then do the following after step 2:

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 1.

For additional information on this key and value, please see Configure Server Authentication and Encryption Levels on the Microsoft Windows Server website.
 

Steps for Mac installations:

Open a terminal window and set the default value of RemoteAccessHostRequireCurtain to true using the defaults command for both the current user and root:

defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true
sudo defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true


To restore RemoteAccessHostRequireCurtain, delete the key from the defaults for the current user and root:

defaults delete com.google.Chrome RemoteAccessHostRequireCurtain
sudo defaults delete com.google.Chrome RemoteAccessHostRequireCurtain

Enable Account Name Matching for Chrome Remote Desktop

If you'd like to require that users register their machines for remote access using a Google Account that matches their local machine account, set the RemoteAccessHostMatchUsername policy on Windows and Mac machines.

  • Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostMatchUsername to 1.
  • Mac: Set RemoteAccessHostMatchUsername to YES in ~/Library/Preferences/com.google.Chrome.plist.
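
Added example (not part of the original page or Google's tooling): a Python audit that parses a com.google.Chrome plist and checks the three policies named on this page against the values it gives. The function names, status labels and the sample plist are assumptions made for illustration.

```python
import plistlib
import sys

# Values this page gives for each policy (NO -> False, YES / true -> True).
EXPECTED = {
    "RemoteAccessHostFirewallTraversal": False,
    "RemoteAccessHostRequireCurtain": True,
    "RemoteAccessHostMatchUsername": True,
}

def audit_chrome_plist(raw: bytes) -> dict:
    """Map each policy to 'ok', 'missing', 'wrong-type' or 'wrong-value'."""
    prefs = plistlib.loads(raw)  # accepts both XML and binary plists
    report = {}
    for key, want in EXPECTED.items():
        if key not in prefs:
            report[key] = "missing"
        elif not isinstance(prefs[key], bool):
            # `defaults write` without a type flag stores a string, not a boolean
            report[key] = "wrong-type"
        elif prefs[key] != want:
            report[key] = "wrong-value"
        else:
            report[key] = "ok"
    return report

def non_compliant(report: dict) -> list:
    """Sorted names of the policies that need attention."""
    return sorted(k for k, v in report.items() if v != "ok")

# Constructed sample: one policy correct, one stored as a string, one absent.
SAMPLE_PLIST = plistlib.dumps({
    "RemoteAccessHostFirewallTraversal": False,
    "RemoteAccessHostRequireCurtain": "true",
    "HomepageLocation": "https://example.com",
})

if __name__ == "__main__":
    # Pass a plist path (for example ~/Library/Preferences/com.google.Chrome.plist),
    # or run with no argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_PLIST
    for policy, status in audit_chrome_plist(raw).items():
        print(f"{status:12} {policy}")
```

Because the Mac curtain steps write the key for both the current user and root, run the audit against each of those preference files.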