Notification

Planning your return to office strategy? See how ChromeOS can help.

Control use of Chrome Remote Desktop

As an administrator, you can control whether users can access other computers from Chrome using Chrome Remote Desktop.

Before you begin

The parent registry keys you use to control the use of Chrome Remote Desktop may not exist even with Chrome installed. If not, you will need to create them. The "1" and "0" values are of type DWORD-32.

Turn on or off Chrome Remote Desktop

If you're an administrator of Google accounts for an organization, you can control who uses Chrome Remote Desktop from their account. You can turn Chrome Remote Desktop on or off for users in your Google Admin console. For details, see Turn Chrome Remote Desktop on or off for users.

Note: If you're a Chrome Education Upgrade customer, Chrome Remote Desktop is not automatically available. You need to turn it on in your Admin console.

Control Chrome Remote Desktop network settings

To enable Chrome Remote Desktop for local area network or VPN users only, disable firewall traversal by setting the RemoteAccessHostFirewallTraversal policy on Windows Mac and Linux machines.

To disable firewall traversal:

  • Windows: Set HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostFirewallTraversal to 0.
  • Mac: Set RemoteAccessHostFirewallTraversal to NO in ~/Library/Preferences/com.google.Chrome.plist.
  • Linux: Set  RemoteAccessHostFirewallTraversal to FALSE in /etc/opt/chrome/policies/managed/RemoteAccessHostFirewallTraversal.json.

     For details on how to define policy settings for Linux, see Set policies

Block Chrome Remote Desktop functionality

To prevent users on your network from remotely accessing other computers or to prevent computers on your network from being remotely accessed with Chrome Remote Desktop, block the appropriate Chrome Remote Desktop URLs.

Chrome Remote Desktop clients include a website (https://remotedesktop.google.com) and mobile apps for Android and iOS. All three use the same service API so blocking it will prevent all Chrome Remote Desktop functionality on your network.

Blocking https://remotedesktop-pa.googleapis.com prevents all Chrome Remote Desktop functionality for both outgoing connections from clients on your network and incoming connections to hosts on your network. Though not necessary if the API is blocked, you can also block https://remotedesktop.google.com to prevent the web client from being loaded.

Enable Curtain mode for Chrome Remote Desktop

You can enable Chrome Remote Desktop to prevent someone physically present at a host machine from seeing what a user is doing when remotely connected. For more information about Curtain mode, see Access another computer with Chrome Remote Desktop.

Steps for all Windows installations:

Note: This feature only works on Windows devices running Windows Professional, Ultimate, Enterprise, or Server.

Using Regedit, set the following keys:

  • HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain to 1.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections to 0.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication to 0.

Additional registry key for Windows 10 installations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer to 1.

Important: If your session terminates immediately, you may have missed a step. Make sure you have completed all the steps above.

You can also copy and run the following command from an elevated command line to set the required registry key values and force them to take effect:

reg add HKLM\Software\Policies\Google\Chrome /v RemoteAccessHostRequireCurtain /d 1 /t REG_DWORD /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /d 0 /t REG_DWORD /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /d 1 /t REG_DWORD /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f && net stop chromoting && net start chromoting

For more information on these keys and values, see Configure Server Authentication and Encryption Levels.

Steps for Mac installations:

Note: This feature is no longer supported on Mac devices running macOS Big Sur or later.

  1. Open a terminal window.
  2. Set the default value of RemoteAccessHostRequireCurtain to true using the defaults command for both the current user and root:

    defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true
    sudo defaults write com.google.Chrome RemoteAccessHostRequireCurtain -boolean true

  3. To restore RemoteAccessHostRequireCurtain, delete the key from the defaults for the current user and root:

    defaults delete com.google.Chrome RemoteAccessHostRequireCurtain
    sudo defaults delete com.google.Chrome RemoteAccessHostRequireCurtain

Enable Account Name Matching for Chrome Remote Desktop

To require users to register their machines for remote access using a Google Account that matches their local machine account, set the RemoteAccessHostMatchUsername policy on Mac® Linux® and Chrome devices.

  • Mac: Set RemoteAccessHostMatchUsername to YES in ~/Library/Preferences/com.google.Chrome.plist.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
11550126941082653822
true
Search Help Center
true
true
true
true
true
410864
false
false