-
Notifications
You must be signed in to change notification settings - Fork 166
Managing IAP Desktop using group policies
📝 This Wiki page has moved. For the latest content, see Use group policies to manage IAP Desktop on the IAP Desktop documentation page. |
---|
You can centrally manage IAP Desktop by using Active Directory Group Policies.
You can use a group policy object (GPO) to automatically install IAP Desktop for your users:
-
Download the IAP Desktop MSI package and copy it to a file share that is readable by domain users.
-
In the Group Policy Management Console, create or select a GPO.
-
Link the GPO to an organizational unit that contains the users who should be able to use IAP Desktop.
Note: IAP Desktop is installed per-user, not per-computer. The scope must be configured so that it captures relevant users, not computers.
-
Right-click the GPO and select Edit.
-
Navigate to User Configuration > Policies > Software Settings > Software installation
-
In the right window pane, right click on the empty list and select New > Package.
- Enter the UNC path to the IAP Desktop MSI package.
- In the Deploy software dialog, select Assigned and click OK.
-
Right-click IAP Desktop in the list of packages and select Properties.
- Switch to the Deployment tab.
- Set Install this application at logon to Enabled.
- Click Advanced
- Set Ignore language when deploying this package to Enabled, then click OK.
- Click OK to close the properties dialog.
-
Close the Group Policy Management Editor window.
Note: If you distribute IAP Desktop by using group policy, it's best to disable automatic updates. See next section for details.
You can use a group policy object (GPO) to configure policies for IAP Desktop. Policies take precendence of user settings: When you configure a policy, users can't change the respectice setting anymore.
To configure policies, you first have to install the IAP Desktop Policy Templates:
- Download the
PolicyTemplates
package from the downloads page. - Extract the package int the
PolicyDefinitions
folder of your central store.
You can now use the IAP Desktop Policy Templates to configure policies:
-
In the Group Policy Management Console, create or select a GPO.
-
Link the GPO to an organizational unit that contains the users who should be able to use IAP Desktop.
Note: You can configure policies per-computer or per-user. Computer-based policies take precendence over user-based policies.
-
Right-click the GPO and select Edit.
-
Navigate to User (or Computer) Configuration > Policies > Administrative Templates > Google IAP Desktop and customize policies as necessary.
-
Close the Group Policy Management Editor window.
To restrict Remote Desktop features like copy/paste, you can configure appropriate group policies on the VM instance (Local Group policy) or in the domain the VM instance is joined to. You can find the server-side Remote Desktop policies in the Group Policy Management Editor under User (or Computer) Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host.
IAP Desktop is an open-source project and not an officially supported Google product.