
Differentiating Between Remote Desktop Sessions and RemoteApp Sessions with Duo Winlogon

I’m currently trying to protect administrative Remote Desktop, UAC, and console access to our organization’s servers with Duo Winlogon. Most of our servers act as Remote Desktop Session hosts, and in testing I’ve found that Duo prompts for both full Remote Desktop sessions and RemoteApp sessions. Now the obvious solution is to make a bypass policy for the application and an enforce policy for the administrative group, which I have done and which works fine.

However, I’m trying to plan ahead for when we want to protect RemoteApp and Remote Desktop logons for all users. I’m concerned that I won’t be able to differentiate between the two types of traffic in Duo for creating policies that differ between applications. Is it possible to have Winlogon only pick up on full Remote Desktop sessions and ignore RemoteApp sessions?

1 Reply

DuoKristina
Cisco Employee

I don’t believe this is possible today. The Duo credential provider recognizes RDP and Local (as in, “not RDP”) logon types, and wouldn’t distinguish between RDP for full desktop or RDP for just an app.

You can submit this as a feature request by contacting your account exec or customer success manager (if you have one), or by contacting Duo Support.

Duo, not DUO.