How to apply MFA for RemoteApp
As of UserLock version 12.1, you can protect RemoteApp sessions with MFA using any of the available methods: push notifications, OTP codes and USB keys.
Pre-requisites
The UserLock desktop agent must be installed on the RD Host server.
How to
To enable MFA for these connections, first create a protected account for the user, group or OU that you wish to protect. Then, under multi-factor authentication, select "enable." RemoteApp sessions are treated as Terminal sessions, so under the session type "Server", enable the connection types and set the frequency at which users are prompted for MFA.
Notes
- In the case of concurrent RemoteApp sessions, only one will be visible in the UserLock console, and MFA will only be requested for the first connection, even if the MFA frequency is set to "At every logon."
- Enabling MFA for server connections will apply this setting to all servers that have the UserLock desktop agent.
- When a RemoteApp window is closed, it can be reopened within 30 seconds without prompting for a password.
Limitations
- Users cannot enroll in MFA via a RemoteApp session. For general information about enrollment, see this page. For remote users, see this page for ways to enroll them in MFA.
- It is not possible to use MFA for RemoteApp sessions that require privilege escalation (UAC).