I use RemoteApp on Server 2008-R2 to publish certain applications and the remote desktop. We access them from inside the office, the same way as if we were outside the office, i.e. https://server.domain.com/rdweb/pages/en-us/login.aspx This works great and I have no issues with it.
We now have some users where they should only be allowed access if they are physically in the office and logged onto a computer that is attached to our domain. If they try to log into the application from a public computer on the internet, it should be restricted and denied. This is decided on a per-user basis.
How can I accomplish this? I thought to check off "deny this user permission to log on to remote desktop session host server" in their profile, but then they can't start a RemoteApp at all, even from inside the office. Similar results if I try to restrict the computers they are allowed to log on to.
The only suggestion I saw that appeared to work used a logon script to check the host name of the computer against an allowed list, and log them off if it wasn't an approved system. This method would require periodic editing as desktops were replaced over time, and isn't really all that secure, so not very elegant.
In the user account settings on the "Remote Desktop Service Profile" page there is a field for specifying a profile to be used just for remote desktop services. Perhaps something could be done here? There is also a page for "Environment" where I can start a program at logon. Or is there an "official" way that I just haven't found in my search?
Thanks -Randy-