Saturday, February 22, 2014

Password Protect Microsoft Remote Desktop Client for OSX

Microsoft Remote Desktop client version 8.x for OSX was released and I find it particularly nice. (Way better than v. 2.1.1 anyway).

One thing I tend to do is store my passwords, but this can be a bad habit for an enterprise environment.

I've found a way to password protect launching the RDP client, and furthermore, close it when the computer sleeps -- very convenient.

Essentially, what we'll do is create an encrypted storage container, move the app inside, and launch kill/eject scripts when entering sleep-mode.

This write-up assumes OSX 10.5+; I'm on 10.9.1 (Mavericks).

First, I used Disk Utility to create an encrypted .dmg file:

Launch Disk Utility via Applications>Utilities>Disk Utility.

Select File>New>Blank Disk Image.

In the "Save As" field, find your home directory or any other preferred area.  Name it "RDP.dmg".

In the "Name" field, name it "RDP" -- we will reuse this name for the eject-function later.

I found that "Microsoft Remote" was 67.7MB, so I opted to set the "Size" field as 72MB.  You can try 68MB if you like, I assume it would be fine.

For the "Format" field, I chose "Mac OS Extended" as I do not need it journaled.

In the "Encryption" field, I chose 128-bit AES, but you may choose 256 if you are paranoid.

For "Partitions" and "Image Format", I chose the defaults of Single GUID and read/write respectively.

You will be asked for a password.  This is permanent so choose wisely.  Also, leave the "Remember password in my keychain" check-box unchecked so that you are required to enter your password with each launch.

Once the RDP.dmg file is created, open it with Finder if it's not already open.  Again do NOT check to "Remember password".  Using Finder, drag the Microsoft Remote Desktop application into your new RDP.dmg file.  MS-RD should be in your Applications folder if you've installed it, or in the installer .dmg if you have not.

Once you have MS-RD inside the RDP.dmg file, go ahead and launch that copy.  Now to simplify things for future usage, on OSX's Dock, right click "Microsoft Remote Desktop", select Options, and select "Keep in Dock".

Now let's test your new password protected RDP Client.  First, close the MS-RD application.  Then eject "RDP".

Now using the Dock shortcut, click to open "Microsoft Remote Desktop" -- it should again ask for your password.  Voila, you have a password protected RDP client!  The key to this is to never check "Remember password in my keychain."

If everything works as expected, you should delete the original MS-RD app from your applications folder if you had previously installed it.  (And remove the original Keep in Dock if you had such.)

Now the interesting part of the project -- the RDP.dmg remains mounted even if you close MS-RD.  This means the app could be re-launched without the password.  To protect against this, you could manually eject RDP.dmg after each usage (blah), or we can find a way to both close MS-RD and eject RDP.dmg when the machine goes into sleep mode (way more convenient).

There may be ways to trigger this from the screensaver, but I happened across a sleep-mode trigger solution first, using SleepWatcher.  In fact, upon reading, SleepWatcher does have an idle-mode trigger too, but this write-up does not use it: I did this on a MacBook Air and opted for the sleep trigger because closing the screen lid enters sleep mode.

This configuration process will be mostly command line oriented.

Go ahead and download and extract SleepWatcher to your ~/Desktop.  You can delete the folder/files after the configuration process.  Be certain to read the ReadMe.rtf file within.  If you do not already have SleepWatcher, then do not perform the first tasks listed; instead, jump to the "Installation for new SleepWatcher users" section.  Skim through the readme first; the commands are listed below for convenience.

I elected to use the "user" mode .plist, which means my sleep commands go in the ~/.sleep file.

If you elect the same, then as per the ReadMe.rtf file, do the following:

sudo mkdir -p /usr/local/sbin /usr/local/share/man/man8

sudo cp ~/Desktop/sleepwatcher_2.2/sleepwatcher /usr/local/sbin/

sudo cp ~/Desktop/sleepwatcher_2.2/sleepwatcher.8 /usr/local/share/man/man8/

cp ~/Desktop/sleepwatcher_2.2/config/de.bernhard-baehr.sleepwatcher-20compatibility-localuser.plist ~/Library/LaunchAgents/

launchctl load ~/Library/LaunchAgents/de.bernhard-baehr.sleepwatcher-20compatibility-localuser.plist

Be careful copy-pasting, the five commands above are all ONE LINE each. You may opt to copy-paste into a text editor first to verify ONE-LINERS.

My ~/.sleep file consisted of the following:

#!/bin/sh
# Close MS-RD, then eject the encrypted RDP volume so the password is needed again.
killall "Microsoft Remote Desktop"
/usr/sbin/diskutil eject /Volumes/RDP

Be sure to chmod +x ~/.sleep to make it executable.

The above ~/.sleep script will close MS-RD and also eject the RDP.dmg file.
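
A sturdier variant of that hook, as an added example that is not part of the original post: killall returns as soon as it has sent the signal, so the eject can fail while the app still holds the volume busy, and the image then stays unlocked. This version retries the eject, then force-detaches the image, and logs a warning if the volume is still there. The app name and /Volumes/RDP come from the steps above; the variable names, retry counts and the "rdp-lock" log tag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a ~/.sleep hook that checks the
# encrypted volume is really gone instead of assuming the eject worked.
# APP and VOLUME come from the post; the other names are assumptions.
APP="${APP:-Microsoft Remote Desktop}"
VOLUME="${VOLUME:-/Volumes/RDP}"
DISKUTIL="${DISKUTIL:-/usr/sbin/diskutil}"
HDIUTIL="${HDIUTIL:-/usr/bin/hdiutil}"
RETRIES="${RETRIES:-5}"          # eject attempts before forcing
RETRY_DELAY="${RETRY_DELAY:-1}"  # seconds between attempts; keep the total short

# The mount point directory exists only while the image is mounted.
volume_present() { [ -d "$VOLUME" ]; }

lock_rdp() {
    # killall only sends SIGTERM and returns; the app may still hold files open.
    killall "$APP" >/dev/null 2>&1 || true
    volume_present || return 0   # nothing mounted, nothing to protect

    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        "$DISKUTIL" eject "$VOLUME" >/dev/null 2>&1 || true
        volume_present || return 0
        n=$((n + 1))
        sleep "$RETRY_DELAY"
    done

    # Still busy: kill the app outright and detach the image despite open files.
    killall -9 "$APP" >/dev/null 2>&1 || true
    "$HDIUTIL" detach -force "$VOLUME" >/dev/null 2>&1 || true
    if volume_present; then
        return 1                 # image is still unlocked: report it
    fi
    return 0
}

# Run on sleep; leave a syslog line if the volume could not be locked.
lock_rdp || logger -t rdp-lock "WARNING: $VOLUME still mounted at sleep"
```

Forcing the detach can discard unsaved state on the volume, which is acceptable here because the image holds only the application.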

If you've done the above configuration properly, then you can test the scenario by launching MS-RD and then closing your laptop lid or waiting for sleep-mode to trigger.  Your power settings in OSX are in Applications>System Preferences>Energy Saver.

Quite cool, no?

Good Luck!
