We have RDS setup in a way that:
A) 2FA must be used to sign into RDWeb
B) A user, as non-admin, cannot add a feed to Windows
C) Via GPO, we deny the local-login ability to the terminal servers
In this way, the only way to connect to remote desktop apps is through two-factor RDWeb; perfect.
However, I'm finding the RD Client on Android/iOS is able to still connect and get through. Any way to block this?
Ultimately what I'm looking for in the end, is to allow RD Client but only for certain delivered apps. For example, we actually only 2FA users that have access to the financial system, which is delivered as an app over RDWeb. I do not ever want them to be able to access the financial system via their mobile devices. However, I have other apps that I do want users to access via RD Client, and it just so happens that these users are users that do not access the financial application, so I could potentially see using something to the effect of two RDWeb servers. Still need to work that all out, but any solution is dependent on blocking RD Client, as I want to close the hole where an enterprising financial user could figure out how to add the feed to RD Client and get the financial applications. Until I figure this out, I don't want to advertise the service to non-financial users.