---
myst:
  html_meta:
    "description lang=en": "Kasm Workspaces RDP with Smart Card Support."
    "keywords": "Kasm, Windows, RDP, Smart Card"
    "property=og:locale": "en_US"
---

```{title} Auto Opening RDP files for RDP Gateway Configuration
```

## Auto-Opening RDP files for each Client OS

#### Windows

For Windows clients, Windows can be set to automatically open downloaded RDP files through group policy. There are also per-browser options that users can configure themselves instead.

Kasm will automatically generate a signed RDP file using the certificate and private key in [Server Settings](../settings.md#connections). This certificate (or, when you provide your own certificate, an applicable CA) must be installed in the trusted certificate store on the client machine, and the SHA1 thumbprint must be added to the group policy as a trusted RDP publisher. Otherwise Windows warns that the RDP file is provided by an untrusted/unknown publisher. To make this easier, Kasm provides a button to download the certificate and a button to copy the SHA1 thumbprint to your clipboard so that you can add it to your group policy.

```{figure} /images/windows/rdp_signing_cert.webp
:align: center

**RDP Public Signing Certificate**
```

The location in Group Policy is `Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> Specify SHA1 thumbprints of certificates representing trusted .rdp publishers`.
```{figure} /images/windows/rdp_waf_proxy/group_policy_editor.png
:align: center

**Group Policy Location**
```

```{figure} /images/windows/rdp_waf_proxy/trusted_publisher_sha.png
:align: center

**Setting the Trusted Publisher Certificate SHA1**
```

To prevent a user from modifying a signed RDP file and then attempting to create a connection to the RDP target, there is another group policy setting that can be enabled: `Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> Allow .rdp files from unknown publishers`. This does have the side effect of preventing users from opening any RDP file not signed by a verified publisher, including ones users may create on their own.

```{figure} /images/windows/rdp_waf_proxy/group_policy_disable_unknown_publishers.png
:align: center

**Deny unknown publishers**
```

##### Google Chrome

The first option is for the user to right-click the RDP file in the download list and select `Always open files of this type`. Alternatively, the user or an administrator can set the registry key `Software\Policies\Google\Chrome\AutoOpenFileTypes`, then add values named with a number and set to the file extension, for example `Software\Policies\Google\Chrome\AutoOpenFileTypes\1 = exe`.

```{figure} /images/windows/rdp_waf_proxy/set_always_open.png
:align: center

**Always Open Files of this Type**
```

##### Firefox

In Firefox, right-clicking the download shows an option, `Always Open Similar Files`, that makes Firefox automatically open RDP files in the default client.

```{figure} /images/windows/rdp_waf_proxy/always_open_similar_files.png
:align: center

**Always Open Similar Files**
```

#### ChromeOS

For ChromeOS, the Chromebook will need to be joined to a Google Workspace Enterprise account. The administrator can then set Chrome managed policies to ensure that Chrome will automatically open the RDP file upon download.
##### Google Workspace configuration

Go to admin.google.com and log into the Google Workspace account. Then navigate to *Devices* -> *Chrome* -> *Settings* and select the *User & browser settings* tab.

```{figure} /images/windows/rdp_waf_proxy/chromeos_device_settings.png
:align: center

**ChromeOS device settings**
```

On the *User and browser settings* tab, scroll down to the *Content* section and select *Auto open downloaded files*.

```{figure} /images/windows/rdp_waf_proxy/chromeos_device_content_settings.png
:align: center

**ChromeOS device content settings**
```

On this screen the administrator can configure which file extensions the browser opens automatically. Add *RDP* to the *Auto open file types*. The administrator can also restrict this setting to the URL of the Kasm deployment, e.g. `https://kasm.example.com/*`.

```{figure} /images/windows/rdp_waf_proxy/chromeos_auto_open_download_settings.png
:align: center

**ChromeOS Auto open downloaded files settings**
```

#### macOS

On macOS the RDP connection is loaded as a URL, so the OS must be configured to handle that URL with the RDP client of choice. The command to configure this is `defaults write com.google.Chrome URLAllowlist -array 'rdp://*'`