This chapter describes tasks that a Parallels RAS administrator can perform to manage user devices, such as desktop computers, phones, or tablets.

RAS console and Management Portal provide custom administrators with the ability to send a support request to your organization's help desk.

To enable Help Desk support for custom administrators, do the following:

1. In the RAS Console, select the Features category.

2. Select the Overwrite the local support actions with the following URL option and specify the link to to your local support portal in the field provided. This link will open when a custom administrator clicks on Help > Request Support in RAS Console or Help and Support > Request Support in Management Portal.

To configure the appearance of Parallels Client, select the Appearance node and then configure the groups of settings described below.

• Parallels Client interface. Select the style of interface for Parallels Client for Windows.

• Prompt user to switch to Modern interface. Select this option if you want the user to see a prompt that allows them to switch to Modern interface.

Device monitoring allows you to view devices which are connected to the Farm or have established a connection at least once in the past. To monitor devices, select the Device Manager category in the Parallels RAS Console and click the Devices manager tab in the right pane. The information for a device includes:

• Device name

• IP address

• State (see below for the list of states)

• Last user (who used a device)

• MAC address

• OS version

• Parallels Client version

• Group (if a device is a member of a device group)

• Gateway name (the RAS Secure Gateway a device is connected to)

• Gateway IP address

Device states

Devices that connect to Parallels RAS can have any of the following states:

• Off: Device is switched off.

• Connected: Device is connected.

• Logged On: Devices is logged on to the system.

• Standalone: Device has previously connected to the Parallels RAS but is not using Parallels Client, therefore it cannot be managed.

• Not Support: Device is not supported by the Parallels RAS.

• Foreign Managed: Connecting to the Farm but managed by a different Farm.

• Not Manageable: Client not manageable due to incompatible client version or uninstalled component.

• Locked. Device has an active session in locked status.

• Pair Pending. Connection should be refreshed on the client side; port UDP 20009 is blocked from the client to gateway; client management port is disabled on the gateway.

Switching off device monitoring

If you use third-party endpoint management solutions and do not need Parallels RAS device monitoring, you can switch it off on the Device Manager > Options tab. It helps you to save computing resources and may improve performance of the RAS Console.

To switch off device monitoring:

1. In the RAS Console, navigate to Device Manager > Options.

2. Clear the Enable device manager option.

3. Click Yes and Apply.

As soon as you switch off device monitoring, the RAS Console stops tracking connected devices and deletes device connection history, which is displayed on the Device Manager > Device Manager tab. After that you can still view information about current connections in the Sessions category.

Items under the Session node in the Policy Properties dialog include connection, display, printing, network, and other settings that will be enforced on a client if defined and enabled.

For a particular group of settings to be enforced on a client device, it must be selected (checked). Unselected groups will not be enforced, so end users will be able to configure them themselves. For example, you can check the Connection node, but only check the Primary connection and Secondary connections groups under it. This will enforce only the two selected groups of settings on client devices.

The Policies category allows you to manage Parallels Client policies for users connecting to a Farm. By adding client policies, you can group users and push different Parallels Client settings to user devices forcing them to function as your organization requires.

Settings that can be enforced on user devices include RAS connection properties, display, printing, scanning, audio, keyboard, device, and others. Once you create a policy and push it to a client device, the user of the device cannot modify the settings that the policy enforces. In Parallels Client, this will manifest itself as hidden or disabled connection properties and global preferences.

Supported Parallels Client versions

Parallels Clients for all platforms are supported.

On the Scanning node in the Policy Properties dialog, you can specify a scanner that should be used when one is required by a published application:

• Use. Allows you to select a scanning technology. RAS Universal Scanning uses TWAIN and WIA redirection allowing an application to use either technology depending on the hardware type connected to the local computer. If you select None, scanning will disabled.

• Redirect Scanners. Select scanners attached to your computer for redirection. You can select All (all attached scanners will be redirected) or Specific only (only the scanners you select in the provided list will be redirected).

The Printing node in the Policy Properties dialog allows you to configure printing options.

In the Technology section, select the technology to use when redirecting printers to a remote computer:

• None. No printer redirection will be used.

• RAS Universal Printing technology. Select this option if you want to use RAS Universal Printing technology.

• Microsoft Basic Printing Redirection technology. Select this option if you want to use Microsoft Basic printing technology.

• RAS Universal Printing and Microsoft Basic redirection technologies. Select this option to use both Parallels RAS and Microsoft technologies.

RAS Universal Printing

If you selected RAS Universal Printing technology, use the Redirect Printers drop-down list to specify whether to redirect all printer on the client side, default printer only, or specific printers.

If you select Specific only in the step above, click Tasks > Add. Type a printer name and then click the Options button. In the dialog that opens, specify settings described below.

In the Choose Format drop-down list, select a data format for printing:

• Print Portable Document Format (PDF). Adobe PDF. This option does not require you to install any local applications capable of printing a PDF document. All the necessary libraries are already installed together with Parallels Client.

• View PDF with external application. To use this option you must have a local application installed which is capable of viewing a PDF document. Note that not all applications are supported. For example, the built-in PDF viewer in Windows is not supported, so you must have Adobe Acrobat Reader (or a similar application) installed.

• Print PDF with external application. This option works similar to the View PDF option above. It also requires an application capable of printing a PDF document installed locally.

• Enhanced Meta File (EMF). Use vector format and embedded fonts.

• Bitmap (BMP). Bitmap images.

In the Client printer preferences section, select one of the following:

• Use server preferences for all printers. If this option is selected, a generic printer preferences dialog will be shown when a user clicks Print in a remote application. The dialog has only a minimal set of options that they can choose.

• Use client preferences for all printers. With this option selected, a local printer preferences dialog will open when a user clicks Print in an application. The dialog will contain a full set of options for a particular printer that the user has installed on their local computer. If they have more than one printer installed, a native preferences dialog will open for any particular printer that they choose to print to.

• Use client preferences for the following printers. This option works similar to the Use client preferences for all printers option (above), but allows users to select which printers should use it. Select this option and then select one or more printer in the list below. If a printer is not selected, it will use the generic printer preferences dialog, similar to the first option in this list.

Default printer settings

To configure default printer settings, click the Change Default Printer settings button.

The default printer list shows printers that can be redirected by the client to the remote computer:

• To disable the default printer, select <none>.

• To redirect the default local printer, select <defaultlocalprinter>.

• When <custom printer> is selected, you can specify a custom printer. The first local printer that matches the printer name inserted in the Custom field will be set as the default printer on the remote computer.

Select Match exact printer name to match the name exactly as inserted in the Custom field. Please note that the remote printer name may not match the original printer name. Also note that local printers may not redirect due to server settings or policies.

The Force Default printer for option specifies the time period, during which a printer will be forced as default. If the default printer is changed during this time after the connection is established, the printer is reset as default.

Select the Update the remote default printer if the local default printer is changed option to change the remote default printer automatically when the local default printer is changed. Please note that the new printer must have been previously redirected.

A Windows 10 and 11 note

Windows 10 and 11 have a feature that automatically sets the default printer to the one used most recently or more often. This can break the default printer control on RD Sessions Hosts, guest VMs, and Remote PCs. To resolve this issue, the default printer management in Windows 10 and 11 should be disabled. To disable this feature using the Group Policy, do the following:

1. Open the group policy editor.

2. Navigate to User Configuration > Administrative Templates > Control Panel > Printers.

3. Find the Turn off Windows default printer management policy and enable it.

4. Force the group policy to all computers attached to the domain.

You can also disable the default printer management in Windows 10 and 11 locally by using the GUI or the registry editor:

1. On a Windows 10 or 11 computer, click Start, then click the "gear" icon which will open the Settings page.

2. On the Printers and Scanners tab, set the Let Windows manage my default printer option to OFF.

Using the registry editor:

1. Open the registry editor (regedit).

2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows.

3. Create a new DWORD item and name it LegacyDefaultPrinterMode.

4. Change the item's Value data to hexadecimal and set the value data to 1.

In addition to disabling the default printer management, the Download over metered connections option should be enabled in Settings > Devices > Printers & Scanners.

To configure display settings, select the Display node and then configure the groups of settings described below.

Settings

Select the desired video acceleration mode and color depth.

Multi-monitor

Specify which monitors should be used for a session if more than one monitor is connected to the user's computer.

The following options are available:

• All: All displays.

• Primary: User's primary display.

• Selected: User can select one or several displays manually. To use this option for a published desktop, you need to select Full Screen in Publishing category > select the published desktop > Desktop tab > Desktop Size.

Published applications

Specify the options as follows:

• Use primary monitor only. Select this option to start published applications on the primary monitor. Other monitors connected to a user's computer will not be used.

• Use dynamic desktop resizing. Select this option if you want published resources to use the display settings of the local desktop.

Desktop options

Specify the desktop options as follows:

• Smart-sizing: Choose a smart sizing option. The Scale (fit to window) option scales a remote desktop to fit the connection window. The Resize (update resolution) option updates the resolution dynamically (without the need to reconnect) based on the window size. To disable smart sizing, select Disabled.

• Embed desktop in launcher. Enable this option to access a published desktop inside Parallels Client.

• Span desktop across all monitors. Enable this option to span published desktops across all connected monitors.

• Connection bar in full screen. Specify whether the connection bar should be pinned, unpinned, or hidden when connecting in full-screen mode.

Browser

This section applies to Parallels Web Client only. Specify whether a remote application should open in the same or a new tab in a web browser by default.

To see the additional device information, right-click a device and choose Get Device Information in the context menu. In the dialog that opens, review the following properties:

• Name: Device name.

• IPs: Device IP address (or multiple addresses if applicable).

• MAC Address: MAC address.

• State: State (see below for the list of states).

• Last User: The user who logged in from this device the last time.

• Last Logon Time: The time of last logon.

• OS Version: The operating system version running on the device. Windows portable and U3 clients are marked as "Portable".

• Client Version: Parallels Client version installed on the device.

• Gateway IP: The RAS Secure Gateway IP address (the gateway the client is using).

• Secure Gateway: The RAS Secure Gateway name.

• Last Activity: The date and time when any activity was detected from this device.

Parallels Client provides users with the ability to send a support request, together with a problem report, to your organization's help desk.

To enable Help Desk support for users, do the following:

1. In the RAS Console, select the Features category.

2. Select the Enable Helpdesk functionality in Parallels Client option and specify your help desk email address in the field provided. This email address will be updated in Parallels Client every time a user connects to Parallels RAS from it.

Help desk can be accessed in Parallels Client from the Help section (or menu). When the user selects the Request support from helpdesk item, a local email client will open. The following information will be prefilled in the email:

• Help desk email address (the one you set in the RAS Console).

• Application name.

• A screenshot.

• User name.

• Application version.

• Operating system version.

The user can provide their own description of the request.

The Scheduler tab of the Device Manager category can be used to schedule automatic power operations on devices.

Adding a new scheduler task

To schedule a task:

1. On the Scheduler tab, click Tasks > Add to open the Device Scheduler Properties dialog.

2. Select the Enable this scheduled entry option.

3. Select an action in the Action drop-down list:

   • Device group switch on

   • Device group log off

   • Device group switch off

   • Device group reboot

   • Device group lock

4. Select a device group in the Target drop-down list.

5. Specify the task start date and time.

6. Select the Repeat option from the following choices:

   • Never (a task will run only once, as specified in the Start and Time fields)

   • Every day

   • Every week

   • Every 2 weeks

   • Every month

   • Every year

   • On specific day(s) of the week. When selecting this option, select the day(s) of the week.

7. Enter a task description in the Description field.

8. Click OK to create the task.

Managing scheduled tasks

To modify an existing task, right-click it in the Schedule List and click Properties in the context menu.

To enable or disable an event, right-click it, click Properties, and then select or clear the Enable this scheduled entry option.

To execute a scheduled task immediately, right-click it and click Execute Now in the context menu.

To delete a task, right-click it and then click Delete.

To add a new client policy:

1. Select the Policies category and then click Tasks > Add in the right pane. The Policy Properties dialog opens.

2. The left pane contains a navigation tree allowing you to select a group of options to configure. You can search for options using the Find field in the upper left corner of the dialog. If multiple options are found, you can navigate between them using arrows.

3. Make sure the Policy node is selected, and then specify a policy name and an optional description.

4. In the Apply policy to section, click Tasks > Add (or click the plus sign icon) and specify rules that define what object the policy applies to (see below).

Configure rules for the client policy

By default, a client policy applies to configured users, computers, and groups in all situations. Optionally, you can specify rules that define when the policy should be applied. This functionality allows you to create different policies for the same user or computer, which will be applied depending on where the user is connecting from and from which device. Each rule consists of one or several criteria for matching against user connections. In turn, each criteria consists of one or several specific objects that can be matched.

You can match the following objects:

• User, a group the user belongs to, or the computer the user connects from.

• Secure Gateway the user connects to.

• Client device operating system.

• IP address.

• Hardware ID. The format of a hardware ID depends on the operating system of the client.

Notice the following about the rules:

• Criteria are connected by the AND operator. For example, if a rule has a criteria that matches certain IP addresses and a criteria that matches client device operating systems, the rule will be applied when a user connection matches one of the IP addresses AND one of the client operating systems.

• Objects are connected by the OR operator. For example, if you only create a criteria for matching client device operating systems, the rule will be applied if one of the operating systems matches the client connection.

• The rules are compared to a user connection starting from the top. Because of this, the priority of a rule depends on its place in the rule list. Parallels RAS will apply the first rule that matches the user connection.

• The default rule is used when no other rule is matched. You can set it to either Apply policy if no other rule matches or Do not apply policy if no other rule matches, but no criteria is available for this rule.

To create a new rule:

1. Select the Policy node.

2. In the Apply policy to section, click Tasks > Add. The New rule properties dialog opens.

3. Specify the name and the description of the rule.

4. In the Criteria section, specify criteria for the rule. You will find the following controls:

• Apply policy if and Do not apply policy if: specifies whether the policy is applied or not applied when a user connection matches all the criteria. Click on the link to switch between the two options.

• (+): adds a new criteria. If you want to match a Secure Gateway, a client device operating system, an IP address, or a hardware ID, click (+). In the context menu that appears, select the type of object that you want to match and add the specific objects in the dialog that appears. The new criteria appears on the next line.

• (X): Deletes a specific object from matching. For example, you want to delete IP address 198.51.100.1 from matching, click (X) next to it. This control appears when at least one object is added. If all objects in a criteria are deleted, the criteria is removed.

• is and is not: specifies whether the policy is applied or not applied when a user connection matches the criteria. Click on the link to switch between the two options. This control appears when at least one object is added.

• configure: edits the list of objects to be matched. Click this link to add or delete new objects. Note that for the first criteria (User, group or computer) this link is called everyone. It will change to configure once you specify objects for this criteria.

If you need to configure Parallels Client that is already installed on multiple devices in your organization, you can simplify the procedure by using one of the following mass configuration options:

• By exporting Parallels Client settings to a file and then importing them into all other Parallels Client installations.

• Using the Parallels Client URL scheme.

Exporting and importing Parallels Client settings

Parallels Client includes the Export/Import functionality that lets you export RAS or RDP connection settings to a file and then import them into Parallels Client running on another device. This functionality is available on all platforms, including desktop and mobile versions of Parallels Client (except Parallels Client for Chrome App). The Export/Import functionality is accessed in Parallels Client as follows:

• Windows, Mac, Linux:On the main menu, click File > Export Settings or File > Import Settings.

• iOS/iPadOS: To export connection settings, tap the [...] icon in the top right corner and choose Share Connection. To import, select the file that you exported earlier and choose to open it with Parallels Client.

• Android: To export connection settings, tap the menu icon (three vertical dots) in the top right corner and choose Share connections. To import, select the file that you exported earlier and choose to open it with Parallels Client.

For more information about exporting and importing connection settings, see the Parallels Client Guide for a desired platform.

Using Parallels Client URL scheme

Parallels RAS uses a URL scheme to perform actions in Parallels Client installed on user devices. Specifically, the URL scheme can be used to configure RAS and RDP connections using predefined settings. For the information about the URL scheme please see .

The URL scheme is used in invitation emails when you send an email to your users to install Parallels Client on their devices. An invitation email includes a link, which is a complete URL that uses the Parallels Client URL scheme. When you mass install Parallels Client on user devices, you simply . If you need to reconfigure existing Parallels Client installations (and don't want to do it by sending an invitation email), you can do the following:

1. Create an invitation email containing configuration profiles for all required platforms and send it to yourself.

2. Open the email and copy Parallels Client configuration URLs to a local intranet portal.

3. Let your users know where the URLs are.

4. To configure Parallels Client, your users will need to simply click a URL for their platform. This will automatically configure Parallels Client on their devices.

To configure connection properties, select the Connection node and then go through each child node configuring their respective properties.

Primary Connection

The primary connection always defaults to the primary RAS Secure Gateway, but you can modify the following connection properties:

1. Specify a friendly name for the connection.

2. Auto login: Enable or disable auto login in RAS User Portal. If the option is disabled, auto login will be disabled in User Portal and the user will not be able to change it. For more information, see .

3. In the Authentication type drop-down list, select the desired method of authentication:

   • Credentials. The user will have to enter credentials to log on.

   • Single Sign-On. This option will be included in the list only if the Single Sign-On module is installed during Parallels Client installation. The credentials that the user used to log on will be used to connect to the remote server.

   • Smart Card. Select this option to authenticate using a smart card. When connecting to the remote server, a user will need to insert a smart card into the card reader and then enter a PIN when prompted.

   • Web. If selected, the SAML SSO authentication is allowed. For more information, see .

   • Web + Credentials. The same as Web, but users are prompted to enter credentials when they launch a published application. To enable the Web + Credentials method, you must configure your IdP and RAS as described in and .

1. Select or clear Save password as needed (if credentials are used for authentication). This means forcing a client to save the password for this connection.

2. Specify the domain name (if credentials are used for authentication).

Secondary Connection

If you have more than one RAS Secure Gateway, you can define a secondary connection, which will be used as a backup connection in case the primary gateway connection fails.

To add a secondary connection:

1. Select the Secondary connections item.

2. In the Secondary connections pane, click Tasks > Add and specify a server name or IP address.

3. Select the connection mode and modify the default port number if necessary.

If you have multiple secondary connections, you can move them up or down in the list. If the primary connection cannot be established, Parallels Client will use secondary connections in the order listed.

Reconnection

In this pane, specify what to do if the connection is dropped:

• Reconnect if connection is dropped. if this option is selected, Parallels Client will try to reconnect if the connection is dropped. The Connection retries property specifies the number of retries.

• Show connection banner if reconnection is not established within. Specifies the number of seconds after which the connection banner will be displayed in Parallels Client. This will inform the user that the connection was dropped and will allow them to take actions on their own.

Computer name

Specify the name that a computer will use during a remote desktop session. If set, this will override the default computer name. Any filtering set by the administrator on the server side will make use of the Override computer name setting.

Advanced settings

• Connection timeout. The Parallels Client connection timeout value.

• Show connection banner if connection is not established within. Specifies the number of seconds after which the connection banner will be displayed. This will inform the user that the connection cannot be established and will allow them to take actions on their own.

• Show desktop if published application does not start within. If a published application is not launched within the time period specified in this field, the host server desktop will be shown instead. This is helpful if an error occurs on the server side while launching an application. By showing the server desktop, the user can see the error message.

Web authentication

• The Open browser window to complete log out option is used when the built-in browser is used. In this case, there's no control over the SAML log out, so when this option is selected, a URL will open to perform the logout from SAML. By default, this web page will not be displayed, but if you need to interact with the browser, you can enable this option.

Session prelaunch

When a user opens a remote application, a session must first be launched. Launching a session can take time, which will result in the user waiting for the application to start. To improve user experience, a session can be launched ahead of time, before the user actually opens an application.

To enable (or disable) session prelaunch, choose one of the following in the Mode drop-down list:

• Off. No session prelaunch is used.

• Basic. A session is prelaunched as soon as the user gets the application listing. The assumption is, the user will open an application within the next few minutes. The session will stay active for 10 minutes. If the user doesn't open an application during that time, the client will disconnect from the session.

• Machine Learning. When the application listing is acquired, a session is prelaunched based on user habits. With this option enabled, Parallels Client will record and analyze the user habits of launching applications on a given day of the week. A session is started a few minutes before the user usually opens an application.

When a session is prelaunched, it will all happen in the background, so the user will not see any windows or message boxes on the screen. When the user starts an application, it will open using the prelaunched session, so it will start very quickly.

You can configure rules when session prelaunch must not be used. The following options are available:

• Use the Exclude sessions prelaunch list to specify dates on which the prelaunch must not be used. Click on the plus-sign icon and select a date. The list can contain multiple entries.

• You can also exclude a published resource from the session prelaunching scheme altogether. This way, the resource is excluded from the analysis and is never considered by Parallels Client when making a decision whether to prelaunch a session. For example, when you have a server on which you never want to prelaunch sessions, you can flag all published resources hosted by that server as to be excluded from session prelaunch. To exclude a published resource from session prelaunch, in the RAS Console, navigate to Published Resources, select a resource and then select the Exclude from session prelaunch option.

Local proxy address

The setting in this section specifies to which IP address to bind the local RDP proxy. Select the Use 127.0.01 IP address when using Gateway mode in VPN scenarios option. You should have this setting enabled. Disabling it may lead to users not being able to open applications or desktops when using a VPN. This setting applies to Parallels Client for Windows only.

This section explains what happens when the Replace Desktop option is enabled and why it is useful to administrators.

When enabled, the Replace Desktop feature allows the administrator to convert a standard desktop into a limited device similar to a Thin Client without replacing the operating system.

The end user will not have access to Windows Explorer, Taskbar, or any other Windows components that usually allow them to install new applications or change system settings. The user can now only deploy applications configured within the Parallels Client, including remote applications, remote desktops, and locally configured applications. Local applications are allowed, so if a specific application is needed but is not available remotely (e.g. software that communicates with specific peripherals), the user can still deploy it.

When the Replace Desktop option is enabled, the following features take effect on the corresponding versions of Windows (7, 8, 8.1, 10, 11):

In this mode, the user also has access to the Mouse and Display Control Panel applets. The user cannot change the Parallels Client Global Options and the Client Farm Connection Options. Advanced management features can be enabled if the device is switched into administration mode.

If the Windows Desktop Replacement feature is switched off, all the restrictions are removed and the standard desktop is made available to the user.

The following are the screenshots of a Windows 10 desktop before and after the Replace Desktop option is enabled.

Before

After

The Device Manager feature allows the administrator to convert Windows devices running Windows 7 up to Windows 11 into a thin-client-like OS. In order to be managed, Windows devices must be running the latest version of Parallels Client for Windows.

Read the instructions below to learn how to set up Parallels Client on a Windows computer and how to enroll and manage it in Parallels RAS.

Installing Parallels Client on a Windows computer

To install and configure Parallels Client for Windows, follow the steps below. You can also read the Parallels Client for Windows User's Guide for complete instructions on how to install and configure Parallels Client.

1. Download the Parallels Client for Windows from .

2. Double-click the RASClient.msi or RASClient-x64.msi and follow the on-screen instructions to complete the installation wizard.

3. Create a new Parallels RAS connection by clicking File > Add New Connection..

4. Select Parallels Remote Application Server and click OK.

5. Next, configure the following connection properties:

   • Primary Connection — Specify the Parallels RAS FQDN or IP address.

   • User Credentials — Enter username, password, and domain.

6. Click OK to create the connection and then double-click it to connect to Parallels RAS.

Upon completion, the Windows device will appear in the Parallels RAS Console in Device Manager > Devices.

Windows device enrollment

You can configure Parallels RAS to enroll a Windows device automatically or you can opt to do it manually.

To manually enroll a Windows device in Parallels RAS:

1. In the RAS Console, navigate to Device Manager > Devices.

2. Select a device on the Devices tab.

3. Click Tasks > Manage Device.

The device state will change to Pair pending until the device reconnects. Ensure the Device Manager Port option is enabled for a gateway. To verify this:

1. Navigate to Farm > <Site> > Secure Gateways.

2. Select a gateway and click Tasks > Properties.

3. Click the Network tab and make sure that the Device Manager Port option is selected

Once the device reconnects, the enrollment process is complete and the device state is updated to Logged On, which indicates that it's now managed by Parallels RAS. The user running Parallels Client on their Windows PC can also verify that the PC is managed by clicking Help > About on the main Parallels Client menu. The information includes the RAS Secure Gateway information that the Parallels Client uses to communicate with Parallels RAS.

You can also set Parallels RAS to automatically manage Windows devices. To do so:

1. In the RAS Console, select the Device Manager category.

2. Click the Options tab.

3. Enable the Automatically manage Windows devices option.

The administrator can now check the state of the device and perform power operations, such as Power On, Power Off, Reboot, and Logoff.

Lock a Windows device

To lock a Windows device that has an active session, select it in the list and then click the Lock item in the toolbar at the bottom. Note that the Lock icon is only enabled when the selected device is in the Logged On state.

Shadow a Windows device

By shadowing a Windows device, you gain full access to the Windows desktop on the device and can control local and remote applications.

To shadow a Windows device:

1. In the RAS Console, navigate to Device Manager > Devices.

2. Select a device and click the Shadow item in the toolbar at the bottom.

The Windows user will be prompted to allow the administrator to take control over the device and can choose to deny access. The Request Authorization prompt can be deactivated by the administrator. To do so:

1. In the Parallels RAS Console, select the Device Manager category and click the Windows Device Groups tab in the right pane.

2. Right-click a group and choose Properties.

3. In the Windows Device Group dialog, select the Shadowing tab and clear the Request Authorization option.

Desktop replacement

The Replace desktop feature limits users from changing system settings or installing new applications. When this feature is enabled, the Windows desktop is replaced by Parallels Client, which converts it into a thin-client-like OS without actually replacing the operating system. This way the user can only deploy applications from Parallels Client, which gives the administrator a higher level of control over connected devices.

Additionally, the Kiosk mode allows you to limit the user from power cycling a device (power actions are still available in the Admin mode; see below for details.).

To enable the Replace desktop feature:

1. In the Device Manager category, select the Windows Device Groups tab.

2. Right-click a group and choose Properties.

3. Click the OS Settings tab.

4. Enable the Replace desktop option and optionally the Kiosk mode option.

5. Click OK.

Switching to the Admin mode

In User mode, the user is restricted to use only the applications provided by the administrator. In order to change system settings, switch the device to the Admin mode.

To switch to the Admin mode, right-click on the system tray icon and select Switch to admin mode. Type the password when prompted.

The following table outlines features that are available in Admin and User modes.

Configuring local applications when using Parallels Client desktop replacement

With the Replace Desktop option enabled, the administrator’s goal should be to deploy remote applications or remote desktops and use the native OS to simply deploy the software needed to connect remotely. However, in some instances, local applications may be required. The administrator still has the ability to configure local applications to be shown within the Parallels Client Desktop Replacement, however it is necessary to switch to the Admin mode prior to it.

Publish a local application according to the following steps:

1. Shadow the user’s session or use the user device station directly.

2. Switch the Parallels Client Desktop Replacement to admin mode.

3. Click File > Add New Application

4. Fill in the application information

5. Applications added will be visible in the Application Launcher.

6. Switch back to user mode once all the applications needed are configured.

Parallels RAS supports multiple platforms ranging from desktop PCs and Mac computers to mobile devices and ChromeApps. The Invitation Email feature is designed to reduce the complexities involved in the installation and client rollout process. This feature allows the administrator to send client installation and automatic configuration instructions to end users right from the Parallels RAS Console.

Before proceeding, please confirm that you've configured the mailbox as described in . To send an invitation email to users, use the Start category in the RAS Console. For more information see .

On the Keyboard node in the Policy Properties dialog, select how you want to apply key combinations (e.g. Alt+Tab) that you press on the keyboard:

• On the local computer. Key combinations will be applied to Windows running on the local computer.

• On the remote computer. Key combinations will be applied to Windows running on the remote computer.

• In full screen mode only. Key combinations will be applied to the remote computer only when in the full-screen mode.

Select or clear the Send unicode characters as needed.

Use the Local devices and resources node in the Policy Properties dialog to configure how local resources are used in a remote session.

Clipboard

Enable or disable the clipboard in a remote session. In the right pane, choose one of the following clipboard redirection options:

• Client to server only: Copy and paste from client to a server app only.

• Server to client only: Copy and paste from a server app to client only.

• Bidirectional: Copy and paste in both directions.

• Disabled: The clipboard is disabled.

The Limit clipboard to text only drop-down menu allows you to limit the functionality of the clipboard:

• No limit: All types of files can be copied in both directions.

• Client to server: Only plain text can be copied from the client to the server.

• Server to client: Only plain text can be copied from the server to the client.

• Both directions: Only plain text can be copied in both directions.

Disk drives and folders

Select the Allow disk drives and folders redirection option and select local drives you want to redirect, or select Use all disk drives available.

Select the Redirect as read-only drives option to redirect all selected disk drives in read-only mode.

If you select the Use also disk drives that I plug in later option, disk drives that you connect to a local computer later will be automatically available in a remote session.

In the Cache drop-down list, you can select whether to enable drive redirection cache hat makes file browsing and navigation on the redirected drives much faster:

• Disable: Drive redirection cache is disabled.

• Enable: Drive redirection cache is enabled.

• Fast mode: Same as above, but certain decorative features of File Explorer are disabled in favor of faster browsing.

Devices

On this pane, specify whether to redirect local devices in general, use all devices available, and also devices that will be plugged in later.

Local devices that can be redirected include supported Plug and Play devices, media players based on the Media Transfer Protocol (MTP), and digital cameras based on the Picture Transfer Protocol (PTP).

Please note that disk drives and smart cards are redirected using dedicated Disk drives and folders and Smart cards options.

Video capture devices

Specifies video capture devices to redirect from a user device to the remote session. This is a high-level redirection that allows to redirect a composite USB device, such as a webcam with a microphone.

• Allow devices redirection: Allows to choose which video capture devices to redirect.

• Use all devices available: Redirect all available devices.

• Use also devices that I plug in later: A device that is plugged in after a session is started will also be used. Note that if this option is disabled, you will need to restart a session for a newly plugged in device to become available.

Ports

Select whether to redirect LPT and COM ports.

Smart cards

Select whether to redirect smart cards. Note that if smart card is selected as the authentication type in the Primary connection pane, the smart card redirection is automatically enabled and this option is grayed out.

Pen and touch input

Enables or disables the following functions:

• Pen input redirection with pressure sensitivity support. Note: Pen input redirection is supported on remote desktops with the following operating systems: Windows Server 2016 up to Windows Server 2022, Windows 10 version 1607 up to Windows 11.

• Windows touch input redirection. Windows touch input redirection allows users to use Windows native touch gestures from touch-enabled devices, including touch, hold, and release actions. The actions are redirected to remote applications and desktops as corresponding mouse clicks. This option allows you to disable touch input redirection in case of app compatibility issues.

Multimedia redirection for AVD

Allows to watch video content played in a browser on a remote Azure Virtual Desktop host. To use this feature, you also need to configure redirection on your AVD hosts as described at https://learn.microsoft.com/en-us/azure/virtual-desktop/multimedia-redirection?tabs=edge#requirements.

File transfer

Enables file transfer in a remote session. To enable file transfer, select this node and then select a desired option in the Allow file transfer drop-down list in the right pane. For additional information, see Configuring remote file transfer.

The Experience node in the Policy Properties dialog allows you to tweak connection speed and compression.

Performance

Choose your connection speed to optimize performance: Choose a connection type according to your situation and then select experience options you want enabled. If you are connecting to a remote server on a local network that runs at 100 Mbps or higher, it is usually safe to have all of the experience options enabled. If you choose Detect connection quality automatically, the experience options will be enabled by default, but some may be dynamically disabled depending on the actual connection speed.

Enhance windows move/size: Enable this option if your users experience graphics artifacts (dark squares) while moving or resizing a remote application window on their desktops. The issue may manifest itself when a remote application is hosted on a Windows Server 2016, 2019 or 2022 and when the Show contents of window while dragging option is enabled. The issue does not appear with any other versions of Windows.

Compression

It is recommended to enable compression to have a more efficient connection. The available compression options are described below.

Enable RDP Compression: Enables compression for RDP connections.

Universal printing compression policy: The compression type should be selected based on your environment specifics. You can choose from the following options:

• Compression disabled. No compression is used.

• Best speed (uses less CPU). Compression is optimized for best speed.

• Best size (uses less network traffic). Compression is optimized to save network traffic.

• Based on connection speed. The faster the connection speed, the lower compression level and the minimum data size to compress are used.

Universal scanning compression policy: This drop-down list has the same options as the universal printing compression above. Select the compression type based on your environment specifics.

The Advanced Settings node in the Policy Properties dialog allows you to customize the default behavior or Parallels Client.

You can specify the following properties:

• Use client system colors: Enable this option to use the client system colors instead of those specified on the remote desktop.

• Use client system settings: Enable this option to use the client system settings instead of those specified on the RD Session Host.

• Create shortcuts configured on server: For each published application, the administrator can configure shortcuts that can be created on the client's desktop and the Start menu. Select this option to create the shortcuts, or clear the option if you don't want to create them.

• Register file extensions associated from the server: For each published application, the administrator can create file extension associations. Use this option to either register the associated file extensions or not.

• Redirect URLs to the client device: Enable this option to use the local web browser when opening 'http:" links.

• Redirect MAILTO to the client device: Enable this option to use the local mail client when opening ‘mailto:’ links.

• Always ask for credentials when starting applications: If this option is enabled, a user will be asked to enter credentials when starting an application even if the session is still active. You can use this option as added security to prevent unauthorized users to access applications. For example, if a user disconnects from a session, no one else will be able to take over the session and run remote applications. As another example, if a user leaves a device with an open User Portal displaying the app listing (with or without running RDP sessions) then any user who tries to open a new application or another instance of a running application will be prompted for credentials. Please note that the Auto login option must be disabled for this functionality to work; otherwise saved credentials will be used automatically.

• Allow Server to send commands to be executed by client: Enable this option to allow commands being received from the server to be executed by the client.

• Confirm Server commands before executing them: If this option is enabled, a message is displayed on the client to confirm any commands before they are executed from the server.

• Network Level Authentication: Check this option to enable network level authentication, which will require the client to authenticate before connecting to the server.

• Redirect POS devices: Enables the Point of Service (POS) devices such as bar code scanners or magnetic readers that are attached to the local computer to be used in the remote connection.

• Use Pre Windows 2000 login format: If this option is selected, it allows you to use legacy (pre-Windows 2000) login format.

• Disable RDP-UDP for gateway connections: Disables RDP UDP data tunneling on the client side. You can use this option when some clients experience random disconnects when RDP UDP data tunneling is enabled on the RAS Secure Gateway (the Network tab in the gateway Properties dialog), while other clients are not.

• Do not show drive redirection dialog: This option affects Parallels Client for Mac. By default, the Grant access to Home folder (drive redirection) dialog opens automatically when a Mac user connects to Parallels RAS. This happens when this option is disabled or when there's no client policy at all. The dialog allows the user to configure which folders on the local disk drive should be available to remote applications. If you enable this option, the dialog will not be shown a user. Read below for more explanation.

  Drive redirection cannot be configured via client policies, so Mac users have to do this themselves. By automatically showing the dialog, you can invite the user to go through the local folder configuration procedure. On the other hand, if there's no need for your users to redirect their local drives, you can disable the automatic opening of the dialog. Note that the dialog can still be run manually in Parallels Client for Mac at any time by opening Connection Properties > Local Resources, selecting the Disk drives option and clicking Configure.

  When the option is disabled (or when there's no client policy defined), the dialog opens at least once when the user connects to Parallels RAS for the first time. At that time, the user can either configure local folders or select the Never ask me again option. In both cases, the dialog will not be shown to the user anymore. The Mac user can reset the Never ask me selection by going to Connection Properties > Advanced and clearing the Do not show drive redirection dialog option.

Use the Server authentication node in the Policy Properties dialog to specify what should happen if authentication of an RD Session Host, Remote PC, or Guest VM fails.

In the If authentication fails drop-down list, select one of the following options:

• Connect. The user can ignore the certificate of the server and still connect.

• Warn. The user is alerted about the certificate and still has the ability to choose whether to connect or not.

• Do not connect. The user is not allowed to connect.

Use the Network node in the Policy Properties dialog to configure a proxy server for Parallels Client.

Select the Use proxy server option and then select the protocol from the following list:

• SOCKS4. Enable this option to transparently use the service of a network firewall.

• SOCKS4A. Enable this option to allow a client that cannot connect to resolve the destination host’s name to specify it.

• SOCKS5. Enable this option to be able to connect using authentication.

• HTTP 1.1. Enable this option to connect using a standard HTTP 1.1 protocol connection.

Specify the proxy host's domain name or IP address and the port number.

For SOCKS5 and HTTP 1.1 protocols, select the Proxy requires authentication option. For authentication, select the Use user logon credentials option or specify a user name and password in the fields provided.

Redirection options allow you to move your existing users from one RAS Secure Gateway to another gateway within the same Farm, or you can even redirect users to a gateway in a different Farm.

To configure redirection options:

1. Select the Redirection node in the left pane of the Policy Properties dialog.

2. In the right pane, specify the new connection properties, including:

   • Gateway address

   • Connection mode

   • Port number

   • Alternative address

When this policy is applied to user devices, the following will happen:

• Parallels Client connection settings are automatically updated on each device.

• Parallels Client tests the new connection. If succeeded, the current connection policies are removed and new policies are added.

• If Parallels Client cannot connect to Parallels RAS using new settings, the application list will not be shown and an error message will be displayed saying that the redirection policy has failed to apply. The user will be advised to contact the system administrator.

Gateway criteria

If a policy has both Redirection and Criteria settings enabled and configured, a situation may occur when the policy is applied in an infinite loop on the client side, which will result in an error. Consider the following possible scenarios when this may happen:

• Parallels Client connects to gateway "A" and applies a policy, which redirects it back to gateway "A". This will continue to loop until Parallels Client gives up and displays an error to the user, which will say, "Failed to apply redirection policy....".

• Parallels Client connects to gateway "A" and applies policy "P1", which redirects it to gateway "B". As expected, Parallels Client connects to gateway "B" and applies policy "P2", which redirects it back to gateway "A" where it all began. This will will also continue to loop until Parallels Client gives up and displays the same error message as described above.

Once again, this may only happen if the Criteria node is enabled and specified gateways conflict with each other. To avoid it, make sure that the Gateway criteria option on the Criteria pane is set to if Client is connected to one of the following gateways and that the same policy is not applied again when Parallels Client is redirected to a new gateway.

Starting with Parallels RAS v16.5, a new approach is used to manage client policies. In the previous versions, a client policy would apply the full set of parameters and replace the client settings completely hiding an enforced category. In RAS v16.5 (or newer), client policy settings are split into smaller groups with the ability to configure and enforce each group on the client side individually. For example, the administrator wants to re-design the policies to disable clipboard redirection only, leaving the rest of the local devices and resources settings available for the end users to control. In the previous version, this would not be possible. The new design allows an administrator to easily achieve this goal.

This section explains how the backward compatibility is achieved with older clients and how new clients retain compatibility with older server-side installations.

The new client policies implementation handles compatibility issues as follows:

• All settings found in older policies are sent to the client as if being sent from an older Parallels RAS server. When a client receives the policy, the Connection properties and Options/Preferences settings are set correctly from the old design point of view. If, however, the policy is configured in such a way that the user cannot change anything, the entire tab will be hidden (no need to display the options if all of them are disabled).

• The Parallels RAS Console handles old-style policy settings as if they are new and displays them using the updated graphical user interface.

• In terms of policies, when a Parallels RAS v16.5 client connects to a previous version of Parallels RAS, the client keeps working normally and all of the policy settings are functioning as expected.

The Windows device groups tab (Device Manager category) allows you to group managed Windows devices and administer them together.

Creating a Windows device group

To create a Windows Device Group:

1. Navigate to the Windows device groups tab in the Device Manager category and click Tasks > Add.

2. On the Main tab page, specify a group name and an optional description.

3. On the OS Settings tab, set the following options:

   • Disable removable drives. Disable mounting of removable drives on managed Windows device.

   • Disable Print Screen. Disable the Print Screen key.

   • Replace desktop. This feature makes a Windows computer behave like a thin client. It limits users from changing system settings or installing new applications. The administrator can add local apps (which are already installed on a computer) to the app list in addition to published resources from Parallels RAS. If you select this option, specify an administrator password in the Admin Mode Password field (below) to be used to switch a computer between user and admin modes.

   • Kiosk mode. Enable the kiosk mode.This will disable power cycling functions (reboot, shutdown) on computers in the group. Note that power functions will still be available when the computer is switched to the Admin mode.

   • Use client as desktop. If this option is selected, Parallels Client will run in full screen mode. A user will not be able to minimize it. Select this option to overcome an issue with Parallels Client breaking out of the kiosk mode on Windows 8.x. The issue may manifest itself in the tile-based UI or while using the "drag to close" feature.

   • Admin Mode Password. Specify a password to switch between user and admin modes when a Windows desktop is replaced (see Replace desktop above).

4. On the Firewall Settings tab, enable or disable the firewall and add the inbound ports if necessary.

5. On the Shadowing tab, select the Request Authorization option to prompt a Windows device user before remotely controlling their desktop. If enabled, the user can choose to decline the connection. For more information, see Managing Windows devices.

Adding a Windows device to a group

To add a Windows device to a group:

1. Navigate to the Device Manager > Device Manager tab.

2. Select one or more devices, then click Tasks (or right-click) and choose Move to Group.

3. Select a group and click OK to save the settings.

The administrator can now perform standard Windows power operations (Power On, Power Off, Reboot, Logoff, Lock) on groups of devices.

When a policy is applied to a user device, the information about it is displayed in Parallels Client. The information can be used to verify that the correct policy was delivered to a user device. The following information is included:

• ID: The policy ID as displayed in the ID field in the Policies list in the RAS Console.

• Version: The policy version number as displayed in the Version field in the Policies list in the RAS Console.

• RAS Connection: The name of the connection through which the policy was delivered. Displayed only on mobile devices and in Web Client.

By comparing the information above in Parallels Client running on a user device and the information in the RAS Console, you can see which policy was applied to a user device.

To see the applied policy information for a connection:

• In Parallels Client for Windows / Mac / Linux, open the Connection Properties dialog. The information is displayed at the bottom of a tab page to which the policy was applied.

• In Parallels Client for Android, the information is displayed at the bottom of the Settings screen.

• In Parallels Client for iOS, open the Edit RAS Connection screen and tap View Applied Server Policy (as the bottom).

• In RAS Web Client, the information is displayed in the Settings dialog.

Please note that when all of the connection properties in Parallels Client are managed through client policies, the user can still open the Connection Properties dialog, but it will contain a single tab displaying the applied policy information. If only some of the connection properties are managed through policies, the user will be able to see those tabs and the applied policy information that they contain.

When a policy includes global policy options, you can view the applied policy information in Parallels Client as follows:

• In Parallels Client for Windows and Linux, open the Options dialog (click Tools > Options).

• In Parallels Client for Mac, open Preferences (click Parallels Client > Preferences).

The applied policy information is displayed at the bottom of the dialog, similar to how it is displayed for the connection.

This node in the Policy Properties dialog allows you to configure remote audio playback and recording settings.

In the Remote audio playback section, Use the Where drop-down list to select one of the following remote audio playback options:

• Bring to this computer. Audio from the remote computer will play on your local computer.

• Do not play. Audio from the remote computer will not play on your local computer and will be muted on the remote computer as well.

• Leave at remote computer. Audio will not play on your local computer but will play normally on the remote computer.

Use the Quality drop-down list to adjust the audio quality:

• Dynamically adjust based on available bandwidth. This option will increase or decrease the audio quality based on your connection speed. The faster the connection, the higher audio quality setting will be used.

• Always use medium audio quality. The audio quality is fixed at the medium level. You can use this option when you don't require the best possible audio quality and would rather use the available bandwidth for graphics.

• Always use uncompressed audio quality. The audio quality is fixed at the highest level. Select this option if you have a very fast connection and require the best possible audio quality.

The Enable recording (if applicable) option allows you to enable audio recording on the remote computer. For example, you can speak into a microphone on the local computer and use a sound recording application on the remote computer to record yourself.

The Client options node allows you configure client policy options. Select the node and then select and configure individual items under it as described below.

Connection

On the Connection pane, specify the following options:

• Connection Banner. Select a banner to display while establishing a connection.

• Automatically refresh connected RAS connections every [ ] minutes. Select this option and specify the time interval to automatically refresh a connection. This will refresh the published resources list in Parallels Client.

• When all sessions are closed. Specifies what happens when all user sessions are closed:

  • Do nothing. Nothing happens.

  • Lock workstation. The computer is locked.

  • Sign out from workstation. The current user is signed out from their account.

Logging

Specify a log level for Parallels Client. Choose from the following options:

• Standard

• Extended

• Verbose

You should normally use the Standard logging. When you have an issue with Parallels Client, you can temporarily raise the log level by selecting Extended or Verbose and setting start date/time and a duration. Note that start date and time correspond to the local client time zone. Parallels Client must be running in order for the logging to take place. If Parallels Client is launched when Extended or Verbose levels should be already in effect, the level will stay on for the remainder of the original duration setting. If a policy changes during this time, the actual log level settings will be reapplied accordingly.

Update

PC keyboard

To force a particular keyboard to be used, select the Force use PC keyboard and select a keyboard layout from the drop-down list. Note that the selected layout can and will only be used in a Parallels Client version that supports this particular layout.

Single sign-on

Parallels Client for Windows comes with its own SSO component that you can install and use to sign in to Parallels RAS. If you already use a third-party credential provider component on your Windows computers, you first need to try if the single sign-on works right out of the box. If it doesn't, you need to configure Parallels RAS and Parallels Client to use the Parallels RAS SSO component to function as a wrapper for the third-party credential provider component.

To use Parallels RAS SSO as a wrapper, specify a third-party component, select the Force to wrap third party credential provider component option and specify the component's GUID in the field provided. You can obtain the GUID in Parallels Client as follows:

1. Install Parallels Client on a computer that has the third-party component installed.

2. In Parallels Client, navigating to Tools > Options > Single Sign-On (tab page).

3. Select the "Force to wrap..." option and then select your provider in the drop-down list.

4. Click the Copy GUID to Clipboard button to obtain the component's GUID.

You will also need to specify the component's GUID when setting up an invitation email in the RAS Console. If you haven't set up an invitation email yet, you can do it as follows:

1. In the RAS Console, select the Start category and then click the Invite Users item in the right pane.

2. On the second page of the wizard (target platform and connection options), click the Advanced button.

3. In the dialog that opens, select the Force to wrap third party SSO component option and specify the GUID of the component.

After the policies are applied on Windows computers, Parallels Client will be automatically configured to use the specified third-party credentials provider.

Advanced

Use this pane to specify advanced client options, as described below.

Global

• Always on Top. With this feature enabled, other applications will no longer mask the launcher.

• Show connection tree. Displays the connection tree.

• Minimize to tray on close or escape. Enable this feature to place the Parallels Client into the System Tray when you click on the Close button or hit escape.

• Enable graphic acceleration (Chrome client).

• Do not warn if server certificate is not verified. When connected to a RAS Secure Gateway over SSL, and the certificate is not verified, a warning message will be displayed. You can disable this warning message by enabling this option.

• Swap mouse buttons. When enabling this setting, the mouse buttons will be swapped on the remote computer.

• DPI aware. This will force a published application to be DPI-aware depending on the client's DPI settings. This feature works on Windows 8.1 or higher.

• Add RAS Connection automatically when starting web or shortcuts items. This option will add the connection preferences in the Parallels Client when starting an item contained in a connection that is not yet listed.

• Do not show prompt message for auto add RAS connection. Enable this option to disable prompt messages when adding auto connections.

• Close error messages automatically. When a session disconnects because of an error, the error is automatically dismissed after 15 seconds.

• Clear session cookies on exit. When a user logs on, a Parallels RAS logon cookie is kept on the client side. This will allow the user to connect again with Parallels RAS without re-authenticating. Check this option to delete any cookies when the user closes the Parallels Client.

• Enable extended logging. Enables extended logging.

• Turn off UDP on Client: Turns off UDP traffic from Parallels Client for Windows.

Language

Specify a language that Parallels Client should use. The Default option uses the main language used by the client's operating system.

Printing

• Install missing fonts automatically. If automatic fonts are installed on the server, they will be available when a session connects.

• Raw printing support. When enabling this setting, printing will still work for applications sending data in RAW format.

• Convert non distributable fonts data to images. During RAS Universal Printing, if a document includes non-distributable fonts, each page is converted to an image.

• Cache printers hardware information. Caching of printer hardware information locally to speed-up RAS universal printer redirection.

• Refresh printer hardware information every 30 days. Forces the printer hardware information cache update even if nothing has changed in 30 days. When this option is off, the cache will only be refreshed if there were known changes.

• Cache RAS Universal Printing embedded fonts. Caching of embedded fonts locally to speed-up RAS universal printing process time.

Windows client

• Hide Launcher when application is launched. If this option is enabled, the launcher will be minimized in the system tray after an application is launched.

• Launch automatically at Windows startup. This option will place a shortcut in the start menu folder of the client and the Parallels Client will launch automatically on Windows startup.

RemoteFX USB redirection

• Allow RDP redirection of other supported RemoteFX USB devices to all users. This setting applies to Parallels Client for Windows only. Outside Parallels RAS, the standard RemoteFX USB redirection feature must be enabled via Group Policy in order to work. When you select the "Allow RDP redirection ..." option on this screen, it will do the same as GPO, which is update the corresponding registry setting in Windows on a client machine. Parallels Client for Windows relies on this feature to be enabled in Windows registry in order to redirect USB devices. When the policy containing this setting is applied on a client machine, the user will see a message that RemoteFX USB redirection was enabled and that they will need to restart Windows.

Customer Experience Program

Control settings options allow you to control various actions on the client side. These options affect the following Parallels Clients:

• Windows

• Linux

• Mac

• Android

• iOS

Connections

On the Connections pane, select (or clear) the following options:

• Prohibit adding of RAS connections. When a user presses the Add Connection button, an RDP connection is always created.

• Prohibit adding standard RDP connections. When a user presses the Add Connection button, a RAS connection is always created

Password

On the Password pane, specify the following options:

• Prohibit saving username. Parallels Client will not display the username of the last user who logged in. Selecting this option automatically enables the Prohibit saving password option.

• Prohibit saving password. The option to save the password will not be shown to the user for that particular connection. A password is never saved on a disk, but kept in memory until the user closes the application.

• Prohibit changing password. The option to change the password will not be shown in the context menu for that particular connection.

Import and export

On the Import and Export pane:

• Prohibit importing settings. If this option is selected, the user cannot import connection settings to Parallels Client.

• Prohibit exporting settings. If this option is selected, the user cannot export connection settings from Parallels Client.

To configure remote file transfer in User Portal, do the following:

1. In the Parallels RAS Console, navigate to Farm > <Site> > Secure Gateways.

2. Right-click a desired RAS Secure Gateway in the right pane and choose Properties.

3. Select the User Portal tab.

4. Select the Allow file transfer command option and click the Configure button. In the dialog that opens, select one of the following:

   • Client to server only: Transfer files from client to server only.

   • Server to client only: Transfer files from server to client only.

   • Bidirectional: Transfer files in both directions.

For more information about configuring User Portal, see Configure User Portal.

To configure remote file transfer for an RD Session Host, Provider, or Remote PC, do the following:

1. In the Parallels RAS Console, select the Farm category and then select a desired server type (RD Session Host, Provider, Remote PCs) in the middle pane.

2. Right-click a desired server in the right pane and choose Properties.

3. Select the Agent Settings tab.

4. Select the Allow file transfer command option and click the Configure button. A dialog opens where you can specify remote file transfer options as described below.

5. In the Direction drop-down list, select one of the following:

   • Client to server only: Transfer files from client to server only.

   • Server to client only: Transfer files from server to client only.

   • Bidirectional: Transfer files in both directions.

6. In the Location field, specify a UNC path to a folder to be used as the default upload location. This path will also be used as the default source location when a user tries to download a file from a remote server. You can select from one of the locations predefined in the drop-down list or you can specify your own. Standard Windows environment variables, such %USERNAME%, %USERDOMAIN%, %USERPROFILE%, can be used. If the location is not found during an upload or download operation, the standard (default) download location will be used.

7. The Do not allow to change location option prohibits the user to change the UNC path specified in the Location field. If the option is enabled, the user cannot select a different location while trying to upload or download a file. If the option is cleared, the user can specify a different location.

Parallels RAS provides end users with the ability to transfer files remotely to and from a remote server.

To make the remote file transfer functionality flexible, Parallels RAS allows you to configure it on the following three levels:

• RD Session Host, Provider, or Remote PC

• RAS User Portal

• Gateway settings in Web Client

• Client policy

File transfer settings that you configure on each level take precedence in the order listed above. For example, if you enable file transfer on a User Portal, but disable it on an RD Session Host, file transfer will be disabled for all users who connect to the given RD Session Host through the given User Portal. As another example, you can enable file transfer on an RD Session Host and then disable it for a particular Client policy (or an User Portal). This way you can control which clients can use file transfer and which cannot.

Read the subsequent sections to learn how to configure file transfer on each level.

To configure remote file transfer for a client policy, do the following:

1. In the RAS Console, select the Policies category.

2. Right-click a desired policy in the right pane and choose Properties.

3. In the left pane, navigate to Session > Local devices and resources.

4. Select the File transfer node.

5. In the right pane, select one of the following in the Allow file transfer drop-down list:

   • Client to server only: Transfer files from client to server only.

   • Server to client only: Transfer files from server to client only.

   • Bidirectional: Transfer files in both directions.

For additional information about client policies, see .