Releases: GoogleCloudPlatform/iap-desktop
2.43.1627
Release 2.43 introduces a number of Remote Desktop improvements:
- Sign-out: You can now remotely sign out of a Remote Desktop by choosing Session > Sign out. In addition to disconnecting the session, the command terminates your Windows session on the remote VM. (#1463)
- Reconnect: When a Remote Desktop session times out and displays the lock screen, you can now use Session > Reconnect to let IAP Desktop reconnect the session and sign you in automatically again. (#1463)
- Disable automatic logons: IAP Desktop now offers an additional connection setting, Automatic logons. When you set this to Disabled, IAP Desktop won't try to sign you in automatically, and won't offer to save credentials. The setting is intended for VMs that use the Always prompt for password upon connection group policy and lets you avoid duplicate credential prompts when connecting to such VMs. (#1501)
- Display resolution: Instead of letting IAP Desktop resize the Remote Desktop session to fit your current window size, you can now use the Display resolution setting to let IAP Desktop use a fixed resolution for the Remote Desktop session.
The release also includes these new features:
- ARM64 support: IAP Desktop now natively supports ARM64, and there is a separate installer package for ARM64 machines.
- Intune deployment: The documentation now contains instructions for deploying IAP Desktop using Intune and customizing IAP Desktop using Intune.
In addition, the release includes several stability improvements and fixes, including:
- Connection settings: The connection settings window now properly indicates when a Windows password is being inherited.
2.42.1561
Release 2.42 introduces the following new features:
- DPI-aware scaling: IAP Desktop now automatically scales its GUI based on the DPI settings of your primary monitor, letting the application and RDP sessions look crisp on high-DPI screens. IAP Desktop automatically scales RDP sessions to match your display settings, but you can optionally disable display scaling in the connection settings.
- Remember RDP credentials: When you connect to a Windows VM and haven't stored RDP credentials before, IAP Desktop shows a credential prompt. This prompt now includes a "Remember me" option that lets you store your credentials and skip the credential prompt the next time you connect.
In addition, the release includes several stability improvements and fixes, including:
- Windows CNG: IAP Desktop now uses Windows CNG as crypto backend for SSH and no longer depends on OpenSSL. Previous versions used CNG for SSH user authentication, but relied on a bundled version of OpenSSL to handle all other cryptographic operations. CNG is a part of Windows and serviced by Windows Update.
- Dark mode: Icons have been optimized to look better in dark mode.
Additional notes:
- IAP Desktop 2.42 now requires Windows 10 14393 (also called 1607, 'Anniversary Update', or LTSB 2016), Windows Server 2016, or a later version of Windows. Older versions of Windows such as Windows 8.1 or Windows 10 1507 lack support for a Windows CNG feature that's required for SSH and therefore can't be used to run IAP Desktop anymore.
- Updates now default to the x64 (64-bit) version of IAP Desktop.
Update 08/20/2024: Updated packages to fix an issue in the upgrade process that caused IAP Desktop to fail during startup for some users.
2.41.1463
Release 2.41 introduces the following new features:
- RDP admin sessions: The connection settings for Windows VMs now include an additional setting, Session type. When you set this to Admin, IAP Desktop connects to the VM in administrative mode, similar to mstsc /admin. (#1326)
- Type clipboard text: In situations where you can't use copy/paste to copy text to a Remote Desktop session, you can now let IAP Desktop simulate keyboard input by using the Session > Type clipboard text command.
- Instance properties: The Instance properties window now shows additional details, including VM metadata, CPU architecture, and labels.
In addition, the release includes several stability improvements and fixes, including:
- Linux usernames containing dots weren't accepted, despite being POSIX-compliant (#1312, fix contributed by @dave-pollock)
Additional notes:
- IAP Desktop will soon drop support for Windows 8.1 and Windows 2012 R2 as these versions of Windows are past their end of life.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.40.1418
Release 2.40 introduces the following new features:
- Faster RDP full-screen switching: Entering and leaving full-screen mode is now faster and, in most cases, no longer requires a reconnect. (#1005)
- RDP in restricted admin mode: You can now connect to Windows VMs using RDP in restricted admin mode. You can enable restricted admin mode in the connection settings.
- SSH password prompting: When you're using SSH with password authentication, you can now choose between saving credentials or letting IAP Desktop show a password prompt every time you connect. (#1227)
- Tunneling: You can now use IAP Desktop to create IAP tunnels to MySQL/MariaDB, Postgres, SQL Server, and custom server applications. You can then use any tool to connect to that tunnel and the tunnel remains open until you close IAP Desktop. (#1192)
- Session management: You can now close multiple sessions at once by using the Close all or Close others menu items in the session menu.
- Project search: When you add a new project, you can now search for projects by any term, not just by prefix. (319229912)
- x64: When you download IAP Desktop, you can now choose between x86 (32-bit) and x64 (64-bit). We recommend switching to the 64-bit version if you're frequently using more than ~8 RDP sessions in parallel to avoid resource exhaustion issues. (#1203)
In addition, the release includes several stability improvements and fixes, including:
- The New logon credentials command suggested an invalid username when you configured a UPN in the VM's connection settings.
- Under certain circumstances, double-clicking a file in the SSH file download dialog could cause IAP Desktop to crash. (325757513)
Additional notes:
- Support for RDP bitmap persistence has been removed.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.39.1348
Release 2.39 introduces the following new features:
- WebAuthn over RDP: IAP Desktop can now redirect local Windows Hello/FIDO2 authenticators over RDP so that you can use them in a Remote Desktop session.
- Improved high-DPI screen support: The application now uses GDI scaling to reduce blur on high-DPI screens.
- OS Login with workforce identity: As a workforce identity user, you can now use IAP Desktop to connect to Linux VMs that use OS Login. Note that to use OS Login with workforce identity, you might need to update your VM's guest environment. (#1158)
- Password/keyboard-interactive SSH authentication: For VMs that don't support public key authentication, IAP Desktop can now use password or keyboard-interactive SSH authentication. To use password or keyboard-interactive SSH authentication, open the VM's connection settings and set Public key authentication to disabled. (#743)
- Ephemeral SSH keys: You can now configure IAP Desktop to use a new, ephemeral SSH key every time you launch the application. Using ephemeral SSH keys lets you use IAP Desktop in scenarios where the Windows CNG key store has become corrupted or inaccessible or when you're logged in using a read-only Windows profile. (303075734, 275455836, 307194658, 308161113)
- FIPS 140-2 compatibility: IAP Desktop now works on computers that have been configured to only allow FIPS-compliant cryptographic algorithms. (311436717)
In addition, the release includes several stability improvements and fixes, including:
- Using a proxy server that requires NTLM authentication could result in sporadic connection failures. (317964071, 316679392, 318732966)
- On computers that have Hyper-V installed, connecting to a VM sometimes failed because of a port conflict. (317595820, 309816619)
- Publishing an SSH key to VM metadata could fail if you only had actAs access to the VM's service account, but not to the enclosing project.
Additional notes:
- IAP Desktop no longer works with .NET 4.6.2 and instead requires .NET 4.7 or a newer version of the .NET framework.
- Google Cloud is changing the default session length to 16 hours for existing Google Cloud customers. This change affects IAP Desktop and as a result, you might soon have to re-authenticate more often.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.38.1281
Release 2.38 introduces the following new features:
- Workforce identity: IAP Desktop now supports workforce identity federation as an alternative way to sign in to IAP Desktop.
- Easier reauthentication: When your session expires, IAP Desktop no longer requires you to grant consent for multiple OAuth scopes, making it quicker and easier to reauthenticate.
- Private service connect: You can now let IAP Desktop connect to Google Cloud APIs through Private Service Connect (PSC). You can use PSC to connect from corporate networks that have Cloud VPN/Interconnect access to Google Cloud, but might otherwise have limited internet access. (#1028)
- SSH rsa-sha2-512 and rsa-sha2-256 authentication: When you configure IAP Desktop to use an RSA key for SSH public key authentication, the application now defaults to using rsa-sha2-512 or rsa-sha2-256 instead of the deprecated ssh-rsa algorithm.
- Port forwarding: You can now create custom tunnels by right-clicking a VM and selecting Connect client application > Forward local port. Port forwarding is an alternative to registering a custom client application and doesn't require any extra configuration. On multi-user systems such as RDS farms, IAP Desktop only allows applications from the same session to connect. (#936)
- SQL Server Management Studio: When you connect to a VM using SSMS, Object Explorer now shows the name of the VM you're connected to. (#1071)
- Data sharing: To help us improve and prioritize features, you can now optionally allow IAP Desktop to collect and share usage data. Data sharing is disabled by default for all users.
- VPC-SC: When accessing a VM fails because of a VPC service control policy, the error message now includes a troubleshooting ID and a link to the troubleshooting tool.
- Updated group policy templates: You can now use Active Directory group policies to manage Private Service Connect and workforce identity federation settings across endpoints.
- Secure Cloud Console: When you've enabled BeyondCorp certificate-based access, all links to the Cloud Console now use the secure Cloud Console (console-secure.cloud.google.com).
Additional notes:
- Google Cloud is changing the default session length to 16 hours for existing Google Cloud customers. This change affects IAP Desktop and as a result, you might soon have to re-authenticate more often.
- Workforce identity federation is subject to certain limitations and currently doesn't support OS Login.
- Future releases of IAP Desktop will require .NET 4.7 or later (instead of .NET 4.6.2). This change is expected to have minimal impact.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.37.1187
You can now use IAP Desktop to launch database clients and other client applications and let them securely connect to Google Cloud VMs over IAP TCP forwarding.
To use the feature, right-click a VM in the Project Explorer window and select Connect client application. IAP Desktop then creates an IAP TCP forwarding tunnel, launches the application, and lets the application connect to Google Cloud through the tunnel.
You can use this feature with the following client applications:
- SQL Server Management Studio (SSMS): You can launch SSMS and let it authenticate and connect to SQL Server using either Windows authentication or SQL Server authentication. You can use Windows authentication even if your workstation is not domain-joined or if it's joined to a different domain than your SQL Server instance.
- MySQL Shell: You can launch the MySQL command-line client to connect to MySQL servers.
- Chrome: You can launch Chrome to connect to management portals or other websites that are only available inside your VPC on port 80 or 8080.
- Custom applications: You can extend the feature by registering your own applications.
Other new features include:
- Multiple RDP sessions to same VM: You can now create multiple sessions to the same Windows VM by right-clicking a VM in the Project Explorer window and selecting Connect as user.
- Enhanced Properties window: The Properties window now shows additional details about a VM's security settings.
In addition, the release includes several stability improvements and fixes, including:
- Several improvements to the dark theme
- A fix for an issue that caused the options dialog to fail when the connection limit was set to a lower-than-default value (283811054)
- IAP Desktop now closes unused tunnels as soon as they're not used anymore, freeing up system resources
Additional notes:
- Google Cloud is changing the default session length to 16 hours for existing Google Cloud customers. This change affects IAP Desktop and as a result, you might have to re-authenticate more often.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.36.1101
Release 2.36 introduces the following new features:
- Connect via VPN/Interconnect: In situations where you can't use IAP TCP forwarding, you can now configure IAP Desktop to directly connect to the private IP address of a VM. You can find the new setting in the Connection Settings window and you can configure it for individual VMs, zones, or entire projects. (#870)
- Tab coloring: IAP Desktop now uses different tab colors to help distinguish different types of sessions:
  - Blue indicates that a session was connected via IAP TCP forwarding
  - Gold indicates that a session was connected via VPN/Interconnect
  - Plum/purple indicates that a session was initiated from a browser
- Session tooltips: Hovering over a tab now shows information about the session, including the user you used to authenticate.
- Automatic theme selection: IAP Desktop now automatically selects a theme (light/dark) based on your Windows settings.
- Credential callbacks: When launching IAP Desktop from a browser, you can now optionally provide a credential callback URL that IAP Desktop can use to automatically obtain user credentials. (#872)
In addition, the release includes several stability improvements and fixes, including:
- After minimizing and restoring a full-screen RDP session, the window wasn't properly restored. (280783689)
- Opening an iap-rdp:/// URL didn't work correctly if you were already connected to the same VM and the IAP Desktop window was minimized.
- If you set an operating system filter in the Project Explorer window, the filter was persisted. This was inconsistent with how other filters worked. (273494372, 280659989)
- In some circumstances, launching a second copy of IAP Desktop caused the first copy to fail. (280666330, 278929559)
Additional notes:
- Google Cloud is changing the default session length to 16 hours for existing Google Cloud customers. This change affects IAP Desktop and as a result, you might soon have to re-authenticate more often.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.35.1020
Release 2.35 introduces the following new features:
- Dark mode: You can now choose between the (default) light theme and a new dark theme by going to Tools > Options > Appearance. Dark mode works on Windows 11 and recent versions of Windows 10 (20H1 or newer). (#715)
- Updated theme and icons: Both themes have been updated to look more modern and are now using a new set of icons.
In addition, the release includes several stability improvements and fixes, including:
- You can now launch multiple instances of IAP Desktop as the same user across different Windows sessions. Previously, launching IAP Desktop failed with an error "All pipe instances are busy" if another instance was running as the same user, but in a different (RDP) session. (270097766)
Additional notes:
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.
2.34.988
Release 2.34 introduces the following new features:
- Windows Defender integration: Files downloaded from a Linux VM are now automatically scanned by Windows Defender.
- Sign in with Chrome in guest mode: The Sign-in dialog now provides an option to sign in with Chrome in guest mode, making it easier to sign in for secondary profiles.
In addition, the release includes several stability improvements and fixes, including:
- You can now configure the maximum number of concurrent TCP connections IAP Desktop uses per endpoint. You can use this setting in situations where a proxy server doesn't permit more than a certain number of connections in parallel (#851).
- You can now customize the RDP connection timeout in the connection settings. Extending the timeout can be useful when entering credentials manually instead of using saved credentials.
- The minimum window size has been reduced, making it easier to use IAP Desktop on 1080p displays (#841).
- Downloading a file from a Linux VM failed if the file used a file name that's not supported by Windows (#828).
Additional notes:
- Windows 8.1 is now out of support and future releases of IAP Desktop will no longer be tested to work on Windows 8.1.
- Future releases of IAP Desktop might only be made available for 64-bit versions of Windows.