Secure credentials management

Hi,

If there is a password stored in RDM, there is nothing to stop the user running Notepad in the RDP session and inserting the password into Notepad to reveal what it is.

Do you mean that when injecting a password through simulated typing, there's no way to ensure the right input field is currently focused in the RDP session, such that if Notepad is in focus, the password will be typed in it?

It would be great if RDM was able to scan a screen, learn what the password field is and be able to inject a password.

Can you elaborate on the specific applications which would need to be supported? Websites have a DOM structure which can be parsed, but screenshots from a remote desktop can only be OCRed to try and guess where input fields might be, to focus them automatically. This would still use simulated typing to inject the password - if the user can click a "reveal password" button in that field, they can still copy/paste the password afterward. There is a significant development effort involved, and while it might increase accuracy, it still wouldn't prevent users from grabbing those passwords.

Would love to be able to do this for program passwords so that they could be stored and used without anyone knowing what those passwords are.

If you can tell us more what those programs are, maybe we can look into ways it could be done without simulated typing

One upcoming feature you might be interested in is the new Devolutions Agent with more advanced remote execution capabilities that the previous RDM Agent. Here's a video showing remote execution through Devolutions Agent integrated with the upcoming RDM MCP server. The MCP server probably doesn't matter in your case, but there might be a way to simplify running specific scripts inside RDP sessions that would do the credential injection for known applications: https://bsky.app/profile/awakecoding.com/post/3lxdeu5tzck2n

Best regards,

We have two specific in-house built applications that we need to inject passwords in to. Our developers will be able to work with yours to determine a way to identify. That would fix our requirement, although that is a pretty customised response.