Cameyo: Chrome Enterprise Premium integration - March Webinar Q&A Recap

Hi everyone,

Thank you to everyone who joined our most recent webinar, Cameyo & Chrome Enterprise Premium Integration. We had a fantastic turnout and received a lot of excellent questions during the session!

To ensure you have all the info you need, we've compiled this Q&A recap, organizing the questions into categories so that you can easily find the topics that matter most to you.

Since this series of webinars have come to an end, we will be publishing the Q&As from February and December webinars soon as well, so keep your eyes peeled 👁️ 👁️

Also, if you have any further questions related to the webinar, please feel free to drop them in the comments below.

💻 Technical & Administration

Infrastructure and Deployment

• Who is responsible for securing the Windows Server (AV, backups, etc.)?
  Google and Cameyo provide the delivery platform, but the underlying Windows Server security remains a customer responsibility. However, Cameyo is designed with a "security-first" architecture: sessions run as standard users without admin privileges, isolating them to their own profiles.
   
• Can the host server’s web browser be disabled?
  Yes. You can disable web browsing on the host Cameyo Windows server through several methods, including standard Windows Group Policies.
   
• Does Cameyo support persistent/individual VMs or GCDS for LDAP?
  To keep costs low for customers, we avoid 1:1 user-to-VM mapping. Instead of persistent VMs, we use a dynamic model where user data "follows" the individual from server to server, ensuring a consistent app experience without the overhead of dedicated infrastructure.

Application & User Experience

• Can legacy apps in Cameyo connect to physical hardware (printers, scanners, etc.)?
  Yes. Printers are supported via the Cameyo Virtual Printer or WebUSB. For retail environments requiring payment or e-signature devices, many of these can be integrated through these same protocols.
   
• Does it support technical tools like PuTTY, WinSCP, or FileZilla?
  Absolutely. We have many customers successfully running these applications within the Cameyo environment today.
   
• Is there a supported list of Apps and DB connectors for developers?
  While Cameyo is generally optimized for productivity and line-of-business apps rather than intensive development environments, most apps that install on Windows Server and support multi-session environments will work. If you have a specific use case, we recommend a proof-of-concept test.

🔒 Security & Policy

Data Protection and Malware

• How do Chrome Enterprise Premium (CEP) and Cameyo protect against info-stealer malware on BYOD?
  On unmanaged/BYOD devices, you can set "read-only" personas to prevent data from leaving the secure environment. Since Cameyo streams pixels rather than code, and CEP provides built-in browser protections, local malware is blocked from injecting code into the session.
   
• Can access policies be restricted to corporate devices or specific profiles?
  Yes. You can control access using SSO groups or by creating IP address allow-lists. This ensures that even if a user is WFH, they must meet your specific identity or network requirements.

Identity and Token Security

• How does this integrate with Microsoft Entra ID?
  Cameyo and Chrome Enterprise work seamlessly with Entra ID. You can find our full setup guide for Entra ID integration here in our documentation.
   
• What protections exist for token theft and phishing?
  • Chrome Enterprise Premium: Uses Device Bound Session Credentials (DBSC) to cryptographically tie cookies to a device's TPM. If a cookie is stolen, it becomes useless on any other machine.
  • Cameyo Isolation: Because the app session lives in a secure cloud container, session tokens never actually touch the user’s local hard drive, leaving nothing for local malware to "scrape."
  • Continuous Access Evaluation (CAE): If a device's health signals change mid-session (e.g., a threat is detected), access can be revoked instantly.

BYOD & Mobile Challenges

• We have issues with Android devices and Context-Aware Access (CAA) because Endpoint Verification isn't available. Can CEL help?
  Yes! On Android, device health is reported via the Work Profile/MDM, not a browser extension. To fix access issues, you should update your CAA policies using Common Expression Language (CEL). This allows you to create a "split" policy: requiring Endpoint Verification for desktops, but checking for MDM compliance for mobile devices.