aeroplane, there are a number of ways to allow remote desktop through the SSL VPN. If you are allowing it through VPN Tunneling (TCP port 3389) then you lose the ability to lock it down RDP features through the SA / MAG. You would have to manage it through group policy. However you can control the RDP destinations that users are allowed to connect to through VPN Tunneling Access Control policies.
To control RDP features like file copies and drive mappings you can instead have your users use the Juniper Terminal Services Client. To do this, set up a role or a resource profile that allows Terminal Services access. You can then set up Terminal Services options and access lists to restrict the features and RDP destinations that you don't want your users to have access to.