If you have a subscription that includes policy management, you can remotely configure VNC Connect programs (VNC Viewer or VNC Server) using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. Programs controlled by policy are locked down and cannot be changed by users.
To get started:
- Download policy template files (see the Related downloads section towards the bottom of the page) containing policy settings corresponding to parameters.
- Import policy template files to a domain controller for use in Group Policy Management Editor (Windows), or edit the policy template files directly (Mac/Linux) in order to set parameters to particular values.
- Deploy policy template files using Group Policy (Windows), or distribute to target computers (Mac/Linux).
- Set permissions to ensure policy Registry keys (Windows) or directories (Mac/Linux) cannot be modified by users (read access is required).
Note you can also use policy to:
- License VNC Server and VNC Viewer
- Disable VNC Server on computers licensed with a subscription that doesn't include policy management.
For more information, see the appropriate platform-specific section below for Windows, Mac or Linux. For more information on VNC Server modes, click here.
Setting up Group Policy under Windows
Please refer to the dedicated article for Windows here: Configuring and Licensing VNC Connect on Windows using Group Policy
Setting up policy under Linux
To remotely configure and lock down a VNC Connect program:
-
Download the appropriate policy template file archive (see the Related downloads box) for the platform of target computers.
-
Consult the table below to see which policy template file(s) to edit for a program.
-
Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server
Permissions
parameter, use VNC Permissions Creator.*If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.
-
Distribute policy template files to the
/etc/vnc/policy.d
directory of target computers. -
Check ownership and permissions on the
/etc/vnc/policy.d
directory to deter unauthorized access.
Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
---|---|---|---|---|---|
VNC Server | Service | core | vncserver-x11 |
Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
User interface | vncserverui-service |
Locale, file transfer, and chat. | |||
User | core | vncserver-x11 |
Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. | |
User interface | vncserverui-user |
Locale, file transfer, and chat. | |||
Virtual | core | Xvnc |
Connectivity, security, locale, performance, logging, and more. | ||
User interface | vncserverui-virtual |
Locale, file transfer, and chat. | |||
Daemon | vncserver-virtuald |
Connectivity, security, logging. | Performance controlled per-user by Xvnc . |
||
VNC Viewer | vncviewer |
Performance, picture quality, useability, locale, logging and more. |
*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.
Licensing VNC Server
To license VNC Server on target computers you will need the offline license found on the Deployment page of your RealVNC account.
For VNC Server 7.x, this is the long Offline license key.
Open the licenses/vncserver/vnc.lic
policy template file in a text editor, and replace the contents with your offline license.
For VNC Server 6.x, this is a 25 character license key.
Open the licensekey
policy template file in a text editor, and replace the contents with your offline license.
*Any license keys applied directly to a particular computer will be ignored.
Locking down mixed-subscription deployments
If some target computers have subscriptions applied that do not include policy management, you can prevent VNC Server running on these computers while policy is in force:
- Open the
restrictions
policy template file in a text editor. - Set
BlockNonPolicyServers
to1
.
Setting up policy under Mac
To remotely configure and lock down a VNC Connect program:
-
Download the policy template file archive (see the Related downloads box).
-
Consult the table below to see which policy template file(s) to edit for each program.
-
Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server
Permissions
parameter, use VNC Permissions Creator.*If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.
-
Distribute policy template files to the
/etc/vnc/policy.d
directory of target computers. -
Check ownership and permissions on the
/etc/vnc/policy.d
directory to deter unauthorized access.
Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
---|---|---|---|---|---|
VNC Server | Service | core | vncserver |
Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
User interface | vncserverui-service |
Locale, file transfer, and chat. | |||
User | core | vncserver |
Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. | |
User interface | vncserverui-user |
Locale, file transfer, and chat. | |||
VNC Viewer | vncviewer |
Performance, picture quality, useability, locale, logging and more. |
*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.
Licensing VNC Server
To license VNC Server on target computers you will need the offline license found on the Deployment page of your RealVNC account.
For VNC Server 7.x, this is the long Offline license key.
Open the licenses/vncserver/vnc.lic
policy template file in a text editor, and replace the contents with your offline license.
For VNC Server 6.x, this is a 25 character license key.
Open the licensekey
policy template file in a text editor, and replace the contents with your offline license.
*Any license keys applied directly to a particular computer will be ignored.
Locking down mixed-subscription deployments
If some target computers have subscriptions applied that do not include policy management, you can prevent VNC Server running on these computers while policy is in force:
- Open the
restrictions
policy template file in a text editor. - Set
BlockNonPolicyServers
to1
.
Comments
Please sign in to leave a comment.