If you have an Enterprise subscription, you can remotely configure VNC Connect programs (VNC Viewer or Server) using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. Programs controlled by policy are locked down and cannot be changed by users.
To get started:
- Download policy template files (see the Related downloads box) containing policy settings corresponding to parameters.
- Edit policy template files in order to set parameters to particular values.
- Deploy policy template files using Group Policy (Windows), or distribute to target computers (other platforms).
- Set permissions to ensure policy Registry keys (Windows) or directories (other platforms) cannot be accessed by users.
Note you can also use policy to:
- License VNC Server.
- Disable VNC Server on computers with a Home or Professional subscription, since only an Enterprise subscription respects policy.
For more information, see the appropriate platform-specific section below for Windows, Linux or Mac. For more information on VNC Server modes, click here.
Setting up Group Policy under Windows
To remotely configure and lock down a VNC Connect program:
-
Download the appropriate policy template file archive (see the Related downloads box) for the operating system of target computers:
- For Windows Vista onwards, download the ADMX + ADML format archive. Extract the hierarchy of files to C:\Windows\PolicyDefinitions in order to load into Group Policy Management Editor (or equivalent application).
- For Windows NT, 2000, XP, and Server 2003 computers, download the ADM format archive. Extract the files to C:\Windows\inf in order to load into Group Policy Object Editor (or equivalent snap-in).
- Consult the table below to see which policy template file(s) to edit for a program.
-
Expand the appropriate policy template file(s) and edit policy settings corresponding to the parameters you want to control:
- Choose Enabled to set a boolean parameter to TRUE.
- Choose Disabled to set a boolean parameter to FALSE.
- Choose Enabled and specify a value to set a non-boolean parameter. For a list of allowed values, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use VNC Permissions Creator.
- Deploy policy template file(s) to target computers using a suitable mechanism, for example a Group Policy Object.
-
Check permissions on target computers to deter unauthorized access to policy Registry keys:
- HKEY_LOCAL_MACHINE\Policies\RealVNC for the Computer Configuration policy template file (VNC Server in Service Mode).
- HKEY_CURRENT_USER\Policies\RealVNC for all User Configuration policy template files (for each user account running VNC Connect programs).
Note that in the Area column of the following table:
- CC refers to Computer Configuration > Administrative Templates > RealVNC in an application such as GPME.
- UC refers to User Configuration > Administrative Templates > RealVNC.
Program | Mode | Process | Area | Policy template file | Contains parameters for... |
---|---|---|---|---|---|
VNC Server | Service | core | CC | VNC Server > Service Mode | Connectivity, security, locale, performance, logging and more. |
UI | UC | VNC Server > Service Mode > User Interface | Locale, file transfer, and chat. | ||
User | core | UC | VNC Server > User Mode | Connectivity, security, locale, performance, logging and more. | |
UI | UC | VNC Server > User Mode > User Interface | Locale, file transfer, and chat. | ||
VNC Viewer | UC | VNC Viewer | Performance, picture quality, useability, locale, logging, and more. |
*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.
Licensing VNC Server
To license VNC Server on target computers:
- Expand the CC > Licensing policy template file.
- Edit the License Key Code policy setting.
- Choose Enabled, and specify your 25-character license key as the value. Your license key is available from the Deployment page of your RealVNC account.
*Any license keys applied directly to a particular computer will be ignored.
Locking down mixed-subscription deployments
If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:
- Expand the CC > Restrictions policy template file.
- Edit the Disable VNC Server if the license key does not support group policy setting.
- Choose Enabled.
Setting up policy under Linux
To remotely configure and lock down a VNC Connect program:
- Download the appropriate policy template file archive (see the Related downloads box) for the platform of target computers.
- Consult the table below to see which policy template file(s) to edit for a program.
- Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissionsparameter, use VNC Permissions Creator. *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.
- Distribute policy template files to the /etc/vnc/policy.d directory of target computers.
- Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.
Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
---|---|---|---|---|---|
VNC Server | Service | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
User interface | vncserverui-service | Locale, file transfer, and chat. | |||
User | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. | |
User interface | vncserverui-user | Locale, file transfer, and chat. | |||
Virtual | core | Xvnc | Connectivity, security, locale, performance, logging, and more. | ||
User interface | vncserverui-virtual | Locale, file transfer, and chat. | |||
Daemon | vncserver-virtuald | Connectivity, security, logging. | Performance controlled per-user by Xvnc. | ||
VNC Viewer | vncviewer | Performance, picture quality, useability, locale, logging and more. |
*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.
Licensing VNC Server
To license VNC Server on target computers:
- Open the licensekey policy template file in a text editor.
- Enter your 25-character license key, available from the Deployment page of your RealVNC account.
*Any license keys applied directly to a particular computer will be ignored.
Locking down mixed-subscription deployments
If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:
- Open the restrictions policy template file in a text editor.
- Set BlockNonPolicyServers to 1.
Setting up policy under Mac
To remotely configure and lock down a VNC Connect program:
- Download the policy template file archive (see the Related downloads box).
- Consult the table below to see which policy template file(s) to edit for each program.
- Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissionsparameter, use VNC Permissions Creator. *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.
- Distribute policy template files to the /etc/vnc/policy.d directory of target computers.
- Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.
Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
---|---|---|---|---|---|
VNC Server | Service | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
User interface | vncserverui-service | Locale, file transfer, and chat. | |||
User | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. | |
User interface | vncserverui-user | Locale, file transfer, and chat. | |||
VNC Viewer | vncviewer | Performance, picture quality, useability, locale, logging and more. |
*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.
Licensing VNC Server
To license VNC Server on target computers:
- Open the licensekey policy template file in a text editor.
- Enter your 25-character license key, available from the Deployment page of your RealVNC account.
*Any license keys applied directly to a particular computer will be ignored.
Locking down mixed-subscription deployments
If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:
- Open the restrictions policy template file in a text editor.
- Set BlockNonPolicyServers to 1.
Comments
Please sign in to leave a comment.