Articles in this section

See more

Remotely Configuring and Locking Down VNC Connect Using Policy

Avatar
Tegan
  • Updated

If you have an Enterprise subscription, you can remotely configure VNC Connect programs (VNC Viewer or Server) using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. Programs controlled by policy are locked down and cannot be changed by users.

To get started:

  1. Download policy template files (see the Related downloads box) containing policy settings corresponding to parameters.
  2. Edit policy template files in order to set parameters to particular values.
  3. Deploy policy template files using Group Policy (Windows), or distribute to target computers (other platforms).
  4. Set permissions to ensure policy Registry keys (Windows) or directories (other platforms) cannot be accessed by users.

Note you can also use policy to:

  • License VNC Server.
  • Disable VNC Server on computers with a Home or Professional subscription, since only an Enterprise subscription respects policy.

For more information, see the appropriate platform-specific section below for Windows, Linux or Mac. For more information on VNC Server modes, click here.

Setting up Group Policy under Windows

To remotely configure and lock down a VNC Connect program:

  1. Download the appropriate policy template file archive (see the Related downloads box) for the operating system of target computers:

    • For Windows Vista onwards, download the ADMX + ADML format archive. Extract the hierarchy of files to C:\Windows\PolicyDefinitions in order to load into Group Policy Management Editor (or equivalent application).
    • For Windows NT, 2000, XP, and Server 2003 computers, download the ADM format archive. Extract the files to C:\Windows\inf in order to load into Group Policy Object Editor (or equivalent snap-in).

  2. Consult the table below to see which policy template file(s) to edit for a program.

  3. Expand the appropriate policy template file(s) and edit policy settings corresponding to the parameters you want to control:

    • Choose Enabled to set a boolean parameter to TRUE.
    • Choose Disabled to set a boolean parameter to FALSE.
    • Choose Enabled and specify a value to set a non-boolean parameter. For a list of allowed values, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use VNC Permissions Creator.

    *If a policy setting retains the default state of Not configured, the corresponding parameter will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Deploy policy template file(s) to target computers using a suitable mechanism, for example a Group Policy Object.

  5. Check permissions on target computers to deter unauthorized access to policy Registry keys:

    • HKEY_LOCAL_MACHINE\Policies\RealVNC for the Computer Configuration policy template file (VNC Server in Service Mode).
    • HKEY_CURRENT_USER\Policies\RealVNC for all User Configuration policy template files (for each user account running VNC Connect programs).

Note that in the Area column of the following table:

  • CC refers to Computer Configuration > Administrative Templates > RealVNC in an application such as GPME.
  • UC refers to User Configuration > Administrative Templates > RealVNC.
Program Mode Process Area Policy template file Contains parameters for...
VNC Server Service core CC VNC Server > Service Mode Connectivity, security, locale, performance, logging and more.
UI UC VNC Server > Service Mode > User Interface Locale, file transfer, and chat.
User core UC VNC Server > User Mode Connectivity, security, locale, performance, logging and more.
UI UC VNC Server > User Mode > User Interface Locale, file transfer, and chat.
VNC Viewer UC VNC Viewer Performance, picture quality, useability, locale, logging, and more.

*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Expand the CC > Licensing policy template file.
  2. Edit the License Key Code policy setting.
  3. Choose Enabled, and specify your 25-character license key as the value. Your license key is available from the Deployment page of your RealVNC account.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:

  1. Expand the CC > Restrictions policy template file.
  2. Edit the Disable VNC Server if the license key does not support group policy setting.
  3. Choose Enabled.

Setting up policy under Linux

To remotely configure and lock down a VNC Connect program:

  1. Download the appropriate policy template file archive (see the Related downloads box) for the platform of target computers.

  2. Consult the table below to see which policy template file(s) to edit for a program.

  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissionsparameter, use VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

Program Mode Process Policy template file Contains parameters for... Notes
VNC Server Service core vncserver-x11 Connectivity, security, locale, performance, logging, and more. Controls these aspects of User Mode as well.
User interface vncserverui-service Locale, file transfer, and chat.  
User core vncserver-x11 Connectivity, security, locale, performance, logging, and more. Controls these aspects of Service Mode as well.
User interface vncserverui-user Locale, file transfer, and chat.  
Virtual core Xvnc Connectivity, security, locale, performance, logging, and more.  
User interface vncserverui-virtual Locale, file transfer, and chat.  
Daemon vncserver-virtuald Connectivity, security, logging. Performance controlled per-user by Xvnc.
VNC Viewer     vncviewer Performance, picture quality, useability, locale, logging and more.  

*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Open the licensekey policy template file in a text editor.
  2. Enter your 25-character license key, available from the Deployment page of your RealVNC account.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Setting up policy under Mac

To remotely configure and lock down a VNC Connect program:

  1. Download the policy template file archive (see the Related downloads box).

  2. Consult the table below to see which policy template file(s) to edit for each program.

  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissionsparameter, use VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

Program Mode Process Policy template file Contains parameters for... Notes
VNC Server Service core vncserver Connectivity, security, locale, performance, logging, and more. Controls these aspects of User Mode as well.
User interface vncserverui-service Locale, file transfer, and chat.  
User core vncserver Connectivity, security, locale, performance, logging, and more. Controls these aspects of Service Mode as well.
User interface vncserverui-user Locale, file transfer, and chat.  
VNC Viewer     vncviewer Performance, picture quality, useability, locale, logging and more.  

*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Open the licensekey policy template file in a text editor.
  2. Enter your 25-character license key, available from the Deployment page of your RealVNC account.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have Home or Professional subscriptions directly applied, you can prevent VNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Related articles

Comments

0 comments

Please sign in to leave a comment.