Remotely Configuring and Locking Down VNC Connect Using Policy

If you have a subscription that includes policy management, you can remotely configure VNC Connect programs (VNC Viewer or VNC Server) using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. Programs controlled by policy are locked down and cannot be changed by users.

To get started:

  1. Download policy template files (see the Related downloads section towards the bottom of the page) containing policy settings corresponding to parameters.
  2. Import policy template files to a domain controller for use in Group Policy Management Editor (Windows), or edit the policy template files directly (Mac/Linux) in order to set parameters to particular values.
  3. Deploy policy template files using Group Policy (Windows), or distribute to target computers (Mac/Linux).
  4. Set permissions to ensure policy Registry keys (Windows) or directories (Mac/Linux) cannot be modified by users (read access is required).

Note you can also use policy to:

  • License VNC Server and VNC Viewer
  • Disable VNC Server on computers licensed with a subscription that doesn't include policy management.

For more information, see the appropriate platform-specific section below for Windows, Mac or Linux. For more information on VNC Server modes, click here.

Setting up Group Policy under Windows

Please refer to the dedicated article for Windows here: Configuring and Licensing VNC Connect on Windows using Group Policy

Setting up policy under Linux

To remotely configure and lock down a VNC Connect program:

  1. Download the appropriate policy template file archive (see the Related downloads box) for the platform of target computers.

  2. Consult the table below to see which policy template file(s) to edit for a program.

  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

| Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
|---|---|---|---|---|---|
| VNC Server | Service | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
| VNC Server | Service | User interface | vncserverui-service | Locale, file transfer, and chat. | |
| VNC Server | User | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. |
| VNC Server | User | User interface | vncserverui-user | Locale, file transfer, and chat. | |
| VNC Server | Virtual | core | Xvnc | Connectivity, security, locale, performance, logging, and more. | |
| VNC Server | Virtual | User interface | vncserverui-virtual | Locale, file transfer, and chat. | |
| VNC Server | Virtual | Daemon | vncserver-virtuald | Connectivity, security, logging. | Performance controlled per-user by Xvnc. |
| VNC Viewer | | | vncviewer | Performance, picture quality, usability, locale, logging and more. | |

*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers you will need the offline license found on the Deployment page of your RealVNC account.

For VNC Server 7.x, this is the long Offline license key. If you haven't previously generated an offline license, click the Generate button.
Open the licenses/vncserver/vnc.lic policy template file in a text editor, and replace the contents with your offline license.

For VNC Server 6.x, this is a 25-character license key.
Open the licensekey policy template file in a text editor, and replace the contents with your offline license.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have subscriptions applied that do not include policy management, you can prevent VNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Setting up policy under Mac

To remotely configure and lock down a VNC Connect program:

  1. Download the policy template file archive (see the Related downloads box).

  2. Consult the table below to see which policy template file(s) to edit for each program.

  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the parameter documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.
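
The ownership and permissions check in step 5 of the Linux and Mac procedures, as an added example (not RealVNC's own tooling): a POSIX shell function that flags entries under /etc/vnc/policy.d that have the wrong owner, are writable by group or others, lack the read access the programs need, or are symlinks. The function name `audit_policy_dir` and the default expected owner of root are assumptions.

```shell
#!/bin/sh
# Added example: audit a VNC Connect policy directory on Linux or Mac.
# Usage: audit_policy_dir [DIR] [OWNER]
#   DIR   defaults to /etc/vnc/policy.d (the path given in the article)
#   OWNER defaults to root (assumption: policy is deployed as root)
# Prints one "FINDING: ..." line per problem.
# Return status: 0 = clean, 1 = findings, 2 = directory missing.
audit_policy_dir() {
    dir=${1:-/etc/vnc/policy.d}
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir is missing or not a directory"
        return 2
    fi

    findings=$(
        # An entry owned by another account can be rewritten by that account.
        find "$dir" ! -user "$owner" \
            -exec echo "FINDING: wrong owner:" {} \;
        # Group- or world-writable entries let users change or replace policy.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec echo "FINDING: group/world-writable:" {} \;
        # Read access is required: files must be readable, and directories
        # readable and searchable, by the users running the programs.
        find "$dir" -type f ! -perm -004 \
            -exec echo "FINDING: not world-readable:" {} \;
        find "$dir" -type d ! -perm -005 \
            -exec echo "FINDING: not world-traversable:" {} \;
        # A symlink can point policy at a location a user controls.
        find "$dir" -type l \
            -exec echo "FINDING: symlink:" {} \;
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $dir is owned by $owner, not writable by others, and readable"
    return 0
}
```

Run `audit_policy_dir` with no arguments as root on a target computer after distributing the template files; a non-zero status means the lock-down can be bypassed or the policy cannot be read.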

| Program | Mode | Process | Policy template file | Contains parameters for... | Notes |
|---|---|---|---|---|---|
| VNC Server | Service | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
| VNC Server | Service | User interface | vncserverui-service | Locale, file transfer, and chat. | |
| VNC Server | User | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. |
| VNC Server | User | User interface | vncserverui-user | Locale, file transfer, and chat. | |
| VNC Viewer | | | vncviewer | Performance, picture quality, usability, locale, logging and more. | |

*For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers you will need the offline license found on the Deployment page of your RealVNC account.

For VNC Server 7.x, this is the long Offline license key. If you haven't previously generated an offline license, click the Generate button.
Open the licenses/vncserver/vnc.lic policy template file in a text editor, and replace the contents with your offline license.

For VNC Server 6.x, this is a 25-character license key.
Open the licensekey policy template file in a text editor, and replace the contents with your offline license.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have subscriptions applied that do not include policy management, you can prevent VNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.