Remotely configuring, licensing and locking down RealVNC Connect using policy

Follow

Mass Deployment - Legacy.png
Mass Deployment.png

If you have a subscription that includes policy management, you can remotely configure RealVNC Viewer or RealVNC Server using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. Programs controlled by policy are locked down and cannot be changed by users.

To get started:

  1. Download policy template files containing policy settings corresponding to parameters. You can find the RealVNC Viewer template files here and the RealVNC Server template files here.
  2. Import policy template files to a domain controller for use in Group Policy Management Editor (Windows), or edit the policy template files directly (macOS/Linux) in order to set parameters to particular values.
  3. Deploy policy template files using Group Policy (Windows), or distribute to target computers (macOS/Linux).
  4. Set permissions to ensure policy Registry keys (Windows) or directories (macOS/Linux) cannot be modified by users (read access is required).

Note you can also use policy to:

  • License RealVNC Server and RealVNC Viewer
  • Disable RealVNC Server on computers licensed with a subscription that doesn't include policy management.

For more information, see the appropriate platform-specific section below for Windows, macOS or Linux. For more information on RealVNC Server modes, click here.

Setting up policy under Windows

We support Windows policy configuration using both Group Policy and Microsoft Intune.

For more information about Group Policy please see here: Configuring and Licensing RealVNC Connect for Windows using Group Policy

For more information about Microsoft Intune please see here: Configuring and Licensing RealVNC Connect for Windows using Intune

Setting up policy under Linux

To remotely configure and lock down a RealVNC Connect program:

  1. Download policy template files containing policy settings corresponding to parameters. You can find the RealVNC Viewer template files here and the RealVNC Server template files here.
  2. Consult the table below to see which policy template file(s) to edit for a program.

  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the RealVNC Viewer and RealVNC Server parameter documentation. To construct an access control list in the correct format for the RealVNC Server Permissions parameter, use the VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

Program Mode Process Policy template file Contains parameters for... Notes
RealVNC Server Service core vncserver-x11 Connectivity, security, locale, performance, logging, and more. Controls these aspects of User Mode as well.
User interface vncserverui-service Locale, file transfer, and chat.  
User core vncserver-x11 Connectivity, security, locale, performance, logging, and more. Controls these aspects of Service Mode as well.
User interface vncserverui-user Locale, file transfer, and chat.  
Virtual core Xvnc Connectivity, security, locale, performance, logging, and more.  
User interface vncserverui-virtual Locale, file transfer, and chat.  
Daemon vncserver-virtuald Connectivity, security, logging. Performance controlled per-user by Xvnc.
RealVNC Viewer     vncviewer Performance, picture quality, useability, locale, logging and more.  

*For RealVNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing RealVNC Server

To license RealVNC Server on target computers you will need the offline license found on the Device Access > Deployment page of your RealVNC account.

For RealVNC Server 7.x, this is the long Offline license key.
Open the licenses/vncserver/vnc.lic policy template file in a text editor, and replace the contents with your offline license.

For RealVNC Server 6.x, this is a 25 character license key.
Open the licensekey policy template file in a text editor, and replace the contents with your offline license.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have subscriptions applied that do not include policy management, you can prevent RealVNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Setting up policy under macOS

To remotely configure and lock down a RealVNC Connect program:

  1. Download policy template files containing policy settings corresponding to parameters. You can find the RealVNC Viewer template files here and the RealVNC Server template files here.
  2. Consult the table below to see which policy template file(s) to edit for a program.
  3. Uncomment the parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the consult the RealVNC Viewer and RealVNC Server parameter documentation. To construct an access control list in the correct format for the RealVNC Server Permissions parameter, use the VNC Permissions Creator.

    *If you do not uncomment a parameter, it will not be controlled by policy and users will be able to change that aspect of the program’s behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.

  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

Program Mode Process Policy template file Contains parameters for... Notes
RealVNC Server Service core vncserver Connectivity, security, locale, performance, logging, and more. Controls these aspects of User Mode as well.
User interface vncserverui-service Locale, file transfer, and chat.  
User core vncserver Connectivity, security, locale, performance, logging, and more. Controls these aspects of Service Mode as well.
User interface vncserverui-user Locale, file transfer, and chat.  
RealVNC Viewer     vncviewer Performance, picture quality, useability, locale, logging and more.  

*For RealVNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing RealVNC Server

To license RealVNC Server on target computers you will need the offline license found on the Device Access > Deployment page of your RealVNC account.

For RealVNC Server 7.x, this is the long Offline license key.
Open the licenses/vncserver/vnc.lic policy template file in a text editor, and replace the contents with your offline license.

For RealVNC Server 6.x, this is a 25 character license key.
Open the licensekey policy template file in a text editor, and replace the contents with your offline license.

*Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-subscription deployments

If some target computers have subscriptions applied that do not include policy management, you can prevent RealVNC Server running on these computers while policy is in force:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.
Was this article helpful?
6 out of 10 found this helpful

Comments

0 comments

Article is closed for comments.