Configuring and locking down VNC using policy

You can remotely configure VNC applications using policy and then provision target computers using a suitable mechanism, for example Group Policy under Windows. VNC applications controlled by policy are locked down and cannot be changed by users.

To get started:

  1. Download policy template files containing policy settings corresponding to VNC parameters.
  2. Edit policy template files in order to set VNC parameters to particular values.
  3. Deploy policy template files using Group Policy (Windows), or distribute to target computers (other platforms).
  4. Set permissions to ensure policy Registry keys (Windows) or directories (other platforms) cannot be accessed by users.

Note you can also use policy to:

For more information, see the appropriate platform-specific section below for Windows, UNIX or Mac OS X. For more information on VNC Server modes, click here.

Setting up Group Policy under Windows

To remotely configure and lock down a VNC application:

  1. Download the appropriate policy template file archive for the operating system of target computers:
    • For Windows NT, 2000, XP, and Server 2003 computers, download the ADM format archive. Extract the files to C:\Windows\inf in order to load into Group Policy Object Editor (or equivalent snap-in).
    • For all modern Windows computers, download the ADMX + ADML format archive. Extract the hierarchy of files to C:\Windows\PolicyDefinitions in order to load into Group Policy Management Editor (or equivalent application).
  2. Consult the table below to see which policy template file(s) to edit for a VNC application.
  3. Expand the appropriate policy template file(s) and edit policy settings corresponding to the VNC parameters you want to control:
    • Choose Enabled to set a boolean VNC parameter to TRUE.
    • Choose Disabled to set a boolean VNC parameter to FALSE.
    • Choose Enabled and specify a value to set a non-boolean VNC parameter. For a list of allowed values, consult the documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use this utility.

    Note: If a policy setting retains the default state of Not Configured, the corresponding VNC parameter will not be controlled by policy and users will be able to change that aspect of the application's behavior.

  4. Deploy policy template file(s) to target computers using a suitable mechanism, for example a Group Policy Object.
  5. Check permissions on target computers to deter unauthorized access to policy Registry keys:
    • HKEY_LOCAL_MACHINE\Policies\RealVNC for the Computer Configuration policy template file (VNC Server in Service Mode).
    • HKEY_CURRENT_USER\Policies\RealVNC for all User Configuration policy template files (for each user account running VNC applications).

Note that in the Area column of the following table:

  • CC refers to Computer Configuration > Administrative Templates > RealVNC in an application such as GPME.
  • UC refers to User Configuration > Administrative Templates > RealVNC.

| Application | Mode | Process | Area | Policy template file | Contains VNC parameters for... |
|---|---|---|---|---|---|
| VNC Server | Service | core | CC | VNC Server > Service Mode | Connectivity, security, locale, performance, logging and more. |
| VNC Server | Service | User interface | UC | VNC Server > Service Mode > User Interface | Locale, file transfer, and chat. |
| VNC Server | User | core | UC | VNC Server > User Mode | Connectivity, security, locale, performance, logging and more. |
| VNC Server | User | User interface | UC | VNC Server > User Mode > User Interface | Locale, file transfer, and chat. |
| VNC Viewer | | | UC | VNC Viewer | Performance, picture quality, useability, locale, logging, and more. |
| VNC Address Book | | | UC | VNC Address Book | Various. |

Note: For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Expand the CC > Licensing policy template file.
  2. Edit the License Key Code policy setting.
  3. Choose Enabled, and specify your license key as the value in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Note: Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-license deployments

To disable VNC Server with a Personal or a Free license on target computers:

  1. Expand the CC > Restrictions policy template file.
  2. Edit the Disable VNC Server if the license key does not support group policy setting.
  3. Choose Enabled.

Note: If VNC Server with a Personal or a Free license is allowed to run on a particular computer, policy will not be respected and the application will be configurable by users.

Setting up policy under UNIX

To remotely configure and lock down a VNC application:

  1. Download the appropriate policy template file archive.
  2. Consult the table below to see which policy template file(s) to edit for a VNC application.
  3. Uncomment the VNC parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use this utility.

    Note: If you do not uncomment a VNC parameter, it will not be controlled by policy and users will be able to change that aspect of the application's behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.
  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

| Application | Mode | Process | Policy template file | Contains VNC parameters for... | Notes |
|---|---|---|---|---|---|
| VNC Server | Service | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
| VNC Server | Service | User interface | vncserverui-service | Locale, file transfer, and chat. | |
| VNC Server | Service | Daemon | vncserver-x11-serviced | Various for the daemon process. | |
| VNC Server | User | core | vncserver-x11 | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. |
| VNC Server | User | User interface | vncserverui-user | Locale, file transfer, and chat. | |
| VNC Server | Virtual | core | Xvnc | Connectivity, security, locale, performance, logging, and more. | |
| VNC Server | Virtual | User interface | vncserverui-virtual | Locale, file transfer, and chat. | |
| VNC Server Virtual Daemon | | | vncserver-virtuald | Connectivity, security, logging. | Performance controlled per-user by Xvnc. |
| VNC Viewer | | | vncviewer | Performance, picture quality, useability, locale, logging and more. | |
| VNC Address Book | | | vncaddrbook | Various. | |

Note: For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Open the licensekey policy template file in a text editor.
  2. Enter your RealVNC™ license key code in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Note: Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-license deployments

To disable VNC Server with a Personal or a Free license on target computers:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Note: If VNC Server with a Personal or a Free license is allowed to run on a particular computer, policy will not be respected and the application will be configurable by users.
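
The following is an added example, not RealVNC tooling, of the ownership and permission check on the /etc/vnc/policy.d directory, together with a check that BlockNonPolicyServers is set in the restrictions file. It assumes policy template files use # for comments and Name=value lines; the function names audit_policy_dir and policy_param are hypothetical.

```shell
#!/bin/sh
# Added example: audit a VNC policy directory after deployment.

# audit_policy_dir DIR [OWNER]
# Prints one finding per line and returns 1 if there are any.
# OWNER defaults to root; pass another user only when testing on a copy.
audit_policy_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        printf 'MISSING %s\n' "$dir"
        return 1
    fi
    # Three passes: wrong owner, group/world-writable, symlinks
    # (a symlink lets whoever controls its target control the policy).
    findings=$(
        find "$dir" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        find "$dir" -type l -exec printf 'SYMLINK %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# policy_param FILE NAME
# Prints the value of an uncommented NAME=value line (assumed syntax).
# Commented-out lines do not match, so an empty result means the
# parameter is not under policy control in this file. If NAME appears
# more than once, the last occurrence is reported.
policy_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Typical use on a target computer (run as root):
#   audit_policy_dir /etc/vnc/policy.d
#   [ "$(policy_param /etc/vnc/policy.d/restrictions BlockNonPolicyServers)" = 1 ]
```

The same checks apply under Mac OS X, which uses the same /etc/vnc/policy.d directory.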

Setting up policy under Mac OS X

To remotely configure and lock down a VNC application:

  1. Download the appropriate policy template file archive.
  2. Consult the table below to see which policy template file(s) to edit for each VNC application.
  3. Uncomment the VNC parameters you want to set, and specify appropriate values. For a list of allowed values for non-boolean parameters, consult the documentation. To construct an access control list in the correct format for the VNC Server Permissions parameter, use this utility.

    Note: If you do not uncomment a VNC parameter, it will not be controlled by policy and users will be able to change that aspect of the application's behavior.

  4. Distribute policy template files to the /etc/vnc/policy.d directory of target computers.
  5. Check ownership and permissions on the /etc/vnc/policy.d directory to deter unauthorized access.

| Application | Mode | Process | Policy template file | Contains VNC parameters for... | Notes |
|---|---|---|---|---|---|
| VNC Server | Service | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of User Mode as well. |
| VNC Server | Service | User interface | vncserverui-service | Locale, file transfer, and chat. | |
| VNC Server | User | core | vncserver | Connectivity, security, locale, performance, logging, and more. | Controls these aspects of Service Mode as well. |
| VNC Server | User | User interface | vncserverui-user | Locale, file transfer, and chat. | |
| VNC Viewer | | | vncviewer | Performance, picture quality, useability, locale, logging and more. | |

Note: For VNC Server, locale can be set in multiple locations to configure different aspects of the display language, if required.

Licensing VNC Server

To license VNC Server on target computers:

  1. Open the licensekey policy template file in a text editor.
  2. Enter your RealVNC license key code in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Note: Any license keys applied directly to a particular computer will be ignored.

Locking down mixed-license deployments

To disable VNC Server with a Personal or a Free license on target computers:

  1. Open the restrictions policy template file in a text editor.
  2. Set BlockNonPolicyServers to 1.

Note: If VNC Server with a Personal or a Free license is allowed to run on a particular computer, policy will not be respected and the application will be configurable by users.