Solution: Hello Ivan,I'm going to preface my answer by saying that the information below is based on you using a RealVNC version of VNC. As such, if you are I have been looking around regarding logging options for VNC, which seems to be the preferred remote access program for Spiceworks. Jump to In a configuration file. Both vncserver and the vnc.so module can be configured using configuration files, but the location and format of these files.
Hello Ivan,
I'm going to preface my answer by saying that the information below is based on you using a RealVNC version of VNC. As such, if you are using some other kind of open-source variant, or some kind of SW plug-in, then the instructions might be useful as a guide, but may not be exactly correct. I figured that since you hadn't received any other responses yet, this might point you in the right direction.
The short answer to your question is 'yes'. You can send logs from several VNC Servers to a central place (for example a dedicated file server somewhere) using standard Windows variables, for example:
LogFile= 'vnclogvnc${COMPUTERNAME}vncserver.log'
You will also need to set the Log parameter in the expert tab to Connections:file:30
(depending on what VNC Server you are using, the 'Log' and 'LogFile' parameters may or may not exist and may be in a different locations in the VNC Server settings).
Further to this:
Centralized Windows event logs are not actually part of the VNC product. By default, as you say, connection information is logged to the local Event Viewer. If you wanted to, you could configure all Windows Event logs to go to a central location. See:
Also:
It has similar advice to the first article but hints to some other MSDN documentation.
Some other interesting links:
Ensure you have the following line set in the VNC Server > Options > Advanced > Expert tab > Log parameter:
Connections:EventLog:30
So basically, two options:
1) have all event logs centralised - this is a Windows configuration
2) have VNC server logs centralised - this is a VNC configuration
2) have VNC server logs centralised - this is a VNC configuration
Hope this helps. Let me know if you have any questions.
Edited Jun 3, 2015 at 09:53 UTC Learning has never been so easy!
You can remotely configure VNC with an Enterprise license using policy, and then provision target Windows, Mac or Linux computers using a suitable mechanism such as Group Policy under Windows. VNC applications controlled by policy are locked down and cannot be changed by users.
VNC is controlled using VNC parameters; all of these can be remotely configured and locked down. The full list of VNC parameters can be accessed here: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/
8 Steps total
Step 1: Remotely configuring and locking down Windows computers (1/4)
These steps will show you how to use Microsoft Group Policy tools to remotely configure and lock down Windows computers.
Begin by downloading the Windows policy template files (https://www.realvnc.com/download/deployment/policy/windows/). Extract these into one of the following directories, depending on your version of Windows:
• For Windows NT, 2000, XP, and Server 2003 computers, extract the ADM files to C:Windowsinf in order to load into Group Policy Object Editor (or equivalent snap-in).
• For modern Windows computers (as per the screenshot above), extract the ADMX + ADML hierarchy of files to C:WindowsPolicyDefinitions in order to load into Group Policy Management Editor (or equivalent application).
• For modern Windows computers (as per the screenshot above), extract the ADMX + ADML hierarchy of files to C:WindowsPolicyDefinitions in order to load into Group Policy Management Editor (or equivalent application).
Step 2: Remotely configuring and locking down Windows computers (2/4)
The table in the screenshot above shows the policy template file(s) that correspond with each VNC application (the full table - with clickable 'more' links - is available here under the 'Setting up Group Policy under Windows' heading: https://www.realvnc.com/products/vnc/deployment/policy/#windows).
The ‘Area’ column represents either User Configuration > Administrative Templates > RealVNC (referred to as UC), or Computer Configuration > Administrative Templates > RealVNC (referred to as CC). The ‘Mode’ column shows whether the policy template file affects VNC Server in Service Mode or User Mode.
For example, if you want to remotely configure and lock down VNC parameters relating to the connectivity of VNC Server in User Mode, you should expand User Configuration > Administrative Templates > RealVNC > VNC Server > User Mode.
Step 3: Remotely configuring and locking down Windows computers (3/4)
Microsoft Group Policy has three states for policy settings: Disabled, Enabled, and Not Configured. These map to VNC parameters in the following ways:
![File File](/uploads/1/2/6/4/126499347/807240224.png)
• To set a boolean VNC parameter to False, choose Disabled.
• To set a boolean VNC parameter to True, choose Enabled.
• To configure a non-boolean VNC parameter, choose Enabled and edit the Value box. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
• To set a boolean VNC parameter to True, choose Enabled.
• To configure a non-boolean VNC parameter, choose Enabled and edit the Value box. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
Note that leaving a policy setting's default state of Not Configured (or changing a non-boolean VNC parameter's state to Disabled) will allow a user to configure that parameter.
Additionally, you can remotely license VNC Server by expanding the CC > Licensing policy template file and editing the License Key Code policy setting. Choose Enabled, then enter your license key into the Value box in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.
Step 4: Remotely configuring and locking down Windows computers (4/4)
When you have configured your policy template files, you can provision target computers using a suitable mechanism such as a Group Policy Object (GPO).
You should also lock down the following registry keys to prevent users making changes to policy locally:
• HKEY_LOCAL_MACHINEPoliciesRealVNC for the Computer Configuration policy template file (VNC Server in Service Mode).
• HKEY_CURRENT_USERPoliciesRealVNC for all User Configuration policy template files (for each user account running VNC applications).
• HKEY_CURRENT_USERPoliciesRealVNC for all User Configuration policy template files (for each user account running VNC applications).
For instructions on how to deploy VNC using Group Policy, you can read our previous How-to here: https://community.spiceworks.com/how_to/119937-deploying-realvnc-software-msis-using-group-policy.
Step 5: Remotely configuring and locking down Linux/UNIX computers (1/2)
Begin by downloading the Linux/UNIX policy template files (https://www.realvnc.com/download/deployment/policy/) and extracting them to a directory of your choice.
The table in the screenshot above shows the policy template file(s) that correspond with each VNC application. For example, to configure VNC parameters relating to connectivity for VNC Server in Service Mode, edit the vncserver-x11 file.
The full table - with clickable 'more' links - is available here: https://www.realvnc.com/products/vnc/deployment/policy/#unix.
Step 6: Remotely configuring and locking down Linux/UNIX computers (2/2)
Open each policy template file you wish to edit in a text editor. To lock down a VNC parameter, locate it in the text file and uncomment it. Note that any VNC parameters you leave commented out will be configurable by users.
You can lock down a VNC parameter in the following ways:
•To set a boolean VNC parameter to False, change its value to 0.
•To set a boolean VNC parameter to True, change its value to 1.
•To configure a non-boolean VNC parameter, enter an allowed value. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
•To set a boolean VNC parameter to True, change its value to 1.
•To configure a non-boolean VNC parameter, enter an allowed value. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
In the screenshot above, users will *not* be able to configure the ringed AcceptCutText, AllowHttp and AuthTimeout VNC parameters (they will still be able to configure the other VNC parameters, as they remain commented out).
Additionally, you can remotely license VNC Server by opening the licensekey file and entering your license key in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.
Once your policy template files are edited, provision the /etc/vnc/policy.d directory of target computers. It is also recommended you update users' permissions so they cannot access this directory. Otherwise, they may be able to bypass policy by editing the policy template files locally.
Step 7: Remotely configuring and locking down Mac OS X Computers (1/2)
Begin by downloading the Mac OS X policy template files (https://www.realvnc.com/download/deployment/policy/macosx/) and extracting them to a directory of your choice.
The table in the screenshot above shows the policy template file(s) that correspond with each VNC application. For example, to configure VNC parameters relating to connectivity for VNC Server in Service Mode, edit the vncserver file.
The full table - with clickable 'more' links - is available here: https://www.realvnc.com/products/vnc/deployment/policy/#mac.
Step 8: Remotely configuring and locking down Mac OS X Computers (2/2)
Open each policy template file you wish to edit in a text editor. To lock down a VNC parameter, locate it in the text file and uncomment it. Note that any VNC parameters you leave commented out will be configurable by users.
![Options Options](https://symwisedownload.symantec.com/library/SYMWISE/ENTERPRISE/Brycen%20Medart/Remote%20Screen%20Sharing/remotetools.png?__gda__=1578489422_9d5882ff525bf73a908f062fb234324b)
You can lock down a VNC parameter in the following ways:
•To set a boolean VNC parameter to False, change its value to 0.
•To set a boolean VNC parameter to True, change its value to 1.
•To configure a non-boolean VNC parameter, enter an allowed value. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
•To set a boolean VNC parameter to True, change its value to 1.
•To configure a non-boolean VNC parameter, enter an allowed value. Select a VNC parameter from this page to see its allowed values: https://www.realvnc.com/products/vnc/documentation/5.2/parameters/.
In the screenshot above, users will *not* be able to configure the circled AutoSelectLossy, ColorLevel and Emulate3 VNC parameters (they will still be able to configure the other VNC parameters, as they remain commented out).
Additionally, you can remotely license VNC Server by opening the licensekey file and entering your license key in the following format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX.
Once your policy template files are edited, provision the /etc/vnc/policy.d directory of target computers. It is also recommended you update users' permissions to stop them accessing this directory. Otherwise, they may be able to bypass your restrictions by editing the policy template files locally.
Published: Sep 18, 2015 · Last Updated: Sep 22, 2015
3 Comments
- DatilBrit Hefty Sep 22, 2015 at 12:13amI had no idea that RealVNC had a GP module. I had previously just done it by registry and copying values. Great how-to, I'll see if I can put it into practice after spiceworld.
- ChipotleJoe (RealVNC) Sep 22, 2015 at 05:50amThanks Brit.Swing by and see us at the stand in Austin.
- Pimientoboedillard Nov 15, 2017 at 08:10pmWould love a policy to INSTALL VNC. I have the msi - I've tried a couple of MSTs but it doesn't install.