# Policy settings for VNC Server: Virtual mode
# Version 7.16.0 (r14)

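# Uncomment a policy setting and edit the default value to set it.
# Several settings below hold credentials (encoded passwords, the RADIUS
# secret, Duo and proxy credentials). Once any of them is set, restrict read
# access to this file to the administrators who deploy policy.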

# Allow connected users to paste clipboard text on this device.
# 
#AcceptCutText=1

# Allow connected users to control this device using the keyboard.
# 
#AcceptKeyEvents=1

# Allow connected users to control this device using the mouse.
# 
#AcceptPointerEvents=1

# Binary encoding of password for "Admin" user when using VNC Password 
# authentication.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#AdminPassword=

# If printing is enabled, change this computer's default printer to the local 
# printer of the first connected user.
# 
#AllowChangeDefaultPrinter=1

# Allow cloud connections to relay data via RealVNC services, when 
# peer-to-peer connectivity is not possible (cloud connections are end-to-end 
# encrypted, and the keys never leave your device, so RealVNC is never able to 
# read relayed data).
# 
#AllowCloudRelay=1

# RealVNC Server in Service Mode only. Allow cloud connections via RealVNC 
# services.
# 
#AllowCloudRfb=1

# RealVNC Server in Virtual Mode only. Change the display resolution if 
# requested by a connected user.
# 
#AllowDynamicResolution=1

# Serve resources such as VNC Viewer for Java to web browser users.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#AllowHttp=1

# Allow direct VNC connections over TCP/UDP.
# 
#AllowIpListenRfb=1

# Allow direct VNC connections over TCP.
#
# DEPRECATED in favor of AllowIpListenRfb.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#AllowTcpListenRfb=1

# Whether to alter the Shift key state when modifiers such as Ctrl and Alt are 
# pressed
# 
#AlterShiftWithMods=1

# Determine whether multiple simultaneous connected users are allowed, in 
# conjunction with NeverShared and the connecting user's preference.
# 
#AlwaysShared=0

# Enable Audio
# 
#AudioEnable=1

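# The authentication scheme(s) to offer for incoming connections (SingleSignOn
# | SystemAuth | VncAuth | Certificate | Radius | InteractiveSystemAuth), or
# None to turn off password protection (direct connections only, and not
# recommended). With None, a device that can reach the listening port is not
# asked for credentials; the only remaining gates are settings such as
# IpClientAddresses, localhost and QueryConnect.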
# 
#Authentication=SystemAuth

# The number of seconds to give connecting users time to authenticate.
# 
#AuthTimeout=900

# The number of unsuccessful authentication attempts that can be made before a 
# particular connecting device is blacklisted for a timeout period.
# 
#BlacklistThreshold=5

# The initial number of seconds during which connections from a blacklisted 
# device are rejected before the connecting user can attempt to authenticate 
# again.
# 
#BlacklistTimeout=10

# Allow inbound guest connections to this device via Code Connect.
# 
#CodeConnectInboundEnable=1

# Perform pixel comparison on framebuffer to reduce unnecessary updates.
# 
#CompareFB=1

# Specify True to display the name of the connected user throughout the 
# session, or the most recently connected if more than one.
# 
#ConnNotifyAlways=0

# The style of connection and disconnection notification messages. Specify a 
# comma-separated list of zero or more of 
# Movable,Closable,Minimizable,NoSystem.
# 
#ConnNotifyStyle=

# The number of seconds to display connection and disconnection notification 
# messages for, or 0 to disable notifications.
# 
#ConnNotifyTimeout=4

# The maximum number of seconds a connection may last, or 0 for no timeout.
# 
#ConnTimeout=0

# A name for the desktop to display to connected users.
# 
#Desktop=$HOSTNAME:$DISPLAYNUM ($USER)

# Disable the Connect to Listening RealVNC Viewer option on the shortcut menu.
# 
#DisableAddNewClient=0

# Disable the Stop RealVNC Server option on the shortcut menu.
# 
#DisableClose=0

# Prevent connected users from transferring files while this computer's 
# desktop is locked.
# 
#DisableFileTransferAtLockScreen=0

# Disable the Options option on the shortcut menu. Note that if you do this 
# you will need to manually edit the appropriate Registry key (Windows) or VNC 
# configuration file (other platforms) in order to access the Options dialog 
# again.
# 
#DisableOptions=0

# Specify 1 to hide the icon in the notification area when no users are 
# connected.
# 
#DisableTrayIcon=0

# When only one connected user at a time is allowed, determine whether that is 
# the first (False) or last (True) connected user.
# 
#DisconnectClients=1

# Value to classify network traffic to provide Quality of Service.
# 
#Dscp=0

# Configuration for the Duo authentication API, a URI of the form
# https://<integration-key>:<secret-key>@<api-hostname>
# The URI embeds the integration's secret key, so treat the whole value as a
# credential.
# 
#DuoCredentials=

# Whether to list all methods for all devices (AllDevices), or the best device 
# for each method (BestDevice)
# 
#DuoDeviceChoice=BestDevice

# Maximum resolution that the display can be dynamically set to.
# 
#DynamicResolutionMaxSize=

# Send usage data to help improve RealVNC products.
# 
#EnableAnalytics=0

# Allow automatic checks for critical software patches and product updates 
# (1), do not allow automatic checks (0), or let the user decide when the user 
# interface first appears (2).
# 
#EnableAutoUpdateChecks=1

# Allow connected users to chat.
# 
#EnableChat=1

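# Disable the Check for updates option on the shortcut menu.
# NOTE(review): this description reads as the inverse of the parameter name
# (EnableManualUpdateChecks, default 1); presumably 0 removes the option and 1
# keeps it. Confirm the polarity before deploying.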
# 
#EnableManualUpdateChecks=1

# Allow connected users to print directly to their local printers.
# 
#EnableRemotePrinting=1

# The level of encryption to offer for incoming connections (AlwaysMaximum | 
# AlwaysOn | PreferOn | PreferOff), or AlwaysOff to turn off encryption 
# (direct connections only, and not recommended).
# 
#Encryption=AlwaysOn

# Whether to allow connected users using legacy software to connect when 
# FloorControlEnable is true (0=disallow, 1=allow view only, 2=allow to 
# control if no other user has control).
# 
#FloorControlAllowLegacyClients=1

# Enable floor control so that only one connected user has control of this 
# device at a time.
# 
#FloorControlEnable=0

# Binary encoding of password for guest access.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#GuestPassword=

# Allow guests to connect with particular permissions.
# 
#GuestPermissions=

# Filter connections by IPv4 address to allow, query, or reject particular VNC 
# Viewer computers, or + to allow connections from all.
#
# DEPRECATED in favor of IpClientAddresses.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#Hosts=+

# Directory from which to serve resources to web browser users, or <inline> to 
# serve from VNC Server.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#httpd=<inline>

# TCP/IP port on which to accept connections from web browsers.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#HttpPort=5800

# The number of seconds to wait before disconnecting idle users, or 0 to set 
# no timeout.
# 
#IdleTimeout=3600

# Binary encoding of password for "InputOnly" user when using VNC Password 
# authentication.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#InputOnlyPassword=

# Restrict connections to a particular version of the Internet Protocol only.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#InTransports=IPv6,IPv4

# Filter connections by IP address to allow, query, or reject particular 
# devices, or + to allow connections from all.
# 
#IpClientAddresses=+

# Comma-separated list of IP addresses on which to listen for TCP/UDP 
# connections, or empty to listen on all available IP addresses. Note this 
# parameter is ignored if the localhost parameter is set to True.
# 
#IpListenAddresses=

# List of protocols via which to accept direct connections (UDP, TCP)
# 
#IpListenProtocols=TCP,UDP

# The 'host' service principal name as it is registered for the computer with 
# the domain controller, for use in single sign-on authentication.
# 
#KerberosServicePrincipalName=

# The client principal name for use when authenticating to network services 
# such as LDAP.
# 
#KerberosUserPrincipalName=

# The maximum size in bytes for downloaded CRLs.
# 
#LdapCertificateCrlLimit=26214400

# Optional URL containing intermediate certificates for user public keys.  
# "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateIntermediateStore=ldap://GSSAPI@<YOUR-DC>/CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# Choose 'ActiveDirectory' to perform LDAP name mapping using 
# userPrincipalName/sAMAccountName attributes, or 'RFC2307' to use POSIX 
# uid/uidNumber attributes (which may also be enabled in Active Directory)
# 
#LdapCertificateNameMapping=ActiveDirectory

# Choose 'Enforce' to strictly check revocation for user certificates fetched 
# from LDAP (or 'EnforceOcsp' to disallow fallback to CRLs if OCSP fetching 
# fails), 'CheckIfAvailable' to allow the certificate if downloading the 
# CRL/OCSP response fails, or 'Ignore' to bypass revocation checking.
# 
#LdapCertificateRevocation=Enforce

# URL containing the trusted root certificates for authenticating user public 
# keys.  "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateTrustStore=ldap://GSSAPI@<YOUR-DC>/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# URL of the LDAP server used for authenticating user public keys, of the form
# "ldap[s]://[credentials@][host]/[search-base]". If the host or base is left
# empty, the system default will be used. Specify "GSSAPI@" for Kerberos
# authentication, "binddn:password@" for a simple bind, or no credentials for
# anonymous access. A "binddn:password@" value places the bind password in
# this file, so treat the setting as a credential when a simple bind is used.
# 
#LdapCertificateUserStore=ldap://GSSAPI@<YOUR-DC>/CN=Users,<PATH-TO-USERS>

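# Choose LDAP security when not using LDAPS: use signatures with Kerberos and
# StartTLS with simple binding (Auto), use StartTLS always (StartTLS), or no
# encryption (None). With None, a simple bind crosses the network without
# transport protection, including its bind password.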
# 
#LdapSecurity=Auto

# Locale to use. Specify one of en_US, de_DE, es_ES, fr_FR, or pt_BR, or leave 
# empty to select the user or system locale as appropriate.
# 
#Locale=

# Restrict direct VNC connections to those originating from this device.
# 
#localhost=0

# Record events in the format <log>:<target>:<level>[,...].
# 
#Log=*:stderr:10

# Directory in which to store log output directed to file.
# 
#LogDir=

# File in which to store log output directed to file.
# 
#LogFile=Xvnc.log

# The number of days to keep log files.
# 
#LogKeepDays=30

# The maximum number of simultaneous HTTP connections to allow.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#MaxHttpConns=50

# Determine whether multiple simultaneous connected users are allowed, in 
# conjunction with AlwaysShared and the connecting user's preference.
# 
#NeverShared=0

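# Do not use nonces with OCSP requests (None), or request nonces but do not
# mandate a nonce's presence (Request), or request and mandate a nonce
# (Require, most secure). A nonce ties each OCSP response to the request that
# prompted it, so an older response cannot be replayed when the nonce is
# mandated.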
# 
#OcspNonce=None

# The path to the On-Premise Console certificates file
# 
#OPCCerts=OPC.pem

# The hostname of the On-Premise Console Service
# 
#OPCHost=

# Apply account as well as authentication rules when using system
# authentication via PAM. Specify False (0) to apply just authentication rules.
# 
#PamAccountCheck=1

# Specify vncserver.custom to use a custom PAM setup for system 
# authentication, as defined in /etc/pam.d/vncserver.custom or, under older 
# systems, in /etc/pam.conf.
# 
#PamApplicationName=vncserver

# Binary encoding of the password that a connecting user must supply when 
# using VNC Password authentication.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#Password=

# A comma-separated list of permissions for connected users. Each entry in the 
# list is of the form USER_OR_GROUP:PERMISSIONS.
# 
#Permissions=

# Warn if the system is set to sleep, or is on battery power.
# 
#PowerWarn=1

# The maximum version number of the RFB protocol to support, or empty for all.
# 
#ProtocolVersion=

# The password to use to authenticate to a proxy server.
# 
#ProxyPassword=

# The URL of a proxy server, or alternatively "<system>" to use standard proxy 
# environment variables or libproxy.
# 
#ProxyServer=<system>

# The user name with which to authenticate to a proxy server.
# 
#ProxyUserName=

# Show an accept/reject prompt for every connecting user, allowing the 
# connection to be accepted, rejected, or made view-only ("attended access").
# 
#QueryConnect=0

# Message to use on query connect prompt, maximum length 4096 UTF-8 bytes. A
# very restricted form of HTML is supported. The characters &<>"' must be
# quoted as in HTML.
# 
#QueryConnectMessage=

# The number of seconds to show the accept/reject prompt for, before
# connections are automatically granted QueryTimeoutRights permissions. While
# QueryTimeoutRights is left empty, a prompt that nobody answers ends in
# rejection.
# 
#QueryConnectTimeout=10

# Offer a view-only choice in the accept/reject prompt.
# 
#QueryOfferViewOnly=1

# Only show the accept/reject prompt if there is likely to be a user present 
# to respond.
# 
#QueryOnlyIfLoggedOn=0

# Specify the permissions for connections which are not accepted or rejected 
# within QueryConnectTimeout seconds. Leave empty to reject connections.
# 
#QueryTimeoutRights=

# Stop RealVNC Server if the status dialog is closed.
# 
#QuitOnCloseStatusDialog=0

# The address to bind to for sending RADIUS requests, or empty to use the 
# default route to the RADIUS server
# 
#RadiusAddress=

# The authentication protocol to use (CHAP | PAP).  Note that CHAP is 
# potentially more secure than PAP, but requires the server to have access to 
# plaintext credentials, so PAP is more widely supported.
# 
#RadiusAuthenticationProtocol=CHAP

# The 'Network Access Server' identifier to present to the RADIUS server, 
# which identifies this RADIUS client, or empty to send the IP address as the 
# identifier instead (RadiusAddress).
# 
#RadiusNasId=vncserver

# Strip the domain/realm component from usernames when contacting the RADIUS 
# server
# 
#RadiusNormalizeUsername=0

# The interval between RADIUS request packets (in seconds)
# 
#RadiusPacketInterval=1

# The initial prompt to present to connecting users, or empty to send a blank 
# password to the RADIUS server initially
# 
#RadiusPrompt=RADIUS password:

# The number of RADIUS request packets to send
# 
#RadiusRequestPackets=4

# The secret shared between this RADIUS client and the RADIUS server.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#RadiusSecret=

# The RADIUS server to use for authentication (host/IP address with optional 
# port).  Fallback servers can be specified using a comma-separated list.
# 
#RadiusServer=

# The time spent waiting per RADIUS server; a few retries are sent, then the 
# rest of the timeout interval is spent waiting before falling back to the 
# next server.
# 
#RadiusTimeout=60

# Comma-separated list of geometries to be offered by the RANDR extension, if 
# enabled.
# 
#RandR=

# Display a continuous notification while the session is being recorded by a 
# connected user. If this is True then the RecordNotifyDuration parameter is 
# not used.
# 
#RecordNotifyAlways=0

# The number of seconds to display session recording notification messages 
# for, or 0 to disable notifications.
# 
#RecordNotifyDuration=4

# Show a prompt identifying each connected user who requests session 
# recording, enabling recording to be accepted or rejected.
# 
#RecordQuery=0

# Map or swap keyboard keys. Specify a comma-separated list of hexadecimal 
# keysyms, prefixed by 0x and separated by -> (to map) or <> (to swap).
# 
#RemapKeys=

# The security scheme(s) to offer for reverse connections, or "<auto>" to 
# determine using the Encryption and ReverseAuthentication parameters.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#ReverseSecurityTypes=<auto>

# Port on which to accept direct VNC connections.
# 
#RfbPort=5900

# Not applicable to RealVNC Server in Service Mode. Protect the system 
# credentials of connecting users from a RealVNC Server process owner who is 
# not root.
# 
#RootSecurity=0

# File containing the RSA private key.
# 
#RsaPrivateKeyFile=$VNC_PROFILE_DIR/private.key

# The security scheme(s) to offer for incoming connections, or "<auto>" to 
# determine using the Encryption and Authentication parameters.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#SecurityTypes=<auto>

# Transfer clipboard text from this device so that connected users can paste 
# it on their own devices.
# 
#SendCutText=1

# Specify 'Viewer' to use the connected user's encoding preference, or a 
# particular encoding to override it.
# 
#ServerPreferredEncoding=Viewer

# Advertise this device using Zeroconf on the local domain. Requires the
# Bonjour library (Windows, macOS) or Avahi (Linux).
# 
#ServiceDiscoveryEnabled=1

# Allow connected users to record sessions.
# 
#SessionRecordEnable=1

# Allow connected users to transfer files.
# 
#ShareFiles=1

# Facility for the 'syslog' log destination to use, as an integer or name. 
# Supported names: user, daemon, auth, authpriv (if available), security (if 
# available), local0..local7
# 
#SyslogFacility=user

# Comma-separated list of IP addresses on which to listen for TCP connections, 
# or empty to listen on all available IP addresses. Note this parameter is 
# ignored if the localhost parameter is set to True.
#
# DEPRECATED in favor of IpListenAddresses.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#TcpListenAddresses=

# The security strength to enforce when making TLS connections. For 'Normal', 
# TLS 1.2 is mandated, no broken fallback ciphers are allowed, and key 
# strength is checked for security (no SHA-1 or small keys). Selecting 'High' 
# limits cipher choices to AES-256 with no legacy ciphers.
# 
#TlsProfile=Normal

# The number of days to leave between automatic checks for critical software 
# patches or product updates.
# 
#UpdateCheckFrequencyDays=1

# Discover screen updates by polling (0), using the DAMAGE extension if 
# enabled and responsive (1), or always using DAMAGE if enabled (2).
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#UpdateMethod=1

# Use legacy file transfer
# 
#UseLegacyFileTransfer=0

# The authentication scheme to use.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#UserPasswdVerifier=UnixAuth

# Binary encoding of password for "ViewOnly" user when using VNC Password 
# authentication.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#ViewOnlyPassword=

