# Policy settings for VNC Server: Virtual mode using SystemXorg
# Version 7.9.0 (r51979)

# Uncomment a policy setting and edit the default value to set it.

# Allow connected VNC Viewer users to paste text to this computer.
# 
#AcceptCutText=1

# Allow connected VNC Viewer users to control this computer using their 
# keyboards.
# 
#AcceptKeyEvents=1

# Allow connected VNC Viewer users to control this computer using their mice.
# 
#AcceptPointerEvents=1

# Binary encoding of password for admin user.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#AdminPassword=

# If printing is enabled, change this computer's default printer to the local 
# printer of the first VNC Viewer user who connects.
# 
#AllowChangeDefaultPrinter=1

# Allow cloud connections to relay data via RealVNC services, when 
# peer-to-peer connectivity is not possible (VNC connections are end-to-end 
# encrypted, and the keys never leave your device, so RealVNC is never able to 
# read relayed data).
# 
#AllowCloudRelay=1

# RealVNC Server in Service Mode only. Allow cloud connections via RealVNC 
# services.
# 
#AllowCloudRfb=1

# Allow VNC Viewer to change the resolution of the VNC Server
# 
#AllowDynamicResolution=1

# Allow direct VNC connections over TCP/UDP.
# 
#AllowIpListenRfb=1

# Determine whether multiple VNC Viewer users can be connected at the same 
# time, in conjunction with NeverShared.
# 
#AlwaysShared=0

# Enable Audio
# 
#AudioEnable=1

# The authentication scheme(s) to offer for incoming connections (SingleSignOn 
# | SystemAuth | VncAuth | Certificate | Radius | InteractiveSystemAuth), or 
# None to turn off password protection (direct connections only, and not 
# recommended).
# 
#Authentication=SystemAuth

# The number of seconds to give connecting VNC Viewer users time to 
# authenticate.
# 
#AuthTimeout=900

# The number of unsuccessful authentication attempts that can be made before a 
# particular connecting computer is blacklisted for a timeout period.
# 
#BlacklistThreshold=5

# The initial number of seconds during which connections from a blacklisted 
# computer are rejected before the connecting user can attempt to authenticate 
# again.
# 
#BlacklistTimeout=10

# Capture screen updates using the optimal method (0), by polling (1), or by 
# forcing use of the DAMAGE extension (2). The optimal method uses DAMAGE if 
# it is enabled and responsive.
# 
#CaptureMethod=0

# Capture technology to use (x11, raspi), blank to choose automatically
# 
#CaptureTech=

# Perform pixel comparison on framebuffer to reduce unnecessary updates.
# 
#CompareFB=1

# Specify True to display the name of the connected user throughout the 
# session, or the most recently connected if more than one.
# 
#ConnNotifyAlways=0

# The number of seconds to display connection and disconnection notification 
# messages for, or 0 to disable notifications.
# 
#ConnNotifyTimeout=4

# The maximum number of seconds a connection may last, or 0 for no timeout.
# 
#ConnTimeout=0

# A name for the desktop to display to connected VNC Viewer users.
# 
#Desktop=$HOSTNAME$DPY

# Disable the Connect to Listening VNC Viewer option on the shortcut menu.
# 
#DisableAddNewClient=0

# Disable the Stop VNC Server option on the shortcut menu.
# 
#DisableClose=0

# Disable the Options option on the shortcut menu. Note that if you do this 
# you will need to manually edit the appropriate Registry key (Windows) or VNC 
# configuration file (other platforms) in order to access the Options dialog 
# again.
# 
#DisableOptions=0

# Specify 1 to hide the VNC Server icon in the notification area when no VNC 
# Viewer users are connected.
# 
#DisableTrayIcon=0

# Determine whether multiple VNC Viewer users can be connected at the same 
# time, in conjunction with AlwaysShared, NeverShared, and VNC Viewer.
# 
#DisconnectClients=1

# The X display and optionally screen number to remote to connected VNC Viewer 
# users, for example :1.0, or empty to remote the value of the DISPLAY 
# environment variable.
# 
#display=

# Value to classify network traffic to provide Quality of Service.
# 
#Dscp=0

# Configuration for the Duo authentication API, a URI of the form 
# https://<integration-key>:<secret-key>@<api-hostname>
# The URI embeds the Duo secret key, so restrict read access to this file.
# 
#DuoCredentials=

# Whether to list all methods for all devices (AllDevices), or the best device 
# for each method (BestDevice)
# 
#DuoDeviceChoice=BestDevice

# Send usage data to help improve RealVNC products.
# 
#EnableAnalytics=0

# Allow automatic checks for critical software patches and product updates 
# (1), do not allow automatic checks (0), or let the user decide when the VNC 
# Server user interface first appears (2).
# 
#EnableAutoUpdateChecks=1

# Allow connected VNC Viewer users to chat.
# 
#EnableChat=1

# Show the Check for updates option on the shortcut menu. Specify 0 to 
# disable it.
# 
#EnableManualUpdateChecks=1

# Allow connected VNC Viewer users to print directly to their local printers.
# 
#EnableRemotePrinting=1

# Allow connected VNC Viewer users to record sessions.
# 
#EnableScreenRecording=1

# The level of encryption to offer for incoming connections (AlwaysMaximum | 
# AlwaysOn | PreferOn | PreferOff), or AlwaysOff to turn off encryption 
# (direct connections only, and not recommended).
# 
#Encryption=AlwaysOn

# Binary encoding of password for guest access.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#GuestPassword=

# Allow guests to connect with particular permissions.
# 
#GuestPermissions=

# The number of seconds to wait before disconnecting idle VNC Viewer users, or 
# 0 to set no timeout.
# 
#IdleTimeout=3600

# Binary encoding of password for input-only user.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#InputOnlyPassword=

# Filter connections by IP address to allow, query, or reject particular VNC 
# Viewer computers, or + to allow connections from all.
# 
#IpClientAddresses=+

# Comma-separated list of IP addresses on which to listen for TCP/UDP 
# connections, or empty to listen on all available IP addresses. Note this 
# parameter is ignored if the localhost parameter is set to True.
# 
#IpListenAddresses=

# List of protocols via which to accept direct connections (UDP, TCP)
# 
#IpListenProtocols=TCP,UDP

# The 'host' service principal name as it is registered for the computer with 
# the domain controller, for use in single sign-on authentication.
# 
#KerberosServicePrincipalName=

# The client principal name for use when authenticating to network services 
# such as LDAP.
# 
#KerberosUserPrincipalName=

# The maximum size in bytes for downloaded CRLs.
# 
#LdapCertificateCrlLimit=26214400

# Optional URL containing intermediate certificates for user public keys.  
# "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateIntermediateStore=ldap://GSSAPI@<YOUR-DC>/CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# Choose 'ActiveDirectory' to perform LDAP name mapping using 
# userPrincipalName/sAMAccountName attributes, or 'RFC2307' to use POSIX 
# uid/uidNumber attributes (which may also be enabled in Active Directory)
# 
#LdapCertificateNameMapping=ActiveDirectory

# Choose 'Enforce' to strictly check revocation for user certificates fetched 
# from LDAP (or 'EnforceOcsp' to disallow fallback to CRLs if OCSP fetching 
# fails), 'CheckIfAvailable' to allow the certificate if downloading the 
# CRL/OCSP response fails, or 'Ignore' to bypass revocation checking.
# 
#LdapCertificateRevocation=Enforce

# URL containing the trusted root certificates for authenticating user public 
# keys.  "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateTrustStore=ldap://GSSAPI@<YOUR-DC>/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# URL of the LDAP server used for authenticating user public keys, of the form 
# "ldap[s]://[credentials@][host]/[search-base]".  If the host or base is left 
# empty, the system default will be used.  Specify "GSSAPI@" for Kerberos 
# authentication, "binddn:password@" for a simple bind, or no credentials for 
# anonymous access.
# 
#LdapCertificateUserStore=ldap://GSSAPI@<YOUR-DC>/CN=Users,<PATH-TO-USERS>

# Choose LDAP security when not using LDAPS: use signatures with Kerberos and 
# StartTLS with simple binding (Auto), use StartTLS always (StartTLS), or no 
# encryption (None)
# 
#LdapSecurity=Auto

# Locale to use. Specify one of en_US, de_DE, es_ES, fr_FR, or pt_BR, or leave 
# empty to select the user or system locale as appropriate.
# 
#Locale=

# Restrict direct VNC connections to those originating from this computer.
# 
#localhost=0

# Record events in the format <log>:<target>:<level>[,...].
# 
#Log=*:stderr:10

# Directory in which to store log output directed to file.
# 
#LogDir=

# File in which to store log output directed to file.
# 
#LogFile=vncserver-x11-virtual.log

# The name of the monitor to remote to connected VNC Viewer users, or empty to 
# remote all monitors.
# 
#Monitor=

# Determine whether multiple VNC Viewer users can be connected at the same 
# time, in conjunction with AlwaysShared and DisconnectClients.
# 
#NeverShared=0

# Do not use nonces with OCSP requests (None), or request nonces but do not 
# mandate a nonce's presence (Request), or request and mandate a nonce 
# (Require, most secure).
# 
#OcspNonce=None

# Apply account as well as authentication rules when using system 
# authentication via PAM. Specify FALSE to apply just authentication rules.
# 
#PamAccountCheck=1

# Specify vncserver.custom to use a custom PAM setup for system 
# authentication, as defined in /etc/pam.d/vncserver.custom or, under older 
# systems, in /etc/pam.conf.
# 
#PamApplicationName=vncserver

# Binary encoding of the password that VNC Viewer users must supply in order 
# to authenticate to VNC Server.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#Password=

# Register user accounts or groups with VNC Server so connecting VNC Viewer 
# users can authenticate using familiar, securely-managed credentials. Grant 
# permissions to these users to use remote control features while connections 
# are in progress.
# 
#Permissions=

# How often to poll for cursor movement in ms.
# 
#PollCursorTime=100

# How often to poll for display updates in ms.
# 
#PollInterval=50

# The maximum version number of the RFB protocol to support, or empty for all.
# 
#ProtocolVersion=

# The password to use to authenticate to a proxy server.
# 
#ProxyPassword=

# The URL of a proxy server, or alternatively "<system>" to use standard proxy 
# environment variables or libproxy.
# 
#ProxyServer=<system>

# The user name with which to authenticate to a proxy server.
# 
#ProxyUserName=

# Show a prompt identifying each connecting VNC Viewer user, where possible, 
# enabling the connection to be accepted, rejected, or made view-only.
# 
#QueryConnect=0

# Message to use on query connect prompt, maximum length 4096 utf-8 bytes. A 
# very restricted form of HTML is supported. The characters &<>"' must be 
# quoted as in HTML.
# 
#QueryConnectMessage=

# The number of seconds to show the accept/reject prompt for. If nobody 
# responds in that time, the connection is handled as set by 
# QueryTimeoutRights (accepted, made view-only, or rejected).
# 
#QueryConnectTimeout=10

# Offer a view-only choice in the accept/reject prompt.
# 
#QueryOfferViewOnly=1

# Only show the accept/reject prompt if there is likely to be a user present 
# to respond.
# 
#QueryOnlyIfLoggedOn=0

# Determine whether connections exceeding the accept/reject prompt's timeout 
# are accepted or made view-only. Leave empty to reject connections.
# 
#QueryTimeoutRights=

# Stop VNC Server if the status dialog is closed.
# 
#QuitOnCloseStatusDialog=0

# The address to bind to for sending RADIUS requests, or empty to use the 
# default route to the RADIUS server
# 
#RadiusAddress=

# The authentication protocol to use (CHAP | PAP).  Note that CHAP is 
# potentially more secure than PAP, but requires the RADIUS server to have 
# access to plaintext credentials, so PAP is more widely supported.
# 
#RadiusAuthenticationProtocol=CHAP

# The 'Network Access Server' identifier to present to the RADIUS server, 
# which identifies this RADIUS client, or empty to send the IP address as the 
# identifier instead (RadiusAddress).
# 
#RadiusNasId=vncserver

# Strip the domain/realm component from usernames when contacting the RADIUS 
# server
# 
#RadiusNormalizeUsername=0

# The initial prompt to present to VNC Viewer users, or empty to send a blank 
# password to the RADIUS server initially
# 
#RadiusPrompt=RADIUS password:

# The RADIUS secret
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#RadiusSecret=

# The RADIUS server to use for authentication (host/IP address with optional 
# port).  Fallback servers can be specified using a comma-separated list.
# 
#RadiusServer=

# The time spent waiting per RADIUS server; a few retries are sent at 1-second 
# intervals, then the rest of the timeout interval is spent waiting before 
# falling back to the next server.
# 
#RadiusTimeout=60

# Comma-separated list of display geometries to make available via the RANDR 
# extension, if enabled.
# 
#RandR=

# Display a continuous notification while the session is being recorded by a 
# connected user. If this is True then the RecordNotifyDuration parameter is 
# not used.
# 
#RecordNotifyAlways=0

# The number of seconds to display session recording notification messages 
# for, or 0 to disable notifications.
# 
#RecordNotifyDuration=4

# Show a prompt identifying each VNC Viewer user who requests session 
# recording, enabling recording to be accepted or rejected.
# 
#RecordQuery=0

# Map or swap keyboard keys. Specify a comma-separated list of hexadecimal 
# keysyms, prefixed by 0x and separated by -> (to map) or <> (to swap).
# 
#RemapKeys=

# Port on which to accept direct VNC connections.
# 
#RfbPort=5900

# Not applicable to VNC Server in Service Mode. Protect the system credentials 
# of connecting VNC Viewer users from a VNC Server process owner who is not 
# root.
# 
#RootSecurity=0

# File containing the RSA private key.
# 
#RsaPrivateKeyFile=$VNC_PROFILE_DIR/private.key

# Allow connected VNC Viewer users to copy and paste text to their own 
# computers.
# 
#SendCutText=1

# Specify an encoding for VNC Server to use (if supported), or 'Viewer' to 
# grant the VNC Viewer preference
# 
#ServerPreferredEncoding=Viewer

# Advertise VNC Server using Zeroconf on the local domain. Requires the 
# Bonjour library (Windows, MacOS, Solaris) or Avahi (Linux).
# 
#ServiceDiscoveryEnabled=1

# Allow connected VNC Viewer users to transfer files.
# 
#ShareFiles=1

# Facility for the 'syslog' log destination to use, as an integer or name. 
# Supported names: user, daemon, auth, authpriv (if available), security (if 
# available), local0..local7
# 
#SyslogFacility=user

# The security strength to enforce when making TLS connections. For 'Normal', 
# TLS 1.2 is mandated, no broken fallback ciphers are allowed, and key 
# strength is checked for security (no SHA-1 or small keys). Selecting 'High' 
# limits cipher choices to AES-256 with no legacy ciphers.
# 
#TlsProfile=Normal

# The number of days to leave between automatic checks for critical software 
# patches or product updates.
# 
#UpdateCheckFrequencyDays=1

# Use legacy file transfer
# 
#UseLegacyFileTransfer=0

# Binary encoding of password for view-only user.
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#ViewOnlyPassword=

