Applying KasmVNC DLP Policies

KasmVNC DLP settings allow for defining rate limits for the clipboard and keyboard input, visible regions, watermarking and more. This guide walks you through using the File Mapping feature to manage the KasmVNC configuration in the Kasm Admin UI for a specific Workspace.

KasmVNC Configuration

The KasmVNC configuration file has a lot of settings, to include DLP settings. For a full reference of the KasmVNC YAML configuration, see the KasmVNC Docs. It is not necessary for your custom configuration file to specify default settings, this minimizes the size of your custom configurations. The following example will enable a watermark and a visible region that blocks clicks in the non-visible region of the screen.

network:
  ssl:
    pam_certificate: ${HOME}/.vnc/self.pem
    pam_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  visible_region:
    top: 10
    left: 10
    right: -40
    bottom: -40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  watermark:
    image: /etc/kasmvnc/kasm.png
    tint: 20,20,255,60
    repeat_spacing: 50

Important

CentOS, Fedora, RedHat, and Oracle operating systems may require an empty line at the end of the yaml configuration file as shown in the example above.

Applying a KasmVNC Configuration

To apply your own custom KasmVNC configuration to Workspace sessions, use the File Mapping feature. File Mappings allow you to directly edit files with in the Kasm Workspaces Admin UI and have them mapped into user sessions. File Mappings can be defined on a Workspace, Group, or User, allowing you flexibility in determining which KasmVNC configuration is applied for different use cases. Your custom KasmVNC YAML configuration file should be mapped to the location /etc/kasmvnc/kasmvnc.yaml. The following is an example of a File Mapping definition for a KasmVNC Configuration that defines a DLP policy to enforce a visible region within the screen and a watermark.

Important

The network portion of the configuration shown is required, as those settings override KasmVNC defaults which are required for it to operate within Kasm Workspaces.

../_images/kasmvnc_dlp_file_mapping.png

File Mapping for KasmVNC Policy

A file mapping also needs to be defined for the image to be used as the watermark. Per the yaml configuration above, the image should be mapped to /etc/kasmvnc/kasm.png, however, you may change this, as long as what is defined in the yaml configuration at data_loss_prevention.watermark.image is the location defined in the file mapping.

../_images/kasmvnc_dlp_watermark_image.png

File Mapping for Watermark Image

The following screenshot shows the DLP policy in action, where the defined visible region starts 10 pixels from the top and 10 pixels from the left and ends 40 pixels from the right and 40 pixels from the bottom. The defined watermark is applied across the entire screen in a repeating pattern with 50 pixels between each image.

../_images/kasmvnc_dlp_region.png

KasmVNC Visible Region DLP Policy in Action