Applying KasmVNC DLP Policies

KasmVNC DLP settings allow for defining rate limits for the clipboard and keyboard input, visible regions, watermarking and more. This guide shows examples of DLP configurations and then walks through managing KasmVNC configurations using the [File Mapping](../guide/file_mappings.md) feature.

KasmVNC Configuration

The KasmVNC configuration file, located at /etc/kasmvnc/kasmvnc.yaml, has many configuration options, including data loss prevention (DLP) settings. For a full reference of the KasmVNC YAML configuration, see the KasmVNC Docs. Your custom configuration file does not need to specify default settings, which minimizes the size of your custom configurations. You may use File Mappings to manage the kasmvnc.yaml file and any images referenced for the watermark. This ensures that a custom image is not needed in order to enable watermarking or other custom KasmVNC configurations. The following example enables an image-based watermark and a visible region that blocks clicks in the non-visible region of the screen.

```yaml
network:
  ssl:
    pem_certificate: ${HOME}/.vnc/self.pem
    pem_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  visible_region:
    top: 10
    left: 10
    right: -40
    bottom: -40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  watermark:
    image: /etc/kasmvnc/kasm.png
    tint: 20,20,255,60
    repeat_spacing: 50
```

Figure: Image Watermark

The following example defines a watermark with repeating text, where the text includes the Kasm Workspaces username, user ID, and a timestamp. The text is repeated over the entire display(s) with 50 pixels of padding. For the Kasm username to be available, the expose_user_environment_vars Group Setting must be enabled.

```yaml
network:
  ssl:
    pem_certificate: ${HOME}/.vnc/self.pem
    pem_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  watermark:
    repeat_spacing: 50
    tint: 200,200,235,60
    text:
      template: "Kasm Workspaces User ${KASM_USER} (${KASM_ID}) at %F %H:%M"
      font: auto
      font_size: 24
      timezone_name: Asia/Taipei
```

Figure: Text Watermark

Important

CentOS, Fedora, RedHat, and Oracle operating systems may require an empty line at the end of the yaml configuration file as shown in the example above.

Applying a KasmVNC Configuration

To apply your own custom KasmVNC configuration to Workspace sessions, use the File Mapping feature. File Mappings allow you to edit files directly within the Kasm Workspaces Admin UI and have them mapped into user sessions. File Mappings can be defined on a Workspace, Group, or User, giving you flexibility in determining which KasmVNC configuration is applied for different use cases. Your custom KasmVNC YAML configuration file should be mapped to the location /etc/kasmvnc/kasmvnc.yaml. The following is an example of a File Mapping definition for a KasmVNC configuration that defines a DLP policy to enforce a visible region within the screen and a watermark.

Important

The network portion of the configuration shown is required, as those settings override KasmVNC defaults which are required for it to operate within Kasm Workspaces.

Figure: File Mapping for KasmVNC Policy

A File Mapping also needs to be defined for the image to be used as the watermark. Per the YAML configuration above, the image should be mapped to /etc/kasmvnc/kasm.png. You may change this location, as long as the path defined in the YAML configuration at data_loss_prevention.watermark.image is the same location defined in the File Mapping.

Figure: File Mapping for Watermark Image

The following screenshot shows the DLP policy in action, where the defined visible region starts 10 pixels from the top and 10 pixels from the left and ends 40 pixels from the right and 40 pixels from the bottom. The defined watermark is applied across the entire screen in a repeating pattern with 50 pixels between each image.

Figure: KasmVNC Visible Region DLP Policy in Action
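
A pre-deployment check for the two requirements described above: the network settings must be present, and data_loss_prevention.watermark.image must match a File Mapping destination. This is an added example, not part of the Kasm documentation or KasmVNC itself. The names flatten, lint, SAMPLE and MAPPED are hypothetical, the sample data is constructed, and the small parser handles only the nested key: value layout used in this guide's examples.

```python
REQUIRED = ("network.ssl.pem_certificate", "network.ssl.pem_key",
            "network.udp.public_ip")  # settings the guide says must stay

def flatten(text):
    """Flatten nested 'key: value' YAML into {'a.b.c': 'value'}.
    Handles only the mapping layout used in this guide, not full YAML."""
    flat, stack = {}, []  # stack: (indent, key) of the mappings still open
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indent
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[path] = value.strip().strip('"')
        else:
            stack.append((indent, key))
    return flat

def lint(text, mapped_destinations):
    """Return a list of problems; an empty list means the file passes."""
    cfg = flatten(text)
    problems = [f"missing required setting {p}" for p in REQUIRED if p not in cfg]
    image = cfg.get("data_loss_prevention.watermark.image")
    if image and image not in mapped_destinations:
        problems.append(f"watermark image {image} has no File Mapping")
    return problems

# Constructed sample: one mistyped key and an image path with no mapping.
# MAPPED is a constructed set of File Mapping destinations for the workspace.
SAMPLE = """\
network:
  ssl:
    pem_certificate: ${HOME}/.vnc/self.pem
    pam_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  watermark:
    image: /etc/kasmvnc/logo.png
    repeat_spacing: 50
"""
MAPPED = {"/etc/kasmvnc/kasmvnc.yaml", "/etc/kasmvnc/kasm.png"}

if __name__ == "__main__":
    for problem in lint(SAMPLE, MAPPED):
        print("FAIL:", problem)
```

Running the check on a configuration before saving it as a File Mapping catches a dropped or mistyped network key, which would otherwise only surface when a session starts without the overrides Kasm Workspaces depends on.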