The IBM Sametime Chat application on Android / iOS has the ability to be managed by MaaS360 Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MaaS360 Device Management, then you can skip this article. IBM Sametime Chat will continue to run normally in environments that are not managed by MaaS360.
Minimum Requirements
The following components are required at the specified minimum levels.
- Android - Fiberlink MaaS360 v5.0
- iOS - Fiberlink MaaS360 v2.60
- IBM Sametime Chat v9.2.0
Managed Application Management (MAM)
As described above, IBM Sametime Chat can operate in two different modes: managed, where MaaS360 Device Management is in use and manages application security, and unmanaged, where an organization does not use MaaS360 (or does not use it for managing applications). When an organization decides to deploy MaaS360, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has MaaS360 Device Management deployed and begins to use IBM Sametime Chat. The simplest approach for managing the Chat application is to first install the MaaS360 client on the managed device and set up the security policies and personas on the MaaS360 server. When IBM Sametime Chat is installed and starts, it will detect that MaaS360 is installed and configured, and will change its behavior accordingly. This may include auto-configuring the client to use the corporate chat servers.
If an organization deploys MaaS360 after Sametime Chat is already in use, then the next time the Chat application starts, it will detect MaaS360 and change to managed mode. In either case, you can tell if Chat on Android is in managed mode by looking at the "About" screen. If there is a "Managing Agent" section present in this screen, then Chat is in managed mode. If this section is absent from the "About" screen, then Chat is in unmanaged mode. This feature is not currently supported on iOS.
Administration
The Policies, Users, and Devices managed by MaaS360 server are administered online at http://portal.fiberlink.com. See the MaaS360 MDM Admin Guide for more details on how to use this web-based console.
Key Features of MaaS360 for Sametime Chat
When a third party application such as IBM Sametime Chat incorporates the MaaS360 SDK libraries, the following security features can be enabled:
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checks for rooted / jailbroken devices)
- Restrict copying to the device clipboard
- Receive real-time alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security posture
- Automatically deliver and update configuration data to the application
Behavioral differences when IBM Sametime Chat is in managed mode
When IBM Sametime Chat is in managed mode, the application:
- May be affected by certain MaaS360 policy restrictions, such as use of the microphone or camera
- Will not allow user modifications of server configurations, beyond user credentials, that are provided by the MaaS360 configuration file
Data Security
In a MaaS360 environment, managed apps like IBM Sametime Chat are notified by MaaS360 when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance, the device has been rooted, the user has left the company, and so on. When this happens, IBM Sametime Chat, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) why the app is no longer available. Additionally, if required by the policy, the server configurations used by the Sametime Chat application and all local data will be erased.
Application Specific Configuration
A key feature of the MaaS360 server is the ability for an administrator to upload an application specific configuration file for each managed application. The contents of that file will be pushed to managed applications at initial startup or whenever the configuration file is changed. A configuration file generally specifies connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration file is optional but is highly encouraged so users with managed devices are up and running as soon as a managed application, such as IBM Sametime Chat, is installed and launched for the first time. Please see the table below for a list of all the possible configuration parameters supported by the IBM Sametime Chat application.
The configuration parameters are specified as a series of key-value pairs in a file that must have the extension '.txt'. A few examples of the key and value strings are shown below:
com.ibm.mobile.chat.communityName = ACME Chat Server
com.ibm.mobile.chat.serverHostName = acme.chat.server.com
com.ibm.mobile.chat.ssl = false
All parameters specific to Sametime Chat must have keys that start with 'com.ibm.mobile.chat'. This key naming scheme allows an administrator to build one MaaS360 configuration file for all IBM apps such as IBM Notes Traveler, Connections, Sametime Meetings and Chat. Each application will only read and process its own configuration parameters.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file, then the default value for that parameter is assumed.
Sametime Chat Server Configuration Parameters
Key | Value | Details |
com.ibm.mobile.chat.communityName | Type: A text string; Default: N/A; Example: ACME Chat Server | This is the nickname for this configuration. This is how the server will be identified within the Sametime Chat application. Note: Always provide this parameter. |
com.ibm.mobile.chat.serverURL | Type: A text string; Default: N/A; Example: https://acme.chat.server.com:443 | This parameter is the fully qualified URL for the Chat server. It must contain the server address, URL scheme, and port number. Note: Always provide this parameter or the following two parameters: serverHostName and serverPort. |
com.ibm.mobile.chat.serverHostName | Type: A text string; Default: N/A; Example: acme.chat.server.com | This parameter is the URL used to access the Sametime Chat server. Note: Do not provide the URL scheme with this parameter. Note: Always provide this parameter if serverURL is not being used. If serverURL is being used, then do not provide this parameter. |
com.ibm.mobile.chat.serverPort | Type: A number; Default: N/A; Example: 443 | This parameter is the port used to access the Sametime Chat server. Note: Always provide this parameter if serverURL is not being used. If serverURL is being used, then do not provide this parameter. |
com.ibm.mobile.chat.ssl | Type: A boolean (true or false); Default: false; Example: true | This parameter is used to indicate whether the community should use a secure connection or not. Note: If serverURL is being used, then do not provide this parameter. |
com.ibm.mobile.chat.allowUntrustedSSL | Type: A boolean (true or false); Default: false; Example: false | This parameter is used to indicate whether the community should allow untrusted SSL. Note: This parameter is only available if the 'ssl' parameter is set to true. Otherwise, this parameter will always be stored as false. |
com.ibm.mobile.chat.user | Type: A text string; Default: N/A; Example: JohnDoe@acme.com | This parameter is used to authenticate the user with the chat server. As the MaaS administrator, you are able to use a specific login username. However, MaaS also provides the ability to substitute values that are specific to the individual user. The following three variables are available: %email% (replaced with the email associated with the MaaS user), %user% (replaced with the user ID associated with the MaaS user), %domain% (replaced with the domain associated with the MaaS user). |
com.ibm.mobile.chat.password | Type: A text string; Default: N/A; Example: abc123 | This parameter is used to authenticate the user with the chat server. |
com.ibm.mobile.chat.cloudCommunity | Type: A boolean (true or false); Default: false; Example: false | This parameter is used to indicate whether the community is a cloud community. Setting this parameter to 'true' will indicate that the configuration is a cloud community. Note: If the community is a cloud community, some of these parameters are no longer applicable. Refer to the section below on configuring cloud communities. |
com.ibm.mobile.chat.authProxyEnabled | Type: A boolean (true or false); Default: true; Example: true | This parameter is used to indicate whether the Chat application should attempt to log in through an authenticating proxy. |
com.ibm.mobile.chat.photoPort | Type: A number; Default: N/A; Example: 444 | This parameter is used to denote a separate port for providing contact photos to the application. |
com.ibm.mobile.chat.authProxyReuseCredentials | Type: A boolean (true or false); Default: true; Example: true | This parameter is used to indicate whether the Chat application should reuse the basic username and password for the authenticating proxy. |
com.ibm.mobile.chat.authProxyUser | Type: A text string; Default: N/A; Example: JohnDoe@acme.com | This parameter is used to specify a separate username for use with the authenticating proxy. |
com.ibm.mobile.chat.authProxyPassword | Type: A text string; Default: N/A; Example: abc123 | This parameter is used to specify a separate password for use with the authenticating proxy. |
com.ibm.mobile.chat.disablePasswordSave | Type: A boolean (true or false); Default: false; Example: true | This parameter is used to indicate to the application whether it should store the user's password or not. |
Configuring Multiple Chat Servers using the MaaS360 Configuration file
Some customers use more than one Sametime Chat server in their enterprise. For these scenarios, the administrator can configure additional communities by appending an index to the end of the parameter name for each additional community. The first community does not need this index, but each additional community will need their own index for association. For example, the administrator may create a configuration file with three communities. The first community simply specifies the parameters without an index. The second community could use the index of '2' and the third community could use the index of 'test'.
com.ibm.mobile.chat.serverURL = https://acme.chat.com:443
com.ibm.mobile.chat.serverName = ACME Chat Server
com.ibm.mobile.chat.allowUntrustedSSL = false
com.ibm.mobile.chat.serverHostName.2 = acme.2.chat.com
com.ibm.mobile.chat.serverPort.2 = 443
com.ibm.mobile.chat.ssl.2 = true
com.ibm.mobile.chat.serverName.2 = ACME 2nd Chat Server
com.ibm.mobile.chat.allowUntrustedSSL.2 = true
com.ibm.mobile.chat.serverURL.test = http://acme.test.chat.com:1080
com.ibm.mobile.chat.serverName.test = ACME Test Chat Server
com.ibm.mobile.chat.allowUntrustedSSL.test = false
If only one Chat server is being configured, the index is not required and the parameters can be specified as shown in the above table. All parameters for subsequent servers should use the same index per community. Parameters with matching indexes will be grouped together to create a single configuration.
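As an added example (not IBM or MaaS360 code), the Python sketch below groups the keys of such a file by index as described above and applies the rules from the parameter table, also reporting settings that weaken transport or credential protection. The sample file, its host names, the index 'lab' and the wording of the findings are constructed for this example.

```python
PREFIX = "com.ibm.mobile.chat."
# Constructed sample file: host names and the index "lab" are made up.
SAMPLE = """\
com.ibm.mobile.chat.communityName = ACME Chat Server
com.ibm.mobile.chat.serverURL = https://chat.example.com:443
com.ibm.mobile.chat.serverHostName.2 = chat2.example.com
com.ibm.mobile.chat.serverPort.2 = 443
com.ibm.mobile.chat.ssl.2 = true
com.ibm.mobile.chat.allowUntrustedSSL.2 = true
com.ibm.mobile.chat.communityName.lab = ACME Lab
com.ibm.mobile.chat.serverURL.lab = http://lab.example.com:1080
com.ibm.mobile.chat.password.lab = abc123
com.example.otherapp.setting = skipped
"""

def parse_communities(text):
    """Group 'com.ibm.mobile.chat.<name>[.<index>] = value' lines by index."""
    groups = {}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not key.startswith(PREFIX):
            continue  # keys of other apps sharing the file are skipped
        name, _, index = key[len(PREFIX):].partition(".")
        groups.setdefault(index, {})[name] = value
    return groups  # the first community has index ""

def lint(groups):
    """Return sorted (index, finding) pairs derived from the parameter table."""
    out = []
    for idx, p in groups.items():
        on = lambda k: p.get(k, "false").lower() == "true"
        url = p.get("serverURL")
        cloud = on("cloudCommunity")  # connectivity keys are ignored for cloud
        clear = url.lower().startswith("http://") if url else not on("ssl")
        checks = [
            ("communityName" not in p, "communityName missing"),
            (url and p.keys() & {"serverHostName", "serverPort", "ssl"},
             "serverURL combined with host/port/ssl"),
            (not (cloud or url or {"serverHostName", "serverPort"} <= p.keys()),
             "no serverURL or serverHostName+serverPort"),
            (not cloud and clear, "connection not protected by SSL"),
            (not cloud and on("allowUntrustedSSL"), "untrusted SSL certificates accepted"),
            (p.keys() & {"password", "authProxyPassword"},
             "password stored in the configuration file"),
        ]
        out += [(idx, msg) for hit, msg in checks if hit]
    return sorted(out)

if __name__ == "__main__":
    print(*lint(parse_communities(SAMPLE)), sep="\n")
```

Running a check like this before uploading the file to the MaaS360 server catches an index typo that splits one community into two, as well as a test community left on plain HTTP.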
Modifying Chat Servers
Once a Chat server has been configured using the MaaS360 configuration file, it cannot be modified by the user through either the application settings or URL configurations. The only exception to this rule is the user credentials. A user is able to modify both username and password. Due to this capability, any configuration updates for user credentials will be ignored by the application. Again, after the initial configuration is sent down to the device, the MaaS administrator will be unable to push down any changes to user credentials.
Any community configurations that are sent down to the device by MaaS360 are denoted as MDM configurations. If this configuration is ever removed from the configuration file, then it will be designated as an orphan community and immediately removed from the device.
Configuring the SmartCloud Chat Server
All the connectivity information needed for SmartCloud Meetings is already known by the Sametime Meetings mobile client. However, the administrator may still want to manage the behavior of the client when using SmartCloud for Chat. This can be accomplished by specifying a configuration for the SmartCloud server in the MDM Configuration file. In order to denote that a configuration is for SmartCloud, simply specify the cloudCommunity parameter as true:
com.ibm.mobile.chat.cloudCommunity = true
The actual SmartCloud data center used with this configuration will be determined by the com.ibm.mobile.chat.user parameter. If this parameter is not specified in the configuration file, the user will be prompted for credentials when attempting to login to the SmartCloud chat server. The ID the user provides will determine the data center to be used.
When configuring for a SmartCloud community, the following parameters are the only ones that will be recognized:
com.ibm.mobile.chat.communityName
com.ibm.mobile.chat.cloudCommunity
com.ibm.mobile.chat.user
com.ibm.mobile.chat.password
com.ibm.mobile.chat.disablePasswordSave
All other parameters will be ignored.