The IBM Connections Meetings application on Android has the ability to be managed by MaaS360 Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MaaS360 Device Management, then you can skip this article. IBM Connections Meetings will continue to run normally in environments that are not managed by MaaS360.
Minimum Requirements
The following components are required at the specified minimum levels.
Managed Application Management (MAM)
As described above, IBM Connections Meetings can operate in two different modes: managed, where MaaS360 Device Management is in use and manages application security, and unmanaged, where an organization does not use MaaS360 (or does not use it for managing applications). When an organization decides to deploy MaaS360, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has MaaS360 Device Management deployed and begins to use IBM Connections Meetings. The simplest approach for managing the Meetings application is to first install the MaaS360 client on the managed device and set up the security policies and personas on the MaaS360 server. When IBM Connections Meetings is installed and starts, it will detect that MaaS360 is installed and configured, and will change its behavior accordingly. This may include auto-configuring the client to use the corporate meeting servers.
If an organization deploys MaaS360 after Meetings is already in use, then the next time the Meetings application starts, it will detect MaaS360 and change to managed mode. In either case, you can tell whether Meetings is in managed mode by looking at the "About" screen. If there is a "Managing Agent" section, then Meetings is in managed mode; if there is not, then it is in unmanaged mode.
Administration
The Policies, Users, and Devices managed by the MaaS360 server are administered online at http://portal.fiberlink.com. See the MaaS360 MDM Admin Guide for more details on how to use this web-based console.
Key Features of MaaS360 for IBM Connections Meetings on Android
When a 3rd party application such as IBM Connections Meetings incorporates the MaaS360 SDK libraries, the following security features can be enabled:
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (i.e., checks for rooted devices, etc.)
- Restrict copying to the device clipboard
- Restrict sharing of library files to a set of white-listed applications
- Receive real-time alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security posture
- Automatically deliver and update configuration data to the application
Behavioral differences when IBM Connections Meetings is in managed mode
When IBM Connections Meetings is in managed mode, the application:
- Will not respect the mobile.* security parameters in the meeting server config file (the associated policies will be managed via the MaaS360 Configuration File)
- May be affected by certain MaaS360 policy restrictions such as use of the microphone or camera
- Will not allow user modifications of server configurations provided by the MaaS360 configuration file
Data Sharing Controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to IBM Connections Meetings by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.
The Restrict File Export settings in the persona are similar to functions available via mobile.* parms in the Sametime Meeting server config file. For example, the server config parm mobile.allowLibraryExport allows administrators to restrict sharing of all library files with other apps on the device. The MaaS360 persona includes the same capability but at a more granular level (e.g., a white list of apps that library files can be shared with). When IBM Connections Meetings is in managed mode in the MaaS360 environment, it follows a simple rule when deciding which policy to follow: the IBM Connections Meetings mobile.* server security config parms are ignored and the application behavior is dictated by the MaaS360 persona and configuration file settings.
Data sharing, as it relates to IBM Connections Meetings, deals with how documents in the library are handled. With Android, data is shared between applications by either saving data in the shared file space or by explicitly sharing data with applications. While inside a meeting room, the user can open the library view and tap a document to display a menu of all available actions for that document. There are three such menus that relate to data sharing:
- Export - This action allows the user to download and save the library file to another directory on the device. This menu is only available if the administrator has Restrict File Export set to No in the Security section of the MaaS360 Workplace Persona.
- View - Downloads the library file and then opens it with the MaaS360 Secure Viewer. This menu is only available if the administrator has Docs Viewer enabled in the Services section of the MaaS360 Workplace Persona.
- Send - This action will download the file and then present the user with a list of applications with which the library file can be shared. This menu is only available if the administrator has Restrict File Export set to No in the Security section of the MaaS360 Workplace Persona. If the administrator has also specified a white list of applications, then only the applicable apps on the white list will be presented to the user.
Data Security
In a MaaS360 environment, managed apps like IBM Connections Meetings are notified by MaaS360 when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance, the device has been rooted, the user has left the company, etc. When this happens, IBM Connections Meetings, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) explaining why the app is no longer available. Additionally, if required by the policy, the server configurations used by the IBM Connections Meetings app and all local data will be erased.
Meeting Server Mobile Security policies
As mentioned above, the mobile specific security policies specified by the mobile.* parameters in the meeting server configuration file will now be managed by some aspect of MaaS360, either the data security policies or a parameter in a MaaS360 configuration file. Managed instances of the IBM Connections Meetings app will adhere to the policies set forth by MaaS360. Unmanaged apps will continue to adhere to the policy set forth by the meeting server configuration file.
Note: Managed apps will still adhere to room and user policies defined by the Sametime System console except in cases where the console setting is in direct conflict with a MaaS360 policy. The MaaS360 policy will win any conflict. In the case where a policy is managed by a parameter in the MaaS360 config file and that parameter is not specified in the MaaS360 configuration file, the policy will take on the default value. It will never revert to the setting in the meetings configuration file.
The following table shows the mobile security policies that can currently be set by the meeting server configuration file, and how they will now be managed by MaaS360.
| Meeting Server Configuration Parameter | How meeting server policy is managed when using MaaS360 |
| --- | --- |
| "mobile.allowUntrustedSSL" | server config parm ignored - managed via the MaaS360 application configuration file |
| "mobile.allowLibraryUploads" | server config parm ignored - managed via the MaaS360 application configuration file |
| "mobile.allowLibraryDownloads" | server config parm ignored - managed via the MaaS360 data security policy |
| "mobile.allowLibraryExport" | server config parm ignored - managed via the MaaS360 data security policy |
| "mobile.enableRoomPasswordSave" | server config parm ignored - managed via the MaaS360 application configuration file |
| "mobile.enablePasswordSave" | server config parm ignored - managed via the MaaS360 application configuration file |
| "mobile.passwordTimeout" | server config parm ignored - managed via the MaaS360 application configuration file |
Application Specific Configuration
A key feature of the MaaS360 server is the ability for an administrator to upload an application specific configuration file for each managed application. The contents of that file will be pushed to managed applications at initial startup or whenever the configuration file is changed. A configuration file generally specifies connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration file is optional yet highly encouraged, so users with managed devices are up and running as soon as a managed application, such as IBM Connections Meetings, is installed and started for the first time. See the table below for a list of all possible configuration parameters supported by the IBM Connections Meetings app.
In general, the IBM Connections Meetings app is self configuring when it comes to the meeting servers. When a user attempts to join a meeting room using the Schedule Meetings View, a room URL, or by entering a Connections Cloud meeting ID, the associated server will be configured automatically and the user will only be prompted for their credentials. However, it should be noted that if your meeting server is secured behind a corporate firewall and your mobile devices uses an Authenticating Proxy rather than a VPN, the auto-configuration feature, in most cases, will not yield a working configuration. In this case, if a configuration file has not been provided by the administrator, the user will be required to configure the server manually.
The configuration parameters are specified as a series of key-value pairs and the extension of the file must be .txt. Both the key and the value are strings as shown here:
com.ibm.mobile.meetings.serverURL = https://your.meeting.server.com:443
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
.
.
All parameters specific to IBM Connections Meetings have keys that start with com.ibm.mobile.meetings. Keys that start with com.ibm.mobile.meetings.appSetting are general settings that apply to the application, whereas keys that do not have the appSetting term apply to Sametime meeting server configurations. This key naming scheme allows an administrator to build one MaaS360 configuration file for all IBM apps, such as IBM Notes Traveler, Connections, Meetings and Chat. Each application will only read and process its own configuration parameters.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file then the default value for that parameter is assumed.
IBM Connections Meetings General Application Setting Configuration Parameters
| Key | Value | Details |
| --- | --- | --- |
| com.ibm.mobile.meetings.appSetting.problemReportEmail | The email address where problem reports are sent. (default is heyibm@us.ibm.com) | If the client crashes, then on the next restart the user will be asked if they want to send in a problem report to IBM. If they answer Yes, the compose mail dialog is launched, addressed to the recipient specified by the parameter, and the client logs are attached to the mail. Some customers may want to inspect the logs before they send them to IBM, so this parameter routes the mail to their IT department before forwarding on to IBM. |
IBM Connections Meetings Server Configuration Parameters
| Key | Value | Details |
| --- | --- | --- |
| com.ibm.mobile.meetings.serverURL | The fully qualified URL used to access the meetings server. Example: https://acmd.meeting.server.com: Note: If Cloud is used as the value, then this configuration represents the Connections Cloud Meetings server. See more about configuring the Connections Cloud meetings server in the section following this table. | This parameter is required for a valid meeting server configuration. It is the only parameter that does not have a default value and therefore the only parameter that actually needs to be specified in the configuration file if you are satisfied with the defaults for the other settings. The port is optional and if not specified will default to 80 for http servers and 443 for https servers. |
| com.ibm.mobile.meetings.serverName | A text string (default is the server domain). Example: ACME Meeting Server | The nickname for this server. This is how the server will be identified within the IBM Connections Meetings app on your device. |
| com.ibm.mobile.meetings.allowUntrustedSSL | true or false (default is false) | This parameter determines whether or not to allow access to meeting servers secured with an untrusted SSL certificate. If True is specified, the user will still be prompted to accept the unsigned certificate. If False is specified, the connection will not be allowed. |
| com.ibm.mobile.meetings.user | The ID used to sign into the meeting server (default is blank) | This parameter along with the user supplied password is used to authenticate your credentials with the meeting server. Generally, a real user ID would not be specified but an administrator may use one of the following placeholder variables so the user's ID, as it is known to MaaS360, will be substituted when the configuration is pushed down to the device: %email% - the user's email address (example: JohnDoe@acme.com); %user% - the user's user ID (example: JohnDoe); %domain% - the user's domain (example: acme.com). Note: The configuration file uploaded to MaaS360 must have an extension of .txt or the above placeholders will not be supported and will not be replaced with appropriate values. |
| com.ibm.mobile.meetings.authProxyEnabled | true or false (default is false) | If your meeting server is secured behind a corporate firewall and your mobile devices do not use a VPN, you may need to configure your meeting server to connect using an authenticating proxy. In this case, the value must be set to True and the authProxyUrl parameter must be specified. |
| com.ibm.mobile.meetings.authProxyUrl | The fully qualified URL used to access the authenticating proxy. Example: https://acme.auth.proxy.com: | This parameter is required if authProxyEnabled is set to True. There is no default value. If it is not specified or invalid, an authenticating proxy will not be configured. The port is optional and if not specified will default to 80 for http proxies and 443 for https proxies. This parameter is ignored if authProxyEnabled is not specified as True. |
| com.ibm.mobile.meetings.authProxyReuseCredentials | true or false (default is true) | True indicates that you want to use the same ID and password that you have configured for the meeting server. False means the user will need to specify a different set of credentials for the proxy server. This parameter is ignored if authProxyEnabled is not specified as True. |
| com.ibm.mobile.meetings.enableRoomPasswordSave | true or false (default is true) | An administrator can use this parameter to either enable or disable the user's capability to remember meeting room passwords. If the parameter is not specified or if True is specified, when a user joins a meeting room and is prompted for a room password, the user will also be presented with a "Remember password" control so they can remember the password and not be prompted to enter it each time they enter that meeting room (unless the password has changed). When False is specified, the user will not have the option to remember the password and will need to enter it each time they join the meeting room. |
| com.ibm.mobile.meetings.enablePasswordSave | true or false (default is true) | An administrator can use this parameter to determine if the password credential can be saved on the device. If the parameter is not specified or if True is specified, the user's password can be saved with the meeting server configuration. If False is specified, the user will be prompted for their password when authentication occurs. The passwordTimeout parameter can be used to determine how long a password will be remembered once entered, to prevent the user being constantly prompted to enter their password. |
| com.ibm.mobile.meetings.passwordTimeout | The time (in minutes) that a user's password can be remembered. (default is 720) | This parameter is only used if the enablePasswordSave parm has been set to false. When a password is needed for authentication the time since the user last entered their password is compared with this value. If the timeout period has been exceeded, the user will be prompted for their password. If a value of -1 is specified, the timeout feature is disabled and the user will be prompted every time. |
| com.ibm.mobile.meetings.allowLibraryUploads | true or false (default is true) | This parameter determines if the user can upload files, photos, etc. to a room library when connected to the associated meeting server. |
Configuring Multiple Meeting Servers using the MaaS360 Configuration file
Some customers use more than one meeting server in their enterprise. When this is the case, the above list of parameters can be specified with a suffix for the second server configuration as shown here:
com.ibm.mobile.meetings.serverURL= https://acme.meetings.com
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
com.ibm.mobile.meetings.serverURL.test = https://acme.test.meetings.com
com.ibm.mobile.meetings.serverName.test = ACME Test Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
If only one meeting server is being configured, an index is not required and the parameters can be specified as shown in the above table. All parameters for a second server should use the same index, while using a different index for a third server and so on. Parameters with matching indexes will be taken together to create a single configuration.
Note: Client specific parameters, such as com.ibm.mobile.meetings.appSetting.problemReportEmail, should not be specified with an index, as they only need to be specified once.
Modifying Meeting Servers
Once a meeting server has been configured using the MaaS360 configuration file, it cannot be modified using the application settings. The only exception is the user credentials. A user can change the user ID, password or indicate that they want to join meetings on that particular server as a guest. If the user ID is modified by the user, then subsequent configuration updates will not override the value entered by the user.
If a meeting server is configured by the MaaS360 configuration file and then removed from the configuration file, the server will also be removed from the client configuration.
Configuring the IBM Connections Cloud Meeting Server
All the connectivity information needed for IBM Connections Cloud Meetings is already known by the IBM Connections Meetings mobile client. However, the administrator may still want to manage the behavior of the client when using IBM Connections Cloud meeting rooms. This can be accomplished by specifying a configuration for the IBM Connections Cloud server in the MDM Configuration file. Using a serverUrl value of Cloud will indicate that an IBM Connections Cloud server should be configured. As an example, if an administrator wants to configure the IBM Connections Cloud server but does not want the user to be able to save room passwords, the following configuration could be used:
com.ibm.mobile.meetings.serverURL= Cloud
com.ibm.mobile.meetings.enableRoomPasswordSave = false
The actual Connections Cloud data center used with this configuration will be determined by the com.ibm.mobile.meetings.user parameter. If this parameter is not specified, the user will be prompted for credentials on first use of the IBM Connections meeting server. If a user provides a user ID, it will determine the data center. If the user chooses guest access, then the meeting room being joined will determine the data center.
It should be noted that once a serverUrl of Cloud has been specified, the following connectivity related configuration parameters for that server will be ignored if they are specified:
com.ibm.mobile.meetings.serverName
com.ibm.mobile.meetings.allowUntrustedSSL
com.ibm.mobile.meetings.authProxyEnabled
com.ibm.mobile.meetings.authProxyUrl
com.ibm.mobile.meetings.authProxyReuseCredentials
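
The following is an added example, not IBM or MaaS360 code: a small Python check an administrator could run over a configuration file before uploading it. It groups parameters by index suffix, applies the defaults from the parameter table, and reports settings that this article says are ignored or that weaken transport security; the function names, message wording and sample hosts are hypothetical.

```python
from urllib.parse import urlsplit

PREFIX = "com.ibm.mobile.meetings."
# Server parameters and their defaults, from the parameter table on this page.
DEFAULTS = {
    "serverURL": None, "serverName": None, "user": "", "authProxyUrl": None,
    "allowUntrustedSSL": "false", "authProxyEnabled": "false",
    "authProxyReuseCredentials": "true", "enableRoomPasswordSave": "true",
    "enablePasswordSave": "true", "passwordTimeout": "720",
    "allowLibraryUploads": "true",
}
CLOUD_IGNORED = {"serverName", "allowUntrustedSSL", "authProxyEnabled",
                 "authProxyUrl", "authProxyReuseCredentials"}

# Constructed sample file (hypothetical hosts), not a real deployment.
SAMPLE = """\
com.ibm.mobile.meetings.appSetting.problemReportEmail = it-help@example.com
com.ibm.mobile.meetings.serverURL = https://meetings.example.com
com.ibm.mobile.meetings.passwordTimeout = 60
com.ibm.mobile.meetings.serverURL.test = http://test.meetings.example.com
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
com.ibm.mobile.meetings.authProxyEnabled.test = true
com.ibm.mobile.meetings.serverURL.cloud = Cloud
com.ibm.mobile.meetings.serverName.cloud = Cloud Meetings
"""

def parse(text):
    """Group server parameters by index suffix ('' is the un-suffixed server)."""
    servers, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not key.startswith(PREFIX):
            continue  # blank line, or a key owned by another app
        name, _, index = key[len(PREFIX):].partition(".")
        if name == "appSetting":
            if "." in index:
                findings.append(f"line {n}: appSetting keys take no index")
        elif name in DEFAULTS:
            servers.setdefault(index, {})[name] = value
        else:
            findings.append(f"line {n}: unknown parameter {name}")
    return servers, findings

def lint(text):
    """Return review findings; true/false and Cloud are matched case-insensitively (assumption)."""
    servers, findings = parse(text)
    for index, given in sorted(servers.items()):
        label = f"server[{index or 'default'}]"
        cfg = {**DEFAULTS, **given}
        if "passwordTimeout" in given and cfg["enablePasswordSave"].lower() != "false":
            findings.append(f"{label}: passwordTimeout only applies when enablePasswordSave=false")
        if not cfg["serverURL"]:
            findings.append(f"{label}: serverURL is required")
        elif cfg["serverURL"].lower() == "cloud":
            findings += [f"{label}: {p} is ignored for Cloud"
                         for p in sorted(CLOUD_IGNORED.intersection(given))]
        else:
            if urlsplit(cfg["serverURL"]).scheme != "https":
                findings.append(f"{label}: serverURL is not https")
            if cfg["allowUntrustedSSL"].lower() == "true":
                findings.append(f"{label}: allowUntrustedSSL=true permits untrusted certificates")
            if cfg["authProxyEnabled"].lower() == "true" and not cfg["authProxyUrl"]:
                findings.append(f"{label}: authProxyEnabled=true without authProxyUrl")
    return findings
```

Calling `lint(SAMPLE)` returns one finding for the default server, one for the Cloud entry and three for the `test` server.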