The IBM Connections Meetings application on Android has the ability to be managed by MobileIron Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MobileIron Device Management, then you can skip this article. IBM Connections Meetings will continue to run normally in environments that are not managed by MobileIron.
Minimum Requirements
The following components are required at the specified minimum levels.
IBM Connections Meetings:
- MobileIron AppConnect enabled version of IBM Connections Meetings for Android
MobileIron:
- MobileIron Core version 7.5 or later
- MobileIron Sentry version 6.0 or later
- MobileIron Mobile@Work client version 7.5.x or later for the Android device
- MobileIron Secure Apps 7.1.1 or later (Secure Apps Manager, ThinkFree Viewer, and FileManager)
Managed Application Management (MAM)
As described above, IBM Connections Meetings can operate in two different modes:
- managed, where MobileIron Secure Apps Manager is in use and manages application security, and
- unmanaged, where an organization does not use MobileIron (or does not use it for managing applications).
The user will install IBM Connections Meetings for Android differently, depending on whether they are operating in a managed or unmanaged environment.
In an unmanaged environment, the user will simply download and install the standard edition of Connections Meetings from the Google Play store. However, in a managed environment, the user must first install the MobileIron Secure Apps Manager, and use that app to download a securely wrapped version of IBM Connections Meetings. This wrapped version has been run through a MobileIron build process to enable it to support all the MobileIron security features.
A user cannot switch between the Google Play and MobileIron editions of IBM Connections Meetings, or carry their data over from one to the other.
Administration
The Policies, Users, and Devices are managed on the MobileIron Admin Portal.
Key Features of MobileIron for IBM Connections Meetings on Android
When a 3rd party application such as IBM Connections Meetings is wrapped by MobileIron, the following security features can be enabled:
- set a timeout for single sign-on login across your managed applications
- enforce device compliance checks (i.e., checks for rooted devices, etc.)
- restrict copying to the device clipboard
- restrict sharing of library files to a set of white-listed applications
- restrict screenshots within managed applications
- receive real-time alerts of compliance violations
- automatically deliver and update policies remotely to the application container based on user and device security posture
- automatically deliver and update configuration data to the application
Behavioral differences when IBM Connections Meetings is in managed mode
When IBM Connections Meetings is in managed mode, the application:
- will not respect the mobile.* security parameters in the meeting server config file (the associated policies will be managed via the MobileIron Configuration File)
- may be affected by certain MobileIron policy restrictions such as use of the microphone or camera
- will not allow user modifications of server configurations provided by the MobileIron configuration file
Data Sharing Controls
The data leak prevention settings are described in the MobileIron administration documentation. These policies are automatically applied to wrapped instances of IBM Connections Meetings.
Data sharing, as it relates to IBM Connections Meetings, deals with how documents in the library are handled. With Android, data is shared between applications by either saving data in the shared file space or by explicitly sharing data with Applications. While inside a meeting room, the user can open the library view and tap a document to display a menu of all available actions for that document. There are three such menus that relate to data sharing:
1. Export - This action will allow the user to download and save the library file to another directory on the device. This option will never be available when the app is wrapped by MobileIron.
2. View - Downloads the library file and then opens it with a suitable file viewer in the device's Secure Apps, if one exists.
3. Send - This action will download the file and then present the user with a list of applications from Secure Apps with which the library file can be shared.
Data Security
In a MobileIron environment, managed apps like IBM Connections Meetings are notified by MobileIron when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance, the device has been rooted, the user has left the company, etc. When this happens, IBM Connections Meetings, like any other MobileIron managed application, will block the application UI and present the user with a message (determined by the administrator or MobileIron) why the app is no longer available. Additionally, if required by the policy, the server configurations used by the IBM Connections Meetings app and all local data will be erased.
Meeting Server Mobile Security policies
As mentioned above, the mobile specific security policies specified by the mobile.* parameters in the meeting server configuration file will now be managed by some aspect of MobileIron, either the data security policies or a parameter in a MobileIron configuration. Managed instances of the IBM Connections Meetings app will adhere to the policies set forth by MobileIron. Unmanaged instances will continue to adhere to the policy set forth by the meeting server configuration file.
Note: managed instances will still adhere to room and user policies defined by the Sametime System console except in cases where the console setting is in direct conflict with a MobileIron policy. The MobileIron policy will win any conflict. In the case where the policy is managed by a parameter in the MobileIron config and that parameter is not specified in the MobileIron config, the policy will take on the default value. It will not in any case revert to the setting in the meetings configuration file.
The following table shows the mobile security policies that can currently be set by the meeting server configuration file, and how they will now be managed by MobileIron.
Meeting Server Configuration Parameter | How meeting server policy is managed when using MobileIron |
"mobile.allowUntrustedSSL" | server config parm Ignored - managed via the MobileIron application configuration |
"mobile.allowLibraryUploads" | server config parm Ignored - managed via the MobileIron application configuration |
"mobile.allowLibraryDownloads" | server config parm Ignored - managed via the MobileIron data security policy |
"mobile.allowLibraryExport" | server config parm Ignored - never available while managed by MobileIron |
"mobile.enableRoomPasswordSave" | server config parm Ignored - managed via the MobileIron application configuration |
"mobile.enablePasswordSave" | server config parm Ignored - managed via the MobileIron application configuration |
"mobile.passwordTimeout" | server config parm Ignored - managed via the MobileIron application configuration |
Application Specific Configuration
A key feature of the MobileIron server is the ability for an administrator to create application specific configuration for each managed application. The contents of that configuration will be pushed to managed applications at initial startup or whenever the configuration is changed. A configuration generally specifies connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration is optional but is highly encouraged so users with managed devices are up and running as soon as a managed application, such as IBM Connections Meetings, is installed and started for the first time. Please see the table below for a list of all the possible configuration parameters supported by the IBM Connections Meetings app.
In general, the IBM Connections Meetings app is self-configuring when it comes to the meeting servers. When a user attempts to join a meeting room via the Schedule Meetings View, a room URL or by entering a Connections Cloud meeting ID, the associated server will be configured automatically and the user will only be prompted for their credentials. However, it should be noted that if your meeting server is secured behind a corporate firewall and your mobile devices use an Authenticating Proxy rather than a VPN, the auto-configuration feature, in most cases, will not yield a working configuration. In this case, if a configuration file has not been provided by the administrator, the user will be required to configure the meeting server manually.
The configuration parameters are specified as a series of key-value pairs. Both the key and the value are strings as shown here:
com.ibm.mobile.meetings.serverURL = https://your.meeting.server.com:443
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
All parameters specific to IBM Connections Meetings have keys that start with com.ibm.mobile.meetings. Keys that start with com.ibm.mobile.meetings.appSetting are general settings that apply to the application, whereas keys that do not have the appSetting term apply to IBM Connections Meetings server configurations. This key naming scheme allows an administrator to build one MobileIron configuration for all IBM apps such as Traveler, Connections, Meetings and Chat. Each application will only read and process its own configuration parameters.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file then the default value for that parameter is assumed.
IBM Connections Meetings General Application Setting Configuration Parameters
Key | Value | Details |
com.ibm.mobile.meetings.appSetting.problemReportEmail | The email address where problem reports are sent. (default is heyibm@us.ibm.com) | If the client crashes, then on next restart the user will be asked if they want to send in a problem report to IBM. If they say Yes, the compose email is launched and the client logs are attached to an email to the address specified by this parameter. Some customers may want to inspect the logs before they send them in to IBM so they use this parameter to route the emails to their IT department before forwarding on to IBM. |
IBM Connections Meetings Server Configuration Parameters
Key | Value | Details |
com.ibm.mobile.meetings.serverURL | The fully qualified URL used to access the IBM Connections Meetings server.
Example: https://acmd.meeting.server.com:
Note: If Cloud is used as the value, then this configuration represents the Connections Cloud Meetings server. See more about configuring the Connections Cloud meetings server in the section following this table. | This parameter is required for a valid meeting server configuration. It is the only parameter that does not have a default value and therefore the only parameter that actually needs to be specified in the configuration file if you are satisfied with the defaults for the other settings. The port is optional and if not specified will default to 80 for http servers and 443 for https servers. |
com.ibm.mobile.meetings.serverName | | The nickname for this server. This is how the server will be identified within the IBM Connections Meetings app on your device. |
com.ibm.mobile.meetings.allowUntrustedSSL | true or false (default is false) | This parameter determines whether or not to allow access to meeting servers secured with an untrusted SSL certificate. If true is specified the user will still be prompted to accept the unsigned certificate. If false is specified the connection will not be allowed. |
com.ibm.mobile.meetings.user | The ID used to sign into the meeting server (default is blank) | This parameter along with the user supplied password is used to authenticate you with the meeting server. Generally a real user id would not be specified but an administrator may use one of the following placeholder variables so the user's ID as it is known to MobileIron will be substituted in when the configuration is pushed down to the device:
$EMAIL$ - the user's email address
Example: JohnDoe@acme.com
$USERID$ - the user's user ID
Example: JohnDoe |
com.ibm.mobile.meetings.authProxyEnabled | true or false (default is false) | If your meeting server is secured behind a corporate firewall and your mobile devices do not use a VPN, you may need to configure your meeting server to connect using an authenticating proxy. In this case this value must be set to true and the authProxyUrl parameter must be specified. |
com.ibm.mobile.meetings.authProxyUrl | | This parameter is required if authProxyEnabled is set to true. There is no default value so if it is not specified or invalid, an authenticating proxy will not be configured. The port is optional and if not specified will default to 80 for http proxies and 443 for https proxies. This parameter is ignored if authProxyEnabled is not specified as true. |
com.ibm.mobile.meetings.authProxyReuseCredentials | true or false (default is true) | True indicates that you want to use the same id and password that you have configured for the meeting server. False means the user will need to specify a different set of credentials for the proxy server. This parameter is ignored if authProxyEnabled is not specified as true. |
com.ibm.mobile.meetings.enableRoomPasswordSave | true or false (default is true) | An administrator can use this parameter to either enable or disable the user's capability to remember meeting room passwords. If the parameter is not specified or if true is specified, when a user joins a meeting room and is prompted for a room password, the user will also be presented with a "Remember password" control so they can remember the password and not be prompted to enter it each time they enter that meeting room (unless the password has changed). When false is specified the user will not have the option to remember the password and will need to enter it each time they join the meeting room. |
com.ibm.mobile.meetings.enablePasswordSave | true or false (default is true) | An administrator can use this parameter to determine if the password credential can be saved on the device. If the parameter is not specified or if true is specified, the user's password can be saved with the meeting server configuration. If false is specified, the user will be prompted for their password when authentication occurs. The passwordTimeout parameter can be used to set how long a password can be remembered once entered so the user is not constantly prompted to enter their password. |
com.ibm.mobile.meetings.passwordTimeout | The time (in minutes) that a user's password can be remembered. (default is 720) | This parameter is only used if the enablePasswordSave parm has been set to false. When a password is needed for authentication the time since the user last entered their password is compared with this value. If the timeout period has been exceeded, the user will be prompted for their password. If a value of -1 is specified, the timeout feature is disabled and the user will be prompted every time. |
com.ibm.mobile.meetings.allowLibraryUploads | true or false (default is true) | This parameter determines if the user can upload files, photos, etc. to a room library when connected to the associated meeting server. |
Configuring Multiple Meeting Servers using a MobileIron Configuration
Some customers use more than one meeting server in their enterprise. When this is the case the above list of parameters can be specified with a suffix for the second server configuration as shown here:
com.ibm.mobile.meetings.serverURL= https://acme.meetings.com
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
com.ibm.mobile.meetings.serverURL.test = https://acme.test.meetings.com
com.ibm.mobile.meetings.serverName.test = ACME Test Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
If only one meeting server is being configured, a suffix is not required and the parameters can be specified as shown in the above table. All parameters for a second server should use the same suffix, and yet a different suffix for a third server and so on. Parameters with matching indexes will be taken together to create a single configuration.
Note: Client specific parameters such as com.ibm.mobile.meetings.appSetting.problemReportEmail should not be specified with an index as they only need to be specified once.
Modifying Meeting Servers
Once a meeting server has been configured using the MobileIron configuration, it cannot be modified via the application settings. The only exception is the user credentials. A user can change the user ID, password or indicate that they want to join meetings on that particular server as a guest. If the user ID is modified by the user, then subsequent configuration updates will not override the value entered by the user.
If a meeting server is configured by the MobileIron configuration and then is removed from the configuration on the server, the server will also be removed from the client configuration.
Configuring the Connections Cloud Meeting Server
All the connectivity information needed for Connections Cloud Meetings is already known by the IBM Connections Meetings mobile client. However, the administrator may still want to manage the behavior of the client when using Connections Cloud meeting rooms. This can be accomplished by specifying a configuration for the Connections Cloud meeting server in the MobileIron configuration. Using a serverURL value of Cloud will indicate that a Connections Cloud meeting server should be configured. As an example, if an administrator wants to configure the Connections Cloud meeting server but does not want the user to be able to save room passwords, the following configuration could be used:
com.ibm.mobile.meetings.serverURL= Cloud
com.ibm.mobile.meetings.enableRoomPasswordSave = false
The actual Connections Cloud data center used with this configuration will be determined by the com.ibm.mobile.meetings.user parameter. If this parameter is not specified, the user will be prompted for credentials on first use of the Connections Cloud meeting server. If a user provides a user ID, it will determine the data center. If the user chooses guest access then the meeting room being joined will determine the data center.
It should be noted that once a serverURL of Cloud has been specified, the following connectivity related configuration parameters for that server will be ignored if they are specified:
com.ibm.mobile.meetings.serverName
com.ibm.mobile.meetings.allowUntrustedSSL
com.ibm.mobile.meetings.authProxyEnabled
com.ibm.mobile.meetings.authProxyUrl
com.ibm.mobile.meetings.authProxyReuseCredentials
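The suffix grouping from the multiple-server section and the Cloud rules listed above can be checked before a configuration is pushed to devices. The following Python lint is an added example, not code from IBM or MobileIron; the grouping logic, the case-insensitive boolean comparison, and the sample hostnames and suffixes are assumptions.

```python
PREFIX = "com.ibm.mobile.meetings."
# Defaults from the parameter table on this page (None = no default stated).
DEFAULTS = {"serverURL": None, "serverName": None, "authProxyUrl": None,
            "allowUntrustedSSL": "false", "user": "", "authProxyEnabled": "false",
            "authProxyReuseCredentials": "true", "enableRoomPasswordSave": "true",
            "enablePasswordSave": "true", "passwordTimeout": "720",
            "allowLibraryUploads": "true"}
# Connectivity keys the page lists as ignored once serverURL is Cloud.
CLOUD_IGNORED = {"serverName", "allowUntrustedSSL", "authProxyEnabled",
                 "authProxyUrl", "authProxyReuseCredentials"}

def is_true(value):  # assumption: booleans are compared case-insensitively
    return (value or "").strip().lower() == "true"

def parse(text):
    """Group server keys by suffix ('' = none); also return unknown keys."""
    servers, unknown = {}, []
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition("="))
        name = key[len(PREFIX):]
        if not sep or not key.startswith(PREFIX) or name.startswith("appSetting."):
            continue  # not key=value, another app's key, or a general app setting
        param, _, suffix = name.partition(".")
        if param in DEFAULTS:
            servers.setdefault(suffix, {})[param] = value
        else:
            unknown.append(key)
    return servers, unknown

def lint(text):
    servers, unknown = parse(text)
    findings = [f"unknown key: {key}" for key in unknown]
    for suffix, given in sorted(servers.items()):
        label = suffix or "(no suffix)"
        cfg = {**DEFAULTS, **given}  # unspecified parameters take the default
        if not cfg["serverURL"]:  # e.g. a mistyped suffix orphans its keys
            findings.append(f"{label}: serverURL is required")
        elif cfg["serverURL"] == "Cloud":
            findings += [f"{label}: {k} is ignored for Cloud"
                         for k in sorted(CLOUD_IGNORED & given.keys())]
        else:
            if is_true(cfg["allowUntrustedSSL"]):
                findings.append(f"{label}: untrusted SSL certificates allowed")
            if is_true(cfg["authProxyEnabled"]) and not cfg["authProxyUrl"]:
                findings.append(f"{label}: authProxyEnabled without authProxyUrl")
        if "passwordTimeout" in given and is_true(cfg["enablePasswordSave"]):
            findings.append(f"{label}: passwordTimeout unused, password save is on")
    return findings

# Constructed sample configuration; hostnames and suffixes are illustrative.
SAMPLE = """\
com.ibm.mobile.meetings.serverURL = https://acme.meetings.com
com.ibm.mobile.meetings.passwordTimeout = 60
com.ibm.mobile.meetings.serverURL.test = https://acme.test.meetings.com
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
com.ibm.mobile.meetings.authProxyEnabled.test = true
com.ibm.mobile.meetings.serverURL.cloud = Cloud
com.ibm.mobile.meetings.allowUntrustedSSL.cloud = true
com.ibm.mobile.meetings.allowLibraryExport = true
"""
```

Calling `lint(SAMPLE)` returns one finding per problem, labelled with the server suffix it belongs to.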