Minimum Requirements
The following components are required at the specified minimum levels.
- MobileIron Mobile@Work application version 6.1.1 or later
- IBM Connections Meetings version 9.4.0 or later
Managed Application Management (MAM)
As described above, IBM Connections Meetings can operate in two different modes:
managed, where MobileIron Device Management is in use and manages application security, and
unmanaged, where an organization does not use MobileIron (or does not use it for managing applications). When an organization decides to deploy MobileIron, or remove it from their environment, applications must discover and switch to the new mode.
One typical case occurs when an organization has MobileIron Device Management deployed and begins to use IBM Connections Meetings. The simplest approach for managing the Meetings application is to first install the Mobile@Work client on the managed device and set up the security Labels, Policies, and Configs on the MobileIron Admin Portal. When IBM Connections Meetings is installed and starts, it will detect that MobileIron is installed and configured, and will change its behavior accordingly. This may include auto-configuring the client to use the corporate meeting servers.
If an organization deploys MobileIron after Meetings is already in use, then the next time the Meetings application starts, it will detect MobileIron and change to managed mode. In either case, you can tell if Meetings is in managed mode by looking at the "About" screen. If there is a "Managing Agent" section, then Meetings is in managed mode; if there is not, then it is in unmanaged mode.
Administration
The Labels, Policies, and Configs are managed on the MobileIron Admin Portal.
Key Features of MobileIron for Connections Meetings on iOS
When a 3rd party application such as IBM Connections Meetings incorporates the MobileIron SDK libraries, the following security features can be enabled:
- set a timeout for single sign-on login across your managed applications
- enforce device compliance checks (i.e., checks for jailbroken devices, hardware versions, etc.)
- restrict copying data to the pasteboard in managed applications
- restrict sharing of library files to a set of white-listed applications
- receive alerts of compliance violations
- automatically deliver and update policies remotely to the application container based on user and device security posture
- automatically deliver and update configuration data to the application
Behavioral differences when IBM Connections Meetings is in managed mode
When IBM Connections Meetings is in managed mode, the application:
- will not respect the mobile.* security parameters in the meeting server config file (the associated policies will be managed via the MobileIron Configuration Settings on the Admin Portal)
- will not allow user modifications of server configurations provided by the MobileIron configuration settings
Data Sharing Controls
The data leak prevention settings can be applied to Connections Meetings by enabling Data Loss Prevention Policies in the Container Policy settings of the Label assigned to the device.
The Restrict File Export settings in the persona are similar to functions available via mobile.* parms in the Connections Meeting server config file. For example, the server config parm mobile.allowLibraryExport allows administrators to restrict sharing of all library files with other apps on the device. The MobileIron Container Policy includes the same capability but at a more granular level (e.g., a white list of apps that library files can be shared with). When Connections Meetings is in managed mode in the MobileIron environment, it follows a simple rule when deciding which policy to follow: the Connections Meetings mobile.* server security config parms are ignored and the application behavior is dictated by the MobileIron persona and configuration file settings.
Data sharing, as it relates to Connections Meetings, deals with how documents in the library are handled. With iOS, data is shared between applications using the Open In action. While inside a meeting room, the user can open the library view and tap a document to display an action sheet for that document. If not restricted by the administrator, Open In will be listed as one of these actions and, when selected, will display a list of applications that are applicable to the selected document. Selecting an application in the list will share the document with that application. At this point, Connections Meetings can no longer protect the security of the document. With this in mind, an administrator can use settings in the Data Loss Prevention Policies section in the Container Policy to control the behavior of Open In:
- Never allow the Open In action by setting Allow Open In to No.
- Always allow the Open In action to any applicable application by setting Allow Open In to Yes and choosing All Apps.
- Always allow the Open In action to any AppConnect Application by setting Allow Open In to Yes and choosing AppConnect Apps.
- Only allow the Open In action to a set of trusted applications by setting Allow Open In to Yes, choosing Whitelist, and defining a white list for those trusted applications.
Data Security
In a MobileIron environment, managed apps like IBM Connections Meetings are notified by MobileIron when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance, the device has been jailbroken, the user has left the company, etc. When this happens, IBM Connections Meetings, like any other MobileIron managed application, will block the application UI and present the user with a message (determined by the administrator or MobileIron) explaining why the app is no longer available. Additionally, if required by the policy, the server configurations used by the Connections Meetings app and all local data will be erased.
Meeting Server Mobile Security policies
As mentioned above, the mobile specific security policies specified by the mobile.* parameters in the meeting server configuration file will now be managed by some aspect of MobileIron, either the data loss prevention policies or a parameter in the MobileIron configuration settings. Managed instances of the IBM Connections Meetings app will adhere to the policies set forth by MobileIron. Unmanaged apps will continue to adhere to the policy set forth by the meeting server configuration file.
Note: managed apps will still adhere to room and user policies defined by the Connections System console except in cases where the console setting is in direct conflict with a MobileIron policy. The MobileIron policy will win any conflict. In the case where the policy is managed by a parameter in the MobileIron config settings and that parameter is not specified in the MobileIron configuration settings, the policy will take on the default value. It will not in any case revert to the setting in the meetings configuration file.
The following table shows the mobile security policies that can currently be set by the meeting server configuration file, and how they will now be managed by MobileIron.
Meeting Server Configuration Parameter | How meeting server policy is managed when using MobileIron |
"mobile.allowUntrustedSSL" | server config parm Ignored - managed via the MobileIron application configuration settings |
"mobile.allowLibraryUploads" | server config parm Ignored - managed via the MobileIron application configuration settings |
"mobile.allowLibraryDownloads" | server config parm Ignored - managed via the MobileIron data security policy |
"mobile.allowLibraryExport" | server config parm Ignored - managed via the MobileIron data security policy |
"mobile.enableRoomPasswordSave" | server config parm Ignored - managed via the MobileIron application configuration settings |
"mobile.enablePasswordSave" | server config parm Ignored - managed via the MobileIron application configuration settings |
"mobile.passwordTimeout" | server config parm Ignored - managed via the MobileIron application configuration settings |
Application Specific Configuration
A key feature of the MobileIron server is the ability for an administrator to upload an application specific configuration file for each managed application. The contents of that file will be pushed to the device and made available to the managed applications at initial startup or whenever the configuration settings are changed on the Admin Portal. The configuration settings generally specify connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration file is optional but is highly encouraged so users with managed devices are up and running as soon as a managed application, such as IBM Connections Meetings, is installed and started for the first time. Please see the table below for a list of all the possible configuration parameters supported by the IBM Connections Meetings app.
In general, the IBM Connections Meetings app is self-configuring when it comes to the meeting servers. When a user attempts to join a meeting room via the Schedule Meetings View, a room URL or by entering a Connections Cloud meeting ID, the associated server will be configured automatically and the user will only be prompted for their credentials. However, it should be noted that if your meeting server is secured behind a corporate firewall and your mobile devices use an Authenticating Proxy rather than a VPN, the auto-configuration feature, in most cases, will not yield a working configuration. In this case, if a configuration file has not been provided by the administrator, the user will be required to configure the server manually.
The configuration parameters are specified as a series of key-value pairs within a Configuration Policy on the MobileIron Admin Portal. Both the key and the value are strings as shown here:
key: com.ibm.mobile.meetings.serverURL, value: https://acme.meeting.server.com:443
key: com.ibm.mobile.meetings.serverName, value: ACME Meetings Server
key: com.ibm.mobile.meetings.allowUntrustedSSL, value: false
All parameters specific to Connections Meetings have keys that start with com.ibm.mobile.meetings. Keys that start with com.ibm.mobile.meetings.appSetting are general settings that apply to the application, whereas keys that do not have the appSetting term apply to IBM Connections Meetings meeting server configurations. This key naming scheme allows an administrator to build one Configuration Policy for all IBM apps such as Traveler, Connections, Meetings and Chat. Each application will only read and process its own configuration parameters.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file then the default value for that parameter is assumed.
IBM Connections Meetings General Application Setting Configuration Parameters
Key | Value | Details |
com.ibm.mobile.meetings.appSetting.problemReportEmail | The email address where problem reports are sent. (default is heyibm@us.ibm.com) | If the client crashes, then on next restart the user will be asked if they want to send in a problem report to IBM. If they say Yes, the compose email is launched and the client logs are attached to an email to the address specified by this parameter. Some customers may want to inspect the logs before they send them in to IBM so they use this parameter to route the emails to their IT department before forwarding on to IBM. |
IBM Connections Meetings Server Configuration Parameters
Key | Value | Details |
com.ibm.mobile.meetings.serverURL | The fully qualified URL used to access the IBM Connections Meetings server.
Example: https://acme.meeting.server.com:
Note: If Cloud is used as the value, then this configuration represents the Connections Cloud Meetings server. See more about configuring the Connections Cloud Meetings server in the section following this table.
| This parameter is required for a valid meeting server configuration. It is the only parameter that does not have a default value and therefore the only parameter that actually needs to be specified in the configuration file if you are satisfied with the defaults for the other settings. The port is optional and if not specified will default to 80 for http servers and 443 for https servers. |
com.ibm.mobile.meetings.serverName | | The nickname for this server. This is how the server will be identified within the IBM Connections Meetings app on your device. |
com.ibm.mobile.meetings.allowUntrustedSSL | true or false (default is false) | This parameter determines whether or not to allow access to meeting servers secured with an untrusted SSL certificate. If true is specified, the user will still be prompted to accept the unsigned certificate. If false is specified, the connection will not be allowed. |
com.ibm.mobile.meetings.user | The ID used to sign into the meeting server (default is blank) | This parameter along with the user supplied password is used to authenticate you with the meeting server. Generally a real user id would not be specified but an administrator may use one of the following placeholder variables so the user's ID as it is known to MobileIron will be substituted in when the configuration is pushed down to the device:
$EMAIL$ - the user's email address
Example: JohnDoe@acme.com
$USERID$ - the user's user ID
Example: JohnDoe
Example: acme.com |
com.ibm.mobile.meetings.authProxyEnabled | true or false (default is false) | If your meeting server is secured behind a corporate firewall and your mobile devices do not use a VPN, you may need to configure your meeting server to connect using an authenticating proxy. In this case this value must be set to true and the authProxyUrl parameter must be specified. |
com.ibm.mobile.meetings.authProxyUrl | | This parameter is required if authProxyEnabled is set to true. There is no default value, so if it is not specified or invalid, an authenticating proxy will not be configured. The port is optional and if not specified will default to 80 for http proxies and 443 for https proxies. This parameter is ignored if authProxyEnabled is not specified as true. |
com.ibm.mobile.meetings.authProxyReuseCredentials | true or false (default is true) | True indicates that you want to use the same id and password that you have configured for the meeting server. False means the user will need to specify a different set of credentials for the proxy server. This parameter is ignored if authProxyEnabled is not specified as true. |
com.ibm.mobile.meetings.enableRoomPasswordSave | true or false (default is true) | An administrator can use this parameter to either enable or disable the user's capability to remember meeting room passwords for rooms on the associated meeting server. If the parameter is not specified or if true is specified, when a user joins a meeting room and is prompted for a room password, the user will also be presented with a "Remember password" control so they can remember the password and not be prompted to enter it each time they enter that meeting room (unless the password has changed). When false is specified, the user will not have the option to remember the password and will need to enter it each time they join the meeting room. |
com.ibm.mobile.meetings.enablePasswordSave | true or false (default is true) | An administrator can use this parameter to determine if the password credential for the associated meeting server can be saved on the device. If the parameter is not specified or if true is specified, the user's password can be saved with the meeting server configuration. If false is specified, the user will be prompted for their password when authentication occurs. The passwordTimeout parameter can be used to set how long a password can be remembered once entered so the user is not constantly prompted to enter their password. |
com.ibm.mobile.meetings.passwordTimeout | The time (in minutes) that a user's password can be remembered. (default is 720) | This parameter is only used if the enablePasswordSave parm has been set to false. When a password is needed for authentication, the time since the user last entered their password is compared with this value. If the timeout period has been exceeded, the user will be prompted for their password. If a value of -1 is specified, the timeout feature is disabled and the user will be prompted every time. |
com.ibm.mobile.meetings.allowLibraryUploads | true or false (default is true) | This parameter determines if the user can upload files, photos, etc. to a room library when connected to the associated meeting server. |
Configuring Multiple Meeting Servers using the MobileIron Configuration Settings
Some customers use more than one meeting server in their enterprise. When this is the case the server specific parameters listed in the table above can be specified with a suffix for the second server configuration as shown here:
key: com.ibm.mobile.meetings.serverURL, value: https://acme.meetings.com
key: com.ibm.mobile.meetings.serverName, value: ACME Meetings Server
key: com.ibm.mobile.meetings.allowUntrustedSSL, value: false
key: com.ibm.mobile.meetings.serverURL.test, value: https://acme.test.meetings.com
key: com.ibm.mobile.meetings.serverName.test, value: ACME Test Meetings Server
key: com.ibm.mobile.meetings.allowUntrustedSSL.test, value: true
If only one meeting server is being configured, an index is not required and the parameters can be specified as shown in the above table. All parameters for a second server should use the same index, and yet a different index for a third server and so on. Parameters with matching indexes will be taken together to create a single configuration.
Note: Client specific parameters such as com.ibm.mobile.meetings.appSetting.problemReportEmail should not be specified with an index as they only need to be specified once.
Modifying Meeting Servers
Once a meeting server has been configured using the MobileIron configuration settings, it cannot be modified via the application settings. The only exception is the user credentials. A user can change the user id, password or indicate that they want to join meetings on that particular server as a guest. If the user id is modified by the user, then subsequent configuration updates will not override the value entered by the user.
If a meeting server is configured by the MobileIron configuration settings and then is removed from the configuration file, the server will also be removed from the client configuration.
Configuring the Connections Cloud Meeting Server
All the connectivity information needed for Connections Cloud Meetings is already known by the IBM Connections Meetings mobile client. However, the administrator may still want to manage the behavior of the client when using Connections Cloud meeting rooms. This can be accomplished by specifying a configuration for the Connections Cloud Meeting server in the MobileIron Configuration settings. Using a serverUrl value of Cloud will indicate that a Connections Cloud Meetings server should be configured. As an example, if an administrator wants to configure the Connections Cloud Meetings server but does not want the user to be able to save room passwords, the following configuration could be used:
com.ibm.mobile.meetings.serverURL = Cloud
com.ibm.mobile.meetings.enableRoomPasswordSave = false
The actual Connections Cloud data center used with this configuration will be determined by the com.ibm.mobile.meetings.user parameter. If this parameter is not specified, the user will be prompted for credentials on first use of the Connections Cloud meeting server. If a user provides a user Id, it will determine the data center. If the user chooses guest access then the meeting room being joined will determine the data center.
It should be noted that once a serverUrl of Cloud has been specified, the following connectivity related configuration parameters for that server will be ignored if they are specified:
com.ibm.mobile.meetings.serverName
com.ibm.mobile.meetings.allowUntrustedSSL
com.ibm.mobile.meetings.authProxyEnabled
com.ibm.mobile.meetings.authProxyUrl
com.ibm.mobile.meetings.authProxyReuseCredentials
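
The index grouping, table defaults and Cloud rules described above, as an added example (not IBM or MobileIron code): a check an administrator could run over a Configuration Policy's key-value pairs before uploading it. It assumes keys and the Cloud value are matched case-sensitively and that boolean values are the strings true and false; the sample policy, its host names and its index names are constructed.

```python
PREFIX = "com.ibm.mobile.meetings."
# Defaults as listed in the parameter table on this page.
DEFAULTS = {"allowUntrustedSSL": "false", "authProxyEnabled": "false",
            "authProxyReuseCredentials": "true", "enableRoomPasswordSave": "true",
            "enablePasswordSave": "true", "passwordTimeout": "720",
            "allowLibraryUploads": "true"}
SERVER_KEYS = set(DEFAULTS) | {"serverURL", "serverName", "user", "authProxyUrl"}
# Connectivity parameters the page lists as ignored when serverURL is Cloud.
CLOUD_IGNORED = {"serverName", "allowUntrustedSSL", "authProxyEnabled",
                 "authProxyUrl", "authProxyReuseCredentials"}
SAMPLE = {PREFIX + k: v for k, v in {  # constructed sample, hypothetical hosts
    "serverURL": "https://acme.meetings.com",
    "serverURL.test": "https://acme.test.meetings.com",
    "allowUntrustedSSL.test": "true", "passwordTimeout.test": "30",
    "serverURL.cloud": "Cloud", "serverName.cloud": "Cloud Meetings",
    "authProxyEnabled.proxy": "true",
    "appSetting.problemReportEmail": "it-help@acme.example",
}.items()}


def group_servers(policy):
    """Group server parameters by index suffix; '' is the un-indexed server."""
    servers, unknown = {}, []
    for key, value in policy.items():
        name, _, index = key[len(PREFIX):].partition(".")
        if not key.startswith(PREFIX) or name == "appSetting":
            continue  # another app's key, or a client-wide setting (not indexed)
        if name in SERVER_KEYS:
            servers.setdefault(index, {})[name] = value.strip()
        else:
            unknown.append(key)  # e.g. a mistyped name that would fall to defaults
    return servers, unknown


def audit(policy):
    """Return (effective settings per index, [(index or key, message), ...])."""
    servers, unknown = group_servers(policy)
    effective, findings = {}, [(key, "unrecognized key") for key in unknown]
    for index, given in sorted(servers.items()):
        if not given.get("serverURL"):
            findings.append((index, "serverURL missing, not a valid configuration"))
            continue
        cfg = {**DEFAULTS, **given}  # unspecified parameters take the defaults
        if given["serverURL"] == "Cloud":
            findings += [(index, f"{k} is ignored for Cloud")
                         for k in sorted(CLOUD_IGNORED & set(given))]
            cfg = {k: v for k, v in cfg.items() if k not in CLOUD_IGNORED}
        else:
            if cfg["allowUntrustedSSL"] == "true":
                findings.append((index, "allowUntrustedSSL is true"))
            if cfg["authProxyEnabled"] == "true" and not given.get("authProxyUrl"):
                findings.append((index, "authProxyEnabled without authProxyUrl"))
        if "passwordTimeout" in given and cfg["enablePasswordSave"] != "false":
            findings.append((index, "passwordTimeout unused unless enablePasswordSave is false"))
        effective[index] = cfg
    return effective, findings


if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```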