The IBM Sametime Meetings application on iOS has the ability to be managed by MaaS360 Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MaaS360 Device Management, then you can skip this article. IBM Sametime Meetings will continue to run normally in environments that are not managed by MaaS360.
The following components are required at the specified minimum levels.
Managed Application Management (MAM)
- Fiberlink MaaS360 v2.6
- IBM Sametime Meetings for iOS version 9.2.0 or later
As described above, IBM Sametime Meetings can operate in two different modes: managed, where MaaS360 Device Management is in use and manages application security, and unmanaged, where an organization does not use MaaS360 (or does not use it for managing applications). When an organization decides to deploy MaaS360, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has MaaS360 Device Management deployed and begins to use IBM Sametime Meetings. The simplest approach for managing the Meetings application is to first install the MaaS360 client on the managed device and set up the security policies and personas on the MaaS360 server. When IBM Sametime Meetings is installed and starts, it will detect that MaaS360 is installed and configured, and will change its behavior accordingly. This may include auto-configuring the client to use the corporate meeting servers.
If an organization deploys MaaS360 after Meetings is already in use, then the next time the Meetings application starts, it will detect MaaS360 and change to managed mode. In either case, you can tell whether Meetings is in managed mode by looking at the "About" screen. If there is a "Managing Agent" section, Meetings is in managed mode; if there is not, it is in unmanaged mode.
The Policies, Users, and Devices managed by the MaaS360 server are administered online at http://portal.fiberlink.com. See the MaaS360 MDM Admin Guide for more details on how to use this web-based console.
Key Features of MaaS360 for Sametime Meetings on iOS
When a 3rd party application such as IBM Sametime Meetings incorporates the MaaS360 SDK libraries, the following security features can be enabled:
- set a timeout for single sign-on login across your managed applications
- enforce device compliance checks (i.e., checks for jailbroken devices, etc.)
- restrict copy and paste to unmanaged applications
- allow sharing of library files based on file extension
- restrict sharing of library files to a set of white-listed applications
- receive alerts of compliance violations
- automatically deliver and update policies remotely to the application container based on user and device security posture
- automatically deliver and update configuration data to the application
Behavioral differences when IBM Sametime Meetings is in managed mode
When IBM Sametime Meetings is in managed mode, the application:
- will not respect the mobile.* security parameters in the meeting server config file (the associated policies will be managed via the MaaS360 Configuration File)
- may be affected by certain MaaS360 policy restrictions such as use of the microphone or camera
- will not allow user modifications of server configurations provided by the MaaS360 configuration file
- has not integrated MaaS360's screen-shot restrictions. It is possible for the user to capture an image of sensitive information displayed by the IBM Sametime Meetings application.
Data Sharing Controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to Sametime Meetings by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.
The Restrict File Export settings in the persona are similar to functions available via the mobile.* parameters in the Sametime Meeting server config file. For example, the server config parameter mobile.allowLibraryExport allows administrators to restrict sharing of all library files with other apps on the device. The MaaS360 persona includes the same capability but at a more granular level (e.g., which file types can be shared and a white list of apps that library files can be shared with). When Sametime Meetings is in managed mode in the MaaS360 environment, it follows a simple rule when deciding which policy to follow: the Sametime Meetings mobile.* server security config parameters are ignored and the application behavior is dictated by the MaaS360 persona and configuration file settings.
Data sharing, as it relates to Sametime Meetings, deals with how documents in the library are handled. With iOS, data is shared between applications using the Open In action. While inside a meeting room, the user can open the library view and tap a document to display an action sheet for that document. If not restricted by the administrator, Open In will be listed as one of these actions and, when selected, will display a list of applications that are applicable to the selected document. Selecting an application in the list will share the document with that application. At this point, Sametime Meetings can no longer protect the security of the document. With this in mind, an administrator can use settings in the Security section of the MaaS360 WorkPlace Persona to control the behavior of Open In:
- Never allow the Open In action by setting the Restrict File Export policy to Yes.
- Always allow the Open In action to any applicable application by setting the Restrict File Export policy to No.
- Only allow the Open In action to a set of trusted applications by setting the Restrict File Export policy to Yes and defining a white list for those trusted applications.
Administrators can also allow Open In for a specific set of file extensions. If the user selects a library document having one of these extensions, Open In will be allowed regardless of the white list.
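The Open In decision described above, modelled as an added example (this is not IBM or MaaS360 code): the persona's Restrict File Export setting, its white list and its allowed-extension list are combined exactly as the three bullets and the extension rule state. The `FileExportPolicy` field names are this example's own, not MaaS360 API names, and the app identifiers used below are constructed.

```python
# Added example, not IBM/MaaS360 code: models the Open In decision made
# under a MaaS360 WorkPlace Persona's Restrict File Export settings.
import os
from dataclasses import dataclass, field


@dataclass
class FileExportPolicy:
    """Persona settings; field names are this example's own assumption."""
    restrict_file_export: bool                       # "Restrict File Export" = Yes/No
    whitelist: frozenset = field(default_factory=frozenset)            # trusted app identifiers
    allowed_extensions: frozenset = field(default_factory=frozenset)   # e.g. {".pdf"}


def open_in_allowed(policy: FileExportPolicy, filename: str, target_app: str) -> bool:
    """Return True if the library document may be shared with target_app via Open In."""
    ext = os.path.splitext(filename)[1].lower()
    # Restrict File Export = No: Open In to any applicable application.
    if not policy.restrict_file_export:
        return True
    # Extension exception: allowed regardless of the white list.
    if ext and ext in policy.allowed_extensions:
        return True
    # Restrict File Export = Yes: only white-listed apps (an empty list blocks all).
    return target_app in policy.whitelist


def open_in_targets(policy: FileExportPolicy, filename: str, candidate_apps) -> list:
    """Filter the apps iOS would offer down to those the persona permits."""
    return [app for app in candidate_apps if open_in_allowed(policy, filename, app)]


if __name__ == "__main__":
    # Constructed sample: trusted notes app, untrusted mail app.
    trusted_only = FileExportPolicy(True, frozenset({"com.example.notes"}))
    print(open_in_targets(trusted_only, "budget.xlsx",
                          ["com.example.notes", "com.example.mail"]))
```

`open_in_targets` is the view the user would see in the action sheet after the policy has been applied; an empty list corresponds to the first bullet (Open In never offered).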
In a MaaS360 environment, managed apps like IBM Sametime Meetings are notified by MaaS360 when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance or has been jailbroken, the user has left the company, etc. When this happens, IBM Sametime Meetings, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) explaining why the app is no longer available. Additionally, if required by the policy, the server configurations used by the Sametime Meetings app and all local data will be erased.
Meeting Server Mobile Security policies
As mentioned above, the mobile-specific security policies specified by the mobile.* parameters in the meeting server configuration file will now be managed by some aspect of MaaS360, either the data security policies or a parameter in a MaaS360 configuration file. Managed instances of the IBM Sametime Meetings app will adhere to the policies set forth by MaaS360. Unmanaged apps will continue to adhere to the policy set forth by the meeting server configuration file.
Note: managed apps will still adhere to room and user policies defined by the Sametime System console except in cases where the console setting is in direct conflict with a MaaS360 policy. The MaaS360 policy will win any conflict. In the case where the policy is managed by a parameter in the MaaS360 config file and that parameter is not specified in the MaaS360 configuration file, the policy will take on the default value. It will not in any case revert to the setting in the meetings configuration file.
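The precedence rule just stated (server mobile.* parameters ignored in managed mode, MaaS360 defaults used when the configuration file omits a parameter, never a fallback to the server file) is easy to get wrong when reasoning about a deployment, so here it is as an added example resolver. This is not IBM or MaaS360 code; the mapping of each policy to its MaaS360 source and the defaults are taken from the tables on this page, and the `data_security` mapping is a constructed stand-in for the persona's data security policy values.

```python
# Added example, not IBM/MaaS360 code: resolves the effective value of a
# mobile.* security policy for a Sametime Meetings client under the
# precedence rules this article describes.

# Where each policy is managed once MaaS360 manages the app (from the table on this page).
MANAGED_BY = {
    "mobile.allowUntrustedSSL": "config_file",
    "mobile.allowLibraryUploads": "config_file",
    "mobile.allowLibraryDownloads": "data_security_policy",
    "mobile.allowLibraryExport": "data_security_policy",
    "mobile.enableRoomPasswordSave": "config_file",
    "mobile.enablePasswordSave": "config_file",
    "mobile.passwordTimeout": "config_file",
}

# Defaults assumed when the MaaS360 configuration file omits the parameter
# (values from the server parameter table on this page).
CONFIG_FILE_DEFAULTS = {
    "mobile.allowUntrustedSSL": False,
    "mobile.allowLibraryUploads": True,
    "mobile.enableRoomPasswordSave": True,
    "mobile.enablePasswordSave": True,
    "mobile.passwordTimeout": 720,
}


def maas_config_key(policy: str) -> str:
    """mobile.X -> com.ibm.mobile.meetings.X (the key naming used in the config file)."""
    return "com.ibm.mobile.meetings." + policy.split(".", 1)[1]


def effective_policy(policy, managed, server_config, maas_config=None, data_security=None):
    """
    policy        -- a mobile.* parameter name
    managed       -- True when MaaS360 manages the app
    server_config -- mobile.* parameters from the meeting server config file
    maas_config   -- parsed MaaS360 application configuration file (key -> value)
    data_security -- constructed stand-in: MaaS360 data security policy values keyed by mobile.* name
    """
    if policy not in MANAGED_BY:
        raise KeyError(f"not a mobile security policy: {policy}")
    if not managed:
        # Unmanaged app: the meeting server configuration file applies.
        return server_config.get(policy)
    # Managed app: the server config parm is ignored entirely, never used as a fallback.
    if MANAGED_BY[policy] == "data_security_policy":
        return (data_security or {}).get(policy)
    return (maas_config or {}).get(maas_config_key(policy), CONFIG_FILE_DEFAULTS[policy])


if __name__ == "__main__":
    # Constructed sample: the server file allows untrusted SSL, MaaS360 does not.
    server = {"mobile.allowUntrustedSSL": True, "mobile.passwordTimeout": 60}
    maas = {"com.ibm.mobile.meetings.allowUntrustedSSL": False}
    for mode in (False, True):
        print("managed" if mode else "unmanaged",
              effective_policy("mobile.allowUntrustedSSL", mode, server, maas),
              effective_policy("mobile.passwordTimeout", mode, server, maas))
```

Note the `passwordTimeout` case in the sample: the server file says 60 minutes, the MaaS360 file says nothing, and the managed client still ends up with the 720-minute default rather than 60.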
The following table shows the mobile security policies that can currently be set by the meeting server configuration file, and how they will now be managed by MaaS360.
|Meeting Server Configuration Parameter|How the meeting server policy is managed when using MaaS360|
|---|---|
|mobile.allowUntrustedSSL|Server config parm ignored; managed via the MaaS360 application configuration file|
|mobile.allowLibraryUploads|Server config parm ignored; managed via the MaaS360 application configuration file|
|mobile.allowLibraryDownloads|Server config parm ignored; managed via the MaaS360 data security policy|
|mobile.allowLibraryExport|Server config parm ignored; managed via the MaaS360 data security policy|
|mobile.enableRoomPasswordSave|Server config parm ignored; managed via the MaaS360 application configuration file|
|mobile.enablePasswordSave|Server config parm ignored; managed via the MaaS360 application configuration file|
|mobile.passwordTimeout|Server config parm ignored; managed via the MaaS360 application configuration file|
Application Specific Configuration
A key feature of the MaaS360 server is the ability for an administrator to upload an application specific configuration file for each managed application. The contents of that file will be pushed to the device and made available to the managed applications at initial startup or whenever the running app is brought back to the foreground. A configuration file generally specifies connectivity parameters for one or more enterprise servers as well as other parameters that may control how the application behaves in a managed environment. Using a configuration file is optional but is highly encouraged so users with managed devices are up and running as soon as a managed application, such as IBM Sametime Meetings, is installed and started for the first time. Please see the table below for a list of all the possible configuration parameters supported by the IBM Sametime Meetings app.
In general, the IBM Sametime Meetings app is self-configuring when it comes to the meeting servers. When a user attempts to join a meeting room via the Schedule Meetings View, a room URL or by entering a SmartCloud meeting ID, the associated server will be configured automatically and the user will only be prompted for their credentials. However, it should be noted that if your meeting server is secured behind a corporate firewall and your mobile devices use an Authenticating Proxy rather than a VPN, the auto-configuration feature, in most cases, will not yield a working configuration. In this case, if a configuration file has not been provided by the administrator, the user will be required to configure the server manually.
The configuration parameters are specified as a series of key-value pairs and the extension of the file must be .txt. Both the key and the value are strings as shown here:
com.ibm.mobile.meetings.serverURL = https://acme.meeting.server.com:443
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
All parameters specific to Sametime Meetings have keys that start with com.ibm.mobile.meetings. Keys that start with com.ibm.mobile.meetings.appSetting are general settings that apply to the application, whereas keys that do not have the appSetting term apply to Sametime meeting server configurations. This key naming scheme allows an administrator to build one MaaS360 configuration file for all IBM apps such as Traveler, Connections, Meetings and Chat. Each application will only read and process its own configuration parameters.
The complete list of supported parameters is as follows. If a parameter is not specified in a configuration file then the default value for that parameter is assumed.
Sametime Meetings General Application Setting Configuration Parameters
|Parameter|Value|Description|
|---|---|---|
|com.ibm.mobile.meetings.problemReportEmail|The email address where problem reports are sent (default is email@example.com)|If the client crashes, then on next restart the user will be asked if they want to send a problem report to IBM. If they say Yes, the compose email is launched and the client logs are attached to an email to the address specified by this parameter. Some customers may want to inspect the logs before they send them to IBM, so they use this parameter to route the emails to their IT department before forwarding them on to IBM.|
Sametime Meetings Server Configuration Parameters
|Parameter|Value|Description|
|---|---|---|
|com.ibm.mobile.meetings.serverURL|The fully qualified URL used to access the Sametime Meetings server. Note: if Cloud is used as the value, then this configuration represents the SmartCloud Sametime Meetings server; see the section on configuring the SmartCloud meeting server following this table.|This parameter is required for a valid meeting server configuration. It is the only parameter that does not have a default value and therefore the only parameter that actually needs to be specified in the configuration file if you are satisfied with the defaults for the other settings. The port is optional and, if not specified, will default to 80 for http servers and 443 for https servers.|
|com.ibm.mobile.meetings.serverName|A text string (default is the server domain). Example: ACME Meeting Server|The nickname for this server. This is how the server will be identified within the Sametime Meetings app on your device.|
|com.ibm.mobile.meetings.allowUntrustedSSL|true or false (default is false)|This parameter determines whether or not to allow access to meeting servers secured with an untrusted SSL certificate. If true is specified, the user will still be prompted to accept the unsigned certificate. If false is specified, the connection will not be allowed.|
|com.ibm.mobile.meetings.user|The ID used to sign in to the meeting server (default is blank)|This parameter, along with the user-supplied password, is used to authenticate the user with the meeting server. Generally a real user ID would not be specified; instead an administrator may use one of the following placeholder variables so that the user's ID as it is known to MaaS360 is substituted when the configuration is pushed down to the device: %email% (the user's email address), %username% (the user's user ID), %domain% (the user's domain). Note: the configuration file uploaded to MaaS360 must have an extension of .txt or the above placeholders will not be supported and replaced with the appropriate values.|
|com.ibm.mobile.meetings.authProxyEnabled|true or false (default is false)|If your meeting server is secured behind a corporate firewall and your mobile devices do not use a VPN, you may need to configure your meeting server to connect using an authenticating proxy. In this case this value must be set to true and the authProxyUrl parameter must be specified.|
|com.ibm.mobile.meetings.authProxyUrl|The fully qualified URL used to access the authenticating proxy.|This parameter is required if authProxyEnabled is set to true. There is no default value, so if it is not specified or is invalid, an authenticating proxy will not be configured. The port is optional and, if not specified, will default to 80 for http proxies and 443 for https proxies. This parameter is ignored if authProxyEnabled is not specified as true.|
|com.ibm.mobile.meetings.authProxyReuseCredentials|true or false (default is true)|True indicates that you want to use the same ID and password that you have configured for the meeting server. False means the user will need to specify a different set of credentials for the proxy server. This parameter is ignored if authProxyEnabled is not specified as true.|
|com.ibm.mobile.meetings.enableRoomPasswordSave|true or false (default is true)|An administrator can use this parameter to either enable or disable the user's capability to remember meeting room passwords for rooms on the associated meeting server. If the parameter is not specified or if true is specified, when a user joins a meeting room and is prompted for a room password, the user will also be presented with a "Remember password" control so they can remember the password and not be prompted to enter it each time they enter that meeting room (unless the password has changed). When false is specified, the user will not have the option to remember the password and will need to enter it each time they join the meeting room.|
|com.ibm.mobile.meetings.enablePasswordSave|true or false (default is true)|An administrator can use this parameter to determine if the password credential for the associated meeting server can be saved on the device. If the parameter is not specified or if true is specified, the user's password can be saved with the meeting server configuration. If false is specified, the user will be prompted for their password when authentication occurs. The passwordTimeout parameter can be used to control how long a password can be remembered once entered, so the user is not constantly prompted to enter their password.|
|com.ibm.mobile.meetings.passwordTimeout|The time (in minutes) that a user's password can be remembered (default is 720)|This parameter is only used if the enablePasswordSave parm has been set to false. When a password is needed for authentication, the time since the user last entered their password is compared with this value. If the timeout period has been exceeded, the user will be prompted for their password. If a value of -1 is specified, the timeout feature is disabled and the user will be prompted every time.|
|com.ibm.mobile.meetings.allowLibraryUploads|true or false (default is true)|This parameter determines if the user can upload files, photos, etc. to a room library when connected to the associated meeting server.|
Configuring Multiple Meeting Servers using the MaaS360 Configuration file
Some customers use more than one meeting server in their enterprise. When this is the case the server specific parameters listed in the table above can be specified with a suffix for the second server configuration as shown here:
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
com.ibm.mobile.meetings.serverURL.test = https://acme.test.meetings.com
com.ibm.mobile.meetings.serverName.test = ACME Test Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
If only one meeting server is being configured, an index is not required and the parameters can be specified as shown in the table above. All parameters for a second server should use the same index, a different index for a third server, and so on. Parameters with matching indexes will be taken together to create a single configuration.
Note: Client specific parameters such as com.ibm.mobile.meetings.problemReportEmail should not be specified with an index as they only need to be specified once.
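The key-naming rules spread over the last few sections (the com.ibm.mobile.meetings prefix, the appSetting term, the index suffix for additional servers, the defaults table, the required serverURL, and the %email%/%username%/%domain% placeholders that MaaS360 fills in only for .txt uploads) are pulled together in the following added example, a small parser an administrator could run over a configuration file before uploading it. This is not IBM or MaaS360 code: the `MaaS360User` fields are this example's assumption about what identity MaaS360 knows for the device user, the sample file is constructed from the examples in this article, and problemReportEmail is treated as a client-wide key because this article lists it as one.

```python
# Added example, not IBM/MaaS360 code: parse and validate a MaaS360 configuration
# file for IBM Sametime Meetings on iOS, grouping server parameters by index suffix.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

PREFIX = "com.ibm.mobile.meetings."
APP_PREFIX = PREFIX + "appSetting."
CLIENT_KEYS = {"problemReportEmail"}   # client-wide keys this article names without appSetting

# Defaults from the server parameter table; serverURL has none and is required.
SERVER_DEFAULTS = {
    "serverName": None,          # resolved to the server domain below
    "allowUntrustedSSL": False,
    "user": "",
    "authProxyEnabled": False,
    "authProxyUrl": None,
    "authProxyReuseCredentials": True,
    "enableRoomPasswordSave": True,
    "enablePasswordSave": True,
    "passwordTimeout": 720,
    "allowLibraryUploads": True,
}


@dataclass
class MaaS360User:
    """Identity MaaS360 knows for the device user (field names are an assumption)."""
    email: str
    username: str
    domain: str


def _coerce(value: str):
    """'true'/'false' become bools, integers become ints, anything else stays a string."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if re.fullmatch(r"-?\d+", low):
        return int(low)
    return value


def parse_config(text: str, user: MaaS360User = None, filename: str = "config.txt"):
    """Return (app_settings, servers); servers is keyed by index suffix ('' = the unindexed server)."""
    substitute = user is not None and filename.lower().endswith(".txt")
    app_settings, servers = {}, {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue                                  # blank or malformed line
        key, value = (s.strip() for s in raw.split("=", 1))
        if substitute:                                # MaaS360 substitutes only for .txt uploads
            value = (value.replace("%email%", user.email)
                          .replace("%username%", user.username)
                          .replace("%domain%", user.domain))
        if key.startswith(APP_PREFIX):
            app_settings[key[len(APP_PREFIX):]] = _coerce(value)
        elif key.startswith(PREFIX):
            name, _, index = key[len(PREFIX):].partition(".")
            if name in CLIENT_KEYS:
                app_settings[name] = _coerce(value)  # specified once; any index is ignored
            else:
                servers.setdefault(index, {})[name] = _coerce(value)
        # keys for other IBM apps (Traveler, Connections, Chat) are not ours: ignored
    for index, cfg in servers.items():
        if "serverURL" not in cfg:
            raise ValueError(f"server configuration '{index or '<unindexed>'}' has no serverURL")
        for name, default in SERVER_DEFAULTS.items():
            cfg.setdefault(name, default)
        if cfg["serverName"] is None:                 # default nickname is the server domain
            cfg["serverName"] = urlparse(cfg["serverURL"]).hostname or cfg["serverURL"]
        if cfg["authProxyEnabled"] and not cfg["authProxyUrl"]:
            cfg["authProxyEnabled"] = False           # no valid proxy URL: proxy not configured
    return app_settings, servers


# Constructed sample, modelled on the examples in this article.
SAMPLE_CONFIG = """
com.ibm.mobile.meetings.serverURL = https://acme.meeting.server.com:443
com.ibm.mobile.meetings.serverName = ACME Meetings Server
com.ibm.mobile.meetings.allowUntrustedSSL = false
com.ibm.mobile.meetings.user = %email%
com.ibm.mobile.meetings.serverURL.test = https://acme.test.meetings.com
com.ibm.mobile.meetings.allowUntrustedSSL.test = true
com.ibm.mobile.meetings.passwordTimeout.test = 30
com.ibm.mobile.meetings.authProxyEnabled.test = true
com.ibm.mobile.meetings.problemReportEmail = email@example.com
com.ibm.mobile.traveler.serverURL = https://traveler.example.com
"""

if __name__ == "__main__":
    app, servers = parse_config(SAMPLE_CONFIG, MaaS360User("jdoe@example.com", "jdoe", "example.com"))
    print(app)
    for index, cfg in servers.items():
        print(index or "<default>", cfg["serverName"], cfg["serverURL"], cfg["user"])
```

Running it on the sample shows the two behaviours that most often surprise administrators: the `.test` server inherits nothing from the unindexed server (it gets the table defaults, not the first server's values), and a placeholder such as %email% is left literally in place when the file is not uploaded with a .txt extension.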
Modifying Meeting Servers
Once a meeting server has been configured using the MaaS360 configuration file, it cannot be modified via the application settings. The only exception is the user credentials. A user can change the user ID or password, or indicate that they want to join meetings on that particular server as a guest. If the user ID is modified by the user, then subsequent configuration updates will not override the value entered by the user.
If a meeting server is configured by the MaaS360 configuration file and then is removed from the configuration file, the server will also be removed from the client configuration.
Configuring the SmartCloud Meeting Server
All the connectivity information needed for SmartCloud Meetings is already known by the Sametime Meetings mobile client. However, the administrator may still want to manage the behavior of the client when using SmartCloud meeting rooms. This can be accomplished by specifying a configuration for the SmartCloud server in the MaaS360 Configuration file. Using a serverURL value of Cloud indicates that a SmartCloud server should be configured. As an example, if an administrator wants to configure the SmartCloud server but does not want the user to be able to save room passwords, the following configuration could be used:
com.ibm.mobile.meetings.serverURL = Cloud
com.ibm.mobile.meetings.enableRoomPasswordSave = false
The actual SmartCloud data center used with this configuration will be determined by the com.ibm.mobile.meetings.user parameter. If this parameter is not specified, the user will be prompted for credentials on first use of the SmartCloud meeting server. If a user provides a user ID, it will determine the data center. If the user chooses guest access, then the meeting room being joined will determine the data center.
It should be noted that once a serverURL of Cloud has been specified, the following connectivity-related configuration parameters for that server will be ignored if they are specified: