Microsoft Office Groove Server Groove Manager. Domain Administrator's Guide


Microsoft Office Groove Server 2007 Groove Manager Domain Administrator's Guide

Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Copyright 2006 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Office Excel, Office InfoPath, Office Outlook, Office PowerPoint, Office Word, and Windows SharePoint Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Table of Contents

Copyright
Overview of Groove Domain Administration
  Domain Architecture
  Groove Manager Domain Functionality
  Groove User Management
  User and Device Policy Setting
  Relay Server Provisioning
  Domain Administration and Role Assignment
  Password/Smart Card Login Reset and Data Recovery
  Groove Account Backup
  Groove Usage Monitoring
  Groove Client Auditing
  The Groove Manager Domain Administration Guide
Getting Started
  Before You Begin
  Accessing the Administrative Web Site
  Accessing the Groove Manager Administrative UI
  Groove Manager Administrative UI Overview
  Getting Help
  Changing Administrative Preferences
  Setting Up a Groove Management Domain
Managing Groove Domains
  Overview of Management Domains
  Viewing and Editing Management Domain Properties
  Configuring Management Domain Affiliation
  Changing Reset/Recovery Private Keys and Key Locations
  Setting Up Cross-Domain Certification
  PKI Basics
  Cross-Certifying Management Domains
  Migrating Users to Another Domain
  Before You Begin
  Automatically Migrating Users to Another Domain
  Manually Migrating Users to Another Domain
  Adding, Editing, and Deleting Templates
  Creating Groove Manager Templates
  Editing Groove Manager Templates
  Deleting Groove Manager Templates
  Editing Administrator Roles
Managing Groove Users
  Overview of Groove User Management
  Managing Domain Member Groups
  Adding Groups
  Viewing Domain Groups
  Viewing and Editing Group Properties
  Viewing Group Members
  Deleting a Group
  Adding Groove Users to a Domain
  Adding an Individual Member to a Domain Group
  Adding Multiple Members from an .xml File
  Adding Multiple Members from a .csv File
  Importing Members from a Directory
  Enabling Groove Account Configuration
  About Distributing Account Configuration Codes
  Sending an Account Configuration Code from Groove Manager
  Sending an Account Configuration Code Via Personal Distribution
  Provisioning Managed Groove Users
  Provisioning Domain Groups
  Provisioning Domain Members
  Viewing Domain Members
  Viewing and Editing Domain Member Information
  Finding Domain Members
  Moving Domain Members to Another Group
  Exporting Domain Members
  Disabling and Enabling Domain Members
  Disabling Domain Members
  Enabling Domain Members
  Deleting Domain Members
  Purging Member Relay Queues
  Creating an LDAP Search String
  Initiating Client Contact With a Groove Manager
Managing Identity Policies
  Overview of Identity Policies
  Creating Identity Policy Templates
  Changing Identity Policy Templates
  Changing Identity Policy Templates for a Group
  Changing Identity Policy Templates for a Group Member
  Editing Policy Template Names
  Cloning Policy Templates
  Deleting Policy Templates
  Viewing and Editing Identity Policies
  Automatically Managing Devices During Account Configuration or Logon
  Requiring Managed Devices
  Controlling Identity Publication
  Backing Up and Restoring User Account Data
  Backing Up Account Data
  Restoring Account Data
  Controlling Login Credential Reset and Data Recovery
  Login Credential Reset vs. Limited Data Recovery
  Selecting a Login Credential Reset Policy
  Resetting Groove Login Credentials
  Before You Begin
  Automatic Reset of Groove Login Credentials
  Manual Reset of Groove Login Credentials
  Client Login Credential Reset
  Customizing Reset Instructions
  Setting Up Data Recovery on Managed User Devices
  Managing User Interaction with Unknown Identities
  Verified or Certified vs. Unknown Groove Identities
  Setting Up a User Verification Policy
  Setting a Groove Version Requirement
  Specifying Enterprise PKI Certificates
  Setting Time Limit on Valid PKI Certificates
  Blocking Files of Specific Types
  Member Policies
  Security Policies
Managing Device Policies
  Overview of Device Policies
  Registering User Devices with the Groove Manager
  Overview of Device Registration
  Registering Devices in a Management Domain
  Stopping Device Management
  Creating Device Policy Templates
  Changing Device Policy Templates
  Changing Device Policy Templates for a Group
  Changing Device Policy Templates for a Group Member
  Administering Device Templates
  Viewing and Editing Device Policies
  Preventing Multiple Accounts on a Managed Device
  Preventing Account Import
  Requiring Managed Domain Devices for Managed Domain Members
  Setting Groove Login Password Policies
  Setting Smart Card Login Policies
  Controlling Messenger Integration
  Controlling Groove Directory Searches
  Locking Out Accounts
  Setting Strong Private Key Protection
  Controlling Direct Access to Remote Web Services
  Controlling Groove Tool Usage on Managed Devices
  Restricting Tool Usage
  Tool Usage Recovery After Restriction is Removed
  Limiting Groove Bandwidth Usage for Devices
  Overview of Groove Bandwidth Policy
  Setting Groove Bandwidth Limit
  Enabling Groove Client Auditing
  Account Policies
  Client Policies
  Security Policies
  Groove Audit Policies
Managing Groove Relay Servers
  Overview of Relay Server Provisioning
  Adding a Relay Server to the Groove Manager
  Adding a Relay Server Set to a Domain
  Adding Relay Servers to a Set
  Editing Relay Server Set Names
  Viewing Domain Relay Servers
  Viewing Relay Servers in a Set
  Changing Relay Server Sets
  Changing Relay Server Sets for a Group
  Changing Relay Server Sets for a Group Member
  Reordering Relay Servers in a Set
  Deleting Relay Servers from a Domain
  Deleting Relay Servers from a Set
  Deleting Relay Server Sets
  Editing Relay Server Properties
  Locking out and Re-enabling an Onsite Relay Server
Viewing Groove Domain Reports
  Viewing Reports
  Filtering Reports
  Exporting Reports
  Domain Reports
  Audit Log
  Member Activity
  Groove Usage - Member
  Groove Usage - Tool
  Groove Usage - Workspace
  Detailed Reports
  Sample Report Filters
  Show Audit Log for a User During Past Week
  Show Audit Log for Administrator in Date Range
  Show Most-Used Tools
  Show Members Whose Accounts Have Never Been Backed Up
  Show Members Who Used Groove Since the Last Backup Date
  Show Members with Managed Accounts on Multiple Devices
Domain-Level Troubleshooting
  Domain Administration Problems
  Groove User Problems
  Data Recovery Problems
Glossary
Appendix A. Password Reset and Data Recovery (Groove 3.0e or Earlier)
  Controlling Login Credential Reset and Data Recovery (for Groove version 3.0e or earlier)
  Resetting Groove Login Credentials for Managed Devices (for Groove 3.0e or earlier)
  Administering Centralized Reset of Login Credentials
  Client Reset of User Login Credentials
  Customizing Reset Instructions for Managed Devices (for Groove 3.0e or earlier)
  Setting Up Data Recovery on Managed Devices (for Groove 3.0e or earlier)
  Data Recovery Fundamentals
  Recovering User Data (using the Data Recovery Tool)
Appendix B. Setting Component Policies (Groove 3.1 or Earlier)
  Component Policy Basics
  Customizing Component Installation Policies
  Deleting Component Installation Policies
  Managing Groove Platform Upgrades
  Prevent Platform Upgrade
  Allow Platform Upgrade To Current Version
  Allow Platform Upgrade To Interim Version
  Allow Platform Upgrade But No New Tools
  Groove Component Versions (from 2.0a to 3.1)
Appendix C. Managing Groove Product Licenses (Groove 3.1 or Earlier)
  Overview of License Provisioning
  Adding Groove Licenses to a Domain
  Adding a License Set to a Domain
  Adding Groove Domain Licenses to a Set
  Editing License Set Names
  Viewing Domain Licenses
  Viewing Licenses in a Set
  Viewing License Information
  Changing License Sets
  Changing License Sets for a Group
  Changing License Sets for a Group Member
  Deleting Licenses from a Domain
  Deleting Licenses from a Set
  Deleting License Sets
  Distributing Licenses to Unmanaged Users
  Viewing Licenses from Unmanaged Users
  Revoking Licenses from Unmanaged Users
  Adding More Seats to a License Package
  Using the Enterprise License Pack
Index

Overview of Groove Domain Administration

The Microsoft Office Groove Server 2007 Manager is a Web-based application for managing Microsoft Office Groove. The Office Groove Server 2007 Manager runs on servers installed at an enterprise site. Enterprises can also procure comparable functionality via Microsoft Office Groove Enterprise Services.

Groove clients and administrators communicate with the Groove Server Manager Web site via respective interfaces. The client interface allows the Groove application to access policies and designated relay servers, and to report Groove usage statistics. The administrative interface, secured by its underlying IIS configuration, allows administrators to perform the following tasks for a defined management domain:

- Assemble Groove users (utilizing onsite corporate directories if integrated with an onsite Groove Manager).
- Define Groove usage and security policies, including account backup scheduling.
- Provision Groove users with Groove Relays (the Groove Relay component of an onsite Office Groove Server or comparable functionality accessed via Groove Enterprise Services).
- View Groove event reports.
- Audit Groove client activities (if the Groove Manager, with the Audit option, is installed onsite).

This overview provides summary information on the following topics:

- Domain Architecture
- Groove Manager Domain Functionality
- The Groove Manager Domain Administration Guide

Domain Architecture

The Groove Server Manager (Groove Manager, henceforth) administrative interface is the interactive component of the server Web site. From this interface, administrators can manage Groove users within a management domain, set Groove usage and device policies, and assign relay servers within the organizational unit of a management domain. The management domain is defined during Groove Manager installation or Groove Enterprise Service registration and is accessible from a Web browser.

The Groove Manager's domain administration interface consists of a navigation pane, a display window, and a set of tabs and tools that lets administrators perform tasks associated with a selected item in the navigation tree. The navigation tree consists of the elements described in the following table:

| Navigation Tree Hierarchy | Description |
|---|---|
| Domain | Management domain defined on the server. A domain consists of member groups, policy templates, and relay server sets. |
| Member groups and subgroups | Pages for creating member groups and for creating, editing, or deleting domain member contact information. |
| Identity Policy Templates | Pages for adding, editing, and deleting collections of identity policies, including: Member policies, Security policies. |
| Device Policy Templates | Pages for adding, editing, and deleting collections of device policies, including: Account policies, Client policies, Security policies, Audit Server policies (onsite installations only). |
| Relay Server Sets | Pages for adding, configuring, and removing sets of relay servers. |
| Legacy License Management (for Groove 3.1 or earlier) | For version 3.1 or earlier Groove clients only. Pages for adding, configuring, and removing sets of licenses. These pages appear only if the option to support version 3.1 (and earlier) client licensing is selected on the Domain Properties page. |

Groove Manager Domain Functionality

The Groove Manager enables centralized control of Groove usage from a server administrator-defined management domain. Supported by a SQL database that stores most of its data, the Groove Manager helps maintain productive workflow and collaboration. Administrators connect to the Groove Manager through a dedicated Web interface to set Groove usage and security policies, provision Groove users with relay servers, generate Groove usage reports, and perform other tasks essential to managing Groove use on a corporate scale.

Groove clients periodically contact the Groove Manager to receive provisioning updates and report usage information. The following sections briefly describe the scope of domain management tasks that can be conducted from Groove Enterprise Services or onsite Groove Managers:

- Groove User Management
- User and Device Policy Setting
- Relay Server Provisioning
- Domain Administration and Role Assignment
- Password/Smart Card Login Reset and Data Recovery
- Groove Account Backup
- Groove Usage Monitoring
- Groove Client Auditing

Groove User Management

Groove users must each have a managed identity in a Groove Manager domain in order to be provisioned with usage and security policies, and relay servers. If administrators need to set policies on Groove devices, as well as user policies, they can also register the Groove user devices in a Groove Manager domain. The following sections briefly describe both aspects of user administration:

- User Management
- Device Management

User Management

The Groove management process begins with adding user contact information to a domain group defined on the Groove Manager. This can be accomplished most efficiently by integrating a corporate directory server (such as an Active Directory server) with the Groove Manager. If directory integration is not suitable, domain administrators can enter user information manually, from an .xml or a .csv file, or by importing it from a corporate directory.

Once domain population is complete, an automated process can be set up to silently configure managed Groove accounts on Groove client devices when prospective domain members start Groove. Alternatively, administrators can distribute account configuration codes to prospective domain members, who then apply these codes to their Groove accounts upon startup. Configuring managed Groove accounts on client devices results in the creation of a managed, provisioned identity for each domain member.

Device Management

An important aspect of managing Groove users is managing the devices they use for work. Managed devices are subject to specific security policies, such as password creation rules, while unmanaged devices are not. Device management involves the distribution of Groove account, client, security, and audit policies to devices defined for managed identities.

Devices running Groove must be registered with the Groove Manager in order to be managed and subject to device policies. Registration is accomplished via an identity policy set prior to account configuration, or by downloading a Groove Manager registry key to individual devices associated with managed domain members. Once the device registry is updated with the management key, the device becomes subject to device policies obtained automatically from the Groove Manager upon Groove startup, upon login/logoff, and periodically thereafter.

User and Device Policy Setting

The Groove Manager provides templates of default usage and security policies that apply to domain group members and any associated devices that are registered on the server. Administrators can modify the policies set in these templates or create new templates, then apply the templates to designated management domain groups or users. These policies apply only to managed Groove users and devices - those defined on the Groove Manager as belonging to a specific management domain group. Policies do not affect unmanaged Groove users. The following sections summarize the policy options in each category:

- Identity Policies
- Device Policies

Identity Policies

User identity policy templates cover the following aspects of Groove use:

- Member policies, including client account backup scheduling, control of identity publication, and restriction of managed identity use to managed devices in the domain.
- Security policies, including control of peer authentication behavior, login credential reset, and Groove's default list of blocked file attachments.

Device Policies

User device policy templates cover the following aspects of Groove use:

- Account policies, including restriction of managed device use to managed identities in the domain, and control of multiple account creation and account import.
- Client policies, including control of Messenger integration and restriction of Groove tool usage.
- Security policies, including control of password or smart card login, account lockout behavior, and Web services availability.
- Audit Server policies, including audit event selection and periodicity (option available for Groove Manager only).

Relay Server Provisioning

Relay servers are a fundamental part of Microsoft Office Groove peer-to-peer communications. In a managed environment, dedicated relay servers, installed onsite at an enterprise or engaged through Groove Enterprise Services, help ensure timely, uninterrupted message and data transfer between Groove peers, regardless of their location or status (online or offline) on the network.

Once an enterprise has installed at least one relay server onsite or procured Groove Enterprise Services, administrators can define a relay server on the Groove Manager and assign it to specific management domain groups or users.

Domain Administration and Role Assignment

A management domain, defined by a server administrator, is the top-level management unit on the server. Each domain consists of user groups and subgroups, as well as a collection of user and device policy templates, and relay server sets. Administrators can view Groove usage reports, and add, edit, or delete Groove Manager templates for their domains. In addition, if the Groove Manager administrator has enabled Role Based Access Control (RBAC) on the server, domain administrators can define roles for peer administrators.

Password/Smart Card Login Reset and Data Recovery

In the event that a managed user forgets a Groove password or smart card login, resetting the user's password or smart card login credentials may be necessary. To prepare for this eventuality, the domain (or server) administrator can set an identity policy that allows for reset proceedings.

The Groove Manager supports two centralized approaches to resetting a user passphrase or smart card login. One approach allows the Groove Manager to automatically respond to user requests for login credential resets. The other is an administrator-driven approach where administrators respond to individual user requests for login credential reset, by verifying user identity and granting (or denying) the request; if the request is granted, users can reset their own password without further administrative involvement.

In addition, the Groove Manager provides a utility that domain administrators can use to access data that would otherwise be irretrievable without the user's password (for instance, when a user is removed from a management domain). Groove data that is normally stored encrypted with the managed user's password, known only to that user, is also encrypted with the administrator's public key. The data recovery tool enables the domain administrator to use a corresponding private key to recover the device owner's Groove data or reset the user password.

Groove Account Backup

The Groove Manager lets administrators set an identity policy that enables automatic Groove account backup at specified intervals for users in a selected domain. Backed up information includes user identity information, contact and workspace lists, and domain management settings. Without a backup system in effect, lost or corrupted Groove account data is irretrievable.
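The recovery design described under Password/Smart Card Login Reset and Data Recovery above (account data encrypted under the user's password and also to the administrator's public key) can be sketched as follows. This is an added example, not Groove's code or storage format: the envelope layout, the function names, and the choice of AES-256-GCM, RSA-OAEP and PBKDF2 with these parameters are all assumptions made for illustration.

```javascript
'use strict';
const nodeCrypto = require('node:crypto');

// Assumed parameters for this example (not taken from Groove).
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const ITERATIONS = 200000; // PBKDF2-HMAC-SHA256 work factor

// AES-256-GCM with a fresh 12-byte nonce; returns nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverses seal(); throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function passwordKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Administrator's reset/recovery key pair; the private half stays with the administrator.
function newRecoveryKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Seal the data under a random data key, then wrap that key twice:
// once under the user's password and once to the administrator's public key.
function protect(data, password, adminPublicKey) {
  const dataKey = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  return {
    salt,
    userWrapped: seal(passwordKey(password, salt), dataKey),
    adminWrapped: nodeCrypto.publicEncrypt({ key: adminPublicKey, ...OAEP }, dataKey),
    ciphertext: seal(dataKey, Buffer.from(data)),
  };
}

// Normal path: the password unwraps the data key.
function userOpen(envelope, password) {
  const dataKey = unseal(passwordKey(password, envelope.salt), envelope.userWrapped);
  return unseal(dataKey, envelope.ciphertext).toString();
}

function adminDataKey(envelope, adminPrivateKey) {
  return nodeCrypto.privateDecrypt({ key: adminPrivateKey, ...OAEP }, envelope.adminWrapped);
}

// Recovery path: no password involved, only the administrator's private key.
function adminRecover(envelope, adminPrivateKey) {
  return unseal(adminDataKey(envelope, adminPrivateKey), envelope.ciphertext).toString();
}

// Reset path: re-wrap the same data key under a new password. The bulk
// ciphertext and the admin-wrapped copy are left untouched.
function resetPassword(envelope, adminPrivateKey, newPassword) {
  const salt = nodeCrypto.randomBytes(16);
  const dataKey = adminDataKey(envelope, adminPrivateKey);
  return { ...envelope, salt, userWrapped: seal(passwordKey(newPassword, salt), dataKey) };
}

// True if fn throws (used to show which paths are rejected).
function fails(fn) {
  try { fn(); return false; } catch { return true; }
}

function demo() {
  const admin = newRecoveryKeyPair();
  const sample = 'contacts + workspace list (constructed sample)';
  const env = protect(sample, 'old password', admin.publicKey);
  const reset = resetPassword(env, admin.privateKey, 'new password');
  return {
    forgottenPasswordFails: fails(() => userOpen(env, 'wrong guess')),
    adminRecovered: adminRecover(env, admin.privateKey),
    newPasswordWorks: userOpen(reset, 'new password'),
    oldPasswordFails: fails(() => userOpen(reset, 'old password')),
    otherKeyFails: fails(() => adminRecover(env, newRecoveryKeyPair().privateKey)),
  };
}

console.log(demo());
```

In a design like this, whoever holds the recovery private key can open every envelope wrapped to it, so where that key is stored and who can reach it matters as much as any user's password.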
Groove Usage Monitoring

When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, Groove workspaces, and Groove tools being used. Administrators can view Groove usage statistics via the Groove Manager administrative Web site. Usage statistics include the amount of time domain members spend in a particular workspace or using a specific tool. Audit log reports are also available that log domain events, such as the addition of a new group to a domain.

Groove Client Auditing

If the Groove client auditing feature is part of the Groove Manager installation and Groove devices are registered with the Groove Manager, a device policy can require managed Groove clients to log user activities. Groove Manager device policies specify which Groove events are tracked and uploaded to Groove Manager databases. Client audit logs are collected into a database on a SQL server, and from those logs administrators can generate formatted reports using third-party reporting tools, such as Crystal Reports. Note that Groove client auditing is available for onsite Groove Manager installations only; it is not available through Microsoft-hosted Groove Enterprise Services.

The Groove Manager Domain Administration Guide

This Groove Manager Domain Administration portion of the Help provides instructions for managing Groove domains and users, whether from an onsite server or via Groove Enterprise Services. This Domain Administration portion of the Help covers the following topics:

| Topic | Content |
|---|---|
| Overview | Describes use of domains defined on Groove Managers to oversee and control Groove use in an enterprise. |
| Getting Started | Provides a recommended procedure for setting up Groove users and devices at an enterprise. |
| Managing Groove Domain | Provides instructions for configuring Groove management domains and domain administrator roles. |
| Managing Groove Users | Provides instructions for creating domain member groups, provisioning managed users, and administering Groove usage. |
| Setting Groove Identity Policies | Provides instructions for customizing Groove user policies. |
| Setting Groove Device Policies | Provides instructions for customizing Groove device policies. |
| Managing Groove Relay Servers | Provides instructions for provisioning managed Groove users with Groove Relay servers. |
| Monitoring Groove Usage | Provides instructions for accessing and reading Groove usage reports. |
| Domain-level Troubleshooting | Lists common problems related to management domains and suggests ways to address them. |
| Glossary | Defines terms used in this Guide. |
| Appendices | Provide information in support of previous Groove Manager versions. |

Getting Started

The Groove Server Manager, subsequently called Groove Manager, enables you to set up a system for effectively managing the use of Microsoft Office Groove in an enterprise. The following sections provide preliminary and instructional information for setting up a Groove domain:

- Before You Begin
- Accessing the Administrative Web Site
- Setting Up a Groove Management Domain

Before You Begin

Review the following checklist before accessing the Groove Manager administrative Web site. For each category, confirm the following:

- Groove Manager or Groove Enterprise Services access: URL of the Groove Manager Web site is available, depending on your setup:
  - If Groove Manager is installed at your site as part of the Office Groove Server: Ensure that the Groove Manager software is installed on your system as described in the Groove Manager Server Administration portion of the Help, and note the URL of the Groove Manager administrative Web site on that server.
  - If you access Groove Manager via Groove Enterprise Services, note the URL of your company's Groove Manager administrative Web site.
- Browser on administrative PC: Internet Explorer (IE) 6.0 (or later) is running on the administrative PC, with the following settings in place:
  - JavaScript, Cookies, and Forms are enabled
  - Minimum Screen Resolution: 1024 by 768 pixels
  - Maximum Display DPI Setting: Normal size (96 DPI)
- Microsoft Office Groove clients: Groove version 3.0 (or later) is installed on end-user computers. (Groove 2007 is recommended for full feature functionality.)
- Groove Relay server: If your management system includes at least one onsite Groove Server Relay (subsequently called Groove Relay), the Groove Relay is installed and configured as described in the Groove Relay Administrator's Guide included with the Groove Relay application.
- LDAP server: If your user contact information originates from a corporate directory server, your Groove Manager administrator has defined and configured the directory server on your Groove Manager, as described in the Groove Manager Server Administration portion of the Help. Note that directory server integration is possible only if a Groove Manager is installed at your site.
- Permissions: You have full access to the domain portion of the administrative Web site. If your server administrator has enabled Role Based Access Control, you must have the role of Server Administrator or Domain Administrator. Some options may not be available to you if you have any other role.
- Login credentials: You know your login name and password for the Groove Manager, if required. If you are using the Groove Manager, this information is determined by your company's Web site authentication system. If you are using Groove Enterprise Services, this information is determined by login requirements of your Groove Enterprise Services Web site.
- Device management: You have considered the possibility of Groove user device management. Device management lets you set various Groove usage and security policies, including those governing Groove login. For information about device management, see Overview of Device Policies.
- Expertise: As a domain administrator, you have the following expertise:
  - General Groove use
  - User account management
  - Software usage and security policies
  - Software usage monitoring
  - Understanding of basic functionality provided by the Groove Manager. For more information, see the Overview of Groove Domain Administration.

Accessing the Administrative Web Site

The sections below provide instructions for accessing and using the Groove Manager administrative Web site:

- Accessing the Groove Manager Administrative UI
- Groove Manager Administrative UI Overview
- Getting Help
- Changing Administrative Preferences

Accessing the Groove Manager Administrative UI

To access the Groove Manager administrative user interface (UI), do the following:

1. From an administrative PC, open an IE Web browser that meets the requirements specified in Before You Begin.
2. If you are accessing a local Groove Manager from your own site, go to the URL of the Groove Manager, defined by the Groove Manager administrator. If you are accessing the Groove Enterprise Services Manager Web site, go to the appropriate URL, then register and set up your initial domain according to the instructions.
3. Log in to the Groove Manager using your administrator login name and password (determined by your company's Web site authentication scheme if you are using the Groove Manager). The Groove Manager home page appears, as described in Groove Manager Administrative UI Overview.

You are now ready to begin populating a server domain group with members and provisioning those members, as described in subsequent sections of this Help. For information about how to get online Help at any time, see Getting Help. For information about changing administrative preferences, see Changing Administrative Preferences.

Groove Manager Administrative UI Overview

The Groove administrative user interface consists of a domain list on the left and a main window. The Web page has the following characteristics, which may vary, depending on the role your server administrator has assigned to you:

- Main window - Reflects the current selection in the navigation pane, and includes a set of tabs. When the management domain is selected, a set of domain tabs appears: Reports, , and Roles, with the Reports tab in the foreground.
- Toolbar - Appears at the top of the main window and displays icons appropriate for the task being performed on the current tab.
- Navigation tree - Appears in the left pane and displays the management domain or domains defined on this server. Selecting a domain displays the items described in the following table:

| Domain Constituents | Description |
|---|---|
| Members | A top-level group for managing domain members and groups that you define. |
| Identity Policy Template | A container of templates for managing domain identity policies, including a Default template. |
| Device Policy Template | A container of templates for managing domain device policies, including a Default template. |
| Relay Server Set | A container of templates for managing Groove Relay servers or services, including a default set. |

Getting Help

To get help using Management Services, follow these guidelines:

- Click the Help link in the upper left of a Groove Manager administrative Web page to access Groove Manager online Help.

Changing Administrative Preferences

You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

To edit administrative preferences, follow these steps:

1. Go to the Groove Manager administrative Web interface and click the Preferences link at the top of the current page. An image of your left navigation pane appears in the dialog box.
2. To change the default number of list items that appear on any list page, select a number from the Default number of items to display drop-down box. The initial default setting is to display 25 items per page.
3. To select a start (home) page, select an item from the Start Page tree. The selected page appears when you start the Groove Manager administrative Web interface.
4. Click OK. Your changes should take effect immediately.

Setting Up a Groove Management Domain

A domain is the top-level management unit of Groove deployment on the Groove Manager. It contains one or more groups of Groove users (domain members). Your Groove Manager administrator creates domains; you or anyone with management domain-level permissions (if Role Based Access Control is configured on your server) can manage the domain.

The procedure below outlines the basic steps necessary to create a user management system, following a recommended sequence. Where necessary, you can link to other sections of the guide that provide more detail. You may want to begin by performing a trial run with a sample user base and minimal customization.

Note: If Role Based Access Control (RBAC) is configured on your server, administrators with limited roles (roles other than Server or Domain administrator) may not be able to see certain pages or fields discussed in this guide. RBAC and initial administrator roles are set by the Groove Manager administrator as part of the Groove Manager installation and configuration process. However, domain administrators can edit the roles of domain-level or limited domain-level administrators, as described in Editing Administrator Roles.

To add Groove users to a Groove management domain and provision them with policies and relay servers, follow this basic recommended procedure:

1. Make sure that Groove is installed on user devices (or that users have access to Groove for installation).
2. Start the Groove Manager server (if onsite), and log into the Groove Manager administrative Web site, as described in Accessing the Administrative Web Site. At least one domain appears in the navigation tree in the pane to the left of the main window.

3. In the navigation pane, click the domain to expand it and view the following items:
   - Members group
   - Identity Policy Templates
   - Device Policy Templates
   - Relay Server Sets
   If a message appears, referring you to a server or domain administrator for domain access, ask the appropriate administrator to assign you an administrative role with at least domain-level permissions. Then continue with this procedure.
4. Consider customizing the default identity policy template in the domain by clicking Identity Policy Templates to expand it, then clicking the Default template. Initial default policies are usually based on minimal security requirements. For details about editing identity policies, see Viewing and Editing Identity Policies. Important identity policies to consider include the following:

   Important Identity Policies and How to Set Them

   Automatically manage client devices upon Groove account configuration - Registering devices with the Groove Manager allows you to set domain device policies that control Groove password entry, client auditing, and other important device-based activities. Setting this policy automatically registers Groove user devices with the Groove Manager when Groove users configure their managed Groove accounts. This is the most efficient way to register Groove devices in a domain. Set this recommended policy if your administrative environment allows. For more information about this policy, see Automatically Managing Devices During Account Configuration or Logon. If you do not set an identity policy for automatic device configuration, you can register each device that you want to manage with the Groove Manager by downloading the device management registry key from the Groove Manager to a client-accessible location (select the default device policy template in the navigation pane, then select Download Device Management Key in the toolbar). Then copy the key to each client device. For instructions and general information about registering devices, see Registering User Devices with the Groove Manager.

   Allow for Groove password reset and data recovery - Set the relevant identity Security Policies as needed, as described in Resetting Groove Login Credentials.

   Schedule automatic backup of domain member accounts - Set the relevant identity Member Policy as needed, as described in Backing Up and Restoring User Account Data.

5. Consider customizing the default device policy template in the domain by clicking Device Policy Templates, then clicking the Default template. Initial default policies are usually based on minimal security requirements. For details about editing device policies, see Viewing and Editing Device Policies. Important device policies to consider include the following:

   Important Device Policies* and How to Set Them

   Set up Groove client password or smart card login controls - Set the relevant device Security Policies as needed, as described in Setting Groove Login Password Policies and Setting Smart Card Login Policies.

   Enable Groove client auditing - Consult your Groove Manager server administrator to ensure that the Groove client Auditing feature is configured at your site, then set the relevant device Audit Policies as needed, as described in Enabling Groove Client Auditing.

   *To enact any device policies, make sure you installed device registry keys on each user device, as described earlier in this procedure.

6. If you manage users who are running Groove Virtual Office 3.1 or earlier, add Groove licenses to a domain license set, as described in Appendix C. Managing Groove Product Licenses (Groove 3.1 or Earlier).
7. If the Groove Manager is installed onsite at your organization, add Groove Relay servers to the domain. Add the Groove Relay servers by selecting Relay Server Sets for the domain, clicking the Relay Servers tab, then clicking Add Relay Server in the toolbar and entering the required information. For detailed instructions about adding relay servers to a Groove Manager domain, see Adding a Relay Server to the Groove Manager.
8. To enter user contact information in the domain, if your server manager has not already performed this step using a corporate directory server, select Members in the navigation pane and select Add Members in the toolbar, then follow the instructions in the Add Members Wizard. See Adding Groove Users to a Domain for detailed instructions about adding Groove members.
   Members is the default top-level domain group, to which the default policy templates and relay server sets apply. You can add sub-groups and provision users with other templates and relay server sets, as described in Managing Groove Users.
   If user data has already been integrated with Groove Manager member groups from a corporate directory server, skip this step and proceed to the next step.
   If, when you click the Members group, a domain setup window appears requesting password information, type the required information in the fields. See Private Key Name in the Groove Manager Server Administration portion of the Help for information about these fields.
9. Send managed account configuration codes to Groove users, as described in Enabling Groove Account Configuration. If your server administrator has set up Auto-Account Configuration, Groove users will receive their managed account configuration codes automatically and you can skip this step.

Once the account configuration code is installed in a user's Groove software, Groove will authenticate the user and create a managed identity based on the associated user information.

To perform various domain management tasks, use the domain tabs, described in the following table:

Domain Tabs and Descriptions

Reports - Allows you to view Groove usage reports for users, workspaces, and tools in the selected domain, as described in Viewing Reports.

Allows you to add, edit, and delete Groove Manager templates for the selected domain, as described in Adding, Editing, and Deleting Templates.

Roles - Allows you to configure domain-level administrator roles, as described in Editing Administrator Roles.

Managing Groove Domains

Management domains are organizational units defined in the Groove Manager. The following sections provide information about the ongoing administration of Groove management domains defined on the Groove Manager. The following topics cover domain-based tasks:

- Overview of Management Domains
- Viewing and Editing Management Domain Properties
- Configuring Management Domain Affiliation
- Changing Reset/Recovery Private Keys and Key Locations
- Setting Up Cross-Domain Certification
- Migrating Users to Another Domain
- Adding, Editing, and Deleting Templates
- Editing Administrator Roles

Overview of Management Domains

Management domains are organizational units that contain templates of identity and device policies, and sets of Groove Relay servers that can be provisioned to Groove users once they become domain members. Groove Manager server administrators create domains, as described in the Groove Manager Server Administration portion of the Help. Each domain has one top-level group, within which you can add other groups and subgroups. See Managing Domain Member Groups for more information about groups.

Adding Groove user information to domain groups makes them domain members. If a server administrator has not completed domain configuration, you will be prompted to provide the necessary information before you can add domain members.

Clicking the name of a fully configured domain in the navigation pane of the Groove Manager administrative Web interface displays tabs where you perform basic domain-level tasks, as described in the table below.

Domain Tabs and Descriptions

Reports - Allows you to view Groove usage reports for domain members, workspaces, and tools, as described in Viewing Reports.

Allows you to add, edit, and delete domain templates, as described in Adding, Editing, and Deleting Templates.

Roles - Allows you to configure domain-level administrator roles, as described in Editing Administrator Roles.

For specific information about initial domain configuration, see Setting Up a Groove Management Domain.

Viewing and Editing Management Domain Properties

Your Groove Manager server administrator creates management domains. You, or anyone with a server or domain administrator role in an RBAC-supported environment (as described in Editing Administrator Roles), can view domain information and edit a domain's configurable properties.

To edit management domain properties, follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click Domain Properties in the toolbar. The Domain Settings page appears.
3. From the Domain Settings page, edit the fields shown in the following table as necessary, then click OK:

Domain Settings Fields and Descriptions

Domain Name - Specifies the name of the domain. The Groove Manager supplies an initial domain name, which you can edit as needed.

Contact - Specifies the address of the contact administrator for the domain.

Description - Specifies an optional description of the domain.

Certificate Authority (CA) name - Information only. Appears if the Groove PKI option is selected. Displays the CA name assigned to the domain by the server administrator during domain creation, if Groove PKI is the chosen identity authentication system.

When displaying a member's domain affiliation, show: - Determines the level of information displayed in domain members' Groove contact information, as follows:
   Domain only - Displays each managed user's name, followed by the management domain of which the user is a member.
   Domain and group - Displays each managed user name, followed by the management domain/group/subgroup... of which the user is a member.
   For more information about setting up domain affiliation, see Configuring Management Domain Affiliation.
   Default: Domain only

Support license management for Groove Virtual Office clients version 3.1 and earlier - Enables administrative interface features that allow you to manage licenses of management domain members who are running Groove version 3.1 or earlier. See Appendix C. Managing Groove Product Licenses (Groove 3.1 or Earlier) for more information about this property.

Number of days that members can be inactive before being removed from the domain's contact directory - The number of days that members can be inactive before being removed from the domain's contact directory. A member is considered inactive when not logged into Groove.
   Default: 15

Number of days that devices can be inactive before being removed from domain - The number of days of Groove device inactivity after which the Groove Manager removes domain member devices from device lists. A device is considered inactive when not running Groove. If a domain member logs back into Groove on a removed device, the device is re-instated in the domain upon contact with the Groove Manager. Entering a value of 0 specifies that devices will not be removed from device lists after any period of inactivity.
   Default:

4. To change login credential reset (or data recovery) settings, click the Password Settings tab and edit the fields described in the Password Settings Fields table, then click Apply to apply settings without saving, and OK to save.
5. To cross-certify another domain, click the Cross Domain Certification tab and edit the fields described in the Cross Domain Certification Fields (available for Groove PKI only) table as necessary, then click Apply to apply settings without saving, and OK to save.
6. To set up automated domain migration, click the Advanced Settings tab and edit the field described in Automatically Migrating Users to Another Domain as necessary, then click Apply to apply settings without saving, and OK to save.

Configuring Management Domain Affiliation

The Groove Manager Domain Properties page lets you control how domain members appear in Groove contact lists. By default, the domain member's name appears, followed by the associated domain; no group information is included. The affiliation setting applies to the entire management domain and all groups in the domain.

To configure management domain affiliation, follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the Domain Properties button. The Domain Settings page appears.
3. From the Domain Settings page, edit the domain affiliation fields, as described in the Domain Settings Fields table.
4. Click OK.

Changing Reset/Recovery Private Keys and Key Locations

The device template Domain Properties page lets you change password/smart card login private keys and key locations. Default key names include the key creation date to help distinguish keys on the Groove Manager.

To replace the private key for password/smart card login reset and data recovery, follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Select Domain Properties in the toolbar. The Domain Settings tab appears.
3. Click the Password Settings tab. The login reset page appears, displaying various settings, depending on the current reset configuration for this domain template.
4. Edit the settings according to your requirements, using the Password Settings Fields table as a guide.
5. To change the reset/recovery private key location from a specified file to a Groove Manager directory, click the Save Key on Server button on the Domain Settings page. A Save Key on Server pop-up window appears.
   To change the private key location from the Groove Manager to a specified directory and file, click the Move Key to File button on the Domain Settings page. A Save pop-up window appears where you specify a file location for the private key, then click OK.
6. From the Save Key on Server pop-up window, browse to the target file location on the Groove Manager, enter a private key password, and click OK.
   To change the private key location from the Groove Manager to a specified file, enter a file location in the text box and click OK. This removes the key from the Groove Manager and places it in the specified location on your network.
7. To replace the private key, click the Change Key button. A new private key with a default name that includes the date will be added to the Groove Manager or specified file location.
8. If the key is stored on the Groove Manager and you want to change the private key password, click the Change Password button.
9. Click OK.

Make sure to keep labeled copies of reset/recovery private keys in a known secure location. You may need access to these old private keys (for example, if you need to recover client data but the client has an older version of the data recovery certificate).

Password Settings Fields and Descriptions

Save Copy - Appears if the password/smart card reset private key file is stored on the server. Lets you copy the password/smart card reset private key from the Groove Manager to a specified file on your network. Clicking this button displays a standard Save dialog box where you can browse to a target directory location on your network.

Save Password on Server - Appears if the password/smart card reset private key file is stored in a specified file. Lets you change the storage location for the password/smart card reset private key from a network location to the Groove Manager. Clicking this button displays a pop-up window with the key name, a browse box to enter the source directory location, and a prompt for the private key password, along with an option to remember the password.

Don't Save Password - Appears if the automatic password reset option is set, which involves saving the login reset password on the Groove Manager. Lets you stop saving the login reset password on the server, thus blocking the automatic password reset option. If after clicking OK you need to reverse this setting and save the password on the server, return to this page and click Save Password on Server.

Move - Appears if the login reset private key file is stored on the Groove Manager and automatic login reset is not the selected reset option. Lets you change the storage location for the password/smart card reset private key from the Groove Manager to a specified file on your network. Clicking this button displays a standard Save dialog box where you can browse to a target directory location on your network. Note that moving the private key to a file deletes it from the Groove Manager.

Download data recovery tool for Groove Workspace version - For use with Groove 3.1 or earlier. Lets you select the version of Groove for which you want to download a user data recovery tool. This tool allows you to access managed user data when a user has left the company or forgotten a password (providing that device security policies allow). As of Groove 2007, the Data Recovery Administration Tool (DRAT.exe) is included in the Groove client installation. Clicking the Download button displays a pop-up window that lets you download and install the Data Recovery Administration Tool (DRAT.exe) for the specified Groove version to the current device or to a specified directory location. You install the DRAT.exe file on the Groove client device where you intend to restore Groove data. See Setting Up Data Recovery on Managed User Devices for detailed information about recovering Groove data.
   Default: 3.0

Change Password - If the password/smart card login reset private key resides on the Groove Manager, this button lets you change the private key password. Clicking the button displays a pop-up window that lets administrators specify and confirm a new password for the password/smart card reset private key.
   Note: If you do not know the old private key password that you want to change, contact your server administrator.

Change Key - Generates another password/smart card reset private key on the Groove Manager or in a designated directory location, as specified in this Domain Settings page. The new private key has a default name that includes the date, distinguishing it from previous keys.

Setting Up Cross-Domain Certification

The Groove Manager's cross certification feature lets you extend trusted collaboration beyond a single management domain, to other management domains that may or may not belong to your organization. The Groove Manager and Groove clients rely on an identity authentication scheme called Public Key Infrastructure (PKI) to support cross certification for management domains that are configured to use native Groove PKI. Cross-domain certification does not apply in the context of external enterprise PKI.

Setting up cross certification requires that two administrators from different domains, both of which use Groove PKI as their identity authentication scheme, exchange and cross-register domain certificates (certificate files that contain public keys that identify one domain to another). Once cross certification has occurred, Groove contact lists use text color to distinguish Groove users from the cross-certified domain. Note that this process does not prevent certified and uncertified Groove users from communicating but simply informs users of the certification status of their contacts. You can strengthen security by setting an identity policy that controls how certified users in your domain interact with uncertified users, as described in Managing User Interaction with Unknown Identities.

This section provides the following information and procedures:

- PKI Basics
- Cross-Certifying Management Domains

PKI Basics

Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies, and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification). Understanding the role of PKI in software management involves the following basic terms:

Certification Authority (CA) - An authority that Groove users trust to create and issue certificates that contain public keys. In a managed Groove environment, the Groove Manager is the certificate authority. As such, it creates and manages the certificates for managed Groove users.

Certificate - A data structure containing a domain or Groove user's public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected by Groove.

Server administrators stipulate native Groove PKI or external Enterprise PKI for the managed environment during management domain creation. Third-party enterprises may implement PKI differently than Groove. If Groove PKI is the selected user authentication system for the domain, the Groove Manager and Groove client implement PKI according to the following process:

1. The server administrator generates a PKI certificate during Groove Manager domain creation.
2. User identity information is added to the Groove Manager domain, from an Active Directory server or by administrator action.
3. Managed Groove accounts are configured on Groove client devices, and a public key with associated identity information is returned to the Groove Manager, either through an automated process or via a domain administrator who sends account configuration codes and associated identity information to Groove users who then enter the account configuration codes in Groove.
4. The Groove Manager generates and signs each user certificate with the domain's certificate (using the domain's private key to bind the user's public key to the user's identity information). The Groove Manager then sends to each domain member the appropriate signed user certificate, giving each user a managed identity with domain membership.

In the context of Groove PKI, if Groove validates a contact's management domain (for example, if the Groove user is a member of the contact's domain), text color distinguishes contacts as follows:

- Contact belongs to the same organization as the user, under either of the following conditions:
  - Contact is in the same domain as the user.
  - Contact is in a domain that has been cross-certified with the user's domain and is in the same organization.
- Contact is from an outside organization whose domain has been cross-certified with the user's domain (according to the procedure outlined below in Cross-Certifying Management Domains).

Again, third-party enterprises distinguish users as their PKI implementation dictates.

Certified users (both Groove or enterprise PKI environments) are marked in the following places in the Groove client user interface:

- Contacts tab in the Groove launchbar
- Contact Properties window
- Member List
- Notifier, whenever a contact name is displayed, such as when a message is received
- Send Message and Send Invitation windows in the From field, when reading a message or invitation
- Send Message and Send Invitation windows in the To field, when sending a message or invitation to a single user
- Add more contacts list
- Message History
- Contact search

When a Groove user moves the mouse over a contact, Groove checks if the contact belongs to the user's management domain and, if so, displays its authentication status and domain. In addition, the contact's domain and digital fingerprint appear in the Groove contact Properties window. If a contact is not already certified, a user can manually verify the person by right-clicking the contact name to display a Verify Identity window, then contacting the individual outside of Groove (by phone, for example), verifying the associated digital fingerprint, and selecting the check box option to indicate that verification took place.

Cross-Certifying Management Domains

The following procedure shows how to set up cross-domain certification between two domains, both of which use Groove PKI identity authentication, specified during domain creation. This process has two parts: you send your domain certificate to the administrator of an external domain so that external domain members can establish trust with your domain, and you import a certificate from the external domain. You can also set up cross certification in one direction only; Domain A can trust Domain B without Domain B trusting Domain A.

Note: Cross certification is appropriate only when administrators from cooperating domains trust each other, to the extent of securely maintaining proper bindings between each other's user public keys and contact information.

This section provides instructions for the following tasks:

- Exchanging Domain Certificates
- Viewing Cross-Certified Domains
- Deleting Cross-Certified Domains

Exchanging Domain Certificates

Cross-domain certification, and the following procedure, apply only in the context of Groove PKI, not third-party, enterprise PKI. To utilize cross-domain management, you must add users to a domain or group to make them managed. For information about adding users, see Adding Groove Users to a Domain.

Note: You can cross-certify a foreign domain only if it has a different domain name than yours. Domain names must be unique. If you discover duplicate domain names, this condition must be corrected by assigning properly registered DNS names.
To exchange certificates and set up mutual cross-domain trust with an administrator from a remote domain (in a Groove PKI setting), follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Select Domain Properties in the toolbar. The Domain Settings page appears.
3. Make sure that the Groove PKI identity authentication option is selected. If it is not, this procedure will have no effect. The PKI setting is specified during domain creation and cannot be changed.
4. If Groove PKI is selected for the domain, click the Cross Domain Certification tab. This page allows you to cross-certify another domain. You can use the Cross Domain Certification Fields (available for Groove PKI only) table to see details about these fields.

5. Click the Export Certificate button to export the certificate (containing the domain public key) for the local domain (DomainA). A File Download pop-up window appears.
6. Click the Save option, then click OK. A Save As pop-up window appears.
7. Accept the path and default name of <domainname>.cer (in this case DomainA.cer) or edit them, then click OK. This saves the local domain certificate file in a local directory. This is the file that each administrator sends the other in order to set up cross-domain management.
8. Go to the location of your local DomainA certificate file, copy the file, and send it via e-mail or Groove to the administrator of the remote domain (DomainB, for example).
9. Request the remote DomainB administrator to send you the DomainB certificate by performing the procedure just described.
10. When you receive a certificate from the remote DomainB administrator, save it in a directory on your local computer.
11. Authenticate the remote domain (DomainB, for example) as follows:
    a. Contact the remote DomainB administrator by telephone or in person and make sure that you trust the person whom you are contacting.
    b. View the certificate you received by opening the Windows Certificate Viewer, double-clicking the domainnameb.cer file, and checking the certificate's digital fingerprint (the certificate's hash or thumbprint as shown in the Windows Certificate Viewer). Ask the remote administrator to do the same and to report the fingerprint. It should match what you see on your screen. Then, reverse the procedure and report your DomainA certificate's fingerprint to the remote administrator.
12. Return to the Cross Domain Certification tab on the Domain Properties page and click the Add Certificate button. The cross certification pop-up window appears.
13. In the File location field, enter the path and file name of the remote DomainB.cer file, clicking the Browse button if necessary.
14. Click OK.
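The fingerprint comparison in step 11b can also be checked with a script before the certificate is imported. The following is an added example, not part of the Groove documentation: it relies on the Windows thumbprint being the SHA-1 hash of the certificate's DER encoding, and the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

_PEM_BODY = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed placeholder bytes standing in for the contents of DomainB.cer.
# They begin with the ASN.1 SEQUENCE tag (0x30) but are not a real certificate.
SAMPLE_DER = b"\x30\x0b" + b"constructed"


def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER encoding from the contents of a .cer file.

    A .cer file may hold binary DER or Base64 text, with or without the
    BEGIN/END CERTIFICATE lines. The thumbprint is always taken over DER.
    """
    match = _PEM_BODY.search(raw)
    if match:
        text = b"".join(match.group(1).split())
    elif raw[:1] == b"\x30":
        return raw                      # already binary DER
    else:
        text = b"".join(raw.split())    # bare Base64 without the armour lines
    try:
        der = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("not a DER or Base64 certificate file") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def thumbprint(raw: bytes) -> str:
    """SHA-1 over the DER encoding, as 40 lowercase hex characters."""
    return hashlib.sha1(cert_der_bytes(raw)).hexdigest()


def normalise_reported(reported: str) -> str:
    """Clean up a fingerprint that was typed in or pasted from a dialog.

    Removes spaces, colons, hyphens and invisible direction marks that can
    come along with a copied value, then requires pure hexadecimal.
    """
    cleaned = re.sub(r"[\s:\-\u200e\u200f]", "", reported).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("reported fingerprint contains non-hex characters")
    return cleaned


def fingerprints_match(raw: bytes, reported: str) -> bool:
    """True only if the whole reported fingerprint equals the local one.

    A shortened readout (for example only the first few bytes) is rejected,
    because a partial comparison does not authenticate the certificate.
    """
    return normalise_reported(reported) == thumbprint(raw)


def read_aloud(hex_digest: str) -> str:
    """Format a digest in byte pairs, the way it is read over the phone."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return " ".join(pairs).upper()


if __name__ == "__main__":
    local = thumbprint(SAMPLE_DER)
    print("Read this to the remote administrator:", read_aloud(local))
    print("Match:", fingerprints_match(SAMPLE_DER, read_aloud(local)))
```

To use it on a received file, read the file in binary mode and pass its bytes together with the fingerprint the remote administrator reported; import the certificate only when the result is True.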
You have now set up cross-domain certification with the collaborating administrator. Cross-certified domains appear in the domain list in the lower half of the page. Contacts from cross-certified domains appear on the Groove client in a different color from local domain contacts.

Cross Domain Certification Fields (available for Groove PKI only) and Descriptions

Export Certificate - Appears only if Groove PKI is the identity authentication method. Exports domain's certificate from the Groove Manager to a specified directory location on the local device. You can then send this certificate to another domain administrator to set up cross-domain trust. See Setting Up Cross-Domain Certification for information about setting up cross-domain certification with trusted domains.

Add Certificate - Appears only if Groove PKI is the identity authentication method. Imports a foreign domain certificate from a specified location to the Groove Manager. When you click OK, the certificate name appears in a list on this page.

Certificate list - Appears only if Groove PKI is the identity authentication method. Lists cross-domain certificates. The certificate name, description, and download date appear for each entry. A Delete button following each certificate lets you delete certificates. Note that you cannot delete your own (self-trust) certificate.

Viewing Cross-Certified Domains

To view a domain's cross-certified domains, follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Select Domain Properties in the toolbar, and make sure that the Groove PKI identity authentication option is selected.
3. Click the Cross Domain Certification tab. Cross-certified domains are listed in the lower half of the page, beneath the hosting (self-certified) domain. Each entry includes the domain name, a description, and the date of certification.

Deleting Cross-Certified Domains

To delete a cross-certified domain and its certificates from the Groove Manager, follow these steps:

1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the Domain Properties button.
3. Click the Cross Domain Certification tab. Any cross-certified domains appear at the bottom of the page.
4. Click the Delete button for any cross-certified domain(s) that you want to delete.
Migrating Users to Another Domain

If you need to move Groove 2007 (or later) users from one domain to another on the Groove Manager, or from a Microsoft-hosted Groove Enterprise Services domain to an onsite Groove Manager domain, you can use the auto-migration feature provided with Groove Manager. If your Groove management setup does not meet the prerequisites for auto-migration or you want to migrate users running Groove 3.1 or earlier, you can perform the procedure manually. Prerequisites and instructions for each method appear in the following sections:
Before You Begin
Automatically Migrating Users to Another Domain
Manually Migrating Users to Another Domain

Before You Begin

Before you start migrating Groove users to another domain, address the prerequisites and conditions listed in the following table, depending on your chosen migration method:

Requirements and Conditions

Server requirements
For Automatic Domain Migration: Ensure that your server administrator has enabled the automatic account configuration feature on the target server of the new domain. This requires a Groove Manager 2007 installation at your organization, configured with a target domain. Get the URL of the target Groove Manager server from the server administrator. For information about auto-account configuration and restoration, see Enabling Auto-Account Configuration/Restoration in the Server Administration portion of the Help.
For Manual Domain Migration: Ensure that a target Groove Manager 3.0 or later server has been properly installed at your site and configured with a target domain.

Client requirements
For Automatic Domain Migration: Ensure that Office Groove 2007 is installed on user devices.
For Manual Domain Migration: Ensure that Groove 3.0 or later is installed on user devices.

RBAC requirements
For Automatic Domain Migration: If Role-Based Access Control is enabled, as recommended, ensure that you have been assigned the necessary role for your task.
Minimum roles on the source server are as follows:
Domain administrator - To enable automatic domain migration, edit policies, or perform any other domain-level tasks recommended for domain migration.
Member administrator - To mark members for migration, once a domain administrator has enabled automatic domain migration.
Minimum roles on the target server are as follows:
Domain administrator - To edit policies or perform other domain-level tasks recommended for domain migration.
For Manual Domain Migration: If Role-Based Access Control is enabled, as recommended, ensure that you have been assigned the necessary role for your task.
Minimum roles on the source server are as follows:
Domain administrator - To edit policies, or perform any other domain-level tasks recommended for domain migration.
Member administrator - To export member information to .xml or .csv files.
Minimum roles on the target server are as follows:
Domain administrator - To create groups, edit policies, or perform any other domain-level tasks.
Member administrator - To add members to the target domain groups.

Temporary conditions
For Automatic Domain Migration: If your migration involves large numbers of users, notify Groove users that contact search results may be incomplete and contact authentication may appear incorrect temporarily until all users are migrated. You can adjust policies to mitigate this condition, as described in the following procedures for automatic and manual domain migration.
For Manual Domain Migration: If your migration will take place over a significant time period, notify Groove users that contact search results may be incomplete and contact authentication may appear incorrect temporarily until all users are migrated. You can adjust policies to mitigate this condition, as described in the following procedures for automatic and manual domain migration.

Automatically Migrating Users to Another Domain

Automatic domain migration facilitates the task of migrating members of a Groove Manager 2007 domain or group to another management domain or group, whether on the same or different servers. This method requires minimal Groove user interaction and eliminates the administrative overhead of migrating users manually, then sending account configuration codes to users. For information about manual migration if your site is not configured with Groove Manager 2007, Groove 2007 clients, and a directory server, see Manually Migrating Users to Another Domain.

Automated domain migration procedures fall under the following topics:
Migrating Domain Members
Checking Migration Status
Reviewing Migration Events
Canceling Migration

Migrating Domain Members

This section describes how to use the automated domain migration procedure, available with Groove Manager. This method allows you to migrate domain or group members to another domain on the same or a different server, or from a Groove Enterprise Services domain to an onsite Groove Manager domain, with minimal user interaction.
To automatically migrate Groove users from one management domain (or group) to another on the same or different servers, follow these steps:
1. Address the requirements listed in Before You Begin.
2. To avoid disabling devices and identities, or otherwise interrupting collaboration during the domain transition, consider adjusting domain policies for members that you intend to migrate, as follows:
From the source domain:
- Select the identity policy template assigned to members that you intend to migrate, click the Member Policies tab, and clear the following policy: "Identities may only be used on a managed device in this domain", then click Save Changes.
- If Groove devices are managed, select the device policy template assigned to members that you intend to migrate, click the Account Policies tab, and clear the following policy: "Members can only use managed identities from this domain on devices in this domain", then click Save Changes.
- Setting an identity policy that enables automatic device management for members that you intend to migrate is highly recommended to help ensure a smooth migration process, as described in Automatically Managing Devices During Account Configuration or Logon.
From the source domain, then the target domain:
- Consider cross-certifying the source and target domains, as described in Cross-Certifying Management Domains.
On the source and target domains:
- Consider whether to temporarily loosen your user verification policy for the domain during the migration period when some members will be active in the target domain while others remain pending. To edit authentication policies, select the identity policy template assigned to members you intend to migrate, click the Security Policies tab, and change the User Verification Policy settings as needed, then click Save Changes.
Note: Remember to allow time for clients to be updated with policy changes.
3. On the server where the target domain is located, go to the Groove Manager administrative Web site and update the policy templates and relay server sets as needed.
4. From the target domain, import the Groove user information for the members that you intend to migrate. For information about importing domain members, see Importing Members from a Directory.
5. On the server where the source domain is located (the Groove Enterprise Services site, if you are migrating members from a hosted services environment to an onsite server), go to the Groove Manager administrative Web site, select the original management domain in the navigation pane, and click Domain Properties in the toolbar. The Domain Settings page appears.
6. From the source domain's Domain Settings page, click the Advanced Settings tab. The Domain Migration page appears.
7. From the source domain, select "Enable migration to a new Groove Manager domain. Requires Groove 2007 or later", then click OK. Selecting this checkbox exposes domain migration menu items, options, and reports.
8. From the source domain, select the domain's Members group or one of its subgroups.
9. From the source domain, click the Manage Members drop-down menu in the toolbar and select Migrate Members. The Migrate Members page appears.

10. From the source domain Migrate Members page, select one of the following options:
Choose this Migration option: - To Do this:
Selected members - To migrate selected members to another domain. Note that this option is available only when members are selected.
Domain members (new and existing) - To migrate all members in the domain to another domain. This is the default option for domain migration.
Group members (new and existing) - To migrate all members in the current group to another domain. This is the default option for group (subgroup) migration.
11. From the source domain Migrate Members page, type the URL of the target server in the Target Groove Manager Server URL field. The target server must be the Office Groove Server 2007 Manager (or a later version) that supports auto account configuration. If you already configured migration at a higher level (for example, to specify a common target server for all domain members, prior to assigning them to target groups), that URL will appear in this field by default.
12. From the source domain Migrate Members page, click OK to enter your settings. This marks all active members for migration. When users next log in to Groove, they will be active members of the target domain. Users can be marked for migration regardless of status (active, pending, or disabled), but only active users can be migrated. Any members subsequently added to the old domain will be marked for migration. Note that only those members whose contact information has been imported to the target domain from an integrated directory server will be migrated. For information about stopping migration, see Canceling Migration.
13. From the source domain, confirm migration status as described in Checking Migration Status.
14. From the target domain, ensure that when members next log in to Groove, they appear as active members in the target domain.
15. If you wish, reset the device and identity policies that you turned off at the start of this procedure.

When migration is complete, you can terminate the old domain on the source onsite server or discontinue from Groove Enterprise Services Manager, depending on your previous setup.

Checking Migration Status

You can check the status of migrating members from the Members page in the original or source domain. To check member migration status, follow these steps:
1. Go to the administrative Web site for the source domain.

2. Click the Members group (or one of its subgroups). A list of active, pending, and disabled members appears; migrated members will not appear.
Note: Only Active Members can be migrated.
3. To search for members of a specific migration status, click Advanced Search, then select one of the following options:
Members who are pending domain migration - To find Pending Migration domain members. These are members marked for migration but not yet active in the target domain.
Members who have already migrated to another domain - To find migrated domain members. These are members who have logged into Groove after being marked for migration and who are now active members of the target domain.
A filtered list of members pending migration or of migrated members appears. For migrated members, the list shows the date of migration, target server URL, and target domain name for each member. For members who are pending migration, the list shows the date that each member was marked for migration, target server URL, and each member's last Groove contact date.
4. Clicking a member displays the member's Account Information page and migration details, including:
Member's migration status - Pending Migration or Migrated
New Groove Manager server URL
New Groove Manager domain name
Date since marked for migration, or Date migrated

Reviewing Migration Events

The automatic domain migration feature reports migration-related events to the audit log. To see migration-related events, follow these steps:
1. Go to the administrative Web site for the source domain.
2. Click the Reports tab for the domain.
3. Select Audit Log from the Reports drop-down menu.

Canceling Migration

To cancel domain migration, follow these steps:
1. Go to the administrative Web site for the source domain.
2. Click the Members group (or one of its subgroups) to display the members list.
3. Click the Manage Members drop-down menu in the toolbar and select Stop Member Migration.
4. Choose one of the following options, and click OK. Any members marked for migration will not be migrated.
Choose this Stop Migration option: - To Do this:
Selected members - To stop specific members from migrating to another domain.

Domain members (new and existing) - To stop all members in the domain from migrating to another domain.
Group members (new and existing) - To stop all members in the current group from migrating to another domain.

Manually Migrating Users to Another Domain

This section provides a basic migration procedure for manually migrating users from one domain to another on the same server or from Groove Enterprise Services. Use this approach if domain members are running Groove 3.1 or earlier, or if the Groove Manager server administrator has not configured your site with the requisite auto-account configuration capabilities.

The manual migration procedure requires users to input new account configuration codes, and it requires administrators to create a new domain group structure in the target domain, then migrate users group by group to the newly defined management domain groups. The migration must be performed on each group and subgroup in order to preserve the policy templates and relay server sets assigned to each group. For information about automating domain migration, see Automatically Migrating Users to Another Domain.

To manually migrate users from one domain to another, follow these steps for each group and subgroup in the domain, starting with the smallest subgroup:
1. Address the requirements listed in Before You Begin.
2. To avoid disabling devices and identities, or otherwise interrupting collaboration during the domain transition, consider adjusting domain policies for members that you intend to migrate, as follows:
From the source domain:
- Select the identity policy template assigned to members that you intend to migrate, click the Member Policies tab, and clear the following policy (if it is selected): "Identities may only be used on a managed device in this domain", then click Save Changes.
- Select the device policy template for the members that you intend to migrate, click the Account Policies tab, and clear the following policy (if it is selected): "Members can only use managed identities from this domain on devices in this domain", then click Save Changes.
From the source domain, then the target domain:
- Consider whether to temporarily loosen your user verification policy for the domain during the migration period when some members will be active in the target domain while others remain pending. To edit authentication policies, select an identity policy template for the domain, click the Security Policies tab, and change the User Verification Policy settings as needed, then click Save Changes.
Note: Remember to allow time for clients to be updated with policy changes.

3. On the server where the source domain is located (the Groove Enterprise Services site, if you are migrating members from a hosted services environment to an onsite server), go to the Groove Manager administrative Web site and export each group member list from the domain to an .xml or .csv file, as described in Exporting Domain Members.
4. On the server where the new (or target) domain is located (the onsite Groove Manager server, if you are migrating members from a hosted services environment to an onsite server environment), go to the Groove Manager administrative Web site and update the policy templates and relay server sets as needed.
5. From the target domain, create the required group hierarchy. See Adding Groups for information about creating domain groups.
6. From the target domain, select the domain's top-level Members group (or any of its sub-groups) in the navigation pane. The Members page appears.
7. From the target domain Members page, add the users to the target domain group on the Groove Manager, as described in Adding Multiple Members from an .xml File or Adding Multiple Members from a .csv File.
8. From any device, log in to the Groove Manager, select the target domain group, and download the Groove Manager device registry key, as described in Registering User Devices with the Groove Manager. Apply this key to the Windows registry of any device that you intend to manage in the target domain group.
9. Shut down Groove and restart the client devices to process the registry updates.
10. From the target domain, send managed account configuration codes to each user that you are migrating, as described in Enabling Groove Account Configuration.
11. Ensure that Groove users do the following:
a. Launch Groove on each client device.
b. Click Help from the Groove menu and select Configure Account.
c. Copy the 25-character account configuration code for each managed identity from the e-mail into the account configuration code field.
d. Click Finish to activate Groove on the device. At the end of this process, the Groove user has a managed Groove identity in the target domain.
12. If you wish, reset the device and identity policies that you turned off earlier in this procedure.
13. You can terminate the old domain or discontinue from hosted Groove services, depending on your previous setup.

Adding, Editing, and Deleting Templates

The Groove Manager administrative interface allows you to send e-mail to accompany the account configuration code that goes to Groove users, giving them domain membership. It also allows you to send e-mail to accompany the account backup file that you send users to restore an account. You can create and save your own e-mail templates to use as the defaults for these messages. The e-mail tab allows you to create and save templates, edit templates, or delete them.

The following sections explain how to accomplish the following management tasks:
Creating Groove Manager Templates
Editing Groove Manager Templates
Deleting Groove Manager Templates

Creating Groove Manager Templates

The domain e-mail tab lets server and domain administrators create templates for the e-mail that the Groove Manager sends to users to configure their Groove account or to accompany a backed up account file. You also have the option of saving this e-mail as a default template.

To create and save new Groove Manager templates, follow these steps:
1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the e-mail tab for the domain. The domain page appears with a list of previously defined templates.
3. Select Add in the toolbar. The Add window appears.
4. Enter the requested information in the fields as shown in the following table, then click OK. Only the Save As field is required to save this e-mail; all fields are required to send.

Create Account Configuration Code Fields - Values
Type - Select one of the following types from the drop-down menu:
Account Configuration - sent to users to accompany Groove account configuration codes.
Account Restoration - sent to users to accompany a file that contains backed up account information needed to restore the user account.
Save as - Required Field. Enter the name of the message that you want to create. You can then use this e-mail whenever you want to send a Groove user a managed identity or account backup file. Note: When you enter a name in this field to save an edited e-mail, clicking OK renames the edited e-mail to the new name, rather than creating a copy and saving it under the new name.
From - Enter your e-mail address if desired.
Subject - Enter the subject of the e-mail, such as Account Configuration.

Body - Enter the desired text explaining that you are sending an account configuration code that will supply a new Groove identity that allows access to the enterprise Groove environment. When this message goes out as default e-mail, the Groove Manager automatically includes the account configuration code, Groove Manager name, and new identity name.
Make this the default e-mail for this activity - Select this option to make this message the default for distributing account configuration codes or account backup files. This message will replace the current default e-mail. Leaving this check box unchecked retains the current default e-mail.

Editing Groove Manager Templates

To edit Groove Manager templates that you have created and saved, follow these steps:
1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the e-mail tab. The domain page appears with a list of templates.
3. Click the template that you want to edit. The Edit page appears.
4. In the Edit page, edit the fields as described in the table Create Account Configuration Code Fields.
5. Click OK.

Deleting Groove Manager Templates

To delete specific Groove Manager templates, follow these steps:
1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the e-mail tab. The Manage page appears with a list of templates.
3. Select the templates that you want to delete. Clicking the top box selects all the templates.
4. Select Delete Selected in the toolbar.
5. Click OK.

Editing Administrator Roles

If the Groove Manager administrator has set up role-based access control (RBAC) and you are assigned a role of Domain Administrator, you can edit other administrator roles from the domain Roles tab. Note that you cannot edit your own role.

To edit administrator roles, follow these steps:
1. Go to the Groove Manager administrative Web site and select your management domain in the navigation pane.
2. Click the Roles tab. A list of currently-defined administrators, including their name and role, appears.
3. Click the administrator name that you want to edit. The Edit Administrator page appears, showing a list of roles for the selected administrator.
4. Select the roles that you want to assign to the selected administrator, then click OK.

Roles provide access to various parts of the Groove Manager's administrative Web site, as summarized in the following table:

Domain-level Administrator Roles - Descriptions
Domain Administrator - Allows full access to all domain-level administration for the selected domain.
Member Administrator - Allows access to management domain member administration only, within the selected domain.
License Administrator - Allows access to Groove 3.1 (and earlier) license administration only, within the selected domain.
Support Administrator - Allows access to Groove password/smart card login reset administration only, within the selected domain.
Report Administrator - Allows access to Groove usage reports for the selected domain.
No role - Displays a message instructing the user to see their server or domain administrator to gain domain access.

Managing Groove Users

The following sections provide information about the ongoing management of Groove users via the Groove Manager. Once you add Groove users to a management domain, making them domain members, you can use the Groove Manager to oversee their usage and security policies, provision them with Groove Relay servers, and monitor their Groove activities via domain reports.

Common member management tasks fall under these topics:
Overview of Groove User Management
Managing Domain Member Groups
Adding Groove Users to a Domain
Enabling Groove Account Configuration
Provisioning Managed Groove Users
Viewing Domain Members
Viewing and Editing Domain Member Information
Finding Domain Members
Moving Domain Members to Another Group
Exporting Domain Members
Disabling and Enabling Domain Members
Deleting Domain Members
Purging Member Relay Queues
Creating an LDAP Search String
Initiating Client Contact With a Groove Manager

For information about Groove user identity policy settings and how to change them, see Managing Identity Policies. For information about setting a peer identity authentication policy, see Managing User Interaction with Unknown Identities. For information about backing up and restoring user accounts, see Backing Up and Restoring User Account Data in the section that describes Identity policies.

Overview of Groove User Management

Managing Groove users from the Groove Manager requires that users become members of a management domain that is defined by a server administrator at your organization. If onsite Groove Manager and LDAP directory servers are part of your Groove management environment, server administrators may set up corporate directories to automate the process of populating Groove Manager domains with user identity information, as described in the Server Administration portion of this Help. Or, you may add Groove user contact information to a domain group manually, from an .xml or a .csv file, or by importing data from a corporate directory.

Adding members to a domain group manually, or from a file or directory, is basically a two-step process. First, you enter identity information for each user. Then, you ensure that a managed account is configured on each Groove user device. Successful account configuration gives users a managed Groove identity with membership in a Groove management domain group. As domain members, these managed identities are subject to administrator-defined Groove usage policies and provisioned with Groove Relay servers.

The task of configuring managed Groove accounts on client devices can be automated by a process set up by a server administrator - the most efficient way to bring managed Groove users online (as described in the Server Administration portion of this Help). However, if your organization requires another approach, you can send a Groove account configuration package to Groove users via an e-mail message (or other secure means). The account configuration package contains a Groove account configuration code, a managed identity name, and the Groove Manager name to enable client communication with the Groove Manager.

Once a user receives the e-mail that contains a managed Groove account configuration code, the user must enter the account configuration code and Groove Manager name into the Groove application.
At that time, Groove typically does the following, depending on client setup:
- Creates a new account or allows the user to convert an old account to a new managed account.
- Creates a new managed identity for the user, based on the identity information associated with the account configuration code that you provided. Or, if domain device policies allow, Groove gives the user the option of converting an existing identity into a new managed identity, using the identity information that you provided.
- Downloads identity and device policies, and relay assignments to client machines.
- Signs user contact information if Groove PKI is the selected authentication system for the domain, as defined by the server administrator during domain configuration, and displayed on the Domain Properties page.

You can add domain members individually, from an .xml file, or by importing from an onsite corporate directory server, depending on the size of your user base, as summarized in the table below:

Setup at Your Site: Groove Manager and LDAP-based directory server of user information installed
User Deployment Option: Import user information from an onsite LDAP-based directory server (if Groove Manager is installed onsite).
Help Reference: Importing Members from a Directory (if a directory server is installed at your site and integrated with an onsite Groove Manager)

Setup at Your Site: User information stored in .xml or .csv files
User Deployment Option: Add multiple users from an .xml or .csv file.
Help Reference: Adding Multiple Members from an .xml File or Adding Multiple Members from a .csv File

Setup at Your Site: User information to be entered manually in Groove Manager domain group
User Deployment Option: Add individual users manually.
Help Reference: Adding an Individual Member to a Domain Group

Once you have added Groove users to a domain group, you can search for a member as described in Finding Domain Members, edit member information as described in Viewing and Editing Domain Member Information, and carry out other management tasks.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual member information requires a role of Server, Domain, or Member administrator.

Member management activities appear in the Manage Members drop-down menu in the toolbar, as listed in the following reference table:

User Management Task - Described Here:
Send Groove Account Configuration Code - Adding Groove Users to a Domain
Move Members - Moving Domain Members to Another Group
Export Members - Exporting Domain Members
Disable/Enable Members - Disabling and Enabling Domain Members
Delete Members - Deleting Domain Members
Migrate Members/Stop Member Migration - Migrating Users to Another Domain (appears only if domain migration is enabled)

Managing Domain Member Groups

Groups are subsets of management domains. For example, your company domain may contain a development group, a sales group, and a finance group.
An initial top-level Members group is defined for each new management domain, and you can create groups and subgroups within it. Each domain contains at least one user identity template, device policy template, and relay set which are assigned to domain groups by default. You can modify these templates and sets, and change the assignments for specified groups, subgroups, or individual group members.

The sections below describe the following group-related tasks:
Adding Groups
Viewing Domain Groups
Viewing and Editing Group Properties
Viewing Group Members
Deleting a Group

Adding Groups

The Groove Manager provides a top-level Members group for each management domain. You can create groups and subgroups within the Members group, as is recommended, or you can add members directly to this top-level group (equivalent to adding members directly to the domain).

To create a group, follow these steps:
1. Go to the Groove Manager administrative Web site and click the domain's top-level Members group in the navigation pane. The Members and Groups tabs appear where you perform group-level tasks, as described in the following table:
Domain Tabs - Descriptions
Members - Lists the members in the selected group and allows you to add, provision, move, export, and delete group members, as described in Managing Groove Users.
Groups - Lists groups in the selected domain or group, and allows you to add, edit, and delete domain groups, as described in Managing Domain Member Groups.
2. To add a sub-group to an administrator-defined group, select the group in the navigation pane.
3. Click the Groups tab.
4. From the Groups tab, select Add Group in the toolbar. The Group Setup window appears.
5. In the Name field of the Group Setup window, type the name of the group that you want to create.
6. If you wish, type a group description in the Description text box.
7. Accept the default identity and device policy templates, and relay server set, or select another choice from one of the scrolling lists, as needed. For more information about these selections, see the corresponding Help sections: Managing Identity Policies, Managing Device Policies, Managing Groove Relay Servers.

Note: In order to issue device policies, make sure that managed Groove devices are registered with the Groove Manager, as described in Registering User Devices with the Groove Manager.
8. Click OK. The group now appears under the selected domain in the navigation pane on the left and on the domain Groups tab.
9. To add members to a group, select the group in the navigation pane, select Add Members in the toolbar, and choose an option, as described in Adding Groove Users to a Domain.

For information about deleting a group, see Deleting a Group.

Viewing Domain Groups

To view groups in a management domain, do the following:
1. Go to the Groove Manager administrative Web site and click the domain's top-level Members group in the navigation pane. Administrator-defined groups appear under Members and the Members page appears.
2. To view descriptions of administrator-defined groups within Members, click the Groups tab. The names and descriptions of groups within Members appear in the main window and in the domain group hierarchy in the navigation pane.
3. To view descriptions of sub-groups within administrator-defined groups, select a group in the navigation pane and click the Groups tab.

Viewing and Editing Group Properties

The group Properties page displays information about a selected group, some of which you can edit. From a group's Properties page, you can rename a group, or change its assigned identity policy template, device policy template or relay server set.

To view or edit group properties, follow these steps:
1. Go to the Groove Manager administrative Web site and click the domain's top-level Members group in the navigation pane. The Members page appears.
2. To edit properties of the top-level Members group, click Group Properties in the tool bar.
3. To edit properties of an administrator-defined group, select that group or sub-group in the navigation pane, then click Group Properties in the tool bar or click the group name from the Groups tab in the main window.
   Note: Edits apply only to the selected group or sub-group, unless you select the option, Override settings for all members and subgroups, which applies edits to all members and sub-groups within the selected group.
4. Edit the fields described in the table below, as needed, then click OK.

Group Properties Field: Descriptions

Group Setup
Name: Specifies a group name.

Description: Specifies an optional description of the group.

Default Settings
Identity Policy Template: Specifies an identity policy template - a collection of identity policy settings that govern this group. You can view and edit the settings in this template, or add a new template, as described in Managing Identity Policies. If multiple identity templates already exist, you can select another from this drop-down menu.
Device Policy Template: Specifies a device policy template - a collection of device policy settings that govern this group. You can view and edit the settings in this template, or add a new template as described in Managing Device Policies. If multiple device templates already exist, you can select another from this drop-down menu.
Relay Server Set: Specifies a relay server set - an ordered set of Groove Relay servers provisioned to this group. You can view and edit this relay server set, or add a new set as described in Managing Groove Relay Servers. If multiple sets already exist, you can select another from this drop-down menu.
License Set (Groove Virtual Office 3.1 or earlier): Appears only if you are supporting Groove 3.1 or earlier and have set the Domain Properties option accordingly. Contains a set of licenses provisioned to this group. You can view and edit this license set, or add a new set as described in Appendix C. Managing Groove Product Licenses (Groove 3.1 or Earlier).
Apply to all group members: Applies the current group settings to all group and subgroup members. Leaving the box unchecked applies group settings to the current group only (not to its child groups). Note: To apply group settings (policy templates and relay server sets) to an entire domain, apply this option to the domain's top-level Members group. Default: unchecked

Directory Integration Settings (Appears only if automatic directory server integration is used.)
Name: Information only. Specifies the name of the directory server integration point, defined by the Groove Manager administrator to be the source of integrated member information. The presence of the directory integration name and related information on this page indicates that members have been automatically integrated with the Groove Manager. For more information about directory integration, see Importing Members from a Directory.
From: Information only. Specifies the point of integration from the directory server hierarchy. This point indicates the location on the directory server from which member identities have been integrated into this group.

To: Information only, if integration point is specified. Specifies the point of integration on the target Groove Manager (the member group defined on the second page of the integration wizard).
Search Filter (on the group Properties page only): Information only. Displays the search filter, if specified.

Viewing Group Members

To view the members of a management domain group, follow these steps:
1. Go to the Groove Manager administrative Web site and click the domain's top-level Members in the navigation pane. The Members page appears. Group member names appear in the main window, along with their account configuration status, e-mail address, date of last member modification, directory status, and last account backup date.
2. To view members in an administrator-defined group, select that group or sub-group in the navigation pane. The Members page appears, as described in step 1.
3. To search for members in the group, do one of the following:
   - To search for named members, enter the member's full name, first name, last name, or e-mail address. Wild-card strings are acceptable. For example, you could enter jon to look for entries containing the string jon. Then click the Search button.
   - To search for members of a certain status (active or pending), click the Advanced Search button, enter a search string in the search field if desired (as described in Finding Domain Members), then click the Search button.
   Search results appear in the main window.

Deleting a Group

To delete a management domain group and all its members, follow these steps:
1. Go to the Groove Manager administrative Web site and click the domain's top-level Members in the navigation pane. The Members page appears.
2. To delete an administrator-defined group, select that group or sub-group in the navigation pane.
3. Click the Groups tab.
4. Select the groups that you want to remove.
5. Click Delete Selected Groups in the toolbar. A confirmation pop-up window appears.
6. If you are satisfied that deleting the group deletes the group members, click OK.

Caution: Removing a group removes all users and registered devices that you defined for this group.

Adding Groove Users to a Domain

In order to manage Groove users at your company, you add them to a management domain. Domain membership subjects members to identity policies governing Groove use and assigned managed relay servers. These policies and relay assignments do not apply to any previously existing Groove accounts that the user may have. Note that a managed identity can be a member of only one domain or group.

If your Groove Manager administrator has already integrated Groove user information from an onsite directory server with an onsite Groove Manager, you may not need to add users to a domain group. See your server administrator or the Groove Manager Server Administration portion of the Help for more information about automatic integration of user data.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual members requires a role of Server, Domain, or Member administrator.

Note: If the domain is configured to use Enterprise PKI for user authentication, management domain member names must exactly match the names associated with valid PKI certificates and these certificates must be accessible from Groove clients via the Internet Explorer CryptoAPI (CAPI) store. When configuring managed Groove accounts, users will be prompted to select a certificate, so be sure to set the identity policy that controls which certificates are available for selection, as described in Specifying Enterprise PKI Certificates.

The following sections provide background information and instructions for adding Groove users to a group:
Adding an Individual Member to a Domain Group
Adding Multiple Members from an .xml File
Adding Multiple Members from a .csv File
Importing Members from a Directory

Adding an Individual Member to a Domain Group

The simplest way to add users to a domain group, making them domain members, is to enter identity information for each user manually. However, this is time consuming if you are adding more than a few members. For information about adding multiple members from a file or directory, see the procedures for Adding Multiple Members from an .xml File or Importing Members from a Directory.

To add individual users to a domain group, follow these steps:
1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members and Groups tabs appear. If a domain setup window appears, requiring private key password information, enter the information in the fields as described in Private Key Name in the Groove Manager Server Administration portion of the Help. Then return here to continue with this procedure.

2. From the Members tab, click Add Members in the toolbar. A list of user deployment options appears.
3. Click Add Single Member, then click Next. The Select Member Settings page appears.
4. From the Select Member Settings page, accept the default policy templates and relay server sets or change them, as described in the sections listed in the following table:
   For information about: See this section of the guide
   Editing or changing identity policy templates: Managing Identity Policies. You can set device policies later, once the user has started Groove and applied any associated device keys, as described in Managing Device Policies.
   Editing or changing relay server sets: Managing Groove Relay Servers
5. Click Next. The Add Single Member page appears.
6. From the Add Single Member page, type the user data into the fields to create a user's identity. This data will appear in the user's Groove Contact Properties. The following fields are required:
   Full name - The user's full name.
   E-mail - The user's e-mail address.
7. To save this member's information and create another member in the domain group, click the Save and Create Another button to repeat the above process.
8. When you finish adding member information, click the Finish button. This process makes the user a domain group member, lists the user on the domain group Members tab with a Pending Member icon, and assigns the user an account configuration code (visible by clicking the member's name to display the Account Configuration page). Repeat the previous steps for each additional user.
9. Distribute the account configuration code to Groove users, as described in Enabling Groove Account Configuration (unless your server administrator has set up Auto-Account Configuration at your organization). Once the account configuration code is installed in the user's Groove software, Groove will authenticate the user and create a managed identity based on the associated user information.

Adding Multiple Members from an .xml File

You can facilitate the process of creating domain members by adding multiple users to a domain from an .xml file. This is useful when you need to create managed identities for numerous users. You can also use this feature to download a member list to a new domain that you exported from an existing domain. See Exporting Domain Members for details about exporting. For information about adding multiple users from a .csv file, see Adding Multiple Members from a .csv File.

To add multiple users to a management domain from an .xml file, follow these steps:
1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members and Groups tabs appear. If a domain setup window appears, requiring private key password information, enter the information in the fields as described in Private Key Name in the Groove Manager Server Administration portion of the Help. Then return here to continue with this procedure.
2. From the Members tab, click Add Members in the toolbar. A list of user deployment options appears.
3. Click Add Multiple Members (XML), then click Next. The Select Member Settings page appears.
4. From the Select Member Settings page, accept the default policy templates and relay server sets or change them, as described in the sections listed in the following table:
   For information about: See this section of the guide
   Editing or changing identity policy templates: Managing Identity Policies. You can set device policies later, once the user has started Groove and applied any associated device keys, as described in Managing Device Policies.
   Editing or changing relay server sets: Managing Groove Relay Servers
5. Click Next. The Add Multiple Members page appears.
6. Create an .xml file using the template provided, as follows:
   a. Right-click the Download Template button and enter a location for the .xml file (ImportMembersTemplate.xml).
   b. Open the .xml file template in Notepad or other text editor and scroll to the <Member> section at the end of the file, which should look similar to the following:

   <Member>
     <FullName>FullName</FullName>
     <FirstName>FirstName</FirstName>
     <LastName>LastName</LastName>
     < > </ >
     <Title>Title</Title>
     <Company>Company</Company>
     <Street>Street</Street>
     <City>City</City>
     <State>State</State>
     <Zip>PostalCode</Zip>
     <CountryOrRegion>CountryOrRegion</CountryOrRegion>
     <Phone>Phone</Phone>
     <Fax>Fax</Fax>
     <Cell>Cell</Cell>
   </Member>

7. Supply at least a FullName and e-mail address for the user by replacing the corresponding strings between the angle-bracket <> pairs. For example:

   <Member>
     <FullName>jondoe</FullName>
     <FirstName>FirstName</FirstName>
     <LastName>LastName</LastName>
     < >jdoe@contoso.com</ >
     <Title>Title</Title>
     <Company>Company</Company>
     <Street>Street</Street>
     <City>City</City>
     <State>State</State>
     <Zip>PostalCode</Zip>
     <CountryOrRegion>CountryOrRegion</CountryOrRegion>
     <Phone>Phone</Phone>
     <Fax>Fax</Fax>
     <Cell>Cell</Cell>
   </Member>

8. Copy and paste the Member section of the XML file to enter additional members.
9. Save the file.
10. In the File Location field of the Add Multiple Members page, browse to the .xml file that you want to import.
11. Click Finish. This process makes users domain group members, lists users on the domain group Members tab with Pending Member icons, and assigns them an account configuration code (visible by clicking the member's name to display the Account Configuration page).
12. Distribute the account configuration code to Groove users, as described in Enabling Groove Account Configuration (unless your server administrator has set up Auto-Account Configuration at your organization). Once the account configuration code is installed in the user's Groove software, Groove will authenticate each user and create a managed identity based on the associated user information.

Adding Multiple Members from a .csv File

You can facilitate the process of creating domain members by adding multiple users to a domain from a .csv file. This is useful when you need to create managed identities for numerous users. You can also use this feature to download a member list to a new domain that you exported from an existing domain. See Exporting Domain Members for details about exporting.
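A pre-import check for the .csv member file, given here as an added example that is not part of the guide or of Groove Manager. It applies the guidelines from step 6 of this section's procedure (required Full Name and e-mail address, 4 to 10 comma-delimited columns, no Unicode, column-title row deleted, fields with a comma or space in double quotes). The function names, the City/State column split, and the duplicate e-mail check are assumptions.

```python
import csv
import io

# Column order of ImportMembersTemplate.csv as the guide lists it. The guide's
# list reads "CityState"; treating that as two columns (City, State) to reach
# the stated 10 is an assumption.
COLUMNS = ["Full Name", "First Name", "Last Name", "E-mail Address", "Job Title",
           "Company", "Street", "City", "State", "Postal Code"]
FULL_NAME, EMAIL = 0, 3
MIN_COLUMNS, MAX_COLUMNS = 4, len(COLUMNS)


def format_row(fields):
    """Serialize one member record using the guide's quoting rule."""
    out = []
    for value in fields:
        if '"' in value:
            # The guide has a separate rule for embedded double quotes; this
            # sketch refuses them rather than guess at the expected encoding.
            raise ValueError("embedded double quote in field: %r" % value)
        if "," in value or " " in value:
            value = '"' + value + '"'
        out.append(value)
    return ",".join(out)  # empty fields still get their delimiter


def check_import_csv(text):
    """Return a list of (row_number, problem) found in a .csv import file."""
    problems = []
    seen_email = {}  # lower-cased address -> first row that used it
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            problems.append((row_no, "empty row"))
            continue
        if row_no == 1 and row[FULL_NAME].strip().lower() == COLUMNS[0].lower():
            problems.append((row_no, "column-title row not deleted"))
            continue
        if not MIN_COLUMNS <= len(row) <= MAX_COLUMNS:
            problems.append((row_no, "expected 4-10 columns, found %d" % len(row)))
            continue
        if not row[FULL_NAME].strip():
            problems.append((row_no, "Full Name is required"))
        email = row[EMAIL].strip()
        if not email:
            problems.append((row_no, "e-mail address is required"))
        if any(not cell.isascii() for cell in row):
            problems.append((row_no, "non-ASCII character"))
        # Not a rule from the guide: flagging a repeated address is an added
        # hygiene check, so one person is not provisioned twice by mistake.
        key = email.lower()
        if key and key in seen_email:
            problems.append((row_no, "same e-mail address as row %d" % seen_email[key]))
        elif key:
            seen_email[key] = row_no
    return problems


# Constructed sample file: one good record and five deliberate mistakes.
SAMPLE = "\r\n".join([
    "Full Name,First Name,Last Name,E-mail Address",
    format_row(["Jon Doe", "Jon", "Doe", "jdoe@contoso.com", "", "Contoso"]),
    format_row(["Ann Lee", "Ann", "Lee", ""]),
    format_row(["Zo\u00eb Roe", "Zo\u00eb", "Roe", "zroe@contoso.com"]),
    format_row(["J Doe", "J", "Doe", "JDOE@contoso.com"]),
    "Sam Poe,Sam,Poe",
]) + "\r\n"

if __name__ == "__main__":
    for row_no, problem in check_import_csv(SAMPLE):
        print("row %d: %s" % (row_no, problem))
```

Run it against the file before browsing to it in the File Location field; an empty result means every row passed the checks above.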

For information about adding multiple users from an .xml file, see Adding Multiple Members from an .xml File.

To add multiple users to a management domain from a .csv file, follow these steps:
1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members and Groups tabs appear. If a domain setup window appears, requiring private key password information, enter the information in the fields as described in Private Key Name in the Groove Manager Server Administration portion of the Help. Then return here to continue with this procedure.
2. From the Members tab, click Add Members in the toolbar. A list of user deployment options appears.
3. Click Add Multiple Members (CSV), then click Next. The Select Member Settings page appears.
4. From the Select Member Settings page, accept the default policy templates and relay server sets, or change them, as described in the sections listed in the following table:
   For information about: See this section of the guide
   Editing or changing identity policy templates: Managing Identity Policies. You can set device policies later, once the user has started Groove and applied any associated device keys, as described in Managing Device Policies.
   Editing or changing relay server sets: Managing Groove Relay Servers
5. Click Next. The Add Multiple Members page appears.
6. Create a .csv file using the template provided, as follows:
   a. If you decide to use your own .csv file instead of the template, define at least 4 columns (or up to 10 if you want to include all the columns used in the template). Also, use a comma to delimit each field, including empty fields that occur between values, and delimit each record (row) with a carriage return. Use the following steps for guidance.
   b. Right-click the Download Template button and enter a location for the .csv file (ImportMembersTemplate.csv).
   c. Open the .csv file template in Excel or other .csv editor. An Excel-like table appears with the following 10 columns: Full Name, First Name, Last Name, E-mail Address, Job Title, Company, Street, City, State, Postal Code.
   To use the template or your own .csv file, follow these guidelines, then save the .csv file.
   > Type the user information into the two required fields - Full Name and e-mail address - and any additional fields.
   > Enter one user record in each row, using text characters, NOT Unicode.
   > If you use a comma (,) or space ( ) in a field, enclose the field in double quotation marks. Enclose double quotation marks (") with single quotation marks (').

   > When you are finished, delete the top row of column titles.
7. In the File Location field of the Add Multiple Members page, browse to the .csv file that you want to import.
8. Click Finish. This process makes users domain group members, lists users on the domain group Members tab with Pending Member icons, and assigns them an account configuration code (visible by clicking the member's name to display the Account Configuration page).
9. Send the account configuration code to Groove users, as described in Enabling Groove Account Configuration (unless your server administrator has set up Auto-Account Configuration at your organization). Once the account configuration code is installed in the user's Groove software, Groove will authenticate each user and create a managed identity based on the associated user information.

Importing Members from a Directory

If your server administrator registered an LDAP-based directory with an onsite Groove Manager, you can import users from a corporate directory into a domain group, making them domain members. Microsoft Active Directory, IPlanet, and Lotus Domino R5 (or later) are supported directory formats. If your Groove Manager configured a directory server integration point to add user information to Groove Manager domains automatically, users will already be listed in your domain, so you do not need to import them and can skip this section.

The following sections provide background and instructions for working with directory server user information:
Working with Imported/Integrated Members
Importing Members from a Directory

Working with Imported/Integrated Members

The Groove Manager lets administrators import or automatically integrate users into a Groove Manager domain. Any domain-level administrator can import users from an LDAP directory server once a server administrator has configured it as described in the Groove Manager Server Administration portion of the Help. However, user import is not necessary if the server administrator has set up an integration point for automatic integration of user information from the directory.

The following rules apply to members imported into Groove Manager from a directory server:
- You cannot edit a member's vCard or contact information (including name, address, phone number) if the user information originated from a directory server.
- A user can be imported only once into a domain. Therefore, a user cannot be imported into more than one group in a domain.

The Groove Manager uses an internal mapping scheme, shown in the table below, to automatically convert a copy of your corporate user directory into a Groove Manager-compliant format for importing.

Table of Groove Manager-to-LDAP Attribute Mapping.

Groove Manager | Active Directory | IPlanet | Domino
Full Name | cn | cn | cn
First Name | givenname | givenname | givenname
Last Name | sn | sn | sn
title | title | title | title
 | mail | mail | mail
orgphone | telephonenumber | telephonenumber | telephonenumber
orgcell | mobile | mobile | mobile
orgfax | facsimiletelephonenumber | Fax | facsimiletelephonenumber
Company | company | o | o
orgstreet | street | street | officestreetaddress
orgstate | st | st | st
orgcity | l | l | l
orgcountryorregion | c | c | c
orgpostalcode | postalcode | postalcode | postalcode

Importing Members from a Directory

This section describes how to import Groove user information to the Groove Manager from an onsite LDAP directory server, properly configured with an onsite Groove Manager by a server administrator.

Before you begin this procedure, have the following information on hand:
- Directory name that you want to import.
- Directory login name and password with at least read-only access to the required user attributes.

To import users from a directory, follow these steps:
1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members and Groups tabs appear. If a domain setup window appears, requiring private key password information, enter the information in the fields as described in Private Key Name in the Groove Manager Server Administration portion of the Help. Then return here to continue with this procedure.
2. From the Members tab, click Add Members in the toolbar. A list of user deployment options appears.

3. Click Import Member from a Directory, then click Next. The Select Member Settings page appears.
4. From the Select Member Settings page, accept the default policy templates and relay server sets or change them, as described in the sections listed in the following table:
   For information about: See this section of the guide
   Editing or changing identity policy templates: Managing Identity Policies. You can set device policies later, once the user has started Groove and applied any associated device keys, as described in Managing Device Policies.
   Editing or changing relay server sets: Managing Groove Relay Servers
5. Click Next twice. The Import Members From a Directory page appears.
6. Enter the requested information in the fields, as shown in the following table:

Directory Login and Search Criteria Fields and Buttons: Descriptions

Directory Server: Select the directory name from the drop-down menu (supplied to the Groove Manager by the server administrator).

Search For: To look for a specific full name string, enter it in this field. Leaving the Search For and Enter Custom Filter fields blank allows you to import or display all users in the directory. The system treats your entry as a wild card. For example, if you enter jon, the system searches for all full names that contain the string jon. Asterisks (*) are interpreted as characters.

Enter Custom Filter: To use an LDAP search filter (that will override any value in the Search For text box), enter a value in this Custom Filter field. For information about entering an LDAP search filter, see Creating an LDAP Search String. Note: You must have Read rights to all attributes in your search string.

Display Matching Users: To preview a list of matching users first, and then import information for selected users, do the following:
   1. Click the Display Matching Users button. A scrolling list of the users about to be imported appears in the window, with a green mark in the Status column indicating previously imported members.
   2. Select the users that you want to import. Clicking the top check box selects all users.
   3. Click the Import Selected Users button (or Finish). The selected users appear in the domain group Members list with a Directory Status of Imported.

Import Matching Users: To import information for users that match the search criteria now, click the Import Matching Users button to submit the search criteria. The selected users appear in the domain group Members list with a Directory Status of Imported.

Items per page: Appears when more than 25 users are present. Select the number of users to display per page from the drop-down menu.

7. Click Finish. This process makes users domain group members, lists users on the domain group Members tab with Pending Member icons, and assigns them an account configuration code (visible by clicking the member's name to display the Account Configuration page).
8. Distribute the account configuration code to Groove users, as described in Enabling Groove Account Configuration (unless your server administrator has set up Auto-Account Configuration at your organization). Once the account configuration code is installed in the user's Groove software, Groove will authenticate each user and create a managed identity based on the associated user information.

Enabling Groove Account Configuration

Once Groove identities have been defined in a management domain group, as described in Adding Groove Users to a Domain, the managed accounts must be configured on Groove clients. You can initiate this process by sending an account configuration code to each prospective domain member, or the Groove Manager's Auto-Account Configuration feature is available to automate the process. Consult your server administrator or the Groove Manager Server Administration portion of the Help for information about automated Groove account configuration. You can send out Groove account configuration codes, using a Groove Manager e-mail available from the Members page, or using your own e-mail message.

The sections below provide an overview of account configuration code distribution and instructions for manual account configuration using the Groove Manager or personal e-mail:
About Distributing Account Configuration Codes
Sending an Account Configuration Code from Groove Manager
Sending an Account Configuration Code Via Personal Distribution

About Distributing Account Configuration Codes

Groove Manager account configuration codes enable Groove users to establish their managed Groove identities. You can send account configuration codes to users from a Groove Manager or via personal distribution. Alternatively, the Groove Manager Auto-Account Configuration feature can handle this process for you. See your server administrator or the Groove Manager Server Administration portion of the Help for information about automating Groove account configuration.

To facilitate deployment of Microsoft Office Groove in your domain, the latest Groove version should be installed on user machines before you send them e-mail containing their domain member account configuration codes. When you are ready for users to come online in your management domain and you have given each an account configuration code (associated with a managed identity), they must each enter the account configuration code in Groove. Groove user devices must be connected to the Groove Manager for managed account configuration to succeed.

When a Groove user applies a managed account configuration code to a device, Groove contacts the Groove Manager, authenticates the user, and downloads the appropriate user authentication information to the user's machine. It also downloads identity policies and relay server assignments associated with the domain. If device management keys are included in the installation process, device policies are also downloaded.

To use their new identities, users start Microsoft Office Groove and execute a short series of steps, varying somewhat depending on which version of Groove they are running. When the process is complete, Groove is launched on the user's device and the user is a member of the management domain, with access to managed relay servers and allegiance to policies associated with that domain.

The following table provides some client guidelines:

User Scenario: The user receives an account configuration code via e-mail. The user is new to Groove and does not yet have a Groove account.
What the User Should Do:
   1. Start Groove. On devices with no Groove accounts the Account Configuration Wizard (formerly called the Activation Wizard) appears and guides the user through the account configuration process.
   2. Copy the administrator-supplied Account Configuration Code into the text box when prompted to do so.
   3. On unmanaged devices only, copy the administrator-supplied Account Configuration Server into the text box when prompted to do so.

User Scenario: The user receives an account configuration code via e-mail. The user already has a Groove account.
What the User Should Do:
   1. Start Groove, then click the Configure Account option in the Help menu to start the Account Configuration Wizard (formerly called the Activation Wizard). The Wizard guides the user through the account configuration process.
   2. Copy the administrator-supplied Account Configuration Code into the Wizard text box when prompted to do so.
   3. On unmanaged devices only, copy the administrator-supplied Account Configuration Server into the text box when prompted to do so.
   4. Choose whether to update an existing identity to a managed identity (recommended option) or select an Advanced option. Advanced options include updating an existing identity other than the default identity and creating a new identity.

User Scenario: The Auto-Account Configuration option is used to configure the Groove account. This feature is available only to users without existing Groove accounts.
What the User Should Do:
   1. Make sure that Groove client devices are registered with a management domain, as described in Registering User Devices with the Groove Manager.
   2. See your server administrator or the Groove Manager Server Administration portion of the Help for information about using the Groove Auto-Account Configuration feature.

In supporting Groove users, bear in mind the following factors pertaining to account configuration codes and managed identity creation:

- Users cannot install the same account configuration code and identity data into more than one account. Trying to do so will cause a message to appear, stating that the identity has already been installed.
- Users must get a new account configuration code from the administrator if they enter the account configuration code and identity data into the wrong account or need to delete the account where the managed identity resides for any reason.
- Once configured, an account configuration code cannot be re-used or re-sent for any reason, even if the account in which the identity resided has been destroyed. You must create new identity information and send a new account configuration code to a user if the user has lost domain membership for any reason.
- If your device policies allow and if a user already has an account on the device, the Account Configuration Wizard gives users the choice of converting an existing identity to the new managed identity, based on the identity information that you entered for them. The original identity's existing Groove spaces and contact lists remain intact.
- If a user does not yet have a Groove account, the managed account configuration process creates a Groove account and identity. This identity is the default for that account.
- If a user has one or more existing Groove accounts, the managed account configuration process allows the user to choose whether to create a new account or to use a specified existing account. If the user chooses the new account option, the managed identity will become the default identity in that account. If the user specifies an existing account, they must select Configure Account from the Groove Help menu and the resulting updated account will have multiple identities: any existing one(s) and the new one, which becomes the default. As described in the previous bullet, the user can convert an existing identity to the new managed identity if domain device policies allow.

Sending an Account Configuration Code from Groove Manager

After adding members to a domain as described in Adding Groove Users to a Domain, you need to send each member an account configuration code, unless your server administrator has set up the Groove Manager Auto-Account Configuration feature.

To send a Groove account configuration code with its associated identity information to Groove users from a Groove Manager message, do the following:

1. Review About Distributing Account Configuration Codes.
2. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members page appears, showing a list of added domain group members.
3. From the Members page, select target recipients for the e-mail. Clicking the top check box selects all users.
4. Select the Manage Members drop-down menu in the tool bar, then click Send Groove Account Configuration Code. The Send Groove Account Configuration Code window appears, with an e-mail form, showing any default e-mail. The account configuration code, Groove Manager host name, and managed identity name do not appear in the default text but are automatically appended to the e-mail that the user receives.
5. Enter the requested information in the fields on the default page as shown in the following table:

User Fields | Explanations
Template | Select an e-mail template option from the drop-down menu. Select Sample account configuration e-mail to display the initial default account restoration e-mail.
From | Enter your e-mail address.
Subject | Enter the subject of this e-mail.
Message | Accept the default e-mail, edit the default, or enter a new message, as necessary. For information about creating Groove Manager e-mail templates, see Adding, Editing, and Deleting Templates. The account configuration code and the name of the Groove Manager (Account Configuration server) are automatically appended to this e-mail.
Save this as a new template | Select this checkbox and enter a name in the Save As text box to save changes in a new template that will appear in the Template drop-down list.
Make this the default for this activity | Available only if Save this as a new template is enabled. Select this option to make this message the default template for distributing account configuration codes.

6. Click the Send button when you are finished. This sends the e-mail, along with the following items:
   - Account configuration code - Entering this code into Groove on a client device creates a managed identity or converts an existing identity, and downloads domain policies and relay assignments.
   - Identity name - Specifies the user's new identity name.
   - Account Configuration server - Specifies the Groove Manager name that the Groove client uses to contact the Groove Manager for updates and reporting.

You have now distributed account configuration codes to Groove users. Upon receipt of an account configuration code, users enter the codes into Microsoft Office Groove. This creates a managed identity for each user and makes these users domain members.
On the Members page, status for these users changes from Pending to Active. An envelope icon in the right-most column of the page indicates defined users who have not yet configured their managed Groove accounts.

Sending an Account Configuration Code Via Personal Distribution

After adding members to a domain as described in Adding Groove Users to a Domain, you need to send each member an account configuration code, unless your server administrator has set up the Groove Manager Auto-Account Configuration feature. In order to distribute a Groove account configuration code yourself, rather than e-mailing from the Groove Manager, you must retrieve the account configuration code.

To retrieve an account configuration code for personal distribution to users, follow these steps:

1. Review About Distributing Account Configuration Codes.
2. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members tab appears, showing a list of added domain group members.
3. From the Members page, click the member's name. The Account Information window appears, with an Account Information tab displaying the user identity information, including the member's account configuration code.
4. Copy the account configuration code to a safe place, and note the server name and identity name.
5. Click OK.
6. Deliver the account configuration code, the Groove Manager (Account Configuration server) name, and the identity name to the user in an e-mail, a private message, or other transfer method.

You have now distributed account configuration codes to Groove users. Upon receipt of an account configuration code, users enter the codes into Microsoft Office Groove. This creates a managed identity for each user and makes these users domain members. On the Members page, status for these users changes from Pending to Active. An envelope icon in the right-most column of the page indicates defined users who have not yet configured their managed Groove accounts.

Provisioning Managed Groove Users

The Groove Manager administrative Web interface lets you provision Groove users with user and device policies and Groove relay servers whenever you create a domain group or add a user to a group.
Once you register devices and relay servers with a domain, as outlined in Setting Up a Groove Management Domain, the Groove Manager applies templates of default identity and device policies, and relay servers to the domain group or user being defined. You can change templates or sets for a selected domain group or member by editing the group or member information, as described in these sections:

- Provisioning Domain Groups
- Provisioning Domain Members

For more information about templates and sets, see the sections listed in the following table:

For information about: | See this section of the guide:
Editing or changing identity policy templates | Managing Identity Policies
Editing or changing device policy templates | Managing Device Policies
Editing or changing relay sets | Managing Groove Relay Servers

Provisioning Domain Groups

You provision a domain group with policy templates and relay servers by editing its properties. To edit a group's properties, follow these steps:

1. Select Members or an administrator-created group in the Groove Manager navigation pane.
2. Click Group Properties in the toolbar. The group Properties page appears.
3. Select the desired identity template, device template, and/or relay set from the drop-down menus.
4. Click OK.

Provisioning Domain Members

You provision an individual domain member with policy templates and relay servers by editing the member's Account Information page. To edit a member's properties, follow these steps:

1. Select Members or an administrator-created domain group in the Groove Manager navigation pane.
2. Click a member on the Members tab. The Account Information page appears.
3. Select the desired identity template, device template, and/or relay set from the drop-down menus.
4. Click OK.

Viewing Domain Members

The Members tab lets you display status and identification information for all or specific members of a domain group or subgroup. The page also provides tools for sending account configuration codes to selected users, moving or deleting selected members, and exporting selected member identity contacts.

To view a list of managed users in a domain group, follow these steps:

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members tab displays the members list for the selected group.
2. To search for specific members, use the Search and Advanced Search buttons as described in Finding Domain Members.

3. To navigate between screens of member names, use the arrows at the bottom of the list.
4. Click the Search button. The list of members appears as specified. The default sort order is alphabetical by full name.
5. If more than 25 users are listed for the domain group and an Items per page drop-down menu appears, you can select a number from the list to specify the number of members to display per page.
6. To change the sort order, click on the column by which you want to sort.

The list displays the following columns of information:

Members List Columns | Values
Status | Icons specify the domain membership status of each user, as follows:
  - Active members - Users who have entered a managed account configuration code into Microsoft Office Groove, gaining management domain membership.
  - Pending members - Groove users for whom you have entered identity information but who have not yet configured their managed Groove accounts. If you need to send an account configuration code, select the user and click Send Groove Account Configuration Code from the Manage Members drop-down menu, then click OK to resend. An envelope icon indicates that an account configuration e-mail has been sent to a pending user from the Groove Manager but the user has not yet entered the account configuration code into Microsoft Office Groove. Right-clicking the icon displays the date and time that the e-mail was sent. The time value reflects the time zone of the Groove Manager. Once the user enters the account configuration code, the user status changes to Active and the icon disappears.
  - Disabled members - Groove users that you have temporarily disabled (suspended), as described in Disabling and Enabling Domain Members.
  - Migrated members - Domain members whom you have migrated to another domain, as described in Migrating Users to Another Domain. Appears only if domain migration is enabled and you are searching for migrated users using the Advanced Search option.
Full name | Specifies the user's full display name.
E-mail address | Specifies the user's e-mail address.
Last modified | Displays the date and time of the last modification to the user record. The time value reflects the time zone of the Groove Manager.
Directory Status | If a member was imported to the domain from a directory server (as described in Importing Members from a Directory of this guide), specifies member status on the directory server as follows:
  - Imported - Indicates that the member was imported from a directory server, with or without synchronization enabled.
  - Disabled - Indicates that an imported member was disabled on the directory server.
  - Deleted - Indicates that an imported member was deleted from the directory server. For information about deleting the member from the management domain, see Deleting Domain Members.
  For members that were not imported to the domain from a directory server, the column value is blank.
Last Account Backup | If you set an identity policy to schedule automatic user account backup, specifies the date of last backup. For information about scheduling account backup, see the section, Backing Up and Restoring User Account Data.

Viewing and Editing Domain Member Information

You can access and modify information about a specific domain member from the member's Account Information page. This page also displays devices - managed or unmanaged - that are associated with the user.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual members requires a role of Server, Domain, or Member administrator. You cannot edit a member's information, such as name, address, or phone number, if the member was imported or integrated from a corporate directory server.

To view or change information about a member, follow these steps:

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members tab displays the members list for the selected group.
2. To search for a specific user or category of user, use the Advanced Search and Search buttons, as described in Finding Domain Members.

3. From the Members tab, click the member name for which you want information. The member's information page appears, displaying the tabs described in the following table:

Domain Member Information Tabs | Description
Account Information | Displays information about the selected pending or active domain member account. Includes a button for resetting domain member password or smart card login credentials. For details about these fields, see the Login Credential Reset Fields table and the Account Information table.
Restore Account | Displays information about restoring a domain member account. For details about these fields, see Restoring Account Data.
Contact Information | Displays contact information for the selected domain member. For details about these fields, see the Contact Information table.

4. If you need to reset a domain member's password or smart card login credentials, you can use the fields described in the following table:

Login Credential Reset Fields | Values
Member: | Information only. Displays the selected domain member name.
Reset | Clicking this button displays the Reset Password or Smart Card login window where you can reset a Groove password or smart card login, upon user request and providing that Groove device policies allow. For more information about resetting Groove passwords or smart card logins, see Resetting Groove Login Credentials.

5. To view or edit user account information, from the Account Information tab, use the fields described in the following table:

Account Information | Values

Account Information
Groove Account Configuration Server | Information only. For pending users, specifies the name of the Groove Manager from which the Groove account configuration code was sent to this user.
Groove Account Configuration Code | Information only. For pending users, specifies the Groove account configuration code sent to this user by the domain administrator.
Digital fingerprint | Information only. For active users, specifies the digital fingerprint associated with the domain member's managed identity.
Account configured | Information only. For active users, specifies the date that the user entered the Groove account configuration code sent by the Groove administrator.
Domain | Information only. Specifies the domain of which the user is a member.
Group | Information only. Specifies the group of which the user is a member.

Settings
Identity Policy Template | Lists the Groove identity policy templates available for this domain. You can change the template for the specified user by selecting another template from the drop-down menu. For more information about identity policy templates, see Managing Identity Policies.
Relay Server Set | Lists the Groove relay server sets available for this domain. You can change the set for the specified user by selecting another relay server set from the drop-down menu. For more information about relay server sets, see Managing Groove Relay Servers.
Advanced | Displays the Advanced Relay Server Settings window where you can purge the queues on selected relay servers in the set for the specified user. For more information about purging queues, see Purging Member Relay Queues.

Devices with this Identity - Lists the managed and unmanaged devices associated with this domain member.
Name | Information only. Lists the managed and unmanaged devices associated with this domain member. For more information about managing devices, see Registering User Devices with the Groove Manager.
Version | Information only. The Groove version running on the device.
Last Used | Information only. The date that Groove was last used on the device.
Type | Information only. The type of device, as follows:
  - Managed - Registered with the Groove Manager and subject to Groove Manager device policies. To stop managing a device, click the Stop Managing button for that device.
  - Unmanaged - Not registered with the Groove Manager and not subject to Groove Manager device policies. For information about how to manage a device, see Registering User Devices with the Groove Manager.
Device Policy | Lists the Groove identity policy templates available for this domain. You can change the template for the specified user by selecting another template from the drop-down menu. For more information about device policy templates, see Managing Device Policies.
  Note: The assigned device policy template affects all user accounts on a managed device. Therefore, changing the device policy template for one user affects all other users of that device.
Stop Managing | Button

6. To restore a user account, click the Restore Account tab, and follow the procedure described in Restoring Account Data.
7. To view or edit user Contact information, click the Contact Information tab, and use the fields described in the table below. Change the editable information on this page as necessary:

Contact Information | Values
Member identity information fields | Specifies the full name, address, and other identity information that comprise this domain member's contact information. These fields are editable for users that were added to the domain directly or from an XML file. These fields are not editable for users that were imported to the domain from a directory server.
Custom fields | Fields created by the server administrator when integrating an onsite directory server with Groove Manager. These fields appear below the identity contact fields (below the Fax field).

8. When you are finished, click Apply to save your changes without closing the window, then OK to save and close.
Finding Domain Members

You can search for members in a domain or group by first name, last name, or e-mail address.

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members page appears, listing the members in the selected group.
2. To search for specific members, enter a search string for the name of the user that you want to find, then click the Search button. You can use wild cards without asterisks. For example, to search for all user names containing mac, enter the string: mac.
3. To search all the groups in a domain, select the Search entire domain check box. Leaving the box unchecked limits the search to the selected group.
4. To restrict the search to a specific user category, click Advanced Search, enter the required information, then click OK.

The following table describes the Advanced Search Fields:

Advanced Search Fields: | Descriptions
Search For | Lets you enter a search string for the domain member name that you want to find (for example, John Doe). Wild cards (without asterisks) are acceptable. For example, enter mac to search for all names containing mac.
Drop-down menu options | Restricts the search to one of the following domain member categories:
  - Active, pending, and disabled members - Displays active, pending, and disabled domain group members, as described for the individual items below.
  - Active members - Displays Groove users who have entered their Groove account configuration codes into Microsoft Office Groove, and are now management domain members.
  - Pending members - Displays Groove users in this domain or group for whom you have entered identity information but whose Groove account configuration codes have not been applied to the Groove client.
  - Disabled members - Displays Groove users that you have temporarily disabled (suspended), as described in Disabling and Enabling Domain Members.
  - Deleted members - Displays Groove users that you have deleted from the domain group, as described in Deleting Domain Members.
  - Members who are pending domain migration - Displays Groove users who are marked for migration to another domain. (Appears only if domain migration is enabled.)
  - Members who have already migrated to another domain - Displays migrated users who have logged into Groove as members of a new management domain. (Appears only if domain migration is enabled.)
  Default: Active, pending, and disabled members
Search entire domain | Searches all groups in the domain, regardless of what is selected (when enabled) or limits the search to the selected group (disabled). Default: checked (enabled)

Moving Domain Members to Another Group

The Groove Manager interface allows you to move domain group members from one group to another within the same domain. If a directory server is installed at your site, note the following when moving members:

- You cannot perform a move if either the source or target group of the move, or any parent group, originates from an LDAP directory server integration point.
- Assigned relay server sets and policy templates remain unchanged when members who originated from an LDAP directory server integration point along with the directory structure move from one group to another.

To move members from one group to another, follow these steps:

1. Go to the Groove Manager administrative Web site and select a management domain group or subgroup in the navigation pane from which you want to move members. The Members tab displays the members list for the selected group.
2. From the Members page, use the Search and navigation controls as needed, as described in Viewing Domain Members.
3. From the Members page, select the group members that you want to move. Clicking the top check box selects all members in the list.
4. Click the Manage Members drop-down list in the toolbar and select Move Members. The Move Members window appears.
5. In the Move Members window, select the group into which you want to move the selected members.
6. To move the members into a new group, with the same policy templates and relay sets as the parent group, click the Add Group button and enter a new group name.
7. To apply the policy templates and relay server set of the target group to the moved members, select the option: Change member's setting to match the group they will be moved into. To retain the moved members' original templates and sets, clear this option.
8. Click OK. This moves the selected members into the selected or new group.

Exporting Domain Members

The domain group Members pages let you export domain group members to an .xml or a .csv file. You can then use this file to add multiple members to another domain. Note that the exported members remain in the source domain.

The following columns of domain member information are exported (empty fields appear as blank values in the exported file):

A. Full Name (required for import)
B. First Name
C. Last Name
D. E-mail (required for import)
E. Title
F. Company
G. Street
H. City
I. State
J. Postal Code
K. CountryOrRegion
L. Phone
M. Fax
N. Cell
O. Activation Key (Account Configuration code. For information only; not used for export)
P. Status (For internal system use only; not used for export)
Q. Type (For internal system use only; not used for export)

To export domain group members to a file, follow these steps:

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members page appears.
2. From the Members page, use the Search and navigation controls as needed, as described in Viewing Domain Members.
3. Click the Manage Members drop-down list in the toolbar and select Export Members. An Export pop-up window appears.
4. If you want to export only selected members, select those members.
5. Choose the option of Selected items, or accept the default option of All items.
6. Select CSV or XML as a target file type, then click OK. A File Download pop-up window appears.
7. Click Save, enter the file location for saving the .xml or .csv file, and click Save again.

You can now import this file to another domain using the Add Multiple Members link, as described in Adding Multiple Members from a .csv File or Adding Multiple Members from an .xml File.

Disabling and Enabling Domain Members

You can suspend members of a domain group by temporarily disabling them, then re-enabling them as necessary. The following sections provide instructions for:

- Disabling Domain Members
- Enabling Domain Members

Disabling Domain Members

You can suspend selected members from a domain group via the Disable member option in the Manage Members drop-down list in the Member toolbar.

Note: If a directory server is installed at your site, imported members that have been disabled on the directory server appear as Disabled in the Directory Status column, regardless of their Groove Manager state.

To temporarily disable members in a domain group, follow these steps:

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane.
2. Click the Members tab. A list of group members appears, based on the default search criteria.
3. From the Members page, use the Search and navigation controls as needed, as described in Viewing Domain Members.
4. Select the members that you want to disable. Clicking the top check box selects all members in the list.
5. Click the Manage Members drop-down list in the toolbar and select Disable Members.

Enabling Domain Members

To re-enable members that you have disabled from a domain group, follow these steps:

1. Go to the Groove Manager administrative Web site and select a management domain group from the navigation pane.
2. Click the Members tab. A list of group members appears, based on the default search criteria.
3. To change the search criteria (for example, to display Active members), use the search text box and Search button, or the Advanced Search link, as described in Finding Domain Members.
4. Select the members that you want to enable. Clicking the top check box selects all members in the list.
5. Click the Manage Members drop-down list in the toolbar and select Enable Members.

Deleting Domain Members

The Groove Manager interface allows you to delete domain group members. Deleting a member disables the identity on the Groove client and has the following effects:

- Deleted users cannot access Groove spaces to which their managed identities belonged.
- Deleted users can no longer access any of the Groove Relay servers associated with the domain.
- Deleted users are no longer subject to domain policies governing their managed identity.
- Deleted users' devices are no longer subject to domain device policies.
- Files in Groove Folder Synchronization (GFS) directories will no longer be synchronized, although GFS files on deleted user devices will remain intact and accessible.

If a directory server is installed at your site, note the following when deleting members from a domain group:

- Members that were imported from the directory to a Groove Manager domain (not automatically integrated from a directory server integration point) will be deleted.
- Members that were automatically integrated from a directory server integration point without the directory data structure will be deleted, but they will reappear as Pending users. You can then decide to re-instate them with new account configuration e-mail, or delete them.
- User information that was integrated from a directory server integration point with data structure synchronization cannot be deleted using the Groove Manager interface.

Warning: The member deletion operation is NOT reversible. Once you delete a member from a domain group, you can no longer access their data unless you set a data recovery device policy that allows you to do so. You must set a data recovery policy for managed devices in order for administrators to recover data from members previously removed from the domain. For information about setting up a data recovery policy, see Setting Up Data Recovery on Managed User Devices.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete domain members.

To delete members from a domain group, follow these steps:

1. Go to the Groove Manager administrative Web site and select Members or one of its sub-groups from the navigation pane. The Members tab displays the members list for the selected group.
2. From the Members page, use the Search and navigation controls as needed, as described in Viewing Domain Members.
3. From the Members page, select the group members that you want to delete. Clicking the top check box selects all members in the list.
4. Click the Manage Members drop-down list in the toolbar and select Delete Members.
5. Click OK to confirm the deletion. This deletes the selected members from the Groove Manager and any associated Groove workspaces.

Purging Member Relay Queues

In the event that a managed user's relay queue becomes or is expected to become overloaded (for example from large file downloads), you can purge a domain group member's relay queues from onsite Groove Relay servers via the member's Account Information page. Purging the message queues permanently deletes all queued instant messages, Groove invitations, and workspace updates for the account associated with the selected managed identity on the specified relay server. Purged instant messages and invitations can never be recovered. However, Groove can recover workspace updates even after they are purged.

To purge a managed user's relay queues on a specific onsite Groove Relay server, follow these steps:

1. Go to the Groove Manager administrative Web site and select a management domain group or subgroup from the navigation pane. The Members tab displays the members list for the selected group.
2. To search for a specific user or user category, use the Search and Advanced Search buttons, as described in Finding Domain Members.
3. From the Members tab, click a member name. The Account Information page appears, displaying information for the selected user.
4. From the Account Information page, click the Advanced button. The Advanced Relay Server settings page appears with a list of registered relay servers, indicating Onsite or Hosted relay types.
5. From the Action column on the Advanced Relay Server Settings page, click the Purge link for any onsite relay servers whose queues you want to purge for the specified user. Clicking the button purges the appropriate queues.

6. Click OK to exit.

For more information about relay queues, see the Groove Relay Server Administrator's Guide included with the Groove Relay application.

Creating an LDAP Search String

The Import Members From a Directory Server feature, accessible from the Add Members page, allows you to add users to a management domain by importing user information from a corporate LDAP-based directory installed at your site. The process provides two main search options: one that lets you search for users in the directory by full name, and another that lets you enter a Lightweight Directory Access Protocol (LDAP) search filter that overrides any full name. This section provides details about entering a custom search filter. See Importing Members from a Directory for information about importing user information from a directory and accessing the Custom Filter field.

The Groove Manager maps the supported directory attributes as shown in Table 1 below.

Note: The directory attribute names shown in the table may vary, depending on which directory server version you are running.

Table 1. Groove Manager-to-LDAP Attribute Mapping

Groove Manager & Groove Contact Properties            Active Directory            iPlanet            Domino
Full Name                                             cn                          cn                 cn
First Name                                            givenName                   givenName          givenName
Last Name                                             sn                          sn                 sn
title                                                 title                       title              title
                                                      mail                        mail               mail
orgphone                                              telephonenumber             telephonenumber    telephonenumber
orgcell                                               mobile                      mobile             mobile
orgfax                                                facsimiletelephonenumber    Fax                facsimiletelephonenumber
Company                                               company                     o                  o
orgstreet                                             street                      street             officestreetaddress
orgstate                                              st                          st                 st
orgcity                                               l                           l                  l
orgcountryorregion                                    c                           c                  c
orgpostalcode                                         postalcode                  postalcode         postalcode
Unique Identifier (not in Groove Contact Properties)  objectguid                  nsuniqueid         UID

Note: You must have at least Read rights to all attributes in your search string.

To enter a simple LDAP search string in the Enter Custom Filter field, use the following basic format:

(<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>))...

where

<filtercomp> = An optional boolean operator, entered as a prefix to the search string, as shown in the following table:

<filtercomp>    Definition
&               And
|               Or
!               Not

<attribute> = An attribute from the LDAP directory table. For example, in an Active Directory table, o is an attribute representing the organization or company to which an employee belongs. See Table 1. Groove Manager-to-LDAP Attribute Mapping for a list of Active Directory, iPlanet, and Domino directory attributes.

<filtertype> = Any of the following symbols:

<filtertype>    Definition
=               Equals
~=              Approximately
>               Greater than
<               Less than

<value> = An attribute value from the LDAP directory.

Note that subfilters can be nested within filters. The following table shows some sample search filters for each directory type:

Search Expression: Search for all employees who work for any of the contoso companies.
<attribute><filtertype><value>
Sample Filters: Active Directory, iPlanet, or Domino: o=contoso*

Search Expression: Search for an employee whose full name is John Doe.
<attribute><filtertype><value>
Sample Filters: Active Directory, iPlanet, or Domino: cn=John Doe

Search Expression: Search for all employees except for John Doe and Jane Brown.
(<filtercomp>(<filtercomp>(<attribute><filtertype><value>))(<filtercomp>(<attribute><filtertype><value>)))
Sample Filters: Active Directory, iPlanet, or Domino: (&(!(cn=John Doe))(!(cn=Jane Brown)))

Search Expression: Search for all employees whose full name begins with A or B.
(<filtercomp>(<filtercomp>(<attribute><filtertype><value>))(<filtercomp>(<attribute><filtertype><value>)))
Sample Filters: Active Directory, iPlanet, or Domino: (|(cn=A*)(cn=B*))

Search Expression: Search for an employee who works for Contoso Corp. and whose last name is Doe or whose full name is John D.
(<filtercomp>(<attribute><filtertype><value>)(<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>)))
Sample Filters: Active Directory, iPlanet, or Domino: (&(o=Contoso Corp.)(|(sn=Doe)(cn=John D*)))

Search Expression: Search for all employees that are members of a specified group (such as Groove*) defined on the directory server.
(<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>))
Sample Filters:
Active Directory: (&(objectclass=group)(cn=Groove*))
iPlanet: (&(objectclass=groupofuniquenames)(cn=Groove*))
Domino: (&(objectclass=groupofnames)(cn=Groove*)) (&(objectclass=dominogroup)(cn=Groove*))

Initiating Client Contact With a Groove Manager

Once a Groove identity or a device is designated as managed in the Groove client software, Groove polls the Groove Manager periodically (generally, every 5 hours) for updates to products and policies, and to report statistics. If you want to force client contact with the Groove Manager so that users can receive updates within a polling interval, you can manually initiate Groove Manager communications from a Groove client.

To manually initiate Groove client communications with the Groove Manager, do any of the following on a Groove client:

Restart Groove.
Log in to Groove.
Log off of Groove.
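The filter format and sample filters from Creating an LDAP Search String, as an added example (not code from the guide or from Groove Manager): a Python parser that checks a custom filter against the documented format and the Table 1 attribute names before it is entered in the Enter Custom Filter field, then evaluates it over constructed directory entries. The function names, the sample entries, and the treatment of ~= as an ordinary wildcard match are assumptions made for the example.

```python
import re

# Union of the directory attributes listed in Table 1 for Active Directory,
# iPlanet and Domino, plus objectclass, which the group samples use.
TABLE1_ATTRIBUTES = {
    "cn", "givenname", "sn", "title", "mail", "telephonenumber", "mobile",
    "facsimiletelephonenumber", "fax", "company", "o", "street",
    "officestreetaddress", "st", "l", "c", "postalcode",
    "objectguid", "nsuniqueid", "uid", "objectclass",
}

# <attribute><filtertype><value>, with the four filter types the guide lists.
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(~=|=|>|<)(.+)")


class FilterError(ValueError):
    """Raised when a custom filter does not fit the documented format."""


def parse(text):
    """Return a nested tuple tree for a filter, or raise FilterError."""
    text = text.strip()
    if not text.startswith("("):          # bare form, e.g. o=contoso*
        return _item(text)
    node, pos = _group(text, 0)
    if pos != len(text):
        raise FilterError("unexpected text after position %d" % pos)
    return node


def _group(s, i):
    """Parse one parenthesised filter; the caller guarantees s[i] == '('."""
    i += 1
    if i < len(s) and s[i] in "&|!":      # <filtercomp> prefix
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _group(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterError("missing ')' for '%s' group" % op)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError("'%s' has the wrong number of subfilters" % op)
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise FilterError("unbalanced parentheses")
    return _item(s[i:end]), end + 1


def _item(text):
    """Validate a single <attribute><filtertype><value> comparison."""
    m = ITEM.fullmatch(text)
    if not m or "(" in text or ")" in text:
        raise FilterError("not <attribute><filtertype><value>: %r" % text)
    attr, ftype, value = m.group(1).lower(), m.group(2), m.group(3)
    if attr not in TABLE1_ATTRIBUTES:
        raise FilterError("attribute not in Table 1: %r" % attr)
    return ("item", attr, ftype, value)


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (a dict)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, ftype, value = node
    have = entry.get(attr)
    if have is None:
        return False
    have, value = have.lower(), value.lower()
    if ftype == ">":
        return have > value
    if ftype == "<":
        return have < value
    # '=' with '*' wildcards; '~=' is handled the same way here (assumption:
    # real directory servers apply their own approximate-match rules).
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(pattern, have) is not None


# Constructed sample entries, not taken from any real directory.
PEOPLE = [
    {"cn": "John Doe", "sn": "Doe", "o": "Contoso Corp."},
    {"cn": "Jane Brown", "sn": "Brown", "o": "Contoso Ltd"},
    {"cn": "Alice Doe", "sn": "Doe", "o": "Fabrikam"},
    {"cn": "Bob Stone", "sn": "Stone", "o": "Contoso Corp."},
]


def search(filter_text, entries=PEOPLE):
    """Return the cn of every entry the filter selects."""
    tree = parse(filter_text)
    return [e["cn"] for e in entries if matches(tree, e)]


def is_valid(filter_text):
    """True if the filter fits the documented format and Table 1 names."""
    try:
        parse(filter_text)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    for f in ("o=contoso*", "(|(cn=A*)(cn=B*))",
              "(&(o=Contoso Corp.)(|(sn=Doe)(cn=John D*)))"):
        print(f, "->", search(f))
```

Running a filter through is_valid before an import catches a dropped operator or an unbalanced parenthesis, which would otherwise select a different set of directory users than intended.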

Managing Identity Policies

Identity-based usage and security policies set a foundation for Groove user management. The identity policy template assigned to a user's domain group affects all devices where the user's managed account resides. Identity policies govern Groove user practices and security. Device-based policies, which apply to specific managed user devices registered with a management domain, offer an added level of control to Groove usage and security management. See Managing Device Policies for details about using device policies.

The following sections describe identity policies and how to use them to achieve your Groove management objectives:

Overview of Identity Policies
Creating Identity Policy Templates
Changing Identity Policy Templates
Editing Policy Template Names
Cloning Policy Templates
Deleting Policy Templates
Viewing and Editing Identity Policies
Automatically Managing Devices During Account Configuration or Logon
Requiring Managed Devices
Controlling Identity Publication
Backing Up and Restoring User Account Data
Controlling Login Credential Reset and Data Recovery
Resetting Groove Login Credentials
Customizing Reset Instructions
Setting Up Data Recovery on Managed User Devices
Managing User Interaction with Unknown Identities
Setting a Groove Version Requirement
Specifying Enterprise PKI Certificates
Setting Time Limit on Valid PKI Certificates
Blocking Files of Specific Types
Member Policies
Security Policies

Overview of Identity Policies

Identity policies control Groove activities associated with domain member identities. An identity policy template contains a collection of policy settings applied to a domain group. The policies affect all domain group members on any devices where a user's managed account resides. Related policy types are grouped on tabs as follows:

Member Policies, including account backup, identity publishing, and device management policies.
Security Policies, including user verification, Groove password reset, and blocked file policies.

The Groove Manager provides an initial template of default policies which is assigned to domain groups by default. You can create other templates at any time. You can also modify policy settings at any time, but examining and customizing the defaults as needed is a wise first step in setting up a managed Groove environment. Enacting Groove policies requires Groove users to be members of a management domain. See Adding Groove Users to a Domain for information about adding users to a domain.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.

For information about setting complementary device policies, see Managing Device Policies.

Creating Identity Policy Templates

The Groove Manager provides an initial default identity policy template that contains default policy settings appropriate for typical Groove use in an enterprise. You can create additional templates at any time, using the Add Template tool from the Identity Policy Templates page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add policy templates.

To create an identity policy template, follow these steps:

1. Go to the Groove Manager administrative Web site and from the navigation pane, select Identity Policy Templates for the domain. A list of templates appears in the main window.
2. Select Add Template in the toolbar. The Add Policy Template page appears.
3. In the Add Policy Template page, enter a template name and optional description in the corresponding fields.
4. Click OK. The new template appears in the list on the Policy Templates page and in the navigation pane. Clicking the template in the navigation pane lets you view the template's default policy settings and edit them.

Changing Identity Policy Templates

The Groove Manager provides a default identity policy template that applies to managed identities in a domain group. This initial template contains identity policy settings appropriate for typical Groove use in an enterprise. If you have defined additional identity policy templates (as described in Creating Identity Policy Templates), you can change default template assignments for any group or member, as described in the following sections:

Changing Identity Policy Templates for a Group
Changing Identity Policy Templates for a Group Member

Note: For information about editing identity policies in a template, see Viewing and Editing Identity Policies.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change policy templates at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

Changing Identity Policy Templates for a Group

To change identity policy templates for a domain group, follow these steps:

1. Go to the Groove Manager administrative Web site and select the domain's top-level Members group in the navigation pane. The Members page appears.
2. To change templates for an administrator-defined group, select that group or subgroup in the navigation pane. The Members page appears.
3. Select Group Properties in the toolbar.
4. From the group Properties page, select the desired policy template from the Identity Policy Template drop-down menu.
5. To apply this change to all subgroups and members of this group, select the option, Override settings for all members and subgroups. Otherwise, to leave subgroup and member template assignments as is, leave the option unchecked.
6. Click OK.

Changing Identity Policy Templates for a Group Member

To change identity policy templates for a group member, follow these steps:

1. Go to the Groove Manager administrative Web site and select the domain's top-level Members group in the navigation pane. The Members page appears with a list of group members.
2. To change the template for a user in an administrator-defined group, select the group or sub-group in the navigation pane. The Members page appears with a list of group members.
3. From the Members page, click the member name. The Account Information page appears.
4. From the Account Information page, select the desired template from the Identity Policy Template drop-down menu.

5. Click Apply to save your changes without closing, or OK to change and close.

Editing Policy Template Names

To edit a policy name and description, follow these steps:

1. Go to the Groove Manager administrative Web site and select the Identity Policy Templates or Device Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.
2. Click a template in the list (or click the template in the navigation pane, then click the Template Properties in the tool bar). The template Properties window appears.
3. In the template Properties window, edit the policy tool name and description as needed.
4. Click OK.

Cloning Policy Templates

You can clone a template and save it as a new template with another name, by using the Clone Template button available with each template.

To clone a template, follow these steps:

1. Go to the Groove Manager administrative Web site and select the Identity Policy Templates or Device Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.
2. Click the Clone Template button next to the template that you want to copy. The Clone Template window appears.
3. From the Clone Template window, enter a new template name and optional description in the appropriate fields.
4. Click OK.

You can now use the cloned template as a basis for a new policy template without overwriting the original.

Deleting Policy Templates

You can delete policy templates only if no groups or individual members are assigned to them. You cannot delete the last template.

To delete selected policy templates, follow these steps:

1. Go to the Groove Manager administrative Web site and select the Identity Policy Templates or Device Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.
2. Select the templates that you want to delete. Clicking the top box selects all templates in the list.
3. Select Delete Template in the toolbar.

If a template cannot be deleted because it is assigned to a group or member, a message appears indicating this condition. To delete assigned templates, make sure they are not assigned to any group or member. For information about reassigning templates, see Changing Identity Policy Templates or Changing Device Policy Templates, as appropriate.

Viewing and Editing Identity Policies

Identity policies are grouped into templates which apply to the identities in a domain group or to an individual identity. Most of these policies concern the security of company resources. Examine the templates that contain these policy settings to make sure that they are adequate for your organization, and change them if necessary.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to edit policies.

Note: Always click Save Changes in the tool bar to save your changes on one tab before moving to the next. If you click another tab without clicking Save Changes, your edits to that page will be lost.

To edit identity policies, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. Two identity policy tabs appear, as described briefly in the following table:

Identity Policy Tabs    Policies
Member Policies         Account backup scheduling; Groove Workspace version requirements; Identity publishing; Device management
Security Policies       User verification; Password reset; Blocked files; Identity authentication (appears only if Enterprise PKI was specified for the domain)

2. Click the tab for the policies that you want and edit them as necessary.
3. Click Save Changes in the toolbar (before clicking another tab).

Automatically Managing Devices During Account Configuration or Logon

As of Groove Manager version 3.0f, you can set an identity policy that allows the Groove Manager to automatically register Groove user devices with a management domain when users enter an account configuration code into Office Groove (or upon logon, for Groove 2007 or later). With the policy in effect, upon user acceptance during account configuration (or logon to Groove 2007 or later), the device registry key is applied to the user's local registry and the user's device is assigned a device policy template from the domain member group of which the identity is a member.

Note: The Groove Manager version 3.0f or later automatically handles the required device management key update. Earlier versions of the Groove Manager require

administrators to download the device management key from the selected device policy template, as described in Registering Devices in a Management Domain.

To set a policy that automatically adds a device to a management domain during Groove account configuration (and logon, for Groove 2007 or later), follow these steps:

1. Go to the Groove Manager administrative Web site and click a domain identity template from the navigation pane.
2. From the Member Policies tab, go to the Device Management Policies section and select the policy, Automatically manage devices at account configuration (and account logon for Groove 2007 and later). See Member Policies below for more information about this policy.
3. If you want to be sure that all devices of each managed Groove identity are managed, be sure to select the companion policy, Identities may only be used on a managed device in this domain. See Member Policies below for more information about this policy.
4. If you want to be sure that only managed identities from the device domain are used on the managed devices, select the corresponding device policy, Members can only use managed identities from this domain on devices in this domain, described in Requiring Managed Domain Devices for Managed Domain Members.
5. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

When this policy is in effect and users attempt to configure their new managed Groove account, a dialog box appears asking them to allow or reject device management. If the option, Identities may only be used on a managed device in this domain, is enabled, they will be warned that rejecting device management will prevent configuration of their managed Groove account. When a Groove 2007 user accepts device management, the key is applied to HKEY_CURRENT_USER/SOFTWARE/Microsoft/Office/Groove/ManagementDomain in the Windows registry of the client device.

For information about troubleshooting device management issues, see Domain-Level Troubleshooting.

Requiring Managed Devices

You can enhance the security of managed domains by setting a policy that requires managed identities to operate on managed devices. Managed identities subject to this policy cannot be accessed from an unmanaged device.

Note: Make sure that you have defined managed devices for each managed identity before selecting this policy. If no managed device is associated with a user, enabling this policy will prevent such users from accessing their managed identities. For information about managing devices, see Registering User Devices with the Groove Manager.

To require managed devices for member identities in the domain, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.

2. On the Member Policies page, select the option, Identities may only be used on a managed device in this domain to disable domain member identities on unmanaged devices.
3. Click Save Changes in the tool bar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. For more information about the policy for requiring managed devices, see Member Policies.

Controlling Identity Publication

You can control whether managed identities appear in the globally public Groove directory by setting member identity policies accordingly. Clicking an identity in the directory displays the identity's contact information (vcard).

To set an identity policy that controls the publication of member identities and contact information in the public Groove list, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears. If the option, Prohibit publishing of vcard to Groove Manager directory, was enabled in a previous Groove Manager version and appears here, you can leave the check box selected to continue blocking domain member contact information from the local domain member list (your corporate domain directory), or you can clear the check box, after which the option will no longer appear.
2. To allow users to publish domain member contact information in the public Groove directory, select the option, Allow publishing of vcard to the Public Groove Directory.
3. Click Save Changes in the tool bar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. For more information about the identity publication policy, see Member Policies.

Backing Up and Restoring User Account Data

If a Groove user loses a managed account, you cannot retrieve the account information or the user's workspace data unless you have a backup system in effect (or unless the user has chosen to save the account as a file locally). To prevent permanent loss of valuable data, you can define a policy for your domain that directs the Groove Manager to back up account data for management domain users at periodic intervals. The backed-up account is then available for restoration to the user. You can send the backed-up account to the user via an e-mail from Groove Manager or, if you prefer, you can download the account to a directory on your network and refer the user to that location.

Groove accounts consist of user identity information, contact lists, the workspace list, and domain management settings, all of which are saved during Groove's account backup. User accounts do not include Groove workspace data. Groove users can retrieve workspace data from other workspace members, using the workspace list as a reference, along with the Groove Fetch capability.

The following sections describe the two parts of this task:

Backing Up Account Data
Restoring Account Data

Backing Up Account Data

To avoid the consequences of lost or corrupted user account data, scheduling regular backup of account data is a wise practice. The Groove Manager lets you set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed-up information includes a user's identity information, contacts, workspace list, and domain settings. To minimize user disruption, the Groove Manager starts the backup at a specified interval, once a Groove user has logged into Groove and Groove has been idle for a designated interval (generally 15 minutes). A notifier appears in Groove indicating to users when a managed account backup is in progress and when it is complete.

Note: Groove domain user accounts are backed up only if the account user is logged in and the system has been idle for 15 minutes. If at the time of backup a user is not logged in, that account cannot be backed up.

To set an identity policy to enable automatic backup of account data, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.
2. On the Member Policies page, enter a value in the field, Back up account interval in days, to specify the number of days between server backups of user account data. You must import the backed-up file within 60 days of its last backup date in order to restore it; specifying short backup intervals helps ensure that backed-up accounts will be available when needed.
3. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. The server now saves user accounts at the interval you defined. You restore account data as described in the next section. For more information about the backup policy, see Member Policies.

Restoring Account Data

Once you have enabled a user account backup policy for managed identities in the domain, as described in Backing Up Account Data, you can restore a user's account if it is lost or damaged, or configure the account on another device for that user. The version of the account available for restoration will be as of the last backup date; any data added to the account after the last backup interval will be lost. Therefore, if an account resides on multiple devices and you believe that one of these devices contains a more recent version of the account than the backed-up version, restore the account from that device instead of restoring the backed-up account. For help restoring expired accounts, contact a Microsoft Support technician.

Note that Groove workspaces are not backed up directly. Groove users can retrieve workspaces from other active workspace members by using the workspace list and the Groove Fetch capability.

As of Groove Manager 2007, an automatic account restoration feature provides a practical alternative to manual account restoration. For information about automatic account restoration, see your Groove Manager server administrator or the Server Administration portion of the Help.

To manually restore a managed user's backed-up account, follow these steps:

Note: You must import the backed-up file within 60 days of its last backup date. Contact a Microsoft Support technician for help in restoring expired accounts.

1. Go to the Groove Manager administrative Web site and select a domain group in the navigation pane, then click the Members tab. The Members page appears.
2. Use the Search boxes to display the desired members.
3. Click the member whose account you want to restore. The Account Information page appears.
4. Click the Restore Account tab. The Restore Account page appears. If the backup policy is in effect and accounts have been backed up, the page lists the backed-up accounts, displaying details for each as described in the table below. If the Restore Account tab is greyed (not available), the backup policy is not in effect or no accounts have been backed up.

Restore Account Fields    Values
Name                      The name of the domain member who owns the account.
Last backup               The date of the most recent account backup.
Device Name               Name of the device on which the account was backed up.
Size                      Size in megabytes of the backed-up account.

5. If you do not want to send the backed-up account in an e-mail to a user, click the Download button to save the backed-up account file (<identity>.grv) to a specific location to which you can refer the user, then click OK.
6. Enter or edit the account restoration fields, described in the following table, then click the Send button, then click OK. This will attach the backed-up account file <identity>.grv along with the e-mail to the user for restoration.

Restore Account/Send Fields    Description
Template                       Specifies the account backup templates available. Select Sample account restoration to display the initial default account restoration e-mail.

Restore Account/Send Fields    Description
Send To                        Specifies the destination (member's address) for the account restoration e-mail.
From                           Specifies your domain administrator address.
Subject                        Specifies the subject of the e-mail.
Message                        Displays the default template. Accept the default e-mail, edit the default, or enter a new message, as necessary. For information about creating Groove Manager templates, see Adding, Editing, and Deleting Templates.
Save as a new template         Available only if Allow this to be saved is enabled. Accept the supplied name to change the existing template, or enter a new name to save changes in a new template (added to the Select drop-down list for future use).
Make this the default for this activity    Available only if Allow this to be saved is enabled. Select this option to make this message the default template for distributing account backup files.

7. Once the Groove user receives this e-mail, the user can restore the account using the New Account wizard, available by clicking the Groove icon in the system tray and selecting the option to use existing account.

Restoring an account gives a Groove user a list of their workspaces. The Groove user can retrieve workspace data from other workspace members, using the workspace list as a reference, along with the Groove Fetch capability. You create, edit, and delete account restoration e-mails, as described in Adding, Editing, and Deleting Templates.

Controlling Login Credential Reset and Data Recovery

In order to reset a lost password or smart card login, or to recover data for managed Groove users, you must set up the appropriate management policy and make sure your users open their managed Groove accounts after the policies are in place so that the policy will be applied to their account. The policy must be in their account for login credentials to be reset or data to be recovered.

As of version 3.0f of the Groove Manager, this identity policy is available for managing users of Groove version 3.0f or later. For information about setting equivalent policies in environments with users running Groove Virtual Office 3.0e or earlier, see Appendix A. Password Reset and Data Recovery (Groove 3.0e or Earlier).

The following sections provide background and instructions for setting login reset and data recovery policies:

Login Credential Reset vs. Limited Data Recovery
Selecting a Login Credential Reset Policy

Login Credential Reset vs. Limited Data Recovery

Groove protects each user account with the user's Groove account password or smart card login. Account data includes identity, contact, and workspace data, as well as private and secret keys generated locally by Groove (when Groove user accounts, identities, or workspaces are created, for example). The password/smart card login protection scheme applies to both managed and unmanaged accounts. This means that by default, administrators cannot access any Groove account information, whether managed or unmanaged. However, under certain conditions, for example if a user on a managed device loses or forgets a password or smart card login, or leaves the company, an administrator may need to access a user's Groove data.

Groove Manager identity policies allow administrators to recover data without knowing the user's original login credentials. These policies provide options for complete data access via password reset and limited data access, as follows:

The login credential reset option allows administrators to reset a user's password or smart card login, gaining complete access to a user's account and workspace data, including access to the user's private key information. Because administrators with this level of access can impersonate users, this level of access should be used judiciously. Administrators considering this access level must weigh the risk of misuse through impersonation against the benefit of allowing user accounts to be reconfigured.

The limited data recovery option, without password reset, allows administrators to access the user's Groove data without gaining complete access to the user's account. This level prevents an administrator from accessing the user's private cryptographic information, such as the user's private and secret keys. It thus also prevents the administrator from being able to impersonate the user (for example, by sending Groove instant messages and workspace updates on behalf of the user). Because administrators cannot gain full entry to the user's account after this type of data recovery, the workspaces from a user's account are restored in another location (a specified account or directory) for future use or reference. This option limits administrative access, providing protection against misuse through impersonation while allowing limited recovery of the user's data.

Both recovery levels require the use of a data recovery key pair: a public key contained in a certificate (.cer) file and a private key contained in a password/smart card-protected private key store (.xml) file. These keys are created during domain creation by the Groove Manager administrator (and can be changed subsequently by server or domain administrators). The data recovery public key is encapsulated in a data recovery policy and disseminated to all the managed devices governed by the policy. Since this feature utilizes public key cryptographic technology, an administrator can gain access to an account only if the account was first encrypted with a data recovery public key and the correct corresponding data recovery private key (to which only the data recovery administrator has access) is used to access the account.

When a Groove user is governed by a data recovery policy, Groove encrypts user account and workspace data with the data recovery public key. If limited data recovery is the chosen policy level, only the user's data (including workspace data) is encrypted with the data recovery public key. If password/smart card login reset is the chosen policy level, the user's secret and private cryptographic keys are encrypted, along with the user's data. The

data recovery administrator uses the corresponding data recovery private key to decrypt and gain access - limited or full - to the user's account, without knowing the user's original Groove login credentials.

Selecting a Login Credential Reset Policy

You can set an identity policy that governs how Groove login credentials and data recovery should be handled in your organization.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server Administrator or Domain Administrator to set this policy.

To set an identity policy that allows or prohibits resetting of Groove passwords or smart card logins, and/or data recovery (for Groove 3.0f or later clients), follow these steps:

1. Go to the Groove Manager administrative Web site and select an identity policy template for the domain in the navigation pane.
2. Click the Security Policies tab.
3. Scroll to the Password or Smart Card Login section and select one of the following reset/recovery options (see Login Credential Reset vs. Limited Data Recovery for information about Groove login and data protection; see the Security Policies table for more information about device security policies):
   - Automatic password reset - Allows automatic resetting of user password/smart card login credentials, and recovery of workspace data, providing that the data recovery key and password, defined on the Domain Properties page, are stored on the Groove Manager.
   - Manual password reset - Allows manual (administrator-controlled) resetting of password/smart card login credentials, and recovering data.
   - Data recovery without password reset - Allows administrator-controlled data recovery without resetting of login credentials. For details about this option, see Setting Up Data Recovery on Managed User Devices.
   - None - Prohibits resetting of login credentials and recovering data.
4. Click OK. This policy will be disseminated to each managed identity in the domain the next time the user connects to the Groove Manager. Upon receiving the policy, each managed account encrypts its on-disk data with the data recovery public key.
5. Make sure that users open their managed accounts to receive the policy as soon as possible. This must be done before a password is lost, in order to retrieve data and/or reset a password.

See the Password/Smart Card Login Reset Policies section of the Security Policies table for detailed information about these policies. For detailed instructions about resetting user password or smart card logins, see the following section, Resetting Groove Login Credentials. For detailed instructions about setting up data recovery without login credential reset, see Setting Up Data Recovery on Managed User Devices.
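
The following Node.js sketch is an added example, not code from Groove or from this guide. It models the two policy levels described under Login Credential Reset vs. Limited Data Recovery: which account secrets are encrypted to the data recovery public key decides what the holder of the recovery private key can open later. The primitives (scrypt, AES-256-GCM, RSA-OAEP, Ed25519), the function names, and the policy labels none, recovery and reset are assumptions chosen for illustration; the guide does not state Groove's algorithms.

```javascript
// Added illustration; primitives and names are assumptions, not Groove's own.
const crypto = require('crypto');

// Recovery key pair: public half goes out in policy, private half stays in a
// passphrase-protected store held by the data recovery administrator.
function newRecoveryKeyPair(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

function seal(key, plaintext) { // AES-256-GCM with a fresh nonce per message
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box) { // throws when the key is wrong or the data was altered
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

const loginKey = (password, salt) => crypto.scryptSync(password, salt, 32);
const wrapFor = (publicKey, secret) =>
  crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, secret);
const unwrapWith = (store, blob) => crypto.privateDecrypt(
  { key: store.privateKey, passphrase: store.passphrase, oaepHash: 'sha256' }, blob);

// policy (hypothetical labels): 'none' | 'recovery' (limited) | 'reset' (full)
function createAccount(password, workspaceData, policy, recoveryPublicKey) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32); // protects workspace data
  const keysKey = crypto.randomBytes(32); // protects the user's private keys
  const identity = crypto.generateKeyPairSync('ed25519');
  const lk = loginKey(password, salt);
  const account = {
    policy, salt,
    identityPublic: identity.publicKey,
    data: seal(dataKey, Buffer.from(workspaceData)),
    identityPrivate: seal(keysKey, identity.privateKey.export({ type: 'pkcs8', format: 'der' })),
    login: { dataKey: seal(lk, dataKey), keysKey: seal(lk, keysKey) },
    escrow: {},
  };
  // Limited recovery escrows only the data key; reset also escrows keysKey.
  if (policy !== 'none') account.escrow.dataKey = wrapFor(recoveryPublicKey, dataKey);
  if (policy === 'reset') account.escrow.keysKey = wrapFor(recoveryPublicKey, keysKey);
  return account;
}

function login(account, password) {
  const lk = loginKey(password, account.salt);
  const dataKey = open(lk, account.login.dataKey);
  const keysKey = open(lk, account.login.keysKey);
  return {
    data: open(dataKey, account.data).toString(),
    identityPrivate: crypto.createPrivateKey(
      { key: open(keysKey, account.identityPrivate), format: 'der', type: 'pkcs8' }),
  };
}

// Works under both escrowing policies and yields data only, never user keys.
function recoverData(account, store) {
  if (!account.escrow.dataKey) throw new Error('account was never encrypted to a recovery key');
  return open(unwrapWith(store, account.escrow.dataKey), account.data).toString();
}

// Works only under 'reset': both keys are re-protected with a new password.
function resetLogin(account, store, newPassword) {
  if (!account.escrow.keysKey) throw new Error('policy does not escrow the user keys');
  const dataKey = unwrapWith(store, account.escrow.dataKey);
  const keysKey = unwrapWith(store, account.escrow.keysKey);
  account.salt = crypto.randomBytes(16);
  const lk = loginKey(newPassword, account.salt);
  account.login = { dataKey: seal(lk, dataKey), keysKey: seal(lk, keysKey) };
}

function demo() { // all values below are constructed samples
  const passphrase = 'constructed-store-passphrase';
  const pair = newRecoveryKeyPair(passphrase);
  const store = { privateKey: pair.privateKey, passphrase };
  const limited = createAccount('old-pw', 'Q3 plan', 'recovery', pair.publicKey);
  const full = createAccount('old-pw', 'Q3 plan', 'reset', pair.publicKey);
  let limitedResetRefused = false;
  try { resetLogin(limited, store, 'new-pw'); } catch { limitedResetRefused = true; }
  resetLogin(full, store, 'new-pw');
  const msg = Buffer.from('workspace update');
  const sig = crypto.sign(null, msg, login(full, 'new-pw').identityPrivate);
  return {
    limitedData: recoverData(limited, store),
    limitedResetRefused,
    // After a reset the administrator can unlock the user's signing key.
    adminCanSignAsUser: crypto.verify(null, msg, full.identityPublic, sig),
  };
}
console.log(demo());
```

In this model an account created under the none label has nothing escrowed, which mirrors the guide's requirement that users receive the policy before a password is lost.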

Resetting Groove Login Credentials

A password or smart card login is associated with each Groove user account. In a managed environment, a password and smart card login private key, generated during domain creation by the server administrator, enables the resetting of Groove passwords or smart card logins. As of version 3.0f or later of the Groove Manager, an identity policy allows login credential reset for managed users running Groove 3.0f or later, as described in the following sections. For information about resetting login credentials in environments with users running Groove 3.0e or earlier, see Controlling Login Credential Reset and Data Recovery (for Groove version 3.0e or earlier).

As of version 3.0f, the Groove Manager offers two options for resetting Groove login credentials (passwords and smart card logins) for managed users running Groove version 3.0f or later:

- Users can reset their Groove login credentials upon receipt of a permission-granting e-mail sent to them automatically from the Groove Manager after they request a password or login change from Microsoft Office Groove, as described in Automatic Reset of Groove Login Credentials.
- Administrators can reset Groove login credentials manually, as described in Manual Reset of Groove Login Credentials.

The Before You Begin section describes preliminary steps that apply to either of the above options. The Client Login Credential Reset section describes the Groove user actions.

Before You Begin

Regardless of whether you use the manual or automatic login reset option, be aware of the following requirements and considerations before you begin:

- Upgrade all managed identities in a domain to Groove 3.0f or later before trying to use the login credential reset policies available on the 3.0f Groove Manager Identity Policy pages.
- Allowing reset of a forgotten Groove user password or smart card login involves the reset private key, generated during domain creation by the server administrator. Therefore, you need the reset private key file (an .xml file) and the reset private key password (if they are not stored on the server), obtainable from your server administrator.
- In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Support Administrator to reset passwords or smart card logins.

Automatic Reset of Groove Login Credentials

As of version 3.0f of the Groove Manager, you can set a policy that allows the server to automatically process managed user requests for password or smart card login reset, providing that users are running Groove 3.0f or later. Domain members can then click the Reset Password or Smart Card Login button from Groove and the Groove Manager will
automatically send them an e-mail containing temporary login credentials.

Note: This policy depends on a companion setting, enabled by the server administrator during domain creation, which allows the necessary reset private key information to be saved to the Groove Manager. Both the policy and companion option must be set prior to a user sending a reset request.

To set an identity policy that enables automatic reset of Groove login credentials in environments running Groove Manager 3.0f or later with Groove 3.0f users, follow these steps:

1. Review the Before You Begin section.
2. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane.
3. Click the Security Policies tab and, from the Password Reset Policies section, select the Automatic option.
4. Click Save Changes. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

When a domain member clicks the Reset Password or Smart Card Login button from Groove, the Groove Manager will automatically send them an e-mail containing a temporary password and instructions for using it (as does the Microsoft Office Groove Web site for unmanaged users).

Manual Reset of Groove Login Credentials

You can set an identity policy that lets you centrally control Groove user login credential reset, once the Groove Manager and Groove clients are configured so that the necessary private key is available (on the Groove Manager or in a specified file from which you can upload it temporarily to the Groove Manager) when users need to reset their own passwords. When a domain member clicks the Forgot your password? link in the Groove Login window of Groove and notifies an administrator of this request, the administrator can use the Groove Manager's Account Information page to grant the request.

To grant login credential reset permission to a managed Groove user (for Groove version 3.0f or later), follow these steps:

1. Review the Before You Begin section.
2. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane.
3. From the Security Policies tab, select the Manual password/smart card login reset option.
4. Verify that Groove users have accessed their managed account (to receive the reset policy).
5. When a domain member clicks the Reset Password or Smart Card Login button from Groove and notifies you of the request, by phone or other method, go to the Groove Manager administrative Web site and in the navigation pane, click the domain group of which the user is a member. The Members tab appears with a list of group members.
6. From the Members tab, click the name of the member requesting the reset. The Account Information window appears.
7. From the Account Information window, click the Reset Password or Smart Card Login button (available when a member has clicked the Request Reset button from Groove). The Reset Password or Smart Card Login window appears, which includes a Reset Access Code and a form for resetting the user password or smart card login.
   - If the reset private key (generated by the server administrator during domain creation) resides in a specified file, instead of on the Groove Manager, the Reset form includes a File location text box.
   - If the option to Remember private key login credentials has been enabled on the domain setup page and the private key is stored on the Groove Manager, a short form appears that does not involve using the reset private key.
8. If a File location text box appears, browse to the file location of the reset private key.
9. Confirm with the user that the Reset Access Code on the Groove Manager matches the Reset Access Code in Groove's Request Reset window on the user's device.
   Note: Make sure to verify that the user who requested the password or smart card login reset is authorized to use the Groove account.
10. If the access code on the Reset Password page does not match the user's access code, press the Refresh Access Code button to check if a new access code is available. Note that refreshing the screen discards any unsaved changes to the user information or password reset form. Therefore, a pop-up message appears allowing you to click OK to proceed and refresh the screen, or Cancel to cancel the refresh.
11. Select the option, I confirm I have verified the member's identity and the password reset access code.
12. Click OK. This action attempts to open the user's secret key file using the private key password or smart card login that you entered. If the key is in a specified file, it is uploaded to the Groove Manager at this time. If the private key password or smart card login is valid, a Reset confirmation pop-up window appears. Otherwise, an error message window appears.
13. Click OK to accept the confirmation, or to accept the error and correct your entry.

The user's screen automatically refreshes and displays a form that allows them to enter a new password or select new smart card login certificates. You can customize the text instructions in this form as described in Customizing Reset Instructions. See Client Login Credential Reset for the managed Groove user's perspective of this process.

Client Login Credential Reset

Managed users running Groove on managed devices in a domain are subject to administrative control over their password/smart card login reset capability. Once you set up the management environment to enable users to reset their Groove passwords, as described in Manual Reset of Groove Login Credentials or Automatic Reset of Groove Login Credentials, users must request permission to reset their password or smart card login (if they have forgotten it, for example). This section describes the Groove user actions involved in
password resetting.

Note: If the Manual Reset option is in effect, users should be prepared to authenticate themselves outside of Groove to the domain administrator when requesting a password/smart card login reset.

The Groove user request for password/smart card login reset permission involves the following steps:

1. A managed Groove user assigned to an identity policy that has the reset password or reset smart card login policy enabled requests a password by clicking the Forgot your password? or Request Smart Card Login Reset link on the Groove login window. This displays a Request Password Reset or Request Smart Card Login Reset pop-up window that contains the user's password reset or smart card login access code along with instructions to contact the administrator. If the user defined a password hint and a hint pop-up window appears with a Request Reset button, the user, reminded by the hint, can try logging in again.
2. The user contacts the domain administrator (by phone, for example) and verifies identity to the domain administrator by citing the reset access code in the Request Reset window. This code should match what appears to the administrator in the member's Account Information - Reset Password or Smart Card Login page on the Groove Manager.
3. The user presses the Request Reset button. Clicking Request Reset refreshes the Request Password/Smart Card Login Reset window, generates a reset request entry in the Groove Manager audit log, and displays a Reset Password or Reset Smart Card Login button in the Groove Manager's Account Information page for this user. Clicking the Cancel button cancels the request and returns to the Groove login window.
4. The administrator responds to the reset request, as described in Manual Reset of Groove Login Credentials, or the Groove Manager responds automatically, as described in Automatic Reset of Groove Login Credentials.
5. If a New Password window appears on the client screen, along with instructions, the user enters a new password, confirms it, and clicks OK. Groove opens the user's managed account. If a New Smart Card Login window appears, along with instructions, the user selects new certificates and clicks OK. Groove opens the user's managed account.

Customizing Reset Instructions

The policies that govern resetting of login credentials include a feature that lets you edit the instructions that managed users receive after requesting a password or smart card login reset (as described in Manual Reset of Groove Login Credentials). For example, you may want to include the administrator's Help desk phone number for the user to call when a reset is necessary. In environments using version 3.0f or later of the Groove Manager, with managed users of Groove 3.0f or later, you access this feature from the identity policies Security Policy tab by clicking the Edit Reset Settings button.

For information about customizing reset instructions for managed users with Groove 3.0e or earlier, see Customizing Reset Instructions for Managed Devices (for Groove 3.0e or earlier).

To customize the password/smart card login reset instructions sent to managed users of Groove 3.0f or later who request a reset, follow these steps:

1. Go to the Groove Manager administrative Web site and click a domain identity template in the navigation pane.
2. Click the Security Policies tab.
3. Scroll to the Password or Smart Card Login section and click the Edit Reset Settings button. A scrollable text window appears.
4. Edit the default text as necessary.
5. Click OK. The edited text will appear above the password reset access code in the client's Request Reset message.
6. Click Save Changes in the toolbar. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

For more information about this option, see the Password Reset Policies section of the Security Policies table.

Setting Up Data Recovery on Managed User Devices

Groove workspace and account data reside on Groove user devices and are protected with each user's password or smart card login credentials. This means that, by default, if a user leaves the company or forgets a password or smart card login, no one can access that user's workspaces without knowing the user's login credentials. While the Groove Manager provides options for resetting Groove login credentials which allow full access to a Groove account, the Groove Data Recovery Administration Tool enables you to access a user's workspace and related data without the need to reset login credentials.

As of version 3.0f, you set a Groove Manager identity policy to allow administrative data recovery for users of Groove version 3.0f or later. Once the policy is in effect, you can use the Data Recovery Administration Tool (DRAT, included with Office Groove 2007) on a client device to access a user's Groove data. The tool requires access to the domain data recovery private key and password, generated during the domain creation process.

Note: The data recovery procedure is designed to gain access to a user's existing data (or reset Groove login credentials); it does not restore data that has been corrupted or destroyed.

For information about other options for resetting Groove passwords or smart card logins, see Controlling Login Credential Reset and Data Recovery. For information about backing up and restoring user accounts, see Backing Up and Restoring User Account Data. For information about setting up data recovery for managed identities with Groove 3.0e or earlier, see Setting Up Data Recovery on Managed Devices (for Groove 3.0e or earlier).

If you want to reset managed user passwords, consider using the centralized procedures described in Resetting Groove Login Credentials.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Support Administrator to use the data recovery tool described in the procedure below.

To recover a user's Groove data or reset a user's Groove password using the Groove Data Recovery Administration Tool (DRAT), follow these steps:

1. Make sure that Groove is not running on the user's device where you are trying to restore data.
2. Ensure that your management domain identity policies are set to allow data recovery, as described in Controlling Login Credential Reset and Data Recovery.
3. For a client running Groove 2007 or later, do the following:
   a. From the client device where you are trying to restore data, log in to the user's Windows account with the user's login credentials.
   b. Locate the Data Recovery Administration Tool, DRAT.exe, included with the Groove installation, as of Groove This tool enables you to restore the password and/or data on a client machine.
   For a client running Groove 3.1 or earlier, do the following:
   a. From the client device where you are trying to restore data, open a browser and go to the Groove Manager administrative Web site.
   b. Click Domain Properties in the toolbar. The domain properties page appears.
   c. Click the Password Settings tab and select the Groove version installed on managed user devices in the Download data recovery tool for Groove version field, then click the Download button. A standard Save As pop-up window appears.
   d. In the Save As window, browse to the network location where you want to store the Data Recovery Administration Tool, DRAT.exe, and its associated system files, which enables you to restore the password and/or data on a client machine.
4. Run the Data Recovery Administration Tool, DRAT.exe, from its current location.
   Note: Do not try to run the .exe file from a remote location; you must download and run it from the client PC.
5. Select a data recovery option as follows:
   - Reset Password - To reset the user's password and restore full access to all workspaces and account data, providing that your domain policies allow resetting a user's password.
   - Recover Workspaces - To access Groove workspace information by copying it into another location. If you need to re-instate the workspaces in their new location, you must ask the workspace owners to invite you into them or invite other members yourself.
6. Edit the following fields, then click Next:
   a. In the Private Key File field, enter the file path for the private key file
   (<keyname>.xml file) that was generated during initial Groove Manager domain setup.
   b. In the administrator Password field, enter the administrator private key password that was originally defined.
7. If you chose the Reset Password option, the Reset Password page appears. Proceed as follows:
   a. In the Account Name field, select the name of the managed account that you want to restore.
   b. In the New Password field, enter a new password, then enter it again in the Confirm new password field.
   c. Click Finish.
   d. Click OK to exit.
   e. Launch Groove and log into the user's account after entering the new password when prompted.
8. If you chose the Recover Workspaces option, the Groove Data Recovery page appears, where you specify a data export option, as described in the following table:

   Recovery option: Export Spaces Into: New account
   Description: Choose this option to copy the selected workspaces to a new Groove account, then do the following:
      1. Click the Next button to display a page where you enter the account name and password of the new account.
      2. Enter the information, then click Next again to select a workspace.
      3. Click the Finish button, then click OK when prompted.

   Recovery option: Export Spaces Into: Existing account
   Description: Choose this option to copy selected workspaces into another existing account on the device, then do the following:
      1. Click the Next button to display a page where you select an existing name and its correct password.
      2. Enter the information, then click Next again to select workspaces.
      3. Click the Finish button, then click OK when prompted.

   Recovery option: Export Spaces Into: Folder
   Description: Choose this option to copy the selected workspaces into a specified directory, then do the following:
      1. Click the Next button to display a page where you select a directory path and an optional password for each space.
      2. Click Next again to select workspaces.
      3. Click the Finish button, then click OK when prompted.

9. If you saved the workspaces in an existing account, launch Groove and open the specified account.
10. If you exported the workspaces to a folder, restore the spaces on the Groove client as follows:
   a. From the client device, launch Groove.
   b. From the File menu, choose New, then Workspace From - Archive. The Browse pop-up window appears.
   c. Browse to the location where you saved the workspaces.
   d. Enter the password you defined with the Data Recovery tool.
   e. Click OK. The workspace appears in the Groove list of workspaces.

Managing User Interaction with Unknown Identities

The Groove Manager user verification policy lets you control how domain members communicate with workspace contacts, depending on whether the identities of those contacts have been verified. The following sections provide information and instructions for setting this policy:

- Verified or Certified vs. Unknown Groove Identities
- Setting Up a User Verification Policy

Verified or Certified vs. Unknown Groove Identities

Because Groove contact lists may include Groove identities of varying degrees of familiarity to a domain member, the Groove Manager lets you set a domain security policy that warns of or prevents communication with identities who have not been verified by the domain member or certified by a domain administrator. The default setting for this policy is to allow domain members to communicate with any contacts. Tightening this policy helps create a more secure environment for collaboration in your organization. The Groove Manager user verification policy overrides related settings on the Groove client.

You can guard against careless interaction between domain members and unknown identities - in this context, those who have not been personally verified or administrator-certified - by setting a policy that requires Groove to intercept member attempts to communicate with unknown identities as follows:

- Display a warning to domain members when they attempt to communicate with an unknown identity. The warning encourages members to verify the identity personally, then to mark the identity as verified (currently distinguished in Groove by color). Members can verify other identities using any of the following methods:
   > Authenticating the user identity by confirming the identity's digital fingerprint.
   > Checking the identity's membership in familiar workspaces.
   > Contacting the user by phone or otherwise verifying the identity outside of Groove.
- Allow domain members to communicate only with administrator-certified contacts - those who are certified members of their domain or of a cross-certified domain.

The warning or prevention policy goes into effect when a domain member attempts one of
the actions listed in the following User Action table.

User Action: Sending an instant message or workspace (.grv) invitation (including light chat and MS Instant Messages), or replying to or forwarding an instant message.
Identity Security Policy Effect: Policy enacted when domain members attempt to send a Groove message or invitation to recipients who are unverified or uncertified. If a warning policy is in effect, Groove displays a Verify pop-up window, prompting the sender to verify unknown users in the invite list. The sender may or may not choose to do so. If a prevention policy is in effect, Groove displays a pop-up window listing the uncertified users and explaining that communication with those users will not occur.

User Action: Confirming workspace invitations.
Identity Security Policy Effect: Policy enacted upon a domain member's acceptance of a Groove invitation sent from a contact whose identity is unverified and uncertified. If a warning policy is in effect, Groove displays an invitation confirmation pop-up window to the domain member inviter. If the inviter confirms the acceptance, a Verify Identity pop-up window appears, prompting the inviter to manually verify the identity of the invitee. The inviter may or may not choose to do so. If a prevention policy is in effect, Groove does not download the workspace to the domain member's device.

User Action: Opening a workspace.
Identity Security Policy Effect: Appears to domain members when they attempt to open a workspace containing Groove contacts whose identities are unverified and uncertified. If a warning policy is in effect, Groove displays a Verify Identity pop-up window, prompting the domain member who is opening the workspace to manually verify the identities of the unauthenticated contacts. The member may or may not choose to do so. If a prevention policy is in effect, Groove displays a pop-up window upon user navigation to the workspace, explaining that some members of the space are uncertified. Members cannot access the space.

User Action: Creating a workspace.
Identity Security Policy Effect: Appears to domain members when they are about to send a Groove invitation (.grv file) to contacts whose identities are unverified and uncertified. If a warning policy is in effect, Groove displays a Verify Identity pop-up window, prompting the inviter to manually verify the identities of the unauthenticated users in the invite list. The workspace creator may or may not choose to do so. If a prevention policy is in effect, Groove displays a pop-up window stating that some invitation recipients are uncertified and prevents those contacts from joining the space.

User Action: Fetching a workspace.
Identity Security Policy Effect: Appears to domain members when they attempt to fetch a workspace from Groove contacts whose identities are unverified and uncertified. If a warning policy is in effect, Groove displays a Verify Identity pop-up window, prompting the domain member to manually verify the contact's identity before fetching the workspace. The member may or may not choose to do so. If a prevention policy is in effect, Groove displays a pop-up window explaining that the workspace member who is the source of the fetch is uncertified. The domain member must fetch from a certified workspace member.

Setting Up a User Verification Policy

Setting a user verification policy on the Groove Manager allows you to control how domain members communicate with unknown Groove contacts. The Groove Manager policy overrides a corresponding identity security policy on Groove clients.

To configure a user verification policy, follow these steps:

1. Review Verified or Certified vs. Unknown Groove Identities for term clarification in the context of different PKI options.
2. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.
3. Click the Security Policies tab. Go to the User Verification Policy section of the Security Policy page and select one of the policy options. For more information about these policy settings, see the Security Policies table.
4. Click Save Changes in the toolbar. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

Setting a Groove Version Requirement

You can set an identity policy that specifies a minimum Groove version for member collaboration in new workspaces. With this policy enabled, affected domain members can only accept invitations to (or restore from an archive) the specified minimum Groove version (or a later version). The default setting for this policy for newly created domains is This means that domain members running earlier Groove versions must upgrade in order to collaborate with Groove 2007 users in new workspaces. Upgraded members can retain existing workspaces created from earlier Groove versions.

To change the Groove workspace version requirement, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.
2. On the Member Policies page, under Workspace Version Policies, set a Workspace Acceptance and Restoration Policy by selecting one of the following options from the Minimum Workspace Version drop-down menu:
   Client Default - To allow Groove client settings to determine the minimum version of Groove workspaces to which domain members can accept invitations or that they can restore. Selecting Client Default lets you set a Groove version policy for workspace creation
   To specify that domain members can only accept invitations to or restore workspaces created from the current Groove version. This policy supersedes any corresponding version settings on the Groove client.
   No Minimum - To specify that domain members can accept invitations to or restore workspaces created from any Groove version. This policy supersedes any corresponding version settings on the Groove client. Selecting No Minimum also lets you set a Groove version policy for workspace creation.
3. If you selected Client Default or No Minimum in the Workspace Acceptance and Restoration policy, set a Workspace Creation Policy by selecting one of the following options from the Default Workspace Version drop-down menu:
   3.0 etc - To override the Groove client workspace version requirement (for example, to enable users in a mixed Groove environment to use a mutually compatible version of Groove tools without added steps).
   Client Default - To accept the Groove client workspace version requirement (2007 for Groove 2007, 3.0 for Groove 3.0, and so on by default).
4. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. See the Member Policies table for more information about the default workspace version policy.

Specifying Enterprise PKI Certificates

If Enterprise PKI is your chosen identity authentication method, specified during domain creation, domain member identity authentication depends on valid certificates listed with your company's Public Key Infrastructure (PKI) Certificate Authority (CA). Groove users will be prompted to select a certificate during account configuration.
You can control which certificates will be available and used to authenticate domain member identities by setting an identity policy for the management domain. Filtering the selection avoids confusion over which certificate a user should select.

To limit domain member identity authentication certificate choices to those signed by specific Certification Authorities (those certificates whose certificate chain contains a specific CA), follow these steps:
1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.
2. Click the Security Policies tab.
3. From the Security Policies page, add identity authentication certificates to the identity policy template as follows:
   a. Click the Add CA Certificate button. A file download window appears so that you can download a CA certificate file.
   b. Browse to the location of your company's identity authentication certificates

and click OK to download the file to the identity policy template. The CA certificate appears in the certificate list, along with its issuer name. You can click the certificate name to view its contents.
4. Repeat the Add CA Certificate step for each CA certificate that you want to download.
5. To delete any unwanted CA certificates from the Groove Manager, click the Delete Certificate button next to the CA certificate that you want to delete.
6. If necessary, edit the value in the field: Consider an Identity authentication certificate invalid if revocation status has not been updated in days.
7. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. See the Security Policies table for more information about these fields.

Setting Time Limit on Valid PKI Certificates

If Enterprise PKI is your chosen identity authentication method, specified during domain creation, you can control when identity authentication certificates become invalid - after a number of days during which revocation status was unavailable - by setting an identity policy accordingly.

To set an identity policy that specifies when an identity authentication certificate becomes invalid, follow these steps:
1. Go to the Groove Manager administrative Web site and select a domain identity policy template in the navigation pane. The Member Policies tab appears.
2. Click the Security Policies tab.
3. From the Security Policies page, edit the value in this field: Consider an identity authentication certificate invalid if revocation status has not been updated in days.
4. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. See the Security Policies table for more information about this policy.
Blocking Files of Specific Types

Microsoft Office Groove blocks files with specific extensions by default. The Groove Manager provides an identity security policy that allows you to override this list with modifications of your own, or to disable the blocking entirely. Note that removing file types from the list can increase the risk of virus entry into your system.

To modify the default Groove file-blocking policy, follow these steps:
1. Go to the Groove Manager administrative Web site and click a domain identity template in the navigation pane. The Member Policies page appears.
2. Click the Security Policies tab.
3. Scroll to the Blocked Files section of the page.

4. To modify the Groove default list of blocked files, select the option, Override Groove's default list of blocked files. A text field appears, with the current list of default files. The allowed file types are the same as those specified in Microsoft Office as safe for sharing.
5. Edit the default blocked files list, as necessary, as follows:
   To disable file blocking, delete all files from the list. Keep the check box selected after deleting the files.
   To modify the list, add files to or delete files from the list. You can use the following wildcard characters in any file pattern:
      * To indicate any characters in that position (for example, *.txt to indicate all files that end with .txt).
      ? To indicate one character of any value in that position (for example, ?.txt to indicate all files with a one-character root, followed by the .txt extension).
   Note: Omitting the wildcard character only specifies a file of a specific name. For example, .txt indicates a file of the name .txt. It does not indicate all files that end with .txt.
6. Click Save Changes in the toolbar.

Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. See Blocked Files in the Security Policies table for more information about this policy.

Member Policies

The following table describes Member identity policy settings:

Member Identity Policy Settings and Descriptions

Account Backup Policies

Setting: Back up account interval in days
Description: Specifies how often the Groove Manager will automatically back up user accounts for managed identities in the domain. Enter a number from 1 to 7 in the text box to enable account backup and specify the number of days between backups. Leaving the text box empty disables this policy, and accounts will not be backed up. To restore a backed-up account to a user, use the Members details page to send the user along with the information necessary for restoring the account. For details about setting this policy, see Backing Up and Restoring User Account Data.
Default: 4 days (for onsite Groove Manager); 30 days (for Groove Enterprise Services Manager)

Groove Workspace Version Policies

Member Identity Policy Settings and Descriptions (continued)

Setting: Workspace Acceptance and Restoration Policy - Minimum Workspace Version:
Description: Specifies a minimum Groove version for member collaboration in new workspaces. Options are as follows:
   Client Default - Allows Groove client settings to determine the minimum Groove version of workspaces that they join. Under this policy, domain members can accept (or restore) workspaces created from a Groove version that complies with their own workspace version settings
   (the default) - Specifies that members can only accept invitations to (or restore) workspaces created from Groove 2007 workspaces. Upgraded members can retain existing workspaces created in earlier Groove versions.
   No Minimum - Allows members to accept invitation to (or restore) workspaces created from any Groove version, regardless of client settings. Selecting this option allows you to select a Workspace Creation Policy.
For details about setting this policy, see Setting a Groove Version Requirement.
Default: current Groove version

Setting: Workspace Creation Policy - Default Workspace Version:
Description: If Client Default or No Minimum is the selected Workspace Acceptance and Restoration policy, select one of the following version options for workspace creation:
   Client Default - To accept the Groove client workspace version requirement
   To override the Groove client workspace version requirement with this setting.
Default: Client Default

Identity Publishing Policies

Setting: Prohibit publishing of vcard to Groove Manager directory
Description: Appears when enabled in a previous Groove Manager version. Specifies that the Groove Manager should NOT publish the managed identity contact information (vcard) of domain group members to the local Groove Manager directory of domain members. Selecting this option prohibits vcard publication in the Groove Manager domain member directory. Clear this check box to allow vcard publication in the Groove Manager member directory, after which this option will no longer appear. For details about setting this policy, see Controlling Identity Publication.
Default: unchecked

Setting: Allow publishing of vcard to Public Groove Directory
Description: Specifies that the Groove Manager can publish the managed identity contact information (vcard) of domain group members to the Public Groove Directory. Selecting this option allows vcard publication in the public Groove directory. Leaving the option unchecked prevents vcard publication in the Public Groove Directory. For details about setting this policy, see Controlling Identity Publication.
Default: unchecked

Member Identity Policy Settings and Descriptions (continued)

Device Management Policies

Setting: Identities may only be used on a managed device in this domain
Description: Specifies that managed identities in the selected domain can only be used on managed devices. Selecting this option sets the restriction. Leaving the option unchecked allows managed identities to be used on any device, managed or not. Note: If no managed device is associated with a user, enabling this policy will prevent such users from accessing their managed identities. For information about managing devices, see Registering User Devices with the Groove Manager. For details about setting this policy, see Requiring Managed Devices.
Default: unchecked

Setting: Automatically manage devices at account configuration (and account logon for Groove 2007 and later)
Description: Enables the Groove Manager to automatically manage Groove user devices upon account configuration (or upon account logon, for clients running Groove 2007 or a later version). For details about setting this policy, see Automatically Managing Devices During Account Configuration or Logon.

Security Policies

The following table describes Security identity policy settings:

Security Identity Policy Settings and Descriptions

User Verification Policies
Specifies how the Groove Manager handles domain member communication with unknown contacts.

Setting: Do not warn or restrict members when communicating with any contacts.
Description: When this option is in effect, Groove will not display warnings prior to communication with unverified identities. For details about setting this and related policy options, see Managing User Interaction with Unknown Identities. This is the default option.

Setting: Warn members before communicating with contacts that have been neither administrator-certified nor manually verified by the member.
Description: When this option is in effect, Groove displays a Verify Identity pop-up window, prompting users to verify an unknown identity before attempting to communicate with that identity.

Setting: Only allow members to communicate with administrator-certified contacts.
Description: When this option is in effect, Groove allows communications among administrator-certified identities only. Administrator-certified identities include fellow domain members and members of any cross-certified domains. See Setting Up Cross-Domain Certification for information about cross-certifying a domain.

Security Identity Policy Settings and Descriptions (continued)

Identity Authentication Certificates

Setting: Limit members' identity authentication certificate choices to certificates signed by the following CAs:
Description: If the selected domain was created with Enterprise PKI, you can use this policy to limit member identity authentication certificate choices to those signed by specific Certification Authorities (CAs) in an Enterprise PKI environment. Click Add CA Certificate in the toolbar and browse to specific certificates to add those CAs to the list on the current identity policy template. You can click the Delete Certificate button next to any CA certificate that you want to delete from the Groove Manager list. Specified certificate names and associated issuers appear in the certificate list. With this policy in effect, for identity authentication, managed users may only attach to their contacts those certificates whose chain contains one of these CAs. For details about setting this policy, see Specifying Enterprise PKI Certificates.

Setting: Consider an identity authentication certificate invalid if revocation status has not been updated in days
Description: If the selected domain was created with Enterprise PKI, specifies the number of days that may pass before a certificate is considered invalid because its updated revocation status has been unavailable (for example, when a managed user is offline for an extended period). For details about setting this policy, see Setting Time Limit on Valid PKI Certificates.
Default: 90

Password/Smart Card Login Reset Policies (Groove 3.0f or later)

Security Identity Policy Settings and Descriptions (continued)

Setting: Login Reset options (applies to Groove Manager 3.0f for use with Microsoft Office Groove 3.0f or later)
Description: Lets you set one of the following password or smart card login reset options:
   Automatic reset - Allows automatic reset of user passwords/smart card logins. With this option enabled, users who request a login credential reset from Groove receive an from the onsite server or Groove Enterprise Services, supplying them with a temporary password. Note: This option requires that the data recovery key and password, defined on the Domain Properties page, are stored on the Groove Manager.
   Manual reset - Allows administrator-controlled reset of managed user passwords/smart card logins.
   Data recovery without reset - Allows administrator-controlled recovery of managed users' workspace data on managed devices without resetting of user passwords/smart card logins. For more information about this option, see Setting Up Data Recovery on Managed User Devices.
   None - Prevents reset of managed user passwords/smart card logins or recovery of member data on managed devices.
Default (for new domains): Automatic reset.
For details about setting these policies, see Controlling Login Credential Reset and Data Recovery.

Setting: Edit Reset Settings (Requires Groove 3.0f or later)
Description: Displays a window that lets you edit the password/smart card login reset instructions that managed Groove users receive in response to a reset request. For details about setting this policy, see Customizing Reset Instructions.

Blocked Files

Setting: Override Microsoft Office Groove's default list of blocked files
Description: Specifies whether the Groove/Microsoft Office list of blocked files should remain in effect. Selecting this option displays the list of currently blocked files, delimited by a comma (,) or space, which you can edit. Note that removing file types from the list can increase the risk of virus entry into your system. You can use the following wildcard characters in any file pattern:
   * To indicate any characters in that position (for example, *.txt to indicate all files that end with .txt).
   ? To indicate one character of any value in that position (for example, ?.txt to indicate all files with a one-character root, followed by the .txt extension).
Note: Omitting the wildcard character only specifies a file of a specific name. For example, .txt indicates a file of the name .txt. It does not indicate all files that end with .txt.
For details about setting this policy, see Blocking Files of Specific Types.
Default: Unchecked
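The wildcard rules of the Blocked Files policy described above, as an added example that is not part of the original guide or of Groove itself: a small Python checker that parses an override list, applies the * and ? semantics, and flags entries that lack a wildcard before the list is saved. The sample list and file names are constructed, the function names are hypothetical, and case-insensitive matching is an assumption.

```python
import re

# Constructed sample override list (not Groove's real default list).
# The guide states that entries are delimited by a comma or a space.
SAMPLE_POLICY = "*.exe, *.vbs .scr ?.bat"

# Constructed file names to evaluate against the list.
SAMPLE_FILES = ["setup.exe", "INVOICE.VBS", "screensaver.scr",
                ".scr", "a.bat", "run.bat"]


def parse_block_list(text):
    """Split the policy text field into individual file patterns."""
    return [p for p in re.split(r"[,\s]+", text.strip()) if p]


def pattern_to_regex(pattern):
    """Translate one pattern using only the two documented wildcards:
    '*' = any characters in that position, '?' = exactly one character.
    Every other character is taken literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: matching ignores case, as Windows file names do.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def is_blocked(filename, patterns):
    """True if the whole file name matches at least one pattern."""
    return any(pattern_to_regex(p).fullmatch(filename) for p in patterns)


def lint_block_list(text):
    """Return warnings for a list that may not do what was intended."""
    patterns = parse_block_list(text)
    warnings = []
    if not patterns:
        # An empty list with the override selected disables blocking.
        warnings.append("list is empty: file blocking is disabled")
    for p in patterns:
        if "*" not in p and "?" not in p:
            warnings.append(
                f"{p!r} has no wildcard: it matches only a file "
                f"named exactly {p}"
            )
    return warnings


def unblocked(filenames, text):
    """Return the file names that the override list would let through."""
    patterns = parse_block_list(text)
    return [f for f in filenames if not is_blocked(f, patterns)]


if __name__ == "__main__":
    for warning in lint_block_list(SAMPLE_POLICY):
        print("WARNING:", warning)
    print("Not blocked:", unblocked(SAMPLE_FILES, SAMPLE_POLICY))
```

Running the checker against a list of extensions you expect to be blocked shows which ones an edited override list no longer covers, such as the .scr entry here that was entered without a leading *.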


Managing Device Policies

Device-based installation and security policies set a foundation for Groove device management. The device policy template assigned to a user's domain group applies to specific managed user devices only; it does not affect unmanaged devices also running Groove. Once you add Groove devices to a management domain, you can use the Groove Manager to oversee Groove password creation, device-based security policies, data recovery, and other aspects of Groove use on those devices.

Note: You must register devices with a management domain, as described below, in order to implement device policies.

The sections below describe device policies and how to use them to achieve your Groove management objectives:
   Overview of Device Policies
   Registering User Devices with the Groove Manager
   Creating Device Policy Templates
   Changing Device Policy Templates
   Administering Device Templates
   Viewing and Editing Device Policies
   Preventing Multiple Accounts on a Managed Device
   Preventing Account Import
   Requiring Managed Domain Devices for Managed Domain Members
   Setting Groove Login Password Policies
   Setting Smart Card Login Policies
   Controlling Messenger Integration
   Controlling Groove Directory Searches
   Locking Out Accounts
   Setting Strong Private Key Protection
   Controlling Direct Access to Remote Web Services
   Controlling Groove Tool Usage on Managed Devices
   Limiting Groove Bandwidth Usage for Devices
   Enabling Groove Client Auditing
   Account Policies
   Client Policies

   Security Policies
   Groove Audit Policies

Overview of Device Policies

Device policies add another tier of control to Groove identity policies (described in Managing Identity Policies). Groove devices are associated with users at the time of managed account configuration, but until they are explicitly defined as managed they remain unaffected by device policies. You must register devices with a management domain in order to implement device policies. You can register devices manually or set up automatic device registration during account configuration. This brings the devices under the control of domain device policies.

Device policies control Groove activities associated with domain member devices. A device policy template contains a collection of policy settings applied to a domain group. The policies affect the managed devices associated with domain group members. Device policies are grouped on tabs, as follows:
   Account Policies, including multiple account management and identity management policies.
   Client Policies, including MS Messenger integration, directory search, and tool usage policies.
   Security Policies, including Groove password, account lockout, and Web Access policies.
   Audit Policies, including Groove client audit scheduling, Groove events, and Groove tool events.

Enacting Groove device policies requires Groove devices to be members of a management domain. See Registering User Devices with the Groove Manager for information about adding devices to a domain.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.
For information about setting identity policies, see Managing Identity Policies.

Registering User Devices with the Groove Manager

You can manage Groove devices (user computers) by updating their Windows registries with a Groove Manager key, available from any of a domain's device policy templates. This key binds the device to a management domain and makes it eligible for device policies defined in templates for that domain. You must manage your Groove devices if you want to set device-based policies.

The following sections provide background and instructions for registering devices in a management domain:

   Overview of Device Registration
   Registering Devices in a Management Domain
   Stopping Device Management

Overview of Device Registration

Registering Groove devices with the Groove Manager enables you to apply device policies to managed user PCs. The Groove Manager recognizes registered devices as managed and under domain jurisdiction. The devices become subject to the policies set in the device policy template assigned to the managed identity's domain group.

The most efficient way to register devices is by setting an identity policy that automatically manages client devices upon Groove user account configuration. For information about automatically adding a device to a management domain, see Automatically Managing Devices During Account Configuration or Logon.

Alternatively, you can register devices manually. The first step in this process is to bind user devices to a domain by installing a management domain registry key on each user device that you want to manage. This registry key (.reg) file, accessible from any Groove Manager device policy page, contains Groove Manager registry settings that are added to the Windows registry of the client device. You then deploy the key to client devices individually or via a centralized software deployment system. One device registry key is associated with all device policy templates in a domain, so centralized device key deployment within a management domain is a practical approach.

Note: Attempting to register a device a second time from a different domain results in overwriting the device management settings with those of the second domain.

While you can register user devices at any time, registering them during initial Groove Manager setup is preferable because it allows you to enforce initial Groove password requirements. Password creation policies are device policies and so can be applied only to managed devices. Device policies become effective on a device once the device receives the policy from the Groove Manager.
Devices obtain policies upon Groove startup, login/logoff, and during periodic contact with the Groove Manager (generally every 5 hours).

You can view users and their devices on the members information pages, as described in Viewing and Editing Domain Member Information. For information about troubleshooting device management issues, see Domain-Level Troubleshooting.

Registering Devices in a Management Domain

You can register devices in a management domain manually, as described below, or you can set an identity policy that allows automatic device management registration for Groove users upon account configuration. For information about automatically adding a device to a management domain, see Automatically Managing Devices During Account Configuration or Logon.

To add a device to a management domain, follow these steps:
1. From any client device, go to the Groove Manager administrative Web site and select a domain identity policy template, then select the policy, Identities may only be used on a managed device in this domain.
   Note: Setting this policy helps prevent managed users from trying to remove their device from your managed domain by deleting its registry key.
2. Open a device policy template in the domain you are managing.
3. From the selected device template, click Download Device Management Key in the toolbar. A File Download pop-up window appears.
4. Click the Open button, then OK to download the Groove Manager registry key (contained in a .reg file) to the local device. Or, click the Save button, enter a directory location, then click Save to save the registry settings in a client-accessible directory for subsequent distribution. It may then be accessed by a centralized software deployment system, if you choose. All devices in the domain share the same registry key, so if you save the registry key in a file, you can use it to update the registry of any devices that you want to manage within that domain.
5. Using your normal registry key distribution method, apply the registry settings to each Groove client device that you want to include in your domain or group. Click the .reg file to apply the registry settings to the current device. On Groove 2007 devices, this registry setting is applied to HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Office/Groove/ManagementDomain
6. Restart Groove on the client devices to update their Windows registries.

Once Groove starts on the managed device, the device appears as Managed in the device list on the Groove Manager Account Information page for the managed users of this device (as described in Viewing Domain Members). The device is then subject to the default or customized device policy templates assigned to domain groups and members.
Note: Managed devices are password-protected by default.

For information about making a managed device unmanaged, see Stopping Device Management.

Stopping Device Management

You can stop managing a domain member's device from the member's account information page.

To stop managing a domain member's device, follow these steps:
1. Go to the Groove Manager administrative Web site and click the domain in the navigation pane.
2. Select Members or a Members sub-group. The Members page appears.

3. From the Members page, select the member whose managed device you want to stop managing. The Account Information page appears with a list of member devices in the bottom half of the page.
4. Click the Stop Managing button next to any device with Managed in the Type column.

The device is no longer subject to Groove Manager device policies and no longer displays Managed as the device Type.

Creating Device Policy Templates

The Groove Manager provides you with an initial device policy template that contains default policy settings appropriate for typical Groove use in an enterprise. You can create additional device templates at any time, using the Add Template tool from the Device Policy Templates page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add policy templates.

To create a device policy template, follow these steps:
1. Go to the Groove Manager administrative Web site and from the navigation pane, select Device Policy Templates for a domain. A list of templates appears in the main window.
2. Click Add Template in the toolbar. The Add Policy Template page appears.
3. In the Add Policy Template page, enter a template name and optional description in the corresponding fields.
4. Click OK.

The new template appears in the list on the Templates page and in the navigation pane. Clicking the template in the navigation pane lets you view the template's default policy settings and edit them.

Changing Device Policy Templates

The Groove Manager provides a default device policy template that applies to all devices on which managed identities in a domain group have an account. This initial template contains device policy settings appropriate for typical Groove use in an enterprise. If you have defined additional device policy templates (as described in Creating Device Policy Templates), you can change default template assignments for any group or member.
Note that an assigned device policy template affects all users of a managed device. Therefore, changing the device policy template for one user affects all other users of that device.

The following sections explain how to re-assign device policy templates:
   Changing Device Policy Templates for a Group
   Changing Device Policy Templates for a Group Member

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change policy templates at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

Note: For information about editing device policies in a template, see Viewing and Editing Device Policies.

Changing Device Policy Templates for a Group

To change device policy templates for a group, follow these steps:
1. Go to the Groove Manager administrative Web site and select the domain's top-level Members group in the navigation pane. The Members page appears.
2. To change the template of an administrator-defined group, select that group or subgroup in the navigation pane. The Members page appears.
3. Select Group Properties in the toolbar.
4. From the group Properties page, select the desired template from the Device Policy Template drop-down menu.
5. To apply this change to all subgroups and members of this group, select the option, Override settings for all members and subgroups. Otherwise, to leave subgroup and member template assignments as is, leave the box unchecked.
6. Click OK.

Changing Device Policy Templates for a Group Member

You can change the device policy template applied to any managed device associated with a group member. Device policy templates do not affect unmanaged devices.

To change device policy templates for a group member, follow these steps:
1. Go to the Groove Manager administrative Web site and select the domain's top-level Members group in the navigation pane. The Members page appears with a list of group members.
2. To change the template for a user in an administrator-defined group, select the group or sub-group in the navigation pane. The Members page appears with a list of group members.
3. From the Members page, click the member name. The Account Information page appears, listing the devices associated with the user in the bottom half of the page. The Type column indicates whether a device is Managed or Unmanaged.
4. Select the desired template from the Device Policy drop-down menu for each Managed device, as needed.
5. Click Apply to save your changes without closing, or OK to change and close.
Administering Device Templates

You can edit, clone, or delete device policy templates from the Device Policy pages on the Groove Manager. Note that in a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.

For instructions about administering device policy templates and settings, see the appropriate sections in the Managing Identity Policies, and substitute device policy tabs,

fields, and menus for identity policy equivalents. The following table lists the relevant references:

For information about: Editing a policy template name
See: Editing Policy Template Names

For information about: Cloning a policy template
See: Cloning Policy Templates

For information about: Deleting policy templates
See: Deleting Policy Templates

Viewing and Editing Device Policies

Device policies are grouped into templates which apply to devices associated with identities in a domain group. Most of these policies concern the security of company resources. Examine the templates that contain these policy settings to make sure that they are adequate for your organization and change them if necessary.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to edit policies.

Note: Always click Save Changes in the toolbar to save your changes on one tab before moving to the next. If you click another tab without clicking Save Changes, your edits to that page will be lost.

To edit or view device policies, follow these steps:
1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane. Four device policy tabs appear, as described briefly in the following table and in detail in the sections below:

Device Policy Tabs and Policies

Account Policies:
   Creation of multiple accounts
   Importing accounts
   Use of managed identities on managed devices

Client Policies:
   MS Messenger integration
   Directory search
   Groove component installation (for previous Groove versions)
   Groove tool usage
   Bandwidth

Security Policies:
   Groove Login method (password or smart card)
   Groove Password creation
   Groove Account lockout
   Strong private key protection
   Web Services

Device Policy Tabs       Policies
Groove Audit Policies    Audit server; Account events; Tool events

2. Click the tab for the policies that you want and edit them as necessary.
3. Click Save Changes in the toolbar (before clicking another tab).

Preventing Multiple Accounts on a Managed Device

You can set a device policy to prevent management domain members from creating additional accounts on their managed devices.

To set a device policy that prevents domain members from creating additional accounts on their managed devices, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device template in the navigation pane. The Account Policy page appears.
2. From the Account Policy page, select the option, Members cannot create multiple accounts.
3. Click Save Changes in the toolbar.

See the Account Policies table for more information about this policy.

Preventing Account Import

You can set a device policy to prevent management domain members from importing accounts on their managed devices.

To set a device policy that prevents domain members from importing accounts on their managed devices, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device template in the navigation pane. The Account Policy page appears.
2. From the Account Policies page, select the option, Members cannot import accounts.
3. Click Save Changes in the toolbar.

See the Account Policies table for more information about this policy.

Requiring Managed Domain Devices for Managed Domain Members

You can set a device policy to prevent the use of unmanaged identities (or identities from another domain) on managed devices. With this policy in effect, only members of the same domain as the device can use the managed device. For information about making devices managed, see Registering User Devices with the Groove Manager.

To set a device policy that requires users of the managed device to be members of the device's domain, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device template in the navigation pane. The Account Policy page appears.
2. From the Account Policies page, select the option, Members can only use managed identities from this domain on devices in this domain.
3. Click Save Changes in the toolbar.

See the Account Policies table for more information about this policy.

Setting Groove Login Password Policies

You can set a collection of identity policies to control the passwords created to log in to Groove.

To set policies that control Groove password creation and use, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device template in the navigation pane.
2. Click the Security Policies tab.
3. Select the option, Members will log in to Groove using: Passwords. A set of password policies appears on the screen.
4. To control Groove password characters, memorization, expiration periods, and repeatability, select the appropriate policy options as needed.

Note: As of Groove 2007, if you set a management domain device policy to enable Groove password memorization and you set a domain identity policy to enable Groove password reset, memorized Groove passwords on all managed devices used by managed identities in that domain are encrypted in Windows password credentials, making password memorization more secure. Note that resetting a user's Windows password results in loss of the remembered Groove password and the user is prompted to re-enter the password. For more information about setting an identity policy that enables Groove password reset, see Controlling Login Credential Reset and Data Recovery.

For more information about the Microsoft Windows Data Protection API, see the Microsoft Support Web pages on How to troubleshoot the Data Protection API (DPAPI), article Q

5. Click Save Changes in the toolbar.

See Password Policies in the Security Policies table for more information about this policy.

Setting Smart Card Login Policies

You can set a collection of device policies to control how smart cards are used to log in to Groove on managed devices.

To set policies that control the use of smart cards to log in to Groove on managed devices, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device template in the navigation pane.
2. Click the Security Policies tab.
3. Select the option, Members will log in to Groove using: Smart cards. A set of smart card policies appears.
4. To limit smart card login certificate choices to those signed by specific Certification Authorities (CAs) in an Enterprise PKI environment, go to the option, Limit members' smart card login certificate choices to certificates signed by the following CAs: and modify the list as follows:
   a. Click Add CA Certificate in the toolbar to add allowed CA certificates to the current Groove Manager domain. A File location window appears.
   b. From the File location window, browse to the certificates you want to add to the current device policy template, then click OK.
   c. To delete a CA certificate from the Groove Manager list, click the Delete button next to the certificate.
5. To limit the time un-updated certificates can remain valid, select the option, Enable revocation checking, and enter a value in the field Consider a smart card login invalid if revocation status has not been updated in this many days.
6. Click Save Changes in the toolbar.

See Smart Card Login Policies in the Security Policies table for more information about this policy.

Controlling Messenger Integration

Groove allows Groove users to integrate Messenger contacts into their Groove contact lists by default. You can set a policy that prevents Messenger integration with Groove on domain members' managed devices and a policy that prevents users from changing the integration setting.

To set policies that override Groove's default Messenger integration, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Client Policies tab.
3. Select one of the following options:
   Enable Messenger integration - Selecting this option allows management domain members to communicate with Messenger contacts via Groove's Messenger integration feature.
   Disable Messenger integration - Selecting this option prevents management domain members from using Messenger integration.
4. Set the policy Allow members to change Messenger integration settings, as needed. Selecting this policy prevents Groove users from changing the Messenger Integration setting in Groove.

5. Click Save Changes.

See the Messenger Integration Policies section of the Client Policies table for more information about this policy.

Controlling Groove Directory Searches

Groove Manager prevents Groove users from searching the public Groove directory for contacts, the most secure setting. You can change this setting to allow public directory search for users in your management domain by editing an identity policy.

To control member contact searches on the public Groove directory, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Client Policies tab.
3. Clear the Directory Search policy, Prevent members from searching for contacts in the public Groove directory.
4. Click Save Changes in the tool bar.

Locking Out Accounts

You can set device policies to discourage repeated Groove login attempts, guarding against unauthorized access to Groove accounts on managed devices. Typically, these policies involve locking users out of their account after a designated period of repeated failed login attempts.

Note: You must have a Password Reset identity policy already in place for the domain, in order to regain access to an account when a user has been locked out after failed login attempts.

To set device policies that limit repeated efforts to log in to Groove accounts on managed devices, follow these steps:

1. Make sure that you have set an identity policy to allow login credential reset, as described in Controlling Login Credential Reset and Data Recovery.
2. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
3. Click the Security Policies tab and navigate to Account Lockout Policies.
4. To set the maximum number of login retries, go to the option, Number of invalid login attempts before account is locked and enter a value in the text field.
5. To set the amount of time that Groove will take to process login credentials after repeated unsuccessful login attempts on managed devices, go to the option, Maximum duration of lockout and enter a non-zero value in the text field.
6. To control how Groove responds when a login threshold is reached, select one of the following options:
   Allow login attempts but repeat maximum duration forever.
   Do not allow any more login attempts (requires password reset to unlock).

7. Click Save Changes in the toolbar.
8. To reset a member password after they have been locked out, use your chosen reset method, as described in Resetting Groove Login Credentials.

See Account Lockout Policies in the Security Policies table for more information about this policy.

Setting Strong Private Key Protection

If any managed domain devices are Windows 2000-based, you can set a policy that specifies whether Microsoft's CryptoAPI patch is required on managed devices in order to run Microsoft Office Groove. The link in the policy opens a Microsoft Support Web page with information about this type of protection.

To set a device policy that helps further protect Groove private keys on managed devices, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Security Policies tab.
3. Select the option, Require strong private key protection (see Microsoft Knowledge Base article ).
4. Click Save Changes in the toolbar.

See Strong Private Key Protection in the Security Policies table for more information about this policy.

Controlling Direct Access to Remote Web Services

Groove Web Services exposed on a Groove client device can be accessed by Web service applications on the same device - constituting a local Web Services connection. Or, in the case of Groove 3.1 or earlier, these applications can reside on another physical device - constituting a remote Web Services connection if device policies allow. You can set a device policy to allow remote applications to call Web Services exposed on managed Groove 3.1 or earlier devices. By default this policy is disabled.

To change the remote Web Services policy for Groove 3.1 or earlier devices, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Security Policies tab.
3. Select the option, Allow direct remote web services to enable it.
4. Click Save Changes in the toolbar.

See Web Services Policies in the Security Policies table for more information about this policy.

Controlling Groove Tool Usage on Managed Devices

This section describes how to restrict Groove tool usage to prohibit use of specific Groove tools. By default, all Groove tool versions are allowed for use by domain group members. You can set tool usage policies that control which Groove tools domain members can use, in order to meet organizational requirements regarding acceptable tool use and tool usage auditing.

Note that Groove tool usage policies are optimized to control usage of Groove tools at higher domain group levels, not to provide data filtering or different workspace views across many small groups. Applying tool restriction policies to small groups within a larger body of users can be difficult to manage and can have unexpected results when the various policies involved conflict.

The following sections provide instructions and guidelines for managing tool usage:

Restricting Tool Usage
Tool Usage Recovery After Restriction is Removed

Restricting Tool Usage

These policies control which Groove tools and components can appear on managed user devices. The default settings for these policies are generally open, allowing unrestricted use of Groove tools. Consider whether you want to edit these settings to make them more restrictive.

Restricting usage of a Groove tool affects all aspects of Groove use that depend on that tool. Blocked tools appear in spaces as place-holders only, usually with a message explaining that the tool is not available for use due to policy restrictions.

Tool Usage policies prevent users from accessing the user interface associated with a blocked tool. However, these policies do not affect the underlying data in a Groove workspace. In a mixed-use environment where not all users are subject to tool usage policies, all member devices will continue to receive data associated with all tools for a workspace, even if members cannot access that data through the Groove user interface. For example, if the Games tool is prohibited to User A but not to Users B and C who are members of the same workspace but belong to another management domain where Games are not blocked, the data that passes between Users B and C will also be transmitted to User A's device, although User A cannot access it from the workspace.

To limit Groove tool usage, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Client Policies tab.
3. Select any of the tool-blocking options. For details about these options and their implications, see Client Policies.
4. Click Save Settings in the toolbar.

See Tool Usage Recovery After Restriction is Removed for information about recovering data that has been purged due to the client purge interval being exceeded. See the Client Policies table for more information about this policy.

Tool Usage Recovery After Restriction is Removed

Once a tool usage restriction is removed, affected users can usually recover tool usage when they click on the tool, or, if the tool is not installed, by clicking an Install button from the missing tool placeholder within the workspace. However, recovery paths vary, depending upon the length of time that the tool has been blocked and whether tool data has been deleted.

If the tool restriction was lifted before the client purge interval (approximately 21 days of user inactivity in a space) elapsed, users can recover tool usage when they click on the tool or via the Install button, as described previously. All data that existed locally when the tool was blocked and any data that was added to the tool while it was blocked will be available.

If the tool restriction was lifted after the client purge interval (21 days) elapsed, affected users will not be able to re-install the tool by navigating to it or by clicking the Install button. In addition, in the context of Groove File Sharing (GFS) workspaces, if the Files tool or GFS restriction was not lifted before the client purge interval (21 days) elapsed, users will see alerts indicating that GFS workspaces cannot synchronize. To recover under these conditions, affected users must delete any space that includes the tool and be re-invited to the space.

Limiting Groove Bandwidth Usage for Devices

Groove is designed to utilize communications bandwidth efficiently during normal activity, and to restrict its bandwidth usage when running in the background. However, if conditions merit (if you anticipate a period of high network demand, for example), you may want to consider setting a Groove Manager device policy to control Groove bandwidth usage. You can set a maximum network bandwidth usage limit for Groove client devices in a management domain by defining a bandwidth policy for domain devices.

The following sections summarize bandwidth policy implications and provide instructions for setting this policy:

Overview of Groove Bandwidth Policy
Setting Groove Bandwidth Limit

Overview of Groove Bandwidth Policy

Groove does not limit its use of communications bandwidth except when addressing the requirements of sociable communications, when bandwidth usage is determined by an internal optimization protocol. This limited bandwidth use occurs under the following conditions:

When Groove is running in the system tray (all Groove windows are closed).
Another application is heavily using the communications device (for file download, for example).
Groove starts sending or receiving a large amount of data when the communications device is already in demand by another application.

The Groove bandwidth usage policy is disabled by default. Typically, this policy should remain disabled (the value field left blank). Specifying a value to limit Groove network bandwidth usage substantially impedes Groove performance. You may want to consider enabling the policy and specifying a value if:

Your network requirements demand a limit on Groove network bandwidth usage.
You want to use the results for capacity planning. Setting a finite Groove bandwidth limit per device for a known number of devices can provide helpful statistics in planning for overall Groove bandwidth use in an enterprise.

Enabling a policy that limits network bandwidth use will dramatically affect Groove performance. The impacts of setting a Groove bandwidth use policy include the following:

Causes Groove to constrain its use of communications devices at all times, even when Groove is active.
Causes Groove to constrain its use of communications devices for all destinations, regardless of whether the destination is over a high-speed Ethernet line or a slow dial-up connection.
Overrides sociable communications.
Increases the time required for sending large files (a 2-megabit file, for example). Although a bandwidth policy may not have an obvious impact on delivery of small messages (such as online status messages), its impact on the large messages generated by many Groove tools can be substantial.

Make sure that you understand these implications before setting a device policy on Groove bandwidth use. Test the performance impact on a representative set of tools and hardware before deploying a new policy.

When you enable a bandwidth policy for domain devices, the bandwidth limit appears in Groove on the Options/Communications Manager page.

Setting Groove Bandwidth Limit

Before using this procedure, make sure you have read Overview of Groove Bandwidth Policy.

To specify a Groove bandwidth usage limit, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
2. Click the Client Policies tab.
3. Scroll to the Bandwidth Policies section.
4. To limit Groove client bandwidth usage, select the option, Limit bandwidth, and enter a value in the text box.
5. Select one of the following units from the drop-down menu:
   megabits/second - Sets bandwidth limit units to megabits per second. Allowable value: whole number from 1 to 100.
   kilobits/second - Sets bandwidth limit units to kilobits per second. Allowable values: whole number from 5 to 100,000.
   bits/second - Sets bandwidth limit units to bits per second. Allowable value: whole number from 4800 to 100,000,000.

   percent - Sets the bandwidth limit to a percentage of the maximum bandwidth capacity of the Groove client communications devices currently in use. Note that this percentage is applied regardless of a device's bandwidth capacity. For example, a bandwidth limit of 50% will be applied to a dial-up modem with a maximum connection speed of 56 Kb/second, as well as to an Internet connection with a maximum of 10 Mb/second. Therefore, the actual bandwidth available to a given client device, when defined as a percentage, varies depending on the communications device in use. This may lead to noticeably low connection speeds in a dial-up setting. Allowable value: whole number from 1 to 99.
6. Click Save Changes in the toolbar.

See Bandwidth Policies in the Client Policies table for more information about bandwidth settings.

Enabling Groove Client Auditing

The Groove Auditing application, an option available with the Groove Manager (not Groove Enterprise Services), collects activity logs generated by Groove clients. Audited events include activities associated with Groove accounts (such as end-user logon and logoff, instant messages, and workspace invitations), or with Groove workspaces and tools (such as adding a file to the File tool), depending on how you specify domain device policies that control client auditing. You can select whether to audit account events, workspace events, both types of events, or no events by setting device audit policies.

Once the Groove Audit server and Audit service have been installed and configured, as described in the Groove Manager Server Administration portion of the Help, you can set Groove Manager device policies to allow Groove client event auditing.

To enable Groove client auditing and select what will be audited, follow these steps:

1. Make sure that the Groove Manager and Groove Audit feature are installed at your site, and that the Groove Audit Service is active on Groove client devices. See your server administrator or the Groove Manager Server Administration portion of the Help for information about proper Groove Manager and Groove Audit installation, and Audit Service activation.
2. Go to the Groove Manager administrative Web site and select a domain device policy template in the navigation pane.
3. Click the Audit Policies tab.
4. In the Audit Policies section of the page, enter the URL for your Groove Audit server (for example, in the Audit server URL field.
5. Enter the number of days, hours, or minutes in the Upload audit logs every field to set the audit log upload interval.
6. For added security, you can select the option, Disable Groove if auditing fails.
7. In the Groove Client Events section of the page, select the user account and workspace events that you want to audit. Selecting Audit workspace events includes auditing of workspace member and role-related events. Selecting no events indicates no auditing of Groove events for devices in domains assigned to this template.

8. In the Tool Events section of the page, select the tool events that you want to audit.
9. If you want to audit the contents of files added to Groove, select the option to Audit the contents of files added to tools.
   Note: If you enable this option, all versions of all files added to workspaces of members affected by this policy will be sent to the audit server. If files are numerous or large, file auditing can notably tax the audit server and occupy considerable storage space on the SQL server.
10. Click Save Changes in the toolbar.

For information about restricting Groove tool usage to only those tools which are auditable, see Controlling Groove Tool Usage on Managed Devices. For a description of all auditing policy options, see the Groove Audit Policies table.

Account Policies

The following table describes Groove device Account policy settings:

Setting: Members cannot create multiple accounts
Description: Specifies that domain group members cannot create additional Groove accounts on their managed devices, once the managed account is created. For details about setting this policy, see Preventing Multiple Accounts on a Managed Device.
Default: unchecked

Setting: Members cannot import accounts
Description: Specifies that domain group members cannot import Groove accounts to their managed devices. For details about setting this policy, see Preventing Account Import.
Default: unchecked

Setting: Members can only use managed identities from this domain on devices in this domain
Description: Specifies that domain group members can only use managed identities in this domain group on managed devices in this domain. Selecting this option disables any previously existing unmanaged identities that a user may have created on the managed device. It also prevents the user from using any identities managed by other domains.
Note: Do not select this option if you want to allow users to convert an existing identity to a managed identity. Once your users have converted any previous identities that they wish to convert, you can re-instate this policy.
For details about setting this policy, see Requiring Managed Domain Devices for Managed Domain Members.
Default: unchecked

Client Policies

The following table describes Groove client policy settings.

Messenger Integration Policies

Setting: Messenger integration options
Description: Specifies whether Microsoft Messenger is integrated with Groove on managed devices in the domain. In Groove, this integration option is a configurable property, enabled by default. Options are as follows:
   Enable Messenger integration - Sets the Groove Messenger integration option on managed devices to allow Messenger use with Groove (the default condition in Groove).
   Disable Messenger integration - Sets the Groove Messenger integration option to prevent Messenger use with Groove.
For instructions on setting Messenger policies, see Controlling Messenger Integration.
Default: Enable

Setting: Allow members to enable/disable Messenger integration
Description: Specifies whether managed users can change the Messenger integration setting in Groove. Selecting this option allows users to change the Messenger Integration setting in Groove. Clearing this option prevents users from changing the Messenger Integration setting in Groove.
Default: Selected (checked)

Directory Search Policies

Setting: Prevent members from searching for contacts in the public Groove directory
Description: Specifies whether managed users can search for contacts in the public Groove directory (outside your corporate Intranet). Selecting this option prevents users from searching the public directory. Clearing this option allows users to search the public Groove directory for contacts.
Default: Cleared (unchecked)

Installation Policies

The installation policies described below apply to managed devices running Groove Virtual Office 3.1 or earlier, and to any third-party tools in use at your organization. Standard Office Update policies control Groove component updates for managed devices running Microsoft Office Groove 2007 (or later).

Setting: Prevent members from installing any component
Description: Specifies whether users can install Groove components on their managed devices.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
Selecting this policy prevents domain members from installing any components. It also blocks automatic component updates or installations. Leaving this policy unchecked instructs Groove to prompt users with a download choice before installing components. You can qualify this overall policy with additional policies. For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).
Default: unchecked

Setting: Deny installation of self-signed components
Description: Specifies whether users can install Groove components signed with a self-signed certificate on their managed devices.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
Selecting this policy prevents domain members from installing self-signed components. Leaving this policy unchecked allows domain members to install self-signed components. For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).
Default: unchecked

Setting: Prevent Groove from searching for new components
Description: Specifies whether Groove can actively search and potentially install updated versions of Groove components on managed devices. Unlike earlier versions of Groove, version 2007 or later does not search (seek) for new or updated Groove components. Therefore, this policy applies only to Groove 3.1 or earlier Groove clients or to third-party components. Standard Office update policies control component updating in Microsoft Office Groove 2007 or later. External, or third-party, developers of Groove components sometimes enable their components to search for updates.
Selecting this policy prevents Groove from searching for and potentially installing updated Groove 3.1 or earlier components or any third-party components. Leaving this policy unchecked allows Groove 3.1 or earlier to search for updated component versions. For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).
Default: unchecked

Setting: Advanced Install Policies
Description: Displays a window that lets you specify where Groove components can come from (anywhere or a specified server), and create custom policies.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).

Setting: Install components from
Description: Specifies whether users can install Groove components onto their managed devices from any source or only from a named server. For example, you may want to specify an onsite server where you store tested and approved Groove components. Options are as follows:
   Anywhere - Select this item to specify that users can install components from any server.
   The HTTP server - Enter the TCP/IP address or server name of a specific HTTP server. For example: <servername>.
   The UNC file server - Enter the full path name of the component directory on a specific server defined according to the Universal Naming Convention (UNC). This name follows the format of \\<servername>\<directory1>\...<directoryn>.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).
Default: Anywhere

Setting: Add Policy
Description: This button displays a pop-up window that allows you to further customize component installation policies for specific component versions.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).

Setting: Custom policies
Description: Displays custom policies that you created using the Add Install Policy button. Clicking an item in the policy list lets you edit it.
Note: This policy applies only to managed devices running Groove Virtual Office 3.1 or earlier. Standard Office update policies apply to clients running Microsoft Office Groove 2007 or later.
For details about setting this and related policies, see Appendix B. Setting Component Policies (Groove 3.1 or Earlier).

Tool Usage Policies

Prohibit non-auditable tools
If the optional Groove Client Auditing feature and its device policy are in effect at your organization, setting this policy on managed devices prohibits use of any Groove tools that are not auditable. For details about setting this and related policies, see Controlling Groove Tool Usage on Managed Devices. For information about auditable Groove tools and enabling Groove Client Auditing, see Enabling Groove Client Auditing.

Prohibit use of Groove Folder Synchronization
Prohibits use of Groove File Sharing (GFS) workspaces.

Prohibit use of Forms and Forms-based tools
Prohibits use of any Forms or forms-based tools and templates on managed devices, including the following:
  Discussion (Customizable Discussion version 3; Discussion version 4 and greater)
  Issue Tracking
  Status Reports
  InfoPath

Prohibit use of Games
Prohibits use of Groove games (including Chess and Tic-Tac-Toe) on managed devices.

Bandwidth Policies

Limit bandwidth to
Limits the network bandwidth allowed for Groove usage on each device in a management domain to the specified value. A blank value indicates no specified bandwidth limit, equivalent to disabling the Device Settings Policy. Accept the blank text box to support default Groove bandwidth usage for devices in a domain.
Specifying a limit for network bandwidth allowed per Groove device in a domain often dramatically slows delivery of large messages. Do not enter a value in the text box to enable the device settings policy unless you are confident that your network requirements demand such a trade-off.
Note: Enable this policy and specify a bandwidth value only if you understand the implications for Groove operation.
If you entered a bandwidth value, select one of the following units from the drop-down menu:
  megabits/second - Sets bandwidth limit units to megabits per second. Allowable value: whole number from 1 to 100.
  kilobits/second - Sets bandwidth limit units to kilobits per second. Allowable values: whole number from 5 to 100,000.
  bits/second - Sets bandwidth limit units to bits per second. Allowable value: whole number from 4800 to 100,000,000.
  percent - Sets bandwidth limit to a percentage of the maximum bandwidth capacity of the Groove client communications devices currently in use. Note that this percentage is applied regardless of a device's bandwidth capacity. For example, a bandwidth limit of 50% will be applied to a dial-up modem with a maximum connection speed of 56 Kb/second, as well as to an Internet connection with a maximum of 10 Mb/second. Therefore, the actual bandwidth available to a given client device, when defined as a percentage, varies depending on the communications device in use. This may lead to noticeably low connection speeds in a dial-up setting. Allowable value: whole number from 1 to 99.
For details about setting this policy, see Limiting Groove Bandwidth Usage for Devices.
Default: blank value

Security Policies

The following table describes Groove device Security policy settings:

Device Security Policy Settings / Descriptions

Login Method

Members will log in to Groove using: Passwords
Specifies that domain members must use passwords to log in to Groove. For details about setting this policy, see Setting Groove Login Password Policies.

Members will log in to Groove using: Smart cards
Specifies that domain members must use smart cards to log in to Groove. For details about setting this policy, see Setting Smart Card Login Policies.

Password Policies (if passwords are the chosen Groove login method)

Passwords must contain at least this many characters
Specifies that Groove passwords on managed devices in the domain/group must contain at least the specified number of characters.
Default: 4

Users cannot repeat previous passwords (number of previous passwords to compare with)
Specifies that, when changing a Groove password, managed users cannot re-use any of the specified number of previous passwords on their managed devices. For example, if you enter 3 in the text box of this field, users cannot use any of the last 3 phrases when updating a password. Leaving the text box empty specifies that users can repeat passwords.
Default: blank

Password expires after this length of time (in days)
Specifies the number of days for which a Groove password is valid, at which time Groove requires users to change their password.

Prevent password memorization on device
Specifies that users may not choose to let their managed devices memorize passwords after initial password entry. Users must enter their password each time they log in to Groove.
Note: As of Groove 2007, if you set a management domain device policy to enable Groove password memorization and you set a domain identity policy to enable Groove password reset, memorized Groove passwords on all managed devices used by managed identities in that domain are encrypted in Windows password credentials, making password memorization more secure. Note that resetting a user's Windows password results in loss of the remembered Groove password and the user is prompted to re-enter the password.
For more information about setting an identity policy that enables Groove password reset, see Controlling Login Credential Reset and Data Recovery. For more information about the Microsoft Windows Data Protection API, see the Microsoft Support Web pages on 'How to troubleshoot the Data Protection API (DPAPI),' article Q
Default: unchecked

Password must contain at least one alpha (a, b, c...) character
Specifies that Groove passwords on managed devices must contain at least one alphabetic character.
Default: unchecked

Password must contain at least one numeric (1, 2, 3...) character
Specifies that Groove passwords on managed devices must contain at least one numeric character.
Default: unchecked

Password must contain mixed-case (abc...) characters
Specifies that Groove passwords on managed devices must be mixed-case.

Password must contain at least one punctuation (!,?, $...) symbol.
Specifies that Groove passwords on managed devices must contain at least one punctuation symbol.
Default: unchecked

Edit Reset Settings (Groove 3.0e or earlier)
Lets you edit one of the following reset options for pre-3.0f versions of Groove:
  None - Prevents reset of managed user passwords or recovery of member data on managed devices.
  Manual password reset - Allows reset of managed user passwords and recovery of workspace data on managed devices.
  Data recovery - Allows recovery of managed users' workspace data on managed devices but prohibits reset of user passwords.
For information about reset options for Groove version 3.0f or later, see the identity security policies described in Security Policies.
Default: None

Smart Card Login Policies (if smart cards are the chosen Groove login method)

Limit members' smart card login certificate choices to certificates signed by the following CAs
Lets you limit smart card login certificate choices to those signed by specific Certification Authorities (CAs) in an Enterprise PKI environment. Click Add CA Certificate in the toolbar to browse to and select the certificates that you want to add to the current device policy template. You can click the Delete Certificate button next to any CA certificate that you want to delete from the Groove Manager list. Specified certificate names and associated issuers appear in the certificate list. With this policy in effect, managed users may only use those certificates whose chain contains one of these CAs for Smart Card Login. See Setting Smart Card Login Policies for more information about using this and related policies.

Consider a smart card login invalid if revocation status has not been updated in this many days
Specifies the number of days that may pass before a certificate is considered invalid because its updated revocation status has been unavailable (for example, when a managed user is offline for an extended period). Selecting this policy and entering a value in the text field enables certificate revocation checking. Leaving the box unchecked disables the policy.
Default: Unchecked (disabled)

Edit Reset Settings (Groove 3.0e or earlier)
See the Password Login Policies descriptions at Edit Reset Settings.

Account Lockout Policies

Number of invalid login attempts before account is locked
Specifies the number of unsuccessful Groove login attempts permissible on managed devices, after which the account is locked. For details about setting this and related policies, see Locking Out Accounts.
Default: 20

Maximum duration of lockout
Specifies the maximum amount of time that Groove will take to process login credentials after repeated unsuccessful login attempts on managed devices. Enter a non-zero value in the text field and select units from the drop-down menu.
Default: 5 minutes

After threshold is reached
Specifies one of the following Groove account lockout options when the specified repeat login limit is reached on managed devices:
  Allow login attempts but repeat maximum duration forever - Allows users to continue Groove login attempts with the maximum specified wait before Groove accepts or denies the entry.
  Do not allow any more login attempts (requires the password or smart card login reset identity policy to unlock) - Prohibits any more Groove login attempts, whether or not the login is valid. The user must request a password or smart card login reset from the administrator in order to access Groove.
Default: Allow login attempts but repeat maximum duration forever

Strong Private Key Protection

Require strong private key protection (see Microsoft Knowledge Base article )
If any managed domain devices are Windows 2000-based, this policy can be used to specify whether Microsoft's CryptoAPI patch is required on managed devices in order to run Groove. The link in the policy opens the following Web page: support.microsoft.com/default.aspx?kbid=
For details about setting this and related policies, see Setting Strong Private Key Protection.
Default: Unchecked (disabled)

Web Services Policies

Allow direct remote web services
Specifies whether Groove Web Services on managed Groove 3.1 (or earlier) devices can be accessed from remote applications. Groove Web Services exposed on a client device can be accessed by Web service applications on the same device (a local Web Services connection) or on another physical device (a remote Web Services connection). Enabling this policy allows remote applications to call Web Services exposed on managed devices. When this policy is disabled, only local applications can call Web Services on managed devices; remote Web Services applications will not be allowed access to data on managed devices. See your Microsoft Office Groove representative for information about engaging Groove Web Services. For information about securing remote Web services connections, see the Groove Development Kit documentation.
Note: Consider your corporate security requirements before enabling this policy.
For details about setting this policy, see Controlling Direct Access to Remote Web Services.
Default: Unchecked (disabled)

Groove Audit Policies

Audit policies apply to the optional Groove Audit feature, available with the onsite Groove Manager only (not for Groove Enterprise Services). The following table describes Groove device Audit policy settings:

Device Audit Policy Settings (onsite Groove servers only) / Descriptions

Audit Server Policies

Audit Server URL
Specifies the Groove Manager server URL where the Groove Audit feature is enabled (for example, groove.contoso.com). For details about setting this policy, see Enabling Groove Client Auditing.

Upload audit logs every minutes/hours/days
Specifies how often Groove client audit logs are uploaded from clients to the audit server. To minimize user disruption, uploads may occur slightly before or after the specified period, depending on user activity and idleness.

Disable Groove if auditing fails
Specifies that Microsoft Office Groove will stop functioning if auditing fails on managed devices in the domain group.

Groove Client Events

Audit all client events
Specifies whether client auditing captures all Groove account events, including instant messages and workspace invitations, login and logoff events, account creation, and contact list events. Or, you can select which type of Groove account events will be captured in client auditing. Note that some events - such as account creation and deletion, and logon failures - are always audited.

Audit instant messages and invitations

Audit login and logoff events

Audit contact events

Audit workspace events
Specifies whether client auditing captures Groove workspace events, including the following:
  Member events (added, suspended, or deleted Groove workspace members)
  Role events (changes to workspace member permission)

Tool Events

Audit events that occur in the following Groove tools
Specifies that client auditing captures events associated with selected Groove tools, including the following:
  Chat
  Discussion
  Document Review
  Files (including adding, editing, deleting, renaming, or moving a file)
  Forms Tool
  Groove File Sharing
  InfoPath Tool
  SharePoint Mobile Workspaces

Audit the contents of files added to tools
Specifies that audit events include the contents of files added to Groove tools.
Note: This feature causes all versions of all files added to audited workspaces to be sent to the audit server. Therefore, enabling it can have a significant impact on bandwidth usage and disk storage.
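The two smart card login policies in the Security Policies table above (restricting logins to certificates whose chain contains an approved CA, and treating a login as invalid when revocation status is older than a set number of days) can be modelled as follows. This is an added Python example, not Groove code; the class and function names, the fingerprints and the dates are constructed for illustration, and excluding the leaf certificate from the CA match is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


def norm(fingerprint: str) -> str:
    """Normalise a certificate fingerprint so formatting differences do not matter."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


@dataclass(frozen=True)
class SmartCardPolicy:
    # Fingerprints of CA certificates added to the device policy template.
    # Empty models "no CA restriction configured".
    allowed_cas: FrozenSet[str] = frozenset()
    # None models the default, unchecked state: revocation checking is off.
    max_status_age_days: Optional[int] = None


@dataclass(frozen=True)
class LoginAttempt:
    chain: Tuple[str, ...]              # fingerprints, leaf first, root last
    status_updated: Optional[datetime]  # last successful revocation status update
    revoked: bool = False               # last known revocation status


def evaluate_smart_card_login(policy: SmartCardPolicy, attempt: LoginAttempt,
                              now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login attempt under the given policy."""
    if policy.allowed_cas:
        approved = {norm(fp) for fp in policy.allowed_cas}
        # Assumption: only issuers count as CAs, so the leaf (chain[0]) is skipped.
        issuers = {norm(fp) for fp in attempt.chain[1:]}
        if not issuers & approved:
            return False, "chain contains no approved CA"
    if policy.max_status_age_days is not None:
        # Entering a value is what enables revocation checking at all.
        if attempt.status_updated is None:
            return False, "revocation status never obtained"
        if attempt.revoked:
            return False, "certificate revoked"
        if now - attempt.status_updated > timedelta(days=policy.max_status_age_days):
            return False, "revocation status stale"
    return True, "login permitted"


# Constructed sample values (not real certificates).
NOW = datetime(2007, 3, 1, tzinfo=timezone.utc)
LEAF = "11" * 32
CORP_CA = "AA:" * 31 + "AA"
OTHER_CA = "bb" * 32
ROOT = "cc" * 32

DEFAULT_POLICY = SmartCardPolicy()
STRICT_POLICY = SmartCardPolicy(frozenset({CORP_CA}), max_status_age_days=7)

if __name__ == "__main__":
    cases = {
        "default policy, revoked card": (DEFAULT_POLICY,
            LoginAttempt((LEAF, OTHER_CA, ROOT), None, revoked=True)),
        "strict policy, fresh status": (STRICT_POLICY,
            LoginAttempt((LEAF, "aa" * 32, ROOT), NOW - timedelta(days=2))),
        "strict policy, offline 10 days": (STRICT_POLICY,
            LoginAttempt((LEAF, "aa" * 32, ROOT), NOW - timedelta(days=10))),
        "strict policy, unapproved CA": (STRICT_POLICY,
            LoginAttempt((LEAF, OTHER_CA, ROOT), NOW)),
    }
    for label, (policy, attempt) in cases.items():
        print(label, "->", evaluate_smart_card_login(policy, attempt, NOW))
```

Under the default (unchecked) setting the model accepts the revoked card, because revocation status is only consulted once a day count has been entered.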

Managing Groove Relay Servers

The Groove Manager enables administrators to provision domain groups and members with specific Groove Relay servers. The provisioning of enterprise relay servers to management domain members supersedes the use of public relay servers for maintaining successful, uninterrupted Groove client communications throughout an enterprise. Like the Groove Manager, the Groove Relay is a component of a Microsoft Office Groove Server installed onsite and, alternatively, its services may be engaged via Groove Enterprise Services.

For more information about installing and configuring Groove Relay servers, see the Groove Relay Administrator's Guide, included with the Groove Relay component of the Microsoft Office Groove Server.

The sections below describe the following user-related tasks:
  Overview of Relay Server Provisioning
  Adding a Relay Server to the Groove Manager
  Adding a Relay Server Set to a Domain
  Adding Relay Servers to a Set
  Editing Relay Server Set Names
  Viewing Domain Relay Servers
  Viewing Relay Servers in a Set
  Changing Relay Server Sets
  Reordering Relay Servers in a Set
  Deleting Relay Servers from a Domain
  Deleting Relay Servers from a Set
  Deleting Relay Server Sets
  Editing Relay Server Properties
  Locking out and Re-enabling an Onsite Relay Server

Overview of Relay Server Provisioning

Groove relay servers facilitate communications among Groove users by offering temporary storage or forwarding when users are offline, fanning-out high-volume data transmissions, providing alternative communications paths for clients operating over slow links, and performing other tasks that enable continuous virtual peer communication regardless of peer status (online or offline) or network conditions. Public relay servers support unmanaged Groove users. In a managed Groove environment, you provision users to specific dedicated Groove Relay servers installed onsite at your organization, or to Microsoft-hosted relay servers engaged through Groove Enterprise Services.

The Groove Manager administrative Web interface lets you define sets of Groove Relay servers to which you can provision management domain members. If you are using an onsite Groove Relay, you must first download the Groove Manager certificate (containing its public key) to the Groove Relay, preparing the servers for communications. Next, you import the Groove Relay certificate to the Groove Manager domain. The Groove Manager administrative Web pages provide the interface for this exchange. Now, you can provision managed users with onsite relay servers. You accomplish this by adding domain relay servers to a relay server set, and assigning the set to a domain group or individual member.

Provisioning management domain members with Groove Relay servers involves the following high-level procedure:

1. If you are using onsite Groove Manager servers, register supporting relay servers with a management domain, as described in Adding a Relay Server to the Groove Manager.
2. If you want to create a new relay server set, create one, as described in Adding a Relay Server Set to a Domain.
3. Add the relay server to a set, as described in Adding Relay Servers to a Set.
4. Assign the relay server set to a domain group or member, as described in Changing Relay Server Sets.

For more information about installing and configuring onsite Groove Relay Servers, see the Groove Relay Server Administrator's Guide, included with the Groove Relay server product.

Adding a Relay Server to the Groove Manager

If the Groove Manager is installed at your site, you must register Groove Relay servers with the Groove Manager in order to provision Groove domain members with relay functionality. If you use Groove Enterprise Services, the hosted relay servers are already registered on the hosted Groove Manager.

Onsite Groove Manager servers communicate with onsite Groove Relay servers using SOAP. To set this up, public/private key pairs are used to authenticate each server to the other and to the Groove users assigned to the relay server. An exchange of certificates (associated with these keys) is therefore required between the Groove Manager and Groove Relay, as follows:
  Copying the Groove Manager certificate and information onto the Groove Relay server and updating the relay registry.

Note: To ensure proper download and processing of the Groove Manager public key on an onsite relay server, make sure to use the 64-bit Internet Explorer on the relay server. You can check the 64-bit support and version by clicking Help->About Internet Explorer from the browser. The 64-bit qualifier will appear unless you are running a 32-bit browser. You can select the 64-bit version by clicking Start->Programs->Internet Explorer 64-bit.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer relay server sets at the group level; a role of Server, Domain, or Member Administrator is required to provision individual members with relay server sets.

To perform the server key exchange, follow these steps:

1. Go to the Groove Manager administrative Web site and click the domain Relay Server Sets heading in the navigation pane. The Relay Server Sets tab appears with a list of relay server sets. The Groove Manager provides an initial default relay server set, which is empty if servers have not been added to the set.
   Note: For convenience, if your setup allows, you can perform this procedure by logging into the Groove Manager from the Groove Relay server.
2. Click the Relay Servers tab. The Relay Servers page appears, with a list of any relay servers that have been added to the domain.
3. Click Add Relay Server in the toolbar, then select a Groove Relay server type:
     Onsite Relay Server - Specifies a Groove Relay server installed and managed by your organization.
     Hosted Relay Server - Specifies Microsoft-hosted relay services, accessed via Groove Enterprise Services.
   The Add Relay Server page appears.
4. Follow the series of substeps below to update the onsite Groove Relay server registry with the Groove Manager public key.
   a. From the Add Relay Server page, click the Download Public Key button to download ManagementServer.reg. The File Download dialogue box appears. This .reg file contains the Groove Manager's certificate with its public key and identifying information.
   b. Click OK, click Save, select a location for saving the file (on the local device if you are performing this procedure from the Groove Relay server), click the Save button, then click the Close button.
   c. If the Groove Manager public key file is not saved on the Groove Relay server, copy the ManagementServer.reg file from its current location onto the Groove Relay server.
   d. From the Groove Relay server, double-click the ManagementServer.reg file to update the Groove Relay registry.
5. Locate and copy the Groove Relay ID file (serverid.xml). The Groove Relay ID file is defined by the Groove Relay administrator during installation and configuration of the supporting server, and usually resides in the Groove Relay installation directory. Copy the Groove Relay ID file to a safe place on disk. See the Groove Relay Administrator's Guide that accompanies the Office Groove Relay application for information about generating this .xml file on onsite servers.
6. From the Add Relay Server page on the Groove Manager, in the File location text box, type or browse to the location of the Groove Relay ID file (serverid.xml). This file contains two certificates: a SOAP certificate which is used by the Groove Manager to authenticate the Groove Relay server, and an SSTP certificate which will be used by Groove clients provisioned to this server.
7. Click OK to upload the Groove Relay ID file to the Groove Manager domain. The Groove Relay name appears in the list of servers added to the domain on the Relay server tab and in the Add Relay Server window for a selected set.

Note that adding a Groove Relay to a domain automatically adds it to the default relay server set for provisioning to domain groups and members. You can delete the relay server from the default set as described in Deleting Relay Servers from a Set. You can also add relay servers to specified sets as described in Adding Relay Servers to a Set.

Adding a Relay Server Set to a Domain

The Groove Manager provides an initial relay server set in each management domain, to which you add relay servers. You can add other sets to the domain from the Relay Server Sets page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add relay server sets to a domain.

To add a relay server set to a management domain, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain's Relay Server Sets heading from the navigation pane. The Relay Server Sets tab appears with a list of server sets. The Groove Manager provides an initial default server set, which is empty if servers have not been added to the domain.
2. From the Relay Server Sets tab, click Add Set in the toolbar. The Add Relay Server Set window appears with a list of server sets. You can select servers from this window to add them to the selected set.
3. In the Add Relay Server Set window, enter the relay server set name and an optional description.
4. Click OK. The new server set name appears in the Relay Server Sets list, along with a list of any servers that have been added to the set. All available domain servers are added to the set by default. You can delete any unwanted servers from the set by selecting the set and clicking Delete Relay Servers in the toolbar, as described in Deleting Relay Servers from a Set. You can add relay servers imported to the domain after set creation, as described in Adding Relay Servers to a Set.
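Step 4 of the key exchange in Adding a Relay Server to the Groove Manager has you copy ManagementServer.reg between machines and merge it into the relay's registry by double-clicking it. The following added Python example (not part of the guide or of Groove) lists every operation a .reg file would perform and hashes the file so the copy on the relay can be compared with the download. The registry path in EXPECTED is a placeholder because the guide does not state which key the file writes, and both sample files are constructed.

```python
import hashlib
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# A value line is @=... or "name"=...; names may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def decode_reg(data: bytes) -> str:
    """Version 5.00 files are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252")


def parse_reg(data: bytes):
    """Return the (action, key, value_name, value_type) operations in a .reg file."""
    lines = decode_reg(data).replace("\r\n", "\n").split("\n")
    if lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header")
    # hex: values wrap with a trailing backslash; join them before parsing.
    joined, pending = [], ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            joined.append(line)
    if pending:
        raise ValueError("file ends inside a wrapped value")
    ops, key = [], None
    for line in joined:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):          # [-KEY] deletes a whole key
                key = None
                ops.append(("delete-key", inner[1:], None, None))
            else:
                key = inner
                ops.append(("create-key", key, None, None))
            continue
        match = VALUE_RE.match(line)
        if match is None or key is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if match.group(1) == "@" else match.group(1)[1:-1]
        value = match.group(2)
        if value == "-":                       # "name"=- deletes one value
            ops.append(("delete-value", key, name, None))
        elif value.startswith('"'):
            ops.append(("set-value", key, name, "string"))
        else:                                  # dword:, hex:, hex(2):, ...
            ops.append(("set-value", key, name, value.split(":", 1)[0]))
    return ops


def review(data: bytes, expected_prefix: str) -> dict:
    """Hash the file and flag writes outside the expected key, and any deletions."""
    prefix = expected_prefix.rstrip("\\").lower()
    ops, findings = parse_reg(data), []
    for action, key, name, _ in ops:
        k = key.lower()
        if not (k == prefix or k.startswith(prefix + "\\")):
            findings.append(f"{action} outside expected key: {key}")
        elif action.startswith("delete"):
            findings.append(f"{action} inside expected key: {key} {name or ''}".rstrip())
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "operations": ops, "findings": findings}


def to_reg_bytes(text: str) -> bytes:
    """Encode text the way a Version 5.00 .reg file is stored on disk."""
    return b"\xff\xfe" + text.encode("utf-16-le")


# Placeholder key: the guide does not name the registry location.
EXPECTED = r"HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE-PLACEHOLDER\Relay"
# Constructed sample files, not real Groove Manager output.
SAMPLE_OK = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[" + EXPECTED + "\\ManagementServer]\r\n"
    '"Name"="manager.example.test"\r\n'
    '"Certificate"=hex:30,82,01,0a,\\\r\n'
    "  02,82,01,01\r\n"
)
SAMPLE_BAD = (
    SAMPLE_OK
    + "\r\n" + r"[HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE-UNRELATED\Settings]" + "\r\n"
    + '"Enabled"=dword:00000001\r\n'
    + "[-" + EXPECTED + "\\OldServer]\r\n"
)

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        result = review(to_reg_bytes(text), EXPECTED)
        print(label, result["sha256"][:16], result["findings"])
```

Comparing the printed SHA-256 on the machine where the file was downloaded and on the relay confirms the copy in substep c did not change the file.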

Adding Relay Servers to a Set

Relay server sets are empty if no relay servers have been added to the domain. Once you add relay servers to the domain, all domain servers available at the time of set creation appear in the set by default. You can add relay servers that are subsequently imported to domain servers to specified sets, as described in the procedure below.

Groove client devices send managed users' Groove messages to the first available server, checking the relays in the order in which they appear in the relay server set's list of servers. The order in which servers are added to the set determines the default server polling order. You can change the relay polling order as described in Reordering Relay Servers in a Set.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change server sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

To add a Groove relay server to a relay server set, follow these steps:

1. Go to the Groove Manager administrative Web site and click a domain relay server set in the navigation pane. The Relay Servers page appears with a list of servers that have been added to the set.
2. From the Relay Servers page, click Add Relay Servers to Set in the toolbar.
3. From the Add Relay Server page, select the relay servers that you want to add to the set. Clicking the top box selects all servers in the list. If no servers have been imported into the domain, the menu displays No Relay Servers available. For information about listing servers with a domain, see Adding a Relay Server to the Groove Manager.
4. Click OK. The selected server appears in the set's server list.
5. Repeat this process for each server you want to add to the set.

If you add multiple servers to a relay server set, managed users (identities) in this domain can contact any of the named servers for messages and updates. Users sending data to these identities will send data to the first relay available, checking servers in the order that the relays appear in the list.

If multiple relay servers are listed with a set and you want to re-prioritize their usage, click the down or up arrows to reorder the entries. Users sending data will then check relay availability in the re-prioritized order.

If you need to remove or lock out a specific onsite server, you can do so from the relay server set's list of servers, as described in Locking out and Re-enabling an Onsite Relay Server.

Editing Relay Server Set Names

You can view or edit a relay server set name and description from any server set page. To view or edit Groove relay server set properties, follow these steps:

140 1. Go to the Groove Manager administrative Web site, select the domain s Relay Server Sets heading from the navigation pane and click a relay server set in the list. Or, click a relay server set from the navigation pane and click Relay Server Set Properties in the toolbar. The relay server set Properties window appears. 2. From the relay server set Properties window, edit the relay server set name and description, as necessary. 3. Click OK. Viewing Domain Relay Servers To view Groove relay servers in a management domain, do the following: 1. Go to the Groove Manager administrative Web site and click the domain s Relay Server Sets heading from the navigation pane. The Relay Server Sets tab appears. 2. Click the Relay servers tab. The Relay Servers page appears, displaying relay servers that have been imported into the domain, including the information described in the following table: Relay Server Sets Information Server Type Descriptions Relay server s certificate Authority (CA) name (such as groovedns://hostedrelay1.msogroove.com), defined when adding Groove Relay server to Groove Manager. See Adding a Relay Server to the Groove Manager for information about adding Groove Relay servers to the Groove Manager. Information only. Indicates the relay server type, as follows: Relay Server - A Groove Relay Server installed onsite at your enterprise. Hosted Relay Server - A specific relay server hosted for your enterprise by Microsoft Office Groove Enterprise Services. Viewing Relay Servers in a Set To view servers in a Groove relay server set, do the following: 1. Go to the Groove Manager administrative Web site and navigate to a domain s Relay Server Sets in the navigation pane. 2. Click a relay server set.the relay server page appears, displaying Groove servers that have been added to the set, up and down arrows to re-order relay servers in the Groove Manager Domain Administrator s Guide Managing Groove Relay Servers 132

141 list, and the information described in the following table. See Reordering Relay Servers in a Set for information about reordering servers in the list. Relay Server Sets Information Server Type Descriptions Relay server s certificate Authority (CA) name (such as groovedns://hostedrelay1.msogroove.com), defined when adding Groove Relay server to Groove Manager. See Adding a Relay Server to the Groove Manager for information about registering servers on the Groove Manager. Information only. Indicates the relay server type, as follows: Relay Server - A Groove Relay Server installed onsite at your enterprise. Hosted Relay Server - A specific relay server hosted for your enterprise by Microsoft Office Groove Enterprise Services. Lockout Lets you lock out onsite Groove Relay servers from use. See Locking out and Re-enabling an Onsite Relay Server for information about locking out servers. Changing Relay Server Sets The Groove Manager provides a default relay server set to managed identities in a domain group. A relay server set can contain up to five onsite servers to a set, depending on how many servers are registered in the management domain. Groove client devices contact the relay servers sequentially when sending managed user messages, in the order that the relay servers were added to the set. You can re-order servers in a set as described in Reordering Relay Servers in a Set. You can change relay server set assignments for any group or member, as described in the following sections: Changing Relay Server Sets for a Group Changing Relay Server Sets for a Group Member Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change relay server sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member. Changing Relay Server Sets for a Group To change relay server sets for a group, follow these steps: 1. 
Go to the Groove Manager administrative Web site and select the domain's top-level Members group.
2. To change the relay server set for an administrator-defined group, select that group or sub-group in the navigation pane.
3. Click Group Properties in the toolbar.
4. From the group Properties page, select the desired server set from the Relay Server Sets drop-down menu.
5. To apply this change to all subgroups and members of this group, select the option, Override settings for all members and subgroups. Otherwise, to leave subgroup and individual member template assignments as is, leave the box unchecked.
6. Click OK.

Changing Relay Server Sets for a Group Member

To change relay server sets for a group member, follow these steps:
1. Go to the Groove Manager administrative Web site and navigate the domain tree until the member whose template you want to change appears in the main screen display list.
2. From the main screen, click the member name. The member's Account Information page appears.
3. From the Account Information page, select the desired server set from the Relay Server Sets drop-down menu.
4. Click Apply to save your changes without closing, or OK to change and close.

Reordering Relay Servers in a Set

If multiple relay servers are specified in a relay server set, Groove client devices send managed users' Groove messages to the first available server, checking the relays in the order in which they appear in the relay server set's list of servers. The default server sequence depends on the order that servers were added to the set. You can change the relay polling order from the relay server page.

To re-order relay servers in a set, follow these steps:
1. Go to the Groove Manager administrative Web site and click a domain relay server set in the navigation pane. The Relay Servers page appears, displaying Groove servers that have been added to the set.
2. Click the up or down arrow keys to move a relay server up or down in the list. Servers at the top of the list are contacted before those further down in the list.

Deleting Relay Servers from a Domain

You can delete a Groove relay server from a domain, permanently removing it from the Groove Manager. No managed users assigned to sets containing that server will be able to access it. If you remove all server assignments from a set, managed users assigned to that set must rely on public servers.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete relay servers from a domain.

To delete selected Groove relay servers from a management domain and the relay server, follow these steps:

1. Go to the Groove Manager administrative Web site and select a domain's Relay Server Sets heading from the navigation pane. The Relay Server Sets tab appears with a list of server sets.
2. Click the Relay servers tab. The Relay Servers page appears with a list of servers.
3. From the Relay servers page, select the relay servers that you want to delete from the domain. Selecting the top box selects all servers in the list.
4. Click Delete Relay Servers in the toolbar and confirm your decision. The selected servers are deleted from the relay server.

Deleting Relay Servers from a Set

You can delete Groove relay servers from a relay server set without deleting them from the Groove Manager, using the relay servers page. Deleting a relay server from a set means that managed users previously assigned to that set containing this server can no longer contact it, and must rely on public servers. If you want these users to be able to communicate externally or benefit from other relay services, make sure that they are assigned to other servers registered with their management domain.

Note: If users are assigned to a removed server, the Groove Manager redirects them to a public server.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change server sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

To remove selected Groove relay servers from a relay server set, follow these steps:
1. Go to the Groove Manager administrative Web site and select a domain relay server set in the navigation pane. The Relay Servers page appears with a list of servers.
2. From the Relay servers page, select the relay servers that you want to remove from the set. Selecting the top box selects all servers in the list.
3. Click Delete Relay Servers in the toolbar. The selected servers are removed from the relay server set, but still exist in the domain.

Deleting Relay Server Sets

You can delete Groove relay server sets from a domain, provided that the sets are not assigned to a group or member. The relay servers associated with the set remain as is in the domain. Note that you cannot delete the last set.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete relay server sets.

To delete selected Groove relay server sets, follow these steps:
1. Go to the Groove Manager administrative Web site and select a domain's Relay Server Sets heading from the navigation pane. The Relay Server Sets tab appears with a list of server sets.
2. From the Relay Server Sets tab, select the relay server sets that you want to delete. Selecting the top box selects all servers in the list.
3. Click Delete Sets in the toolbar. The selected server sets are removed.

If a relay server set cannot be deleted because it is assigned to a group or member, a message appears indicating this condition. To delete assigned server sets, make sure they are not assigned to any group or member. For information about assigning server sets, see Changing Relay Server Sets.

Editing Relay Server Properties

If your managed environment supports onsite Groove Relay servers, the relay server Properties page lets you view and edit various server settings, including relay message lifetimes and queue purging. The relay server queues messages that are waiting for delivery to Groove clients. You can help control relay disk space usage by adjusting message retention time. For more information about relay server message queues, see the Groove Manager Server Administration portion of the Help. Relay server properties do not apply to hosted relay services.

To view and edit properties for onsite Groove Relay servers, follow these steps:
1. Go to the Groove Manager administrative Web site and select the domain's Relay Server Sets heading. The Relay Servers page appears with a list of servers.
2. From the Relay Servers page, click the relay server for which you want information. The relay server Properties window appears with the information described in the table below.
3. Edit the fields as necessary, then click OK.

Server Properties and Descriptions

Enable Quotas: Sets message queue quotas on Groove Relay servers.

Quota: The maximum number of megabytes that can be stored in queues for each managed user account on Groove Relay servers. When the quota is reached, Groove messages are temporarily stored on the sending device until the queue frees up again (as clients contact the relay server to collect their messages) or the messages can be delivered via direct peer-to-peer connection. Default: 15 megabytes.

Enable Purge: Automatically purges relay message queues.

Identity message lifetime: The number of days that identity messages can remain enqueued before being deleted. Identity messages consist of Groove instant messages and Groove workspace invitations. Because identity-targeted queues cannot be recovered after deletion (unlike device messages), the default holding time for these messages is longer than for device messages. Default: 90 days.

Device message lifetime: The number of days that device messages can remain enqueued before being deleted. Device messages consist of Groove workspace information. Default: 30 days.

Locking out and Re-enabling an Onsite Relay Server

If you support onsite Groove Relay servers, you can lock out any relay server from a domain or group, preventing users from accessing it. You cannot lock out Groove-hosted relay servers.

To lock out an onsite Groove Relay server from a domain or group, or to re-enable it, follow these steps:
1. Go to the Groove Manager administrative Web site and select a relay server set in the navigation pane. The Relay Servers page appears, displaying Groove servers that have been added to the set, including a Lockout check box.
2. Select the Lockout option to lock out a relay server, or clear the option to re-enable the relay server.

Viewing Groove Domain Reports

The domain Reports tab on the Groove Manager Web interface lets you view various types of management domain reports, filter the reports for specific information, and export any report to a specified file. This document describes the Groove Manager domain reporting under the following topics:

Viewing Reports
Filtering Reports
Exporting Reports
Domain Reports
Sample Report Filters

Viewing Reports

Microsoft Office Groove clients report statistics for managed identities to the Groove Manager periodically.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Report Administrator to view management domain reports.

To view Groove user reports for a management domain, follow these steps:
1. Go to the Groove Manager administrative Web site and select a management domain or group from the navigation pane. Statistics are domain-wide or group-wide, depending on the selection in the navigation pane, and available for all managed users in your domain.
2. From the Report drop-down list on the Reports tab, select a report type. See Domain Reports for a description of each report type.
3. To customize the current report, click the Filter expansion arrow and use the Filter controls as described in Filtering Reports.
4. Click the Display Report button to display the report. A list of reported items appears in the display area.
5. To navigate within the report, use the arrow controls in the page.
6. To sort on a specific field, click an underlined title in the column that you want to sort on. To reverse the sort order, click the title again.
7. To change the number of items displayed per page, select a value in the Items per page drop-down list below the display area. The default is 25 items per page.

For information about exporting reports to a file, see Exporting Reports.

Filtering Reports

You can use the Groove Manager's Report Filtering controls at any time to refine your report. Filter types vary, depending on the type of user data that you request.

To define one or more filters, use the Filter controls as described in the following table:
1. From the Reports tab, select a report type from the Report drop-down list.
2. Specify a date if applicable.
3. Click the Filter expansion arrow to specify filters.
4. Select a filter from the drop-down list.
5. Refine the filter as necessary. See the Report Filtering Options table for descriptions of filtering options.
6. Click the + (plus sign) button to apply the filter and add it to the filter display box.
7. To specify another filter, select AND or OR from the drop-down list, and add a filter as just described.
8. To edit a filter, click the Edit Filter button, make the necessary changes in the filter editing window, and click OK. See Figure 1. Sample Audit Log Filter Specification (from Edit Filter window) for an example.
9. To delete a filter, click the - (minus sign) button next to any filter in the Edit Filter window.
10. To clear the entire filter specification, click the Clear Filter button on the main Report page.
11. Click Display Report to see the filtered report.

Report Filtering Options and Descriptions

Filter drop-down list: Displays a list of available filters for the selected report type.

AND/OR drop-down list: Available when at least one filter has been entered. Select one of the following:
   AND to specify additive filters.
   OR to specify alternative filters.

Field selection drop-down list: Lets you specify a field (column) in the report on which to filter (Type, Date, or Group for example).

Qualifier drop-down list: Lets you select one of the following:
   Is (=)
   Begins With (followed by text field)
   Ends With (followed by text field)
   Contains (followed by text field)
   On (followed by date picker)
   Before (<= followed by date picker)
   After (>= followed by date picker)
   Between (begin date and end date)
   =, <, >, <=, >=
   Never (NULL)

Figure 1. Sample Audit Log Filter Specification (from Edit Filter window)

Exporting Reports

You can export a displayed report to an .xml or a .csv file from the domain Reports page.

To export a report, follow these steps:
1. Go to the Groove Manager administrative Web site and select a management domain from the navigation pane.
2. Click the Reports tab. The default report (the Audit Log) appears.
3. From the Reports page, click the Report drop-down menu, then select the type of report that you want to view, as described in Viewing Reports.
4. Click the Display Report button. The report appears.
5. Click Export Report in the toolbar. An Export pop-up window appears.
6. Select CSV or XML as a target file type, then click OK. A File Download pop-up window appears.
7. Browse to a file location for exporting the current report, then click OK.

Domain Reports

The tables in the following sections describe the Groove management reports that you can select from the domain Reports tab:


More information

Integrate Akamai Web Application Firewall EventTracker v8.x and above

Integrate Akamai Web Application Firewall EventTracker v8.x and above Integrate Akamai Web Application Firewall EventTracker v8.x and above Publication Date: May 29, 2017 Abstract This guide helps you in configuring Akamai WAF and EventTracker to receive events. In this

More information

Administrator Guide. Find out how to set up and use MyKerio to centralize and unify your Kerio software administration.

Administrator Guide. Find out how to set up and use MyKerio to centralize and unify your Kerio software administration. Administrator Guide Find out how to set up and use MyKerio to centralize and unify your Kerio software administration. The information and content in this document is provided for informational purposes

More information

Deployment guide for Duet Enterprise for Microsoft SharePoint and SAP Server 2.0

Deployment guide for Duet Enterprise for Microsoft SharePoint and SAP Server 2.0 Deployment guide for Duet Enterprise for Microsoft SharePoint and SAP Server 2.0 Microsoft Corporation Published: October 2012 Author: Microsoft Office System and Servers Team (itspdocs@microsoft.com)

More information

Installation Manual. Fleet Maintenance Software. Version 6.4

Installation Manual. Fleet Maintenance Software. Version 6.4 Fleet Maintenance Software Installation Manual Version 6.4 6 Terri Lane, Suite 700 Burlington, NJ 08016 (609) 747-8800 Fax (609) 747-8801 Dossier@dossiersystemsinc.com www.dossiersystemsinc.com Copyright

More information

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide RSA Authentication Manager 7.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information

Microsoft Dynamics GP Release Integration Guide For Microsoft Retail Management System Headquarters

Microsoft Dynamics GP Release Integration Guide For Microsoft Retail Management System Headquarters Microsoft Dynamics GP Release 10.0 Integration Guide For Microsoft Retail Management System Headquarters Copyright Copyright 2007 Microsoft Corporation. All rights reserved. Complying with all applicable

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

NTP Software File Auditor for Hitachi

NTP Software File Auditor for Hitachi NTP Software File Auditor for Hitachi Installation Guide Version 3.3 This guide details the method for the installation and initial configuration of NTP Software File Auditor for NAS, Hitachi Edition,

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

VMware AirWatch Integration with RSA PKI Guide

VMware AirWatch Integration with RSA PKI Guide VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Integrate Fortinet Firewall. EventTracker v8.x and above

Integrate Fortinet Firewall. EventTracker v8.x and above EventTracker v8.x and above Publication Date: October 31, 2017 Abstract This guide provides instructions to configure Fortinet Firewall to send crucial events to EventTracker Enterprise by means of syslog.

More information

Symantec Workflow Solution 7.1 MP1 Installation and Configuration Guide

Symantec Workflow Solution 7.1 MP1 Installation and Configuration Guide Symantec Workflow Solution 7.1 MP1 Installation and Configuration Guide Symantec Workflow Installation and Configuration Guide The software described in this book is furnished under a license agreement

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

INSTALL GUIDE BIOVIA INSIGHT 2016

INSTALL GUIDE BIOVIA INSIGHT 2016 INSTALL GUIDE BIOVIA INSIGHT 2016 Copyright Notice 2015 Dassault Systèmes. All rights reserved. 3DEXPERIENCE, the Compass icon and the 3DS logo, CATIA, SOLIDWORKS, ENOVIA, DELMIA, SIMULIA, GEOVIA, EXALEAD,

More information

Dell DocRetriever for SharePoint. User Guide 5.3.1

Dell DocRetriever for SharePoint. User Guide 5.3.1 Dell DocRetriever for SharePoint 5.3.1 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE Quest Enterprise Reporter 2.0 Report Manager USER GUIDE 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Integrate Aventail SSL VPN

Integrate Aventail SSL VPN Publication Date: July 24, 2014 Abstract This guide provides instructions to configure Aventail SSL VPN to send the syslog to EventTracker. Once syslog is being configured to send to EventTracker Manager,

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

Metalogix ControlPoint 7.6. Advanced Iinstallation Guide

Metalogix ControlPoint 7.6. Advanced Iinstallation Guide Metalogix ControlPoint 7.6 Advanced Iinstallation Guide 2018 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Sage Installation and System Administrator s Guide. March 2019

Sage Installation and System Administrator s Guide. March 2019 Sage 100 2019 Installation and System Administrator s Guide March 2019 2019 The Sage Group plc or its licensors. All rights reserved. Sage, Sage logos, and Sage product and service names mentioned herein

More information

Server Installation Guide

Server Installation Guide Server Installation Guide Copyright: Trademarks: Copyright 2015 Word-Tech, Inc. All rights reserved. U.S. Patent No. 8,365,080 and additional patents pending. Complying with all applicable copyright laws

More information

Dell Migration Solutions for SharePoint 4.8. User Guide

Dell Migration Solutions for SharePoint 4.8. User Guide Dell Migration Solutions for SharePoint 4.8 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Integrate EMC Isilon. EventTracker v8.x and above

Integrate EMC Isilon. EventTracker v8.x and above EventTracker v8.x and above Publication Date: March 3, 2017 Abstract This guide helps you in configuring EMC Isilon and EventTracker to receive EMC Isilon events. In this document, you will find the detailed

More information

INSTALLATION & OPERATIONS GUIDE Wavextend Calculation Framework & List Manager for CRM 4.0

INSTALLATION & OPERATIONS GUIDE Wavextend Calculation Framework & List Manager for CRM 4.0 INSTALLATION & OPERATIONS GUIDE Wavextend Calculation Framework & List Manager for CRM 4.0 COPYRIGHT Information in this document, including URL and other Internet Web site references, is subject to change

More information

Integrate NGINX. EventTracker v8.x and above

Integrate NGINX. EventTracker v8.x and above EventTracker v8.x and above Publication Date: April 11, 2018 Abstract This guide provides instructions to forward syslog generated by NGINX to EventTracker. EventTracker is configured to collect and parse

More information

Integrate Microsoft ATP. EventTracker v8.x and above

Integrate Microsoft ATP. EventTracker v8.x and above EventTracker v8.x and above Publication Date: August 20, 2018 Abstract This guide provides instructions to configure a Microsoft ATP to send its syslog to EventTracker Enterprise. Scope The configurations

More information

Veritas Desktop and Laptop Option 9.2

Veritas Desktop and Laptop Option 9.2 1. Veritas Desktop and Laptop Option 9.2 Quick Reference Guide for DLO Installation and Configuration 24-Jan-2018 Veritas Desktop and Laptop Option: Quick Reference Guide for DLO Installation and Configuration.

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Veritas SaaS Backup for Office 365

Veritas SaaS Backup for Office 365 Veritas SaaS Backup for Office 365 Documentation version: 1.0 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks

More information

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1 Aspera Connect 2.6.3 Windows XP, 2003, Vista, 2008, 7 Document Version: 1 2 Contents Contents Introduction... 3 Setting Up... 4 Upgrading from a Previous Version...4 Installation... 4 Set Up Network Environment...

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information

Parallels Virtuozzo Containers 4.6 for Windows

Parallels Virtuozzo Containers 4.6 for Windows Parallels Virtuozzo Containers 4.6 for Windows Upgrade Guide Copyright 1999-2010 Parallels Holdings, Ltd. and its affiliates. All rights reserved. Parallels International GmbH Vordergasse 49 CH8200 Schaffhausen

More information

What s New in BID2WIN Service Pack 4

What s New in BID2WIN Service Pack 4 What s New in BID2WIN Service Pack 4 BID2WIN Software, Inc. Published: August, 2006 Abstract BID2WIN 2005 Service Pack 4 includes many exciting new features that add more power and flexibility to BID2WIN,

More information