Groove Management Server Version 3.1 Domain Administrator’s Guide


Copyright
Copyright © 2001-2005, Groove Networks, Inc. All rights reserved.
You may not reproduce or distribute any part of this document in any form or by any means, without the written permission of Groove Networks, Inc., nor may you use it to create derivative works.
Groove Networks, Groove, the interlocking circles design, Groove Virtual Office, and groove.net are registered trademarks of Groove Networks, Inc. Other product or company names may be the trademarks of their respective owners.
Use of Groove Networks, Inc. software is subject to the terms of a license agreement and applicable export and import restrictions. Restricted rights for U.S. government users.
This product includes software used under license from third parties, including those parties identified by the following notices. Copyright © 1995 - 2001 International Business Machines Corporation and others. All rights reserved. VcardParser.cpp © Copyright Apple Computer, Inc., AT&T Corp., International Business Machines Corporation and Siemens Rolm Communications Inc. Outside In® ActiveX Control © 2002 IntraNet Solutions Chicago, Inc. All rights reserved. This software is based in part on the work of the Independent JPEG Group. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer <[email protected]>. All rights reserved.
Table of Contents
User and Device Policy Setting 3
Groove License Provisioning 4
Relay Server Provisioning 4
Domain Administration and Role Assignment 5
Password/Smart Card Login Reset and Data Recovery 5
Groove Account Backup 5
Groove Usage Monitoring 6
Hosting Groove Components 6
Groove Client Auditing 6
The Management Server Domain Administrator’s Guide 6
Getting Started 8
Before You Begin 8
Accessing the Administrative Web Site 9
Accessing the Management Server Administrative UI 10
Getting Help 10
Changing Administrative Preferences 11
Setting Up a Groove Management System 11
Distributing Activation Keys 14
Managing Groove Domains 17
Overview of Management Domains 17
Completing Domain Configuration 18
Viewing and Editing Management Domain Properties 20
Configuring Management Domain Affiliation 22
Setting Up Cross-Domain Certification 23
PKI Basics 24
Cross-Certifying Management Domains 25
Changing Reset/Recovery Private Keys and Key Locations 27
Groove Management Server Domain Administrator’s Guide Table of Contents iii
Migrating Users to Another Domain 28
Adding, Editing and Deleting Email Templates 29
Creating Management Server Email Templates 30
Editing Management Server Email Templates 31
Deleting Management Server Email Templates 31
Editing Administrator Roles 31
Managing Groove Users 33
Overview of Groove User Management 34
Managing Domain Member Groups 35
Adding Groups 35
Viewing and Editing a Group 36
Viewing Domain Groups 38
Viewing Group Members 38
Deleting a Group 39
Adding Groove Users to a Domain Group 39
Adding an Individual Member to a Domain Group 39
Adding Multiple Members from an .XML File 41
Adding Multiple Members from a .CSV File 42
Importing Members from a Directory 44
Enabling Groove Activation 47
Sending an Activation Key from the Management Server 48
Sending an Activation Key Via Personal Email 49
Provisioning Managed Groove Users 49
Viewing Domain Members 50
Viewing and Editing Domain Member Information 52
Finding Domain Members 55
Moving Domain Members to Another Group 56
Exporting Domain Members 57
Disabling and Enabling Domain Members 58
Disabling Domain Members 58
Enabling Domain Members 58
Deleting Domain Members 59
Backing Up and Restoring User Account Data 60
Backing Up Account Data 60
Restoring Account Data 61
Purging Member Relay Queues 63
Creating an LDAP Search String 64
Initiating Client Contact With a Management Server 67
Managing Identity Policies 68
Overview of Identity Policy Templates 69
Creating Identity Policy Templates 69
Editing Policy Template Names 69
Cloning Policy Templates 70
Changing Identity Policy Templates 70
Changing Identity Policy Templates for a Group 70
Changing Identity Policy Templates for a Group Member 71
Deleting Policy Templates 71
Viewing and Editing Identity Policies 71
Automatically Managing Devices During Identity Activation 72
Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later) 73
Resetting Groove Login Credentials (for Groove 3.0f or later) 74
Administer-Driven Reset of Groove Login Credentials 75
Automatic Reset of Groove Login Credentials 77
Client Login Credential Reset 77
Customizing Reset Instructions (for Groove 3.0f or later) 78
Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later) 79
Data Recovery Fundamentals 79
Recovering User Data (using the Data Recovery Tool) 80
Managing User Interaction with Unauthenticated Identities 83
Authenticated vs. Unauthenticated Groove Identities 83
Setting Up Peer Authentication 83
Setting the Default Workspace Version 86
Specifying Enterprise PKI Certificates 87
Setting Time Limit on Valid PKI Certificates 87
Enabling Groove-XMPP Communications 88
Member Policies 89
Security Policies 90
Managing Device Policies 93
Overview of Device Management 94
Registering User Devices with the Management Server 94
Overview of Device Registration 95
Registering Devices in a Management Domain 95
Deleting Managed Devices from a Domain 96
Creating Device Policy Templates 96
Changing Device Policy Templates 97
Changing Device Policy Templates for a Group 97
Changing Device Policy Templates for a Group Member 97
Administering Device Templates 98
Viewing and Editing Device Policies 98
Customizing Component Policies for Devices 99
Component Policy Basics 99
Customizing Component Install Policies 100
Editing Component Policies 104
Managing Groove Platform Upgrades 105
Prevent Platform Upgrade 106
Allow Platform Upgrade To Current Version 107
Allow Platform Upgrade To Interim Version 108
Allow Platform Upgrade and Limited New Tools 110
Allow Platform Upgrade But No New Tools 111
Controlling Login Credential Reset and Data Recovery 112
Resetting Groove Login Credentials for Managed Devices 113
Administering Centralized Reset of Login Credentials 113
Client Reset of User Login Credentials 115
Customizing Reset Instructions for Managed Devices 116
Setting Up Data Recovery on Managed Devices 117
Data Recovery Fundamentals 117
Recovering User Data (using the Data Recovery Tool) 119
Controlling Groove Tool Usage on Managed Devices 121
Restricting Tool Usage 121
Tool Usage Recovery After Restriction is Removed 123
Limiting Groove Bandwidth Usage for Devices 124
Overview of Groove Bandwidth Policy 124
Setting Groove Bandwidth Limit 125
Enabling Groove Client Auditing 126
Supporting an Onsite Groove Component Server 127
Account Policies 128
Client Policies 128
Security Policies 131
Usage Policies 134
Audit Server Policies 135
Managing Groove Product Licenses 138
Overview of License Provisioning 138
Adding Groove Licenses to a Domain 139
Adding a License Set to a Domain 140
Adding Groove Domain Licenses to a Set 140
Editing License Set Names 141
Viewing Domain Licenses 141
Viewing Licenses in a Set 141
Viewing License Information 141
Finding License Users 142
Changing License Sets 142
Changing License Sets for a Group 142
Changing License Sets for a Group Member 143
Deleting Licenses from a Domain 143
Deleting Licenses from a Set 143
Deleting License Sets 144
Distributing Licenses to Unmanaged Users 144
Viewing Licenses from Unmanaged Users 145
Revoking Licenses from Unmanaged Users 146
Adding More Seats to a License Package 146
Using the Enterprise License Pack 147
Managing Groove Servers 148
Overview of Server Provisioning 148
Relay Server Provisioning 149
XMPP Proxy Server Provisioning 149
Registering a Server with a Management Domain 149
Overview of Server Registration 150
Exchanging Server Keys 150
Adding a Server Set to a Domain 152
Adding Groove Domain Servers to a Set 152
Editing Server Set Names 153
Viewing Domain Servers 154
Viewing Servers in a Set 154
Editing Server Properties 155
Finding Server Users 156
Changing Server Sets 156
Changing Server Sets for a Group 157
Changing Server Sets for a Group Member 157
Deleting Servers from a Domain 157
Removing Servers from a Set 158
Deleting Server Sets 158
Locking out and Re-enabling an Onsite Server 159
Reordering Servers in a Set 159
Synchronizing an Onsite Server 159
Viewing Groove Domain Reports 161
Viewing Reports 161
Filtering Reports 162
Exporting Reports 163
Domain Reports 163
Audit Log 164
Member Usage 166
Member Activity 173
Sample Report Filters 177
Show Audit Events for a User During Past Week 178
Show Audit Log Events for Administrator in Date Range 178
Show Most-Used Tools 178
Show Members Whose Account Has Never Been Backed Up 179
Show Members Who Used Groove Since the Last Backup Date 179
Show Members with Managed Account on Multiple Devices 179
Show Members with Accounts on Unmanaged Device 179
Troubleshooting 181
Domain Administration Problems 181
Groove User Problems 183
Data Recovery Problems 184
Appendix A. Groove Component Versions 186
Appendix B. Management Server Keys and Certificates 191
Glossary 193
Index 211
Overview of Domain Administration
The Enterprise Management Server (EMS) and Groove Hosted Management Services are Web-based applications designed to facilitate the provisioning and management of Groove users in an enterprise. EMS runs on servers operated by an enterprise while the Groove Hosted Management Services application runs on servers operated by Groove Networks®. The option employed at an organization depends on its IT practices and objectives.
Regardless of the management server hosting option, Groove administrators and clients communicate with the management server via its Web site, which provides both an administrative and a client interface. The management interface, secured by its underlying IIS configuration, allows administrators to assemble Groove users, define Groove usage and security policies, distribute Groove product licences, and deploy relay servers. The client interface allows Groove users to access policies, product licenses, and relay server assignments, and to report Groove usage statistics.
This overview provides summary information on the following topics:
• Administrative Architecture
• Management Server Functionality
Administrative Architecture
The management server’s Web-based administrative interface is the interactive component of the system. From this interface, administrators can manage users, set Groove usage and device policies, distribute Groove product licences, and assign relay servers within the organizational unit called a management domain. This administrative interface of the management server is accessible from a URL defined during management server installation.
This management server administrative interface consists of a navigation pane and the main display window, where a set of tabs and tools let administrators access tasks associated with a selected item in the navigation tree.
The navigation tree consists of the elements described in the following table:
Navigation Tree Hierarchy - Description
Domains - Management domains defined on the server. Each domain consists of member groups, policy templates, license sets, and relay server sets.
Member groups and subgroups - Pages for creating member groups and for creating, editing, or deleting domain member contact information.
Identity Policy Templates - Pages for adding, editing, and deleting identity policy templates (collections of identity policies), including:
• Member policy templates
• Security policy templates
Device Policy Templates - Pages for adding, editing, and deleting device policy templates (collections of device policies), including:
• Account policy templates
• Client policy templates
• Security policy templates
• Audit Server policy templates (EMS only)
License Sets - Pages for configuring a license set’s properties (name and description), adding and deleting license sets to and from a domain group, and adding or deleting licenses within a set.
Relay Server Sets - Pages for configuring a relay set’s properties (name and description), adding and deleting relay sets to and from a domain group, and adding or deleting relay servers within a set.
Management Server Functionality
Groove management servers, whether onsite or Groove Networks-hosted, enable centralized control of Groove usage. Supported by a Structured Query Language (SQL) database that stores most of its data, the management server helps maintain productive workflow and collaboration. While Groove clients periodically connect to the management server to receive provisioning updates and report usage information, administrators connect through a dedicated Web interface to perform tasks essential to managing Groove use on a corporate scale.
Onsite management servers must be installed and configured appropriately by a server administrator, as described in the Groove Management Server Administrator’s Guide. Once the server is in place, management domain-level administrators can use it to set up the management environment.
The following sections briefly describe the scope of domain management tasks that can be conducted from hosted or onsite management servers:
• Groove User Management
• Groove License Provisioning
• Relay Server Provisioning
• Password/Smart Card Login Reset and Data Recovery
• Groove Account Backup
• Groove Usage Monitoring
• Groove Client Auditing
Groove User Management
Groove users must each have a managed identity in a domain group in order to be provisioned with usage and security policies, Groove licenses, and relay servers. If administrators need to set policies on Groove devices, as well as user policies, they can register the Groove user device(s) in a management server domain. Any server or domain-level administrator can create domain groups and populate them with users. The following sections introduce user and device administration:
• User Management
• Device Management
User Management
Once Groove is installed on user devices, domain administrators begin the Groove management process by entering user contact information in domain groups on the management server. When this is complete, they send activation keys to each intended member of the group. Users apply these keys to their accounts, resulting in the creation of a managed, provisioned identity for each group member.
To facilitate the task of entering contact information for large numbers of users, administrators can import user specifications from an .xml or .csv file. Or, if a corporate LDAP-based directory server is installed onsite, the necessary user information can be imported or integrated from a defined data point on the directory server.
Device Management
An important aspect of managing Groove users is managing the devices they use for work. Managed devices are subject to specific security policies (such as password creation rules and component download restrictions) while unmanaged devices are not.
Device management involves the distribution of Groove account, client, and security policies to devices defined for managed identities. Devices running Groove must be registered with the management server in order to be managed and subject to device policies. Registration is accomplished by downloading a management server registry key to devices associated with managed domain members. Policies become effective on target devices as soon as the device users activate Groove. Activating Groove on target devices automatically updates Windows registries with the management server key.
User and Device Policy Setting
The management server provides templates of default usage and security policies that apply to domain group members and any associated devices that are registered on the server. Administrators can modify the policies set in these templates or create new templates, then apply the templates to designated management domain groups or users. These policies apply only to managed Groove users and devices - those defined on the management server as belonging to a specific management domain group. Policies do not affect unmanaged Groove users.
The following sections summarize the policy options in each category:
• Identity Policies
• Device Policies
Identity Policies
User identity policy templates cover the following aspects of Groove use:
• Member policies - Client account backup scheduling, client access to XMPP messaging, and identity publishing.
• Security policies - Peer authentication and, if enterprise PKI is in effect at an enterprise, the use of specified identity authentication certificates.
Device Policies
User device policy templates cover the following aspects of Groove use:
• Account policies - Multiple account creation, importing accounts, use of only managed identities from this domain on devices in this domain.
• Client policies - Component installation and bandwidth usage.
• Security policies - Password or smart card login, password creation and reset if used, smart card login and reset if used, account lockout after repeated failed login attempts, enhanced private key protection, and Web services availability.
• Audit Server policies - Audit server URL, logging periodicity, selected account events, and selected tool events (available for Enterprise Management Server only).
Groove License Provisioning
Managed Groove users need licenses for managed versions of Groove Virtual Office (formerly Groove Workspace). Once an enterprise has purchased the necessary licenses and made them available on a corporate network, administrators can add them to management server license sets for assignment to specific domain groups or users. Domain administrators can add and delete license sets in a management domain, and add and delete licenses within a license set.
Relay Server Provisioning
Relay servers are a fundamental part of Groove peer-to-peer communications. In a managed environment, dedicated relay servers installed onsite at an enterprise or hosted by Groove Networks help ensure timely, uninterrupted message transfer between Groove peers regardless of their location or status (online or offline) on the network. Once an enterprise has installed at least one relay server onsite or engaged Groove-hosted relay services, administrators can add relay servers to relay server sets for assignment to specific management domain groups or users. Domain administrators can add and delete relay server sets in a management domain, and add and delete relay servers within a set.
XMPP Proxy Server Provisioning
As of version 3.1, Groove Virtual Office provides public XMPP proxy servers to enable Groove client communication with Jabber and other XMPP clients. In a managed environment, an enterprise can install Groove XMPP proxy servers onsite, allowing administrators to provision Groove domain members to private XMPP servers similar to the way they provision users to dedicated relay servers. In addition, a management server identity policy determines whether domain members can access any Groove XMPP Proxy Servers (public or onsite).
Domain Administration and Role Assignment
Domains, defined by server administrators (or by Groove Networks, if hosted management services are employed), are the top management unit on the server. Each domain consists of user groups and subgroups, as well as a collection of user and device policy templates, Groove license sets, and relay server sets. At the top management domain level, administrators can view Groove usage reports, and add, edit, or delete management server email templates. In addition, if the management server administrator has enabled Role Based Access Control (RBAC) on the server, domain administrators can define roles for peer administrators or for those limited to Groove user, license, data recovery, or report management.
Password/Smart Card Login Reset and Data Recovery
In the event that a managed user is removed from a management domain or forgets a Groove password or smart card login, resetting the user’s password or smart card login credentials may be necessary. To prepare for this eventuality, the domain (or server) administrator can set a device policy that allows for reset proceedings. The management server supports a centralized approach to resetting a user passphrase or smart card login. Provided that device security policies allow it, administrators can respond to individual user requests for password or smart card login reset by verifying user identity and granting (or denying) the request. If the request is granted, users can reset their own password without further administrative involvement.
In addition, the management server provides a utility that domain administrators can use to access data that would otherwise be irretrievable without the user’s password. Groove data that is normally stored encrypted with the managed user’s password (known only to that user) is also encrypted with the administrator’s public key. The data recovery program enables the domain administrator to use a corresponding private key to recover the device owner’s Groove data or reset the user password.
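The following Go program is an added illustration of the two-recipient encryption pattern described above; it is not part of this guide and is not Groove’s implementation or file format. A random data key seals the user data; that data key is then wrapped once under a key derived from the user’s passphrase and once under the administrator’s RSA public key, so either the passphrase or the administrator’s private key can unlock the data, and a wrong passphrase or an unrelated administrator key is rejected rather than yielding garbage. The Envelope layout, the PBKDF2 iteration count, the OAEP label and the sample data are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed layout; field names are assumptions, not Groove's on-disk format.
type Envelope struct {
	Salt         []byte // PBKDF2 salt for the passphrase-derived wrapping key
	UserWrapped  []byte // data key, AES-256-GCM under the passphrase key (nonce || ciphertext)
	AdminWrapped []byte // data key, RSA-OAEP to the administrator's public key
	Ciphertext   []byte // user data, AES-256-GCM under the data key (nonce || ciphertext)
}

const pbkdf2Iters = 100_000               // assumed work factor
var oaepLabel = []byte("recovery-escrow") // assumed label binding the wrap to its purpose

// must turns errors that cannot occur by construction into panics (illustration only).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) producing one 32-byte block.
func pbkdf2SHA256(passphrase, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || AES-256-GCM ciphertext; open reverses it, and GCM authentication
// makes a wrong key fail cleanly instead of yielding garbage.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Protect seals data under a fresh data key and wraps that key for both recipients.
func Protect(data, passphrase []byte, adminPub *rsa.PublicKey) *Envelope {
	dataKey, salt := randomBytes(32), randomBytes(16)
	return &Envelope{
		Salt:         salt,
		UserWrapped:  seal(pbkdf2SHA256(passphrase, salt, pbkdf2Iters), dataKey),
		AdminWrapped: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, adminPub, dataKey, oaepLabel)),
		Ciphertext:   seal(dataKey, data),
	}
}

// OpenWithPassphrase is the normal path: the user's passphrase unwraps the data key.
func OpenWithPassphrase(env *Envelope, passphrase []byte) ([]byte, error) {
	dataKey, err := open(pbkdf2SHA256(passphrase, env.Salt, pbkdf2Iters), env.UserWrapped)
	if err != nil {
		return nil, fmt.Errorf("passphrase rejected: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

// RecoverWithAdminKey is the recovery path: the administrator's private key unwraps the data key.
func RecoverWithAdminKey(env *Envelope, adminPriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, adminPriv, env.AdminWrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("administrator key rejected: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

func main() {
	adminPriv := must(rsa.GenerateKey(rand.Reader, 2048)) // constructed administrator key pair
	env := Protect([]byte("constructed sample: workspace list"), []byte("user passphrase"), &adminPriv.PublicKey)
	rec, err := RecoverWithAdminKey(env, adminPriv)
	fmt.Printf("recovered=%q err=%v\n", rec, err)
}
```

The design point the example makes is that the administrator never learns the user’s passphrase: only the per-envelope data key is escrowed, and the private key that unwraps it is the asset that must be protected and kept off the user devices.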
Groove Account Backup
The management server lets administrators set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed up information includes user contacts, workspace lists, identities and contact information, licenses and identity policies. Without a backup system in effect, lost or corrupted user account data is irretrievable.
Groove Usage Monitoring
When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, Groove workspaces, and Groove tools being used. Administrators can view Groove usage statistics via the management server administrative Web site.
Usage statistics include the amount of time users spend in a particular workspace, use a specific tool, or create workspaces. Audit log reports are also available that log domain events, such as the addition of a new group to a domain.
Hosting Groove Components
If Groove’s Component Server is installed onsite, administrators can set a device policy that directs Groove clients to that server for Groove component downloads.
Groove Client Auditing
If the Groove Audit Server is part of the management server installation, the management server can be configured to cause managed clients to log Groove user activities. Management server device policies specify which Groove events are tracked and uploaded to management server databases. Client audit logs are collected onto a SQL server, and from them administrators can generate formatted reports using third-party reporting tools, such as Crystal Reports.
The Management Server Domain Administrator’s Guide
This Groove Management Server Domain Administrator’s Guide provides instructions for using Groove management services, whether provided by an onsite server or hosted by Groove Networks.
This Guide has the following sections:
• Overview - Describes the management server’s role in managing Groove and its functionality.
• Getting Started - Provides a recommended procedure for initial deployment of Groove users and devices at an enterprise.
• Managing Groove Users - Provides instructions for creating domain member groups, provisioning managed users, and administering Groove usage.
• Setting Groove Identity Policies - Provides instructions for customizing managed user policies.
• Setting Groove Device Policies - Provides instructions for customizing managed device policies.
• Managing Groove Product Licenses - Provides instructions for managing Groove licenses and provisioning managed users with Groove licenses.
• Managing Groove Servers - Provides instructions for managing Groove servers such as Enterprise Relay Servers and XMPP Proxy Servers, and for provisioning managed users with access to these.
• Managing Groove Domains - Provides instructions for configuring Groove management domains and domain administrator roles.
• Monitoring Groove Usage - Provides instructions for accessing and reading Groove usage reports.
• Troubleshooting - Lists common problems related to the management server and suggests ways to address them.
• Glossary - Defines terms used in this Guide.
• Appendices - Provide information about Groove component versions and other supplementary material.
Getting Started
Groove management servers enable administrators to set up a system for overseeing Groove usage in an enterprise. This document provides instructions for using the administrative Web interface provided by your onsite Groove Enterprise Management Server (EMS) or by Groove Hosted Management Services to manage Groove users and devices at your company.
The setup process involves meeting the necessary software and information requirements, accessing the management server administrative Web site, defining Groove users to the management server, and, finally, provisioning them with usage and security policies, product licenses, and relay servers.
The following sections describe details of this process:
• Before You Begin
• Setting Up a Groove Management System
• Distributing Activation Keys
Before You Begin
Review the checklists in this section before accessing the management server administrative Web site.
Note: The instructions in this guide assume that you have full access to the domain portion of the administrative Web site. If your server administrator has enabled Role Based Access Control, you must have the role of Server Manager or Domain Administrator. Some options may not be available to you if you have any other role.
As a domain administrator, you need expertise in the following areas:
• General Groove use
• User account management
• Software usage monitoring
In addition, make sure that the following conditions are met:
• You understand the basic functionality provided by the management server. For more information, see the “Overview of Domain Administration” earlier in this guide.
• If you are using the Enterprise Management Server installed at your site, the EMS software is installed on your system as described in the Groove Enterprise Management Server Administrator’s Guide and you know the Universal Resource Locator (URL) of your company’s EMS Web site.
• The Internet Explorer 5.5 (or later) browser is installed with Frames, Cookies, and JavaScript enabled.
• Groove version 3.0 (or later) is installed on your user’s computers. See the Groove Software Deployment Administrator’s Guide for information about deploying Groove software in an enterprise.
Note: The management server supports Groove version 1.3 (or later) but many policies and other management server features, including user provisioning with specific relay servers, are available only for the latest version of Groove.
• If you intend to utilize one or more onsite relay servers, the relay server is installed and configured as described in the Groove Enterprise Relay Server Administrator’s Guide. Note that onsite relay servers require onsite management servers.
• If your user contact information originates from a corporate directory server, your management server administrator has defined and configured the directory server on your management server, as described in the Groove Enterprise Management Server Administrator’s Guide. Note that directory server integration is possible only if an Enterprise Management Server is installed at your site.
• You have on hand your login name and password for the management server if required. If you are using the Enterprise Management Server, this information is determined by your company’s Web site authentication system. If you are using Groove Hosted Management Services, this information is determined by login requirements of the Groove-hosted management server Web site.
• You have on hand the path name of the directory where your company’s Groove license files (.pkg files) reside.
• You consider the possibility of Groove user device management, which is strongly recommended although not required. Device management lets you set various Groove usage and security policies, including those that govern the types and sources of Groove components that can be downloaded onto these devices.
Accessing the Administrative Web Site
The sections below provide instructions for accessing and using the management server administrative Web site:
• Accessing the Management Server Administrative UI
• Getting Help
Accessing the Management Server Administrative UI
To access the management server administrative interface, do the following:
1. From a Windows PC, open an IE Web browser.
2. If you are accessing a local Enterprise Management Server from your own site, go to the URL of the Enterprise Management Server, defined by the management server administrator.
If you are accessing Management Services from the Groove Networks Web site, go to http://groove.net.
3. Log in to the management server using your administrator login name and password (determined by your company’s Web site authentication scheme if you are using the Enterprise Management Server).
The management server home page appears, with a domain list on the left and a main window showing a set of tabs. Notice the page’s following characteristics (which may vary, depending on the role your server administrator has assigned to you):
• The main window reflects the current selection in the navigation pane.
• A navigation tree appears in the pane on the left, listing the management domain(s) defined on this server.
• At least one member group appears in the navigation pane under each management domain.
• At least one Groove identity and device policy template, license set, and relay server set, appears in the navigation pane under each management domain.
• A tool bar at the top of the main window contains icons appropriate for the task being performed on the current tab.
• When the management domain is the current selection, a set of domain tabs appears - Reports, Email, and Roles, with the Reports tab in the foreground.
Note: If, instead of domain tabs, a domain setup window appears, requiring information, fill in the fields as described in “Completing Domain Configuration” in the Managing Domains section of this guide. Then you can start using the domain management pages.
You are now ready to begin populating a server domain group with members and provisioning those members, as described below.
Getting Help
To get help using Management Services, follow these guidelines:
• Click the Help link in the upper left of a management server administrative Web page to access management services Help.
• Go to http://groove.net/go/ms (or the Groove EMS product CD) for a printable .pdf version of the Groove Management Server Domain Administrator’s Guide.
• For server-level information, see the Groove Enterprise Management Server Administrator’s Guide.
• For specific information about installing the Groove client in an enterprise, see the Groove Software Deployment Administrator’s Guide.
Changing Administrative Preferences
You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.
To edit administrative preferences, follow these steps:
1. Go to the EMS administrative Web interface and click the Preferences link at the top of the current page. An image of your left navigation pane appears in the dialog box.
2. To change the default number of list items that appear on any list page, select a number from the Display drop-down box. The initial default setting is to display 25 items per page.
3. To select a start (or home) page, which will appear when you start the EMS administrative Web interface, select an item from the Start Page tree.
4. Click OK.
Your changes should take effect immediately.
Setting Up a Groove Management System
A domain is the top-level management unit of Groove deployment on the management server. It contains one or more groups of Groove users (members). Your management server administrator creates domains; you or anyone with management domain-level permissions (if Role Based Access Control is configured on your server) can create domain groups and subgroups. The management server provides an initial top-level domain group, within which you can create other groups and subgroups.
Note: Administrators with limited roles (roles other than Server or Domain administrator) may not be able to see certain pages or fields discussed in this guide. Initial administrator roles are set by the management server administrator as part of the management server installation and configuration process. However, domain administrators can edit the roles of domain-level or limited domain-level administrators, as described in “Editing Administrator Roles” in the Managing Domains section of this guide.
The procedure below outlines the basic steps necessary to create an initial user management system, following a recommended sequence. Where necessary, you can link to other sections of the guide that provide more detail. You may want to begin by performing a trial run with a sample user base and minimal customization.
To add Groove users to a Groove management domain and provision them with policies, licenses, and relay servers, follow this basic recommended procedure:
1. Start up and log in to the management administrative Web site as described in the “Accessing the Administrative Web Site” section of this guide. At least one domain appears in the navigation tree in the pane to the left of the main window.
2. Select a management domain in the navigation pane.
If an administrator has fully configured the domain, a set of tabs (for Reports, Email, and Roles) appears in the main window allowing you to perform various domain tasks described later in this guide. Proceed to the next step.
If a No Roles tab appears, along with a message referring you to a server or domain administrator for domain access, ask the appropriate administrator to assign you an administrative role. Then return here to continue with this procedure.
If a domain setup window appears, requiring information, fill in the fields as described in “Completing Domain Configuration” in the Managing Domains section of this guide. Then return here to continue with this procedure.
3. To apply management server device policies (that control client password entry and component downloading, for example) to Groove user devices, register each device with the management server as follows:
Note: Registering devices with the management server is highly recommended.
a. Download the device management registry key from the management server to a client-accessible location, by selecting the default device policy template in the navigation pane, then selecting Download Device Management Key in the tool bar. (See “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide for details.)
b. Install the management server registry key on each user device that you want to manage in the domain. Each registered device appears with a Type of ‘Managed’ in the Member Information page of the member(s) with which it is associated, as described in “Viewing Domain Members”, in the Managing Groove Users section of this guide. For information about centralized deployment of device management keys via MSI transforms, see the Groove Software Deployment Administrator’s Guide.
4. Consider customizing the identity policy template in the domain. Initial defaults are usually based on minimal security requirements. For details about specifying identity policies, see “Viewing and Editing Identity Policies” in the Managing Identity Policies section of this guide.
Note: If you want the management server to automatically back up domain member accounts, make sure to configure the account backup policy on the Member Policies tab, as described in “Backing Up and Restoring User Account Data” in the Managing Groove Users section of this guide.
5. Consider customizing the device policy template in the domain. Initial defaults are usually based on minimal security requirements. For details about specifying device policies, see “Viewing and Editing Device Policies” in the Managing Device Policies section of this guide. In considering device policy settings, note the following:
• To enact any device policies, make sure you installed device registry keys on each user device, as described earlier in this procedure.
• If you want to allow for Groove password resetting and data recovery, make sure to set the device settings accordingly on the Security Policies tab, as described in “Resetting Groove Login Credentials for Managed Devices” and “Setting Up Data Recovery on Managed Devices” in the Managing Device Policies section of this guide.
• If a Groove Audit Server is installed at your site and you want to enable the client auditing, make sure to set the device settings accordingly on the Audit Policies tab, as described in the “Enabling Groove Client Auditing” section of this guide.
• If a Groove Component Server is installed at your site, make sure to specify the server accordingly on the Advanced Install Properties page of the Client Policies tab, as described in “Supporting an Onsite Groove Component Server” in the Managing Device Policies section of this guide.
6. Add Groove licenses to a domain license set, as follows:
Note: This step is required. Omitting this step will restrict your managed users to installing the Preview version of Groove Virtual Office instead of the professional version necessary for Groove use in an enterprise.
a. Select the domain’s License Sets heading in the navigation pane. The License Sets page appears with two tabs: License Sets and Licenses on the bottom of the page. The License Sets tab shows an initial default license set that does not yet contain licenses.
b. If you are using an onsite Enterprise Management Server, import a Groove license (product package) to the domain by clicking the Licenses tab, selecting Add License in the tool bar, and browsing to the file location of your organization’s Groove license files. (See “Adding Groove Licenses to a Domain” in the Managing Groove Licenses section of this guide for details.)
If you are using Groove Hosted Management Services, you can skip this step, which is handled by Groove Networks.
c. Add a Groove license to the default license set by selecting the set from the navigation panel, selecting Add License in the tool bar and selecting the license from the Add License window, as described in “Adding Groove Domain Licenses to a Set” in the Managing Groove Licenses section of this guide.
7. If you are using an onsite Enterprise Management Server, assign specific Groove servers, including Relay and XMPP Proxy servers, to a domain server set as follows:
a. Select the domain’s Server Sets heading in the navigation pane. The Server Sets page appears with two tabs: Server Sets and Servers at the bottom of the page. The Server Sets tab shows an initial default server set that does not yet contain servers.
b. Add the Groove server ID file to the domain by clicking the Servers tab, selecting Add Server in the tool bar, selecting Onsite Relay Server, Hosted Relay Server, or XMPP Proxy Server from the drop-down menu, and entering the required information. (See “Registering a Server with a Management Domain” in the Managing Servers section of this guide for details.)
This server is automatically added to the initial default server set.
8. To enter user contact information in the domain (if your server manager has not already performed this step using a corporate directory server), follow the sub-steps below. If user data has already been integrated into management server member groups from a corporate directory server, skip this series of sub-steps and proceed to the next main step.
a. Select the initial domain group created for you, called Members. The Members page appears with two tabs: Members and Groups. You can add members directly to this group, but creating subgroups, as advised in the next step, is the more practical and recommended approach, particularly if you are integrating an onsite directory server with the management server.
b. Add a group to Member Groups by selecting it, clicking the Groups tab, selecting Add Group in the tool bar, and filling in the dialog box as described in “Adding Groups” in the Managing Groove Users section of this guide.
c. Select a domain group in the navigation pane, select Add Members in the tool bar, and select one of the Add Member options, as described in “Adding Groove Users to a Domain Group” in the Managing Users section of this guide.
9. Accept the default domain group provisioning with policies, licenses, and relay servers, or edit them by clicking the group in the navigation pane and editing its properties, as described in “Provisioning Managed Groove Users” in the Managing Users section of this guide.
10. Send activation keys to domain members, as described in “Enabling Groove Activation” in the Managing Users section of this guide.
To perform various domain-level tasks, use the domain tabs and the following table for guidance:
Domain Tabs / Descriptions
Reports: Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.
Email: Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide.
Roles: Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles” in the Managing Domains section of this guide.
Distributing Activation Keys
To facilitate deployment of Groove Virtual Office (formerly Groove Workspace) in your domain, the latest Groove version should already be installed on user machines before you send them email containing their domain member activation keys. When you are ready for users to come online in your management domain and you have sent them the email that contains their identity activation keys, they must each install the activation key in Groove.
As an alternative to manual client activation, the management server offers an Auto-Activation feature. See your server administrator or the Groove Enterprise Management Administrator’s Guide for information about automating Groove activation.
Groove user devices must be connected to the management server for Groove activation to succeed. When a Groove user applies a managed identity activation key to a PC, Groove contacts the management server (for example, groove.net if you are using Groove Hosted Management Services), authenticates the user, and downloads the appropriate user information and domain licenses to the user’s machine. It also downloads identity policies and any relay server assignments associated with the domain. If device management keys are included in the installation process, device policies are also downloaded.
To activate their new identities, users must first start up Groove Virtual Office. Subsequent steps vary somewhat, depending on which version of Groove the user is running. The following table provides some guidelines:
User Scenario / What User Should Do
User scenario: The user is starting up a licensed version of Groove 2.0+ on a managed device for the first time.
1. Double-click the Groove icon to start up the Product Activation Wizard, which guides the user through the domain member activation process.
2. Copy the administrator-supplied Activation Key into the Wizard text boxes when prompted to do so.
User scenario: The user is starting up Groove 2.0+ on an unmanaged device for the first time.
1. Double-click the Groove icon to start up the Product Activation Wizard, which guides the user through the domain member activation process.
2. Get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box when prompted to do so.
User scenario: The user already has Groove Preview 2.0 running on their managed device.
1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process.
2. If prompted, choose whether to create the new managed identity or convert an existing identity to a managed identity. The display of this prompt depends on the administrator’s device policies.
User scenario: The user already has Groove Preview 2.0 running on their unmanaged device.
1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process.
2. Get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box when prompted to do so.
3. A prompt will ask the user whether to create a new managed identity or to make an existing identity managed.
User scenario: Auto Activation will activate Groove.
1. Make sure that Groove client devices are registered with a management domain, as described in “Registering User Devices with the Management Server” in this guide.
2. See your server administrator or the Groove Enterprise Management Server Administrator’s Guide for information about using Auto Activation.
In supporting Groove users, bear in mind the following factors pertaining to activation keys and managed identity creation:
• All identities in an account containing a managed identity will have access to whatever licenses are associated with that managed identity.
• Users cannot install the same activation key and identity data into more than one account. Trying to do so will cause a message to appear, stating that the identity has already been installed. Users must get a new activation key from the administrator if they install the activation key and identity data into the wrong account or need to delete the account where the managed identity resides for any reason.
• Once activated, an activation key cannot be re-used or re-sent for any reason, even if the account in which the identity resided has been destroyed. You must create new identity information and send a new activation key to a user if the user has lost domain membership for any reason.
• If your device policies allow, the Product Activation Wizard gives users the choice of converting an existing identity to the new managed identity, based on the identity information that you entered for them. The original identities’ existing Groove spaces and contact lists remain intact.
• If a user does not yet have a Groove account, the Groove domain activation process creates a user account. This identity is the default for that account.
If a user has one or more existing Groove accounts, the domain activation process prompts the user to choose whether to create a new account or to use a specified existing account. If the user chooses the new account option, the managed identity will become the default identity in that account. If the user specifies an existing account, that account will have multiple identities, the existing one(s) and the new one which becomes the default. As described in the previous bullet, the user can convert an existing identity to the new managed identity if your device policies allow.
Groove is now launched on the user’s device and the user is a member of the management domain, with access to the licenses and allegiance to policies associated with that domain.
Note: For administrators of Groove-hosted services: Groove licenses reside on a Groove Networks server and are accessed via the Groove Networks Web site at www.groove.net. If your company uses proxy servers to control traffic out to the Internet and the user has not logged into the network, the Groove client will trap any login request from the proxy and display a login window during the domain activation process. The user should enter the customary name and password in order to proceed smoothly. If a user ignores this login, the activation process will fail. If activation fails for any reason and the Groove client (user’s device) cannot communicate with the server to perform activation, the Groove client automatically tries again within an hour.
Managing Groove Domains
Management domains are organizational units defined on the management server. This document provides information about the ongoing administration of Groove management domains via the Enterprise Management Server (EMS) or Groove-Hosted Management Services. For specific information about initial domain configuration, see “Setting Up a Groove Management System” in the Getting Started section of this guide.
The sections below describe the following domain-based tasks:
• Overview of Management Domains
• Configuring Management Domain Affiliation
• Setting Up Cross-Domain Certification
• Migrating Users to Another Domain
• Adding, Editing and Deleting Email Templates
• Editing Administrator Roles
Overview of Management Domains
Management domains are organizational units that contain groups of managed Groove users, templates of identity and device policies, and sets of licenses and relay servers. Management server administrators create domains, as described in the Groove Management Server Administrator’s Guide. Each domain has one top-level group, within which you can add other groups and subgroups. You use management domains to manage Groove users and devices. See “Managing Domain Member Groups” in the Managing Users section of this guide for more information about groups.
Clicking on a completely configured domain in the navigation pane of the management server administrative Web interface, displays tabs where you perform basic domain-level tasks, as described in the table below. If a domain is not yet fully configured, a pop-up domain setup window appears asking for the required information, as described in “Com-
Groove Management Server Domain Administrator’s Guide Managing Groove Domains 17
pleting Domain Configuration” later in this section.
Note: Changes or updates to user contact information apply to all members of a Groove management domain and to their Groove workspace contacts. To manage network traffic, the management server distributes these changes to Groove clients over time. Therefore, these changes may not take effect immediately. Depending on the number of Groove clients affected, the propagation can take up to several days (for example, up to 4 days for about 5,000 users). Domain-wide changes include the following:
• Management domain affiliation
• Relay server set
Completing Domain Configuration
The management server provides an initial default domain. If a server administrator did not complete initial domain configuration, clicking the domain in the navigation pane on the left displays a domain setup window, instead of the domain tabs (Reports, Directory Integration, and Roles). You cannot use the domain to provision Groove users until you supply information in the required fields.
To complete management domain configuration, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane on the left. If a set of domain tabs (Reports, Emails, Roles) appears, domain configuration is complete and you do not need to perform this procedure.
2. If a domain setup window appears, fill in the fields described in the following table, then click OK.
Domain Tabs Descriptions
Reports Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.
Email Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates”, later in this section.
Roles Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles”, later in this section.
Add Domain Fields* Explanations
Domain Setup
Domain Name The name of the domain, supplied automatically for the initial domain. This name is used in the management server user interface to refer to the domain. You can edit this field, if necessary.
Groove Management Server Domain Administrator’s Guide Managing Groove Domains 18
Description Optional. A description of the domain which you can supply.
Identity Authentication Settings (cannot be undone)
Required. Click one of the following radio buttons, depending on your company’s security policies. Or accept the default of Groove PKI.
• Use Enterprise PKI to authenticate member’s identities - Select this option if your organization has an existing Public Key Infrastructure (PKI) system that you want to use with the management server.
• Use Groove PKI to authenticate member’s Identities - Select this option if you do not have a corporate PKI system in place or you prefer to use Groove’s application-specific PKI system.
Note: This decision cannot be undone after you click the OK button.
Default: Use Groove PKI
Certificate Authority name Required if the Use Groove PKI option is selected above. Enter a unique, fully qualified, registered Domain Name Service (DNS) name.
If the Use Enterprise PKI option is selected above, this field does not apply.
Password or Smartcard Reset Setup
Private Key Name Accept the default name for the password/smart card reset private key, or edit it as necessary. The default name is based on the creation date and time (such as Jan-10-2004 12 PM Key).
When you click the OK button in this dialog box, the management server generates a private key on the server or in a designated file location, as specified below. This key decrypts user data that is protected by a corresponding reset public key, allowing administrators to reset Groove passwords or smart card logins, and recover user data on managed Groove device. See “Resetting Groove Login Credentials for Managed Devices” and “Setting Up Data Recovery on Managed Devices” in the Managing devices section of this guide, for more information about resetting user passwords and recovering user data.
Note: Enabling password reset and data recovery also involves setting the appropriate policies for management domain devices as described in “Managing Device Policies” later in this guide.
Create Private Key Password
Required. Enter a password to protect access to the password/ smart card reset private key. This is the administrative password used to reset a user’s Groove password.
Note: If you lose your private key file, you must regenerate it and reset the policy. The private key always remains password- protected.
Verify Private Key Password
Add Domain Fields* Explanations
Groove Management Server Domain Administrator’s Guide Managing Groove Domains 19
Viewing and Editing Management Domain Properties
Your management server administrator creates domains on the management server. You (or anyone with a server or domain administrator role in an RBAC-supported environ- ment) can view domain information and edit a domain’s configurable properties, as described in the following sections.
To edit management domain properties, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane on the left.
2. Select Domain Properties in the tool bar. The domain Properties page appears.
3. From the domain Properties page, edit the fields shown in the following table as necessary, then click OK:.
Remember Private Key Password
Available if you are storing the private key on the management server.
Select this option if you want the management server to remember the private key password that you supplied, simplifying the password reset process (described in “Resetting Groove Login Credentials for Managed Devices” in the Managing Device Policies section of this guide).
Default: checked (enabled)
Private key storage options Required. Select a private key storage option:
• Store private key on the management server - Stores the password reset private key on the management server.
• Save private key to a file - Displays a browse Window where you can browse to and specify a file location for the password reset private key.
Default: Store private key on the management server.
Domain Properties Fields
Domain Setup
Domain Name Specifies the name of the domain. The management server supplies an initial domain name, which you can edit as needed.
Description Displays an optional description of the domain. You can edit this description as needed
Certificate Authority (CA) name
Information only. Appears if the Groove PKI option is selected.
The CA name assigned to the domain by the server administrator during domain creation, if Groove PKI is the chosen identity authentication system.
Add Domain Fields* Explanations
Groove Management Server Domain Administrator’s Guide Managing Groove Domains 20
Representation of Affiliation
Determines the level of information displayed in domain members’ Groove contact information, as follows:
• Show member’s domain only - Display’s each managed user’s name, followed by the management domain of which the user is a member.
• Show member’s position with the domain/group hierarchy - Displays each managed user name, followed by the management domain/group/subgroup... of which the user is a member.
Device Management
Remove devices from domain after __ days of inactivity
The number of days of inactivity after which the management server removes managed devices from the domain.
Default: 90
Password or Smart Card Reset Setup
Store Key on Server Appears if the private key file is stored in a specified file.
Lets you change the storage location for the password/smart card reset private key from a network location to the management server.
Clicking this button displays a pop-up window with the key name, a browse box to enter the source directory location, and a prompt for the private key password, along with an option to remember the password.
Move Key to File Appears if the private key file is stored on the management server.
Lets you change the storage location for the password/smart card reset private key from the management server to a specified file on your network.
Clicking this button displays a pop-up window that displays a standard Save dialog box where you can browse to a target directory location on your network. Note that moving the private key to a file deletes it from the management server.
Download data recovery tool for Groove version __
Specifies the version of Groove for which you want to download a data recovery tool. This tool allows you to access managed user data on a managed device when a user has left the company or forgotten their password (providing that device security policies allow).
Clicking the Download button displays a pop-up window that lets you download and install the data recovery tool (DataRecoveryAdminTool.exe) for the specified Groove version to the current device. Or, you can save the program file (DataRecoveryTool30.exe, which contains the data recovery tool and its associated system files) to a specified directory location. You install the data recovery tool .exe file to the Groove client device where you intend to restore Groove data. See “Setting Up Data Recovery on Managed Devices” in the Managing Groove Devices section of this guide for detailed information about recovering Groove data.
Default: 3.0
Explanations
Groove Management Server Domain Administrator’s Guide Managing Groove Domains 21
Configuring Management Domain Affiliation
The management server domain Properties page lets you control how domain members appear in Groove contact lists. By default, the domain member’s domain name appears, followed by the associated domain; no group information is included. The affiliation set- ting applies to the entire management domain and all groups in the domain.
Change Private Key Password
If the password/smart card reset private key resides on the management server, this button lets you change the private key password. Clicking the button displays a pop-up window that lets administrators specify and confirm a new password for the password/smart card reset private key.
Change Key Generates another password/smart card reset private key on the management server or in a designated directory location, as specified in this domain Properties page. The new private key has a default name that includes the date, distinguishing it from previous keys.
Cross Domain Certification (available for Groove PKI only)
Download Domain Certificate
Appears only if Groove PKI is the identity authentication method.
Downloads the selected domain’s certificate from the management server to a specified directory location on the local device. You can then send this key to another domain administrator to set up cross-domain trust. See “Setting Up Cross- Domain Certification” later in this section for information about setting up cross-domain certification with trusted domains.
Add Foreign Domain’s Certificate
Appears only if Groove PKI is the identity authentication method.
Uploads a foreign domain certificate from a specified location to the management server. When you click the OK button, the certificate name appears in the list at the bottom of the Domain Properties page.
Delete Certificates Appears only if Groove PKI is the identity authentication method.
Deletes selected cross-domain certificates. Select entries in the certificate list to mark them for deletion. Then click Delete Certificates.
Color Key Information only. Appears only if Groove PKI is the identity authentication method.
• Inside the organization - Color that identifies management domain members from within your organization.
• Outside the organization - Color that identifies Groove users from trusted domains outside the organization.
Certificate list Appears only if Groove PKI is the identity authentication method.
Lists cross-domain certificates. The certificate name, description, and download date appear for each entry. A Delete button following each certificate lets you delete certificates. Note that you cannot delete your own (self-trust) certificate.
Note: Changing the affiliation setting may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.
To configure management domain affiliation, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane.
2. Click the Domain Properties button. The domain Properties page appears.
3. From the domain Properties page, select one of the following affiliation representation options to specify how domain member entries should appear in Groove contact lists:
• Show member’s domain only - Displays the member’s managed identity name, followed by the member’s domain. For example, JDow/XYZCorp. This is the default setting.
• Show member’s position within the domain/group hierarchy - Displays the member’s managed identity name, followed by the member’s group and domain. For example, JDow/R&D/XYZCorp.
4. To change the number of inactive days before Groove removes users from the searchable directory of domain members, edit the value in the ‘Remove members from searchable directory of domain members after ___ days of inactivity’ field.
5. Click OK.
Setting Up Cross-Domain Certification
The management service’s cross certification feature lets you extend trusted collaboration beyond a single domain, to domains that may or may not belong to your organization. The management server and Groove clients support cross certification using a scheme called Public Key Infrastructure (PKI) cross certification. The management server’s cross certification applies only in the context of Groove PKI (not third-party, enterprise PKI).
Setting up cross certification requires that two administrators from different domains - both of which use Groove PKI as their identity authentication scheme - exchange and cross-register domain certificates (certificate files that contain public keys that identify one domain to another).
Once cross certification has occurred, text color distinguishes the members in the certified domain as certified. Note that this process does not prevent certified and uncertified Groove users from communicating but simply informs users of the certification status of their contacts. You can strengthen security by setting an identity policy that controls how certified users in your domain interact with uncertified users. For information about setting a policy for handling uncertified Groove users, see “Managing User Interaction with Unauthenticated Identities” in the Managing Identity Policies section of this guide.
Note: To utilize cross-domain management, you must add users to a domain or group to make them managed. For information about adding users, see “Adding Groove Users to a Domain Group” in the Managing Groove Users section of this guide.
Note: You cannot cross-certify with a foreign domain that has the same domain name as yours. This condition may result any time an administrator does not obtain a registered DNS name. Domain names must be unique to the domain. If you discover duplicate domain names, this condition must be corrected by assigning properly registered DNS names.
This section provides the following information and procedures:
• PKI Basics
• Cross-Certifying Management Domains
PKI Basics
Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification).
Understanding the role of PKI in software management involves the following basic terms:
• Certification Authority (CA) - An authority that Groove users trust to create and issue certificates (that contain public keys). In a managed Groove environment, the management server is the certificate authority. As such, it creates and manages the certificates for managed users.
• Certificate - A data structure containing a domain or Groove user’s public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected by Groove.
If Groove PKI is used in the domain configuration, the management server and Groove implement PKI according to the following process:
1. The server administrator creates a domain certificate for a management server domain, during management domain creation.
2. The domain administrator sends activation keys and associated identity information to Groove users to give them domain membership.
3. Groove users install the activation keys, automatically uploading the associated identity information and public key to the management server.
4. EMS (the Enterprise Management Server) generates and signs each user certificate with the domain's certificate (using the domain’s private key to bind the user’s public key to the user’s associated identity information). EMS then sends to each domain member the appropriate signed user certificate, giving each user a managed identity with domain membership.
Note: Management server identity policies governing certificate revocation apply to enterprise PKI authentication only, not to Groove PKI.
Third-party enterprises may implement PKI differently. Groove or Enterprise PKI is stipulated for the managed environment during management domain creation.
In the context of Groove PKI, if Groove accepts (validates) a contact’s management domain (for example, if the Groove user is a member of the contact’s domain), text color distinguishes contacts as follows:
• Contacts from the same organization as the user, under either of the following conditions:
• Contact is in the same domain as the user
• Contact is in a domain that has been cross-certified with the user’s domain and is in the same organization.
• Contacts from an outside organization whose domain has been cross-certified with the user’s domain (according to the procedure outlined below in “Cross-Certifying Management Domains”).
Again, third-party enterprises distinguish users as their PKI implementation dictates.
Certified users (in both Groove and enterprise PKI environments) are marked in the following places in the Groove client user interface:
• Contacts tab in the Groove launchbar
• Contacts tool
• Member List
• Notifier, whenever a contact name is displayed, such as when a message is received
• Message and Invitation windows in the From field, when reading a message or invitation
• Message and Invitation windows in the To field, when sending a message or invitation to a single user
• More contacts list
• Message History
Groove checks if the contact belongs to a management domain and, if so, displays its authentication status and domain when a user hovers over the name. In addition, the contact’s domain and digital fingerprint appear in the list accessible from the Groove Contact Properties window. The window also displays an Authenticated As: checkbox, so that if the contact is not already certified, a user can manually authenticate the person by contacting the individual outside of Groove (by phone, for example), verifying the associated digital fingerprint, then check-marking the checkbox to indicate that authentication took place.
Cross-Certifying Management Domains
The following procedure shows how to set up cross-domain certification between two domains, both of which use Groove PKI identity authentication (specified during domain creation). This process has two parts: you send your domain certificate to the administrator of an external domain so that external domain members can establish trust with your domain, and you import a certificate from the external domain. You can also set up cross certification in one direction only; Domain A can trust Domain B without Domain B trusting Domain A.
Note: Cross certification is appropriate only when administrators from cooperating domains trust each other, to the extent of securely maintaining proper bindings between each other’s user public keys and contact information.
This section provides instructions for the following tasks:
• Exchanging Domain Certificates
• Viewing Cross-Certified Domains
• Deleting Cross-Certified Domains
Exchanging Domain Certificates
Cross-domain certification (and the following procedure) applies only in the context of Groove PKI (not third-party, enterprise PKI).
To exchange certificates and set up mutual cross-domain trust with an administrator from a remote domain, follow these steps:
1. Go to the management server administrative Web site and select a management domain from the navigation pane (DomainA, for example).
2. Select Domain Properties in the tool bar. The domain Properties page appears.
3. Make sure that the Groove PKI identity authentication option is selected.
4. In the window’s Cross Domain Certification section, click the Download button to download the certificate (containing the domain public key) for the local domain (DomainA). A File Download pop-up window appears.
For a summary of management server keys, see “Appendix B. Management Server Keys and Certificates” of this guide.
5. Click the Save this file to disk option, then click OK. A Save As pop-up window appears.
6. Accept the path and default name of domainname.cer (in this case DomainA.cer) or edit them, then click OK. This saves the local domain certificate file in a local directory. This is the file that each administrator sends the other in order to set up cross-domain management.
7. Go to the location of your local DomainA certificate file, copy the file, and send it via email or Groove to the administrator of the remote domain (DomainB, for example).
8. Request the remote DomainB administrator to send you the DomainB certificate by performing the procedure just described.
9. When you receive a certificate from the remote DomainB administrator, save it in a directory on your local computer.
10. Authenticate the remote domain (DomainB, for example) as follows:
a. Contact the remote DomainB administrator by telephone or in person and make sure that you trust the person whom you are contacting.
b. View the certificate you received by opening the Windows Certificate Viewer, double-clicking the domainnameB.cer file, and checking the certificate’s digital fingerprint (the certificate's hash or “thumbprint” as shown in the Windows Certificate Viewer). Ask the remote administrator to do the same and to report the fingerprint. It should match what you see on your screen. Then, reverse the procedure and report your DomainA certificate’s fingerprint to the remote administrator.
11. Return to the Cross Domain Certification portion of the Domain Properties page and click the Add Foreign Domain’s Certificate button. The cross certification pop-up window appears.
12. In the File location field, enter the path and file name of the remote DomainB.cer file, clicking the Browse button if necessary.
13. Click the OK button.
You have now set up cross-domain certification with the collaborating administrator. Cross-certified domains appear in the domain list in the lower half of the page. Contacts from cross-certified domains appear on the Groove client in a different color from local domain contacts, as shown in the Color Key section of the domain Properties page.
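The following Go program is an added example, not code from the Groove product or this guide, that models the PKI process described under “PKI Basics” and the exchange procedure above: a self-signed domain certificate signs member certificates, the SHA-1 thumbprint is the value administrators compare by phone in step 10, and a member of DomainA is recognized as certified by DomainB only once DomainA.cer has been imported into DomainB’s trust list. The function names, the use of ECDSA P-256 keys and the 24-hour validity are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Issue generates a key pair and a certificate for name (hypothetical helper). A nil issuer
// yields a self-signed domain certificate; otherwise the issuer's key signs a member certificate.
func Issue(name string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key
	if issuer == nil {
		tmpl.IsCA = true // only a domain certificate may sign member certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Thumbprint is the SHA-1 hash of the DER certificate, the fingerprint shown by the Windows Certificate Viewer.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Certified reports whether a contact's certificate chains to a trusted domain certificate
// (the local domain plus every imported foreign domain certificate).
func Certified(trusted []*x509.Certificate, contact *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := contact.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	domA, keyA, _ := Issue("DomainA", nil, nil) // DomainA.cer plus the domain private key
	domB, _, _ := Issue("DomainB", nil, nil)    // DomainB.cer as received from the remote administrator
	jdow, _, _ := Issue("JDow", domA, keyA)     // a managed member of DomainA
	fmt.Println("DomainA thumbprint to report by phone:", Thumbprint(domA))
	fmt.Println("DomainB trusts JDow before importing DomainA.cer:", Certified([]*x509.Certificate{domB}, jdow)) // false
	fmt.Println("DomainB trusts JDow after importing DomainA.cer:", Certified([]*x509.Certificate{domB, domA}, jdow)) // true
}
```

Tampering with a received certificate changes its thumbprint, which is why the out-of-band comparison in step 10 catches a substituted or altered DomainB.cer before it is imported.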
Viewing Cross-Certified Domains
To view a domain and its cross-certified domains, follow these steps:
1. Select the domain in the management server Web site navigation pane.
2. Select Domain Properties in the tool bar. Cross-certified domains are listed in the lower half of the page. Each entry includes the domain name, a description of the domain (as defined by the server administrator), and the date of certification.
Deleting Cross-Certified Domains
To delete a cross-certified domain and its certificates from the management server, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane and click the Domain Properties button. The domain Properties page appears with any cross-certified domains listed at the bottom.
2. In the Cross Domain Certification portion of the domain Properties page, click the Delete button for cross-certified domain(s) that you want to delete.
Changing Reset/Recovery Private Keys and Key Locations
The device template Domain Properties page lets you change password/smart card login private keys and key locations. Default key names include a key creation date to help distinguish keys on the management server.
To replace the private key for password/smart card login reset and data recovery, follow these steps:
1. Go to the management server administrative Web site and select a domain.
2. Select Domain Properties in the tool bar. The domain Properties page appears.
3. To move the reset/recovery private key from a specified file to a management server directory, in the domain Properties page, click the Store Key on Server button. A Store Key on Server pop-up window appears.
To move the private key from the management server to a specified directory and file, in the domain Properties page, click the Move Key to File button. A Save pop-up window appears where you specify a file location for the private key, then click OK.
4. From the Store Key on Server pop-up window, browse to the target file location on the management server (the default is C:), enter a private key password, and click OK.
To change the private key location from the management server to a specified file, enter a file location in the text box and click OK. This removes the key from the management server and places it in the specified location on your network.
5. To replace the private key, click the Change Key button. A new private key with a default name that includes the date will be added to the management server or specified file location.
6. If the key is stored on the management server and you want to change the private key password, click the Change Private Key Password button.
7. Click OK.
Make sure to keep labeled copies of reset/recovery private keys in a known secure location. You may need access to these old private keys (for example, if you need to recover client data but the client has an older version of the data recovery certificate).
Migrating Users to Another Domain
If you are changing from Groove Hosted Management Services to an onsite Enterprise Management Server, you must create a new domain group structure on your newly installed server. Once you have done this, you migrate your managed Groove users, group by group, to the newly defined management domain groups. The migration must be performed on each group and subgroup in order to preserve the policy templates, license sets, and relay server sets assigned to each group.
This section provides a basic migration procedure for use whenever you need to migrate users from one domain to another. Currently, this procedure must be performed manually and involves the Groove-hosted Web site, the onsite Enterprise Management Server, and the Groove client devices.
Before you begin, ask your management server administrator to create a new domain on the Enterprise Management Server so that you can have a destination domain for migrating your users.
To migrate users from one domain to another, follow these steps for each group and subgroup in the domain, starting with the smallest subgroup:
1. Log into the Enterprise Management Server administrative Web site and re-create the group hierarchy from your hosted management environment on your onsite management server. See “Adding Groups” in the Managing Users section of this guide, for information about creating domain groups.
2. Log into the Groove Hosted Management Server administrative Web site and, from the navigation pane, select a group in the domain from which you want to migrate users.
3. Configure two identity and device policies as follows in order to avoid disabling devices and identities during the domain transition:
• Select the appropriate identity policy template, click the Member Policies tab and uncheck the following policy (if it is selected): Identity may only be used on a managed device, then click OK.
• Select the appropriate device policy template, click the Account Policies tab and uncheck the following policy (if it is selected): Members can only use managed identities from this domain on devices in this domain, then click OK.
Note: Remember to allow time for clients to be updated with policy changes.
4. Export each group member list from the domain, as described in “Exporting Domain Members” in the Managing Users section of this guide.
5. Log into your Enterprise Management Server administrative Web site and select a group in the target management domain. (Your server administrator should have already created this domain.)
6. Select the appropriate identity and device templates and uncheck the two policies specified in step 3 (if these policies are checked).
7. Use the domain group member list to add the users to the new domain group on the management server, as described in “Adding Multiple Members from an .XML File” in the Managing Groove Users section of this guide.
8. From any device, log into the management server, select the new domain group, and download the EMS registry keys, as described in “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide. Apply these keys to the Windows registries of all the devices that you intend to manage in the new domain group.
9. Restart the client devices to update their Windows registries with the management server device information (and completely shut down Groove).
10. From the management server, send managed identity activation keys to each user that you are migrating to the new domain, as described in “Adding Multiple Members from an .XML File” in the Managing Groove Users section of this guide.
11. Launch Groove on each client device.
12. On each client device, click Help from the Groove Home page and select Activate Product.
13. Copy the 25-character activation key for each managed identity from the email into the activation key field.
14. Click Finish to activate Groove on the device.
15. If you wish, reset the device and identity policies that you turned off earlier in this procedure.
Adding, Editing and Deleting Email Templates
The management server administrative interface lets you send email to accompany the identity activation key that you send Groove users to give them domain membership. It also lets you send email to accompany the account backup file that you send users to restore an account. You can also create and save your own templates to use as the defaults for these email messages. The Email tab allows you to create and save email templates, edit email templates, or delete them.
The following sections explain how to accomplish the following email management tasks:
• Creating Management Server Email Templates
• Editing Management Server Email Templates
• Deleting Management Server Email Templates
Creating Management Server Email Templates
The domain Email tab lets server and domain administrators create templates for the email that the management server sends to users to activate their domain identity or to accompany a backed up account file. You also have the option of saving this email as a default template.
To create and save new management server email templates, follow these steps:
1. Go to the management server administrative Web site and select a management domain from the navigation pane.
2. Click the Email tab. The Manage Email page appears with a list of previously defined email templates.
3. Select Add Email in the tool bar. The Add Email window appears.
4. Fill in the fields as shown in the following table, then click OK. Only the Save Email As field is required to save this email; all fields are required to send:
Create Activation Key Email Fields
Values
Email Type Selec