ENow Exchange & Office 365 Solutions Engine Blog (ESE)

Using custom policies with Skype for Business Online

Posted by Vasil Michev MVP on Mar 7, 2017 12:54:51 PM

Another feature introduced at Ignite 2016 has now been released to the public, including the ability to create and modify Skype for Business Online Policies. Before diving into the details, here’s a short introduction of SfB policies and what they are used for.

What are policies and why do we care about them

Policies in Skype for Business and its cloud counterpart are sets of settings that control different capabilities. Depending on the type, policies can be applied to the entire organization, at the individual user level, and even based on the location of the user.

Client policies can be used to control client features such as using emoticons in instant messages, or event tracing and logging options. Conferencing policies govern settings for multi-party conferences, such as disabling file transfer or desktop sharing. The Mobility policy allows you to configure various settings related to the use of SfB on mobile devices. Other types of policies control external access and federation, telephony and more.

While policies are not directly exposed in the SfB Online Admin Center, and some Office 365 administrators might not even be aware of their existence, they still play a very important role. You can find a comprehensive overview of policies in SfB and detailed information in the relevant documentation on TechNet. 

The list of settings you can control via policies is huge. It’s what makes them so useful. In a multi-tenant software-as-a-service (SaaS) offering such as Office 365 however, certain restrictions apply. Until now, we had a set of pre-canned policies to choose from and limited customization options for the default tenant client policy. Let’s take a look.

Viewing policies via Skype for Business Online PowerShell

In SfB Online, policies can only be managed via PowerShell, and you’ll need the SkypeOnlineConnector wrapper module to establish a remote PowerShell session. An important note – the module still does not support modern authentication, so you need to use an admin account with MFA disabled.

Once you connect to SfB Online via PowerShell, you can work with the policy related cmdlets. Here’s a list of all the policies supported in Office 365 and the corresponding Get- cmdlet:

[Screenshot: custom-policies.png]

Using the Get-CsClientPolicy cmdlet will return all Client policies available in the tenant along with a lengthy list of all their settings.

To better illustrate the issues Office 365 administrators had to face previously when trying to work with SfB policies, let’s look at the following scenario:

The security folks at company X declare the screen sharing functionality a potential IP leak, and the admin is tasked with disabling it for all users except a few. As mentioned in the introduction, this setting can be controlled via the conferencing policy. Without being able to create new or modify existing conferencing policies, however, the only option for the admin was to filter the set of pre-canned policies and select one with the relevant setting pre-configured. To do so, the admin would use a cmdlet similar to this:

Get-CsConferencingPolicy -ApplicableTo user@domain.com  | ? {$_.EnableAppDesktopSharing -eq "None"} | ft Identity

If a matching policy was returned, the admin was in luck and he could apply it to the users. Unfortunately, doing so often meant blocking another feature as well. If we rerun the above example to include some more details, the following is revealed:

[Screenshot: custom-policies2.png]

While a set of four different policies that disable desktop sharing were returned, all of them also include the setting to disable file transfers. The security folks would probably commend the admin for blocking yet another potential risk by choosing one of the listed policies, but if the desired outcome was to only block screen sharing, the admin had no options available.

Due to the sheer number of controls covered by each type of policy, there’s no realistic way for Microsoft to provide a set of policies that covers each permutation (they have to account for the license type as well, which is what the -ApplicableTo parameter in the above example alludes to). Instead, after continuous feedback from numerous customers, Microsoft allowed for basic customization of the default tenant policies and finally, supported customizing the policies.

Managing Skype for Business Online Policies

Here’s the list of policies we can now modify and the list of cmdlets that can be used to create new policies:

[Screenshot: custom-policies3.png]

With those cmdlets at hand, solving the issue we discussed above is an easy task. All we need to do is create a new policy that has the EnableAppDesktopSharing parameter configured to None, and doesn’t change any of the other values: 

New-CsConferencingPolicy -Identity DisableDesktopSharing -EnableAppDesktopSharing None

A small warning here. Once a new, custom policy is created in the tenant, the default output for the Get- cmdlets changes and they will only return policies specific for the tenant. If you want to include the pre-canned policies as well, for example in order to compare their settings, you need to supply the -Include SubscriptionDefaults parameter:

[Screenshot: custom-policies4.png]

There we have it — a policy that blocks desktop sharing, while keeping the file transfer option enabled. The example we used above was very simplistic. In reality, you should make sure to give the policy a proper name, enter a meaningful description and check the values of all parameters. The latter is especially important for the case of Client policies, as most of their settings do not have default values. 

One might wonder why, instead of creating a new policy, we didn’t modify the existing one. The answer is again tied to the model Microsoft uses – the same set of pre-canned policies is available for all tenants. Thus, if one tries to modify such a policy, the following error message will notify them that the action is not allowed:

[Screenshot: custom-policies5.png]

On the other hand, modifying the Global policy is allowed. For example, the following cmdlet sets the EnableFileTransfer option in the Global policy:

Set-CsConferencingPolicy Global -EnableFileTransfer $false 

The downside with the Global policy is that it applies to all users in the tenant by default, so making changes to it is rarely justified. The freedom we get with the creation of new policies is much welcomed in this regard.

Speaking of which, simply creating a new policy is only part of the job. In order to make sure the settings you configured in the policy apply to the users they are intended for, you must assign it. This action is performed via the Grant- cmdlets, for example in the case of Conferencing policy one will use:

Get-CsOnlineUser "John Smith" | Grant-CsConferencingPolicy -PolicyName DisableDesktopSharing
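
A check for the rollout described above, as an added example that is not part of the original post: it resolves each user's effective conferencing policy (users with no assignment fall back to Global) and flags anyone who can still share the desktop. The function name Get-DesktopSharingExposure, the sample objects, the ConferencingPolicy property on user objects and the handling of a "Tag:" prefix on policy identities are assumptions made for illustration.

```powershell
# Added example. In a live session, replace the constructed sample data with:
#   $policies = Get-CsConferencingPolicy -Include SubscriptionDefaults
#   $users    = Get-CsOnlineUser
function Get-DesktopSharingExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [object[]] $Policies,
        [string[]] $Exempt = @()   # users allowed to keep desktop sharing
    )
    # Index policies by name. Assumption: per-user policies are returned with
    # a "Tag:" prefix on Identity, while users reference them without it.
    $byName = @{}
    foreach ($p in $Policies) { $byName[([string]$p.Identity -replace '^Tag:', '')] = $p }
    foreach ($u in $Users) {
        # A user with no explicit assignment falls back to the Global policy.
        $name = [string]$u.ConferencingPolicy
        if ([string]::IsNullOrEmpty($name)) { $name = 'Global' }
        $policy = $byName[$name]
        $sharing = 'Unknown'; $fileTransfer = $null
        if ($policy) {
            $sharing      = [string]$policy.EnableAppDesktopSharing
            $fileTransfer = $policy.EnableFileTransfer
        }
        if ($sharing -eq 'None')                        { $finding = 'OK' }
        elseif ($Exempt -contains $u.UserPrincipalName) { $finding = 'Exempt' }
        else                                            { $finding = 'Exposed' }  # includes unresolved policies

        [pscustomobject]@{
            User           = $u.UserPrincipalName
            Policy         = $name
            DesktopSharing = $sharing
            FileTransfer   = $fileTransfer
            Finding        = $finding
        }
    }
}

# Constructed sample data (not real tenant output).
$policies = @(
    [pscustomobject]@{ Identity = 'Global'; EnableAppDesktopSharing = 'Desktop'; EnableFileTransfer = $true }
    [pscustomobject]@{ Identity = 'Tag:DisableDesktopSharing'; EnableAppDesktopSharing = 'None'; EnableFileTransfer = $true }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'john.smith@example.com'; ConferencingPolicy = 'DisableDesktopSharing' }
    [pscustomobject]@{ UserPrincipalName = 'presenter@example.com';  ConferencingPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'new.hire@example.com';   ConferencingPolicy = $null }
)
Get-DesktopSharingExposure -Users $users -Policies $policies -Exempt 'presenter@example.com' |
    Format-Table -AutoSize
```

With the sample data, the unassigned new.hire account is reported as Exposed because it inherits Global, which is the gap to watch for when the restriction is delivered through a per-user policy.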

Additional examples

So far we’ve only looked at the conferencing policy, but the steps used above apply to the other types of policies that can be managed in SfB Online. Client policies can be used to configure various restrictions for the SfB client, which apply across all modalities and locations the user logs in from. For example, you can force all messages to be sent and received in plain text via:

New-CsClientPolicy -Identity PlainTextMessages -DisableHtmlIm $true -DisableRTFIM $true

Grant-CsClientPolicy -Identity "John Smith" -PolicyName PlainTextMessages

The list of parameters we can control for the Client policy is documented here. As you might notice by comparing the documentation with the list of parameters returned by Get-CsClientPolicy, not all of them can be configured in SfB Online.

Another type of policy that might be of interest is the Mobility policy, which controls various functionalities for the SfB apps on mobile devices. For example, you might want to limit access to the mobile app to specific users only, or prevent users from saving their login information on mobile devices.

Here are the cmdlets you can use for such policies:

New-CsMobilityPolicy -Identity DisableMobileApp -EnableMobility $false

New-CsMobilityPolicy -Identity DisableCredentials -AllowSaveCredentials $false

You can find the full list of supported parameters here.

As you can see from the above examples, policies are easy to work with and provide you with a toolkit that allows you to meet almost every demand. For situations where you have more policies than you can handle, you can also use the Remove- cmdlets for a proper clean up!

Summary

This post covers the newly introduced Skype for Business Online cmdlets that govern the creation and modification of some of the most used policy types. This is a much-anticipated addition, as the limited policy choices we had in the past proved problematic for some organizations looking to move to the cloud. With the latest improvements, SfB Online is a lot closer to its on-premises sibling in terms of customizations possible. Support for additional policy types should be coming in the following weeks.

Topics: Skype for business
