The following table describes Groove client policy settings. These policies control the conditions under which Groove users can or cannot install Groove components on their devices. (Groove components are features or tools developed by Groove Networks or a third party for use in the Groove virtual office application.) The default settings for these policies are generally open, allowing component installs wherever possible. Consider whether you want to edit these settings to make them more restrictive.
Device Account
Specifies that domain group members cannot create additional Groove accounts on their managed devices, once the managed account is created.
Default: unchecked
Members cannot import accounts
Specifies that domain group members cannot import Groove accounts to their managed devices.
Default: unchecked
Members can only use managed identities from this domain on devices in this domain
Specifies that domain group members can only use managed identities in this domain group on managed devices in this domain.
Checking this box disables any previously existing unmanaged identities that a user may have created on the managed device. It also prevents the user from using any identities managed by other domains.
Note: Do not check this box if you want to allow users to convert an existing identity to a managed identity. Once your users have converted any previous identities that they wish to convert, you can reinstate this policy.
Specifies whether managed users can install Groove components on their managed devices.
Selecting this policy prevents domain members from installing any components. It also blocks automatic component updates or installations.
Leaving this policy unchecked instructs Groove to prompt users with a download choice before installing components.
You can qualify this overall policy with a custom policy, as described later in this chapter.
Default: unchecked
Deny installation of self-signed components
Specifies whether managed users can install Groove components signed with a self-signed certificate on their managed devices.
Selecting this policy prevents domain members from installing self-signed components.
Leaving this policy unchecked allows domain members to install self-signed components.
Default: unchecked
Prevent Groove from searching for new components
Specifies for managed users whether Groove can proactively search for and potentially install updated versions of Groove components on users’ managed devices.
Developers of Groove components sometimes enable their components to search for updated versions. These updates are not required by the Groove virtual office software.
Selecting this policy prevents Groove from searching for and potentially installing updated Groove components.
Leaving this policy unchecked allows Groove to search for updated component versions.
Note: This policy does not block other types of component updates or installs (such as those that may be associated with Groove workspace acceptance). Use other component installation policies to control these types of updates or installs.
Default: unchecked
Advanced Install Policies
Displays a window that lets you specify where Groove components can come from (anywhere or a specified server), and create custom policies.
Install components from
Specifies that managed users can install Groove components from any source or from a named server, as follows:
• Anywhere - Select this item to specify that users can install components from any server.
• The HTTP server ___ - Enter the TCP/IP address or server name of a specific HTTP server. For example: http://servername.
• The UNC file server ___ - Enter the full path name of the component directory on a specific Universal Network Connection (UNC) server, using the format \\servername\directory1\...directoryN.
Note: If a Groove Component Server is installed at your site, make sure to specify its HTTP server address or UNC network location or UNC component directory location here.
Default: Anywhere
Add Policy
This button displays a pop-up window that allows you to further customize component install policies for specific component versions.
For information about customizing component installation policies, see “Customizing Component Install Policies” above.
Device Client Policy Settings
Descriptions
Custom policies
Displays custom policies that you created using the Add Install Policy key. Clicking an item in the policy list lets you edit it. The Define Custom Install Policy page appears, with additional install policy fields that you can fill in to qualify the overall policy.
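Restricting installs to a named HTTP server or UNC directory only helps if a component's location is matched against the parsed server name and path, not against a text prefix. The following Python sketch is an added example, not Groove code or part of the original guide; the function names, the policy tuples and the sample locations are assumptions made for illustration.

```python
# Added illustration of the "Install components from" choices; not Groove code.
from urllib.parse import urlsplit


def unc_parts(path):
    # Split \\server\dir1\...\dirN into lowercased segments (Windows names
    # are case-insensitive). Paths containing "." or ".." are rejected.
    if not path.startswith("\\\\"):
        return None
    parts = [p.lower() for p in path[2:].split("\\") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None
    return parts


def source_allowed(policy, location):
    # policy is ("anywhere", None), ("http", "http://servername") or
    # ("unc", r"\\servername\directory1"); location is where a component
    # would be fetched from. Unknown or malformed input is denied.
    kind, allowed = policy
    if kind == "anywhere":
        return True
    if kind == "http":
        try:
            want, got = urlsplit(allowed), urlsplit(location)
            same_port = want.port == got.port
        except ValueError:  # malformed host or port
            return False
        # Compare parsed scheme and host, never a string prefix:
        # "http://servername.example.net" starts with "http://servername".
        return (got.scheme == want.scheme and got.hostname is not None
                and got.hostname == want.hostname and same_port)
    if kind == "unc":
        want, got = unc_parts(allowed), unc_parts(location)
        if not want or not got:
            return False
        # Segment-wise match: \\servername\directory10 is not inside
        # \\servername\directory1.
        return got[:len(want)] == want
    return False
```

With the default of Anywhere every location passes, so the checks above only take effect once a specific server or directory is configured.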
Bandwidth Policies
Limit bandwidth to
Limits the network bandwidth allowed for Groove usage on each device in a management domain to the specified value.
A blank value indicates no specified bandwidth limit, equivalent to disabling the Device Settings Policy.
Accept the blank text box to support default Groove bandwidth usage for devices in a domain. Specifying a limit for network bandwidth allowed per Groove device in a domain often dramatically slows delivery of large messages.
Do not enter a value in the text box (and enable the device settings policy) unless you are confident that your network requirements demand such a trade-off.
Note: Enable this policy and specify a bandwidth value only if you understand the implications for Groove operation. See “Limiting Groove Bandwidth Usage for Devices” below for more detailed information about this policy.
If you entered a bandwidth value, select one of the following units from the drop-down menu:
megabits/second - Sets bandwidth limit units to megabits per second. Allowable value: whole number from 1 to 100.
kilobits/second - Sets bandwidth limit units to kilobits per second. Allowable values: whole number from 5 to 100,000.
bits/second - Sets bandwidth limit units to bits per second. Allowable value: whole number from 4800 to 100,000,000.
percentage of bandwidth - Sets bandwidth limit to a percentage of the maximum bandwidth capacity of the Groove client communications device(s) currently in use.
Note that this percentage is applied regardless of a device’s bandwidth capacity. For example, a bandwidth limit of 50% will be applied to a dial-up modem with a maximum connection speed of 56 Kb/second, as well as to an Internet connection with a maximum of 10 Mb/second.
Therefore, the actual bandwidth available to a given client device, when defined as a percentage, varies depending on the communications device in use. This may lead to noticeably low connection speeds in a dial-up setting.
Allowable value: whole number from 1 to 99.
Default: blank value
Security Policies
The following table describes Groove device Security policy settings:
Device Security Policy Settings
Descriptions
Login Method
Members will use passwords to login to Groove
Specifies that domain members must use passwords to log in to Groove.
Members will use smart cards to login to Groove
Specifies that domain members must use smart cards to log in to Groove.
Password Policies (if passwords are the chosen Groove login method)
Password must contain at least __ characters
Specifies that Groove passwords on managed devices in the domain/group must contain at least the specified number of characters.
Default: 4
Users cannot repeat last ___ passwords
Specifies that, when changing a Groove password, managed users cannot re-use any of the specified number of previous passwords on their managed devices. For example, if you enter 3 in the text box of this field, users cannot use any of the last 3 phrases when updating a password. Leaving the text box empty specifies that users can repeat passwords.
Default: blank
Password expires every ___ days
Specifies the number of days for which a Groove password is valid, at which time Groove requires users to change their password.
Prevent password memorization on device
Specifies that users may not choose to let their managed devices memorize passwords after initial password entry.
Users must enter their password each time they log in to Groove.
Default: unchecked
Password must contain at least one alpha (a, b, c...) character.
Specifies that Groove passwords on managed devices must contain at least one alphabetic character.
Default: unchecked
Password must contain at least one numeric (1, 2, 3...) character.
Specifies that Groove passwords on managed devices must contain at least one numeric character.
Default: unchecked
Password must contain mixed-case (aBc...) characters.
Specifies that Groove passwords on managed devices must be mixed-case.
Password must contain at least one punctuation (!, ?, $...) symbol.
Specifies that Groove passwords on managed devices must contain at least one punctuation symbol.
Default: unchecked
Edit Reset Settings (Groove 3.0e or earlier)
Lets you edit one of the following reset options for pre-3.0f versions of Groove:
• Disable password reset and data recovery. - Prevents reset of managed user passwords or recovery of member data on managed devices.
• Enable password reset and data recovery. - Allows reset of managed user passwords and recovery of workspace data on managed devices.
• Enable data recovery without password reset. - Allows recovery of managed users’ workspace data on managed devices but prohibits reset of user passwords.
For information about reset options for Groove version 3.0f or later, see “Security Policies” in the Managing Identity Policies section of this guide.
Default: Disable password reset and data recovery.
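The password policies above combine into a single acceptance test for a new password. The following Python sketch is an added example, not Groove code or part of the original guide; the class and function names are assumptions, as is keeping old passwords as salted PBKDF2 digests so that the history rule can be checked without storing them in clear text.

```python
# Added illustration of the password policy settings; not Groove code.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 4            # default stated on this page
    history: int = 0               # 0 models the blank default: repeats allowed
    need_alpha: bool = False
    need_numeric: bool = False
    need_mixed_case: bool = False
    need_punctuation: bool = False


def remember(password, salt=None):
    # Assumption: old passwords are kept only as salted PBKDF2 digests.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def violations(policy, candidate, previous=()):
    # previous: (salt, digest) pairs from remember(), oldest first.
    checks = [
        ("length", True, len(candidate) >= policy.min_length),
        ("alpha", policy.need_alpha, any(c.isalpha() for c in candidate)),
        ("numeric", policy.need_numeric, any(c.isdigit() for c in candidate)),
        ("mixed-case", policy.need_mixed_case,
         any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)),
        ("punctuation", policy.need_punctuation,
         any(c in string.punctuation for c in candidate)),
    ]
    failed = [name for name, enabled, ok in checks if enabled and not ok]
    # Only the last `history` passwords count, as in the "last 3" example.
    recent = list(previous)[-policy.history:] if policy.history > 0 else []
    if any(hmac.compare_digest(remember(candidate, salt)[1], digest)
           for salt, digest in recent):
        failed.append("history")
    return failed
```

Under the default policy a four-letter lowercase password returns no violations, which is worth keeping in mind when deciding which boxes to check.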
Smart Card Login Policies (if smart cards are the chosen Groove login method)
Limit members’ smart card login certificate choices to certificates signed by the following CAs:
Lets you limit smart card login certificate choices to those signed by specific Certification Authorities (CAs) in an enterprise PKI environment.
Select Add CA Certificate in the tool bar to add allowed CA certificates to the current management server domain.
Select certificates from the Certificates drop-down menu to add them to the current device policy template.
You can click the Delete Certificate button next to any CA certificate that you want to delete from the management server list.
Specified certificate names and associated issuers appear in the certificate list. With this policy in effect, managed users may only use those certificates whose chain contains one of these CAs for Smart Card Login.
Consider a smart card login invalid if revocation status has not been updated in __ days
Specifies the number of days that may pass before a certificate is considered invalid because its updated revocation status has been unavailable (for example, when a managed user is offline for an extended period).
Selecting this policy enables certificate revocation checking.
Leaving the box unchecked disables the policy.
Default: Unchecked (disabled)
Edit Reset Settings (Groove 3.0e or earlier)
Lets you edit one of the following reset options for pre-3.0f versions of Groove:
• Disable smart card login reset and data recovery. - Prevents reset of managed user smart card logins or recovery of member data on managed devices.
• Enable smart card login reset and data recovery. - Allows reset of smart card logins and recovery of workspace data on managed devices.
• Enable data recovery without smart card login reset. - Allows recovery of managed users’ workspace data on managed devices but prohibits reset of smart card logins.
For information about reset options for Groove version 3.0f or later, see “Security Policies” in the Managing Identity Policies section of this guide.
Default: Disable password reset and data recovery.
Customize Smart Card Login Reset Instructions
Available only if you have already downloaded a data recovery certificate, as described above. Displays a window that lets you edit the smart card login reset instructions that managed Groove users receive in response to a smart card login reset request.
For information about customizing reset instructions, see “Customizing Reset Instructions for Managed Devices” above.
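The CA restriction and the revocation-status age limit described under Smart Card Login Policies can be read as one decision made at login time. The following Python sketch is an added example, not Groove code or part of the original guide; the function name, the fingerprint strings and the handling of a status dated in the future are assumptions made for illustration.

```python
# Added illustration of the smart card login policies; not Groove code.
from datetime import datetime, timedelta, timezone


def smart_card_login_ok(chain, allowed_cas, revocation_updated,
                        max_stale_days, now=None):
    # chain: certificate fingerprints, login certificate first, root last.
    # allowed_cas: CA fingerprints in the policy template; an empty set
    #   models the CA restriction not being configured.
    # revocation_updated: aware datetime of the last revocation status
    #   update, or None if no status was ever obtained.
    # max_stale_days: the policy's day count, or None when the box is
    #   unchecked (revocation checking disabled, the page default).
    now = now or datetime.now(timezone.utc)
    # The login certificate itself is skipped: the match must be on a CA
    # in its chain (assumption about how "chain contains" is read).
    if allowed_cas and not set(allowed_cas) & set(chain[1:]):
        return False, "no allowed CA in chain"
    if max_stale_days is None:
        return True, "ok (revocation not checked)"
    if revocation_updated is None:
        return False, "revocation status never obtained"
    age = now - revocation_updated
    if age < timedelta(0):
        # Assumption: a status dated in the future is treated as untrusted,
        # since a rolled-back device clock would make stale data look fresh.
        return False, "revocation status dated in the future"
    if age > timedelta(days=max_stale_days):
        return False, "revocation status stale"
    return True, "ok"
```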
Account Lockout Policies
Threshold: __ Invalid login attempts
Specifies the maximum number of unsuccessful Groove login attempts permissible on managed devices.
Default: 20
Maximum duration: __ [units]
Specifies the maximum amount of time that Groove will take to process login credentials after repeated unsuccessful login attempts on managed devices. Enter a non-zero value in the text field and select units from the drop-down menu.
Default: 5 minutes
After threshold is reached:
Specifies one of the following Groove account lockout options when the specified repeat login limit is reached on managed devices:
• Allow login attempts but repeat maximum duration forever. - Allows users to continue Groove login attempts with the maximum specified ‘wait’ before Groove accepts or denies the entry.
• Do not allow any more login attempts (requires the password or smart card login reset identity policy to unlock). - Prohibits any more Groove login attempts, whether or not the login is valid. The user must request a password or smart card login reset from the administrator in order to access Groove.
Default: Allow login attempts but repeat maximum duration forever.
Strong Private Key Protection