Connect 2014: ID112: Domino Policies: Deep Dive and Best Practices


Upload: mark-skurla

Post on 16-Apr-2017


ID112: Domino Policies: Deep Dive and Best Practices

Mark A. Skurla, IBM, Advisory Software Engineer, Domino Administration Team, [email protected]: DomPolicy

Please Note

IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Welcome!

My background: IBMer since 1995, Domino/Notes since 1997 (R5), Policy Area Owner since 8.5

Full disclosure: this session is about policies, not policy settings! (~1,000) For a good discussion on that, see:

http://blog.darrenduke.net/darren/ddbz.nsf/dx/my-show102-using-ibm-lotus-domino-8.5-policies-to-manage-your-clients.htm

Why this session? Policies are like a Swiss army knife: very useful, but confusing

Wanted a session on policies themselves instead of the settings

Agenda

Deep Dive
  Architecture
  Flow
  Precedence vs. scope
  How To Apply Controls

Best Practices

Using Policies with the Cloud

Q & A


Deep Dive

Deep Dive
Architecture

[Architecture diagram. Standard Client: Java (notes2), dynconfig, C\C++ (nlnotes), Personal NAB, Managed Settings. Domino Server: Server thread, Adminp, Policy Engine, Policy cache, Directory, Mail File, Policy Synopsis (polcysyn.nsf). Admin Client.]

Deep Dive
Client side policy flow

[Diagram: the client and server components of the architecture slide, with the flow steps below overlaid]

Read dyninfo from directoryprofile - in the PNAB

Access home mail server

During authentication, policies are examined for updates

Policy information fetched from Directory

If change is detected, dynconfig update flag is returned

Store returned dynconfig info in PNAB in directoryprofile -

Launch dynconfig and pass in the flags

Fetch policy types list from $PolicyProfile - in PNAB

For each policy type, request the effective policy for that type for the server.

If not in policy cache, calculate effective policy using info from Directory. Store in cache.

Return effective policy to client

Store policy in $Policies in PNAB

After all policies are processed, notify Java side of the client.

Fetch Policy and How To Apply information from policyhta - in PNAB

HTA applied, store settings as managed settings (Eclipse feature)

Deep Dive
Server side policy flow

[Diagram: the Domino Server components of the architecture slide (Server thread, Adminp, Policy Engine, Policy cache, Directory, Mail File)]

Every 12 hours, adminp calculates the effective mail policy for the local mail users and stores it in the Calendar profile in the mail file.

  Use ADMINP_POLL_INTERVAL to override (in minutes)

  Tell adminp process mail

Deep Dive

[Diagram: the client and server components of the architecture slide]

When you access mail Preferences, it comes from the calendar profile. Not the $Policies in PNAB.

Deep Dive
Location, location!

The client gets the home server from the Location document:

The server gets it from the Person document:

They may be different!

Deep Dive
Location, location!

Switching domains via Location document switches policies!

Value for MailServer in Location MUST be canonical:

Deep Dive
Precedence vs. Scope

Three policy types: Organizational, Dynamic, Explicit

[Diagram: precedence increases from Organizational to Dynamic to Explicit; scope increases in the opposite direction]

Use the policy type that matches your scope!

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policy-precedence-explained

Deep Dive
Precedence vs. Scope

Where's Dynamic?!

Dynamic = Explicit policy with entries in the Policy Assignment tab

Explicit = Explicit policy with no entries in the Policy Assignment tab

You could use the same policy as both!

Deep Dive
Precedence vs. Scope

Common policy pattern:

Organizational policy has company wide setting: e.g. Password expiration

Individual features enabled via Dynamic policy: e.g. ID Vault, Managed Replica

Exceptions to feature deployment via Explicit policy: No ID Vault

Deep Dive
Precedence vs. Scope

Enforce overrides precedence: the value will be used

Inheritance complements precedence: the value will be used if there is no value in the parent, otherwise the parent's value will be used

Deep Dive
How To Apply controls

Don't Set: does NOT mean use a default, it means the setting does not exist for this policy

Explicitly set any setting you don't intend to use to Don't Set.

Set Initial: best used for initial deployments

Old Setup policy = Desktop policy with Set Initial for all values

Set Whenever Modified: most commonly used

Set and Prevent Changes: use to lock down user-modifiable settings

Deep Dive
How To Apply controls

'Admin only' settings only have Don't Set Value.

Set Initial, Set Whenever modified, and Set and Prevent Changes are only available when there is a user interface to change them
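As an added example (not from the deck and not the Domino policy engine), a small Python model of the rules on the last few slides: policy type precedence, the Organizational parent/child hierarchy, Enforce and Inherit, and what each How To Apply control does on the client. The policy names, setting names and values are constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Apply(Enum):
    """The How To Apply controls."""
    DONT_SET = "Don't Set"                               # setting does not exist in this policy
    SET_INITIAL = "Set Initial"                          # applied only if the user has no value yet
    SET_WHENEVER_MODIFIED = "Set Whenever Modified"      # re-applied whenever the policy changes
    SET_AND_PREVENT_CHANGES = "Set and Prevent Changes"  # applied and locked against user edits


@dataclass
class Setting:
    value: object = None
    how: Apply = Apply.DONT_SET
    enforce: bool = False   # higher-precedence (child) policies may not override this value
    inherit: bool = False   # use the parent's value when the parent supplies one


@dataclass
class Policy:
    name: str
    kind: str               # "Organizational", "Dynamic" or "Explicit"
    settings: Dict[str, Setting] = field(default_factory=dict)


# Increasing precedence: Organizational < Dynamic < Explicit (scope shrinks the same way).
PRECEDENCE = {"Organizational": 0, "Dynamic": 1, "Explicit": 2}


def order_policies(policies: List[Policy]) -> List[Policy]:
    """Lowest precedence first. Organizational parents (*/IBM) come before their
    children (*/Sales/IBM); the depth of the hierarchical name orders them."""
    def key(p: Policy):
        depth = p.name.count("/") if p.kind == "Organizational" else 0
        return (PRECEDENCE[p.kind], depth)
    return sorted(policies, key=key)


def effective_policy(policies: List[Policy]) -> Dict[str, Tuple[object, Apply, str]]:
    """Merge policies into {setting: (value, how_to_apply, winning policy name)}."""
    effective: Dict[str, Tuple[object, Apply, str]] = {}
    enforced: Set[str] = set()
    for pol in order_policies(policies):
        for name, s in pol.settings.items():
            if s.how is Apply.DONT_SET:
                continue                    # Don't Set is "absent", not "use a default"
            if name in enforced:
                continue                    # Enforce overrides precedence
            if s.inherit and name in effective:
                continue                    # Inherit: the parent's value wins when it has one
            effective[name] = (s.value, s.how, pol.name)
            if s.enforce:
                enforced.add(name)
    return effective


def apply_to_client(local: Dict[str, object], locked: Set[str],
                    effective: Dict[str, Tuple[object, Apply, str]]) -> Tuple[Dict[str, object], Set[str]]:
    """Apply the effective policy to a client's current settings; returns (settings, locked keys)."""
    local, locked = dict(local), set(locked)
    for name, (value, how, _) in effective.items():
        if how is Apply.SET_INITIAL:
            if name not in local:           # the "Set Initial trap": an existing value is never touched
                local[name] = value
        elif how is Apply.SET_WHENEVER_MODIFIED:
            local[name] = value
            locked.discard(name)
        elif how is Apply.SET_AND_PREVENT_CHANGES:
            local[name] = value
            locked.add(name)
    return local, locked


def demo_policies() -> List[Policy]:
    """The common pattern from the deck, with constructed setting names and values."""
    company = Policy("*/IBM", "Organizational", {
        "PasswordExpirationDays": Setting(90, Apply.SET_WHENEVER_MODIFIED, enforce=True),
        "PortEncryption": Setting("on", Apply.SET_AND_PREVENT_CHANGES),
        "IDVault": Setting(how=Apply.DONT_SET),
    })
    sales = Policy("*/Sales/IBM", "Organizational", {
        "PasswordExpirationDays": Setting(60, Apply.SET_WHENEVER_MODIFIED, inherit=True),
        "HomeURL": Setting("https://intranet.example/sales", Apply.SET_INITIAL, inherit=True),
    })
    rollout = Policy("IDVaultRollout", "Dynamic", {
        "IDVault": Setting(True, Apply.SET_WHENEVER_MODIFIED),
        "ManagedReplica": Setting(True, Apply.SET_INITIAL),
    })
    exception = Policy("NoIDVault", "Explicit", {
        "IDVault": Setting(False, Apply.SET_WHENEVER_MODIFIED),
        "PasswordExpirationDays": Setting(365, Apply.SET_WHENEVER_MODIFIED),
    })
    return [company, sales, rollout, exception]


if __name__ == "__main__":
    eff = effective_policy(demo_policies())
    for name, (value, how, winner) in sorted(eff.items()):
        print(f"{name:24} = {value!r:8} [{how.value}] from {winner}")
    before = {"ManagedReplica": False}      # the user switched the replica off earlier
    after, locked = apply_to_client(before, set(), eff)
    print("client settings:", after, "locked:", locked)
```

Running it shows the Explicit exception winning IDVault, the enforced company password expiration surviving the Explicit policy's 365, the Sales child inheriting rather than overriding, and ManagedReplica staying False on the client because Set Initial never touches a value the user already has.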


Best Practices

Best Practices

Is there a published set of best practices? This is it!

Use the least amount of policies to implement your needs: unnecessary policies increase your TCO

Don't create one at every level in a hierarchy

Use precedence and Inherit/Enforce controls to reduce number of policies

Re-use settings documents across policies

Modify policies on the administration server of the domain

Best Practices

Use Autopopulated groups added in Domino 8.5

Use autopopulated groups to construct a Domain group hierarchy: one autopopulated group per mail server, e.g. U2HomeServer

Group for cluster contains the mail server autopopulated groups: e.g. JoshuaTreeHomeServers = U2HomeServer, etc.

One group contains all the clusters in the domain: e.g. IrisDomainHomeServer = JoshuaTreeHomeServers, etc.

Now you can e-mail users at any level or use in Policies

Best Practices

[Diagram, increasing scope left to right: U2HomeServer (mail server), JoshuaTreeHomeServers (cluster), IrisDomainHomeServers (collection of clusters)]

Best Practices

Best Practices

How is the previous setup helpful?

Example 1: New employee is onboarded, registered with a given home mail server. Employee is added to the autopopulated group for that server and gets its policies.

No further actions for the admin!

Example 2: Existing employee takes an international assignment; the company has different policies for regional mail servers. Admin uses mail file move to change the user's home mail server.

Employee is removed from the original home server's autopopulated group and added to the new server's group

Employee automatically gets the new policies

No further actions for the admin!
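As an added example (not from the deck), a Python model of the group hierarchy just described: autopopulated groups rebuilt from each Person document's home server, cluster and domain groups nesting them, and Dynamic policies assigned to the groups, so that a mail file move is the only change the admin makes. The server, group, policy and person names are constructed and do not come from a real directory.

```python
from typing import Dict, List, Optional, Set

# Autopopulated group per mail server: canonical home server -> group name (constructed).
SERVER_GROUP: Dict[str, str] = {
    "CN=U2/O=Iris": "U2HomeServer",
    "CN=Coldplay/O=Iris": "ColdplayHomeServer",
    "CN=Berlin/O=Iris": "BerlinHomeServer",
}
# Manually maintained nesting: cluster groups and the domain-wide group.
STATIC_GROUPS: Dict[str, Set[str]] = {
    "JoshuaTreeHomeServers": {"U2HomeServer", "ColdplayHomeServer"},
    "EuropeHomeServers": {"BerlinHomeServer"},
    "IrisDomainHomeServers": {"JoshuaTreeHomeServers", "EuropeHomeServers"},
}
# Dynamic policy name -> groups listed on its Policy Assignment tab.
POLICY_ASSIGNMENTS: Dict[str, Set[str]] = {
    "Iris domain baseline": {"IrisDomainHomeServers"},
    "JoshuaTree cluster": {"JoshuaTreeHomeServers"},
    "Europe region": {"EuropeHomeServers"},
}


def autopopulate(people: Dict[str, str]) -> Dict[str, Set[str]]:
    """Rebuild the per-server groups from the MailServer value of each Person document."""
    groups: Dict[str, Set[str]] = {g: set() for g in SERVER_GROUP.values()}
    for person, home in people.items():
        if home not in SERVER_GROUP:
            raise ValueError(f"{person}: home server {home!r} has no autopopulated group")
        groups[SERVER_GROUP[home]].add(person)
    return groups


def all_groups(people: Dict[str, str]) -> Dict[str, Set[str]]:
    """Autopopulated groups plus the static cluster/domain nesting."""
    groups = autopopulate(people)
    groups.update({g: set(m) for g, m in STATIC_GROUPS.items()})
    return groups


def expand(group: str, groups: Dict[str, Set[str]], seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten nested groups down to people, guarding against membership cycles."""
    seen = set() if seen is None else seen
    people: Set[str] = set()
    for member in groups.get(group, set()):
        if member in groups:            # a nested group
            if member not in seen:
                seen.add(member)
                people |= expand(member, groups, seen)
        else:                           # a person
            people.add(member)
    return people


def policies_for(person: str, people: Dict[str, str]) -> List[str]:
    """Dynamic policies whose assignment groups, once expanded, contain the person."""
    groups = all_groups(people)
    return sorted(policy for policy, assigned in POLICY_ASSIGNMENTS.items()
                  if any(person in expand(g, groups) for g in assigned))


def move_mail_file(people: Dict[str, str], person: str, new_home: str) -> Dict[str, str]:
    """The admin's only action: the mail file move updates the Person document's home server."""
    updated = dict(people)
    updated[person] = new_home
    return updated


if __name__ == "__main__":
    directory = {"CN=Ann Lee/O=Iris": "CN=U2/O=Iris",
                 "CN=Bob Ray/O=Iris": "CN=Coldplay/O=Iris"}
    ann = "CN=Ann Lee/O=Iris"
    print("before move:", policies_for(ann, directory))
    directory = move_mail_file(directory, ann, "CN=Berlin/O=Iris")
    print("after move: ", policies_for(ann, directory))
```

Before the move Ann gets the domain baseline and the JoshuaTree cluster policy; after her mail file moves to Berlin she gets the domain baseline and the Europe policy, with no group or policy document edited by hand.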

Best Practices

Use the Protected Group feature for critical groups: Actions->Edit Directory Profile

Best Practices

Use dynamic policies with groups, not people! Specifying lots of individual people reduces performance and increases TCO

Examine the hidden view $PoliciesByGroup to locate bad policies

Best Practices

Use the Policy Synopsis tool: can be used to debug problems, start with the user's home mail server

Can also be used to verify new policies before going into production

Launched from Admin client's People and Group or Configuration tabs

Must re-link policies when copying them: useful when trying out changes to production in a test environment

Needed when submitting Directory to support for PMRs

Watch out for the 'Set Initial' trap! Use only for setup situations.

Best Practices

When removing a policy: policies are a push model, don't just remove!

First change settings to 'default' values and let them deploy

'Disable' the policy instead of removing it: for Explicit policies, clear the Policy Assignment tab.

For Organizational policies, modify the fullname.

Allows for quick restoration in case of problem

Consider using your administrators group as a pilot group for policies

Best Practices

Consider a special ID to sign all policies. Pro: prevents 'Policy has been modified since signed' when an admin leaves the company!

Con: Can no longer tell who last modified the policy

Cloud: Signs with server ID, uses a tool to re-sign admin-modified policies

How to tell who signed the policy? The Signed By column in the view is NOT the way to go; it's the $UpdatedBy value:

Best Practices

Open policy and look for the Signature or Encryption icon:

In policy view, use Actions Resign Policy to do just that

Best Practices

Use machine specific policies for special situations: laptop vs desktop, Citrix

Adding new ones: http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21474598

Troubleshooting: http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21501673

Client only

Best Practices

Exemption Policy: should only be needed rarely

Like an Enforce for a policy, restarts the precedence tree from this policy down

Best Practices

To force a policy update from the server: for a user, just Edit/Save their Person document

For a whole server: restart the server

Load updall names.nsf -T $Policies -R

Go to the Policies view and enter: CONTROL-SHIFT

Works because policy view timestamp is part of policy update trigger

Best Practices

To force a policy update from the client: since 8.5, just clearing the $Policies view in the PNAB doesn't do it!

Run dynconfig manually from the executable directory: ndyncfg.exe 20

Best Practices

To force a policy update from the client via a mailed LotusScript button (cont.): clear the client-side cached info via LotusScript:

    Sub Click(Source As Button)
        Dim db As NotesDatabase
        Dim doc As NotesDocument
        Dim s As New NotesSession
        ' Open the local Personal Address Book (names.nsf on the client)
        Set db = New NotesDatabase("", "names.nsf")
        ' The directoryprofile profile document holds the cached dynconfig info
        Set doc = db.GetProfileDocument("directoryprofile", s.UserName)
        ' Removing the profile document deletes the cache; there is nothing left to save
        Call doc.Remove(True)
        Messagebox "Cleanup Complete Restart Client", 48, "DONE!!"
    End Sub


Smart Cloud Notes

Smart Cloud Notes

The service creates an Organizational policy for each customer. It contains pre-set settings needed for the service to operate

These settings will override any customer policy settings

Only Dynamic policies are supported, no Organizational or Explicit policies (assigned in Person documents)

To simulate Organizational policies, use wildcards, e.g. */IBM, in the Dynamic policy Assignment field

Use groups, only use individual user names when necessary. Don't use the following: LLNServers, LLNMailHubs, _* or SAAS*

Must be unique across directories

Archiving, Registration, Roaming, Traveler types are not supported

Smart Cloud Notes

Desktop, Mail, and Security are supported with restrictions for certain fields. See: http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Policy_settings_restrictions_HY&content=pdcontent

Review and clean up your policies before first synching with the cloud.

For multiple domains, incorporate the domain name into policy and settings names: policy names must be unique across domains


Additional Information

Additional Information

Wiki articles - http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies

Policy Blog - http://www-10.lotus.com/ldd/dpdblog.nsf

Debug Decision Tree - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart

Smart Cloud Notes - http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Using_administrative_policies_HY&content=pdcontent

Meet me in the Ask the Developers Lab!

Tuesday: 4:30pm-6pm

Wednesday: 11am-11:30am, 12:30-6pm

Thursday: 10am - noon.

Engage Online

SocialBiz User Group socialbizug.org

Join the epicenter of Notes and Collaboration user groups

Follow us on Twitter

@IBMConnect and @IBMSocialBiz

LinkedIn http://bit.ly/SBComm

Participate in the IBM Social Business group on LinkedIn:

Facebook https://www.facebook.com/IBMSocialBiz

Like IBM Social Business on Facebook

Social Business Insights blog ibm.com/blogs/socialbusiness

Read and engage with our bloggers

Engage Online

Access Connect Online to complete your session surveys using any:

Web or mobile browser

Connect Online kiosk onsite

Acknowledgements and Disclaimers

Copyright IBM Corporation 2014. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Lotus, Notes, and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
