Connect 2014: ID112: Domino Policies: Deep Dive and Best Practices
TRANSCRIPT
ID112: Domino Policies: Deep Dive and Best Practices
Mark A. Skurla, IBM. Advisory Software Engineer, Domino Administration Team. [email protected]: DomPolicy
Please Note
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Welcome!
My background: IBMer since 1995, Domino/Notes since 1997 (R5), Policy Area Owner since 8.5
Full disclosure: this session is about policies, not policy settings (there are ~1,000 of them)! For a good discussion of the settings, see:
http://blog.darrenduke.net/darren/ddbz.nsf/dx/my-show102-using-ibm-lotus-domino-8.5-policies-to-manage-your-clients.htm
Why this session? Policies are like a Swiss army knife: very useful, but confusing.
Wanted a session on policies themselves instead of the settings.
Agenda
Deep Dive
    Architecture
    Flow
    Precedence vs. scope
    How To Apply controls
Best Practices
Using Policies with the Cloud
Q & A
Deep Dive
Architecture
[Architecture diagram: the Standard Client (Java/notes2, dynconfig, C/C++ nlnotes, Personal NAB, Managed Settings) and the Admin Client talk to the Domino Server (server thread, Adminp, Policy Engine, policy cache), which reads the Directory, the Mail File and the Policy Synopsis database (polcysyn.nsf)]
Deep Dive
Client side policy flow
1. Read dyninfo from the directoryprofile in the PNAB.
2. Access the home mail server.
3. During authentication, policies are examined for updates.
4. Policy information is fetched from the Directory.
5. If a change is detected, the dynconfig update flag is returned.
6. Store the returned dynconfig info in the directoryprofile in the PNAB.
7. Launch dynconfig and pass in the flags.
8. Fetch the policy types list from $PolicyProfile in the PNAB.
9. For each policy type, request the effective policy for that type from the server.
10. If it is not in the policy cache, calculate the effective policy using info from the Directory and store it in the cache.
11. Return the effective policy to the client.
12. Store the policy in $Policies in the PNAB.
13. After all policies are processed, notify the Java side of the client.
14. Fetch the policy and How To Apply information from policyhta in the PNAB.
15. HTA applied; store the settings as managed settings (Eclipse feature).
Deep Dive
Server side policy flow
Every 12 hours, adminp calculates the effective mail policy for the local mail users and stores it in the Calendar profile in the mail file.
Use ADMINP_POLL_INTERVAL (in minutes) to override the interval.
Or trigger it from the console: tell adminp process mail
When you access mail Preferences, it comes from the calendar profile. Not the $Policies in PNAB.
Deep Dive
Location, location!
The client gets the home server from the Location document; the server gets it from the Person document. They may be different!
Switching domains via the Location document switches policies!
The value for MailServer in the Location document MUST be canonical.
Deep Dive
Precedence vs. Scope
Three policy types: Organizational, Dynamic, Explicit. In that order precedence increases; scope increases in the opposite direction.
Use the policy type that matches your scope!
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policy-precedence-explained
Where's Dynamic?!
Dynamic = Explicit policy with entries in the Policy Assignment tab
Explicit = Explicit policy with no entries in the Policy Assignment tab
You could use the same policy as both!
Common policy pattern:
Organizational policy has company wide setting: e.g. Password expiration
Individual features enabled via Dynamic policy: e.g. ID Vault, Managed Replica
Exceptions to feature deployment via Explicit policy: No ID Vault
Enforce overrides precedence: the enforced value will be used.
Inheritance complements precedence: the child's value will be used if there is no value in the parent, otherwise the parent's value will be used.
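As an added illustration (not from the presentation), here is a small Python model of the precedence rules above: the three policy types resolved from widest scope to highest precedence, with the Enforce and Inherit controls. The policy set, user names, setting names and values are constructed for the example, and Dynamic is modelled as its own type for clarity.

```python
import fnmatch

# Policy types from widest scope / lowest precedence to narrowest / highest.
PRECEDENCE = ["Organizational", "Dynamic", "Explicit"]

def applies_to(policy, user, groups):
    """Does this policy target the user (abbreviated Notes names)?"""
    kind = policy["type"]
    if kind == "Organizational":
        return user.endswith(policy["org"])            # e.g. "Jane Doe/IBM"
    if kind == "Dynamic":                               # Policy Assignment tab
        return any(fnmatch.fnmatch(user, a) or a in groups
                   for a in policy["assignment"])
    return user in policy["explicit_users"]             # set in Person document

def effective_policy(policies, user, groups=()):
    """Walk applicable policies from widest to narrowest scope. A later
    (higher-precedence) value replaces an earlier one unless a parent marked
    the setting Enforce, or the child marked it Inherit and the parent has
    a value. Each setting is (value, control), control in {None, "Enforce",
    "Inherit"}."""
    chain = sorted((p for p in policies if applies_to(p, user, groups)),
                   key=lambda p: PRECEDENCE.index(p["type"]))
    effective, enforced = {}, set()
    for policy in chain:
        for name, (value, control) in policy["settings"].items():
            if name in enforced:
                continue                       # Enforce overrides precedence
            if control == "Inherit" and name in effective:
                continue                       # parent's value is kept
            effective[name] = value
            if control == "Enforce":
                enforced.add(name)
    return effective

# Constructed policies following the talk's common pattern: company-wide
# setting in the Organizational policy, features enabled by a Dynamic policy,
# an exception for one user via an Explicit policy.
POLICIES = [
    {"type": "Organizational", "org": "/IBM",
     "settings": {"PasswordExpiry": (90, "Enforce"), "IDVault": (False, None)}},
    {"type": "Dynamic", "assignment": ["*/IBM"],         # wildcard assignment
     "settings": {"IDVault": (True, None), "ManagedReplica": (True, None),
                  "PasswordExpiry": (180, None)}},       # loses to Enforce
    {"type": "Explicit", "explicit_users": ["Jane Doe/IBM"],
     "settings": {"IDVault": (False, None),             # the exception
                  "ManagedReplica": (None, "Inherit"),  # parent has it: kept
                  "ArchiveSchedule": ("weekly", "Inherit")}},  # parent lacks it
]
```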
Deep Dive
How To Apply controls
Don't Set: does NOT mean use a default; it means the setting does not exist for this policy.
    Explicitly set any setting you don't intend to use to Don't Set.
Set Initial: best used for initial deployments.
    Old Setup policy = Desktop policy with Set Initial for all values.
Set Whenever Modified: most commonly used.
Set and Prevent Changes: use to lock down user-modifiable settings.
'Admin only' settings only have Don't Set Value.
Set Initial, Set Whenever Modified, and Set and Prevent Changes are only available when there is a user interface to change them.
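An added Python model (not from the presentation) of how the four How To Apply controls behave on the client as a policy is re-applied, including the 'Set Initial' trap mentioned later in the best practices. The ClientSettings class, setting names and values are constructed for this example.

```python
# Added example: client-side behaviour of the four "How To Apply" controls.
# The ClientSettings class and setting names are constructed for illustration.
DONT_SET = "Don't Set"
SET_INITIAL = "Set Initial"
SET_WHENEVER_MODIFIED = "Set Whenever Modified"
SET_AND_PREVENT = "Set and Prevent Changes"

class ClientSettings:
    def __init__(self):
        self.values = {}      # what the client currently uses
        self.applied = {}     # last policy value applied per setting
        self.locked = set()   # settings the user may no longer change

    def apply_policy(self, policy):
        """policy maps setting name -> (value, how_to_apply)."""
        for name, (value, how) in policy.items():
            if how == DONT_SET:
                continue                  # setting does not exist in this policy
            if how == SET_INITIAL and name in self.applied:
                continue                  # applied once; later changes ignored
            if how == SET_WHENEVER_MODIFIED and self.applied.get(name) == value:
                continue                  # policy unchanged: user's value stays
            self.values[name] = value
            self.applied[name] = value
            if how == SET_AND_PREVENT:
                self.locked.add(name)     # lock the setting against the user
            else:
                self.locked.discard(name)

    def user_change(self, name, value):
        """User edits a preference; refused if the policy locked it."""
        if name in self.locked:
            return False
        self.values[name] = value
        return True

def set_initial_trap():
    """The trap: a Set Initial value never follows later edits to the policy."""
    client = ClientSettings()
    client.apply_policy({"MailQuota": (500, SET_INITIAL),
                         "Signature": ("Corp", SET_WHENEVER_MODIFIED)})
    # The admin later raises the quota and edits the signature in the policy.
    client.apply_policy({"MailQuota": (1000, SET_INITIAL),
                         "Signature": ("Corp v2", SET_WHENEVER_MODIFIED)})
    return client.values
```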
Best Practices
Is there a published set of best practices? This is it!
Use the fewest policies that implement your needs: unnecessary policies increase your TCO.
Don't create one at every level in a hierarchy
Use precedence and Inherit/Enforce controls to reduce number of policies
Re-use settings documents across policies
Modify policies on the administration server of the domain
Use autopopulated groups, added in Domino 8.5, to construct a domain group hierarchy:
    One autopopulated group per mail server, e.g. U2HomeServer
    A group for each cluster contains that cluster's mail server autopopulated groups, e.g. JoshuaTreeHomeServers = U2HomeServer, etc.
    One group contains all the clusters in the domain, e.g. IrisDomainHomeServer = JoshuaTreeHomeServers, etc.
Now you can e-mail users at any level or use in Policies
[Diagram, increasing scope: U2HomeServer (mail server) -> JoshuaTreeHomeServers (cluster) -> IrisDomainHomeServers (collection of clusters)]
How is the previous setup helpful?
Example 1: A new employee is onboarded and registered with a given home mail server. The employee is added to the autopopulated group for that server and gets its policies. No further actions for the admin!
Example 2: An existing employee takes an international assignment, and the company has different policies for regional mail servers. The admin uses mail file move to change the user's home mail server. The employee is removed from the original home server's autopopulated group and added to the new server's group, and automatically gets the new policies. No further actions for the admin!
Use the Protected Group feature for critical groups: Actions -> Edit Directory Profile
Use dynamic policies with groups, not people! Specifying lots of individual people reduces performance and increases TCO.
Examine the hidden view $PoliciesByGroup to locate bad policies.
Use the Policy Synopsis tool. It can be used to debug problems; start with the user's home mail server.
It can also be used to verify new policies before going into production.
It is launched from the Admin client's People and Groups or Configuration tabs.
You must re-link policies when copying them. This is useful when trying out changes to production in a test environment, and needed when submitting the Directory to support for PMRs.
Watch out for the 'Set Initial' trap! Use it only for setup situations.
When removing a policy: policies are a push model, so don't just remove!
First change the settings to 'default' values and let them deploy.
'Disable' the policy instead of removing it. For Explicit policies, clear the Policy Assignment tab. For Organizational policies, modify the fullname.
This allows quick restoration in case of a problem.
Consider using your administrators group as a pilot group for policies.
Consider a special ID to sign all policies. Pro: prevents 'Policy has been modified since signed' when an admin leaves the company! Con: you can no longer tell who last modified the policy. Cloud: signs with the server ID and uses a tool to re-sign admin-modified policies.
How to tell who signed the policy? The Signed By column in the view is NOT the way to go; it's the $UpdatedBy value:
Open the policy and look for the Signature or Encryption icon.
In the policy view, use Actions -> Resign Policy to do just that.
Use machine-specific policies (client only) for special situations: laptop vs. desktop, Citrix.
Adding new ones: http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21474598
Troubleshooting: http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21501673
Exemption policy: should only be needed rarely. Like an Enforce for a whole policy, it restarts the precedence tree from this policy down.
To force a policy update from the server:
For a user, just edit/save their Person document.
For a whole server, restart the server, or run:
    load updall names.nsf -T $Policies -R
or go to the Policies view and enter CONTROL-SHIFT. This works because the policy view timestamp is part of the policy update trigger.
To force a policy update from the client: since 8.5, just clearing the $Policies view in the PNAB doesn't do it!
Run dynconfig manually from the executable directory: ndyncfg.exe 20
To force a policy update from the client via a mailed LotusScript button, clear the client-side cached info:

    Sub Click(Source As Button)
        Dim s As New NotesSession
        Dim db As NotesDatabase
        Dim doc As NotesDocument
        ' Open the local Personal Address Book
        Set db = New NotesDatabase("", "names.nsf")
        ' Fetch this user's cached directoryprofile document
        Set doc = db.GetProfileDocument("directoryprofile", s.UserName)
        ' Delete it so the next authentication re-fetches policy info.
        ' No Save after Remove: the document no longer exists.
        Call doc.Remove(True)
        Messagebox "Cleanup Complete. Restart Client", 48, "DONE!!"
    End Sub
Smart Cloud Notes
The service creates an Organizational policy for each customer. It contains pre-set settings needed for the service to operate, and these settings will override any customer policy settings.
Only Dynamic policies are supported: no Organizational or Explicit policies (assigned in Person documents).
To simulate Organizational policies, use wildcards, e.g. */IBM, in the Dynamic policy Assignment field.
Use groups; only use individual user names when necessary. Don't use the following: LLNServers, LLNMailHubs, _* or SAAS*.
Names must be unique across directories.
Archiving, Registration, Roaming and Traveler settings types are not supported.
Desktop, Mail and Security settings are supported, with restrictions for certain fields. See: http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Policy_settings_restrictions_HY&content=pdcontent
Review and clean up your policies before first syncing with the cloud.
For multiple domains, incorporate the domain name into policy and settings names: policy names must be unique across domains.
Additional Information
Wiki articles - http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies
Policy Blog - http://www-10.lotus.com/ldd/dpdblog.nsf
Debug Decision Tree - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart
Smart Cloud Notes - http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Using_administrative_policies_HY&content=pdcontent
Meet me in the Ask the Developers Lab!
Tuesday: 4:30pm-6pm
Wednesday: 11am-11:30am, 12:30-6pm
Thursday: 10am - noon.
Engage Online
SocialBiz User Group: socialbizug.org. Join the epicenter of Notes and Collaboration user groups.
Follow us on Twitter: @IBMConnect and @IBMSocialBiz
LinkedIn: http://bit.ly/SBComm. Participate in the IBM Social Business group on LinkedIn.
Facebook: https://www.facebook.com/IBMSocialBiz. Like IBM Social Business on Facebook.
Social Business Insights blog: ibm.com/blogs/socialbusiness. Read and engage with our bloggers.
Access Connect Online to complete your session surveys using any:
Web or mobile browser
Connect Online kiosk onsite
Acknowledgements and Disclaimers
Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Lotus, Notes, and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.