groove management serverdownload.microsoft.com/download/a/a/a/aaa7f161-1655-410d...groove management...

Groove Management Server Version 3.1 Domain Administrator’s Guide

Post on 13-Jul-2020

23 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Groove Management Server

Version 3.1

Domain Administrator’s Guide


Copyright

Copyright © 2001-2005, Groove Networks, Inc. All rights reserved.

You may not reproduce or distribute any part of this document in any form or by any means, without the written permission of Groove Networks, Inc., nor may you use it to create derivative works.

Groove Networks, Groove, the interlocking circles design, Groove Virtual Office, and groove.net are registered trademarks of Groove Networks, Inc. Other product or company names may be the trademarks of their respective owners.

Use of Groove Networks, Inc. software is subject to the terms of a license agreement and applicable export and import restrictions. Restricted rights for U.S. government users.

This product includes software used under license from third parties, including those parties identified by the following notices. Copyright © 1995 - 2001 International Business Machines Corporation and others. All rights reserved. VcardParser.cpp © Copyright Apple Computer, Inc., AT&T Corp., International Business Machines Corporation and Siemens Rolm Communications Inc. Outside In® ActiveX Control © 2002 IntraNet Solutions Chicago, Inc. All rights reserved. This software is based in part on the work of the Independent JPEG Group. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer. All rights reserved.


Table of Contents

Copyright
Table of Contents
Overview of Domain Administration
  Administrative Architecture
  Management Server Functionality
  Groove User Management
  User and Device Policy Setting
  Groove License Provisioning
  Relay Server Provisioning
  XMPP Proxy Server Provisioning
  Domain Administration and Role Assignment
  Password/Smart Card Login Reset and Data Recovery
  Groove Account Backup
  Groove Usage Monitoring
  Hosting Groove Components
  Groove Client Auditing
  The Management Server Domain Administrator’s Guide
Getting Started
  Before You Begin
  Accessing the Administrative Web Site
  Accessing the Management Server Administrative UI
  Getting Help
  Changing Administrative Preferences
  Setting Up a Groove Management System
  Distributing Activation Keys
Managing Groove Domains
  Overview of Management Domains
  Completing Domain Configuration
  Viewing and Editing Management Domain Properties
  Configuring Management Domain Affiliation
  Setting Up Cross-Domain Certification
  PKI Basics
  Cross-Certifying Management Domains
  Changing Reset/Recovery Private Keys and Key Locations
  Migrating Users to Another Domain
  Adding, Editing and Deleting Email Templates
  Creating Management Server Email Templates
  Editing Management Server Email Templates
  Deleting Management Server Email Templates
  Editing Administrator Roles
Managing Groove Users
  Overview of Groove User Management
  Managing Domain Member Groups
  Adding Groups
  Viewing and Editing a Group
  Viewing Domain Groups
  Viewing Group Members
  Deleting a Group
  Adding Groove Users to a Domain Group
  Adding an Individual Member to a Domain Group
  Adding Multiple Members from an .XML File
  Adding Multiple Members from a .CSV File
  Importing Members from a Directory
  Enabling Groove Activation
  Sending an Activation Key from the Management Server
  Sending an Activation Key Via Personal Email
  Provisioning Managed Groove Users
  Viewing Domain Members
  Viewing and Editing Domain Member Information
  Finding Domain Members
  Moving Domain Members to Another Group
  Exporting Domain Members
  Disabling and Enabling Domain Members
  Disabling Domain Members
  Enabling Domain Members
  Deleting Domain Members
  Backing Up and Restoring User Account Data
  Backing Up Account Data
  Restoring Account Data
  Purging Member Relay Queues
  Creating an LDAP Search String
  Initiating Client Contact With a Management Server
Managing Identity Policies
  Overview of Identity Policy Templates
  Creating Identity Policy Templates
  Editing Policy Template Names
  Cloning Policy Templates
  Changing Identity Policy Templates
  Changing Identity Policy Templates for a Group
  Changing Identity Policy Templates for a Group Member
  Deleting Policy Templates
  Viewing and Editing Identity Policies
  Automatically Managing Devices During Identity Activation
  Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)
  Resetting Groove Login Credentials (for Groove 3.0f or later)
  Administer-Driven Reset of Groove Login Credentials
  Automatic Reset of Groove Login Credentials
  Client Login Credential Reset
  Customizing Reset Instructions (for Groove 3.0f or later)
  Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)
  Data Recovery Fundamentals
  Recovering User Data (using the Data Recovery Tool)
  Managing User Interaction with Unauthenticated Identities
  Authenticated vs. Unauthenticated Groove Identities
  Setting Up Peer Authentication
  Setting the Default Workspace Version
  Specifying Enterprise PKI Certificates
  Setting Time Limit on Valid PKI Certificates
  Enabling Groove-XMPP Communications
  Member Policies
  Security Policies
Managing Device Policies
  Overview of Device Management
  Registering User Devices with the Management Server
  Overview of Device Registration
  Registering Devices in a Management Domain
  Deleting Managed Devices from a Domain
  Creating Device Policy Templates
  Changing Device Policy Templates
  Changing Device Policy Templates for a Group
  Changing Device Policy Templates for a Group Member
  Administering Device Templates
  Viewing and Editing Device Policies
  Customizing Component Policies for Devices
  Component Policy Basics
  Customizing Component Install Policies
  Editing Component Policies
  Deleting Component Install Policies
  Managing Groove Platform Upgrades
  Prevent Platform Upgrade
  Allow Platform Upgrade To Current Version
  Allow Platform Upgrade To Interim Version
  Allow Platform Upgrade and Limited New Tools
  Allow Platform Upgrade But No New Tools
  Controlling Login Credential Reset and Data Recovery
  Resetting Groove Login Credentials for Managed Devices
  Administering Centralized Reset of Login Credentials
  Client Reset of User Login Credentials
  Customizing Reset Instructions for Managed Devices
  Setting Up Data Recovery on Managed Devices
  Data Recovery Fundamentals
  Recovering User Data (using the Data Recovery Tool)
  Controlling Groove Tool Usage on Managed Devices
  Restricting Tool Usage
  Tool Usage Recovery After Restriction is Removed
  Limiting Groove Bandwidth Usage for Devices
  Overview of Groove Bandwidth Policy
  Setting Groove Bandwidth Limit
  Enabling Groove Client Auditing
  Supporting an Onsite Groove Component Server
  Account Policies
  Client Policies
  Security Policies
  Usage Policies
  Audit Server Policies
Managing Groove Product Licenses
  Overview of License Provisioning
  Adding Groove Licenses to a Domain
  Adding a License Set to a Domain
  Adding Groove Domain Licenses to a Set
  Editing License Set Names
  Viewing Domain Licenses
  Viewing Licenses in a Set
  Viewing License Information
  Finding License Users
  Changing License Sets
  Changing License Sets for a Group
  Changing License Sets for a Group Member
  Deleting Licenses from a Domain
  Deleting Licenses from a Set
  Deleting License Sets
  Distributing Licenses to Unmanaged Users
  Viewing Licenses from Unmanaged Users
  Revoking Licenses from Unmanaged Users
  Adding More Seats to a License Package
  Using the Enterprise License Pack
Managing Groove Servers
  Overview of Server Provisioning
  Relay Server Provisioning
  XMPP Proxy Server Provisioning
  Registering a Server with a Management Domain
  Overview of Server Registration
  Exchanging Server Keys
  Adding a Server Set to a Domain
  Adding Groove Domain Servers to a Set
  Editing Server Set Names
  Viewing Domain Servers
  Viewing Servers in a Set
  Editing Server Properties
  Finding Server Users
  Changing Server Sets
  Changing Server Sets for a Group
  Changing Server Sets for a Group Member
  Deleting Servers from a Domain
  Removing Servers from a Set
  Deleting Server Sets
  Locking out and Re-enabling an Onsite Server
  Reordering Servers in a Set
  Synchronizing an Onsite Server
Viewing Groove Domain Reports
  Viewing Reports
  Filtering Reports
  Exporting Reports
  Domain Reports
  Audit Log
  Member Usage
  Tool Usage Report
  Workspace Usage
  License Set Usage
  Member Activity
  Sample Report Filters
  Show Audit Events for a User During Past Week
  Show Audit Log Events for Administrator in Date Range
  Show Most-Used Tools
  Show Members Whose Account Has Never Been Backed Up
  Show Members Who Used Groove Since the Last Backup Date
  Show Members with Managed Account on Multiple Devices
  Show Members with Accounts on Unmanaged Device
Troubleshooting
  Domain Administration Problems
  Groove User Problems
  Data Recovery Problems
Appendix A. Groove Component Versions
Appendix B. Management Server Keys and Certificates
Glossary
End User License Agreement
Index

Overview of Domain Administration

The Enterprise Management Server (EMS) and Groove Hosted Management Services are Web-based applications designed to facilitate the provisioning and management of Groove users in an enterprise. EMS runs on servers operated by an enterprise while the Groove Hosted Management Services application runs on servers operated by Groove Networks®. The option employed at an organization depends on its IT practices and objectives.

Regardless of the management server hosting option, Groove administrators and clients communicate with the management server via its Web site, which provides both an administrative and a client interface. The management interface, secured by its underlying IIS configuration, allows administrators to assemble Groove users, define Groove usage and security policies, distribute Groove product licenses, and deploy relay servers. The client interface allows Groove users to access policies, product licenses, and relay server assignments, and to report Groove usage statistics.

This overview provides summary information on the following topics:

• Administrative Architecture

• Management Server Functionality

• The Management Server Domain Administrator’s Guide

Administrative Architecture

The management server’s Web-based administrative interface is the interactive component of the system. From this interface, administrators can manage users, set Groove usage and device policies, distribute Groove product licenses, and assign relay servers within the organizational unit known as a management domain. This administrative interface of the management server is accessible from a URL defined during management server installation.

This management server administrative interface consists of a navigation pane and the main display window, where a set of tabs and tools let administrators access tasks associated with a selected item in the navigation tree.


The navigation tree consists of the elements described in the following table:

| Navigation Tree Hierarchy | Description |
| --- | --- |
| Domains | Management domains defined on the server. Each domain consists of member groups, policy templates, license sets, and relay server sets. |
| Member groups and subgroups | Pages for creating member groups and for creating, editing, or deleting domain member contact information. |
| Identity Policy Templates | Pages for adding, editing, and deleting identity policy templates (collections of identity policies), including member policy templates and security policy templates. |
| Device Policy Templates | Pages for adding, editing, and deleting device policy templates (collections of device policies), including account policy templates, client policy templates, security policy templates, and Audit Server policy templates (EMS only). |
| License Sets | Pages for configuring a license set’s properties (name and description), adding and deleting license sets to and from a domain group, and adding or deleting licenses within a set. |
| Relay Server Sets | Pages for configuring a relay set’s properties (name and description), adding and deleting relay sets to and from a domain group, and adding or deleting relay servers within a set. |

Management Server Functionality

Groove management servers, whether onsite or Groove Networks-hosted, enable centralized control of Groove usage. Supported by a Structured Query Language (SQL) database that stores most of its data, the management server helps maintain productive workflow and collaboration. While Groove clients periodically connect to the management server to receive provisioning updates and report usage information, administrators connect through a dedicated Web interface to perform tasks essential to managing Groove use on a corporate scale.

Onsite management servers must be installed and configured appropriately by a server administrator, as described in the Groove Management Server Administrator’s Guide. Once the server is in place, management domain-level administrators can use it to set up the management environment.

The following sections briefly describe the scope of domain management tasks that can be conducted from hosted or onsite management servers:

• Groove User Management

• User and Device Policy Setting

• Groove License Provisioning

• Relay Server Provisioning

• XMPP Proxy Server Provisioning

• Domain Administration and Role Assignment

• Password/Smart Card Login Reset and Data Recovery

• Groove Account Backup

• Groove Usage Monitoring

• Groove Client Auditing

Groove User Management

Groove users must each have a managed identity in a domain group in order to be provisioned with usage and security policies, Groove licenses, and relay servers. If administrators need to set policies on Groove devices, as well as user policies, they can register the Groove user device(s) in a management server domain. Any server or domain-level administrator can create domain groups and populate them with users. The following sections introduce user and device administration:

• User Management

• Device Management

User Management

Once Groove is installed on user devices, domain administrators begin the Groove management process by entering user contact information in domain groups on the management server. When this is complete, they send activation keys to each intended member of the group. Users apply these keys to their accounts, resulting in the creation of a managed, provisioned identity for each group member.

To facilitate the task of entering contact information for large numbers of users, administrators can import user specifications from an .xml or .csv file. Or, if a corporate LDAP-based directory server is installed onsite, the necessary user information can be imported or integrated from a defined data point on the directory server.

Device Management

An important aspect of managing Groove users is managing the devices they use for work. Managed devices are subject to specific security policies (such as password creation rules and component download restrictions) while unmanaged devices are not.

Device management involves the distribution of Groove account, client, and security policies to devices defined for managed identities. Devices running Groove must be registered with the management server in order to be managed and subject to device policies. Registration is accomplished by downloading a management server registry key to devices associated with managed domain members. Policies become effective on target devices as soon as the device users activate Groove. Activating Groove on target devices automatically updates Windows registries with the management server key.

User and Device Policy Setting

The management server provides templates of default usage and security policies that apply to domain group members and any associated devices that are registered on the server. Administrators can modify the policies set in these templates or create new templates, then apply the templates to designated management domain groups or users. These policies apply only to managed Groove users and devices - those defined on the management server as belonging to a specific management domain group. Policies do not affect unmanaged Groove users.

The following sections summarize the policy options in each category:

• Identity Policies

• Device Policies

Identity Policies

User identity policy templates cover the following aspects of Groove use:

• Member policy templates - Client account backup scheduling, client access to XMPP messaging, and identity publishing.

• Security policies - Peer authentication and, if enterprise PKI is in effect at an enterprise, the use of specified identity authentication certificates.

Device Policies

User device policy templates cover the following aspects of Groove use:

• Account policies - Multiple account creation, importing accounts, use of only managed identities from this domain on devices in this domain.

• Client policies - Component installation and bandwidth usage.

• Security Policies - Password or smart card login, password creation and reset if used, smart card login and reset if used, account lockout after repeated failed login attempts, enhanced private key protection, and Web services availability.

• Audit Server Policies - Audit server URL, logging periodicity, selected account events, and selected tool events (available for Enterprise Management Server only).

Groove License Provisioning

Managed Groove users need licenses for managed versions of Groove Virtual Office (formerly Groove Workspace). Once an enterprise has purchased the necessary licenses and made them available on a corporate network, administrators can add them to management server license sets for assignment to specific domain groups or users. Domain administrators can add and delete license sets in a management domain, and add and delete licenses within a license set.

Relay Server Provisioning

Relay servers are a fundamental part of Groove peer-to-peer communications. In a managed environment, dedicated relay servers installed onsite at an enterprise or hosted by Groove Networks help ensure timely, uninterrupted message transfer between Groove peers regardless of their location or status (online or offline) on the network. Once an enterprise has installed at least one relay server onsite or engaged Groove-hosted relay services, administrators can add relay servers to relay server sets for assignment to specific management domain groups or users. Domain administrators can add and delete relay server sets in a management domain, and add and delete relay servers within a set.

XMPP Proxy Server Provisioning

As of version 3.1, Groove Virtual Office provides public XMPP proxy servers to enable Groove client communication with Jabber and other XMPP clients. In a managed environment, an enterprise can install Groove XMPP proxy servers onsite, allowing administrators to provision Groove domain members to private XMPP servers similar to the way they provision users to dedicated relay servers. In addition, a management server identity policy determines whether domain members can access any Groove XMPP Proxy Servers (public or onsite).

Domain Administration and Role Assignment

Domains defined by server administrators (or by Groove Networks, if hosted management services are employed) are the top management unit on the server. Each domain consists of user groups and subgroups, as well as a collection of user and device policy templates, Groove license sets, and relay server sets. At the top management domain level, administrators can view Groove usage reports, and add, edit, or delete management server email templates. In addition, if the management server administrator has enabled Role Based Access Control (RBAC) on the server, domain administrators can define roles for peer administrators or for those limited to Groove user, license, data recovery, or report management.

Password/Smart Card Login Reset and Data Recovery

In the event that a managed user is removed from a management domain or forgets a Groove password or smart card login, resetting the user’s password or smart card login credentials may be necessary. To prepare for this eventuality, the domain (or server) administrator can set a device policy that allows for reset proceedings. The management server supports a centralized approach to resetting a user passphrase or smart card login. Provided that device security policies allow, administrators can respond to individual user requests for password or smart card login reset by verifying user identity and granting (or denying) the request. If the request is granted, users can reset their own password without further administrative involvement.

In addition, the management server provides a utility that domain administrators can use to access data that would otherwise be irretrievable without the user’s password. Groove data that is normally stored encrypted with the managed user's password (known only to that user) is also encrypted with the administrator’s public key. The data recovery program enables the domain administrator to use a corresponding private key to recover the device owner’s Groove data or reset the user password.
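The dual-encryption arrangement described above, sketched as an added example. This is not Groove's code, and this guide does not describe Groove's actual key formats or algorithms: the sketch assumes a generic envelope scheme built with the third-party Python `cryptography` package, in which one random data key is wrapped once under a password-derived key and once under the administrator's recovery public key. All function names and the sample data are hypothetical.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed parameters for this sketch; not taken from the Groove product.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PBKDF2_ITERATIONS = 200_000


def _password_kek(password, salt):
    """Derive a 256-bit key-encryption key from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _wrap_for_password(data_key, password):
    """Wrap the data key so that only the password holder can unwrap it."""
    salt, nonce = os.urandom(16), os.urandom(12)
    wrapped = AESGCM(_password_kek(password, salt)).encrypt(nonce, data_key, None)
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped}


def protect(plaintext, password, recovery_public_key):
    """Encrypt data once, then wrap its key for the user AND for recovery."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": AESGCM(data_key).encrypt(nonce, plaintext, None),
        "user_slot": _wrap_for_password(data_key, password),
        "recovery_slot": recovery_public_key.encrypt(data_key, OAEP),
    }


def _decrypt(blob, data_key):
    return AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"], None)


def open_with_password(blob, password):
    """Normal path: the user unwraps the data key with the password."""
    slot = blob["user_slot"]
    kek = _password_kek(password, slot["salt"])
    # Raises InvalidTag when the password is wrong.
    data_key = AESGCM(kek).decrypt(slot["nonce"], slot["wrapped"], None)
    return _decrypt(blob, data_key)


def recover_with_private_key(blob, recovery_private_key):
    """Recovery path: the administrator unwraps the data key, no password needed."""
    data_key = recovery_private_key.decrypt(blob["recovery_slot"], OAEP)
    return _decrypt(blob, data_key)


def reset_password(blob, recovery_private_key, new_password):
    """Re-wrap the data key under a new password; the bulk data is untouched."""
    data_key = recovery_private_key.decrypt(blob["recovery_slot"], OAEP)
    return {**blob, "user_slot": _wrap_for_password(data_key, new_password)}


def demo():
    """Run the scenario on constructed sample data and return the outcomes."""
    admin_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    secret = b"constructed workspace contents"
    blob = protect(secret, "users-original-passphrase", admin_key.public_key())
    reset = reset_password(blob, admin_key, "new-passphrase")
    try:
        open_with_password(reset, "users-original-passphrase")
        old_rejected = False
    except InvalidTag:
        old_rejected = True
    return {
        "user_opens": open_with_password(blob, "users-original-passphrase") == secret,
        "admin_recovers": recover_with_private_key(blob, admin_key) == secret,
        "new_password_opens": open_with_password(reset, "new-passphrase") == secret,
        "old_password_rejected": old_rejected,
        "data_untouched": reset["ciphertext"] == blob["ciphertext"],
    }


if __name__ == "__main__":
    print(demo())
```

In any scheme of this shape, whoever holds the recovery private key can read every protected account, so where that key is stored and who can use it deserve the same care as the data itself.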

Groove Account Backup

The management server lets administrators set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed up information includes user contacts, workspace lists, identities and contact information, licenses and identity policies. Without a backup system in effect, lost or corrupted user account data is irretrievable.


Groove Usage Monitoring

When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, Groove workspaces, and Groove tools being used. Administrators can view Groove usage statistics via the management server administrative Web site.

Usage statistics include the amount of time users spend in a particular workspace, use a specific tool, or create workspaces. Audit log reports are also available that log domain events, such as the addition of a new group to a domain.

Hosting Groove Components

If Groove’s Component Server is installed onsite, administrators can set a device policy that directs Groove clients to that server for Groove component downloads.

Groove Client Auditing

If the Groove Audit Server is part of the management server installation, the management server can be configured to cause managed clients to log Groove user activities. Management server device policies specify which Groove events are tracked and uploaded to management server databases. Client audit logs are collected onto a SQL server, and from them administrators can generate formatted reports using third-party reporting tools, such as Crystal Reports.

The Management Server Domain Administrator’s Guide

This Groove Management Server Domain Administrator’s Guide provides instructions for using Groove management services, whether provided by an onsite server or hosted by Groove Networks.

This Guide has the following sections:

• Overview - Describes the management server’s role in managing Groove and its functionality.

• Getting Started - Provides a recommended procedure for initial deployment of Groove users and devices at an enterprise.

• Managing Groove Users - Provides instructions for creating domain member groups, provisioning managed users, and administering Groove usage.

• Setting Groove Identity Policies - Provides instructions for customizing managed user policies.

• Setting Groove Device Policies - Provides instructions for customizing managed device policies.

• Managing Groove Product Licenses - Provides instructions for managing Groove licenses and provisioning managed users with Groove licenses.

• Managing Groove Servers - Provides instructions for managing Groove servers such as Enterprise Relay Servers and XMPP Proxy Servers, and for provisioning managed users with access to these.

• Managing Groove Domains - Provides instructions for configuring Groove management domains and domain administrator roles.


• Monitoring Groove Usage - Provides instructions for accessing and reading Groove usage reports.

• Troubleshooting - Lists common problems related to the management server and suggests ways to address them.

• Glossary - Defines terms used in this Guide.

• Appendices - Provide information about Groove component versions and other supplementary material.

20050315


Getting Started

Groove management servers enable administrators to set up a system for overseeing Groove usage in an enterprise. This document provides instructions for using the administrative Web interface provided by your onsite Groove Enterprise Management Server (EMS) or by Groove Hosted Management Services to manage Groove users and devices at your company.

The setup process involves meeting the necessary software and information requirements, accessing the management server administrative Web site, defining Groove users to the management server, and, finally, provisioning them with usage and security policies, product licenses, and relay servers.

The following sections describe details of this process:

• Before You Begin

• Accessing the Administrative Web Site

• Setting Up a Groove Management System

• Distributing Activation Keys

Before You Begin

Review the checklists in this section before accessing the management server administrative Web site.

Note: The instructions in this guide assume that you have full access to the domain portion of the administrative Web site. If your server administrator has enabled Role Based Access Control, you must have the role of Server Manager or Domain Administrator. Some options may not be available to you if you have any other role.

As a domain administrator, you need expertise in the following areas:

• General Groove use

• User account management

• Product license distribution and maintenance

• Software usage and security policies

• Software usage monitoring

Also make sure of the following:


• You understand the basic functionality provided by the management server. For more information, see the “Overview of Domain Administration” earlier in this guide.

• If you are using the Enterprise Management Server installed at your site, the EMS software is installed on your system as described in the Groove Enterprise Management Server Administrator’s Guide and you know the Universal Resource Locator (URL) of your company’s EMS Web site.

• The Internet Explorer 5.5 (or later) browser is installed with Frames, Cookies, and JavaScript enabled.

• Groove version 3.0 (or later) is installed on your user’s computers. See the Groove Software Deployment Administrator’s Guide for information about deploying Groove software in an enterprise.

Note: The management server supports Groove version 1.3 (or later) but many policies and other management server features, including user provisioning with specific relay servers, are available only for the latest version of Groove.

• If you intend to utilize one or more onsite relay servers, the relay server is installed and configured as described in the Groove Enterprise Relay Server Administrator’s Guide. Note that onsite relay servers require onsite management servers.

• If your user contact information originates from a corporate directory server, your management server administrator has defined and configured the directory server on your management server, as described in the Groove Enterprise Management Server Administrator’s Guide. Note that directory server integration is possible only if an Enterprise Management Server is installed at your site.

• You have on hand your login name and password for the management server if required. If you are using the Enterprise Management Server, this information is determined by your company’s Web site authentication system. If you are using Groove Hosted Management Services, this information is determined by login requirements of the Groove-hosted management server Web site.

• You have on hand the path name of the directory where your company’s Groove license files (.pkg files) reside.

• You consider the possibility of Groove user device management, which is strongly recommended although not required. Device management lets you set various Groove usage and security policies, including those that govern the types and sources of Groove components that can be downloaded onto these devices.

Accessing the Administrative Web Site

The sections below provide instructions for accessing and using the management server administrative Web site:

• Accessing the Management Server Administrative UI

• Getting Help

• Changing Administrative Preferences

Accessing the Management Server Administrative UI

To access the management server administrative interface, do the following:

1. From a Windows PC, open an IE Web browser.

2. If you are accessing a local Enterprise Management Server from your own site, go to the URL of the Enterprise Management Server, defined by the management server administrator.

If you are accessing Management Services from the Groove Networks Web site, go to http://groove.net.

3. Log in to the management server using your administrator login name and password (determined by your company’s Web site authentication scheme if you are using the Enterprise Management Server).

The management server home page appears, with a domain list on the left and a main window showing a set of tabs. Notice the page’s following characteristics (which may vary, depending on the role your server administrator has assigned to you):

• The main window reflects the current selection in the navigation pane.

• A navigation tree appears in the pane on the left, listing the management domain(s) defined on this server.

• At least one member group appears in the navigation pane under each management domain.

• At least one Groove identity and device policy template, license set, and relay server set, appears in the navigation pane under each management domain.

• A tool bar at the top of the main window contains icons appropriate for the task being performed on the current tab.

• When the management domain is the current selection, a set of domain tabs appears - Reports, Email, and Roles, with the Reports tab in the foreground.

Note: If, instead of domain tabs, a domain setup window appears, requiring information, fill in the fields as described in “Completing Domain Configuration” in the Managing Domains section of this guide. Then you can start using the domain management pages.

You are now ready to begin populating a server domain group with members and provisioning those members, as described below.

Getting Help

To get help using Management Services, follow these guidelines:

• Click the Help link in the upper left of a management server administrative Web page to access management services Help.

• Go to http://groove.net/go/ms (or the Groove EMS product CD) for a printable .pdf version of the Groove Management Server Domain Administrator’s Guide.

• For server-level information, see the Groove Enterprise Management Server Administrator’s Guide.

• For specific information about installing the Groove client in an enterprise, see the Groove Software Deployment Administrator’s Guide.

Changing Administrative Preferences

You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set the preferences; they do not affect other administrative logins.

To edit administrative preferences, follow these steps:

1. Go to the EMS administrative Web interface and click the Preferences link at the top of the current page. An image of your left navigation pane appears in the dialog box.

2. To change the default number of list items that appear on any list page, select a number from the Display drop-down box. The initial default setting is to display 25 items per page.

3. To select a start (or home) page, select from the Start Page tree the item that you want to appear when you start the EMS administrative Web interface.

4. Click OK.

Your changes should take effect immediately.

Setting Up a Groove Management System

A domain is the top-level management unit of Groove deployment on the management server. It contains one or more groups of Groove users (members). Your management server administrator creates domains; you or anyone with management domain-level permissions (if Role Based Access Control is configured on your server) can create domain groups and subgroups. The management server provides an initial top-level domain group, within which you can create other groups and subgroups.

Note: Administrators with limited roles (roles other than Server or Domain administrator) may not be able to see certain pages or fields discussed in this guide. Initial administrator roles are set by the management server administrator as part of the management server installation and configuration process. However, domain administrators can edit the roles of domain-level or limited domain-level administrators, as described in “Editing Administrator Roles” in the Managing Domains section of this guide.

The procedure below outlines the basic steps necessary to create an initial user management system, following a recommended sequence. Where necessary, you can link to other sections of the guide that provide more detail. You may want to begin by performing a trial run with a sample user base and minimal customization.

To add Groove users to a Groove management domain and provision them with policies, licenses, and relay servers, follow this basic recommended procedure:

1. Start up and log in to the management administrative Web site as described in the “Accessing the Administrative Web Site” section of this guide. At least one domain appears in the navigation tree in the pane to the left of the main window.

2. Select a management domain in the navigation pane.

If an administrator has fully configured the domain, a set of tabs (for Reports, Email, and Roles) appears in the main window allowing you to perform various domain tasks described later in this guide. Proceed to the next step.

If a No Roles tab appears, along with a message referring you to a server or domain administrator for domain access, ask the appropriate administrator to assign you an administrative role. Then return here to continue with this procedure.

If a domain setup window appears, requiring information, fill in the fields as described in “Completing Domain Configuration” in the Managing Domains section of this guide. Then return here to continue with this procedure.

3. To apply management server device policies (that control client password entry and component downloading, for example) to Groove user devices, register each device with the management server as follows:

Note: Registering devices with the management server is highly recommended.

a. Download the device management registry key from the management server to a client-accessible location, by selecting the default device policy template in the navigation pane, then selecting Download Device Management Key in the tool bar. (See “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide for details).

b. Install the management server registry key on each user device that you want to manage in the domain. Each registered device appears with a Type of ‘Managed’ in the Member Information page of the member(s) with which it is associated, as described in “Viewing Domain Members”, in the Managing Groove Users section of this guide. For information about centralized deployment of device management keys via MSI transforms, see the Groove Software Deployment Administrator’s Guide.

4. Consider customizing the identity policy template in the domain. Initial defaults are usually based on minimal security requirements. For details about specifying identity policies, see “Viewing and Editing Identity Policies” in the Managing Identity Policies section of this guide.

Note: If you want the management server to automatically back up domain member accounts, make sure to configure the account backup policy on the Member Policies tab, as described in “Backing Up and Restoring User Account Data” in the Managing Groove Users section of this guide.

5. Consider customizing the device policy template in the domain. Initial defaults are usually based on minimal security requirements. For details about specifying device policies, see “Viewing and Editing Device Policies” in the Managing Device Policies section of this guide. In considering device policy settings, note the following:

• To enact any device policies, make sure you installed device registry keys on each user device, as described earlier in this procedure.

• If you want to allow for Groove password resetting and data recovery, make sure to set the device settings accordingly on the Security Policies tab, as described in the “Resetting Groove Login Credentials for Managed Devices” and “Setting Up Data Recovery on Managed Devices”, in the Managing Device Policies section of this guide.

• If a Groove Audit Server is installed at your site and you want to enable client auditing, make sure to set the device settings accordingly on the Audit Policies tab, as described in the “Enabling Groove Client Auditing” section of this guide.

• If a Groove Component Server is installed at your site, make sure to specify the server accordingly on the Advanced Install Properties page of the Client Policies tab, as described in “Supporting an Onsite Groove Component Server” in the Managing Device Policies section of this guide.

6. Add Groove licenses to a domain license set, as follows:

Note: This step is required. Omitting this step will restrict your managed users to installing the Preview version of Groove Virtual Office instead of the professional version necessary for Groove use in an enterprise.

a. Select the domain’s License Sets heading in the navigation pane. The License Sets page appears with two tabs: License Sets and Licenses on the bottom of the page. The License Sets tab shows an initial default license set that does not yet contain licenses.

b. If you are using an onsite Enterprise Management Server, import a Groove license (product package) to the domain by clicking the Licenses tab, selecting Add License in the tool bar, and browsing to the file location of your organization’s Groove license files. (See “Adding Groove Licenses to a Domain” in the Managing Groove Licenses section of this guide for details.)

If you are using Groove Hosted Management Services, you can skip this step, which is handled by Groove Networks.

c. Add a Groove license to the default license set by selecting the set from the navigation panel, selecting Add License in the tool bar and selecting the license from the Add License window, as described in “Adding Groove Domain Licenses to a Set” in the Managing Groove Licenses section of this guide.

7. If you are using an onsite Enterprise Management Server, to assign specific Groove servers, including Relay and XMPP Proxy servers, to a domain server set, follow these steps:

a. Select the domain’s Server Sets heading in the navigation pane. The Server Sets page appears with two tabs: Server Sets and Servers at the bottom of the page. The Server Sets tab shows an initial default server set that does not yet contain servers.

b. Add the Groove server ID file to the domain by clicking the Servers tab, selecting Add Server in the tool bar, selecting Onsite Relay Server, Hosted Relay Server, or XMPP Proxy Server from the drop-down menu, and entering the required information. (See “Registering a Server with a Management Domain” in the Managing Servers section of this guide for details).

This server is automatically added to the initial default server set.

8. To enter user contact information in the domain (if your server manager has not already performed this step using a corporate directory server), follow the sub-steps below. If user data has already been integrated into management server member groups from a corporate directory server, skip this series of sub-steps and proceed to the next main step.

a. Select the initial domain group created for you, called Members. The Members page appears with two tabs: Members and Groups. You can add members directly to this group, but creating subgroups, as advised in the next step, is the more practical and recommended approach, particularly if you are integrating an onsite directory server with the management server.

b. Add a group to Member Groups by selecting it, clicking the Groups tab, selecting Add Group in the tool bar, and filling in the dialog box as described in “Adding Groups” in the Managing Groove Users section of this guide.

c. Select a domain group in the navigation pane, select Add Members in the tool bar, and select one of the Add Member options, as described in “Adding Groove Users to a Domain Group” in the Managing Users section of this guide.

9. Accept the default domain group provisioning with policies, licenses, and relay servers, or edit them by clicking the group in the navigation pane and editing its properties, as described in “Provisioning Managed Groove Users” in the Managing Users section of this guide.

10. Send activation keys to domain members, as described in “Enabling Groove Activation” in the Managing Users section of this guide.

To perform various domain-level tasks, use the domain tabs and the following table for guidance:

Domain Tabs | Descriptions

Reports | Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.

Email | Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide.

Roles | Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles”, in the Managing Domains section of this guide.

Distributing Activation Keys

To facilitate deployment of Groove Virtual Office (formerly Groove Workspace) in your domain, the latest Groove version should already be installed on user machines before you send them email containing their domain member activation keys. When you are ready for users to come online in your management domain and you have sent them the email that contains their identity activation keys, they must each install the activation key in Groove.

As an alternative to manual client activation, the management server offers an Auto-Activation feature. See your server administrator or the Groove Enterprise Management Administrator’s Guide for information about automating Groove activation.

Groove user devices must be connected to the management server for Groove activation to succeed. When a Groove user applies a managed identity activation key to a PC, Groove contacts the management server (for example, groove.net if you are using Groove Hosted Management Services), authenticates the user, and downloads the appropriate user information and domain licenses to the user’s machine. It also downloads identity policies and any relay server assignments associated with the domain. If device management keys are included in the installation process, device policies are also downloaded.

To activate their new identities, users must first start up Groove Virtual Office. Subsequent steps vary somewhat, depending on which version of Groove the user is running. The following table provides some guidelines:

User Scenario | What User Should Do

The user is starting up a licensed version of Groove 2.0+ on a managed device for the first time | 1. Double-click the Groove icon to start up the Product Activation Wizard which guides the user through the domain member activation process. 2. Copy the administrator-supplied Activation Key into the Wizard text boxes when prompted to do so.

The user is starting up Groove 2.0+ on an unmanaged device for the first time | 1. Double-click the Groove icon to start up the Product Activation Wizard which guides the user through the domain member activation process. 2. Get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box when prompted to do so.

The user already has Groove Preview 2.0 running on their managed device | 1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process. 2. If prompted, choose whether to create the new managed identity or convert an existing identity to a managed identity. The display of this prompt depends on the administrator’s device policies.

The user already has Groove Preview 2.0 running on their unmanaged device | 1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process. 2. When prompted, get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box when prompted to do so. 3. A prompt will ask the user whether to create a new managed identity or to make an existing identity managed.

Auto Activation will activate Groove | 1. Make sure that Groove client devices are registered with a management domain, as described in “Registering User Devices with the Management Server” of this guide. 2. See your server administrator or the Groove Enterprise Management Server Administrator’s Guide for information about using Auto Activation.

In supporting Groove users, bear in mind the following factors pertaining to activation keys and managed identity creation:

• All identities in an account containing a managed identity will have access to whatever licenses are associated with that managed identity.

• Users cannot install the same activation key and identity data into more than one account. Trying to do so will cause a message to appear, stating that the identity has already been installed. Users must get a new activation key from the administrator if they install the activation key and identity data into the wrong account or need to delete the account where the managed identity resides for any reason.

• Once activated, an activation key cannot be re-used or re-sent for any reason, even if the account in which the identity resided has been destroyed. You must create new identity information and send a new activation key to a user if the user has lost domain membership for any reason.

• If your device policies allow, the Product Activation Wizard gives users the choice of converting an existing identity to the new managed identity, based on the identity information that you entered for them. The original identities’ existing Groove spaces and contact lists remain intact.

• If a user does not yet have a Groove account, the Groove domain activation process creates a user account. This identity is the default for that account.

If a user has one or more existing Groove accounts, the domain activation process prompts the user to choose whether to create a new account or to use a specified existing account. If the user chooses the new account option, the managed identity will become the default identity in that account. If the user specifies an existing account, that account will have multiple identities, the existing one(s) and the new one which becomes the default. As described in the previous bullet, the user can convert an existing identity to the new managed identity if your device policies allow.

Groove is now launched on the user’s device and the user is a member of the management domain, with access to the licenses and allegiance to policies associated with that domain.

Note: For administrators of Groove-hosted services: Groove licenses reside on a Groove Networks server and are accessed via the Groove Networks Web site at www.groove.net. If your company uses proxy servers to control traffic out to the internet and the user has not logged into the network, the Groove client will trap any login request from the proxy and display a login window during the domain activation process. The user should enter the customary name and password in order to proceed smoothly. If a user ignores this login, the activation process will fail. If activation fails for any reason and the Groove client (user’s device) cannot communicate with the server to perform activation, the Groove client automatically tries again within an hour.

Managing Groove Domains

Management domains are organizational units defined on the management server. This document provides information about the ongoing administration of Groove management domains via the Enterprise Management Server (EMS) or Groove-Hosted Management Services. For specific information about initial domain configuration, see “Setting Up a Groove Management System” in the Getting Started section of this guide.

The sections below describe the following domain-based tasks:

• Overview of Management Domains

• Completing Domain Configuration

• Viewing and Editing Management Domain Properties

• Configuring Management Domain Affiliation

• Setting Up Cross-Domain Certification

• Changing Reset/Recovery Private Keys and Key Locations

• Migrating Users to Another Domain

• Adding, Editing and Deleting Email Templates

• Editing Administrator Roles

Overview of Management Domains

Management domains are organizational units that contain groups of managed Groove users, templates of identity and device policies, and sets of licenses and relay servers. Management server administrators create domains, as described in the Groove Management Server Administrator’s Guide. Each domain has one top-level group, within which you can add other groups and subgroups. You use management domains to manage Groove users and devices. See “Managing Domain Member Groups” in the Managing Users section of this guide for more information about groups.

Clicking on a completely configured domain in the navigation pane of the management server administrative Web interface displays tabs where you perform basic domain-level tasks, as described in the table below. If a domain is not yet fully configured, a pop-up domain setup window appears asking for the required information, as described in “Completing Domain Configuration” later in this section.

Domain Tabs | Descriptions

Reports | Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.

Email | Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates”, later in this section.

Roles | Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles”, later in this section.

Note: Changes or updates to user contact information apply to all members of a Groove management domain and to their Groove workspace contacts. To manage network traffic, the management server distributes these changes to Groove clients over time. Therefore, these changes may not take effect immediately. Depending on the number of Groove clients affected, the propagation can take up to several days (for example, up to 4 days for about 5,000 users). Domain-wide changes include the following:

• Management domain affiliation

• Domain name

• Group name

• Relay server set

Completing Domain Configuration

The management server provides an initial default domain. If a server administrator did not complete initial domain configuration, clicking the domain in the navigation pane on the left displays a domain setup window, instead of the domain tabs (Reports, Directory Integration, and Roles). You cannot use the domain to provision Groove users until you supply information in the required fields.

To complete management domain configuration, follow these steps:

1. Go to the management server administrative Web site and select a domain from the navigation pane on the left. If a set of domain tabs (Reports, Emails, Roles) appears, domain configuration is complete and you do not need to perform this procedure.

2. If a domain setup window appears, fill in the fields described in the following table, then click OK.

Add Domain Fields* | Explanations

Domain Setup

Domain Name | The name of the domain, supplied automatically for the initial domain. This name is used in the management server user interface to refer to the domain. You can edit this field, if necessary.

Description | Optional. A description of the domain which you can supply.

Identity Authentication Settings (cannot be undone) | Required. Click one of the following radio buttons, depending on your company’s security policies. Or accept the default of Groove PKI.

• Use Enterprise PKI to authenticate member’s identities - Select this option if your organization has an existing Public Key Infrastructure (PKI) system that you want to use with the management server.

• Use Groove PKI to authenticate member’s Identities - Select this option if you do not have a corporate PKI system in place or you prefer to use Groove’s application-specific PKI system.

Note: This decision cannot be undone after you click the OK button.

Default: Use Groove PKI

Certificate Authority name | Required if the Use Groove PKI option is selected above. Enter a unique, fully qualified, registered Domain Name Service (DNS) name.

If the Use Enterprise PKI option is selected above, this field does not apply.

Password or Smartcard Reset Setup

Private Key Name | Accept the default name for the password/smart card reset private key, or edit it as necessary. The default name is based on the creation date and time (such as Jan-10-2004 12 PM Key).

When you click the OK button in this dialog box, the management server generates a private key on the server or in a designated file location, as specified below. This key decrypts user data that is protected by a corresponding reset public key, allowing administrators to reset Groove passwords or smart card logins, and recover user data on managed Groove devices. See “Resetting Groove Login Credentials for Managed Devices” and “Setting Up Data Recovery on Managed Devices” in the Managing devices section of this guide, for more information about resetting user passwords and recovering user data.

Note: Enabling password reset and data recovery also involves setting the appropriate policies for management domain devices as described in “Managing Device Policies” later in this guide.

Create Private Key Password | Required. Enter a password to protect access to the password/smart card reset private key. This is the administrative password used to reset a user’s Groove password.

Note: If you lose your private key file, you must regenerate it and reset the policy. The private key always remains password-protected.

Verify Private Key Password | Verify the private key password that you entered.

Add Domain Fields* Explanations

Groove Management Server Domain Administrator’s Guide Managing Groove Domains 19

Page 28: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Viewing and Editing Management Domain Properties

Your management server administrator creates domains on the management server. You (or anyone with a server or domain administrator role in an RBAC-supported environ-ment) can view domain information and edit a domain’s configurable properties, as described in the following sections.

To edit management domain properties, follow these steps:

1. Go to the management server administrative Web site and select a domain from the navigation pane on the left.

2. Select Domain Properties in the tool bar. The domain Properties page appears.

3. From the domain Properties page, edit the fields shown in the following table as necessary, then click OK:

Remember Private Key Password

Available if you are storing the private key on the management server.

Select this option if you want the management server to remember the private key password that you supplied, simplifying the password reset process (described in “Resetting Groove Login Credentials for Managed Devices” in the Managing Device Policies section of this guide).

Default: checked (enabled)

Private key storage options

Required. Select a private key storage option:

• Store private key on the management server - Stores the password reset private key on the management server.

• Save private key to a file - Displays a browse window where you can browse to and specify a file location for the password reset private key.

Default: Store private key on the management server.

Domain Properties Fields

Explanations

Domain Setup

Domain Name

Specifies the name of the domain. The management server supplies an initial domain name, which you can edit as needed.

Description

Displays an optional description of the domain. You can edit this description as needed.

Certificate Authority (CA) name

Information only. Appears if the Groove PKI option is selected.

The CA name assigned to the domain by the server administrator during domain creation, if Groove PKI is the chosen identity authentication system.

Representation of Affiliation

Determines the level of information displayed in domain members’ Groove contact information, as follows:

• Show member’s domain only - Displays each managed user’s name, followed by the management domain of which the user is a member.

• Show member’s position within the domain/group hierarchy - Displays each managed user name, followed by the management domain/group/subgroup... of which the user is a member.

Device Management

Remove devices from domain after __ days of inactivity

The number of days of inactivity after which the management server removes managed devices from the domain.

Default: 90

Password or Smart Card Reset Setup

Store Key on Server

Appears if the private key file is stored in a specified file.

Lets you change the storage location for the password/smart card reset private key from a network location to the management server.

Clicking this button displays a pop-up window with the key name, a browse box to enter the source directory location, and a prompt for the private key password, along with an option to remember the password.

Move Key to File

Appears if the private key file is stored on the management server.

Lets you change the storage location for the password/smart card reset private key from the management server to a specified file on your network.

Clicking this button displays a pop-up window that displays a standard Save dialog box where you can browse to a target directory location on your network. Note that moving the private key to a file deletes it from the management server.

Download data recovery tool for Groove version __

Specifies the version of Groove for which you want to download a data recovery tool. This tool allows you to access managed user data on a managed device when a user has left the company or forgotten their password (providing that device security policies allow).

Clicking the Download button displays a pop-up window that lets you download and install the data recovery tool (DataRecoveryAdminTool.exe) for the specified Groove version to the current device. Or, you can save the program file (DataRecoveryTool30.exe, which contains the data recovery tool and its associated system files) to a specified directory location. You install the data recovery tool .exe file to the Groove client device where you intend to restore Groove data. See “Setting Up Data Recovery on Managed Devices” in the Managing Groove Devices section of this guide for detailed information about recovering Groove data.

Default: 3.0

Configuring Management Domain Affiliation

The management server domain Properties page lets you control how domain members appear in Groove contact lists. By default, the domain member’s name appears, followed by the associated domain; no group information is included. The affiliation setting applies to the entire management domain and all groups in the domain.

Change Private Key Password

If the password/smart card reset private key resides on the management server, this button lets you change the private key password. Clicking the button displays a pop-up window that lets administrators specify and confirm a new password for the password/smart card reset private key.

Change Key

Generates another password/smart card reset private key on the management server or in a designated directory location, as specified in this domain Properties page. The new private key has a default name that includes the date, distinguishing it from previous keys.

Cross Domain Certification (available for Groove PKI only)

Download Domain Certificate

Appears only if Groove PKI is the identity authentication method.

Downloads the selected domain’s certificate from the management server to a specified directory location on the local device. You can then send this key to another domain administrator to set up cross-domain trust. See “Setting Up Cross-Domain Certification” later in this section for information about setting up cross-domain certification with trusted domains.

Add Foreign Domain’s Certificate

Appears only if Groove PKI is the identity authentication method.

Uploads a foreign domain certificate from a specified location to the management server. When you click the OK button, the certificate name appears in the list at the bottom of the Domain Properties page.

Delete Certificates

Appears only if Groove PKI is the identity authentication method.

Deletes selected cross-domain certificates. Select entries in the certificate list to mark them for deletion. Then click Delete Certificates.

Color Key

Information only. Appears only if Groove PKI is the identity authentication method.

• Inside the organization - Color that identifies management domain members from within your organization.

• Outside the organization - Color that identifies Groove users from trusted domains outside the organization.

Certificate list

Appears only if Groove PKI is the identity authentication method.

Lists cross-domain certificates. The certificate name, description, and download date appear for each entry. A Delete button following each certificate lets you delete certificates. Note that you cannot delete your own (self-trust) certificate.

Note: Changing the affiliation setting may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

To configure management domain affiliation, follow these steps:

1. Go to the management server administrative Web site and select a domain from the navigation pane.

2. Click the Domain Properties button. The domain Properties page appears.

3. From the domain Properties page, select one of the following affiliation representation options to specify how domain member entries should appear in Groove contact lists:

• Show member’s domain only - Displays the member’s managed identity name, followed by the member’s domain. For example, JDow/XYZCorp. This is the default setting.

• Show member’s position within the domain/group hierarchy - Displays the member’s managed identity name, followed by the member’s group and domain. For example, JDow/R&D/XYZCorp.

4. To change the number of inactive days before Groove removes users from the searchable directory of domain members, edit the value in the ‘Remove members from searchable directory of domain members after ___ days of inactivity’ field.

5. Click OK.

Setting Up Cross-Domain Certification

The management service’s cross certification feature lets you extend trusted collaboration beyond a single domain, to domains that may or may not belong to your organization. The management server and Groove clients support cross certification using a scheme called Public Key Infrastructure (PKI) cross certification. Management server’s cross certification applies only in the context of Groove PKI (not third-party, enterprise PKI).

Setting up cross certification requires that two administrators from different domains - both of which use Groove PKI as their identity authentication scheme - exchange and cross-register domain certificates (certificate files that contain public keys that identify one domain to another).

Once cross certification has occurred, text color distinguishes the members in the certified domain as certified. Note that this process does not prevent certified and uncertified Groove users from communicating but simply informs users of the certification status of their contacts. You can strengthen security by setting an identity policy that controls how certified users in your domain interact with uncertified users. For information about setting a policy for handling uncertified Groove users, see “Managing User Interaction with Unauthenticated Identities” in the Managing Identity Policies section of this guide.

Note: To utilize cross-domain management, you must add users to a domain or group to make them managed. For information about adding users, see “Adding Groove Users to a Domain Group” in the Managing Groove Users section of this guide.

Note: You cannot cross-certify with a foreign domain that has the same domain name as yours. This condition may result any time an administrator does not obtain a registered DNS name. Domain names must be unique to the domain. If you discover duplicate domain names, this condition must be corrected by assigning properly registered DNS names.

This section provides the following information and procedures:

• PKI Basics

• Cross-Certifying Management Domains

PKI Basics

Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification).

Understanding the role of PKI in software management involves the following basic terms:

• Certification Authority (CA) - An authority that Groove users trust to create and issue certificates (that contain public keys). In a managed Groove environment, the management server is the certificate authority. As such, it creates and manages the certificates for managed users.

• Certificate - A data structure containing a domain or Groove user’s public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected by Groove.

If Groove PKI is used in the domain configuration, the management server and Groove implement PKI according to the following process:

1. The server administrator creates a domain certificate for a management server domain, during management domain creation.

2. The domain administrator sends activation keys and associated identity information to Groove users to give them domain membership.

3. Groove users install the activation keys, automatically uploading the associated identity information and public key to the management server.

4. EMS generates and signs each user certificate with the domain's certificate (using the domain’s private key to bind the user’s public key to the user’s associated identity information). EMS then sends to each domain member the appropriate signed user certificate, giving each user a managed identity with domain membership.

Note: Management server identity policies governing certificate revocation apply to enterprise PKI authentication only, not to Groove PKI.

Third-party enterprises may implement PKI differently. Groove or Enterprise PKI is stipulated for the managed environment during management domain creation.

In the context of Groove PKI, if Groove accepts (validates) a contact’s management domain (for example, if the Groove user is a member of the contact’s domain), text color distinguishes contacts as follows:

• Contacts from the same organization as the user, under either of the following conditions:

• Contact is in the same domain as the user

• Contact is in a domain that has been cross-certified with the user’s domain and is in the same organization.

• Contacts from an outside organization whose domain has been cross-certified with the user’s domain (according to the procedure outlined below in “Cross-Certifying Management Domains”).

Again, third-party enterprises distinguish users as their PKI implementation dictates.

Certified users (in both Groove and enterprise PKI environments) are marked in the following places in the Groove client user interface:

• Contacts tab in the Groove launchbar

• Contacts tool

• Contact Properties window

• Member List

• Notifier, whenever a contact name is displayed, such as when a message is received

• Message and Invitation windows in the From field, when reading a message or invitation

• Message and Invitation windows in the To field, when sending a message or invitation to a single user

• More contacts list

• Message History

Groove checks if the contact belongs to a management domain and, if so, displays its authentication status and domain when a user hovers over the name. In addition, the contact’s domain and digital fingerprint appear in the list accessible from the Groove Contact Properties window. The window also displays an Authentication As: check-box, so that if the contact is not already certified, a user can manually authenticate the person by contacting the individual outside of Groove (by phone, for example), verifying the associated digital fingerprint, then check-marking the checkbox to indicate that authentication took place.

Cross-Certifying Management Domains

The following procedure shows how to set up cross-domain certification between two domains, both of which use Groove PKI identity authentication (specified during domain creation). This process has two parts: you send your domain certificate to the administrator of an external domain so that external domain members can establish trust with your domain, and you import a certificate from the external domain. You can also set up cross certification in one direction only; Domain A can trust Domain B without Domain B trusting Domain A.

Note: Cross certification is appropriate only when administrators from cooperating domains trust each other, to the extent of securely maintaining proper bindings between each others’ user public keys and contact information.

This section provides instructions for the following tasks:

• Exchanging Domain Certificates

• Viewing Cross-Certified Domains

• Deleting Cross-Certified Domains

Exchanging Domain Certificates

Cross-domain certification (and the following procedure) applies only in the context of Groove PKI (not third-party, enterprise PKI).

To exchange certificates and set up mutual cross-domain trust with an administrator from a remote domain, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane (DomainA, for example).

2. Select Domain Properties in the tool bar. The domain Properties page appears.

3. Make sure that the Groove PKI identity authentication option is selected.

4. In the window’s Cross Domain Certification section, click the Download button to download the certificate (containing the domain public key) for the local domain (DomainA). A File Download pop-up window appears.

For a summary of management server keys, see “Appendix B. Management Server Keys and Certificates” of this guide.

5. Click the Save this file to disk option, then click OK. A Save As pop-up window appears.

6. Accept the path and default name of domainname.cer (in this case DomainA.cer) or edit them, then click OK. This saves the local domain certificate file in a local directory. This is the file that each administrator sends the other in order to set up cross-domain management.

7. Go to the location of your local DomainA certificate file, copy the file, and send it via email or Groove to the administrator of the remote domain (DomainB, for example).

8. Request the remote DomainB administrator to send you the DomainB certificate by performing the procedure just described.

9. When you receive a certificate from the remote DomainB administrator, save it in a directory on your local computer.

10. Authenticate the remote domain (DomainB, for example) as follows:

a. Contact the remote DomainB administrator by telephone or in person and make sure that you trust the person whom you are contacting.

b. View the certificate you received by opening the Windows Certificate Viewer, double-clicking the domainnameB.cer file, and checking the certificate’s digital fingerprint (the certificate's hash or “thumbprint” as shown in the Windows Certificate Viewer). Ask the remote administrator to do the same and to report the fingerprint. It should match what you see on your screen.

Then, reverse the procedure and report your DomainA certificate’s fingerprint to the remote administrator.

11. Return to the Cross Domain Certification portion of the Domain Properties page and click the Add Foreign Domain’s Certificate button. The cross certification pop-up window appears.

12. In the File location field, enter the path and file name of the remote DomainB.cer file, clicking the Browse button if necessary.

13. Click the OK button.

You have now set up cross-domain certification with the collaborating administrator. Cross-certified domains appear in the domain list in the lower half of the page. Contacts from cross-certified domains appear on the Groove client in a different color from local domain contacts, as shown in the Color Key section of the domain Properties page.
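The fingerprint comparison in step 10 can also be done programmatically before the certificate is added. The following Python script is an added example, not part of the Groove guide or product: it assumes the thumbprint shown by the Windows Certificate Viewer is the SHA-1 hash of the DER-encoded certificate, also accepts SHA-256 fingerprints (which goes beyond the page), and uses constructed sample bytes and hypothetical function names.

```python
import base64
import hashlib
import hmac
import re
import sys

# Constructed stand-in for a DER certificate: a SEQUENCE header plus filler.
# It is NOT a real certificate; only its bytes matter for hashing.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Separators seen in displayed thumbprints, plus the invisible left-to-right
# and right-to-left marks that can ride along when a value is copied.
SEPARATORS = re.compile(r"[\s:\-\u200e\u200f]")
DIGESTS = {40: "sha1", 64: "sha256"}  # hex length -> hash algorithm


def load_der(raw: bytes) -> bytes:
    """Return DER bytes from a .cer file saved as binary DER or as Base64."""
    match = PEM_BLOCK.search(raw)
    if match:
        raw = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if raw[:1] != b"\x30":
        raise ValueError("not a DER-encoded certificate (no SEQUENCE tag)")
    return raw


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the whole DER encoding and return upper-case hex."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalize(reported: str) -> str:
    """Clean a fingerprint read over the phone or pasted from a viewer."""
    cleaned = SEPARATORS.sub("", reported).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) not in DIGESTS:
        # Refuse partial values: comparing only a few digits weakens the check.
        raise ValueError("fingerprint is truncated or of unknown type")
    return cleaned


def fingerprints_match(der: bytes, reported: str) -> bool:
    """True only if the full reported fingerprint equals the file's hash."""
    expected = normalize(reported)
    actual = thumbprint(der, DIGESTS[len(expected)])
    return hmac.compare_digest(actual, expected)


def main(argv):
    if len(argv) != 3:
        print("usage: check_thumbprint.py <domain.cer> <reported fingerprint>")
        return 2
    with open(argv[1], "rb") as handle:
        der = load_der(handle.read())
    print("SHA-1 thumbprint:", thumbprint(der))
    ok = fingerprints_match(der, argv[2])
    print("MATCH" if ok else "MISMATCH: do not add this certificate")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A mismatch or a truncated fingerprint should stop the procedure before step 11, since the file received may not be the one the remote administrator exported.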

Viewing Cross-Certified Domains

To view a domain and its cross-certified domains, follow these steps:

1. Select the domain in the management server Web site navigation pane.

2. Select Domain Properties in the tool bar. Cross-certified domains are listed in the lower half of the page. Each entry includes the domain name, a description of the domain (as defined by the server administrator), and the date of certification.

Deleting Cross-Certified Domains

To delete a cross-certified domain and its certificates from the management server, follow these steps:

1. Go to the management server administrative Web site and select a domain from the navigation pane and click the Domain Properties button. The domain Properties page appears with any cross-certified domains listed at the bottom.

2. In the Cross Domain Certification portion of the domain Properties page, click the Delete button for cross-certified domain(s) that you want to delete.

Changing Reset/Recovery Private Keys and Key Locations

The device template Domain Properties page lets you change password/smart card login private keys and key locations. Default key names include a key creation date to help distinguish keys on the management server.

To replace the private key for password/smart card login reset and data recovery, follow these steps:

1. Go to the management server administrative Web site and select a domain.

2. Select Domain Properties in the tool bar. The domain Properties page appears.

3. To change the reset/recovery private key location from a specified file to a management server directory, in the domain Properties page, click the Store Key on Server button. A Store Key on Server pop-up window appears.

To change the private key location from the management server to a specified directory and file, in the domain Properties page, click the Move Key to File button.

A Save pop-up window appears where you specify a file location for the private key, then click OK.

4. From the Store Key on Server pop-up window, browse to the target file location on the management server (the default is C:), enter a private key password, and click OK.

To change the private key location from the management server to a specified file, enter a file location in the text box and click OK. This removes the key from the management server and places it in the specified location on your network.

5. To replace the private key, click the Change Key button. A new private key with a default name that includes the date will be added to the management server or specified file location.

6. If the key is stored on the management server and you want to change the private key password, click the Change Private Key Password button.

7. Click OK.

Make sure to keep labeled copies of reset/recovery private keys in a known secure location. You may need access to these old private keys (for example, if you need to recover client data but the client has an older version of the data recovery certificate).

Migrating Users to Another Domain

If you are changing from Groove Hosted Management Services to an onsite Enterprise Management Server, you must create a new domain group structure on your newly installed server. Once you have done this, you migrate your managed Groove users, group by group, to the newly defined management domain groups. The migration must be performed on each group and subgroup in order to preserve the policy templates, license sets, and relay server sets assigned to each group.

This section provides a basic migration procedure for use whenever you need to migrate users from one domain to another. Currently, this procedure must be performed manually and involves the Groove-hosted Web site, the onsite Enterprise Management Server, and the Groove client devices.

Before you begin, ask your management server administrator to create a new domain on the Enterprise Management Server so that you can have a destination domain for migrating your users.

To migrate users from one domain to another, follow these steps for each group and subgroup in the domain, starting with the smallest subgroup:

1. Log into the Enterprise Management Server administrative Web site and re-create the group hierarchy from your hosted management environment on your onsite management server. See “Adding Groups” in the Managing Users section of this guide, for information about creating domain groups.

2. Log into the Groove Hosted Management Server administrative Web site and, from the navigation pane, select a group in the domain from which you want to migrate users.

3. Configure two identity and device policies as follows in order to avoid disabling devices and identities during the domain transition:

• Select the appropriate identity policy template, click the Member Policies tab and UNcheck the following policy (if it is selected): Identity may only be used on a managed device, then click OK.

• For the same device policy template, click the Account Policies tab and UNcheck the following policy (if it is selected): Members can only use managed identities from this domain on devices in this domain, then click OK.

Note: Remember to allow time for clients to be updated with policy changes.

4. Export each group member list from the domain, as described in “Exporting Domain Members” in the Managing Users section of this guide.

5. Log in to your Enterprise Management Server administrative Web site and select a group in the target management domain. (Your server administrator should have already created this domain.)

6. Select the appropriate identity and device templates and UNcheck the two policies specified in step 2 (if these policies are checked).

7. Use the domain group member list to add the users to the new domain group on the management server, as described in “Adding Multiple Members from an .XML File” in the Managing Groove Users section of this guide.

8. From any device, log into the management server, select the new domain group, and download the EMS registry keys, as described in “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide. Apply these keys to the Windows registries of all the devices that you intend to manage in the new domain group.

9. Restart the client devices to update their Windows registries with the management server device information (and completely shut down Groove).

10. From the management server, send managed identity activation keys to each user that you are migrating to the new domain, as described in “Adding Multiple Members from an .XML File” in the Managing Groove Users section of this guide.

11. Launch Groove on each client device.

12. On each client device, click Help from the Groove Home page and select Activate Product.

13. Copy the 25-character activation key for each managed identity from the email into the activation key field.

14. Click Finish to activate Groove on the device.

15. If you wish, reset the device and identity policies that you turned off earlier in this procedure.

Adding, Editing and Deleting Email Templates

The management server administrative interface lets you send email to accompany the identity activation key that you send Groove users to give them domain membership. It also lets you send email to accompany the account backup file that you send users to restore an account. You can also create and save your own templates to use as the defaults for these email messages. The Email tab allows you to create and save email templates, edit email templates, or delete them.

The following sections explain how to accomplish the following email management tasks:

• Creating Management Server Email Templates

• Editing Management Server Email Templates

• Deleting Management Server Email Templates

Creating Management Server Email Templates

The domain Email tab lets server and domain administrators create templates for the email that the management server sends to users to activate their domain identity or to accompany a backed up account file. You also have the option of saving this email as a default template.

To create and save new management server email templates, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane.

2. Click the Email tab. The Manage Email page appears with a list of previously defined email templates.

3. Select Add Email in the tool bar. The Add Email window appears.

4. Fill in the fields as shown in the following table, then click OK. Only the Save Email As field is required to save this email; all fields are required to send:

Create Activation Key Email Fields

Values

Email Type

Select one of the following email types from the drop-down menu:

• Activation Email - Email sent to users to accompany Groove activation keys.

• Account Restoration Email - Email sent to users to accompany a file that contains backed up account information needed to restore the user account.

Save Email as

Required Field. Enter the name of the email message that you want to create. You can then use this email any time you want to send a Groove user a managed identity (or account backup file). For example, you could enter: MyCompany Groove Email.

Note: When you enter a name in this field to save an edited email, clicking the OK button renames the edited email to the new name, rather than creating a copy and saving it under the new name.

Email From

Enter your email address (such as [email protected]) if desired.

Email Subject

Enter the subject of the email, such as Managed Identity Activation.

Editing Management Server Email Templates

To edit management server email templates that you have created and saved, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane.

2. Click the Email tab. The Manage Email page appears with a list of email templates.

3. Click the email template that you want to edit. The Edit Email page appears.

4. In the Edit Email page, edit the fields as described in the “Create Activation Key Email Fields” table above.

5. Click OK.

Deleting Management Server Email Templates

To delete specific management server email templates, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane.

2. Click the Email tab. The Manage Email page appears with a list of email templates.

3. Select the email templates that you want to delete (click the top box to select all the templates).

4. Select Delete Email in the tool bar.

5. Click OK.

Create Activation Key Email Fields

Values

Email Body: Enter the desired text explaining to users that you are sending an activation key that will give them a new identity that allows them to access the Groove licenses and tools used at your company.

When this message goes out as default email, the management server automatically includes the activation key, management server name, and new identity name.

Make this email the default for this activity: Select this option to make this email message the default email for distributing activation keys (or account backup files). This message will replace the current default email.

Leaving this checkbox unchecked allows you to save this email for editing or future use but does not substitute for the current default email.

Editing Administrator Roles

If the management server administrator has set up role-based access control (RBAC) and you are assigned a role of Domain Administrator, you can edit other administrator roles from the domain Roles tab. Note that you cannot edit your own role.

To edit administrator roles, follow these steps:

1. Go to the Enterprise Management Server administrative Web site and select a domain from the navigation pane.

2. Click the Roles tab. A list of currently-defined administrators, including their name and role, appears.

3. Click the administrator name that you want to edit. The Edit Administrator page appears, showing a list of roles for the selected administrator.

4. Select the roles that you want to assign to the selected administrator, then click OK. Roles provide access to various parts of the management server’s administrative Web site, as summarized in the following table:

Domain-level Administrator Roles

Descriptions

Domain Administrator: Allows full access to all domain-level administration for the selected domain.

Member Administrator: Allows access to management domain member administration only, within the selected domain.

License Administrator: Allows access to Groove license administration only, within the selected domain.

Support Administrator: Allows access to Groove password/smart card login reset administration only, within the selected domain.

Report Administrator: Allows access to Groove usage reports for the selected domain.

No Role: Displays the domain (scope) in the navigation pane of the management server administrative Web site, along with a message instructing the user to see their server or domain administrator to gain domain access.


Managing Groove Users

This document provides information about the ongoing management of Groove users via the Enterprise Management Server or Groove Hosted Management Services. Once you add Groove users to a management domain, making them domain members, as described in “Distributing Activation Keys” in the Getting Started section of this guide, you can use the management server to oversee user identity information, Groove licenses, identity-based security policies, relay server usage, and other aspects of Groove use. The information here assumes that you are familiar with the information in Getting Started.

The following sections provide instructions for common member management tasks:

• Overview of Groove User Management

• Managing Domain Member Groups

• Adding Groove Users to a Domain Group

• Enabling Groove Activation

• Provisioning Managed Groove Users

• Viewing Domain Members

• Viewing and Editing Domain Member Information

• Finding Domain Members

• Moving Domain Members to Another Group

• Exporting Domain Members

• Disabling and Enabling Domain Members

• Deleting Domain Members

• Backing Up and Restoring User Account Data

• Purging Member Relay Queues

• Creating an LDAP Search String

• Initiating Client Contact With a Management Server

For information about Groove user identity policy settings and how to change them, see “Managing Identity Policies”, later in this guide.

For information about managing authenticated and unauthenticated Groove users, see “Managing User Interaction with Unauthenticated Identities”, later in this guide.


Overview of Groove User Management

Groove user management via a management server requires users to be members of a management domain defined on the server. You enter users into a management domain by adding their contact information to a domain group.

Adding members to a domain group is basically a two-step process. First, you enter identity information for each user, then you supply them with a Groove activation package. This process gives users membership in a management domain group, conferring access to Groove usage policies, licenses, and relay servers.

The activation email contains a Groove identity activation key, the user’s managed identity, and the management server name (to enable client communication with the management server). You can create the email to accompany the identity activation information as described in “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide.

Once a user receives the email that contains a managed Groove identity activation key, the user must install the activation key and management server name into the Groove Virtual Office (formerly Groove Workspace) application. At that time, Groove typically does the following, depending on client setup:

• Creates a new account (or allows the user to convert an old account to a new managed account).

• Creates a new managed identity for the user, based on the identity information associated with the activation key that you provided. Or, if domain device policies allow, Groove gives the user the option of converting an existing identity into a new managed identity, using the identity information that you provided.

• Downloads usage policies, product licenses and tools, and relay assignments to client machines.

You can add domain members individually, from an .xml file, or by importing from an onsite corporate directory server, depending on the size of your user base. The table below can help you choose.

The following sections provide instructions for each user deployment method:

• Adding an Individual Member to a Domain Group

• Adding Multiple Members from an .XML File

• Importing Members from a Directory if a directory server is installed at your site.

User Deployment Method: User Base Size

Add individual users manually: Up to 50 users

Add multiple users from an .xml file: 50 to 200 users

Import user information from an onsite LDAP-based directory server: More than 200 users


Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual members requires a role of Server, Domain, or Member administrator.

Once you have added Groove users to a domain group, you can search for them as described in “Finding Domain Members”, edit their properties as described in “Viewing and Editing Domain Member Information”, and otherwise manage them.

The main management activities appear in the Manage Members drop-down menu in the tool bar and include the following:

• Moving members as described below in “Moving Domain Members to Another Group”

• Exporting Members as described below in “Exporting Domain Members”

• Disabling and enabling members as described below in “Disabling and Enabling Domain Members”

• Deleting members, as described in “Deleting Domain Members”

Managing Domain Member Groups

Groups are subsets of management domains. For example, your company domain may contain a development group, a sales group, and a finance group. You must define at least one group for each management domain in order to create a management environment of Groove users, policies, licenses, and relay servers. An initial top-level group is defined for each new management domain and you can create groups and subgroups within it. Every domain contains at least one user template, device policy template, license set, and relay set, which are assigned to domain groups by default. But you can modify these templates and sets, and change the assignments for specified groups, subgroups, or individual group members.

The sections below describe the following group-related tasks:

• Adding Groups

• Viewing and Editing a Group

• Viewing Domain Groups

• Viewing Group Members

• Deleting a Group

Adding Groups

The management server provides a top-level group for each management domain. You can create groups and subgroups within this group, as recommended, or you can add members directly to this top-level group (equivalent to adding members directly to the domain).

To create a group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group (such as Members) from the navigation pane on the left. The Members and Groups tabs appear where you perform group-level tasks, as described in the following table:

Domain Tabs

Descriptions

Members: Lists the members in the selected group and allows you to add, provision, move, export, and delete group members, as described in this “Managing Groove Users” section of the guide.

Groups: Lists groups in the selected domain or group, and allows you to add, edit, and delete domain groups, as described above in “Managing Domain Member Groups”.

2. Click the Groups tab.

3. From the Groups tab, select Add group in the tool bar. The Group Setup window appears.

4. In the Name field of the Group Setup window, type the name of the group that you want to create.

5. If you wish, type a group description in the Description text box.

6. Accept the default identity and device policy templates, license set, and relay server set, or select another choice from one of the scrolling lists, as needed. For more information about these selections, see the corresponding sections in this guide: “Managing Identity Policies”, “Managing Device Policies”, “Managing Groove Product Licenses”, “Managing Groove Servers”.

Note: In order to enact device policies, make sure that managed Groove devices are registered with the management server, as described in “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide.

7. Click the OK button. The group now appears under the selected domain in the domain list on the left-side navigation window and on the domain Groups tab.

8. To add members to a group, select the group in the navigation pane, select Add Members in the tool bar, and choose an option, as described in “Adding Groove Users to a Domain Group” in the Managing Groove Users section of this guide.

Viewing and Editing a Group

The group Properties page displays information about a selected group, some of which you can edit. From a group’s Properties page, you can rename a group or change its assigned identity and device policy templates, license set, or relay server set.

Note: Changing the group name may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

To edit group properties, follow these steps:

1. Go to the management server administrative Web site and click the top-level domain group (Members) in the navigation pane. Subgroups appear in the main window.

2. To edit a group in the main window, click the group. The Group Properties window appears for the selected group, with fields as described in the table below.

3. To edit the top-level group, select Group Properties in the tool bar. The Group Properties window appears, with fields as described in the table below.

4. Edit the value in the Name and Description text boxes as needed.

5. Change the selected identity policy template, device policy template, license set, or relay server set in the drop-down menus, as needed.

6. Click OK.

Group Properties Field Descriptions

Group Setup

Name: Specifies an editable group name.

Description: Specifies an editable description of the group, if any.

Default Settings

Identity Policy Template: Contains a collection of identity policy settings that govern this group. You can view and edit the settings in this template, as described in “Viewing and Editing Identity Policies” of this guide. Or, you can assign another template to the group by selecting it from the drop-down menu.

Device Policy Template: Contains a collection of device policy settings that govern this group. You can view and edit the settings in this template, as described in “Viewing and Editing Device Policies” of this guide. Or, you can assign another template to the group by selecting it from the drop-down menu.

License Set: Contains a set of licenses provisioned to this group. You can view and edit this license set, as described in “Managing Groove Product Licenses” of this guide. Or, you can assign another set to the group by selecting it from the drop-down menu.

Relay Server Set: Contains an ordered set of relay servers provisioned to this group. You can view and edit this relay server set, as described in “Managing Groove Servers” of this guide. Or, you can assign another set to the group by selecting it from the drop-down menu.

Override settings for all members and subgroups: Specifies whether the current group settings apply to all subgroups and members. Selecting this option enables the override. Leaving the box unchecked applies group settings to the current group only (not to its ‘child’ groups).

To apply group settings (license sets, relay server sets, and policy templates) to an entire domain, configure the domain’s top-level group and select this option.

Directory Integration Settings (Appears only if automatic directory server integration is used.)

Name: Information only. Specifies the name of the directory server integration point, defined by the management server administrator to be the source of integrated member information. The presence of the directory integration name and related information on this page indicates that members have been automatically integrated with the management server.

From: Information only. Specifies the point of integration from the directory server hierarchy. This point indicates the location on the directory server from which member identities have been integrated into this group.

To (on the Synchronization Options page only): Information only. Specifies the point of integration on the target management server (the member group defined on the second page of the integration wizard).

Search Filter (on the group Properties page only): Information only. Displays the search filter, if specified.

Viewing Domain Groups

To view groups in a domain, do the following:

1. Go to the management server administrative Web site and select the domain in the navigation pane. A single top-level group (Members) appears below the domain.

2. Click the top-level group. The Members tab appears.

3. Click the Groups tab. The names and descriptions of groups within the selected group appear in the main window and in the domain group hierarchy in the navigation pane.

4. To see subgroups, click their parent group.

Viewing Group Members

To view the members of a group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane.

2. Click the Members tab. Group member names appear in the main window, along with their activation status, email address, date of last member modification, directory status, and last account backup date.

3. To search for members in the group, do one of the following:

• To search for named members, enter the member’s full name, first name, last name, or email address. Wild-card strings are acceptable. For example, you could enter jon to look for entries containing the string ‘jon’. Then click the Search button.

• To search for members of a certain status (active or pending), click the Advanced Search button, enter a search string in the search field if desired (as described in “Finding Domain Members”), then click the Search button.

Search results appear in the main window.

Deleting a Group

To delete a group and all its members, follow these steps:

1. Go to the management server administrative Web site and select a management group from the navigation pane.

2. Click the Groups tab.

3. Select the groups that you want to remove.

4. Select Delete Group in the tool bar. A confirmation pop-up window appears.

5. If you are satisfied that deleting the group deletes the group members, click OK.

Caution: Removing a group removes all users and registered devices that you defined for this group.

Adding Groove Users to a Domain Group

In order to manage Groove users at your company, you add them to a management domain group. Domain group membership subjects members to identity policies governing Groove use, gives access to Groove product licenses and tools, and assigns managed relay servers. These policies, licenses, and relay assignments do not apply to any previously existing Groove accounts that the user may have. Note that a managed identity can be a member of only one domain or group.

If your management server administrator has already integrated Groove user information from an onsite directory server with an onsite Enterprise Management Server, you may not need to add users to a domain group. See your server administrator or the Groove Enterprise Management Server Administrator’s Guide for more information about automatic integration of user data.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual members requires a role of Server, Domain, or Member administrator.

The following sections provide background information and instructions for adding Groove users to a group:

• Adding an Individual Member to a Domain Group

• Adding Multiple Members from an .XML File

• Adding Multiple Members from a .CSV File

• Importing Members from a Directory

Adding an Individual Member to a Domain Group

The simplest way to add users to a domain group, making them domain members, is to enter identity information for each user manually. However, this is time consuming if you are adding more than a few members. For information about adding multiple members from a file or directory, see the procedures for “Adding Multiple Members from an .XML File” or “Importing Members from a Directory”.

To add individual users to a domain group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members and Groups tabs appear.

2. From the Members tab, click Add members in the tool bar. A list of user deployment options appears.

3. Click Add Single Member, then click Next. The Add Members/Select Members Settings page appears.

4. From the Select Member Settings page, accept the default policy templates, license sets, and relay server sets or change them, as described in the sections listed in the following table:

For information about: See this section of the guide:

Editing or changing identity policy templates: “Managing Identity Policies”. You can set device policies later, once the user has activated Groove and any associated device keys, as described in the “Managing Device Policies” section of this guide.

Editing or changing license sets: “Managing Groove Product Licenses”

Editing or changing relay server sets: “Managing Groove Servers”

5. Click Next. The Add Members/Add Single Member page appears.

6. From the Add Single Member page, type the user data into the fields to create a user’s identity. This data will appear in the user’s Groove Contact Properties. The following fields are required:

• Full name - The user’s full name.

• Email - The user’s email address.

7. To save this member’s information and create another member in the domain group, click the Save and Create Another button to repeat the above process.

8. When you finish adding member information, click the Finish button. This process makes the user a domain group member and lists the user on the domain group Members tab with a Pending Member icon. Repeat the previous steps for each additional user.

Now that you have supplied the identity information for a user, you must send to the user an activation key which is associated with the identity information. Once the activation key is installed in the user’s Groove software, Groove will authenticate the user and create a managed identity based on the associated identity information.

9. Send activation email to Groove users manually in your own email message, or from the Members page, as described below in “Enabling Groove Activation”.

Adding Multiple Members from an .XML File

You can facilitate the process of creating domain members by adding multiple users to a domain from an .xml file. This is useful when you need to create managed identities for numerous users. You can also use this feature to download a member list to a new domain that you exported from an existing domain. See “Exporting Domain Members” in the Managing Groove Domains section of this guide for details about exporting.

For information about adding multiple users from a .csv file, see “Adding Multiple Members from a .CSV File” below.

To add multiple users to a management domain from an .xml file, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members and Groups tabs appear.

2. From the Members tab, click Add members in the tool bar. A list of user deployment options appears.

3. Click Add Multiple Members (XML), then click Next. The Add Members/Select Members Settings page appears.

4. From the Select Member Settings page, accept the default policy templates, license sets, and relay server sets or change them, as described in the sections listed in the following table:

For information about: See this section of the guide:

Editing or changing identity policy templates: “Managing Identity Policies”. You can set device policies later, once the user has activated Groove and any associated device keys, as described in “Managing Device Policies”.

Editing or changing license sets: “Managing Groove Product Licenses”

Editing or changing relay server sets: “Managing Groove Servers”

5. Click Next. The Add Multiple Members page appears.

6. Create an .xml file using the template provided, as follows:

a. Right-click the Download Template button and enter a location for the .xml file (ImportMembersTemplate.xml).

b. Open the .xml file template in Notepad or other text editor and scroll to the <Member> section at the end of the file, which should look similar to the following:

    <Member>
        <FullName>FullName</FullName>
        <FirstName>FirstName</FirstName>
        <LastName>LastName</LastName>
        <Email>Email</Email>
        <Title>Title</Title>
        <Company>Company</Company>
        <Street>Street</Street>
        <City>City</City>
        <State>State</State>
        <Zip>Zip</Zip>
        <Country>Country</Country>
        <Phone>Phone</Phone>
        <Fax>Fax</Fax>
        <Cell>Cell</Cell>
    </Member>

7. Supply at least a FullName and Email address for the user by replacing the corresponding strings between the angle-bracket <> pairs. For example:

    <Member>
        <FullName>BenSmith</FullName>
        <FirstName>FirstName</FirstName>
        <LastName>LastName</LastName>
        <Email>[email protected]</Email>
        <Title>Title</Title>
        <Company>Company</Company>
        <Street>Street</Street>
        <City>City</City>
        <State>State</State>
        <Zip>Zip</Zip>
        <Country>Country</Country>
        <Phone>Phone</Phone>
        <Fax>Fax</Fax>
        <Cell>Cell</Cell>
    </Member>

8. Copy and paste the Member section of the XML file to enter additional members.

9. Save the file.

10. In the File Location field of the Add Multiple Members page, browse to the .xml file that you want to import.

11. Click Next. The Review Members window appears with a scrolling list of members about to be created. You can control the number of users that appear in the view by selecting a value in the Display drop-down menus, then navigate through the views by clicking the directionals at the top and bottom of the page.

12. Click Finish. This process enters the user identity information.

Now that you have supplied the identity information for each user, you must send them activation keys which are associated with each user’s identity information. Once the activation key is installed in a user’s Groove software, Groove will authenticate each user and create a managed identity based on the associated identity information.

13. Send activation email to Groove users manually in your own email message, or from the Members page, as described below in “Enabling Groove Activation”.

Adding Multiple Members from a .CSV File

You can facilitate the process of creating domain members by adding multiple users to a domain from a .csv file. This is useful when you need to create managed identities for numerous users. You can also use this feature to download a member list to a new domain that you exported from an existing domain. See “Exporting Domain Members” in the Managing Groove Domains section of this guide for details about exporting.

For information about adding multiple users from an .xml file, see “Adding Multiple Members from an .XML File” above.

To add multiple users to a management domain from a .csv file, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members and Groups tabs appear.

2. From the Members tab, click Add members in the tool bar. A list of user deployment options appears.

3. Click Add Multiple Members (CSV), then click Next. The Add Members/Select Members Settings page appears.

4. From the Select Member Settings page, accept the default policy templates, license sets, and relay server sets or change them, as described in the sections listed in the following table:

For information about: See this section of the guide:

Editing or changing identity policy templates: “Managing Identity Policies”. You can set device policies later, once the user has activated Groove and any associated device keys, as described in “Managing Device Policies”.

Editing or changing license sets: “Managing Groove Product Licenses”

Editing or changing relay server sets: “Managing Groove Servers”

5. Click Next. The Add Multiple Members page appears.

6. Create a .csv file using the template provided, as follows:

Note: If you decide to use your own .csv file instead of the template, be sure to define at least 4 columns (or up to 10 if you want to include all the columns used in the template). Also, use a comma to delimit each field, including empty fields that occur between values, and delimit each record (row) with a carriage return. Use the following information for guidance.

a. Right-click the Download Template button and enter a location for the .csv file (ImportMembersTemplate.csv).

b. Open the .csv file template in Excel or other .csv editor. An Excel-like table appears with the following 10 columns:

• Full Name

• First Name

• Last Name

• Email Address

• Job Title

• Company

• Street

• City

• State

• Postal Code

c. To use the template (or your own .csv file), follow these guidelines:

• Type the user information into the two required fields: Full name and Email address, and any additional fields.

• Enter one user record in each row, using text characters, NOT Unicode.

• If you use a comma (,) or space ( ) in a field, enclose the field in double quotation marks. Enclose double quotation marks (“) with single quotation marks. For example: "Full,Name",First'Name,"Last""Name",Organization;'unknown

• When you are finished, delete the top row of column titles.

d. Save the .csv file.

7. In the File Location field of the Add Multiple Members page, browse to the .csv file that you want to import.

8. Click Next. The Review Members window appears with a scrolling list of members about to be created. You can control the number of users that appear in the view by selecting a value in the Display drop-down menus, then navigate through the views by clicking the directionals at the top and bottom of the page.

9. Click Finish. This process enters the user identity information.

Now that you have supplied the identity information for each user, you must send them activation keys which are associated with each user’s identity information. Once the activation key is installed in a user’s Groove software, Groove will authenticate each user and create a managed identity based on the associated identity information.

10. Send activation email to Groove users manually in your own email message, or from the Members page, as described below in “Enabling Groove Activation”.
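
The .csv guidelines in step c, as an added example (not part of the guide or of Groove's software): a Python sketch that checks records against the template's 10 columns and writes import-ready rows with no header row. It assumes "text characters, NOT Unicode" means ASCII, and it doubles embedded double quotation marks as the guide's own example ("Last""Name") does; the function names and sample records are constructed for illustration.

```python
"""Added example: prepare an Add Multiple Members .csv file (not Groove's code)."""

# The template's 10 columns, in the order the guide lists them.
COLUMNS = (
    "Full Name", "First Name", "Last Name", "Email Address", "Job Title",
    "Company", "Street", "City", "State", "Postal Code",
)
# The two fields the guide marks as required.
REQUIRED = ("Full Name", "Email Address")


def check_record(record):
    """Return a list of problems for one record; an empty list means it is usable."""
    problems = []
    for name in REQUIRED:
        if not record.get(name, "").strip():
            problems.append(f"missing required field: {name}")
    for name, value in record.items():
        if name not in COLUMNS:
            problems.append(f"unknown column: {name}")
        elif not value.isascii():
            # Assumption: "text characters, NOT Unicode" is read as ASCII only.
            problems.append(f"non-ASCII text in {name}")
        elif "\r" in value or "\n" in value:
            # One user record per row, so a field may not span lines.
            problems.append(f"line break in {name}")
    return problems


def encode_field(value):
    """Quote a field that contains a comma, a space, or a double quotation mark."""
    if any(ch in value for ch in ', "'):
        # Embedded double quotes are doubled, as in the guide's "Last""Name".
        return '"' + value.replace('"', '""') + '"'
    return value


def build_import_file(records):
    """Return (csv_text, rejected); csv_text has no header row, as the guide requires."""
    lines, rejected = [], []
    for number, record in enumerate(records, start=1):
        problems = check_record(record)
        if problems:
            rejected.append((number, problems))
            continue
        lines.append(",".join(encode_field(record.get(c, "")) for c in COLUMNS))
    return "".join(line + "\r\n" for line in lines), rejected


# Constructed sample records (not real users).
SAMPLE_RECORDS = [
    {"Full Name": "Doe, Jane", "First Name": "Jane", "Last Name": "Doe",
     "Email Address": "jane.doe@example.com", "Company": "Example Corp"},
    {"Full Name": "Sam Smith"},                      # no email address
    {"Full Name": "Jos\u00e9 Ruiz",                  # non-ASCII character
     "Email Address": "jose.ruiz@example.com"},
]

if __name__ == "__main__":
    text, rejected = build_import_file(SAMPLE_RECORDS)
    print(text, end="")
    for number, problems in rejected:
        print(f"record {number} rejected: {'; '.join(problems)}")
```

Rejected records are reported with their position in the input so they can be corrected before the file is browsed to in step 7.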

Importing Members from a Directory

If your server administrator registered an LDAP-based directory with the Enterprise Management Server, you can import users from a corporate directory into a domain group, making them domain members. Microsoft Active Directory, IPlanet, and Lotus Domino R5 (or greater) are supported and recommended directory formats. If your management server configured a directory server integration point to bring user information into management server domains automatically, users will already be listed in your domain, so you do not need to import them.

The following sections provide background and instructions for working with directory server user information:

• Working with Imported/Integrated Members

• Importing Members for a Directory

Working with Imported/Integrated Members

The Enterprise Management Server lets administrators import or automatically integrate users into a management server domain. Any domain-level administrator can import users from an LDAP directory server once a server administrator has configured it as described in the Enterprise Management Server Administrator’s Guide. However, user import is not necessary if the server administrator has set up an integration point for automatic integration of user information from the directory.

The following rules apply to members imported into EMS from a directory server:

• You cannot edit a member's vCard or contact information (including name, email address, phone number) if the user information originated from a directory server.

• A user can be imported only once into a domain. Therefore, a user cannot be imported into more than one group in a domain.

• EMS uses an internal mapping scheme, shown in the table below, to automatically convert a copy of your corporate user directory into an EMS-compliant format for importing.

Table of EMS-to-LDAP Attribute Mapping.

| EMS | Active Directory | IPlanet | Domino |
| --- | --- | --- | --- |
| Full Name | cn | cn | cn |
| First Name | givenname | givenname | givenname |
| Last Name | sn | sn | sn |
| title | title | title | title |
| EMail | mail | mail | mail |
| orgPhone | telephonenumber | telephonenumber | telephonenumber |
| orgCell | mobile | mobile | mobile |
| orgFax | facsimileTelephoneNumber | Fax | facsimileTelephoneNumber |
| Company | company | o | o |
| orgStreet | street | street | officestreetaddress |
| orgState | st | st | st |
| orgCity | l | l | l |
| orgCountry | c | c | c |
| orgPostalCode | postalcode | postalcode | postalcode |

Importing Members for a Directory

This section describes how to import Groove user information to the management server from an onsite LDAP directory server, properly configured with the management server by a server administrator.

Before you begin this procedure, have the following information on hand:

• Directory name that you want to import.

• Directory login name and password with at least read-only access to the required user attributes.
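
The EMS-to-LDAP attribute mapping table above, as an added example (not the management server's code): it derives the exact attribute set the directory login needs read access to, converts an LDAP entry to EMS field names, and builds a Full Name search filter in which asterisks are treated as literal characters. Searching on the Full Name attribute and the RFC 4515 escaping are assumptions about the server's behaviour; the function names and sample data are constructed.

```python
"""Added example: the guide's EMS-to-LDAP mapping as data (not Groove's code)."""

_DIRECTORIES = ("Active Directory", "IPlanet", "Domino")

# Attribute names copied from the guide's mapping table, one tuple per EMS
# field, in the column order of _DIRECTORIES.
_MAPPING = {
    "Full Name":     ("cn", "cn", "cn"),
    "First Name":    ("givenname", "givenname", "givenname"),
    "Last Name":     ("sn", "sn", "sn"),
    "title":         ("title", "title", "title"),
    "EMail":         ("mail", "mail", "mail"),
    "orgPhone":      ("telephonenumber", "telephonenumber", "telephonenumber"),
    "orgCell":       ("mobile", "mobile", "mobile"),
    "orgFax":        ("facsimileTelephoneNumber", "Fax", "facsimileTelephoneNumber"),
    "Company":       ("company", "o", "o"),
    "orgStreet":     ("street", "street", "officestreetaddress"),
    "orgState":      ("st", "st", "st"),
    "orgCity":       ("l", "l", "l"),
    "orgCountry":    ("c", "c", "c"),
    "orgPostalCode": ("postalcode", "postalcode", "postalcode"),
}

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def required_attributes(directory):
    """Attributes the directory login must be able to read, and nothing more."""
    col = _DIRECTORIES.index(directory)
    # LDAP attribute names are case-insensitive, so compare in lower case.
    return sorted({attrs[col].lower() for attrs in _MAPPING.values()})


def to_ems_record(directory, entry):
    """Convert one LDAP entry (attribute -> value or list of values) to EMS fields."""
    col = _DIRECTORIES.index(directory)
    lowered = {name.lower(): value for name, value in entry.items()}
    record = {}
    for ems_field, attrs in _MAPPING.items():
        value = lowered.get(attrs[col].lower())
        if isinstance(value, (list, tuple)):
            value = value[0] if value else None  # keep the first value only
        if value:
            record[ems_field] = value
    return record


def escape_filter_value(text):
    """Escape text so every character in it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def full_name_filter(search_for, directory="Active Directory"):
    """Substring filter on the Full Name attribute; blank input matches all users."""
    attr = _MAPPING["Full Name"][_DIRECTORIES.index(directory)]
    if not search_for:
        return f"({attr}=*)"
    return f"({attr}=*{escape_filter_value(search_for)}*)"


if __name__ == "__main__":
    print(required_attributes("Domino"))
    print(full_name_filter("jon"))
    # Constructed entry, shaped like a typical LDAP client result.
    print(to_ems_record("Domino", {"CN": ["Jon Example"], "mail": "jon@example.com"}))
```

Granting the directory login read access to only the attributes that `required_attributes` returns satisfies the "at least read-only access to the required user attributes" prerequisite without exposing the rest of each entry.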

To import users from a directory, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members and Groups tabs appear.

2. From the Members tab, click Add members in the tool bar. A list of user deployment options appears.

3. Click Import Member from Directory Server, then click Next. The Add Members/Select Members Settings page appears.

4. From the Select Member Settings page, accept the default policy templates, license sets, and relay server sets or change them, as described in the sections listed in the following table:

| For information about: | See this section of the guide: |
| --- | --- |
| Editing or changing identity policy templates | “Managing Identity Policies”. You can set device policies later, once the user has activated Groove and any associated device keys, as described in “Managing Device Policies”. |
| Editing or changing license sets | “Managing Groove Product Licenses” |
| Editing or changing relay server sets | “Managing Groove Servers” |

5. Click Next twice. The Import Members From Directory Server page appears.

6. Fill in the directory login and Search Criteria fields, as shown in the following table:

| Directory Login and Search Criteria Fields and Buttons | Descriptions |
| --- | --- |
| Directory Server | Select the directory name from the drop-down menu (supplied to the management server by the server administrator). |
| Display | Select the number of users to display per page from the drop-down menu. |
| Search for | To look for a specific full name string, enter it in this field. Leaving the Full Name and Custom Filter fields blank allows you to import or display all users in the directory. The system treats your entry as a wild card. For example, if you enter jon, the system searches for all full names that contain the string jon. Asterisks (*) are interpreted as characters. |
| Enter Custom Filter | To use an LDAP search filter (that will override any value in the ‘Search for’ text box), enter a value in this Custom Filter field. For information about entering an LDAP search filter, see “Creating an LDAP Search String” below. Note: You must have Read rights to all attributes in your search string. |
| Display Matching Users | To preview a list of matching users first, and then import information for selected users, do the following: 1. Click the Display Matching Users button. A scrolling list of the users about to be imported appears in the window, with a green mark in the Status column indicating previously imported members. 2. Select the users that you want to import. Clicking the top checkbox selects all users. 3. Click the Import Selected Users button (or Finish). The selected users appear in the domain group Members list with a Directory Status of Imported. |
| Import Matching Users | To import information for users that match the search criteria now, click the Import Matching Users button to submit the search criteria. The selected users appear in the domain group Members list with a Directory Status of Imported. |

Now that you have supplied the identity information for each user, you must send them activation keys which are associated with each user’s identity information. Once the activation key is installed in a user’s Groove software, Groove will authenticate each user and create a managed identity based on the associated identity information.

7. Send activation email to Groove users manually in your own email message, or from the Members page, as described below in “Enabling Groove Activation”.

Enabling Groove Activation

Once Groove identities have been defined in a management domain group, as described above in “Adding Groove Users to a Domain Group”, the managed identities must be activated on Groove clients. Any server or domain administrator can initiate this process by sending domain members an activation key in an email message. In addition, the management server’s Auto-Activation feature is available to automate the process. Consult your server administrator or the Groove Enterprise Management Administrator’s Guide for information about automating Groove activation. The sections below provide instructions for manual activation using the management server or personal email.

You can send out Groove activation keys, using the management server Members page or your own email message, as described in the following sections:

• Sending an Activation Key from the Management Server

• Sending an Activation Key Via Personal Email

Sending an Activation Key from the Management Server

To send a Groove identity activation key to Groove users from the management server, do the following:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members tab appears, showing a list of added domain group members.

2. From the Members tab, select target recipients for the email (clicking the top checkbox selects all users).

3. Select Send Activation Key in the tool bar. The Send Activation Key window appears, with an email form, showing any default email. The activation key, management server host name, and managed identity name do not appear in the default text but are automatically appended to the email that the user receives.

4. Fill in the fields on the default email page as shown in the following table:

| User Email Fields | Explanations |
| --- | --- |
| Select Email | Select an email message from the drop-down menu. |
| Email From | Enter your email address. |
| Email Subject | Enter the subject of this email. |
| Email Body | Enter the email content, accept the default email, or edit the displayed template as necessary. For information about creating management server email templates, see “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide. The activation key and the name of the management server (activation server) are automatically appended to this email. |
| Allow this email to be saved | If you want to save your email changes, select this option. Default: unchecked |
| Save Email As | Available only if ‘Allow this email to be saved’ is enabled. Accept the supplied email name to change the existing template, or enter a new name to save changes in a new template (added to the ‘Select email’ drop-down list for future use). |
| Make this email the default for this activity | Available only if ‘Allow this email to be saved’ is enabled. Select this option to make this message the default email template for distributing activation keys. This template will replace the current default email template. Leaving this checkbox unchecked allows you to save this email for editing or future use but does not substitute for the current default email template. |

5. Click the Send button when you are finished. This sends the email, along with the following items:

• Activation key - Activating this key on a Groove client device creates a managed identity (or converts an existing identity), and downloads domain licenses, identity policies, and any domain relay assignments.

• Identity name - Specifies the user’s new identity name.

• Activation server - Specifies the management server name that the Groove client uses to contact the management server for updates and reporting.

You have now distributed activation keys to Groove users. Upon receipt of an activation key, users apply the activation keys to their Groove devices. This creates a managed identity for each user and makes these users domain members. On the Members page, status for these users changes from Pending to Active. An envelope icon in the right-most column of the page indicates defined users who have not yet activated their managed identities.

For more information about distributing activation keys to users, see the section “Distributing Activation Keys” in the Getting Started section of this guide.

Sending an Activation Key Via Personal Email

In order to distribute a Groove user activation key yourself, rather than emailing from the management server, you must retrieve the user’s activation key.

To retrieve a user activation key for personal distribution to users, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane. The Members tab appears, showing a list of added domain group members.

2. From the Members page, click the member’s name. The Member Details window appears, with a Member Information tab displaying the user identity information, including the member’s activation key.

3. Copy the activation key to a safe place, and note the server name and identity name.

4. Click OK.

5. Deliver the activation key, the management server (activation server) name, and the identity name to the user in an email message or other transfer method.

Upon receipt of an activation key, users apply the activation keys to their Groove devices, as described above at the end of the “Sending an Activation Key from the Management Server” procedure.

Provisioning Managed Groove Users

The management server administrative Web interface lets you provision Groove users with user and device policies, Groove licenses, and relay servers whenever you create a domain group or add a user to a group. Once you add licenses to, and register devices and relay servers with a domain, as outlined in “Setting Up a Groove Management System” in the Getting Started section of this guide, the management server applies templates of default identity and device policies, and sets of licenses and relay servers to the domain group or user being defined.

You can change templates or sets for a selected domain group or member by editing the group or member’s properties, as follows:

• To edit a group’s properties, select a domain group in the management server navigation pane, select Group Properties in the tool bar, and select the desired identity template, device template, license set, and/or relay set from the drop-down menus.

• To edit an individual’s properties, select a domain group in the management server navigation pane, click a member on the Members tab, and select the desired identity template, device template, license set, and/or relay set from the drop-down menus.

For more information about templates and sets, see the sections listed in the following table:

| For information about: | See this section of the guide: |
| --- | --- |
| Editing or changing identity policy templates | “Managing Identity Policies” |
| Editing or changing device policy templates | “Managing Device Policies” |
| Editing or changing license sets | “Managing Groove Product Licenses” |
| Editing or changing relay sets | “Managing Groove Servers” |

Viewing Domain Members

The Members tab lets you display status and identification information for all or specific members of a domain group or subgroup. The page also provides tools for sending activation keys to selected users, moving or deleting selected members, and exporting selected member identity contacts.

To view a list of managed users in a domain group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group or subgroup from the navigation pane. The Members tab displays the members list for the selected group.

2. To search for specific members, use the Advanced Search and Search buttons as described below in “Finding Domain Members”.

3. From the Display drop-down menu (above and below the members list), accept the default or select another value for the number of users displayed per page. You can use the directionals at the top and bottom of the list to navigate between screenfuls.

4. Click the Search button. The list of members appears as specified. The list displays the following columns of information:

| Members List Columns | Values |
| --- | --- |
| Status | Icons specify the domain membership status of each user, as follows: • Active - Groove users who have applied their activation keys and associated identity information to Groove client, making them domain or group members. • Pending - Groove users for whom you have entered identity information but who have not yet activated their managed identities. If you need to resend an activation key, select the user and click ‘Send identity to selected member’ from the pull-down menu, then click the Submit button to resend. An envelope icon indicates that an activation email has been sent to a pending user (but the user has not yet applied the activation key). Right-clicking the icon displays the date and time that the email was sent. The time value reflects the time zone of the management server. Once the user activates their managed identity, the user status changes to Active and the email icon disappears. The absence of an email icon for a Pending user indicates that no activation email has been sent. • Deleted - Domain/group members whom you have deleted from the domain or group, as described below in “Deleting Domain Members”. • Disabled - Groove users that you have temporarily disabled (suspended), as described below in “Disabling and Enabling Domain Members”. |
| Full name | Specifies the user’s full display name. |
| Email address | Specifies the user’s email address. |
| Last modified | Displays the date and time of the last modification to the user record. The time value reflects the time zone of the management server. |
| Activation state | |
| Directory Status | If a member was imported to the domain from a directory server (as described in “Importing Members from a Directory” of this guide), specifies member status on the directory server as follows: • Imported - Indicates that the member was imported from a directory server (with or without synchronization enabled). • Disabled - Indicates that an imported member was disabled on the directory server (regardless of its management server state). • Deleted - Indicates that an imported member was deleted from the directory server (regardless of its management server state). For members that were not imported to the domain from a directory server, the column value is blank. |
| Last Account Backup Date | If you set an identity policy to schedule automatic user account backup, specifies the time of last backup. For information about scheduling account backup, see the section below, “Backing Up Account Data”. |

Viewing and Editing Domain Member Information

You can access and modify information about a specific domain member from the Member Information pages. This page also displays devices - managed or unmanaged - associated with the user.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer users at the group level. Editing individual members requires a role of Server, Domain, or Member administrator.

Note: You cannot edit a member's information (such as name, email address, phone number) if the member was imported or integrated from a corporate directory server.

To view or change information about a member, follow these steps:

1. Go to the management server administrative Web site and select a management domain group or subgroup from the navigation pane. The Members tab displays the members list for the selected group.

2. To search for a specific user or category of user, use the Advanced Search and Search buttons, as described above in “Finding Domain Members”.


3. From the Members tab, click the member name for which you want details. The Member Information page appears, displaying information for the selected user as described in the following table:

| Domain Member Information Fields | Values |
| --- | --- |
| User identity information fields | Specifies the full name, email address, and other identity information that comprise this domain member’s contact information. These fields are editable for users that were added to the domain directly or from an XML file. These fields are not editable for users that were imported to the domain from a directory server. Custom fields, created by the server administrator when integrating with an onsite directory server, appear below the identity contact fields (below the Fax field). |
| Reset Password or Smart Card Login | Displays the Reset Password or Smart Card login window so you can reset a Groove password or smart card login, upon user request and providing that Groove device policies allow. For more information about resetting Groove passwords or smart card logins, see “Resetting Groove Login Credentials for Managed Devices” in the Managing Device Policies section of this guide. |
| Digital fingerprint | Information only. Specifies the digital fingerprint associated with the domain member’s managed identity. |
| Activation server | Information only. Specifies the name of the management server from which the Groove activation key was sent to this user. |
| Activation key | Information only. Specifies the Groove activation key sent to this user by the domain administrator. |
| Date activated | Information only. Specifies the date that the user activated Groove. |
| Domain | Information only. Specifies the domain of which the user is a member. |
| Group | Information only. Specifies the group of which the user is a member. |
| Identity Policy Template | Lists the Groove identity policy templates available for this domain. You can change the template for the specified user by selecting another template from the drop-down menu. For more information about identity policy templates, see the “Managing Identity Policies” section of this guide. |
| License Set | Lists the Groove license sets available for this domain. You can change the set for the specified user by selecting another license server set from the drop-down menu. For more information about license sets, see the “Managing Groove Product Licenses” section of this guide. |
| Relay Server Set | Lists the Groove relay server sets available for this domain. You can change the set for the specified user by selecting another relay server set from the drop-down menu. For more information about relay server sets, see the “Managing Groove Servers” section of this guide. |
| Advanced Relay Server Settings | Displays the Advance Relay Server Settings window where you can purge the queues on selected relay servers in the set for the specified user. For more information about purging queues, see “Purging Member Relay Queues” below. |
| Devices with this Identity | Lists the managed and unmanaged devices associated with this domain member, as described in the “Devices with this Identity - Columns” table below. For more information about managing devices, see “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide. |

| Devices with this Identity - Columns | Values |
| --- | --- |
| Name | Lists the managed and unmanaged devices associated with this domain member. For more information about managing devices, see “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide. |
| Version | The Groove version running on the device. |
| Last Used | The date that Groove was last used on the device. |
| Type | The type of device - Managed (defined on the management server) or Unmanaged (not subject to management server device policies). |
| Device Policy Template | A drop-down menu of device policy templates appears for each managed device, so you can view or change the assigned template. Note: The assigned device policy template affects all users of a managed device (if more than one user has an account on the device). Therefore, changing the device policy template for one user affects all other users of that device. |

4. Change the editable information on this page as necessary.

5. When you are finished, click Apply to save your changes without closing the window or OK to save and close.

Finding Domain Members

You can search for members in a domain or group by first name, last name, or email address.

1. Go to the management server administrative Web site and select a management domain group or subgroup from the navigation pane. The Members tab displays the members list for the selected group.

2. To search for specific members, enter a search string for the name of the user that you want to find, using wild cards (without asterisks). For example, to search for all user names containing ‘mac’, enter the string mac.

3. To search all the groups in a domain, select the Search domain checkbox. Leaving the box unchecked limits the search to the selected group.

4. To restrict the search to a specific user category, from the Members tab, click the Advanced Search button and fill in the fields as shown in the following table:

| Advanced Search Fields: | Descriptions |
| --- | --- |
| Text box | Lets you enter a search string for the domain member name that you want to find (for example, John Doe). Wild cards (without asterisk) are acceptable. For example, enter mac to search for all names containing ‘mac’. |
| Drop-down menu options | Restricts the search to one of the following domain member categories: • Active, pending, and disabled members - Displays active, pending, and disabled domain group members, as described for the individual items below. • Active members - Displays Groove users who have activated their managed identities, making them domain group members. • Pending members - Displays Groove users in this domain or group for whom you have entered identity information that has not yet been activated on the Groove client. • Disabled members - Displays Groove users that you have temporarily disabled (suspended), as described below in “Disabling and Enabling Domain Members”. • Deleted members - Displays Groove users that you have deleted from the domain group, as described below in “Deleting Domain Members”. Default: Active, pending, and disabled members |
| Search domain | Searches all groups in the domain, regardless of what is selected (when enabled) or limits the search to the selected group (disabled). Default: checked (enabled) |

5. Click the Search button.

Moving Domain Members to Another Group

The management server interface allows you to move domain group members from one group to another within the same domain.

If a directory server is installed at your site, note the following when moving members:

• You cannot perform a move if either the source or target group of the move, or any parent group originates from an LDAP directory server integration point.

• Assigned license sets, relay server sets, and policy templates remain unchanged when members who originated from an LDAP directory server integration point along with the directory structure move from one group to another.

To move members from one group to another, follow these steps:

1. Go to the management server administrative Web site and select a management domain group or subgroup in the navigation pane from which you want to move members. The Members tab displays the members list for the selected group.

2. From the Members page, use the Display and Search controls as needed (as described above in “Viewing Domain Members”).

3. From the Members page, select the group members that you want to move (clicking the top checkbox selects all members in the list).


4. Click the Manage Members drop-down list in the tool bar and select Move Members. The Move Members window appears.

5. In the Move Members window, select the group into which you want to move the selected members.

6. To move the members into a new group (with the same policy templates, license sets, and relay sets as the parent group), click the New Group button and enter a new group name.

7. To apply the policy templates, license set, and relay server set of the target group to the moved members, select the option: Change member’s setting to match the group they will be moved into. To retain the moved members’ original templates and sets, uncheck this option.

8. Click OK. This moves the selected members into the selected or new group.

Exporting Domain Members

The domain group Members pages let you export domain group members to an .xml or a .csv file. You can then use this file to add multiple members to another domain. The following columns of domain member information are exported (empty fields appear as blank values in the exported file):

A. Full Name (required for import)

B. First Name

C. Last Name

D. Email (required for import)

E. Title

F. Company

G. Street

H. City

I. State

J. Postal Code

K. Country

L. Phone

M. Fax

N. Cell

O. Activation Key (For information only; not used for import)

P. Group Name (For information only; not used for import)

Q. Status (For internal system use only; not used for import)

R. Type (For internal system use only; not used for import)

To export domain group members to a file, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane.

2. Click the Members tab. A list of group members appears, based on the default search criteria.


3. From the Members page, use the Display and Search controls as needed, as described above in “Viewing Domain Members”.

4. Click the Manage Members drop-down list in the tool bar and select Export Members. An Export pop-up window appears.

5. If you want to export only selected members, select those members.

6. Choose the option of Selected items, or accept the default option of All items.

7. Select CSV or XML as a target file type, then click OK. A Save pop-up window appears.

8. Enter the file location for saving the .xml file, then click OK. You can now import this .xml file to another domain using the Add Multiple Members link, as described above in “Adding Multiple Members from a .CSV File” or “Adding Multiple Members from an .XML File”.

Disabling and Enabling Domain Members

You can suspend members of a domain group by temporarily disabling them, then re-enabling them as necessary. The following sections provide instructions for:

• Disabling Domain Members

• Enabling Domain Members

Disabling Domain Members

You can suspend selected members from a domain group via the Disable member option in the Managing Users drop-down list in the Member tool bar.

Note: If a directory server is installed at your site, imported members that have been disabled on the directory server appear as Disabled in the Directory Status column, regardless of their management server state.

To temporarily disable members in a domain group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane.

2. Click the Members tab. A list of group members appears, based on the default search criteria.

3. From the Members page, use the Display and Search controls as needed, as described above in “Viewing Domain Members”.

4. Select the members that you want to disable (clicking the top checkbox selects all members in the list).

5. Click the Manage Members drop-down list in the tool bar and select Disable Members.

Enabling Domain Members

To re-enable members that you have disabled from a domain group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group from the navigation pane.


2. Click the Members tab. A list of group members appears, based on the default search criteria.

3. To change the search criteria (for example, to display disabled members), use the Advanced Search button and search text box, as described above in “Finding Domain Members” and click the Search button.

4. Select the members that you want to enable (clicking the top checkbox selects all members in the list).

5. Click the Manage Members drop-down list in the tool bar and select Enable Members.

Deleting Domain Members

The management server interface allows you to delete domain group members. Deleting a member disables the identity on the Groove client.

If a directory server is installed at your site, note the following when deleting members:

• Members that were imported from the directory to a management server domain (not automatically integrated from a directory server integration point) will be deleted.

• Members that were automatically integrated from a directory server integration point without the directory data structure will be deleted but they will reappear as Pending users. You can then decide to re-instate them with new activation email, or delete them.

• User information that was integrated from a directory server integration point with data structure synchronization cannot be deleted using the management server interface.

Warning: The member deletion operation is NOT reversible. Once you delete a member from a domain group, you can no longer access their data unless you set a data recovery device policy that allows you to do so. You must set a data recovery policy for managed devices in order for administrators to recover data from members previously removed from the domain. For information about setting up a data recovery policy, see “Setting Up Data Recovery on Managed Devices” in the Managing Groove Device Policies section of this guide.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete domain members.

To delete members from a domain group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group or subgroup in the navigation pane from which you want to move members. The Members tab displays the members list for the selected group.

2. From the Members page, use the Display and Search controls as needed, as described above in “Viewing Domain Members”.

3. From the Members page, select the group members that you want to delete (clicking the top checkbox selects all members in the list).


4. Click the Manage Members drop-down list in the tool bar and select Delete Members.

5. Click OK to confirm the deletion.

This deletes the selected members from the management server and any associated Groove workspaces.

Backing Up and Restoring User Account Data

If a Groove user loses a managed account or the account is corrupted, you cannot retrieve the account information or the user’s workspace data unless you have a backup system in effect. To prevent permanent loss of valuable data, you can define a policy for your domain that allows the management server to back up account data for managed users in the domain at periodic intervals. The backed up account is then available for restoration to the user via email if an account is lost or corrupted.

User accounts consist of user identity information, domain management settings, and the workspace list associated with that account, all of which is saved during Groove’s account backup. User accounts do not include Groove workspace data. Groove users can retrieve workspace data from other workspace members, using the workspace list as a reference, along with the Groove Fetch capability.

The following sections describe the two parts of this task:

• Backing Up Account Data

• Restoring Account Data

Backing Up Account Data

To avoid the consequences of lost or corrupted user account data, scheduling regular backup of account data is wise practice. The management server lets you set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed up information includes user contacts, the user’s workspace list, identities and contact information, licenses and identity policies.

To minimize user disruption, the management server starts the backup at a specified interval, once a Groove user has logged into Groove and Groove has been idle for 15 minutes. A notifier appears on Groove user screens indicating when a managed account backup is in progress and when it is complete.

Note: Groove workspaces are not backed up directly. Groove users can retrieve workspaces from other active workspace members by using the workspace list and the Groove Fetch capability.

To set an identity policy to enable automatic backup of account data, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. On the Member Policies page, enter a value in the Backup account every [ ] day(s) field to specify the number of days between server backups of user account data.


3. Select Save Changes in the tool bar. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

The server now saves user accounts at the interval you defined. You restore account data as described in the next section.

Note: Groove domain user accounts are backed up only if the account users are logged in and systems have been idle for 15 minutes. If at the time of backup a user is not logged in, that account will not be backed up.

Restoring Account Data

Once you have enabled a user account backup policy for managed identities in the domain, as described in the previous section “Backing Up Account Data”, you can restore a user’s account if it is lost or damaged.

When restoring a lost or damaged account, the available version will be as of the last version saved; any data added to the account after the last backup interval will be lost. Therefore, if an account resides on multiple devices and you believe that one of these devices contains a more recent version of the account (than the backed-up version), restore the account from that device instead of restoring the backed up account.

To restore a managed user’s backed up account, follow these steps:

1. Go to the management server administrative Web site and select a domain group in the navigation pane, then click the Members tab. The Members page appears.

2. Use the Search boxes to display the desired member(s).

3. Click the member whose account you want to restore. The Member Information page appears.

4. From the Member Information page, click the Restore Account tab. The Restore Account page appears. If the backup policy is in effect and accounts have been backed up, the page lists the backed up accounts as described in the table below.

If the backup policy is not in effect or if no accounts are backed up, the entry No accounts backed up appears in place of the account information.

| Restore Account Fields | Description |
| --- | --- |
| Name | The name of the domain member who owns the account. |
| Last backup | The date of the most recent account backup. |
| Status | The status of the account, as follows. Normal - Indicates that the account is valid. This account has expired - Indicates that the account has not been backed up within 60 days of its Last backup date. You cannot download an expired account. However, all restoration functionality remains in case you still want to restore the account, as is, on the client. Note: For information about how to restore an expired account, contact Groove Networks Support. |
| Device Name | Name of the device on which the account was backed up. |
| Size | Size (in megabytes) of the backed up account. |
| Download | A link that allows you to download an account to a specified file for use outside of the management server. |

5. To download the backed-up user account to a file for future use, click the Download button and specify a directory path and file name (<identity>.grv) for where to save it.

Note: You must import the backup file within 60 days of its last backup date. Contact Groove Networks Support for help in restoring expired accounts.

6. Enter or edit the email fields, as described in the table below.

| Account Restoration Email Fields | Description |
| --- | --- |
| Select Email | Specifies the account backup email templates available. The initial default account backup email appears as ‘Original account restoration email’. |
| Email To | Specifies the destination (member’s email address) for the account restoration email. |
| Email From | Specifies your domain administrator email address. |
| Email Subject | Specifies the subject of the email. |
| Email Body | Displays the default email template, if any. Accept the default email, or edit the displayed template as necessary. For information about creating management server email templates, see “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide. |
| Allow this email to be saved | Lets you edit the email fields and save them. Default: unchecked |
| Save Email As | Available only if ‘Allow this email to be saved’ is enabled. Accept the supplied email name to change the existing template, or enter a new name to save changes in a new template (added to the ‘Select email’ drop-down list for future use). |
| Make this email the default for this activity | Available only if ‘Allow this email to be saved’ is enabled. Select this option to make this message the default email template for distributing account backup files. This template will replace the current default email template. Leaving this checkbox unchecked allows you to save this email for editing or future use but does not substitute for the current default email template. |

7. When you are ready to send the account restoration email, click the Send button to send and save the email as is, along with the backed up account. Or, to save the email without sending, click the Apply button to save without closing the window, or OK to save and close.

Once the client receives this email, the client can follow the email instructions to restore the account.

You create, edit, and delete account restoration emails, as described in “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide.

Purging Member Relay Queues

In the event that a managed user’s relay queue becomes or is expected to become overloaded (for example from large file downloads), you can purge a domain group member’s relay queues from onsite relay servers via the Member Information page. Purging the message queues permanently deletes all queued instant messages, Groove invitations, and workspace updates for the account associated with the selected managed identity on the specified relay server. Purged instant messages and invitations can never be recovered. However, the Groove Dynamics Manager component on the Groove client can recover workspace updates even after they are purged, if necessary to update a workspace.

To purge a managed user’s relay queues on a specific onsite relay server, follow these steps:

1. Go to the management server administrative Web site and select a management domain group or subgroup from the navigation pane. The Members tab displays the members list for the selected group.

2. To search for a specific user or user category, use the Advanced Search and Search buttons, as described in “Finding Domain Members” above.

3. From the Members tab, click a member name. The Member Information page appears, displaying information for the selected user.

4. From the Member Information page, click the Advanced Relay Server Settings button. The Advanced Relay Server settings page appears with a drop-down menu of registered relay servers, indicating Onsite or Hosted. You can only purge relay queues on onsite Enterprise Relay Servers.

5. From the Advanced Relay Server Settings page, click the purge button for any onsite relay servers whose queues you want to purge for the specified user. Clicking the button purges the appropriate queues.

6. Click OK to exit.

For more information about relay queues, see the Groove Enterprise Relay Server Administrator’s Guide.

Creating an LDAP Search String

The Import Members From a Directory Server feature, accessible from the Add Members page, allows you to add users to a management domain by importing user information from a corporate LDAP-based directory installed at your site. The process provides two main search options: one that lets you search for users in the directory by full name, and another that lets you enter a Lightweight Directory Access Protocol (LDAP) search filter that overrides any full name. This section provides details about entering a custom search filter.

See “Importing Members from a Directory” above for information about importing user information from a directory and accessing the Custom Filter field.

EMS maps the supported directory attributes as shown in Table 1 below.

Note: The directory attribute names shown in the table may vary, depending on which directory server version you are running.


Table 1. EMS to LDAP Attribute Mapping

| EMS/Groove Contact Properties | Active Directory | iPlanet | Domino |
| --- | --- | --- | --- |
| Full Name | cn | cn | cn |
| First Name | givenName | givenName | givenName |
| Last Name | sn | sn | sn |
| title | title | title | title |
| EMail | mail | mail | mail |
| orgPhone | telephonenumber | telephonenumber | telephonenumber |
| orgCell | mobile | mobile | mobile |
| orgFax | facsimileTelephoneNumber | Fax | facsimileTelephoneNumber |
| Company | company | o | o |
| orgStreet | street | street | officestreetaddress |
| orgState | st | st | st |
| orgCity | l | l | l |
| orgCountry | c | c | c |
| orgPostalCode | postalcode | postalcode | postalcode |
| Unique Identifier (not in Groove Contact Properties) | objectGUID | nsuniqueid | UID |

Note: You must have at least Read rights to all attributes in your search string.

To enter a simple LDAP search string in the Custom Filter field, use the following basic format:

(<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>))...

where

<filtercomp> = An optional boolean operator, entered as a prefix to the search string, as shown in the following table:

<filtercomp>    Definition
&               And
|               Or
!               Not

<attribute> = An attribute from the LDAP directory table. For example, in an Active Directory table, o is an attribute representing the organization (or company) to which an employee belongs. See “Table 1. EMS to LDAP Attribute Mapping” above for a list of Active Directory, iPlanet, and Domino directory attributes.

<filtertype> = Any of the following symbols:

<filtertype>    Definition
=               Equals
~=              Approximately
>               Greater than
<               Less than

<value> = An attribute value from the LDAP directory.

Note that subfilters can be nested within filters.

The following table shows some sample search filters for each directory type:

Search: Search for all employees who work for any of the XYZ companies.
Expression: <attribute><filtertype><value>
Sample filter (Active Directory, iPlanet, or Domino): o=XYZ*

Search: Search for an employee whose full name is John Doe.
Expression: <attribute><filtertype><value>
Sample filter (Active Directory, iPlanet, or Domino): cn=John Doe

Search: Search for all employees except for John Doe and Jane Brown.
Expression: (<filtercomp>(<filtercomp>(<attribute><filtertype><value>))(<filtercomp>(<attribute><filtertype><value>)))
Sample filter (Active Directory, iPlanet, or Domino): (&(!(cn=John Doe))(!(cn=Jane Brown)))

Search: Search for all employees whose full name begins with A or B.
Expression: (<filtercomp>(<filtercomp>(<attribute><filtertype><value>))(<filtercomp>(<attribute><filtertype><value>)))
Sample filter (Active Directory, iPlanet, or Domino): (|(cn=A*)(cn=B*))

Search: Search for an employee who works for XYZ Corp. and whose last name is Doe or whose full name is John D.
Expression: (<filtercomp>(<attribute><filtertype><value>)(<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>)))
Sample filter (Active Directory, iPlanet, or Domino): (&(o=XYZ Corp.)(|(sn=Doe)(cn=John D*)))

Search: Search for all employees that are members of a specified group (such as Groove*) defined on the directory server.
Expression: (<filtercomp>(<attribute><filtertype><value>)(<attribute><filtertype><value>))
Sample filter (Active Directory): (&(objectclass=group)(cn=Groove*))
Sample filter (iPlanet): (&(objectclass=groupofuniquenames)(cn=Groove*))
Sample filters (Domino): (&(objectclass=groupofnames)(cn=Groove*)) and (&(objectclass=dominoGroup)(cn=Groove*))

Initiating Client Contact With a Management Server

Once a Groove identity or a device is designated as managed in the Groove client software, Groove polls the management server periodically (generally, every 5 hours) for updates to products and policies, and to report statistics. If you want to force client contact with the management server so that users can receive updates within a polling interval, users can manually initiate management server communications from Groove.

To manually initiate client communications with the management server (between automatic polling events), Groove users can do the following:

1. From Groove Virtual Office, click the Help drop-down menu and select About Groove.

2. Click the Licenses button at the bottom of the window.

3. Click the Refresh button.
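For the custom filters described in “Creating an LDAP Search String” above, the following Python sketch is an added example (not part of this guide or of the Groove product). It checks a Custom Filter string for balanced, well-formed syntax and for attribute names listed in Table 1 before it is entered, and escapes literal values per RFC 4515 so that characters such as ( ) * \ in a name are matched literally instead of being read as filter syntax. All function names are hypothetical, and the checker assumes the filter grammar shown in that section.

```python
import re

# Attribute names from Table 1 of this guide, plus objectclass from its group
# samples, lower-cased for comparison. Names can vary by directory version.
_COMMON = {"cn", "givenname", "sn", "title", "mail", "telephonenumber",
           "mobile", "st", "l", "c", "postalcode", "objectclass"}
KNOWN_ATTRS = {
    "active directory": _COMMON | {"facsimiletelephonenumber", "company", "street", "objectguid"},
    "iplanet": _COMMON | {"fax", "o", "street", "nsuniqueid"},
    "domino": _COMMON | {"facsimiletelephonenumber", "o", "officestreetaddress", "uid"},
}

# <attribute><filtertype><value>; RFC 4515 spells the ordering tests >= and <=,
# so both those and the bare > and < listed in the guide are accepted.
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(~=|>=?|<=?|=)(.*)$", re.S)

# RFC 4515 escapes for characters that otherwise act as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

class FilterError(ValueError):
    """Raised when a filter string is not well formed."""

def escape_value(value):
    """Escape a literal value so it cannot add wildcards or subfilters."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def equals(attr, value, prefix=False):
    """Build (attr=value); prefix=True appends an intentional trailing wildcard."""
    return "(%s=%s%s)" % (attr, escape_value(value), "*" if prefix else "")

def combine(op, *filters):
    """Wrap already-built subfilters in &, | or !."""
    return "(%s%s)" % (op, "".join(filters))

def _parse_item(text):
    match = _ITEM.match(text)
    if not match:
        raise FilterError("expected <attribute><filtertype><value>, got %r" % text)
    attr, op, value = match.groups()
    if "(" in value or ")" in value:
        raise FilterError("unescaped parenthesis in value %r" % value)
    return ("item", attr, op, value)

def _parse_group(text, pos):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_group(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise FilterError("operator %s has %d subfilter(s)" % (op, len(children)))
        node = (op, children)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        node, pos = _parse_item(text[pos:end]), end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError("missing ')' at offset %d" % pos)
    return node, pos + 1

def parse_filter(text):
    """Return a nested tuple tree for a Custom Filter string."""
    text = text.strip()
    if not text.startswith("("):
        return _parse_item(text)  # bare form, as in the guide's o=XYZ* sample
    node, pos = _parse_group(text, 0)
    if pos != len(text):
        raise FilterError("unexpected text at offset %d" % pos)
    return node

def attributes(node):
    """Collect the lower-cased attribute names used anywhere in the tree."""
    if node[0] == "item":
        return {node[1].lower()}
    return set().union(*(attributes(child) for child in node[1]))

def check_filter(text, directory):
    """Return a list of problems; an empty list means the filter passed."""
    try:
        tree = parse_filter(text)
    except FilterError as exc:
        return ["syntax: %s" % exc]
    unknown = sorted(attributes(tree) - KNOWN_ATTRS[directory.lower()])
    return ["attribute not listed in Table 1 for %s: %s" % (directory, name)
            for name in unknown]

if __name__ == "__main__":
    # Constructed inputs: two well-formed filters, one missing its last ')'.
    for sample in ["(&(objectclass=group)(cn=Groove*))",
                   combine("|", equals("cn", "A", True), equals("cn", "Doe (Jr)")),
                   "(&(!(cn=John Doe))(!(cn=Jane Brown))"]:
        print(sample, "->", check_filter(sample, "Active Directory") or "ok")
```

An attribute reported as not listed in Table 1 is a prompt to confirm the name against your directory schema, since the guide notes that attribute names vary by directory server version.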

Managing Identity Policies

Identity-based usage and security policies set a foundation for Groove user management. The identity policy template assigned to a user - directly or via the user’s domain group - applies to all devices where the user’s managed account resides. Identity policies govern Groove user practices and security.

Device-based policies, which apply to managed user devices registered with a management domain, offer an added level of control to Groove usage and security management. See “Managing Device Policies” of this guide for details about using device policies.

The following sections describe identity policies and how to customize them to best advantage:

• Overview of Identity Policy Templates

• Creating Identity Policy Templates

• Editing Policy Template Names

• Cloning Policy Templates

• Changing Identity Policy Templates

• Deleting Policy Templates

• Viewing and Editing Identity Policies

• Automatically Managing Devices During Identity Activation

• Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)

• Resetting Groove Login Credentials (for Groove 3.0f or later)

• Customizing Reset Instructions (for Groove 3.0f or later)

• Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)

• Managing User Interaction with Unauthenticated Identities

• Setting the Default Workspace Version

• Specifying Enterprise PKI Certificates

• Setting Time Limit on Valid PKI Certificates

• Enabling Groove-XMPP Communications

• Member Policies

• Security Policies


Overview of Identity Policy Templates

The management server provides templates of default policies (identity and device-based) which take effect at once after a user activates a managed Groove identity. Identity policies apply to the managed identity on any devices on which the user’s managed account resides. You can modify identity policies, and change or add new templates at any time, but examining and customizing the defaults is a wise first step in setting up a management environment.

Collections of identity policy settings reside in identity policy templates which you can assign to domain groups, subgroups, and individual users. The same is true for device policy settings, described in the “Managing Device Policies” section of this guide. The management server’s default identity policy template, with its set of default settings, is applied to domain groups by default.

Enacting policies requires Groove users to be members of a management domain or group. See “Adding Groove Users to a Domain Group” in the Managing Users section of this guide for information about adding users to a domain group.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.

Creating Identity Policy Templates

The management server provides an initial default identity policy template that contains default policy settings appropriate for typical Groove use in an enterprise. You can create additional templates at any time, using the Add Templates tool from the Identity Policy Templates page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add policy templates.

To create a policy template, follow these steps:

1. Go to the management server administrative Web site and from the navigation pane, select the Identity Policy Templates heading for a domain. A list of templates appears in the main window.

2. Select Add Template in the tool bar. The Add Template window appears.

3. In the Add Template window, enter a template name and optional description in the corresponding fields.

4. Click OK. The new template appears in the list on the Policy Templates page and in the navigation pane. Clicking the template in the navigation pane lets you view the template’s default policy settings and edit them.

Editing Policy Template Names

To edit a policy name and description, follow these steps:


1. Go to the management server administrative Web site and select the Identity (or Device) Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.

2. Click the template in the list (or click the template in the navigation pane, then click the template Properties button). The template Properties window appears.

3. In the Edit Template Properties window, edit the policy tool name and description as needed.

4. Click OK.

Cloning Policy Templates

You can clone a template and save it as a new template with another name, by using the Clone Template button available with each template.

To clone a template, follow these steps:

1. Go to the management server administrative Web site and select the Identity (or Device) Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.

2. Click the Clone Template button next to the template that you want to copy. The Clone Template window appears.

3. From the Clone Template window, enter a new template name and optional description in the appropriate fields.

4. Click OK. You can now use the cloned template as a basis for a new policy template without overwriting the original.

Changing Identity Policy Templates

The management server provides a default identity policy template that applies to managed identities in a domain group. This initial template contains identity policy settings appropriate for typical Groove use in an enterprise. If you have defined additional identity policy templates (as described in “Creating Identity Policy Templates”), you can change default template assignments for any group or member, as described in the following sections:

• Changing Identity Policy Templates for a Group

• Changing Identity Policy Templates for a Group Member

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change policy templates at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

Note: For information about editing identity policies in a template, see “Viewing and Editing Identity Policies” later in this chapter.

Changing Identity Policy Templates for a Group

To change identity policy templates for a group, follow these steps:


1. Go to the management server administrative Web site and select a management domain group in the navigation pane.

2. Select Group Properties in the tool bar.

3. From the group Properties page, select the desired policy template from the Identity Policy Template drop-down menu.

4. To apply this change to all subgroups and members of this group, select the option, ‘Override settings for all members and subgroups.’ Otherwise, to leave subgroup and member template assignments as is, leave the option unchecked.

5. Click OK.

Changing Identity Policy Templates for a Group Member

To change identity policy templates for a group member, follow these steps:

1. Go to the management server administrative Web site and navigate the domain tree until the member whose template you want to change appears in the main screen display list.

2. From the main screen, click the member name. The Member Information page appears.

3. From the member Properties page, select the desired policy template from the Identity Policy Template drop-down menu.

4. Click Apply to save your changes without closing, or OK to change and close.

Deleting Policy Templates

You can delete policy templates only if no groups or individual members are assigned to them. You cannot delete the last template.

To delete selected policy templates, follow these steps:

1. Go to the management server administrative Web site and select the Identity (or Device) Policy Templates heading in the navigation pane. A list of templates appears in the Templates window.

2. Select the templates that you want to delete (clicking the top box selects all templates in the list).

3. Select Delete Template in the tool bar. If a template cannot be deleted because it is assigned to a group or member, a message appears indicating this condition. To delete assigned templates, make sure they are not assigned to any group or member. For information about reassigning templates, see “Changing Identity Policy Templates” or “Changing Device Policy Templates”, as appropriate.

Viewing and Editing Identity Policies

Identity policies are grouped into templates which apply to a domain group or to an individual identity. Most of these policies concern the security of company resources. Examine the templates that contain these policy settings to make sure that they are adequate for your organization and change them if necessary.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to edit policies.

To edit identity policies, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. Two identity policy tabs appear, as described briefly in the following table and in detail in the sections below:

| Identity Policy Tabs | Descriptions |
| --- | --- |
| Member Policies | Account backup scheduling; Identity publishing |
| Security Policies | Peer authentication; Identity authentication (applies only if enterprise PKI is the chosen identity authentication method) |

2. Click the tab for the policies that you want and edit them as necessary.

3. Select Save Changes in the tool bar to submit your changes.

Automatically Managing Devices During Identity Activation

As of EMS version 3.0f, you can set an identity policy that allows the management server to automatically register Groove user devices with a management domain when users activate their managed identity. With the policy in effect, upon identity activation, a new device is assigned a device policy template from the domain member group of which the identity is a member.

Note: The management server version 3.0f or later automatically handles the required device management key update. Earlier versions of the management server require administrators to download the device management key from the selected device policy template.

To automatically add a device to a management domain during Groove identity activation, follow these steps:

1. Go to the management server administrative Web site and from the navigation pane, select an identity policy template for the management domain that contains the Groove users and devices that you want to activate.

2. From the Member Policies tab, go to the Device Management Policies section and select the policy to ‘Automatically manage devices at activation’. See “Member Policies” below for more information about this policy setting.

3. If you are using a pre-3.0f version of the management server, download the device management key as described above in “Registering Devices in a Management Domain” in the Managing Device Policies section in this guide.

4. If you want to manage devices of all managed Groove identities on a team that may extend beyond the bounds of a management domain, you can specify a Windows domain to which the team user devices belong, as follows:

a. Select the option, ‘For user [devices] in the following Windows domains’.

b. Enter a full Windows domain name (such as xyzsales.com) in the text box (which is case-insensitive).

c. Click the Add button to allow automatic activation for all Groove users in the specified domains. Each Windows domain entered appears in the Windows Domain list when you click Add. You can remove a domain from the list by selecting it and clicking the Remove button.

5. If you do not want to specify Windows domains but want to be sure that devices of all managed Groove identities are managed, be sure to select the companion policy, ‘Identities may only be used on a managed device in this domain.’

6. Click Save Changes in the tool bar.

Note: When users are NOT members of a listed Windows domain, and attempt to activate their new managed identity, a dialog box appears asking them to allow or reject device management. If the option, ‘Identities may only be used on a managed device in this domain.’ is enabled, they will be warned that rejecting device management will prevent activation of their managed identity.

Note: If an automatic device activation attempt fails, it will appear as an event in the EMS audit log. See “Audit Log” in the Viewing Domain Reports section of this guide for more information about reports.

Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)

In order to reset a lost password or smart card login, or to recover data for managed Groove users, you must set up the appropriate management policy and make sure your users open their managed Groove accounts before a user’s password is lost. As of version 3.0f of the management server, this management policy applies to managed users of Groove version 3.0f or later. For information about setting equivalent policies in environments with users running Groove 3.0e or earlier, see “Controlling Login Credential Reset and Data Recovery” in the Managing Device Policies section of this guide.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server Administrator or Domain Administrator to recover user data and reset passwords or smart card logins.

To configure a domain to allow resetting of passwords or smart card logins, and/or data recovery (for Groove 3.0f or later clients), follow these steps.

1. Go to the management server administrative Web site, and select a domain in the navigation pane.

2. Select an identity policy template in the navigation pane.

3. Click the Security Policies tab.

4. Scroll to the Password or Smart Card Login section and select one of the following reset/recovery options (see the “Security Policies” section below for more information on device security policies):

• Automatic reset (and data recovery) - Allows automatic reset of user passwords/smart card logins and recovery of workspace data (providing that the data recovery key and password, defined on the Domain Properties page, are stored on the management server).

• Manual reset (and data recovery) - Allows manual (administrator-controlled) resetting of login credentials and recovering data.

• Data recovery - Allows data recovery but not resetting of login credentials.

• None - Prohibits resetting of login credentials and recovering data.

See “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)” and “Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)” below for information about resetting managed Groove user passwords/smart card logins and recovering user data, respectively.

5. Click OK to submit your policy edits. This policy will be disseminated to each managed identity in the domain the next time the user connects to the management server. Upon receiving the policy, each managed account encrypts its on-disk data in the data recovery public key.

6. Make sure that users open their managed accounts to receive the policy as soon as possible. This must be done before a password is lost, in order to retrieve data and/or reset a password.

For detailed instructions about resetting user passwords, see the following section, “Resetting Groove Login Credentials (for Groove 3.0f or later)”.

Resetting Groove Login Credentials (for Groove 3.0f or later)

A password or smart card login is associated with each Groove user account. In a managed environment, a password and smart card login private key created during domain creation by the server administrator enables the resetting of Groove passwords or smart card logins. As of version 3.0f or later of the management server, an identity policy allows login credential reset for managed users running Groove 3.0f or later, as described in the following sections. If you are using a 3.0e or earlier version of the management server and/or management domain members are running Groove 3.0e or earlier, a device policy controls login credential reset. For information about resetting login credentials in environments with users running Groove 3.0e or earlier, see “Resetting Groove Login Credentials for Managed Devices” in the Managing Identity Policies section of this guide.

Note: Upgrade all managed identities in a domain to Groove 3.0f or later before trying to use the login credential reset policies available on the 3.0f management server Identity Policy pages.

In environments running version 3.0f or later of the Groove management server, you can configure your Groove management environment to control reset of Groove login credentials (passwords and smart card logins) in one of the following ways:

• Users reset their Groove login credentials upon receipt of permission-granting email sent to them automatically from the management server after they request a password or login change from Groove Virtual Office, as described in “Automatic Reset of Groove Login Credentials”.

• Administrators enable managed users to reset Groove login credentials upon request, as described in “Administer-Driven Reset of Groove Login Credentials”.

• Administrators reset Groove login credentials locally on managed user devices, as described in “Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)”.

The following sections cover the administrative and client aspects of resetting a user password or smart card login:

• Administer-Driven Reset of Groove Login Credentials

• Automatic Reset of Groove Login Credentials

• Client Login Credential Reset

Administer-Driven Reset of Groove Login Credentials

Before you begin, make sure to enable the device policy that enables password/smart card login reset, as described above in “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)”. In addition, the Groove user must have accessed their managed account in order to activate the device policy. Allowing reset of a forgotten Groove user password or smart card login involves the reset private key, generated during domain creation by the server administrator. Therefore, you need the password for the reset private key (and the private key file itself if it's not stored on the server), obtainable from your server administrator.

To centrally control Groove user login credential reset, you configure the management server and Groove clients so that the necessary private key is available on the management server (or in a specified file from which you can upload it temporarily to the management server) when users need to reset their own passwords. When a domain member clicks the “Forgot your password?” link in the Groove Login window of Groove and notifies an administrator of this request, the administrator can use the management server’s Member Information page to grant the request.

Before you begin, be aware of the following requirements and considerations:

• For users of Groove 3.0f or later, make sure to enable an identity policy that enables password/smart card login reset, as described above in “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)”.

• Verify that Groove users have accessed their managed account to activate the reset policy.

• Allowing reset of a forgotten Groove user password or smart card login involves the reset private key, generated during domain creation by the server administrator. Therefore, you need the password for the reset private key (and the private key file itself if it's not stored on the server), obtainable from your server administrator.

• If you want to review and customize the reset instructions that will be sent to users requesting the reset, do so from the Security Policies tab of any Device Policy template in the domain, as described below in “Customizing Reset Instructions (for Groove 3.0f or later)”.

• In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Support Administrator to reset passwords or smart card logins.

To enable administrators to grant login credential reset permission to a managed user of Groove 3.0f or later, follow these steps:

1. When a domain member clicks the Reset Password or Smart Card Login button from Groove and notifies you of the request (by phone or other method), go to the management server administrative Web site and in the navigation pane, click the domain group of which the user is a member. The Members tab appears with a list of group members. See the “Client Login Credential Reset” below for information about client

2. From the Members tab, click the name of the member requesting the reset. The Member Information window appears.

3. From the Member Information window, click the Reset Password or Smart Card Login button (available when a member has clicked the Request Reset button from Groove). The Reset Password or Smart Card Login window appears that includes a Reset Access Code and a form for resetting the user password or smart card login.

If the reset private key (generated by the server administrator during domain creation) resides in a specified file (instead of on the management server), the Reset form includes a File location text box.

If the option to Remember private key login credentials has been enabled on the domain setup page and the private key is stored on the management server, a short form appears that does not involve using the reset private key.

4. If a File location text box appears, browse to the file location of the reset private key.

5. Confirm with the user that the Reset Access Code on the management server matches the Reset Access Code in Groove’s Request Reset window on the user’s device.

Note: Make sure to verify that the user who requested the password or smart card login reset is authorized to use the Groove account.

6. If the access code on the Reset Password page does not match the user's access code, press the Refresh Access Code button to check if a new access code is available. Note that refreshing the screen discards any unsaved changes to the user information or password reset form. Therefore, a pop-up message appears allowing you to click OK to proceed and refresh the screen, or Cancel to cancel the refresh.

7. Select the option, ‘I confirm I have verified the member’s identity and the password reset access code.’

8. Click OK. This action attempts to open the user’s secret key file using the private key password or smart card login that you entered. If the key is in a specified file, it is uploaded to the management server at this time. If the private key password or smart card login is valid, a Reset confirmation pop-up window appears. Otherwise, an error message window appears.

9. Click OK to accept the confirmation, or to accept the error and correct your entry.

The user’s screen automatically refreshes and displays a form that allows them to enter a new password or select new smart card login certificates. You can customize the text instructions in this form as described in “Customizing Reset Instructions (for Groove 3.0f or later)” below.

Automatic Reset of Groove Login Credentials

As of version 3.0f of the Groove management server, you can set a policy that allows the server to automatically process managed user requests for password or smart card login reset, providing that users are running Groove 3.0f or later. When a domain member clicks the Reset Password or Smart Card Login button from Groove, the management server will automatically send them an email containing a temporary password and instructions for using it (as does groove.net for unmanaged users).

To enable automatic reset of Groove login credentials in environments running versions 3.0f or later of the management server with Groove 3.0f users, follow these steps:

1. Consider the Before You Begin checklist in “Administer-Driven Reset of Groove Login Credentials” above.

2. Ensure that all domain members have upgraded to Groove 3.0f.

3. Ensure that the option to remember the private key password/smart card login has been enabled on the domain setup page and the private key is stored on the management server.

4. Go to the identity policy template for your domain and, from the Security Policies tab, select the ‘Automatic password/smart card login reset’ option. See “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)” above for more details about setting this option.

Now, when a domain member clicks the Reset Password or Smart Card Login button from Groove, the management server will automatically send them an email containing a temporary password and instructions for using it (as does groove.net for unmanaged users). See the “Client Login Credential Reset” below for information about client actions.

Client Login Credential Reset

Managed users running Groove on managed devices in a domain are subject to administrative control over their password/smart card login reset capability. Once you set up the management environment to enable users to reset their Groove passwords, as described above in “Administer-Driven Reset of Groove Login Credentials”, users must request permission to reset their password or smart card login (if they have forgotten it, for example).

Note: Users should be prepared to authenticate themselves out of band to the domain administrator when requesting a password/smart card login reset.

The Groove user request for password/smart card login reset permission involves the following steps:

1. A managed Groove user assigned to an identity policy that has the reset password or reset smart card login policy enabled, requests a password by clicking the ‘Forgot your password?’ or ‘Request Smartcard Login Reset’ link on the Groove login window. This displays a Request Password Reset or Request Smart Card Login Reset pop-up window that contains the user’s password reset or smart card login access code along with instructions to contact the administrator.

If the user defined a password hint and a hint pop-up window appears with a Request Reset button, the user, reminded by the hint, can try logging in again.

2. The user contacts the domain administrator (by phone, for example) and verifies identity to the domain administrator by citing the reset access code in the Request Reset window. This code should match what appears for the user in the administrator’s Members Information/Reset Password or Smart Card Login window on the management server.

3. The user presses the Request Reset button. Clicking Request Reset refreshes the Request Password/Smart Card Login Reset window, generates a ‘reset request’ entry in the management server audit log, and displays a Reset Password or Reset Smart Card Login button in the management server’s Member Information page for this user.

Clicking the Cancel button cancels the request and returns to the Groove login window.

4. The administrator responds to the reset request, as described in “Administer-Driven Reset of Groove Login Credentials”.

5. If a New Password window appears on the client screen, along with instructions, the user enters a new password, confirms it, and clicks OK. Groove opens the user’s managed account.

If a New Smart Card Login window appears, along with instructions, the user selects new certificates and clicks OK. Groove opens the user’s managed account.

For information about customizing reset instructions, see “Customizing Reset Instructions (for Groove 3.0f or later)” below.

Customizing Reset Instructions (for Groove 3.0f or later)

The policies that govern resetting of login credentials include a feature that lets you edit the instructions that managed users receive after requesting a password or smart card login reset (as described above in “Client Login Credential Reset”). For example, you may want to include the administrator’s Help desk phone number for the user to call when a reset is necessary. In environments using version 3.0f or later of the management server, with managed users of Groove 3.0f or later, you access this feature from the identity policies Security Policy tab by clicking the Edit Reset Settings button.

For information about customizing reset instructions for managed users with Groove 3.0e or earlier, see “Customizing Reset Instructions for Managed Devices” in the Managing Device Policies section of this guide.

To customize the password/smart card login password reset instructions sent to managed users of Groove 3.0f or later who request a reset, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain identity template that you want to edit.

2. Click the Security Policies tab.

3. Scroll to the Password or Smart Card Login section and click the Customize Manual Reset Instructions button. A scrollable text window appears.

4. Edit the default text as necessary.

5. Click OK. The edited text will appear above the password reset access code in the client’s Request Reset message.

6. Select Save Changes in the tool bar.

Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)

Groove workspace and account data reside on Groove user devices and are protected with each user’s password or smart card login. This means that, by default, if a user leaves the company or forgets a password (or smart card login), no one can access that user’s workspaces without knowing the user’s password. The management server and the Data Recovery Tool that supports it enable you to reset a user’s password or smart card login and restore data on managed devices in the domain.

Note: The data recovery procedure is designed to reset user login credentials or gain access to a user’s existing data; it does not restore data that has been corrupted or destroyed.

For information about other options for resetting Groove passwords or smart card logins, see “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)” above.

For information about backing up and restoring user accounts, see “Backing Up and Restoring User Account Data” in the Managing Users section of this guide.

For information about setting up data recovery for managed identities with Groove 3.0f or later, see in the Managing Identity Policies section of this guide.

The data recovery process begins with setting a management server device policy to allow data recovery, then using the management server’s Data Recovery tool to restore data on a client device. The tool gives access to a data recovery private key, generated during domain creation by the management server administrator.

The following sections provide background information and instructions for restoring user passwords, smart card logins, and/or data:

• Data Recovery Fundamentals

• Recovering User Data (using the Data Recovery Tool)

Data Recovery Fundamentals

Groove protects each user account with the user’s Groove account password or smart card login. Account data includes identity, contact, and workspace data, as well as private and secret keys generated locally by Groove (for example, when Groove user accounts, identities, or workspaces are created). The password/smart card login protection scheme applies to both managed and unmanaged accounts. This means that by default administrators cannot access any account information, whether managed or unmanaged.

However, under certain conditions, for example if a user on a managed device loses or forgets a password or smart card login, or leaves the company, an administrator may need to access a user’s Groove data. The management server provides a means of recovering data without knowing the user’s original password or smart card login. Management server identity policies provide options for two levels of data recovery:

• The first level, limited data recovery (without password reset), enables administrative access to the user's workspace data only, rather than complete access to the user's account. This level prevents an administrator from accessing the user's private cryptographic information, such as the user's private and secret keys. It thus also prevents the administrator from being able to impersonate the user (sending Groove instant messages and workspace updates on behalf of the user). Because administrators cannot gain full entry to the user's account after this type of data recovery, they must copy the workspaces from a user's account into another location (into another account or a directory on disk) for future use or reference. This level limits administrative access, providing protection against misuse through impersonation while allowing limited recovery of the user's data.

• The second level, password reset, enables administrators to reset a user’s password or smart card login, enabling complete access to a user's account and workspace data, including access to the user's private cryptographic information. Because administrators with this level of access can impersonate users, this level of access should be used judiciously. Administrators considering this access level must weigh the risk of misuse through impersonation against the benefit of allowing user accounts to be reactivated.

Both data recovery levels require the use of a data recovery key pair: a public key contained in a certificate (.cer) file and a private key contained in a password/smart card-protected private key store (.xml) file. These keys are created during domain creation by the management server administrator. The data recovery public key is encapsulated in a data recovery policy and disseminated to all the managed devices governed by the policy.

When a Groove user is governed by a data recovery policy, Groove encrypts user account data and passwords/smart card logins with the data recovery public key. If limited data recovery is the chosen policy level, only the non-private cryptographic information in the account is encrypted with the data recovery public key. If password/smart card login reset is the chosen policy level, both the non-private and the private cryptographic information of the account are encrypted. The data recovery administrator uses the corresponding data recovery private key (generated during domain creation) to decrypt and gain access - limited or full - to the user's account, without knowing the user's original Groove password. This feature is implemented using public key cryptographic protocols. Thus, an administrator can gain access to an account only if the account was first encrypted with a data recovery public key, and only the correct corresponding data recovery private key (to which only the data recovery administrator has access) allows access to the account.

Recovering User Data (using the Data Recovery Tool)

Before you begin the data recovery process, be sure to set your management domain device policies to allow data recovery, as described above in “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)”. Then you can use the Groove data recovery tool on a client device to recover a user’s public workspace data or to reset the user’s password which provides complete access to all the user’s Groove data.

If you want only to allow users to reset their passwords, consider using the centralized procedure described above in “Resetting Groove Login Credentials (for Groove 3.0f or later)”.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Support Administrator to use the data recovery tool described in the procedure below.

To recover user data and/or reset a user’s login credentials, follow these steps:

Note: Make sure that Groove is not running on the client device where you are trying to restore data.

1. From the client device where you are trying to restore data, open a browser and go to the management server administrative Web site.

2. Select Domain Properties in the tool bar. The domain properties page appears.

3. In the Password or Smart Card Reset Setup section of the page, use the ‘Download data recovery tool for Groove version’ option to specify the Groove version installed on managed user devices, and click the Download button. A standard Save As pop-up window appears.

4. In the Save As window, browse to the network location where you want to store the data recovery tool.

This generates the Data Recovery tool, DataRecoveryAdminTool.exe (and its associated system files), which enables you to restore the password and/or data on a client machine.

5. Run the Data Recovery Tool, DataRecoveryAdminTool.exe, from its current location to create the data recovery certificate and keys. The Recovery page appears.

Note: Do not try to run the .exe file from a remote location; you must download and run it from the client PC.

6. Choose a data recovery option as follows:

• Reset Password - To reset the user’s password and restore full access to all workspaces and account data, providing that your policy allows resetting a user’s password.

• Recover Workspace Data - To copy the workspace information into another location. If you need to reactivate the workspaces in their new location, you must ask the workspace owners to invite you into them or invite them yourself.

If your policy allows only recovery of workspace data (not resetting the password), only the second option is available to you; an error will appear if you set the first option.

7. Edit the following fields, then click Next:

a. In the Private Key File field, enter the .xml file path for the private key file (that was generated during initial set up of this feature).

b. In the Administrator password field, enter the administrator private key password that was originally defined.

8. If you chose the Reset Password option, the Reset Password page appears. Proceed as follows:

a. In the Account Name field, select the name of the managed account that you want to restore.

b. In the New Password field, enter a new pass phrase, then enter it again in the Confirm new password field.

c. Click Finish. A completion pop-up window appears.

d. Click OK to exit.

e. Launch Groove and, when prompted, enter the new password to log in to the user’s account.

9. If you chose the Recover Workspace Data option, the Recovery page appears. Proceed as follows:

a. Choose one of the following output options, as described in the following table:

b. When the completion pop-up appears, click OK.

10. If you saved the workspace(s) in an account, launch Groove and open the specified account.

11. If you exported the workspace(s) to disk, restore the space(s) on the Groove client as follows:

a. From the client device, launch Groove.

b. Go to My Spaces.

c. From the File menu, choose Restore Workspace or Open Workspace Archive (depending on which Groove version you are using). The Restore pop-up window appears.

d. Browse to the location where you saved the workspace(s).

e. Enter the password defined in the Recovery options of the Data Recovery tool.

f. Click OK. The workspace appears in the list of workspaces.

Recovery Options Descriptions

Export spaces into new account

Choose this option to copy the selected workspaces to a new Groove account, then do the following:

1. Click the Next button to display a page where you enter the account name and password of the new account.

2. Enter the information, then click Next again to select a workspace.

3. Click the Finish button.

Export spaces into existing account

Choose this option to copy selected workspaces into another existing account on the device, then do the following:

1. Click the Next button to display a page where you select an existing name and its correct password.

2. Enter the information, then click Next again to select workspaces.

3. Click the Finish button.

Export spaces into directory on disk

Choose this option to copy the selected workspaces into a specified directory, then do the following:

1. Click the Next button to display a page where you select a directory path and an optional password for each space.

2. Click Next again to select workspaces.

3. Click the Finish button.

Managing User Interaction with Unauthenticated Identities

Domain member contact lists can include both authenticated and unauthenticated contacts, though this distinction may not be immediately apparent to users. Management server identity policies allow you to specify how user ‘authenticity’ is indicated in managed user contact lists. The following sections provide information and instructions for determining the level of peer authentication:

• Authenticated vs. Unauthenticated Groove Identities

• Setting Up Peer Authentication

Authenticated vs. Unauthenticated Groove Identities

Groove supports two types of authentication: manual authentication and certification. Manually authenticated contacts are those whose identity has been verified out-of-band (by checking their digital fingerprints, for example). Certified contacts are those whose identity has been validated by a certificate issued by a management domain administrator. Text color distinguishes contacts in managed user contact lists, as summarized in the following table for each authentication type:

Groove PKI:

• The contact is a member of the user’s management domain.

• The contact is a member of a domain that is cross-certified with the user’s management domain (as described in the Managing Groove Domains section of this guide).

• The contact is personally (manually) authenticated by the user.

• The contact is not authenticated.

Enterprise PKI:

• The contact is certified.

• The contact is personally (manually) authenticated by the user.

• The contact is not authenticated.

You can control how your users interact with unauthenticated identities by setting up a peer security policy. When a domain member attempts one of the actions listed in the “Peer Action” table below, the appropriate warning or prevention policy goes into effect as described.

Setting Up Peer Authentication

Establishing peer authentication in a managed Groove environment occurs mainly via a single identity policy that defines peer authentication for all members using the specified identity policy template.

To set up a peer authentication policy, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. Click the Security Policies tab.

3. Go to the Peer Authentication Policy section of the Security Policy page and select one of the options, described in the following table:

4. Select Save Changes in the tool bar to submit your changes. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined. The table below summarizes the effect of each policy in various Groove contexts.

Peer Authentication Policy Options

Descriptions*

Do not warn members about communicating with any contacts

When this option is in effect, Groove will not display warnings indicating communications with an unauthenticated identity.

Warn members before they communicate with contacts that have neither been administrator-certified nor manually authenticated by the user.

This option displays an Authenticate pop-up window, prompting users to authenticate any unauthenticated identity.

Only allow communications with administrator-certified contacts.

When this option is in effect, Groove allows communications among certified identities only.

*See the Peer Action table below for descriptions of these options in various contexts.

Peer Action Peer Security Policy Effect*

Sending an instant message or workspace (.grv) invitation (including light chat and MS Instant Messages), or replying to or forwarding an instant message.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any recipients are unauthenticated, Groove displays an Authenticate pop-up window, prompting the sender to authenticate unauthenticated users in the invite list. The sender may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients are uncertified, Groove displays a pop-up window listing the uncertified users and explaining that communication with those users will not occur.

Confirming workspace invitations.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If an unauthenticated user accepts an invitation, Groove displays a confirmation pop-up window to the inviter. If the inviter confirms the acceptance, an Authenticate pop-up window appears, prompting the inviter to manually authenticate the user. The inviter may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If an uncertified user accepts an invitation .grv file from a managed user, the invitation will nevertheless be declined and the workspace will not be downloaded.

Opening a workspace.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any workspace members are unauthenticated, Groove displays an Authenticate pop-up window, prompting the user who is opening the workspace to manually authenticate unauthenticated users. The workspace opener may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients are uncertified, Groove displays a pop-up window (upon user navigation to the workspace) explaining that x members of the space are uncertified.

Creating a workspace.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If any recipients of the invitation .grv are unauthenticated, Groove displays an Authenticate pop-up window, prompting the inviter to manually authenticate unauthenticated users in the invite list. The workspace creator may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - If any recipients of the invitation .grv are uncertified, Groove displays a pop-up window stating that x recipients are uncertified and prevents those users from entering the space.

Setting the Default Workspace Version

When a Groove user begins the workspace creation process, the user can choose which version of Groove to use. You can set an identity management policy that restricts managed users assigned to a specific identity policy template to a specified Groove version.

The default Groove policy is the current version (such as 3.0). If your managed users have not yet upgraded to the current version and you want to discourage creation of new version workspaces, you can change the default workspace version to an older version (such as 2.5). However, in changing the default version to a pre-2.5 option, be aware that domain-wide updates to contacts associated with managed members in pre-2.5 workspaces may slow considerably and possibly disrupt Groove operation.

To change the default workspace version, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. On the Member Policies page, select a value in the ‘Default version for new workspaces’ drop-down menu.

3. Click the Save Changes button. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

Fetching a workspace.

• Do not warn or restrict members when communicating with any contacts. - No effect.

• Warn member before communicating with contacts that have been neither administrator-certified nor manually authenticated by the member. - If the workspace member who is the source of the fetch is unauthenticated, Groove displays an Authenticate pop-up window, prompting the fetcher to manually authenticate the user. The workspace fetcher may or may not choose to do so.

• Only allow members to communicate with administrator-certified contacts. - When a managed user attempts to fetch a workspace from an uncertified user, Groove displays a pop-up window explaining that the workspace member who is the source of the fetch is uncertified. The managed user must fetch from a certified workspace member.

Instantiating a Co-Edit session.

Users must be workspace members before initiating a co-edit session, so no additional authentication checking is necessary; that checking has already occurred when the workspace was created or opened.

*In this table, ‘authenticated’ generally means manually authenticated or certified; ‘unauthenticated’ means neither manually authenticated nor certified
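The Peer Action table comes down to two per-recipient checks: is the contact certified, and is the contact authenticated at all. The Python model below is an added example, not Groove code; the class and function names and the sample contacts are constructed, and it assumes that under Groove PKI "certified" means membership in the user's domain or in a cross-certified domain.

```python
from dataclasses import dataclass, field
from enum import Enum


class Pki(Enum):
    GROOVE = "Groove PKI"
    ENTERPRISE = "enterprise PKI"


class Policy(Enum):
    DO_NOT_WARN = "Do not warn members about communicating with any contacts"
    WARN = "Warn members before they communicate with unauthenticated contacts"
    CERTIFIED_ONLY = "Only allow communications with administrator-certified contacts"


@dataclass(frozen=True)
class Contact:
    name: str
    domain_member: bool = False           # Groove PKI: same management domain
    cross_certified: bool = False         # Groove PKI: cross-certified domain
    has_certificate: bool = False         # enterprise PKI: certified contact
    manually_authenticated: bool = False  # verified out-of-band by the user


@dataclass
class Outcome:
    allowed: list = field(default_factory=list)              # not blocked by policy
    authenticate_prompt: list = field(default_factory=list)  # listed in the Authenticate pop-up
    blocked: list = field(default_factory=list)              # communication will not occur


def is_certified(contact, pki):
    """Administrator-certified, per the PKI type of the domain (assumed mapping)."""
    if pki is Pki.GROOVE:
        return contact.domain_member or contact.cross_certified
    return contact.has_certificate


def is_authenticated(contact, pki):
    """'Authenticated' in the table means certified or manually authenticated."""
    return is_certified(contact, pki) or contact.manually_authenticated


def evaluate_send(policy, pki, recipients):
    """Apply a peer authentication policy to the recipients of a message or invitation."""
    out = Outcome()
    for c in recipients:
        # Strictest policy: manual authentication alone does not satisfy it.
        if policy is Policy.CERTIFIED_ONLY and not is_certified(c, pki):
            out.blocked.append(c.name)
            continue
        # Warn policy: the sender is prompted but may choose not to authenticate.
        if policy is Policy.WARN and not is_authenticated(c, pki):
            out.authenticate_prompt.append(c.name)
        out.allowed.append(c.name)
    return out


# Constructed sample contacts.
SAMPLE_RECIPIENTS = [
    Contact("alice", domain_member=True, has_certificate=True),
    Contact("bob", cross_certified=True),
    Contact("carol", manually_authenticated=True),
    Contact("dave"),
]

if __name__ == "__main__":
    for pki in Pki:
        for policy in Policy:
            print(pki.value, "|", policy.name, "|", evaluate_send(policy, pki, SAMPLE_RECIPIENTS))
```

Note that carol, who is only manually authenticated, passes the warn policy without a prompt but is blocked under the certified-only policy.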

Specifying Enterprise PKI Certificates

If enterprise PKI is your chosen identity authentication method, specified during domain creation, you can control which member identity authentication certificates are available to managed users by setting an identity policy accordingly.

To limit member identity authentication certificate choices to those signed by specific Certification Authorities (those certificates whose certificate chain contains a specific Certification Authority, or CA), follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. Click the Security Policies tab.

3. From the Security Policies page, add identity authentication certificates to the template as follows:

a. Click the Add CA Certificate button. A file download window appears so you can download a CA certificate file.

b. Browse to the location of your company’s identity authentication certificates and click OK to download the file to the template. The CA certificate appears in the certificate list, along with its issuer name. You can click the certificate name to view its contents.

4. Repeat the Add CA Certificate step for each CA certificate that you want to download.

5. To delete any unwanted CA certificates from the management server, click the Delete Certificate button next to the CA certificate that you want to delete.

6. If necessary, edit the value in the field ‘Consider an identity authentication certificate invalid if revocation status has not been updated in __ days’. See the table below in “Security Policies” for more information about this field.

7. Select Save Changes in the tool bar to submit your changes. Any domain group or member to whom you assign this identity policy template will be subject to this identity authentication policy.

Setting Time Limit on Valid PKI Certificates

If enterprise PKI is your chosen identity authentication method, specified during domain creation, you can control when identity authentication certificates become invalid - after a number of days during which revocation status was unavailable.

To specify when an identity authentication certificate becomes invalid, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. Click the Security Policies tab.

3. From the Security Policies page, edit the value in this field: ‘Consider an identity authentication certificate invalid if revocation status has not been updated in __ days’.

4. Select Save Changes in the tool bar to submit your changes. Any domain group or member to whom you assign this identity policy template will be subject to this identity authentication policy.
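The two enterprise PKI policies above (the CA restriction and the revocation-status time limit) combine into one validity decision per certificate. The Python model below is an added example, not Groove code; the names, CA fingerprints, and dates are constructed, and it assumes that an empty CA list means no restriction, that a certificate becomes invalid once the status age exceeds the limit, and that a status timestamp in the future counts as age zero.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple

DEFAULT_MAX_STALE_DAYS = 90  # default value stated in the guide


@dataclass(frozen=True)
class IdentityCert:
    subject: str
    issuer_chain: Tuple[str, ...]  # CA fingerprints, issuing CA first (constructed placeholders)
    revoked: bool                  # result of the last successful revocation check
    status_updated_at: datetime    # when revocation status was last refreshed


def evaluate_cert(cert, allowed_cas, now, max_stale_days=DEFAULT_MAX_STALE_DAYS):
    """Return (valid, reason) for one identity authentication certificate."""
    # CA restriction: the chain must contain at least one allowed CA.
    # Assumption: an empty allow-list means the policy is not in use.
    if allowed_cas and not allowed_cas.intersection(cert.issuer_chain):
        return False, "chain contains no allowed CA"
    if cert.revoked:
        return False, "revoked"
    # Time limit: fail closed when status has been unavailable too long,
    # for example because the managed user was offline.
    # Assumption: a timestamp ahead of the local clock counts as age zero.
    age = max(now - cert.status_updated_at, timedelta(0))
    if age > timedelta(days=max_stale_days):
        return False, f"revocation status stale for {age.days} days"
    return True, "ok"


def audit(certs, allowed_cas, now, max_stale_days=DEFAULT_MAX_STALE_DAYS):
    """Evaluate a named set of certificates and return {name: (valid, reason)}."""
    return {name: evaluate_cert(c, allowed_cas, now, max_stale_days)
            for name, c in certs.items()}


# Constructed sample data.
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)
ALLOWED_CAS = frozenset({"CA-ROOT-EXAMPLE"})
_CHAIN = ("CA-ISSUING-EXAMPLE", "CA-ROOT-EXAMPLE")
SAMPLE_CERTS = {
    "fresh": IdentityCert("cn=alice", _CHAIN, False, NOW - timedelta(days=10)),
    "boundary": IdentityCert("cn=bob", _CHAIN, False, NOW - timedelta(days=90)),
    "offline": IdentityCert("cn=carol", _CHAIN, False, NOW - timedelta(days=120)),
    "revoked": IdentityCert("cn=dave", _CHAIN, True, NOW - timedelta(days=1)),
    "other_ca": IdentityCert("cn=erin", ("CA-UNLISTED-EXAMPLE",), False, NOW),
    "clock_skew": IdentityCert("cn=frank", _CHAIN, False, NOW + timedelta(days=1)),
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CERTS, ALLOWED_CAS, NOW).items():
        print(f"{name:11s} {result}")
```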

Enabling Groove-XMPP Communications

As of version 3.1, Groove Virtual Office provides public XMPP proxy servers to enable Groove client communication with Jabber and other XMPP clients. In a managed environment, an enterprise can install Groove XMPP Proxy Servers onsite, allowing administrators to provision Groove domain members to private XMPP servers, similar to the way users can be provisioned to dedicated relay servers. A management server identity policy determines whether domain members can access any Groove-XMPP proxy servers.

For detailed information about installing and configuring Groove XMPP Proxy Servers onsite, see the Enterprise Relay Server Administrator’s Guide.

Note: Jabber (and other XMPP) users are handled like email and other non-Groove users in Groove user contact lists - Groove does not authenticate them and may display a message indicating that these users have a lower level of security. If you are concerned about the lack of authentication of XMPP contacts, or the lack of a warning when sending instant messages to unauthenticated contacts, consider disabling the management server identity policy that controls XMPP integration.

To control whether Groove management domain members can access Groove XMPP proxy servers that enable Groove-XMPP communications, follow these steps:

1. Go to the management server administrative Web site and click an identity policy template in the navigation pane. The Member Policies tab appears.

2. On the Member Policies page, enable Groove-XMPP communications by selecting the policy: Allow Groove client to use XMPP messaging. To prohibit managed Groove users in the domain group from utilizing Groove XMPP proxy servers, uncheck this policy.

For more information about this field, see the table in “Member Policies” below.

3. Click the Save Changes button. Any domain group or member to whom you assign this identity policy template will be subject to the policy you just defined.

4. If you chose to allow XMPP messaging and you have installed a Groove XMPP server in your enterprise, provision users to this server by defining a Server set within the domain group and assigning users to it, similar to the way you would provision users to relay servers. For information about provisioning managed Groove users to XMPP proxy servers, see “Managing Groove Servers” in this guide.

Member Policies

The following table describes Member identity policy settings:

Member Identity Policy Settings

Descriptions

Backup account every [] day(s) (maximum 7)

Specifies how often the management server will automatically back up user accounts for managed identities in the domain.

Enter a number from 1 to 7 in the text box to specify the number of days between backups. Leaving the text box empty disables this policy and accounts will not be backed up.

To restore a backed-up account to a user, use the Members details page to send the user email along with the information necessary for restoring the account. For more information about backing up and restoring user accounts, see “Backing Up and Restoring User Account Data” in the Managing Users section of this guide.

Default: blank

Allow Groove client to use XMPP messaging

Specifies whether domain members can access Groove XMPP proxy servers that enable Jabber and other XMPP-based communications. The policy controls use of public Groove Networks-hosted XMPP proxy servers as well as any installed onsite at an enterprise.

Default: enabled (checked)

Default version for new workspaces

Overrides the default Groove workspace compatibility option, available to managed Groove identities during workspace creation. The default compatibility option for Groove clients is the current version of Groove Virtual Office.

To override this default setting (changing it to 2.5, for example) select the Default version option, then select another Groove version from the drop-down menu. Leave the option unchecked to accept the current Groove version default.

For more information about changing the Groove workspace version, see “Setting the Default Workspace Version” above.

Default: client default

Identity Publishing Policies

Prohibit publishing of vCard to management server directory

Specifies that EMS should NOT publish the managed identity contact information (vCard) of domain group members to the EMS local directory of domain members.

Selecting this option prohibits vCard publication in the management server member directory. Leaving the option unchecked allows vCard publication in the member directory.

Default: unchecked

Allow publishing of vCard to groove.net directory

Specifies that EMS can publish the managed identity contact information (vCard) of domain group members to the groove.net public directory on the groove.net Web site.

Selecting this option allows vCard publication in the groove.net directory. Leaving the option unchecked prevents vCard publication on groove.net.

Default: unchecked

Device Management Policies

Identities may only be used on a managed device in this domain

Specifies that managed identities in the selected domain can only be used on managed devices.

Selecting this option sets the restriction. Leaving the option unchecked allows managed identities to be used on any device, managed or not.

Note: If no managed device is associated with a user, enabling this policy will prevent such users from accessing their managed identities.

Default: unchecked

Automatically manage devices at activation

Enables the management server to automatically activate Groove user devices upon activation of managed user identities.

To extend application of this policy outside a management domain, you can specify Windows Domains by selecting ‘For users in the following Windows domains:’, entering a Windows domain name in the text box, then clicking the Add button. To remove a Windows domain, select it from the Windows Domains list and click the Remove button.

See “Automatically Managing Devices During Identity Activation” above for details about using this policy.

Security Policies

The following table describes Security identity policy settings:

Security Identity Policy Settings

Descriptions

Peer Authentication Policies

Options

Specifies how the management server handles client communication with unauthenticated identities. In a Groove PKI environment, unauthenticated identities are those that are not domain members, not certified via the management server’s cross-domain management feature, and not manually authenticated. In an enterprise PKI environment, unauthenticated identities are those that are neither certified nor manually authenticated.

Select one of the following options to designate how the Groove client handles unauthenticated identities in a workspace created in a managed Groove account:

• Do not warn members about communicating with unauthenticated identities.

• Warn members before they communicate with unauthenticated identities. User

• Prevent members from communicating with uncertified identities.

For more information about peer authentication, see “Managing User Interaction with Unauthenticated Identities” above.

Default: Do not warn members

Identity Authentication Certificates

Limit members’ identity authentication certificate choices to certificates signed by the following CAs:

If the selected domain was created with enterprise PKI, you can use this policy to limit member identity authentication certificate choices to those signed by specific Certification Authorities in an enterprise PKI environment.

Use the Add CA Certificate tool to add allowed CA certificates to the current identity policy template.

You can click the Delete Certificate button next to any CA certificate that you want to delete from the management server list.

Specified certificate names and associated issuers appear in the certificate list. With this policy in effect, for identity authentication, managed users may only attach to their contacts those certificates whose chain contains one of these CAs.

For more information about peer authentication, see “Specifying Enterprise PKI Certificates” above.

Consider an identity authentication certificate invalid if revocation status has not been updated in __ days

If the selected domain was created with enterprise PKI, specifies the number of days that may pass before a certificate is considered invalid because its updated revocation status has been unavailable (for example, when a managed user is offline for an extended period).

Default: 90

Password/Smart Card Login Reset Policies (Groove Virtual Office 3.0f or later)

Reset options

(as of EMS 3.0f for use with Groove Virtual Office 3.0f or later)

Lets you set one of the following reset options:

• Automatic reset (and data recovery) - Allows automatic reset of user passwords/smart card logins and recovery of workspace data. With this option enabled, users who request a credential reset from Groove receive an email (from the onsite or hosted management server, or from groove.net) supplying them with a temporary password.

Note: This option requires that the data recovery key and password, defined on the Domain Properties page, are stored on the management server.

• Manual reset (and data recovery) - Allows administrator-controlled reset of managed user passwords/smart card logins and recovery of workspace data on managed devices.

• Data recovery - Allows recovery of managed users’ workspace data on managed devices but prohibits reset of user passwords/smart card logins.

• None - Prevents reset of managed user passwords/smart card logins or recovery of member data on managed devices.

Default (for new domains): Automatic reset (and data recovery).

Customize Manual Reset Instructions

(as of EMS 3.0f for use with Groove Virtual Office 3.0f or later)

Available only if you have already downloaded a data recovery certificate, as described in “Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)” below. Displays a window that lets you edit the password reset instructions that managed Groove users receive in response to a password reset request.

For information about customizing reset instructions, see “Customizing Reset Instructions (for Groove 3.0f or later)” above.

Managing Device Policies

Device-based installation and security policies set a foundation for Groove device management. The device policy template assigned to a user - directly or via the user’s domain group - applies to specific managed user devices only; it does not affect unmanaged devices also running Groove. Once you add Groove devices to a management domain, you can use the management server to oversee Groove password creation, device-based security policies, data recovery, and other aspects of Groove use on a given device.

The sections below describe device policies and how to customize them to best advantage:

• Overview of Device Management

• Registering User Devices with the Management Server

• Creating Device Policy Templates

• Changing Device Policy Templates

• Administering Device Templates

• Viewing and Editing Device Policies

• Customizing Component Policies for Devices

• Managing Groove Platform Upgrades

• Controlling Login Credential Reset and Data Recovery

• Resetting Groove Login Credentials for Managed Devices

• Customizing Reset Instructions for Managed Devices

• Setting Up Data Recovery on Managed Devices

• Controlling Groove Tool Usage on Managed Devices

• Limiting Groove Bandwidth Usage for Devices

• Enabling Groove Client Auditing

• Supporting an Onsite Groove Component Server

• Account Policies

• Client Policies

• Security Policies

• Usage Policies

• Audit Server Policies

Overview of Device Management

Device policies add another tier of control to Groove identity policies (described in “Managing Identity Policies”, earlier in this guide). Groove devices are associated with users at the time of managed identity activation. The devices are unmanaged - unaffected by management device policies - until an administrator explicitly makes them managed. You can modify device policies, and change or add new templates at any time, but examining and customizing the defaults is a wise first step in setting up a management environment.

As with identity policies, collections of device policy settings reside in device policy templates which you can assign to domain groups, subgroups, and individual users. A device policy template assigned to a user - directly or via the user’s domain group - applies to all devices where the user’s managed account resides. The management server’s default device policy template, with its collection of default settings, is applied to domain groups by default. However, none of these settings take effect unless specific devices are registered with a management domain.

Applying device policies to managed user PCs requires a preparatory step to bind user devices to a domain: a management domain registry key must be installed on each user device that you want to manage. You can access the key using the Download Device Management Key tool available from any of the domain’s device templates. You then deploy the key to client devices individually or via a centralized software deployment system.

Once device registries are updated and associated managed Groove identities are activated, the devices become subject to the policies set in the device policy template to which their associated users are assigned - directly or via domain groups.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.

Registering User Devices with the Management Server

You can manage Groove devices (user computers) by updating their Windows registries with a management server key from a device policy template for a domain. This key binds the device to a management domain and makes it eligible for device policies defined in templates for that domain.

You must manage your Groove devices if you want to set device-based policies, including the following:

• Groove user account practices

• Groove component installation

• Groove bandwidth usage

• Groove password creation

• Groove client auditing

The following sections provide background and instructions for registering devices in a management domain:

• Overview of Device Registration

• Registering Devices in a Management Domain

• Deleting Managed Devices from a Domain

Overview of Device Registration

Adding devices to a Groove management domain consists of downloading a registry key to every client device that you want to manage. This registry key file (.reg file), accessible from any management server device policy page, contains management server registry settings that are added to the Windows registry of each client device. The management server recognizes registered devices as managed and under domain jurisdiction.

One device registry key is associated with all device policy templates in a domain. Therefore, centralized device key deployment is a practical approach. However, a specific device can be registered from only one device policy template. Attempting to register a device from a second policy template results in overwriting the device management settings from the original template.

While you can register user devices at any time, registering them during initial management server setup is preferable because it allows you to enforce initial Groove password requirements; password creation policies are device policies and so can be applied only to managed devices.

You can view users and their devices on the Members Properties page, as described in “Viewing and Editing Domain Member Information” in the Managing Groove Users section of this guide.

Registering Devices in a Management Domain

You can register devices in a management domain manually, as described below, or you can set an identity policy that allows automatic device management registration for Groove users upon identity activation. For information about automatically adding a device to a management domain, see “Automatically Managing Devices During Identity Activation” in the Managing Identity Policies section of this guide.

To add a device to a management domain, follow these steps:

1. From any client device, go to the management server administrative Web site, and select a device policy template. The first tab of the device template appears.

2. From the selected device template, click the Download Device Management Key button. A File Download pop-up window appears.

3. Click the Open button, then OK to download the management server registry key (contained in a .reg file) to the local device.

Or, click the Save button, enter a directory location, then click Save to save the registry settings to a .reg file for subsequent distribution, using a centralized software deployment system, for example.

All devices in the domain share the same registry setting, so if you save the registry settings in a file, you can use it to update the registry of any devices that you want to manage within a domain.

4. Using your normal registry key distribution method, apply the registry settings to each device that you want to include in your domain or group. (On each device, click the .reg file to apply the registry settings to the local device.) These registry settings are applied to HKEY_LOCAL_MACHINE/SOFTWARE/Groove Networks, Inc./Groove/ManagementDomain in the Windows registry of the device.

5. Restart Groove on the client devices to update their Windows registries. Once a registered device starts up Groove, the device appears as Managed in the device list on the management server Members Properties page for the managed user(s) of this device. The device is then subject to the default or customized device policy templates assigned to domain groups and members.

Note: Managed devices are password-protected by default.

Deleting Managed Devices from a Domain

You can remove managed devices from a domain by setting a domain property that deletes devices after a specified period of inactivity. You cannot delete individual devices.

To delete managed devices from a management domain after a specified period of inactivity, follow these steps:

1. Go to the management server administrative Web site and select a management domain in the navigation pane. The domain tab appears.

2. Click the Domain Properties button. The domain Properties window appears.

3. From the domain Properties window, enter a value in the Remove devices from domain after __ days of inactivity field. A value of 0 does not remove any devices. The default value is 90 days.

4. Click OK.

Creating Device Policy Templates

The management server provides you with an initial device policy template that contains default policy settings appropriate for typical Groove use in an enterprise. You can create additional device templates at any time, using the Add Templates tool from the Device Policy Templates page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add policy templates.

To create a device policy template, follow these steps:

1. Go to the management server administrative Web site and from the navigation pane, select the Device Policy Templates heading for a domain. A list of templates appears in the main window.

2. Select Add Template in the tool bar. The Add Template window appears.

3. In the Add Template window, enter a template name and optional description in the corresponding fields.

4. Click OK. The new template appears in the list on the Templates page and in the navigation pane. Clicking the template in the navigation pane lets you view the template’s default policy settings and edit them.

Changing Device Policy Templates

The management server provides a default device policy template that applies to all devices on which managed identities in a domain group have an account. This initial template contains device policy settings appropriate for typical Groove use in an enterprise. If you have defined additional device policy templates (as described in “Viewing and Editing Device Policies”), you can change default template assignments for any group or member.

Note that an assigned device policy template affects all users of a managed device (if more than one user has an account on the device). Therefore, changing the device policy template for one user affects all other users of that device.

The following sections explain how to re-assign device policy templates:

• Changing Device Policy Templates for a Group

• Changing Device Policy Templates for a Group Member

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change policy templates at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

Note: For information about editing device policies in a template, see “Viewing and Editing Device Policies” later in this chapter.

Changing Device Policy Templates for a Group

To change device policy templates for a group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group in the navigation pane.

2. Select Group Properties in the tool bar.

3. From the group Properties page, select the desired policy template from the Device Policy Template drop-down menu.

4. To apply this change to all subgroups and members of this group, select the option, ‘Override settings for all members and subgroups.’ Otherwise, to leave subgroup and member template assignments as is, leave the box unchecked.

5. Click OK.

Changing Device Policy Templates for a Group Member

To change device policy templates for a group member, follow these steps:

1. Go to the management server administrative Web site and navigate the domain tree until the member whose template you want to change appears in the main screen display list.

2. From the main screen, click the member name. The Member Information page appears.

3. From the member Properties page, select the desired policy template from the Device Policy Template drop-down menu.

4. Click Apply to save your changes without closing, or OK to change and close.

Administering Device Templates

You can edit, clone, or delete device policy templates from the Device Policy pages on the management server. Note that in a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer policy templates at the group level. Assigning templates to individual members requires a role of Server, Domain, or Member administrator.

For instructions about administering device policy templates and settings, see the appropriate sections in the Identity Policy section earlier in this guide, and substitute device policy tabs, fields, and menus for identity policy equivalents. The following table lists the relevant references:

For information about: | See:
Editing a policy template name | Editing Policy Template Names
Cloning a policy template | Cloning Policy Templates
Deleting policy templates | Deleting Policy Templates

Viewing and Editing Device Policies

Device policies are grouped into templates which apply to a domain group or to an individual identity associated with the device. Most of these policies concern the security of company resources. Examine the templates that contain these policy settings to make sure that they are adequate for your organization and change them if necessary.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to edit policies.

To edit or view device policies, follow these steps:

1. Go to the management server administrative Web site and click a device policy template in the navigation pane. Four device policy tabs appear, for setting the policies listed in the following table and in detail in the sections below:

Device Policy Tabs and Descriptions

Account Policies:

• Creation of multiple accounts

• Importing accounts

• Use of managed identities on managed devices

Client Policies:

• Component installation policies

• Advanced:

> Install components from

> Custom policies - version-specific

Security Policies:

• Login method (password or smart card)

• Password creation

• Account lockout

• Strong private key protection

• Web Services

Audit Server Policies:

• Audit server

• Account events audited

• Tool events audited

2. Click the tab for the policies that you want and edit them as necessary.

3. Select Save Changes in the tool bar.

Customizing Component Policies for Devices

If your device policies allow users to install components that run on the Groove platform and you want to customize those policies, you can do so by defining a custom policy from the management server’s Device Policies pages. Custom policies let you control component installation to the level of component publisher, component name, and component version. The component publisher can be Groove Networks or any third party that creates components for use with Groove. The following sections provide basic information about defining custom policy and a procedure for defining custom component installation policies.

The following sections provide background information and procedures for customizing component installation policies:

• Component Policy Basics

• Customizing Component Install Policies

• Editing Component Policies

• Deleting Component Install Policies

Note: Devices must be managed in a domain in order to be controlled by domain device policies, as described above in “Registering User Devices with the Management Server”.

Component Policy Basics

Customized component policies modify the overall setting of Allow users to install every component, No components, or Prompt user. You can specify custom install settings to make an open policy more restrictive (by prohibiting installations of specific component publishers, components, or component versions) or a restrictive policy more open (by allowing exceptions).

Custom policy settings are hierarchical. More specific settings override more general settings. For example, a component name and version setting overrides a component name setting. When defining a custom installation policy, keep in mind the following guidelines:

• Component policy settings have the following order of override strength, in increasing order:

Component Publisher (signer’s Digital Fingerprint)

Component Name

Component Version (such as 2)

• Version settings have the following order of override strength, in increasing order:

Version 2

Version 2.1

Version 2.1.1

...

• More restrictive settings (such as Prohibit) take precedence over less restrictive settings (such as Allow), all other factors being equal.
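The override rules in these guidelines, combined with the version handling documented for the Operator field of the custom install policy, can be modelled as a small evaluator. This is an added example in Python, not Groove or management server code; the CompanyZ fingerprint is a constructed placeholder, and ranking Prompt between Allow and Prohibit and treating "not equal to" as a wild-card operator are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tie-break ranking. The guide ranks Prohibit above Allow; placing Prompt
# between them is an assumption of this example.
RESTRICTIVENESS = {"Allow": 0, "Prompt": 1, "Prohibit": 2}
FULL_OPS = {">", "<"}  # a rule version of "2" is compared as 2.0.0.0
# "=", ">=", "<=" treat "2" as the wild card 2.*; "!=" is assumed to as well.


def parse_version(text):
    """'2.1' -> (2, 1). Letters map to numbers (a=1, b=2): '2.1a' -> (2, 1, 1)."""
    return tuple(int(t) if t.isdigit() else ord(t.lower()) - ord("a") + 1
                 for t in re.findall(r"\d+|[A-Za-z]", text))


def version_matches(installed, op, wanted):
    if op in FULL_OPS:
        width = max(4, len(installed), len(wanted))
        a = installed + (0,) * (width - len(installed))
        b = wanted + (0,) * (width - len(wanted))
        return a > b if op == ">" else a < b
    # Wild-card operators look only at the fields the rule spells out.
    head = (installed + (0,) * len(wanted))[:len(wanted)]
    return {"=": head == wanted, "!=": head != wanted,
            ">=": head >= wanted, "<=": head <= wanted}[op]


@dataclass(frozen=True)
class ComponentRule:
    name: str
    policy: str                      # Allow / Prohibit / Prompt
    operator: Optional[str] = None   # None is the "no comparison" default
    version: str = ""


@dataclass(frozen=True)
class PublisherPolicy:
    display_name: str
    fingerprint: str
    install: str       # Allow = Every component, Prohibit = No components, Prompt
    rules: tuple = ()


def normalize(fingerprint):
    return re.sub(r"\s+", "", fingerprint).upper()


def evaluate(default, publishers, fingerprint, component, version):
    """Return Allow / Prohibit / Prompt for one signed component package."""
    publisher = next((p for p in publishers
                      if normalize(p.fingerprint) == normalize(fingerprint)), None)
    if publisher is None:
        return default                       # no custom policy for this signer
    installed = parse_version(version)
    matches = []                             # (specificity, policy)
    for rule in publisher.rules:
        if rule.name != component:
            continue
        if rule.operator is None:
            matches.append((0, rule.policy))  # name-only rule
        else:
            wanted = parse_version(rule.version)
            if version_matches(installed, rule.operator, wanted):
                matches.append((len(wanted), rule.policy))
    if not matches:
        return publisher.install             # publisher setting beats the default
    top = max(spec for spec, _ in matches)   # most specific version wins
    tied = [policy for spec, policy in matches if spec == top]
    return max(tied, key=RESTRICTIVENESS.get)  # then the most restrictive


# Sample fingerprint shown in this guide for Groove Networks.
GROOVE_FP = "4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB"
# Constructed placeholder, not a real certificate thumbprint.
COMPANYZ_FP = "AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA"

PUBLISHERS = [
    PublisherPolicy("CompanyZ", COMPANYZ_FP, "Allow", (
        ComponentRule("ComponentA", "Prohibit"),
        ComponentRule("ComponentA", "Allow", "=", "2.1"),
    )),
    PublisherPolicy("Groove Networks", GROOVE_FP, "Allow", (
        ComponentRule("net.groove.Groove.Core", "Prohibit", ">=", "2.1"),
        ComponentRule("net.groove.Groove.Upgrade", "Prohibit", ">=", "2.1"),
    )),
]

if __name__ == "__main__":
    for fp, name, ver in [(COMPANYZ_FP, "ComponentA", "2.0"),
                          (COMPANYZ_FP, "ComponentA", "2.1.0.0"),
                          (GROOVE_FP, "net.groove.Groove.Core", "3.0"),
                          (GROOVE_FP, "net.groove.Groove.Core", "2.0")]:
        print(name, ver, "->", evaluate("Allow", PUBLISHERS, fp, name, ver))
```

Running a planned rule set through a model like this before saving it in a template shows which rule actually decides each version, which is where a broad Allow and a narrower Prohibit most often interact in unexpected ways.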

The following table shows an example of settings that define a custom installation policy for CompanyZ components:

Component Name | Operator | Version | Policy | Definition
ComponentA | - | - | Prohibit | ComponentA installations are prohibited.
ComponentA | = | 2.1 | Allow | ComponentA version 2.1 is allowed.

Composite policy: Installations of ComponentA from CompanyZ are prohibited for all versions except version 2.1.

To refine component installation policies so that they apply to components from specific component publishers (signers), you use the custom install policy pages as described in the procedures that follow.

Note: Custom policies affect Groove component install policy only; they do not affect settings for automatic component upgrade or installation of self-signed components.

Customizing Component Install Policies

You can use the following general procedure to customize the device policies that control component installation on Groove client devices. For specific information about creating a custom policy to control upgrades to Groove platform and tool components, see “Managing Groove Platform Upgrades” later in this chapter.

To customize the component installation policies for managed devices, do the following:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. To prevent installation of any Groove components, from the Client Policies tab, select the option, ‘Prevent members from Installing any component’. The default condition of this and all the component installations options is unchecked, allowing users to install any Groove component.

4. If you did not select the option to prevent members from installing any Groove component and you want to modify the policy to be more restrictive, select the option, ‘Deny installation of self-signed components’, and/or the option, ‘Prevent Groove from searching and automatically installing new components’.

5. To require that managed Groove users work from a specific version of Groove, other than the default of the current version, select another version from the drop-down menu.

6. If you want to restrict the sources of Groove components and/or create a custom policy, click the Advanced Install Policies button. The Advanced Install Policies page appears.

7. From the Advanced Install Policies page, specify a server name as the authorized source of Groove components or leave the default option (Anywhere) selected.

8. Click the Add Install Policy button. The Add Install Policy page appears, with a set of custom policy fields that you can fill in, as shown in the following table:

Device Custom Install Policies Fields

Display name

Values: Required. A policy display name - usually the name of a Groove component publisher, such as Groove Networks.

Example: If you set a policy to allow all component installations and then set a custom policy that prohibits all component installations from CompanyZ, CompanyZ installations will be prohibited but all other component installations will be allowed.

Digital fingerprint

Values: Required. The digital fingerprint (sometimes called a thumbprint, as in the Windows Certificate Viewer) for the component publisher. The digital fingerprint is an identifier associated with a certificate used by a component publisher to sign components. Cut and paste the digital thumbprint from the Internet Explorer certificate viewer.

The Digital fingerprint is at the top of the hierarchical custom policy setting, overriding only the default installation policy setting.

Allow users to install

Values: Required. The value in this field applies specifically to components from the specified publisher. Select a component installation option from the drop-down menu, as follows:

• Every component - Allows installation of all components from the specified component publisher.

• No components - Allows installation of no components from the specified component publisher.

• Prompt user - Displays a prompt to users, allowing them to trust the component signer.

Default: Every component

Explanation: Selecting Every component or Prompt user in this field allows installation of specific component versions, as stipulated in subsequent fields.

9. Click the Add Policy button to display additional fields and specify a version-specific component policy. Enter values in the additional fields as described in the following table.

Custom Install Policy Fields - Component and Version

Component name

Values: Optional. The component package name that you want to allow or prohibit. If you want to allow or prohibit installations of a specific component, enter its name here.

The component name is second in the hierarchical definition of the custom install policy.

Example: If you set a custom policy to allow installations of all components from CompanyZ and to prohibit installation of ComponentA, ComponentA installations will be prohibited, but all other CompanyZ components installations will be allowed.

Operator

Values: Optional. An operator to be used to specify a component version in your install policy. To specify component versions, click the drop-down menu and select one of the following operators:

• no comparison (no version specified)

• not equal to (≠)

• equal to (=)

• greater than (>)

• less than (<)

• greater than or equal to (>=)

• less than or equal to (<=)

Note the following effects of these operators:

• If you enter ‘less than’ or ‘greater than’, followed by a version number of 2, for example, the policy is applied with a version number of 2.0.0.0.

• If you enter the equivalent of =, <=, or >=, the policy is applied with a version number 2.*** (wild card format).

Operators are not hierarchical; they do not have an order of precedence.

Default: no comparison

Example: If you set a policy for CompanyZ components that allows installations of ComponentA but prohibits version 4, installations of ComponentA version 4 will be prohibited, while all other versions of ComponentA will be allowed.

Version

Values: Optional. In the appropriate version boxes, enter the version of the Groove component that you want to allow or prohibit, using numbers only. Enter the version number to whatever level of specificity (2, 2.1, 2.1.1 and so on) you need in order to define the policy.

The component version is third in the hierarchical definition of the custom install policy. Settings for a more specific version number (such as 2.1) override settings for a less specific version number (such as 2).

Note: To specify any version containing a letter, convert the letter to a decimal number, where a=1, b=2, and so on. For example, to specify version 2.1a, enter 2.1.1.

Example: If you set a custom policy to allow installations of CompanyZ ComponentA greater than version 2, and to prohibit installation of ComponentA version 2.1, CompanyZ ComponentA version 2.1 installations will be prohibited but all other CompanyZ ComponentA installations will be allowed.

Policy

Values: Required if a component name is specified.

Does not apply if defining Advanced Usage Policies.

This value indicates whether to allow or deny specific component versions, or to prompt users to decide. Choose one of the following options from the pull-down menu to set the policy for the specified component name and version:

• Allow - Allows the specified component installations.

• Prohibit - Prohibits the specified component installations.

• Prompt - Displays a prompt to device users, during installation, allowing device users to choose whether to trust the signer.

More restrictive policies take precedence over less restrictive policies, all other conditions being equal.

Default: Allow

Example: Selecting Allow users to install any components for CompanyZ, then specifying Component = ComponentA, allows installations of ComponentA from CompanyZ only.

10. When you finish defining the custom policy, click OK. The custom install policy that you defined appears in the hierarchical list of custom policies at the bottom of the Add Install Policy page. Parent policies appear at the top level, with any associated component and version-specific ‘child’ policies indented below them.

11. Click OK to save the entire custom policy, including the version-specific settings.

See the Usage Policies section of the “Client Policies” section below for descriptions of the component install policies.

Editing Component Policies

To edit or view a component policy, do the following:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit.

2. Click the Client Policies tab.

3. To edit component install policies, from the Client Policies page, click the Advanced Install Policies button, then click a policy in the Custom Policies list. The Custom Policies page appears.

4. Edit the parameters for the selected policy, as described above in “Customizing Component Install Policies”.

Deleting Component Install Policies

You can delete selected custom install policies or an entire policy governing component installation, as described in the sections below.

To delete an advanced install policy, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit.

2. Click the Client Policies tab.

3. From the Client Policies page, click the Advanced Install Policies button. The Add Install Policy page appears with a list of custom install policies.

4. Click the Delete Install Policy button to remove the policy defined on this page.

To delete a custom install policy, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit.

2. Click the Client Policies tab.

3. From the Client Policies page, click the Advanced Install Policies button. The Add Install Policy page appears with a list of custom install policies.

4. Select the custom policies that you want to delete.

5. Click the Delete Policies button to remove the selected custom policies.

Managing Groove Platform Upgrades

An important application of component installation policies is in controlling upgrades to the core Groove platform. Normally, component updates (from 2.x to 2.y, for example) or upgrades (from 2.0 to 3.0, for example) are allowed by default. Setting these policies requires the version and digital fingerprint (the certificate's hash or thumbprint) information for specific components associated with the Groove platform that you want to allow or prohibit.

Note: If the Groove Networks digital fingerprint changes, the existing fingerprint is still recognized in device policies.

Device component policies do not affect initial Groove installations (which you can restrict by configuring locked down clients via your enterprise software management application, such as Microsoft’s Software Management Service, SMS).

Note: Before using these procedures, review the information covered in the section, “Customizing Component Policies for Devices” above.

See “Appendix A. Groove Component Versions” for a table of component information for currently supported Groove versions, including the platform required to support each component.

Note: To upgrade from your current version of Groove to the next version, you can access the version components on the Groove Networks Web site.

The following examples illustrate how you can use device component install policies to manage access to Groove components published by Groove Networks:

• Prevent Platform Upgrade

• Allow Platform Upgrade To Current Version

• Allow Platform Upgrade To Interim Version

• Allow Platform Upgrade and Limited New Tools

• Allow Platform Upgrade But No New Tools

Prevent Platform Upgrade

Once your domain clients are all running the desired version of Groove, you may want to lock down this condition. In order to restrict Groove users on managed devices in a domain to the current version of Groove, you set device policies to block installations of additional Groove components.

The following procedure is an example of how you would set policies that keep users at the current version of Groove (2.1 in the example below) and prohibit any additional tools from being installed:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. From the Client Policies page, select the option, ‘Prevent Groove Workspace from searching for new components.’

Note: Preventing automatic component upgrades prohibits Groove from proactively searching for newer versions of Groove components on managed devices. Developers of Groove components sometimes enable their components to search for updated versions. These updates are not required by Groove. Selecting this option will block these searches. This policy does not block other types of component updates or installs (such as those that may be associated with workspace invitation acceptance). Use other component installation policies to control these types of updates or installs.

4. Click the Advanced Install Policies button. The Advanced Install Policies page appears.

5. From the Install Components From field, select Anywhere.

6. Click the Add Install Policy button. The Add Install Policy page appears.

7. Fill in the custom install policy fields at the top of the form as shown in the following table:

Custom Install Policies Fields | Sample Values
Display name | Groove Networks
Digital fingerprint | 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB
Allow users to install | Every component

8. Click the Add Policy button. Additional fields appear on the page.

9. Fill in the Groove Core component name and version information as shown below:

Component Name | Operator | Version | Policy
net.groove.Groove.Core | >= | 2.1 | Prohibit

10. Click the Add Policy button to display an additional row of fields and fill them in with the Groove Upgrade component information as shown below:

Component Name | Operator | Version | Policy
net.groove.Groove.Core | >= | 2.1 | Prohibit
net.groove.Groove.Upgrade | >= | 2.1 | Prohibit

11. Repeat the previous step again for each of the install components, as shown below:

Component Name | Operator | Version | Policy
net.groove.Groove.Core | >= | 2.1 | Prohibit
net.groove.Groove.Upgrade | >= | 2.1 | Prohibit
net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE | >= | 0.5 | Prohibit
net.groove.Groove.SystemComponents.GrooveInstallerService_EXE | >= | 1.1 | Prohibit

12. Click OK.

By allowing installation of all components but prohibiting upgrade of the Groove Core components to any version greater than 2.1.0.0, this policy prohibits users on managed devices in the domain from upgrading beyond Groove 2.1 but allows them to install any new tools supported by this version.

Allow Platform Upgrade To Current Version

The following procedure is an example of how you could set policies that allow users to upgrade Groove to the current version (3.0 in the example below) and to install any additional new components that this platform supports:

Note: To block (or allow) specific components, you need the component name and version, and knowledge of which Groove platforms support the component (as shown in the table of Groove component packages in “Appendix A. Groove Component Versions”).

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. Click the Advanced Install Policies button. The Advanced Install Policies page appears.

4. From the Install Components From field, select Anywhere.

5. Click the Add Install Policy button. The Add Install Policy page appears.

6. Fill in the custom install policy fields at the top of the form, as shown in the following table:

| Custom Install Policies Fields | Sample Values |
|---|---|
| Display name | Groove Networks |
| Digital fingerprint | 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB |
| Allow users to install | Every component |

7. Click the Add Policy button. Additional policy fields appear on the page.

8. Fill in the Groove Core component name and version information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 3.0 | Prohibit |

Note that in this case the version number, 3.0, implies the full version, 3.0.1.0, because the > operator interprets versions in the full syntax. When any of the = operators is used (=, >=, <=), 3.0 is interpreted as the wild card 3.0.*, so you would need to enter 3.0.1.0 explicitly if you wanted to specify an exact version.

9. Click the Add Policy button to display an additional row of fields and fill them in with the Groove Upgrade component information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 3.0 | Prohibit |
| net.groove.Groove.Upgrade | > | 3.0 | Prohibit |

10. Click OK.

By allowing installation of all components but prohibiting upgrade of the Groove Core component to any version greater than 3.0, this policy lets users on managed devices in the domain upgrade to Groove 3.0 and to install any new tools supported by this version.

Allow Platform Upgrade To Interim Version

The following procedure is an example of how you could set policies that allow users to upgrade Groove to a specific interim (before current) version (2.1c in the example below) and to install any additional new components that this platform supports:

Note: To block (or allow) specific components, you need the component name and version, and knowledge of which Groove platforms support the component (as shown in the table of component packages in “Appendix A. Groove Component Versions” in this guide).

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. Click the Advanced Install Policies button. The Advanced Install Policies page appears.

4. From the Install components from field, select The HTTP server, and enter http://21components.groove.net as the server name. This is the Groove Networks-hosted server where the specified version of Groove components resides.

5. Click the Add Install Policy button. The Add Install Policy page appears.

6. Fill in the custom install policy fields at the top of the form, as shown in the following table:

| Custom Install Policies Fields | Sample Values |
|---|---|
| Display name | Groove Networks |
| Digital fingerprint | 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB |
| Allow users to install | Every component |

7. Click the Add Policy button. Additional policy fields appear on the page.

8. Fill in the Groove Core component name and version information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 2.1.3 | Prohibit |

9. Click the Add Policy button to display an additional row of fields and fill them in with the Groove Upgrade component information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 2.1.3 | Prohibit |
| net.groove.Groove.Upgrade | > | 2.1.3 | Prohibit |

10. Click OK.

11. Once client devices are updated with the component policies, inform your managed users of the location of the .grv file that will enable them to update Groove to the specified version.

By allowing installation of all components but prohibiting upgrade of the Groove Core component to any version greater than 2.1.3, this policy lets users on managed devices in the domain upgrade to Groove 2.1c and to install any new tools supported by this version.

Allow Platform Upgrade and Limited New Tools

The following procedure is an example of how you could set policies that allow users to upgrade to Groove version 2.1 and to specifically prohibit installation of the FamilyGroove tool version 7 or greater:

Note: To block (or allow) specific components, you need the component name and version, and knowledge of which Groove platforms support the component (as shown in the table of Groove component packages in “Appendix A. Groove Component Versions” of this guide).

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. Click the Advanced Install Policies button. The Advanced Install Policies page appears.

4. From the Install Components From field, select Anywhere.

5. Click the Add Install Policy button. The Add Install Policy page appears.

6. Fill in the custom install policy fields at the top of the form, as shown in the following table:

| Custom Install Policies Fields | Sample Values |
|---|---|
| Display name | Groove Networks |
| Digital fingerprint | 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB |
| Allow users to install | Every component |

7. Click the Add Policy button. Additional policy fields appear on the page.

8. Fill in the Groove Core component name and version information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 2.1 | Prohibit |

9. Click the Add Policy button to display an additional row of fields and fill them in with the Groove Upgrade component information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 2.1 | Prohibit |
| net.groove.Groove.Upgrade | > | 2.1 | Prohibit |

10. Click the Add Policy button to display an additional row of fields and enter the information for the FamilyGroove component that you want to exclude from the allowed 2.1 tools, as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | > | 2.1.0.0 | Prohibit |
| net.groove.Groove.Upgrade | > | 2.1.0.0 | Prohibit |
| net.Groove.Groove.FamilyGroovel | >= | 7.0.0.0 | Prohibit |

11. Click OK.

By prohibiting upgrade of the Groove Core component to any version greater than 2.1 and controlling a specific tool component, this policy lets users on managed devices in the domain upgrade to Groove 2.1, and install new tools supported by this version, with the exception of the FamilyGroove tool version 7 (or greater), which is 2.1-compatible but prohibited.

Allow Platform Upgrade But No New Tools

The following procedure is an example of how you could set policies that allow users to upgrade to Groove version 3.0 but not to install any subsequent new components:

Note: To block (or allow) specific components, you need the component name and version, and knowledge of which Groove platforms support the component (as shown in the table of Groove component packages in “Appendix A. Groove Component Versions” of this guide).

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. Click the Advanced Install Policies button. The Advanced Install Policies page appears.

4. From the Install Components From field, select Anywhere.

5. Click the Add Install Policy button. The Add Install Policy page appears.

6. Fill in the custom install policy fields at the top of the form, as shown in the following table:

| Custom Install Policies Fields | Sample Values |
|---|---|
| Display name | Groove Networks |
| Digital fingerprint | 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB |
| Allow users to install | No component |

7. Click the Add Policy button. Additional policy fields appear on the page.

8. Fill in the Groove Core component name and version information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | = | 3.0.1.0 | Allow |

9. Click the Add Policy button to display an additional row of fields and fill them in with the Groove Upgrade component information as shown below:

| Component Name | Operator | Version | Policy |
|---|---|---|---|
| net.groove.Groove.Core | = | 3.0.1.0 | Allow |
| net.groove.Groove.Upgrade | = | 3.0.10.0 | Allow |

10. Click OK.

By allowing upgrade of the Groove Core component to version 3.0 and prohibiting all other component installations, this policy lets users on managed devices in the domain install additional tool components only if they are compatible with Groove version 3.0.

Controlling Login Credential Reset and Data Recovery

In order to reset a lost password or smart card login, or to recover data for managed Groove users, you must set up the appropriate management policy and make sure your users open their managed Groove accounts before a user’s password is lost. In versions 3.0e or earlier of the management server, this management policy applies specifically to managed devices within a management domain, as described in this section. For information about setting similar policies in 3.0f (or later) management server environments with users running Groove 3.0f or later, see “Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later)” in the Managing Identity Policies section of this guide.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server Administrator or Domain Administrator to recover user data and reset passwords or smart card logins.

To configure a domain to allow resetting of passwords or smart card logins, and/or data recovery (for Groove 3.0e or earlier clients), follow these steps.

1. Go to the management server administrative Web site, and select a domain in the navigation pane.

2. Make sure that user devices are registered with a management server domain, as described in “Registering User Devices with the Management Server” above. The word ‘Managed’ appears in the Type column of the devices listed on Member Information pages.

3. Make sure that user accounts each have a managed identity from the same domain as the managed device. Otherwise, the password/smart card reset (or data recovery) feature will not be applied to their account.

4. Select a device template in the navigation pane.

5. Click the Security Policies tab.

6. Click the Edit Reset Settings (Groove 3.0e or earlier) button.

7. Select one of the following reset/recovery options (see the “Security Policies” section below for more information on device security policies):

• Disable password/smart card login reset and data recovery - Prohibits resetting of login credentials and recovering data.

• Enable password/smart card login reset and data recovery - Allows resetting of login credentials and recovering data.

• Enable data recovery without password/smart card login reset - Allows data recovery but not resetting of login credentials.

8. Click OK to submit your policy edits. This policy will be disseminated to each managed device the next time the device successfully connects to the management server. Upon receiving the policy, each managed account encrypts its on-disk data with the data recovery public key.

9. Make sure that users open their managed accounts to receive the policy as soon as possible. This must be done before a password is lost, in order to retrieve data and/or reset a password.

For detailed instructions about resetting user passwords, see the following section, “Resetting Groove Login Credentials for Managed Devices”.

Resetting Groove Login Credentials for Managed Devices

A password or smart card login is associated with each Groove user account. In a managed environment, a password and smart card login private key created during domain creation by the server administrator enables the resetting of passwords or smart card logins. To allow resetting of any login credentials for users running Groove 3.0e or earlier, you must set a device security policy accordingly. Therefore, to service managed users running Groove 3.0e or earlier, data recovery requires Groove devices to be registered with a management domain.

However, versions 3.0f or later of the management server provide identity-based data recovery for managed users running Groove 3.0f or later; device management is not required in this case. See “Resetting Groove Login Credentials (for Groove 3.0f or later)” in the Managing Identity Policies section of this guide for information about setting up data recovery for managed identities with Groove 3.0f or later.

The following sections cover the administrative and client aspects of resetting a user password or smart card login:

• Administering Centralized Reset of Login Credentials

• Client Reset of User Login Credentials

Administering Centralized Reset of Login Credentials

To centrally control Groove user login credential reset, you configure the management server and Groove clients so that the necessary private key is available on the management server (or in a specified file from which you can upload it temporarily to the management server) when users need to reset their own passwords. When a domain member clicks the “Forgot your password?” link in the Groove Login window of Groove and notifies an administrator of this request, the administrator can use the management server’s Member Information page to grant the request.

Centrally managing the reset of Groove user passwords or smart card logins is an alternative to resetting login credentials locally on individual client devices described in “Setting Up Data Recovery on Managed Devices”. While the centralized method is somewhat less secure than the data recovery method (because the management server holding the private key is typically in a DMZ with internet access), it is more convenient than restoring a password individually on a Groove client device.

Before you begin, be aware of the following requirements and considerations:

• If you use a management server version 3.0e or earlier, and/or you support users of Groove 3.0e or earlier, Groove login credential reset requires identities to be members of a management domain and devices to be registered with that domain, as described above in “Registering User Devices with the Management Server”.

• For users of Groove 3.0e or earlier, make sure to enable the device policy that enables password/smart card login reset, as described above in “Controlling Login Credential Reset and Data Recovery”.

• Verify that Groove users have accessed their managed account to activate the reset policy.

• Allowing reset of a forgotten Groove user password or smart card login involves the reset private key, generated during domain creation by the server administrator. Therefore, you need the password for the reset private key (and the private key file itself if it's not stored on the server), obtainable from your server administrator.

• If you want to review and customize the reset instructions that will be sent to users requesting the reset, do so from the Security Policies tab of any Device Policy template in the domain, as described below in “Customizing Reset Instructions for Managed Devices”.

• In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Support Administrator to reset passwords or smart card logins.

To enable a managed user on a managed device to change a Groove password or smart card login, follow these steps:

1. When a domain member clicks the Reset Password or Smart Card Login button from Groove and notifies you of the request (by phone or other method), go to the management server administrative Web site and in the navigation pane, click the domain group of which the user is a member. The Members tab appears with a list of group members. See “Client Reset of User Login Credentials” below for information about client actions.

2. From the Members tab, click the name of the member requesting the reset. The Member Information window appears.

3. From the Member Information window, click the Reset Password or Smartcard Login button (available when a member has clicked the Request Reset button from Groove). The Reset Password or Smart Card Login window appears that includes a Reset Access Code and a form for resetting the user password or smart card login.


If the reset private key (generated by the server administrator during domain creation) resides in a specified file (instead of on the management server), the Reset form includes a File location text box.

If the option to Remember private key login credentials has been enabled on the domain setup page and the private key is stored on the management server, a short form appears that does not involve using the reset private key.

4. If a File location text box appears, browse to the file location of the reset private key.

5. Confirm with the user that the Reset Access Code on the management server matches the Reset Access Code in Groove’s Request Reset window on the user’s device.

Note: Make sure to verify that the user who requested the password or smart card login reset is authorized to use the Groove account.

6. If the access code on the Reset Password page does not match the user's access code, press the Refresh Access Code button to check if a new access code is available. Note that refreshing the screen discards any unsaved changes to the user information or password reset form. Therefore, a pop-up message appears allowing you to click OK to proceed and refresh the screen, or Cancel to cancel the refresh.

7. Select the option, ‘I confirm I have verified the member’s identity and the password reset access code.’

8. Click OK. This action attempts to open the user’s secret key file using the private key password or smart card login that you entered. If the key is in a specified file, it is uploaded to the management server at this time. If the private key password or smart card login is valid, a Reset confirmation pop-up window appears. Otherwise, an error message window appears.

9. Click OK to accept the confirmation, or to accept the error and correct your entry.

The user’s screen automatically refreshes and displays a form that allows them to enter a new password or select new smart card login certificates. You can customize the text instructions in this form as described in “Customizing Reset Instructions for Managed Devices” below.

Client Reset of User Login Credentials

Managed users running Groove on managed devices in a domain are subject to administrative control over their password/smart card login reset capability. Once you set up the management environment to enable users to reset their Groove passwords, as described above in “Administering Centralized Reset of Login Credentials”, users must request permission to reset their password or smart card login (if they have forgotten it, for example).

Note: Users should be prepared to authenticate themselves out of band to the domain administrator when requesting a password/smart card login reset.

The Groove user request for password/smart card login reset permission involves the following steps:

1. A managed Groove user assigned to a device policy that has the reset password or reset smart card login policy enabled requests a reset by clicking the ‘Forgot your password?’ or ‘Request Smartcard Login Reset’ link on the Groove login window. This displays a Request Password Reset or Request Smart Card Login Reset pop-up window that contains the user’s password reset or smart card login access code along with instructions to contact the administrator.

If the user defined a password hint and a hint pop-up window appears with a Request Reset button, the user, reminded by the hint, can try logging in again.

2. The user contacts the domain administrator (by phone, for example) and verifies identity to the domain administrator by citing the reset access code in the Request Reset window. This code should match what appears for the user in the administrator’s Members Information/Reset Password or Smart Card Login window on the management server.

3. The user presses the Request Reset button. Clicking Request Reset refreshes the Request Password/Smart Card Login Reset window, generates a ‘reset request’ entry in the management server audit log, and displays a Reset Password or Reset Smart Card Login button in the management server’s Member Information page for this user.

Clicking the Cancel button cancels the request and returns to the Groove login window.

4. The administrator responds to the reset request, as described in “Administering Centralized Reset of Login Credentials”.

5. If a New Password window appears on the client screen, along with instructions, the user enters a new password, confirms it, and clicks OK. Groove opens the user’s managed account.

If a New Smartcard Login window appears, along with instructions, the user selects new certificates and clicks OK. Groove opens the user’s managed account.

For information about customizing reset instructions, see “Customizing Reset Instructions for Managed Devices” below.

Customizing Reset Instructions for Managed Devices

The management server’s device Password Policies page includes a feature that lets you edit the instructions sent to managed users on managed devices after users request a password or smart card login reset. For example, you may want to include the administrator’s Help desk phone number for the user to call when a reset is necessary. For managed users of Groove 3.0e or earlier, you access this feature from the device policies Security Policy tab by clicking the Edit Reset Settings button.

For information about customizing reset instructions for managed identities running Groove 3.0f or later, see “Customizing Reset Instructions (for Groove 3.0f or later)” in the Managing Identity Policies section of this guide.

For information about resetting user login credentials on managed devices, see “Client Reset of User Login Credentials”.

To customize the password/smart card login reset instructions sent to managed users who request a reset from managed devices running Groove 3.0e or earlier, follow these steps:


1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit.

2. Click the Security Policies tab.

3. Click the Edit Reset Settings (Groove 3.0e or earlier) button.

4. Click the Customize Password Reset Instructions or the Customize Smart Card Login Instructions button. A scrollable text window appears.

5. Edit the default text as necessary.

6. Click OK. The edited text will appear above the password reset access code in the client’s Request Reset message.

7. Select Save Changes in the tool bar.

Setting Up Data Recovery on Managed Devices

Groove workspace and account data reside on Groove user devices and are protected with each user’s password or smart card login. This means that, by default, if a user leaves the company or forgets a password (or smart card login), no one can access that user’s workspaces without knowing the user’s password. The management server and the Data Recovery Tool that supports it enable you to reset a Groove user’s password or smart card login and restore data.

For managed users running Groove 3.0e or earlier, data recovery requires Groove devices to be registered with a management domain. For managed users running Groove 3.0f or later, data recovery requires only identities to be managed in a domain. See “Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)” in the Managing Identity Policies section of this guide for information about setting up data recovery for managed identities with Groove 3.0f or later.

Note: The data recovery procedure is designed to reset user login credentials or gain access to a user’s existing data; it does not restore data that has been corrupted or destroyed.

For information about other options for resetting Groove passwords or smart card logins, see “Resetting Groove Login Credentials for Managed Devices” above.

For information about backing up and restoring user accounts, see “Backing Up and Restoring User Account Data” in the Managing Users section of this guide.

The following sections provide background information and instructions for restoring user passwords, smart card logins, and/or data:

• Data Recovery Fundamentals

• Recovering User Data (using the Data Recovery Tool)

Data Recovery Fundamentals

In management environments that include Groove 3.0e users, the data recovery process begins with setting a management server device policy to allow data recovery, then using the management server’s Data Recovery tool to restore data on a client device. The tool gives access to a data recovery private key, generated during management domain creation by the management server administrator.

Groove protects each user account with the user’s Groove account password or smart card login. Account data includes identity, contact, and workspace data, as well as private and secret keys generated locally by Groove (for example, when accounts, identities, or workspaces are created on a user device). The password/smart card login protection scheme applies to both managed and unmanaged accounts. This means that by default administrators cannot access any account information, whether managed or unmanaged.

However, under certain conditions, for example if a user on a managed device loses or forgets a password or smart card login, or leaves the company, an administrator may need to access a user’s Groove data. The management server provides a means of recovering data without knowing the user’s original password or smart card login. Management server device policies provide options for two levels of data recovery:

• The first level, limited data recovery (without password reset), enables administrative access to the user's workspace data only, rather than complete access to the user's account. This level prevents an administrator from accessing the user's private cryptographic information, such as the user's private and secret keys. It thus also prevents the administrator from being able to impersonate the user (sending Groove instant messages and workspace updates on behalf of the user). Because administrators cannot gain full entry to the user's account after this type of data recovery, they must copy the workspaces from a user's account into another location (into another account or a directory on disk) for future use or reference. This level limits administrative access, providing protection against misuse through impersonation while allowing limited recovery of the user's data.

• The second level, password reset, enables administrators to reset a user’s password or smart card login, enabling complete access to a user's account and workspace data, including access to the user's private cryptographic information. Because administrators with this level of access can impersonate users, this level of access should be used judiciously. Administrators considering this access level must weigh the risk of misuse through impersonation against the benefit of allowing user accounts to be reactivated.

Both data recovery levels require the use of a data recovery key pair: a public key con-tained in a certificate (.cer) file and a private key contained in a password/smart card-pro-tected private key store (.xml) file. These keys are created during domain creation by the management server administrator. The data recovery public key is encapsulated in a data recovery policy and disseminated to all the managed devices governed by the policy.

On managed devices governed by a data recovery policy, Groove encrypts user account data and passwords/smart card logins with the data recovery public key. If limited data recovery is the chosen policy level, only the non-private cryptographic information in the account is encrypted with the data recovery public key. If password/smart card login reset is the chosen policy level, both the non-private and the private cryptographic information of the account are encrypted. The data recovery administrator uses the corresponding data recovery private key (generated during domain creation) to decrypt and gain access - limited or full - to the user's account, without knowing the user's original Groove password. This feature is implemented using public key cryptographic protocols. Thus, an administrator can gain access to an account only if the account was first encrypted with a data recovery public key, and only the correct corresponding data recovery private key (to which only the data recovery administrator has access) allows access to the account.
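The access model described above, as an added example that is not Groove's code or protocol: a simplified escrow scheme in which each account section is sealed under its own key and only the keys covered by the policy level are wrapped to the data recovery public key. The per-section keys, the section names, and the toy RSA and keystream primitives are assumptions made for illustration and are not secure.

```python
"""Toy model of the two data recovery levels (added example, not Groove's protocol).

Assumptions: every account section is sealed under its own random key, and a
section is recoverable only if that key was also wrapped to the data recovery
public key. Textbook RSA over two Mersenne primes and a SHA-256 keystream
stand in for real primitives and are NOT secure.
"""
import hashlib
import secrets

# --- toy primitives (illustration only) ---
P, Q = 2**127 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                   # plays the role of the public key (.cer)
D = pow(E, -1, (P - 1) * (Q - 1))     # plays the role of the private key (.xml)

# Which account sections each policy level escrows (section names are hypothetical).
LEVELS = {
    "none": (),
    "limited": ("workspace_data",),
    "password_reset": ("workspace_data", "private_keys"),
}


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; applying it twice restores data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _wrap(section_key: bytes) -> int:
    """Encrypt a 16-byte section key to the data recovery public key."""
    return pow(int.from_bytes(section_key, "big"), E, N)


def _unwrap(wrapped: int, private_exponent: int) -> bytes:
    """Decrypt a wrapped section key; a wrong exponent yields unrelated bytes."""
    return pow(wrapped, private_exponent, N).to_bytes(27, "big")[-16:]


def seal_account(sections: dict, policy_level: str) -> dict:
    """Client side: encrypt each section and escrow the keys the policy covers."""
    account = {"sections": {}, "escrow": {}}
    for name, plaintext in sections.items():
        key = secrets.token_bytes(16)
        account["sections"][name] = _stream_xor(key, plaintext)
        if name in LEVELS[policy_level]:
            account["escrow"][name] = _wrap(key)
        # The copy of `key` protected by the user's own password is omitted here.
    return account


def admin_recover(account: dict, private_exponent: int) -> dict:
    """Recovery administrator: decrypt every section whose key was escrowed."""
    recovered = {}
    for name, wrapped in account["escrow"].items():
        key = _unwrap(wrapped, private_exponent)
        recovered[name] = _stream_xor(key, account["sections"][name])
    return recovered


# Constructed sample account contents.
SAMPLE_SECTIONS = {
    "workspace_data": b"Q3 plan: draft",
    "private_keys": b"user signing key material",
}

if __name__ == "__main__":
    for level in LEVELS:
        sealed = seal_account(SAMPLE_SECTIONS, level)
        print(level, "->", sorted(admin_recover(sealed, D)))
```

Under the limited level the administrator recovers workspace data but never holds the material needed to act as the user; an account sealed with no policy in force yields nothing, whatever key the administrator holds.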

Recovering User Data (using the Data Recovery Tool)

To service users of Groove 3.0e or earlier, before you begin the data recovery process, be sure to set your management domain device policies to allow data recovery, as described above in “Controlling Login Credential Reset and Data Recovery”. Then you can use the Groove data recovery tool on a client device to recover a user’s public workspace data or to reset the user’s password, which provides complete access to all the user’s Groove data.

If you want only to allow users to reset their passwords, consider using the centralized procedure described above in “Resetting Groove Login Credentials for Managed Devices”.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Support Administrator to use the data recovery tool described in the procedure below.

Note: If you use a management server version 3.0e or earlier, and/or you support users of Groove 3.0e or earlier, Groove data recovery and login credential reset require identities to be members of a management domain and devices to be registered with that domain, as described above in “Registering User Devices with the Management Server”.

To recover user data and/or reset a managed user’s login credentials on managed devices, follow these steps:

Note: Make sure that Groove is not running on the client device where you are trying to restore data.

1. From the client device where you are trying to restore data, open a browser and go to the management server administrative Web site.

2. Select Domain Properties in the tool bar. The domain properties page appears.

3. In the Password or Smart Card Reset Setup section of the page, use the ‘Download data recovery tool for Groove version’ option to specify the Groove version installed on managed user devices, and click the Download button. A standard Save As pop-up window appears.

4. In the Save As window, browse to the network location where you want to store the data recovery tool.

This generates the Data Recovery tool, DataRecoveryAdminTool.exe (and its associated system files), which enables you to restore the password and/or data on a client machine.

5. Run the Data Recovery Tool, DataRecoveryAdminTool.exe, from its current location to create the data recovery certificate and keys. The Recovery page appears.

Note: Do not try to run the .exe file from a remote location; you must download and run it from the client PC.

6. Choose a data recovery option as follows:

• Reset Password - To reset the user’s password and restore full access to all workspaces and account data, providing that your policy allows resetting a user’s password.

• Recover Workspace Data - To copy the workspace information into another location. If you need to reactivate the workspaces in their new location, you must ask the workspace owners to invite you into them or invite them yourself.

If your policy allows only recovery of workspace data (not resetting the password), only the second option is available to you; an error will appear if you set the first option.

7. Edit the following fields, then click Next:

a. In the Private Key File field, enter the .xml file path for the private key file (that was generated during initial set up of this feature).

b. In the Administrator password field, enter the administrator private key password that was originally defined.

8. If you chose the Reset Password option, the Reset Password page appears. Proceed as follows:

a. In the Account Name field, select the name of the managed account that you want to restore.

b. In the New Password field, enter a new pass phrase, then enter it again in the Confirm new password field.

c. Click Finish. A completion pop-up window appears.

d. Click OK to exit.

e. Launch Groove and log into the user’s account after entering the new password when prompted.

9. If you chose the Recover Workspace Data option, the Recovery page appears. Proceed as follows:

a. Choose one of the following output options, as described in the following table:

Recovery Options and Descriptions

• Export spaces into new account - Choose this option to copy the selected workspaces to a new Groove account, then do the following:

   1. Click the Next button to display a page where you enter the account name and password of the new account.

   2. Enter the information, then click Next again to select a workspace.

   3. Click the Finish button.

• Export spaces into existing account - Choose this option to copy selected workspaces into another existing account on the device, then do the following:

   1. Click the Next button to display a page where you select an existing name and its correct password.

   2. Enter the information, then click Next again to select workspaces.

   3. Click the Finish button.

• Export spaces into directory on disk - Choose this option to copy the selected workspaces into a specified directory, then do the following:

   1. Click the Next button to display a page where you select a directory path and an optional password for each space.

   2. Click Next again to select workspaces.

   3. Click the Finish button.

b. When the completion pop-up appears, click OK.

10. If you saved the workspace(s) in an account, launch Groove and open the specified account.

11. If you exported the workspace(s) to disk, restore the space(s) on the Groove client as follows:

a. From the client device, launch Groove.

b. Go to My Spaces.

c. From the File menu, choose Restore Workspace or Open Workspace Archive (depending on which Groove version you are using). The Restore pop-up window appears.

d. Browse the location where you saved the workspace(s).

e. Enter the password defined in the Recovery options of the Data Recovery tool.

f. Click OK. The workspace appears in the list of workspaces.

Controlling Groove Tool Usage on Managed Devices

This section describes how to restrict Groove tool usage to prohibit use of specific Groove tools. By default, all Groove tool versions are allowed for use by domain group members. You can set tool usage policies that control which Groove tools domain members can use, in order to meet organizational requirements regarding acceptable tool use and tool usage auditing. Note that Groove tool usage policies are optimized to control usage of Groove tools at higher domain group levels, not to provide data filtering or different workspace views across many small groups. Applying tool restriction policies to small groups within a larger body of users can be difficult to manage and can have unexpected results when the various policies involved conflict.

For information about the management server’s optional client auditing capability, see “Enabling Groove Client Auditing” below.

The following sections provide instructions and guidelines for managing tool usage:

• Restricting Tool Usage

• Tool Usage Recovery After Restriction is Removed

Restricting Tool Usage

Restricting usage of a Groove tool affects all aspects of Groove use that depend on that tool. Blocked tools will appear in spaces as place-holders only, usually with a message explaining that the tool is not available for use due to policy restrictions. Before restricting tool usage, be aware that blocked tools affect workspaces as listed in the table below:

Groove Workspaces Affected by Groove Tool Restrictions

Restricted Groove Tool - Affected Workspaces

• Calendar - Advanced Project workspace

• Contacts - Advanced Project workspace

• Dashboard - Advanced Project workspace

• Discussion - Advanced Project workspace. And, for auditable Discussion (version 4 or later):

   • Virtual Meeting workspace

   • Relationship Management workspace

   • Document Review workspace

• Document Review (auditable version 2) - Document Review workspace

• Files - Standard workspace. And, for auditable Files (version 8 or later):

   • Advanced Project workspace

   • Virtual Meeting workspace

   • Relationship Management workspace

   • Document Review workspace

   Note the following:

   • Restricting Files blocks the Groove File Sharing (GFS) Workspace tool and prevents proper functioning of the GFS Workspaces which depend on the Files tool.

• Forms - Affects all forms-based tools and templates, typically displaying a message to users explaining the denied access.

• Meetings - The following workspaces:

   • Advanced Project workspace

   • Virtual Meeting workspace

   • Relationship Management workspace

• Project Manager - Advanced Project workspace

• Web Links - Advanced Project workspace

In addition, some tool restrictions can have the following unintended effects:

• Restricting Files or Forms tools will prohibit the creation of SharePoint Mobile Workspaces.

• Restricting Files or Discussion tools may prohibit the creation of spaces from Outlook, Notes.

To limit Groove tool usage, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Usage Policies tab.

3. To prevent blocked tools from appearing in a workspace, select ‘Hide tools that are blocked due to usage policies.’ If you do not select this option, when users try to use a blocked tool, they typically see a message explaining that the tool is not available for use due to policy restrictions.

4. To prohibit tool usage, click the ‘Allow no versions’ radio button for the tool you want to prohibit.

5. If client auditing is in effect and you want to restrict Groove tool usage to auditable tools only, click the ‘Allow auditable versions’ option for those tools. Auditable tools currently include:

• Chat (version 1 and greater)

• Discussion (version 4 and greater)

• Document Review (version 2 and greater)

• Files (version 8 and greater)

• Forms Tool (version 3 and greater)

• Groove File Sharing (GFS) Workspace (version 1 and greater)

6. Click Save Changes in the tool bar.

Note: For information about how to delete data associated with blocked tools, to prevent incoming data from being stored locally, and to prevent users from accessing the tool or tool data even after the tool usage restriction is removed, see your Groove Networks support representative. Setting the Delete information option from a blocked Groove Files tool also affects data in GFS workspaces on domain devices affected by this policy.

See “Tool Usage Recovery After Restriction is Removed” below for information about recovering data that has been purged due to the client purge interval being exceeded or if you have contacted Groove support to set the Delete information option.

See Usage Policies in the “Client Policies” section below for descriptions of the tool usage policies.

Tool Usage Recovery After Restriction is Removed

Once a tool usage restriction is removed, affected users can usually recover tool usage when they click on the tool, or, if the tool is not installed, by clicking an Install button from the missing tool placeholder within the workspace. However, recovery paths vary, depending upon the length of time that the tool has been blocked and whether tool data has been deleted.

If the tool restriction was lifted before the client purge interval (approximately 21 days of user inactivity in a space) elapsed, users can recover tool usage when they click on the tool or via the Install button, as described above. All data that existed locally when the tool was blocked and any data that was added to the tool while it was blocked will be available (assuming that tool data deletion was not enabled).

If the tool restriction was lifted after the client purge interval (21 days) elapsed, affected users will not be able to re-install the tool by navigating to it or by clicking the Install button. In addition, in the context of GFS workspaces, if the Files tool or GFS restriction was not lifted before the client purge interval (21 days) elapsed, users will see alerts indicating that GFS workspaces cannot synchronize. To recover under these conditions, affected users must delete any space that includes the tool and be re-invited to the space.

Under certain conditions, administrators can configure tool usage policies to delete all tool data if a tool is restricted. In this scenario, affected users will not be able to re-install the tool by navigating to it or by clicking the Install button. In addition, in the context of GFS workspaces, if the Delete information option was set for the Files tool, users will see alerts indicating that GFS workspaces cannot synchronize. To recover under these conditions after a tool restriction is lifted, affected users must delete any space that includes the tool and be re-invited to the space. Please contact Groove Networks for more information about enabling this feature.

Limiting Groove Bandwidth Usage for Devices

Groove is designed to utilize communications bandwidth efficiently during normal activity, and to restrict its bandwidth usage when running in the background. However, if conditions merit (if you anticipate a period of high network demand, for example), you may want to consider setting a management server device policy to control Groove bandwidth usage. You can set a maximum network bandwidth usage limit for Groove client devices in a management domain by defining a bandwidth policy for domain devices.

The following sections summarize bandwidth policy implications and provide instructions for setting this policy:

• Overview of Groove Bandwidth Policy

• Setting Groove Bandwidth Limit

Overview of Groove Bandwidth Policy

Groove does not limit its use of communications bandwidth except when addressing the requirements of “sociable communications,” when bandwidth usage is determined by an internal optimization protocol. This limited bandwidth use occurs under the following conditions:

• When Groove is running in the system tray (all Groove windows are closed).

• Another application is heavily using the communications device (for file download, for example).

• Groove starts sending or receiving a large amount of data when the communications device is already in demand by another application.

The Groove bandwidth usage policy is disabled by default. Typically, this policy should remain disabled (the value field left blank). Specifying a value to limit Groove network bandwidth usage substantially impedes Groove performance.

You may want to consider enabling the policy and specifying a value if:

• Your network requirements demand a limit on Groove network bandwidth usage, and/or

• You want to use the results for capacity planning. Setting a finite Groove bandwidth limit per device for a known number of devices can provide helpful statistics in planning for overall Groove bandwidth use in an enterprise.

Enabling a policy that limits network bandwidth use will dramatically affect Groove performance. The impacts of setting a Groove bandwidth use policy include the following:

• Causes Groove to constrain its use of communications devices at all times, even when Groove is active.

• Causes Groove to constrain its use of communications devices for all destinations, regardless of whether the destination is over a high-speed Ethernet line or a slow dial-up connection.

• Overrides sociable communications.

• Increases the time required for sending large files (a 2-megabit file, for example). Although a bandwidth policy may not have an obvious impact on delivery of small messages (such as online status messages), its impact on the large messages generated by many Groove tools can be substantial.

Make sure that you understand these implications before setting a device policy on Groove bandwidth use. Test the performance impact on a representative set of tools and hardware before deploying a new policy.

When you enable a bandwidth policy for domain devices, the bandwidth limit appears in Groove on the Options/Communications Manager and Network Settings pages on managed devices.

Setting Groove Bandwidth Limit

Before using this procedure, make sure you have read “Overview of Groove Bandwidth Policy” above.

To specify a Groove bandwidth usage limit, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Members Policies tab.

3. Scroll to the Bandwidth Policies section.

4. To limit Groove client bandwidth usage, select the option, ‘Limit bandwidth,’ and enter a value in the text box.

5. Select one of the following units from the drop-down menu:

• megabits/second - Sets bandwidth limit units to megabits per second. Allowable value: whole number from 1 to 100.

• kilobits/second - Sets bandwidth limit units to kilobits per second. Allowable values: whole number from 5 to 100,000.

• bits/second - Sets bandwidth limit units to bits per second. Allowable value: whole number from 4800 to 100,000,000.

• percentage of bandwidth - Sets bandwidth limit to a percentage of the maximum bandwidth capacity of the Groove client communications device(s) currently in use. Note that this percentage is applied regardless of a device’s bandwidth capacity. For example, a bandwidth limit of 50% will be applied to a dial-up modem with a maximum connection speed of 56 Kb/second, as well as to an Internet connection with a maximum of 10 Mb/second. Therefore, the actual bandwidth available to a given client device, when defined as a percentage, varies depending on the communications device in use. This may lead to noticeably low connection speeds in a dial-up setting. Allowable value: whole number from 1 to 99.

6. Select Save Changes in the tool bar.

Enabling Groove Client Auditing

The Groove Audit Server, in conjunction with an Enterprise Management Server, collects activity logs generated by Groove clients. Audited events include activities associated with Groove accounts (such as end-user logon and logoff, instant messages, and workspace invitations), or with Groove workspaces and tools (such as adding a file to the File tool), depending on how you specify domain device policies that control client auditing. You can select whether to audit account events, workspace events, both types of events, or no events by setting device audit policies.

Once the Groove Audit Server and Audit Service have been installed and configured as described in the Groove Management Server Administrator’s Guide, you can set management server device policies to allow Groove client event auditing.

Note: Auditing can have a substantial impact on system resources (including bandwidth usage, and disk storage on clients and servers). Therefore, set policy to enable client device auditing only where necessary.

To enable Groove client auditing and select what will be audited, follow these steps:

1. Make sure that the Groove Audit Server and Enterprise Management Server are installed at your site and that the Groove Audit Service is activated on Groove client devices. See your server administrator (or the Management Server Administrator’s Guide) for information about proper EMS and Audit Server installation, and Audit Service activation.

2. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

3. Click the Audit Policies tab.

4. In the Audit Server Policies section of the page, enter the URL for your Groove Audit Server (for example, http://grooveaudit.xyzcorp.com) in the Audit Server URL field.

5. Enter the number of days, hours, or minutes in the ‘Upload audit logs’ field to set the audit log upload interval.

6. For added security, you can select the option to Disable Groove Virtual Office on domain devices if auditing fails.

7. In the Groove Virtual Office Client Events section of the page, select the user account and workspace events that you want to audit, if any.

8. In the Tool Events section of the page, select the tool events that you want to audit, if any. Selecting ‘Audit workspace events’ includes auditing of workspace member and role-related events.

9. If you want to audit the contents of files added to Groove, select the option to Audit the contents of files added to tools.

Note: If you enable this option, all versions of all files added to workspaces of members affected by this policy will be sent to the audit server. If files are numerous and/or large, file auditing can notably tax the audit server and occupy considerable storage space on the SQL server.

10. Click Save Changes in the tool bar.

For information about restricting Groove tool usage to only those tools which are auditable, see “Controlling Groove Tool Usage on Managed Devices” above.

For a description of all auditing policy options, see “Audit Server Policies” below.
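One way to review a device policy template against the settings described in the sections above, as an added example that is not part of the guide or of Groove: it flags tools that stay usable without being auditable, an audit policy that lets clients keep running when auditing fails, and the password reset recovery level. The dictionary layout and key names are hypothetical, since the guide shows no export format for templates.

```python
"""Review a Groove device policy template for audit-coverage gaps.

Added example. The dict layout and key names are hypothetical: the guide sets
these options through the administrative Web site and shows no export format.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "severity code subject message")

ALLOW_ALL, ALLOW_AUDITABLE, ALLOW_NONE = "all", "auditable", "none"

# Tools named in the guide's restriction table and auditable-tools list.
ALL_TOOLS = ("Calendar", "Chat", "Contacts", "Dashboard", "Discussion",
             "Document Review", "Files", "Forms", "GFS Workspace",
             "Meetings", "Project Manager", "Web Links")

# Lowest auditable version of each tool, from "Restricting Tool Usage".
AUDITABLE_FROM = {"Chat": 1, "Discussion": 4, "Document Review": 2,
                  "Files": 8, "Forms": 3, "GFS Workspace": 1}

# Side effects the guide documents for blocking a tool outright.
BLOCK_SIDE_EFFECTS = {
    "Files": "blocks GFS workspaces; prohibits SharePoint Mobile Workspaces; "
             "may prohibit creating spaces from Outlook, Notes",
    "Forms": "prohibits SharePoint Mobile Workspaces",
    "Discussion": "may prohibit creating spaces from Outlook, Notes",
}

_RANK = {"high": 0, "medium": 1, "info": 2}


def review_template(template):
    """Return findings for one template, most severe first."""
    out = []
    audit = template.get("audit", {})
    usage = template.get("tool_usage", {})
    events = set(audit.get("events", ()))  # subset of account/workspace/tool

    if template.get("data_recovery") == "password_reset":
        out.append(Finding("medium", "RECOVERY_IMPERSONATION", "",
                           "password reset level lets recovery administrators "
                           "impersonate users"))
    if events and not audit.get("server_url"):
        out.append(Finding("high", "AUDIT_NO_URL", "",
                           "audit events selected but no Audit Server URL set"))
    if events and not audit.get("disable_client_if_audit_fails"):
        out.append(Finding("medium", "AUDIT_FAIL_OPEN", "",
                           "Groove keeps running on devices when auditing fails"))
    if audit.get("audit_file_contents"):
        out.append(Finding("info", "AUDIT_FILE_VOLUME", "",
                           "all versions of all added files go to the audit server"))

    for tool in sorted(set(ALL_TOOLS) | set(usage)):
        mode = usage.get(tool, ALLOW_ALL)  # guide: all versions allowed by default
        if mode == ALLOW_NONE:
            if tool in BLOCK_SIDE_EFFECTS:
                out.append(Finding("info", "BLOCK_SIDE_EFFECT", tool,
                                   BLOCK_SIDE_EFFECTS[tool]))
            continue
        if "tool" not in events:
            continue  # tool events are not audited, so there is no coverage to check
        first = AUDITABLE_FROM.get(tool)
        if first is None:
            out.append(Finding("medium", "TOOL_NOT_AUDITABLE", tool,
                               "allowed, but not in the guide's auditable-tools list"))
        elif mode == ALLOW_ALL and first > 1:
            out.append(Finding("medium", "TOOL_OLD_VERSIONS", tool,
                               f"versions below {first} are allowed and not auditable"))
    return sorted(out, key=lambda f: (_RANK[f.severity], f.code, f.subject))


def subjects(findings, code):
    """Tool names attached to findings with the given code."""
    return [f.subject for f in findings if f.code == code]


# Constructed sample: auditing on, but most tools left at the permissive default.
SAMPLE_TEMPLATE = {
    "data_recovery": "password_reset",
    "audit": {"server_url": "http://grooveaudit.xyzcorp.com",
              "events": ["account", "tool"],
              "disable_client_if_audit_fails": False,
              "audit_file_contents": True},
    "tool_usage": {"Files": ALLOW_ALL, "Discussion": ALLOW_AUDITABLE,
                   "Forms": ALLOW_NONE, "Calendar": ALLOW_ALL},
}

# Constructed sample: auditable tools restricted to auditable versions, the rest blocked.
HARDENED_TEMPLATE = {
    "data_recovery": "limited",
    "audit": {"server_url": "http://grooveaudit.xyzcorp.com",
              "events": ["account", "workspace", "tool"],
              "disable_client_if_audit_fails": True},
    "tool_usage": {t: (ALLOW_AUDITABLE if t in AUDITABLE_FROM else ALLOW_NONE)
                   for t in ALL_TOOLS},
}

if __name__ == "__main__":
    for f in review_template(SAMPLE_TEMPLATE):
        print(f"{f.severity:6} {f.code:22} {f.subject:16} {f.message}")
```

Tools left out of `tool_usage` are treated as allowing all versions, which matches the default the guide states, so a template that never touched the Usage Policies tab reports every gap.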

Supporting an Onsite Groove Component Server

If a Groove Component Server is installed at your site, you must set a Groove device policy to allow the management server to access the onsite Groove component server. Make sure to set this policy in every device policy template that you will use to enforce this policy.

To set device policy to support an onsite Groove component server, follow these steps:

1. Go to the management server administrative Web site and in the navigation pane, click a domain device template that you want to edit. The Account Policies tab appears.

2. Click the Client Policies tab.

3. From the Client Policies tab, click the Advanced Install Policies button. The Advanced Install Policies page appears.

4. From the Advanced Install Policies page, enter an HTTP server name for the component server or a UNC component directory location, as appropriate. See “Client Policies” below for more details about setting this policy.

5. Click OK.

6. Select Save Changes in the tool bar.

Account Policies

The following table describes Groove device Account policy settings:

Device Account Policy Settings

Descriptions

Members cannot create multiple accounts

Specifies that domain group members cannot create additional Groove accounts on their managed devices, once the managed account is created.

Default: unchecked

Members cannot import accounts

Specifies that domain group members cannot import Groove accounts to their managed devices.

Default: unchecked

Members can only use managed identities from this domain on devices in this domain

Specifies that domain group members can only use managed identities in this domain group on managed devices in this domain. Checking this box disables any previously existing unmanaged identities that a user may have created on the managed device. It also prevents the user from using any identities managed by other domains.

Note: Do not check this box if you want to allow users to convert an existing identity to a managed identity. Once your users have converted any previous identities that they wish to convert, you can re-instate this policy.

Default: unchecked

Client Policies

The following table describes Groove client policy settings. These policies control the conditions under which Groove users can or cannot install Groove components on their devices. (Groove components are features or tools developed by Groove Networks or a third party for use in the Groove virtual office application.) The default settings for these policies are generally open, allowing component installs wherever possible. Consider whether you want to edit these settings to make them more restrictive.

Device Client Policy Settings

Descriptions

Install Policies

Prevent members from installing any component

Specifies whether managed users can install Groove components on their managed devices.

Selecting this policy prevents domain members from installing any components. It also blocks automatic component updates or installations.

Leaving this policy unchecked instructs Groove to prompt users with a download choice before installing components.

You can qualify this overall policy with a custom policy, as described later in this chapter.

Default: unchecked

Deny installation of self-signed components

Specifies whether managed users can install Groove components signed with a self-signed certificate on their managed devices.

Selecting this policy prevents domain members from installing self-signed components.

Leaving this policy unchecked allows domain members to install self-signed components.

Default: unchecked

Prevent Groove from searching for new components

Specifies for managed users whether Groove can proactively search for and potentially install updated versions of Groove components on users’ managed devices.

Developers of Groove components sometimes enable their components to search for updated versions. These updates are not required by the Groove virtual office software.

Selecting this policy prevents Groove from searching for and potentially installing updated Groove components.

Leaving this policy unchecked allows Groove to search for updated component versions.

Note: This policy does not block other types of component updates or installs (such as those that may be associated with Groove workspace acceptance). Use other component installation policies to control these types of updates or installs.

Default: unchecked

Advanced Install Policies

Displays a window that lets you specify where Groove components can come from (anywhere or a specified server), and create custom policies.

Install components from

Specifies that managed users can install Groove components from any source or from a named server, as follows:

• Anywhere - Select this item to specify that users can install components from any server.

• The HTTP server ___ - Enter the TCP/IP address or server name of a specific HTTP server. For example: http://servername.

• The UNC file server ___ - Enter the full path name of the component directory on a specific Universal Network Connection (UNC) server, using the format \\servername\directory1\...directoryN.

Note: If a Groove Component Server is installed at your site, make sure to specify its HTTP server address or UNC network location or UNC component directory location here.

Default: Anywhere

Add Policy

This button displays a pop-up window that allows you to further customize component install policies for specific component versions.

For information about customizing component installation policies, see “Customizing Component Install Policies” above.

Custom policies

Displays custom policies that you created using the Add Install Policy key. Clicking an item in the policy list lets you edit it. The Define Custom Install Policy page appears, with additional install policy fields that you can fill in to qualify the overall policy.

Bandwidth Policies

Limit bandwidth to

Limits the network bandwidth allowed for Groove usage on each device in a management domain to the specified value. A blank value indicates no specified bandwidth limit, equivalent to disabling the Device Settings Policy.

Accept the blank text box to support default Groove bandwidth usage for devices in a domain. Specifying a limit for network bandwidth allowed per Groove device in a domain often dramatically slows delivery of large messages. Do not enter a value in the text box (and enable the device settings policy) unless you are confident that your network requirements demand such a trade-off.

Note: Enable this policy and specify a bandwidth value only if you understand the implications for Groove operation. See “Limiting Groove Bandwidth Usage for Devices” above for more detailed information about this policy.

If you entered a bandwidth value, select one of the following units from the drop-down menu:

megabits/second - Sets bandwidth limit units to megabits per second. Allowable value: whole number from 1 to 100.

kilobits/second - Sets bandwidth limit units to kilobits per second. Allowable values: whole number from 5 to 100,000.

bits/second - Sets bandwidth limit units to bits per second. Allowable value: whole number from 4800 to 100,000,000.

percentage of bandwidth - Sets bandwidth limit to a percentage of the maximum bandwidth capacity of the Groove client communications device(s) currently in use. Note that this percentage is applied regardless of a device’s bandwidth capacity. For example, a bandwidth limit of 50% will be applied to a dial-up modem with a maximum connection speed of 56 Kb/second, as well as to an Internet connection with a maximum of 10 Mb/second. Therefore, the actual bandwidth available to a given client device, when defined as a percentage, varies depending on the communications device in use. This may lead to noticeably low connection speeds in a dial-up setting. Allowable value: whole number from 1 to 99.

Default: blank value

Device Client Policy Settings

Descriptions


Security Policies

The following table describes Groove device Security policy settings:

Device Security Policy Settings

Descriptions

Login Method

Members will use passwords to login to Groove

Specifies that domain members must use passwords to log in to Groove.

Members will use smart cards to login to Groove

Specifies that domain members must use smart cards to log in to Groove.

Password Policies (if passwords are the chosen Groove login method)

Password must contain at least __ characters

Specifies that Groove passwords on managed devices in the domain/group must contain at least the specified number of characters.

Default: 4

Users cannot repeat last ___ passwords

Specifies that, when changing a Groove password, managed users cannot re-use any of the specified number of previous passwords on their managed devices. For example, if you enter 3 in the text box of this field, users cannot use any of the last 3 phrases when updating a password. Leaving the text box empty specifies that users can repeat passwords.

Default: blank

Password expires every ___ days

Specifies the number of days for which a Groove password is valid, at which time Groove requires users to change their password.

Prevent password memorization on device

Specifies that users may not choose to let their managed devices memorize passwords after initial password entry. Users must enter their password each time they log in to Groove.

Default: unchecked

Password must contain at least one alpha (a, b, c...) character.

Specifies that Groove passwords on managed devices must contain at least one alphabetic character.

Default: unchecked

Password must contain at least one numeric (1, 2, 3...) character.

Specifies that Groove passwords on managed devices must contain at least one numeric character.

Default: unchecked

Password must contain mixed-case (aBc...) characters.

Specifies that Groove passwords on managed devices must be mixed-case.

Password must contain at least one punctuation (!, ?, $...) symbol.

Specifies that Groove passwords on managed devices must contain at least one punctuation symbol.

Default: unchecked


Edit Reset Settings (Groove 3.0e or earlier)

Lets you edit one of the following reset options for pre-3.0f versions of Groove:

• Disable password reset and data recovery. - Prevents reset of managed user passwords or recovery of member data on managed devices.

• Enable password reset and data recovery. - Allows reset of managed user passwords and recovery of workspace data on managed devices.

• Enable data recovery without password reset. - Allows recovery of managed users’ workspace data on managed devices but prohibits reset of user passwords.

For information about reset options for Groove version 3.0f or later, see “Security Policies” in the Managing Identity Policies section of this guide.

Default: Disable password reset and data recovery.
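The password settings in this table act as independent checks on each new password. The following added example (not Groove code and not part of the original guide) evaluates a candidate password against one policy template; the field names, the salted PBKDF2 history store, and the expiry comparison are assumptions made for the illustration.

```python
"""Added example: check a candidate password against the device password
policy settings described above. Illustrative only; not Groove code."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# (salt, PBKDF2 digest). How Groove stores password history is not
# documented in the guide; this storage format is an assumption.
HistoryEntry = Tuple[bytes, bytes]


@dataclass
class PasswordPolicy:
    """Hypothetical field names, one per setting in the table above."""
    min_length: int = 4                   # guide default: 4
    history_depth: Optional[int] = None   # guide default: blank (reuse allowed)
    expires_days: Optional[int] = None    # no default stated; None = no expiry
    require_alpha: bool = False           # guide default: unchecked
    require_numeric: bool = False         # guide default: unchecked
    require_mixed_case: bool = False      # no default stated; assumed unchecked
    require_punctuation: bool = False     # guide default: unchecked


def _digest(password: str, salt: bytes) -> bytes:
    """Slow salted hash so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(history: List[HistoryEntry], password: str) -> None:
    """Append an accepted password to the history (oldest entry first)."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


def violations(policy: PasswordPolicy, candidate: str,
               history: List[HistoryEntry]) -> List[str]:
    """Return the names of every policy setting the candidate fails."""
    failed = []
    if len(candidate) < policy.min_length:
        failed.append("min_length")
    if policy.require_alpha and not any(c.isalpha() for c in candidate):
        failed.append("alpha")
    if policy.require_numeric and not any(c.isdigit() for c in candidate):
        failed.append("numeric")
    if policy.require_mixed_case and not (
            any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)):
        failed.append("mixed_case")
    # string.punctuation covers ASCII symbols only (assumption of this example).
    if policy.require_punctuation and not any(
            c in string.punctuation for c in candidate):
        failed.append("punctuation")
    if policy.history_depth:
        # Only the most recent N passwords are off limits.
        for salt, stored in history[-policy.history_depth:]:
            if hmac.compare_digest(_digest(candidate, salt), stored):
                failed.append("history")
                break
    return failed


def is_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password has been in use for expires_days days."""
    if policy.expires_days is None:
        return False
    return today >= last_changed + timedelta(days=policy.expires_days)


if __name__ == "__main__":
    # Constructed sample data: a stricter template than the guide's defaults.
    strict = PasswordPolicy(min_length=8, history_depth=3, expires_days=90,
                            require_alpha=True, require_numeric=True,
                            require_mixed_case=True, require_punctuation=True)
    past: List[HistoryEntry] = []
    for old in ["Winter#2004", "Spring#2005", "Summer#2005", "Autumn#2005"]:
        remember(past, old)
    for candidate in ["abcd", "password", "Spring#2005", "Winter#2004"]:
        print(f"{candidate!r:15} default={violations(PasswordPolicy(), candidate, [])} "
              f"strict={violations(strict, candidate, past)}")
    print("expired:", is_expired(strict, date(2005, 1, 1), date(2005, 4, 1)))
```

With the guide's default template, a four-character lowercase password passes every check, which is why the composition and history settings matter when passwords are the chosen login method.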

Smart Card Login Policies (if smart cards are the chosen Groove login method)

Limit members’ smart card login certificate choices to certificates signed by the following CAs:

Lets you limit smart card login certificate choices to those signed by specific Certification Authorities (CAs) in an enterprise PKI environment.

Select Add CA Certificate in the tool bar to add allowed CA certificates to the current management server domain.

Select certificates from the Certificates drop-down menu to add them to the current device policy template.

You can click the Delete Certificate button next to any CA certificate that you want to delete from the management server list.

Specified certificate names and associated issuers appear in the certificate list. With this policy in effect, managed users may only use those certificates whose chain contains one of these CAs for Smart Card Login.

Consider a smart card login invalid if revocation status has not been updated in __ days

Specifies the number of days that may pass before a certificate is considered invalid because its updated revocation status has been unavailable (for example, when a managed user is offline for an extended period).

Selecting this policy enables certificate revocation checking. Leaving the box unchecked disables the policy.

Default: Unchecked (disabled)


Edit Reset Settings (Groove 3.0e or earlier)

Lets you edit one of the following reset options for pre-3.0f versions of Groove:

• Disable smart card login reset and data recovery. - Prevents reset of managed user smart card logins or recovery of member data on managed devices.

• Enable smart card login reset and data recovery. - Allows reset of smart card logins and recovery of workspace data on managed devices.

• Enable data recovery without smart card login reset. - Allows recovery of managed users’ workspace data on managed devices but prohibits reset of smart card logins.

For information about reset options for Groove version 3.0f or later, see “Security Policies” in the Managing Identity Policies section of this guide.

Default: Disable password reset and data recovery.

Customize Smart Card Login Reset Instructions

Available only if you have already downloaded a data recovery certificate, as described above. Displays a window that lets you edit the smart card login reset instructions that managed Groove users receive in response to a smart card login reset request.

For information about customizing reset instructions, see “Customizing Reset Instructions for Managed Devices” above.

Account Lockout Policies

Threshold: __ Invalid login attempts

Specifies the maximum number of unsuccessful Groove login attempts permissible on managed devices.

Default: 20

Maximum duration: __ [units]

Specifies the maximum amount of time that Groove will take to process login credentials after repeated unsuccessful login attempts on managed devices. Enter a non-zero value in the text field and select units from the drop-down menu.

Default: 5 minutes

After threshold is reached: Specifies one of the following Groove account lockout options when the specified repeat login limit is reached on managed devices:

• Allow login attempts but repeat maximum duration forever. - Allows users to continue Groove login attempts with the maximum specified ‘wait’ before Groove accepts or denies the entry.

• Do not allow any more login attempts (requires the password or smart card login reset identity policy to unlock). - Prohibits any more Groove login attempts, whether or not the login is valid. The user must request a password or smart card login reset from the administrator in order to access Groove.

Default: Allow login attempts but repeat maximum duration forever.

Strong Private Key Protection

Require strong private key protection (see Microsoft Knowledge Base article 320828)

Specifies whether Microsoft’s CryptoAPI patch is required on managed devices in order to run Groove. The link in the policy opens the following Web page:

support.microsoft.com/default.aspx?KBID=320828

Default: Unchecked (disabled)

Web Services Policies

Allow direct remote web services

Specifies whether Groove Web Services on managed devices can be accessed from remote applications.

Groove Web Services exposed on a client device can be accessed by Web service applications on the same device (a local Web Services connection) or on another physical device (a remote Web Services connection). If this device policy is enabled, remote (as well as local) applications can call Web Services exposed on managed devices. If this policy is disabled, only local applications can call Web Services on managed devices (remote Web Services applications will not be allowed access to data on managed devices).

See your Groove representative or www.groove.net for information about engaging Groove Web Services.

For information about securing remote Web services connections, see the Groove Development Kit documentation.

Note: Consider your corporate security requirements before enabling this policy.

Default: Unchecked (disabled)

Usage Policies

The following table describes Groove usage policy settings. These policies control the conditions under which Groove users can or cannot use Groove components on their devices. (Groove components are features or tools developed by Groove Networks or a third party for use in the Groove virtual office application.) The default settings for these policies are generally open, allowing component installs wherever possible. Consider whether you want to edit these settings to make them more restrictive.

Device Usage Policy Settings

Descriptions

Hide tools that are blocked due to usage policies

Lets you hide tools that are blocked by a policy. If you do not select this policy and a member tries to use a prohibited tool, a message appears explaining the restriction.

Allow members to use the following Groove tools

(See “Controlling Groove Tool Usage on Managed Devices” above for guidelines and precautions associated with restricted tool usage policies.)

Lets you limit the Groove tools that domain members can use (for example to allow usage of only audited tools in a client auditing environment).

To restrict a tool, click it and select from the Tool Usage Policy options described below.

Auditable tools include:

• Discussion

• Document Review

• Files

• Groove File Sharing Workspace

Note: Disabling the Files tool prevents proper functioning of the GFS Workspace tool that depends on it.

For information about client auditing, see “Enabling Groove Client Auditing” earlier in this guide.

Default: All tools are selected (allowed).

Tool Usage Policy options

Clicking a tool option controls tool usage, as follows:

• Allow all versions - Allows use of all versions of this tool.

• Allow auditable versions (3.0.2155 or greater) - Allows use of only auditable versions of this tool.

• Allow no versions - Allows no use of this tool (prohibits tool usage).

• If you contact Groove support to set an option to Delete information from blocked versions of this tool, the setting does the following:

> Deletes data associated with blocked tools

> Prevents incoming data from being stored locally

> Prevents users from accessing the tool or tool data even after the tool usage restriction is removed

For more information about tool usage policy, see “Controlling Groove Tool Usage on Managed Devices” above.

Audit Server Policies

Audit policies apply to the optional Groove Client Auditing capability, available with the Enterprise Management Server only (not for Groove Hosted Management Services). The following table describes Groove device Audit policy settings:

Device Audit Server Policy Settings (EMS only)

Descriptions

Audit Server Policies

Audit Server URL

Specifies the URL of the Groove Client Audit Server, optionally installed at your site (for example, http://groove.xyzcorp.com).

Upload audit logs every __ days/hours/minutes

Specifies how often Groove client audit logs are uploaded from clients to the audit server. To minimize user disruption, uploads may occur slightly before or after the specified period (depending on user activity and idleness).

Disable Groove if auditing fails.

Specifies that Groove Virtual Office will stop functioning if auditing fails on managed devices in the domain group.

Groove Virtual Office Client Events

Audit all account events

Specifies whether client auditing captures all Groove account events, including instant messages and workspace invitations, login and logoff events, account creation, and contact list events.

Audit selected account events

Lets you specify which type of Groove account events will be captured in client auditing. Note that some events - such as account creation and deletion, and logon failures - are always audited.

• Audit instant messages and invitations

(If your site supports an optional dedicated Groove XMPP Proxy Server, this auditing option includes XMPP instant messages. See the Enterprise Relay Server Administrator’s Guide for information about Groove XMPP Proxy Servers.)

• Audit login and logoff events

• Audit contact events

Audit workspace events

Specifies whether client auditing captures Groove workspace events, including the following:

• Member events (added, suspended, or deleted Groove workspace members)

• Role events (changes to workspace member permission).

Tool Events

Audit events that occur in the following Groove tools

Specifies that client auditing captures events associated with selected Groove tools, including the following:

• Chat

• Discussion

• Document Review

• Files (including adding, editing, deleting, renaming, or moving a file)

• Files Sharing Workspace

• Forms Tool


Audit the contents of files added to tools

Specifies that audit events include the contents of files added to Groove tools.

Note: This feature causes all versions of all files added to audited workspaces to be sent to the audit server. Therefore, enabling it can have a noticeable effect on bandwidth usage and disk storage.


Managing Groove Product Licenses

Licenses are purchased agreements between your company and Groove Networks allowing access to specific Groove products, tools, and components. Groove licenses are packaged in products (such as Groove Professional). Once the agreement has been signed for a designated number of seats (users), your company receives the requested licenses and can store them at a central location for administrator access. You can use the management server to provision Groove users with the appropriate licenses.

The sections below describe the following license administration tasks:

• Overview of License Provisioning

• Adding Groove Licenses to a Domain

• Adding a License Set to a Domain

• Adding Groove Domain Licenses to a Set

• Viewing Domain Licenses

• Viewing Licenses in a Set

• Viewing License Information

• Editing License Set Names

• Changing License Sets

• Finding License Users

• Deleting Licenses from a Set

• Deleting Licenses from a Domain

• Deleting License Sets

• Distributing Licenses to Unmanaged Users

• Viewing Licenses from Unmanaged Users

• Adding More Seats to a License Package

• Using the Enterprise License Pack

Overview of License Provisioning

Groove product license packages are collections of Groove tools and the licenses to use them. When your company licenses the right to use Groove software, your company obtains a product license package for that software. Then, in order to distribute Groove product licenses among managed users, you add the license(s) to a license set, and assign the set to a domain group or individual member. If you are using an onsite management server you first need to import licenses to a domain. Any time you add a product (purchased by your company) to a set, the product licenses are distributed to all users and groups provisioned with that set.

The following high level procedure outlines these steps:

1. If you are using an onsite Enterprise Management Server, import a license to a management domain, as described below in “Adding Groove Licenses to a Domain”.

2. If you want to create a new license set, create one, as described below in “Adding a License Set to a Domain”.

3. Add the license to a set, as described below in “Adding Groove Domain Licenses to a Set”.

4. Assign the license set to domain group or member, as described below in “Changing License Sets”.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer license sets at the group level; a role of Server, Domain, or Member Administrator is required to provision individual members with license sets. A role of Server, Domain, Member, or License Administrator is necessary to add licenses to sets.

Adding Groove Licenses to a Domain

If you are using an Enterprise Management Server installed onsite, you must import Groove licenses into a management server domain in order to deploy them to your managed Groove users. If you are using Groove Hosted Management Services, the necessary licenses are already resident in your management domain.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add licenses to a domain.

To add a Groove license to a domain, follow these steps:

1. Go to the management server administrative Web site and select a domain’s License Sets heading from the navigation pane. The License Sets tab appears with a list of license sets. The management server provides an initial default license set (which is empty if licenses have not been added to the set).

2. Click the Licenses tab. The Licenses page appears with a list of licenses that have been added to the domain.

3. From the Licenses page, select Add License in the tool bar. A File location pop-up window appears.

4. In the File location field, browse to the location of your organization’s Groove product packages and select a product license file, then click OK. The license name appears in the list of licenses added to the domain on the Licenses tab or in the Add License window for a selected set.

5. Repeat this process for each license you want to add to the domain.

Adding a License Set to a Domain

The management server provides an initial license set in each management domain, to which you add licenses. You can also add other sets to the domain from the License Sets page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add license sets to a domain.

To add a license set to a management domain, follow these steps:

1. Go to the management server administrative Web site and select a domain’s License Sets heading from the navigation pane. The License Sets tab appears with a list of license sets. The management server provides an initial default license set to which you can add others.

2. From the License Sets tab, select Add Set in the tool bar. The Add License Set window appears with a list of license sets.

3. In the Add License Set window, enter the license name and an optional description.

4. Click OK. The new license set name appears in the License Sets list. The set is empty until you add licenses as described below in “Adding Groove Domain Licenses to a Set”.

Adding Groove Domain Licenses to a Set

License sets are empty (they contain no licenses) until you add Groove licenses to a set. You can add licenses to a license set from the license page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change license sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member. A role of Server, Domain, Member, or License Administrator is necessary to add licenses to sets.

To add a Groove license to a license set, follow these steps:

1. Go to the management server administrative Web site and select a license set (under the domain’s License Sets heading) in the navigation pane. The License page appears with a list of licenses that have been added to the set.

2. From the Licenses page, select Add Licenses in the tool bar. The Add License window appears with a list of domain licenses.

3. In the Add License window, select the license(s) that you want to add to the set (selecting the top box selects all licenses in the list).

If no licenses have been imported into the domain, the menu displays a No Licenses Available entry. For information about importing licenses to a domain, see “Adding Groove Licenses to a Domain” above.


4. Click OK. The selected license appears in the set’s license list.

5. Repeat this process for each license you want to add to the set.

Editing License Set Names

You can view or edit a license set name and description from any license set page.

To view or edit license set properties, follow these steps:

1. Go to the management server administrative Web site, select the domain’s License Sets heading from the navigation pane and select a license set in the list. Or, select a license set from the navigation pane and select License Set Properties in the tool bar. The license set Properties window appears.

2. From the license set Properties window, edit the license set name and description, as necessary.

3. Click OK.

Viewing Domain Licenses

To view licenses in a management domain, do the following:

1. Go to the management server administrative Web site and select the domain’s License Sets heading from the navigation pane. The License Sets tab appears.

2. Click the Licenses tab. The Licenses page appears, displaying Groove licenses that have been imported into the domain, along with the following information:

• License name

• License issue date

• License expiration date (if any)

• Number of supported seats. Licenses for which the seat limit is exceeded appear in red.

• Number of seats used

Viewing Licenses in a Set

To view licenses in a license set, do the following:

• Go to the management server administrative Web site and select a license set in the navigation pane. The license page appears, displaying Groove licenses that have been added to the set. Each listing includes the license name, license activation code and associated activation server (the management server CA name).

Viewing License Information

A Groove license package consists of a set of tools and license constituents. It also has an associated activation code that you can pass to trusted unmanaged Groove users if necessary. You can view these license details from the management server license page.

To view Groove license details, follow these steps:


1. Go to the management server administrative Web site and select the domain’s License Sets heading. The License Sets page appears with a list of license sets.

2. Click the Licenses tab. The Licenses page appears.

3. From the Licenses page, click the license for which you want information. The license Properties window appears with the following information:

• License activation code

• Activation server (management server) CA name

• Name of each license constituent

4. When you are ready, click OK.

Finding License Users

You can search for managed users of Groove licenses by viewing the management server’s License Usage report.

To search for managed users of a Groove license, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane. The Reports tab appears, displaying the default report (the Audit Log).

2. From the Reports drop-down menu on the Reports tab, select the License Usage report.

3. Specify the remaining report display parameters as desired. For a description of license reports, see “Domain Reports” in the Managing Reports section of this guide.

4. Click the Display Report button. The License Usage report appears for the specified date range.

Changing License Sets

The management server provides a default license set to managed identities in a domain group. You can change default license set assignments for any group or member, as described in the following sections:

• Changing License Sets for a Group

• Changing License Sets for a Group Member

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change license sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

Changing License Sets for a Group

Before reassigning license sets, make sure that the sets you plan to assign contain Groove licenses. See “Adding Groove Domain Licenses to a Set” above for information about adding licenses to sets.

To change license sets for a group, follow these steps:


1. Go to the management server administrative Web site and select a management domain group in the navigation pane.

2. Select Group Properties in the tool bar.

3. From the group Properties page, select the desired license set from the License Sets drop-down menu.

4. To apply this change to all subgroups and members of this group, select the option, ‘Override settings for all members and subgroups’. Otherwise, to leave subgroup and individual member template assignments as is, leave the option unchecked.

5. Click OK.

Changing License Sets for a Group Member

To change license sets for a group member, follow these steps:

1. Go to the management server administrative Web site and navigate the domain tree until the member whose template you want to change appears in the main screen display list.

2. From the main screen, click the member name. The Member Information page appears.

3. From the member Properties page, select the desired license set from the License Sets drop-down menu.

4. Click Apply to save your changes without closing, or OK to change and close.

Deleting Licenses from a Domain

You can delete a Groove license from a domain, permanently removing it from the management server. No managed users assigned to sets containing that license will be able to access it. If you remove all license assignments from a set, managed users assigned to that set cannot access their managed Groove account.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete licenses from a domain.

To delete a Groove license from a management domain and the server, follow these steps:

1. Go to the management server administrative Web site and select a domain’s License Sets heading from the navigation pane. The License Sets tab appears with a list of license sets.

2. Click the Licenses tab. The Licenses page appears with a list of licenses.

3. From the Licenses page, select the licenses that you want to delete from the domain (selecting the top box selects all licenses in the list).

4. Select Delete Licenses in the tool bar and confirm your decision. The selected licenses are deleted from the server.

Deleting Licenses from a Set

You can delete Groove licenses from a license set without deleting them from the management server, using the set’s licenses page. Removing a license from a set means that managed users previously assigned to the set containing that license can no longer access it.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change license sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member. A role of Server, Domain, Member, or License Administrator is necessary to remove licenses from sets.

To delete selected Groove licenses from a license set, follow these steps:

1. Go to the management server administrative Web site and click a license set in the navigation pane. The licenses page appears with a list of licenses.

2. From the licenses page, select the licenses that you want to remove from the set (selecting the top box selects all licenses in the list).

3. Select Remove Licenses in the tool bar. The selected licenses are removed from the license set (but still exist in the domain).

Deleting License Sets

You can delete Groove license sets from a domain, providing that the sets are not assigned to a group or member. You cannot delete the last set.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete license sets.

To delete selected license sets, follow these steps:

1. Go to the management server administrative Web site and select a domain’s License Sets heading from the navigation pane. The License Sets tab appears with a list of license sets.

2. From the License Sets tab, select the license sets that you want to delete (selecting the top box selects all licenses in the list).

3. Select Remove License in the tool bar. The selected license sets are removed. If a license set cannot be deleted because it is assigned to a group or member, a message appears indicating this condition. To delete assigned license sets, make sure they are not assigned to any group or member, as described in “Changing License Sets”, above.

Distributing Licenses to Unmanaged Users

If you need to issue individual licenses to unmanaged Groove users (such as consultants), you can use the license details page on the management server. Users must have Groove installed on their devices and be connected to the Internet in order to install an individual product package. When a Groove user applies a Product Activation key to Groove, Groove contacts the management server (for example, groove.net if Groove is hosting the Management Services for you), and downloads the appropriate product packages to the user’s machine.

To issue Groove licenses to Groove users who are not members of a management domain, follow these steps:


1. Go to the management server administrative Web site and select the domain’s License Sets heading. The Licenses page appears with a list of licenses.

2. From the Licenses page, click the license for which you want information. The license details window appears with the following information:

• License activation code

• Activation server (management server) CA name

• Name of each license constituent

3. Copy the product activation key and activation server (management server) name, then click OK.

4. Send the product activation key and activation server name to the unmanaged Groove user.

To gain access to the issued license(s), the recipient must do the following:

a. Connect to the Internet.

b. Start up Groove.

c. From the Help menu, select Activate Product.

d. In the Activation Key field, enter the Product Activation key for the appropriate product.

e. In the Activation provided by: field, enter the host name of the activation/management server for the appropriate product.

This installs the product package into the unmanaged user’s account but does not make the user a domain member under your management. No Groove contact information is affected, no other products or licenses are transferred, no policies or relay server assignments are assigned, and no statistics for general Groove usage are collected.

Note: If your company uses proxy servers to control traffic out to the Internet and a user has not logged into the network, Groove will trap any login request from the proxy and display a login window during the activation process. The user should enter the customary name and password in order to proceed smoothly. If a user ignores this login, the product activation fails.

Viewing Licenses from Unmanaged Users

Use the license details pages to view licenses that you distributed individually to Groove users who are not members of a management domain.

To view Groove licenses distributed to unmanaged Groove users, follow these steps:

1. Go to the management server administrative Web site and select the domain’s License Sets heading. The Licenses page appears with a list of licenses.

2. From the Licenses page, click the license for which you want information. The license details window appears.

3. Click the Manage Non-Domain Member Licenses button. The Manage ___ Licenses pop-up window appears with a list of unmanaged Groove license holders.

4. To view active or revoked licenses of unmanaged users, select an option from the ‘View users with’ drop-down menu.


5. To navigate through the list, use the First, Previous, Next, and Last buttons.

6. Click the OK button when you finish.

Revoking Licenses from Unmanaged Users

Use the license details pages to revoke licenses that you distributed individually to Groove users who are not members of a management domain.

To revoke Groove licenses from unmanaged Groove users, follow these steps:

1. Go to the management server administrative Web site and select the domain’s License Sets heading. The Licenses page appears with a list of licenses.

2. From the Licenses page, click the license for which you want information. The license details window appears.

3. Click the Manage Non-Domain Member Licenses button. The Manage ___ Licenses pop-up window appears.

4. Make sure Active Licenses is selected in the ‘View users with:’ drop-down menu.

5. Select a user from whom you want to revoke the license, using the First, Previous, Next, and Last buttons to navigate through the list.

6. Click the Revoke License button to prevent the selected user from using Groove Virtual Office.

7. Click the OK button to close the window.

Adding More Seats to a License Package

License packages specify a number of seats (users) that your company has purchased from Groove Networks. Once the seats have been used up, the license package is no longer valid and your company must procure a new one from Groove Networks in order to accommodate additional seats. If you are using Enterprise Management Servers installed onsite at your company, you must import the new package, as described in the procedure below. If you are using Groove Hosted Management Services, Groove Networks performs this task for you.

To add seats to a Groove license package in an environment of onsite Enterprise Management Servers, follow these steps:

1. Make sure that your company has purchased a new license package and made it accessible to you.

2. From the management server administrative Web site, select a domain’s License Sets heading.

3. Select Add License in the tool bar to import the license package that contains the additional seat count, as described in “Adding Groove Licenses to a Domain” above. The new package should have the same name as the original package but its globally unique identifier (GUID) distinguishes the new version from the old.

4. Add the new license to the appropriate sets, as described in “Adding Groove Domain Licenses to a Set” above.

This procedure adds the new license with the additional seats to your domain. The management server displays an error message if you try to add an existing license.

Using the Enterprise License Pack

The Enterprise License Pack is a special product license package with an expiration date. You import this license pack just like any other product license package. However, this product package can exist for only one year, starting from the date of purchase. After this date, the date display appears in red, and the product and associated licenses expire.

To check the expiration date for the Enterprise License Pack, follow these steps:

1. From the management server administrative Web site, select a domain’s License Sets heading. A list of license names appears, along with license expiration dates.

2. Click the License tab. The Manage Product Packages page appears listing the product (containing licenses) that you assigned to the domain or group. This page also shows the product expiration date.

3. If a license appears in red, the license has expired and you should be prepared to import a new license to remain in compliance with the licensing terms.


Managing Groove Servers

The management server enables administrators to provision domain groups and members with onsite Enterprise Relay Servers and Groove Hosted Relay Services, necessary for successful, uninterrupted Groove client communications in an enterprise. The same interface can be used for managing Groove XMPP Proxy Servers and other Groove servers installed onsite at an enterprise. The procedures in this section apply to all servers, except where otherwise noted.

For more information about installing and configuring Enterprise Relay Servers and Groove XMPP Proxy Servers, see the Groove Enterprise Relay Server Administrator’s Guide.

The sections below describe the following user-related tasks:

• Overview of Server Provisioning

• Registering a Server with a Management Domain

• Adding a Server Set to a Domain

• Adding Groove Domain Servers to a Set

• Editing Server Set Names

• Viewing Domain Servers

• Viewing Servers in a Set

• Editing Server Properties

• Finding Server Users

• Changing Server Sets

• Changing Server Sets for a Group Member

• Deleting Servers from a Domain

• Removing Servers from a Set

• Deleting Server Sets

• Locking out and Re-enabling an Onsite Server

• Reordering Servers in a Set

• Synchronizing an Onsite Server

Overview of Server Provisioning

The management server’s Server Sets pages let you define sets of supporting Groove servers to which you can provision management domain members. For example, you can provision users to specific dedicated Enterprise Relay Servers installed onsite at your organization.

If you are using onsite Enterprise Management Servers, you must first register the supporting Groove server with the management server. If you are using Groove Hosted Management Services, this server registration has already occurred.

Provisioning management domain members with other supporting Groove servers involves the following high-level procedure:

1. Register the server with a management domain, as described below in “Registering a Server with a Management Domain”.

2. If you want to create a new server set, create one, as described below in “Adding a Server Set to a Domain”.

3. Add the server to a set, as described below in “Adding Groove Domain Servers to a Set”.

4. Assign the server set to a domain group or member, as described below in “Changing Server Sets”.

The sections below provide overviews of provisioning to the currently supported communications servers:

• Relay Server Provisioning

• XMPP Proxy Server Provisioning

Relay Server Provisioning

Groove relay servers help ensure continuous virtual peer communication regardless of peer status (online or offline) or network conditions. In order to provision managed users with onsite or dedicated Groove hosted relay services, you add domain relay servers to a relay server set, and assign the set to a domain group or individual member.

For more information about installing and configuring Enterprise Relay Servers, see the Groove Enterprise Relay Server Administrator’s Guide.

XMPP Proxy Server Provisioning

As of version 3.1, Groove Virtual Office provides public XMPP proxy servers to enable Groove client communication with Jabber and other XMPP clients. In a managed environment, an enterprise can install Groove XMPP proxy servers onsite, allowing administrators to provision Groove domain members to private XMPP servers similar to the way they provision users to dedicated relay servers.

For more information about installing and configuring Groove XMPP Proxy Servers, see the Groove Enterprise Relay Server Administrator’s Guide.

Registering a Server with a Management Domain

If Enterprise Management Servers are installed at your site, you must register onsite or Groove-hosted relay server(s) with the management server in order to provision Groove domain members with relay servers. If you use Groove Hosted Management Services, the hosted relay servers are already listed on the hosted management server.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to administer relay server sets at the group level; a role of Server, Domain, or Member Administrator is required to provision individual members with relay server sets.

The sections below describe the following relay server tasks:

• Overview of Server Registration

• Exchanging Server Keys

Overview of Server Registration

If you are using an onsite Enterprise Management Server, you must register each supporting Groove server with the management server before you can assign these servers to domain groups or members. Because relay and management servers depend on each other to perform specified functionality (such as data synchronization), they must be able to communicate securely. To establish this relationship, public/private key pairs are used to authenticate each server to the other and to the Groove users assigned to the relay server. An exchange of certificates (corresponding to these keys) is therefore required in the case of onsite relay servers.

Note: Data synchronization and similar tasks are not performed with hosted servers, so hosted relay (or other) servers do not require management server keys.

For onsite servers, the registration process involves two main steps:

• Copying the management server certificate and information into the supporting server registry.

• Copying the supporting server certificate and information to the management server and listing it with a domain.

Registering hosted relay services involves only the second part of the certificate exchange described for onsite servers: copying the supporting server’s certificate and information to the management server.

Exchanging Server Keys

The following procedure applies to onsite servers and hosted services and is a necessary preliminary to server provisioning.

To perform the server key exchange, follow these steps:

1. Go to the management server administrative Web site and click the domain Server Sets heading in the navigation pane. The Server Sets tab appears with a list of server sets. The management server provides an initial default server set (which is empty if servers have not been added to the set).

Note: For convenience, if your setup allows, you can perform this procedure by logging into the management server from the relay server machine.

2. Click the Servers tab. The Servers page appears, with a list of relay servers that have been added to the domain.


3. Click Add Server in the tool bar, then select a server type: Hosted Relay Server, Onsite Relay Server, or XMPP Server. The Add ___ Server page appears.

4. If you are installing an onsite relay server, follow the series of substeps below to copy the management server public key to the relay server.

If you are registering a Groove-hosted relay or other server, skip this series of substeps and proceed to the next main step to import the relay server.xml file onto the management server.

a. From the Add Server page, click the Download Public Key button to download ManagementServer.reg. The File Download dialogue box appears. This .reg file contains the management server’s certificate (containing its public key and identifying information). For more information about management server keys, see “Appendix B. Management Server Keys and Certificates”.

b. Click Save this file, then click OK, select a location for saving the file, click the Save button, and click the Close button. (If you are conducting this procedure from a local relay server machine, you can click the Open button to apply the registry settings from the .reg file, instead of saving the file on the management server to disk and then copying it onto the relay server.)

c. From the relay server machine, copy the ManagementServer.reg file from its current location onto the relay server.

d. From the relay server machine, launch the ManagementServer.reg file to apply the registry settings that contain the management server certificate in the relay server registry.

5. If you are using an onsite relay server, copy the relay server ID file, RelayID.xml, to a safe place on disk. This file is defined by the server administrator during installation and configuration of the supporting server, and usually resides in the relay server or other server’s installation directory.

If you are using hosted relay services, locate the relay server ID file, GrooveHostedRelay.xml (usually provided on a separate CD).

6. From the Add Server page on the management server, in the File location text box, type or browse to the location of the server’s ID file (RelayID.xml or GrooveHostedRelay.xml, for example). This file contains two certificates: a SOAP certificate which is used by the management server to authenticate the server, and an SSTP certificate which will be used by Groove clients provisioned to this server.

(See the Groove Enterprise Relay Server Administrator’s Guide for information about generating this .xml file on onsite servers.)

7. Click OK to upload the server ID file to the management server domain. The server name appears in the list of servers added to the domain on the Server tab and in the Add Server window for a selected set.

Note that adding a server to a domain automatically adds it to the default relay server set for provisioning to domain groups and members. You can delete the server from the default set as described below in “Removing Servers from a Set”.

You can also add servers to specified sets as described below in “Adding Groove Domain Servers to a Set”.
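Launching ManagementServer.reg in substep d merges every setting the file contains, so it is worth reviewing the copied file on the relay server before applying it. The Python code below is an added example, not code from this guide or from Groove Networks: it hashes the file for comparison with the copy saved on the management server and lists each key and value it would write. The expected key prefix, the value names and the sample file contents are constructed placeholders, since the guide does not name the registry key.

```python
import hashlib
import re

# Assumption: placeholder for the registry key under which your relay server
# documentation says the management server certificate is stored. The guide
# does not name the key, so this value is hypothetical.
EXPECTED_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleRelay"

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
TYPE_RE = re.compile(r"dword|hex(\([0-9a-f]+\))?")


def decode_reg(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")


def review_reg(raw: bytes, expected_prefix: str = EXPECTED_PREFIX) -> dict:
    """List every key and value a .reg file would write, plus anything unexpected."""
    text = decode_reg(raw)
    # hex: values may continue over several lines with a trailing backslash.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing header line")

    prefix = expected_prefix.upper()
    keys, values, findings = [], [], []
    current = None
    for line in lines[1:]:
        if line.startswith(";"):  # comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):  # "[-KEY]" removes a whole key
                current = current[1:]
                findings.append(f"deletes key {current}")
            keys.append(current)
            upper = current.upper()
            if upper != prefix and not upper.startswith(prefix + "\\"):
                findings.append(f"key outside expected location: {current}")
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            findings.append(f"unparsed line: {line[:60]}")
            continue
        name = "(default)" if match.group(1) == "@" else match.group(1)[1:-1]
        data = match.group(2)
        if data == "-":  # '"name"=-' removes a value
            kind = "delete"
            findings.append(f"deletes value {name} under {current}")
        elif data.startswith('"'):
            kind = "string"
        else:
            kind = data.split(":", 1)[0].lower()
            if not TYPE_RE.fullmatch(kind):
                findings.append(f"unknown value type for {name}: {kind[:20]}")
        values.append((current, name, kind))

    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # compare with the source copy
        "keys": keys,
        "values": values,
        "findings": findings,
    }


def build_sample(extra: str = "") -> bytes:
    """Constructed sample input; not the contents of a real ManagementServer.reg."""
    body = (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[" + EXPECTED_PREFIX + "\\ManagementServer]\r\n"
        '"ExampleName"="mgmt.example.test"\r\n'
        '"ExampleCertificate"=hex:30,82,01,0a,\\\r\n'
        "  02,82,01,01\r\n" + extra
    )
    return b"\xff\xfe" + body.encode("utf-16-le")


CLEAN = build_sample()
TAMPERED = build_sample(
    "\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleOther]\r\n"
    '"Setting"=dword:00000001\r\n'
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("tampered", TAMPERED)):
        report = review_reg(raw)
        print(label, report["sha256"][:16], report["findings"] or "no findings")
        for key, name, kind in report["values"]:
            print(f"  {key} :: {name} ({kind})")
```

Apply the file only when the hash matches the one computed on the management server and the findings list is empty.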


Adding a Server Set to a Domain

The management server provides an initial relay server set in each management domain, to which you add relay servers. You can add other sets to the domain from the Server Sets page.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to add server sets to a domain.

Note: Adding or removing a server set to or from a domain may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

To add a server set to a management domain, follow these steps:

1. Go to the management server administrative Web site and select a domain’s Server Sets heading from the navigation pane. The Server Sets tab appears with a list of server sets. The management server provides an initial default server set (which is empty if servers have not been added to the domain).

2. From the Server Sets tab, click Add Set in the tool bar. The Add Server Set window appears with a list of server sets. You can select servers from this window to add them to the selected set.

3. In the Add Server Set window, enter the server set name and an optional description.

4. Click OK. The new server set name appears in the Server Sets list, along with a list of servers that have been added to the set (if any). All available domain servers are added to the set by default. You can delete any unwanted servers from the set by selecting the set and selecting Remove servers in the tool bar, as described below in “Removing Servers from a Set”. You can add servers imported to the domain after set creation, as described below in “Adding Groove Domain Servers to a Set”.

Adding Groove Domain Servers to a Set

Server sets are empty (they contain no servers) if no servers have been added to the domain. Once you add servers to the domain, all domain servers available at the time of set creation appear in the set by default. You can add servers that are subsequently imported into the domain to specified sets, as described in the procedure below.

Groove client devices send managed users’ Groove messages to the first available server, checking the relays in the order in which they appear in the server set’s list of servers. The order that servers are added to the set determines the default server polling order. You can change the relay polling order as described below in “Reordering Servers in a Set”.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change server sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.


Note: Adding or removing a server set to a domain may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

To add a Groove server to a server set, follow these steps:

1. Go to the management server administrative Web site and select a server set (under the domain’s Server Sets heading) in the navigation pane. The Servers page appears with a list of servers that have been added to the set.

2. From the Servers page, click Add Servers in the tool bar and select Hosted Relay Server, Onsite Relay Server, or XMPP Proxy Server. The Add Server page appears with a list of domain servers (indicating onsite or hosted).

3. From the Add Server page, select the server(s) that you want to add to the set (clicking the top box selects all servers in the list).

If no servers have been imported into the domain, the menu displays a No Servers Available entry. For information about listing servers with a domain, see “Registering a Server with a Management Domain” above.

4. Click OK. The selected server appears in the set’s server list.

5. Repeat this process for each server you want to add to the set.

If you add multiple servers to a server set, managed users (identities) in this domain can contact any of the named servers for messages and updates. Users sending data to these identities will send data to the first relay available, checking servers in the order that the relays appear in the list. If multiple servers are listed with a domain and you want to re-prioritize their usage, click the down or up arrows to reorder the entries. Users sending data will then check relay availability in the re-prioritized order.

If you need to remove or lock out a specific onsite server, you can do so from the server set’s list of servers, as described below in “Locking out and Re-enabling an Onsite Server”.

Editing Server Set Names

You can view or edit a server set name and description from any server set page.

To view or edit server set properties, follow these steps:

1. Go to the management server administrative Web site, select the domain’s Server Sets heading from the navigation pane and click a server set in the list. Or, select a server set from the navigation pane and select Server Set Properties in the tool bar. The server set Properties window appears.

2. From the server set Properties window, edit the server set name and description, as necessary.

3. Click OK.


Viewing Domain Servers

To view servers in a management domain, do the following:

1. Go to the management server administrative Web site and select the domain’s Server Sets heading from the navigation pane. The Server Sets tab appears.

2. Click the Servers tab. The Servers page appears, displaying Groove servers that have been imported into the domain, including the information described in the following table:

Server Sets Information | Descriptions

Server | Server’s Certificate Authority (CA) name (such as grooveDNS://hostedrelay1.groove.net), defined during server registration. See “Registering a Server with a Management Domain” above, for information about registering servers on the management server.

Type | Information only. Relay Server, Hosted Relay Server, or XMPP Proxy Server - Indicates the server type, as follows:

• Relay Server - An Enterprise Relay Server installed onsite at your enterprise.

• Hosted Relay Server - A specific relay server hosted for your enterprise by Groove Networks.

• XMPP Proxy Server - A Groove XMPP Proxy Server installed onsite at your enterprise.

Viewing Servers in a Set

To view servers in a server set, do the following:

• Go to the management server administrative Web site and navigate to a domain’s Server Sets in the navigation pane.

• Select a server set. The server page appears, displaying Groove servers that have been added to the set, including the information described in the following table.

Server Sets Information | Descriptions

Ordering buttons | Lets you re-order the server with respect to the others in the set. Click the up or down arrows to move the server up or down in the list.

See “Reordering Servers in a Set” below, for more information about re-ordering servers.

Server | Server’s Certificate Authority (CA) name (such as grooveDNS://hostedrelay1.groove.net), defined during server registration. See “Registering a Server with a Management Domain” above, for information about registering servers on the management server.

Type | Information only. Indicates the server type, as follows:

• Relay Server - An Enterprise Relay Server installed onsite at your enterprise.

• Hosted Relay Server - A specific relay server hosted for your enterprise by Groove Networks.

• XMPP Proxy Server - A Groove XMPP Proxy Server installed onsite at your enterprise.

Lockout | Lets you lock out a server from use. See “Locking out and Re-enabling an Onsite Server” below, for information about locking out servers.

Editing Server Properties

The server Properties page lets you view and edit various server settings, including relay message life times. The server queues messages that are waiting for delivery to Groove clients. You can help control relay disk space usage by adjusting message retention time.

For information about purging individual member message queues on a server, see “Purging Member Relay Queues” in the Managing Users section, earlier in this guide.

For information about server message queues, see the Groove Enterprise Server Administrator’s Guide.

To view and edit Groove server properties, follow these steps:

1. Go to the management server administrative Web site and select the domain’s Server Sets heading. The Servers page appears with a list of servers.

2. From the Servers page, click the server for which you want information. The server Properties window appears with the information described in the table below.

3. Edit the fields as necessary, then click OK.

Server Properties | Descriptions

Enable Quotas | Sets message queue quotas on version 2.5 servers.

Quota | The maximum number of megabytes that can be stored in queues for each managed user account on version 2.5 servers. When the quota is reached, Groove messages are temporarily stored on the sending device until the queue frees up again (as clients contact the server to collect their messages) or, the messages can be delivered via direct peer-to-peer connection.

Default: 15 megabytes.

Enable Purge | Automatically purges relay message queues.

Note: The purge settings take effect only if a server task has been added to the Windows Task Scheduler to periodically run the server’s queue purge program. The message lifetime that you specify and submit on this management server page is stored in the server registry for use by the purge program.

Identity message lifetime | The number of days that identity messages can remain enqueued before being deleted. Identity messages consist of Groove instant messages and Groove workspace invitations. Because identity-targeted queues cannot be recovered after deletion (unlike device messages), the default holding time for these messages is longer than for device messages.

Default: 90 days

Device message lifetime | The number of days that device messages can remain enqueued before being deleted. Device messages consist of Groove space information.

Default: 30 days

Finding Server Users

You can search for managed users of Groove servers by viewing the management server’s Server Usage report.

To search for managed users of a Groove server, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane. The Reports tab appears, displaying the default report (the Audit Log).

2. From the Reports drop-down menu on the Reports tab, select the Server Usage report.

3. Specify the remaining report display parameters as desired. For a description of server reports, see “Domain Reports” in the Managing Reports section, later in this guide.

4. Click the Display Report button. The Server Usage report appears for the specified date range.

Changing Server Sets

The management server provides a default server set to managed identities in a domain group. A server set can contain up to five onsite servers, depending on how many servers are registered in the management domain. Groove client devices contact the servers sequentially when sending managed user messages, in the order that the servers were added to the set. You can re-order servers in a set as described below in “Reordering Servers in a Set”.

You can change server set assignments for any group or member, as described in the following sections:

• Changing Server Sets for a Group

• Changing Server Sets for a Group Member

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change license sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.


Changing Server Sets for a Group

To change server sets for a group, follow these steps:

1. Go to the management server administrative Web site and select a management domain group in the navigation pane.

2. Select Group Properties in the tool bar.

3. From the group Properties page, select the desired server set from the Server Sets drop-down menu.

4. To apply this change to all subgroups and members of this group, select the option, ‘Override settings for all members and subgroups’. Otherwise, to leave subgroup and individual member template assignments as is, leave the box unchecked.

5. Click OK.

Changing Server Sets for a Group Member

To change server sets for a group member, follow these steps:

1. Go to the management server administrative Web site and navigate the domain tree until the member whose template you want to change appears in the main screen display list.

2. From the main screen, click the member name. The Member Information page appears.

3. From the member Properties page, select the desired server set from the Server Sets drop-down menu.

4. Click Apply to save your changes without closing, or OK to change and close.

Deleting Servers from a Domain

You can delete a server from a domain, permanently removing it from the management server. No managed users assigned to sets containing that server will be able to access it. If you remove all server assignments from a set, managed users assigned to that set must rely on public servers.

Note: Removing a server may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete servers from a domain.

To delete selected Groove servers from a management domain and the server, follow these steps:

1. Go to the management server administrative Web site and select a domain’s Server Sets heading from the navigation pane. The Server Sets tab appears with a list of server sets.

2. Click the Servers tab. The Servers page appears with a list of servers.


3. From the Servers page, select the servers that you want to delete from the domain (selecting the top box selects all servers in the list).

4. Select Delete Server in the tool bar and confirm your decision. The selected servers are deleted from the server.

Removing Servers from a Set

You can remove servers from a server set without deleting them from the management server, using the Servers page. Removing a server from a set means that managed users previously assigned to the set containing this server can no longer contact it (and must rely on public servers). If you want these users to be able to communicate externally or benefit from other relay services, make sure that they are assigned to other servers registered with their management domain.

Note: Assignments to a removed server default to a public server.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to change server sets at the group level; a role of Server, Domain, or Member Administrator is required to change templates for an individual member.

To remove selected Groove servers from a server set, follow these steps:

1. Go to the management server administrative Web site and select a server set from the domain’s Server Sets heading in the navigation pane. The Servers page appears with a list of servers.

2. From the Servers page, select the servers that you want to remove from the set (selecting the top box selects all servers in the list).

3. Click Remove Servers in the tool bar. The selected servers are removed from the server set (but still exist in the domain).

Deleting Server Sets

You can delete Groove server sets from a domain, providing that the sets are not assigned to a group or member. The servers associated with the set remain as is in the domain. Note that you cannot delete the last set.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Domain Administrator to delete server sets.

To delete selected server sets, follow these steps:

1. Go to the management server administrative Web site and select a domain’s Server Sets heading from the navigation pane. The Server Sets tab appears with a list of server sets.

2. From the Server Sets tab, select the server sets that you want to delete (selecting the top box selects all servers in the list).

3. Click Delete Server Set in the tool bar. The selected server sets are removed. If a server set cannot be deleted because it is assigned to a group or member, a message appears indicating this condition. To delete assigned server sets, make sure they are not assigned to any group or member. For information about assigning server sets, see “Changing Server Sets” above.

Locking out and Re-enabling an Onsite Server

You can lock out an onsite server from a domain or group in order to temporarily block the enqueuing of Groove instant messages. You cannot lock out Groove-hosted servers. You can also lock out a specific user from accessing this server.

Note: Locking out or re-enabling a server may result in significant added network traffic and disruption of Groove operation as this change is propagated to all Groove contacts associated with managed members of this domain. Be sure to communicate this information to managed Groove users before making this change.

To lock out (or re-enable) an onsite server from a domain or group, follow these steps:

1. Go to the management server administrative Web site and select a server set in the navigation pane. The Servers page appears, displaying Groove servers that have been added to the set, including a Lockout checkbox.

2. Select the Lockout option to lock out a server, or uncheck it to re-enable it.

Reordering Servers in a Set

If multiple servers are specified in a server set, Groove client devices send managed users’ Groove messages to the first available server, checking the relays in the order in which they appear in the server set’s list of servers. The default server sequence depends on the order that servers were added to the set. You can change the relay polling order from the server page.

To re-order servers in a set, follow these steps:

1. Go to the management server administrative Web site and select a server set in the navigation pane. The Servers page appears, displaying Groove servers that have been added to the set.

2. Click the up or down arrow keys to move a server up or down in the list. Servers at the top of the list are contacted before those further down in the list.

Synchronizing an Onsite Server

If onsite relay and management servers become unsynchronized, you can correct the condition from the Server Sets page on the management server. Server or communications failures can cause loss of synchronization between data on the server and data on the management server. The management server detects this condition, changes the server status in the administrator interface to ‘out-of-synch’, and provides a mechanism for re-establishing synchronization and restoring EMS data to the server. The management server also logs these events in the EMS audit log report.

To view onsite server synchronization status and synchronize data flow between management and onsite servers if needed, follow these steps:


1. Go to the management server administrative Web site and select the domain’s Server Sets heading from the navigation pane. The Server Sets tab appears.

2. Click the Servers tab. The Servers page appears, displaying Groove servers that have been imported into the domain. In the Status column, a red synchronization indicator appears next to any onsite relays that are “out of synch” with the management server, and a Synchronize button appears next to the out-of-synch relay.

3. Click the Synchronize button to start the synchronization process and restore EMS data to the server. The red synchronization alert disappears once synchronization is complete.


Viewing Groove Domain Reports

The domain Reports tab on the management server Web interface lets you view various types of Groove reports and export any report to a specified file.

This document describes the following server monitoring capabilities:

• Viewing Reports

• Filtering Reports

• Exporting Reports

• Domain Reports

• Sample Report Filters

Viewing Reports

Groove Virtual Office clients report statistics for managed identities to the management server periodically (generally, hourly). Statistics are domain-wide or group-wide, depending on the selection in the navigation pane, and available for all managed users in your domain. Unmanaged users (those without managed Groove identities or managed licenses) do not report usage statistics to the management server.

Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server, Domain, or Report Administrator to view management domain reports.

To view Groove user reports, follow these steps:

1. Go to the management server administrative Web site and select a management domain or group from the navigation pane.

2. From the Report drop-down list on the Reports tab, select a report type.

See “Domain Reports” below for a description of each report type.

3. To customize the current report, use the Filter controls as described below in “Filtering Reports”.

4. To specify the number of list items to display per page, select a value in the Display drop-down menu (25 events per page is the default).

5. To sort on a specific field, click an underlined title in the column that you want to sort on. To reverse the sort order, click the title again.


6. Click the Display Report button to display the report. You can use the First, Previous, Next, and Last page controls to navigate within the report.

For information about exporting reports to a file, see “Exporting Reports” below.

Filtering Reports

You can use the Report Filtering controls at any time to refine your report. Filtering options vary, depending on what report and fields you are filtering.

To define one or more filters, use the Filter controls as described in the following table:

1. Select a report type from the Report drop-down list.

2. Click the Filter expansion arrow to display filtering options.

3. Specify filtering options in the Filter fields as necessary. See “Figure 1. Sample Filter Specification” below for a sample filter specification, and the “Report Filtering Options” table below for descriptions of filtering options.

4. Click the + (Apply) button to add an additional line to the filter specification.

5. Click the Edit Filter button to display a pop-up window where you can edit a filter specification.

6. Click the - (Delete) button next to any filter line to delete a line (once it has been added).

7. Click the Clear Filter button to clear the existing filter.

Figure 1. Sample Filter Specification

Report Filtering Options Descriptions

AND/OR drop-down list Available when at least one filter has been entered.

Select one of the following:

• AND to specify additive filters.

• OR to specify alternative filters.

Field Selector drop-down list

Lets you specify a field (column) in the report on which to filter (Type, Date, or Group for example).

Comparator drop-down list One of the following:

• Is (=)

• Begins With (followed by text field)

• Ends With (followed by text field)

• Contains (followed by text field)

• On (followed by date picker)

• Before (<= followed by date picker)

• After (>= followed by date picker)

• Between (begin date and end date)

• =, <, >, <=, >=

• Never (NULL)

Exporting Reports

You can export a displayed report to an .xml or a .csv file from the Server Reports tab.

To export a report, follow these steps:

1. Go to the management server administrative Web site and select a management domain from the navigation pane.

2. Click the Reports tab. The default report (the Audit Log) appears.

3. From the Reports page, click the Report pull-down menu, then select the type of report that you want to view, as described above in “Viewing Reports”.

4. Click the Display Report button. The report appears.

5. Click Export Report in the tool bar. An Export pop-up window appears.

6. Select CSV or XML as a target file type, then click OK. A File Save pop-up window appears.

7. Browse to a file location for exporting the current report, then click OK.

Domain Reports

The tables in the following sections describe the Groove management reports that you can select from the domain Reports tab:

• Audit Log - Displays audit logging information for all managed users in the domain.

• Member Usage - Displays Groove activities for managed users in the domain group.

• Tool Usage Report - Displays usage statistics for tools used by managed users in the domain group.

• Workspace Usage - Displays statistics on all workspaces used by managed users in the domain group.

• License Set Usage - Displays license usage information for all managed users in the domain group.

• Member Activity - Displays Groove usage information for managed users in the domain group.

Audit Log

The audit log report displays audit log events generated at the server, domain, or group level by administrators and affecting domains, groups, members, licenses, and relay servers. The following tables provide descriptions of audit log fields that appear in reports and those that you can use to filter reports:

• Audit Log Report Fields

• Audit Log Filtering Fields

Audit Log Report Fields

The following table describes the fields (columns) that appear in the audit log report:

Audit Log Report Fields Descriptions

Type Icon representing event type: group, member, policy, license, or relay server. Icons correspond to those in the left-side navigation pane of the management server administrative Web site.

Date Date and time that event occurred. The time value reflects the time zone of the management server.

Who Name of administrator associated with event.

Where Name of object associated with event: the group, member, policy, license, or relay server. Information only (not filterable).

Event Description of event (such as Added MemberA in CompanyDomain).

Audit Log Filtering Fields

The following table describes the fields that you can use to filter audit log reports:

Audit Log Filtering Fields Descriptions

Type Drop-down list of current audit log event types (including group, member, policy, license, or server). Lets you filter for audit log events of a specific type.

Associated comparator(s):

• Is

Date One or two date pickers, depending on the comparator. Lets you filter for audit log events that fall on, before, or after a specific date, or within a specific date range.

Associated comparator(s):

• On

• Before

• After

• Between


Who Text box for administrator login name. Lets you filter for specific audit log events associated with a specific administrator.

Associated comparator(s):

• Is

• Begins With

• Ends With

• Contains

Event Text box for audit log event. Lets you filter for specific audit log events (such as, Added member).

Associated comparator(s):

• Is

• Begins With

• Ends With

• Contains

Domain (available to Server Administrators only)

Drop-down list of domains defined on server. Lets you filter for a specified management domain. (Does not appear in report.)

Associated comparator(s):

• Is

Group Select Group button which displays Group Selector window where you select a group from the domain/group hierarchy. Lets you filter for audit log events associated with a specific group. (Does not appear in report.)

Associated comparator(s):

• Is

Member Text box for a management domain member. Lets you filter for audit log events associated with specific members. (Does not appear in report.)

Associated comparator(s):

• Is

• Begins With

• Ends With

• Contains

Directory Drop-down list of directories defined at the management server level. Lets you filter for audit log events for a selected directory. (Does not appear in report.)

Associated comparator(s):

• Is

Server Drop-down list of relay servers into the current domain group. Lets you filter for audit log events associated with a specific server. (Does not appear in report.)

Associated comparator(s):

• Is
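The following Python script is an added example, not part of the original guide or of the Groove product: it re-applies the audit log filter rules described above (field-specific comparators joined by AND/OR) to a report exported as CSV, so administrative changes such as relay server deletions can be reviewed offline. The CSV column names, timestamp format, case-insensitive matching, inclusive Before, and left-to-right AND/OR evaluation are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. The column names mirror the Audit Log report
# fields (Type, Date, Who, Where, Event); the real file layout is an assumption.
SAMPLE_CSV = """Type,Date,Who,Where,Event
member,2005-03-01 09:12:00,jsmith,CompanyDomain,Added MemberA in CompanyDomain
relay server,2005-03-02 17:45:10,admin2,relay01,Deleted server relay01
relay server,2005-03-02 17:50:31,admin2,relay02,Locked out server relay02
policy,2005-03-05 08:00:00,jsmith,Sales,Changed policy for Sales
license,2005-03-09 11:30:00,radmin,Sales,Assigned license set to Sales
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout in the export

TEXT_COMPARATORS = {
    "Is": lambda value, arg: value == arg,
    "Begins With": lambda value, arg: value.startswith(arg),
    "Ends With": lambda value, arg: value.endswith(arg),
    "Contains": lambda value, arg: arg in value,
}

# Date comparisons use the calendar day only, as a date picker would.
# After is inclusive (>=) as in the comparator list; Before is assumed inclusive too.
DATE_COMPARATORS = {
    "On": lambda day, bounds: day == bounds[0],
    "Before": lambda day, bounds: day <= bounds[0],
    "After": lambda day, bounds: day >= bounds[0],
    "Between": lambda day, bounds: bounds[0] <= day <= bounds[1],
}

# Comparators offered per field in the Audit Log Filtering Fields table.
# "Where" is information only, and Domain, Group, Member, Directory and Server
# do not appear in the report, so none of them can be filtered in an export.
ALLOWED = {
    "Type": {"Is"},
    "Date": set(DATE_COMPARATORS),
    "Who": set(TEXT_COMPARATORS),
    "Event": set(TEXT_COMPARATORS),
}


def load_export(text):
    """Parse exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def match_line(row, field, comparator, *args):
    """Evaluate one filter line against one audit log row."""
    if comparator not in ALLOWED.get(field, ()):
        raise ValueError(f"{comparator!r} is not available for field {field!r}")
    if field == "Date":
        needed = 2 if comparator == "Between" else 1
        if len(args) != needed:
            raise ValueError(f"{comparator} needs {needed} date(s)")
        day = datetime.strptime(row["Date"], DATE_FORMAT).date()
        bounds = [date.fromisoformat(arg) for arg in args]
        return DATE_COMPARATORS[comparator](day, bounds)
    if len(args) != 1:
        raise ValueError(f"{comparator} needs exactly one text value")
    # Case-insensitive matching is an assumption about the server's behaviour.
    value, wanted = row[field].strip().lower(), args[0].strip().lower()
    return TEXT_COMPARATORS[comparator](value, wanted)


def apply_filter(rows, spec):
    """Apply filter lines of the form (joiner, field, comparator, *args).

    The first line's joiner is ignored; later lines use "AND" or "OR" and are
    combined strictly left to right (an assumption about evaluation order).
    """
    selected = []
    for row in rows:
        result = None
        for joiner, field, comparator, *args in spec:
            hit = match_line(row, field, comparator, *args)
            if result is None:
                result = hit
            elif joiner == "AND":
                result = result and hit
            elif joiner == "OR":
                result = result or hit
            else:
                raise ValueError(f"unknown joiner {joiner!r}")
        if result is None or result:  # an empty filter keeps every row
            selected.append(row)
    return selected


def server_changes(rows, start, end):
    """Relay server events within a date range, e.g. deletions and lockouts."""
    spec = [(None, "Type", "Is", "relay server"),
            ("AND", "Date", "Between", start, end)]
    return [(r["Date"], r["Who"], r["Event"]) for r in apply_filter(rows, spec)]


if __name__ == "__main__":
    for entry in server_changes(load_export(SAMPLE_CSV), "2005-03-01", "2005-03-03"):
        print(entry)
```

Filters on Where, or on fields that do not appear in the report, raise ValueError instead of silently matching nothing, which keeps an offline review from reporting a false "no events found".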


Member Usage

The Member Usage report displays member information for the selected domain group, as summarized in the table below. Note that this report does not display information for pending or removed users (although usage history reflects the activity of subsequently removed users).

The following tables provide descriptions of member usage fields that appear in reports and those that you can use to filter reports:

• Member Usage Report Fields

• Member Usage Filtering Fields

Member Usage Report Fields

The following table describes the fields (columns) that appear in the management domain member usage report:

Member Usage Report Fields Definitions

Member Name Name of each managed domain member that used Groove during the report period.

Created Date that member’s managed Groove identity was created, regardless of the report period.

Device Count Number of devices (whether managed domain devices or not) associated with member’s managed identity.

Workspace Count Number of workspaces associated with member.

Workspaces Active Count Number of workspaces with which member has interacted during the specified report period.

Workspace Created Count Number of workspaces that member has created during the specified report period.

Workspace Joined Count Number of workspaces that member has joined (created or accepted an invitation) during the specified report period.

Workspace Deleted Count Number of workspaces that member has deleted during the specified report period.

Total Time Total cumulative number of minutes that user spent using Groove during the specified report period. Information only (not filterable).

Total Visits Total number of Groove sessions for member during the specified report period. Groove increments visits whenever a user opens a workspace. Information only (not filterable).

Avg Time/Visit Average length of a Groove session for member during the specified report period. The average is calculated by dividing the Time Spent value by the Total Visits value. Information only (not filterable).

Member Usage Filtering Fields

The following table describes the fields that you can use to filter member usage reports:

Member Usage Filtering Fields Descriptions

Member Name Text box for management domain member name.

Associated comparators:

• Is

• Begins With

• Ends With

• Contains

Created One or two date pickers, depending on the comparator. Lets you filter for domain members created on, before, or after a specific date, or within a specific date range.

Associated comparator(s):

• On

• Before

• After

• Between

Device Count Text box for number of devices (managed or unmanaged) associated with member’s managed identity. Lets you filter for members with a specific or comparative device count.

Associated comparator(s):

=, <, >, =<, =>

Workspace Count Text box for number of workspaces associated with member. Lets you filter for members with a specific or comparative workspace count.

Associated comparator(s):

=, <, >, =<, =>

Workspaces Active Count Text box for number of workspaces with which member has interacted during the specified report period. Lets you filter for members with a specific or comparative active workspace count.

Associated comparator(s):

=, <, >, =<, =>

Workspace Created Count Text box for number of workspaces that member has created during the specified report period. Lets you filter for members with a specific or comparative created workspace count.

Associated comparator(s):

=, <, >, =<, =>

Workspace Joined Count Text box for number of workspaces that member has joined (created or accepted an invitation) during the specified report period. Lets you filter for members with a specific or comparative joined workspace count.

Associated comparator(s):

=, <, >, =<, =>

Workspace Deleted Count Text box for number of workspaces that member has deleted during the specified report period. Lets you filter for members with a specific or comparative deleted workspace count.

Associated comparator(s):

=, <, >, =<, =>

Last Accessed One or two date pickers, depending on the comparator. Lets you filter for domain members that last used Groove on, before, or after a specific date, or within a specific date range. (Does not appear in the report.)

Associated comparator(s):

• On

• Before

• After

• Between

Tool Usage Report

The Tool Activity report displays Groove tool information for the selected domain group. The following tables provide descriptions of tool usage fields that appear in reports and those that you can use to filter reports:

• Tool Usage Report Fields

• Tool Usage Filtering Fields

Tool Usage Report Fields

The following table describes the fields (columns) that appear in the tool usage report:

Tool Usage Report Fields Definitions

Tool Name Name of each tool being used in Groove workspaces associated with domain members in the domain during the specified report period.

Tool Version Version of each tool being used by any domain member.

First Accessed Date that tool was first used by any domain member.

Last Accessed Date that tool was last used by any domain member.

Total Time Total cumulative number of minutes that members spent using each tool during the specified report period.

Total Visits Total number of times that users employed each tool during the specified report period. Groove increments visits whenever a member opens a workspace.

Average Time/Visit Average number of minutes that members spent with each tool per workspace session, during the specified report period.

Tool Usage Filtering Fields

The following table describes the fields that you can use to filter tool usage reports:

Tool Usage Filtering Fields

Descriptions

Tool Name Drop-down list of tools being used in Groove workspaces associated with domain members. Lets you filter for events associated with selected tools.

Associated comparators:

• Is

Tool Version Text box for version of each tool being used by any domain member. Lets you filter for events associated with specific versions of Groove tools.

Associated comparators:

=, <, >, <=, >=

First Accessed One or two date pickers, depending on the comparator. Lets you filter for tools that were first used on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Last Accessed One or two date pickers, depending on the comparator. Lets you filter for tools that were last used on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Total Time Text box for total cumulative number of minutes for which a tool has been used during the specified report period. Lets you filter for tools that have been used for a specific or comparative total number of minutes.

Associated comparators:

=, <, >, <=, >=

Total Visits Text box for total number of visits to a tool during the specified report period. Lets you filter for tools that users have accessed a specific or comparative number of times.

Associated comparators:

=, <, >, <=, >=

Average Time/Visit Text box for average time per visit for which a tool has been used during the specified report period. Lets you filter for tools that have been used by members for a specific or comparative average number of minutes per workspace session.

Associated comparators:

=, <, >, <=, >=

Workspace Usage

The Workspace Usage report displays Groove workspace information for the selected domain group. The following tables provide descriptions of workspace usage fields that appear in reports and those that you can use to filter reports:

• Workspace Usage Report Fields

• Workspace Usage Filtering Fields

Workspace Usage Report Fields

The following table describes the fields (columns) that appear in the workspace usage report:

Workspace Usage Report Fields Definitions

Workspace Name Name of each workspace created by a managed domain member in the domain during the specified report period. If a space is missing, a globally unique identifier (GUID) appears as the name. A workspace will not appear if the space was created in a pre-1.2 version of Groove.

Member Count Total number of managed and unmanaged Groove users in the workspace as of the most recent report date.

Managed User Count Total number of managed domain members active in the workspace over the report period.

Unmanaged User Count Total number of unmanaged Groove users active in the workspace over the report period.

Creator Name of member who created the workspace.

Date created Date when workspace was created.

Total Time Total cumulative number of minutes that all managed members in this domain spent in the workspace during the specified report period. For example, if two users were in a workspace for 1 minute, the total usage time that would appear in this field would be 2 (one minute by each user). Time spent in a workspace begins when a user opens a workspace and ends when a user goes to another space, goes to another Groove page (such as the Home page), or closes the Groove transceiver. A user’s ‘offline’ time while the space is open is included in the time spent in the space. Information only (not filterable).

Total Visits Total number of visits to the workspace by managed members during the specified report period. Groove increments visits whenever a user opens a workspace. Information only (not filterable).

Average Time/Visit Average number of minutes that members spent in the workspace, per visit, during the specified report period. The average is calculated by dividing the Time Spent value by the Total Visits value. Information only (not filterable).

Workspace Usage Filtering Fields

The following table describes the fields that you can use to filter workspace usage reports:

Workspace Usage Filtering Fields Descriptions

Workspace Name Text box for workspace name. Lets you filter for specific workspaces.

Associated comparators:

• Is

• Begins With

• Ends With

• Contains

Member Count Text box for number of domain members in a workspace. Lets you filter for workspaces with a specific or comparative number of members.

Associated comparators:

=, <, >, <=, >=

Managed User Count Text box for number of managed domain members active in a workspace. Lets you filter for workspaces with a specific or comparative number of active users.

Associated comparators:

=, <, >, <=, >=

Unmanaged User Count Text box for number of unmanaged Groove users active in a workspace. Lets you filter for workspaces with a specific or comparative number of unmanaged users.

Associated comparators:

=, <, >, <=, >=

Creator Text box for name of member who created the workspace. Lets you filter for workspaces created by a specific domain member.

Associated comparators:

• Is

• Begins With

• Ends With

• Contains

Workspace Usage Report Fields

Definitions


Date created One or two date pickers, depending on the comparator. Lets you filter for workspaces created on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Tool Count (link to Tool Activity) Text field that specifies the number of tools used in a workspace. Lets you filter for workspaces that contain a specific number of tools. (Does not appear in reports.)

Manager Count (link to Member Activity) Text field that specifies the number of Manager members of a workspace. Lets you filter for workspaces that contain a specific number of Manager members.

Last Accessed One or two date pickers, depending on the comparator. Lets you filter for workspaces last accessed on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

License Set Usage

The License Set Activity report displays Groove license information for the selected domain group. The following tables provide descriptions of license set usage fields that appear in reports and those that you can use to filter reports:

• License Set Usage Report Fields

• License Set Usage Filtering Fields

License Set Usage Report Fields

The following table describes the fields (columns) that appear in the license set usage report:

License Set Activity Report Fields

Definitions

License Set Name Name of each license set in management domain.

License Set Description License Set description if available. Information only (not filterable).

Managed Member Count Number of managed users assigned to this license set.


Date Last Updated Date of last update to license set, or Never if the set has never been updated.

Date Created Date that license set was created.

License Set Usage Filtering Fields

The following table describes the fields that you can use to filter license set usage reports:

License Set Usage Filtering Fields

Descriptions

License Set Name Drop-down list of license sets in management domain.

Associated comparators:

• Is

Managed Member Count Text field for number of managed users assigned to this license set. Lets you filter for licenses that are assigned to a specific or comparative number of domain members.

Associated comparators:

=, <, >, <=, >=

Date Last Updated Text field for date of last update to license set, or Never if the set has never been updated. Lets you filter for licenses that were last updated on a specific or comparative date.

Associated comparators:

=, <, >, <=, >=

Date Created Text field for date of license set creation, or Never if the set has never been updated. Lets you filter for license sets that were created on a specific or comparative date.

Associated comparators:

=, <, >, <=, >=

Member Activity

The Member Activity report displays Groove usage information for members in the selected domain group. The following tables provide descriptions of member activity fields that appear in reports and those that you can use to filter reports:

• Member Activity Report Fields

• Member Activity Filtering Fields

Member Activity Report Fields

The following table describes the fields (columns) that appear in the member activity report:

Member Activity Report Fields

Definitions

Member Name Name of each management domain group member, including managed users and unmanaged users with individual managed licenses.

Member Group Member’s domain group.

Email Address Member’s email address. Information only (not filterable).

Type Type of Groove user, managed or unmanaged, as follows:

• Managed - Has managed Groove identity (distributed by a management domain administrator), granting access to managed licenses.

• Unmanaged - Has individual managed license (distributed by a management domain administrator) but does not have a managed identity.

Status Member status, as follows:

• Active - Domain member has activated the managed Groove identity, sent to them by a domain administrator.

• Pending - Groove user has received a managed Groove identity but has not yet activated it.

• Disabled - Domain member identity has been disabled by an administrator.

• Deleted - Domain member identity has been deleted.

Device Count Number of managed devices associated with member’s managed identity.

License Set Name Name of license set provisioned to member.

Primary Relay Name of primary relay server provisioned to member.

vCard Current Yes or No, indicating whether member’s vCard is up-to-date on all computers associated with the domain member.

Created Date that member identity was created by administrator.

Date Activation Email Sent Date that member identity activation email was sent by administrator.

Activated Date that member activated a Groove identity.

Last Contacted Date that member last contacted management server.

Last Used Date that member last used Groove.

Last Backup Date of last member account backup, as follows:

• On [date]

• Before [date]

• After [date]

• Between [date] and [date]

• Never

Member Activity Filtering Fields

The following table describes the fields that you can use to filter member activity reports:

Member Activity Filtering Fields

Descriptions

Member Name Text box of management domain member name (whether managed, or unmanaged with managed license). Lets you filter for specific domain members.

Associated comparators:

• Is

• Begins With

• Ends With

• Contains

Member Group Select Group button which displays Group Selector window where you select a group from the domain/group hierarchy. Lets you filter for managed users who are members of specific domain groups.

Associated comparator(s):

• Is

Type Drop-down list of values for type of Groove user: Managed or Unmanaged (with managed license). Lets you filter for managed or unmanaged Groove users associated with the domain.

Associated comparator(s):

• Is

Status Drop-down list of member status types:

• Active - Domain member has activated the managed Groove identity, sent to them by a domain administrator.

• Pending - Groove user has received a managed Groove identity but has not yet activated it.

• Disabled - Domain member identity has been disabled by an administrator.

• Deleted - Domain member identity has been deleted.

Associated comparators:

• Is


Device Count Text box for number of managed devices associated with member’s managed identity. Lets you filter for members with a specific or comparative number of devices associated with a managed identity.

Associated comparators:

=, <, >, <=, >=

License Set Name Displays drop-down list of license sets in management domain. Lets you filter for members that are provisioned with a specific license set.

Associated comparators:

• Is

Primary Relay Drop-down list of servers in management domain. Lets you filter for members that are provisioned with a specific primary relay server.

Associated comparators:

• Is

vCard Current Drop-down list of values (Yes or No) indicating whether member’s vCard is up-to-date on all computers associated with the managed identity. Lets you filter for members whose vCard is not up-to-date on all the member’s associated devices.

Associated comparators:

• Is

Created One or two date pickers, depending on the comparator. Lets you filter for members whose managed identity was created on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Date Activation Email Sent One or two date pickers, depending on the comparator. Lets you filter for members whose managed identity activation email was sent on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between


Activated One or two date pickers, depending on the comparator. Lets you filter for members whose managed identity was activated on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Last Contacted One or two date pickers, depending on the comparator. Lets you filter for members who last contacted the management server on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Last Used One or two date pickers, depending on the comparator. Lets you filter for members who last used Groove on, before, or after a specific date, or within a date range.

Associated comparator(s):

• On

• Before

• After

• Between

Last Backup One or two date pickers, depending on the comparator. Lets you filter for members whose account was last backed up on, before, or after a specific date, or within a date range, or never.

Associated comparators:

• On

• Before

• After

• Between

• Never

Sample Report Filters

The following sections provide examples of some typical report filters:

• Show Audit Events for a User During Past Week

• Show Audit Log Events for Administrator in Date Range

• Show Most-Used Tools

• Show Members Whose Account Has Never Been Backed Up

• Show Members Who Used Groove Since the Last Backup Date

• Show Members with Managed Account on Multiple Devices

• Show Members with Accounts on Unmanaged Device

Show Audit Events for a User During Past Week

To see the audit log events for a specific user during the past week, you can filter the Audit Log report as shown below (the results from this report can provide useful baseline information for troubleshooting user problems):

Show Audit Log Events for Administrator in Date Range

To see license-based events within a specific date range and associated with a specific administrator, you can filter the Audit Log report as shown below:

Show Most-Used Tools

To see Groove tools that are most used by members of the current domain group, you can filter the Tools Usage report as shown below:


Show Members Whose Account Has Never Been Backed Up

To see all members of the current domain group whose managed Groove accounts have never been backed up, you can filter the Member Activity report as shown below:

Show Members Who Used Groove Since the Last Backup Date

To see all members of the current domain group that have used Groove Virtual Office since the last backup date, filter the Member Activity report as shown below (given a last backup date of March 10, 2005).

Show Members with Managed Account on Multiple Devices

To see all members that have a managed Groove account on multiple devices, you can filter the Member Activities Report as shown below:

Show Members with Accounts on Unmanaged Device

To see all members that have a managed Groove account on an unmanaged device, you can filter the Member Activities Report as shown below:
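The following Python sketch is an added example, not code from the guide or from Groove Networks. It models the Member Activity filtering fields with the comparators this guide associates with each one and applies three of the sample filters to constructed rows; the row data, the function names, the filter conditions chosen for each sample report, case-insensitive text matching, inclusive Between, and combining filters with AND are all assumptions of the example.

```python
import operator
from datetime import date

# Comparators as named in this guide, grouped by field kind.
# Assumptions of this example: text matching ignores case, Between is
# inclusive, and a date field that holds no date (None) only matches Never.
TEXT_OPS = {
    "Is": lambda value, arg: value.casefold() == arg.casefold(),
    "Begins With": lambda value, arg: value.casefold().startswith(arg.casefold()),
    "Ends With": lambda value, arg: value.casefold().endswith(arg.casefold()),
    "Contains": lambda value, arg: arg.casefold() in value.casefold(),
}
NUMBER_OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
              "<=": operator.le, ">=": operator.ge}
DATE_OPS = {
    "On": lambda value, day: value is not None and value == day,
    "Before": lambda value, day: value is not None and value < day,
    "After": lambda value, day: value is not None and value > day,
    "Between": lambda value, first, last: value is not None and first <= value <= last,
    "Never": lambda value: value is None,
}
OPS = {"text": TEXT_OPS, "number": NUMBER_OPS, "date": DATE_OPS}

# Field -> (kind, comparators the guide associates with that field).
FIELDS = {
    "Member Name": ("text", {"Is", "Begins With", "Ends With", "Contains"}),
    "Type": ("text", {"Is"}),
    "Status": ("text", {"Is"}),
    "Device Count": ("number", {"=", "<", ">", "<=", ">="}),
    "Last Used": ("date", {"On", "Before", "After", "Between"}),
    "Last Backup": ("date", {"On", "Before", "After", "Between", "Never"}),
}


def matches(row, field, comparator, *args):
    """Evaluate one filter line; reject comparators the field does not offer."""
    kind, allowed = FIELDS[field]
    if comparator not in allowed:
        raise ValueError(f"{comparator!r} is not a comparator for {field!r}")
    return OPS[kind][comparator](row[field], *args)


def run_report(rows, *filters):
    """Return the names of members that satisfy every filter (AND)."""
    return [row["Member Name"] for row in rows
            if all(matches(row, *f) for f in filters)]


# Constructed sample rows; these are not real report output.
EXAMPLE_BACKUP_DAY = date(2005, 3, 10)
MEMBERS = [
    {"Member Name": "Alice Example", "Type": "Managed", "Status": "Active",
     "Device Count": 2, "Last Used": date(2005, 3, 14),
     "Last Backup": date(2005, 3, 10)},
    {"Member Name": "Bob Example", "Type": "Managed", "Status": "Active",
     "Device Count": 1, "Last Used": date(2005, 3, 9),
     "Last Backup": date(2005, 3, 10)},
    {"Member Name": "Carol Example", "Type": "Managed", "Status": "Pending",
     "Device Count": 0, "Last Used": None, "Last Backup": None},
    {"Member Name": "Dave Sample", "Type": "Unmanaged", "Status": "Active",
     "Device Count": 0, "Last Used": date(2005, 3, 12), "Last Backup": None},
    {"Member Name": "Erin Example", "Type": "Managed", "Status": "Active",
     "Device Count": 3, "Last Used": date(2005, 3, 1),
     "Last Backup": date(2005, 2, 20)},
]


def never_backed_up(rows):
    # "Show Members Whose Account Has Never Been Backed Up"
    return run_report(rows, ("Last Backup", "Never"))


def used_since_backup(rows, backup_day):
    # "Show Members Who Used Groove Since the Last Backup Date"
    return run_report(rows, ("Last Used", "After", backup_day))


def multiple_devices(rows):
    # "Show Members with Managed Account on Multiple Devices"
    return run_report(rows, ("Type", "Is", "Managed"), ("Device Count", ">", 1))


if __name__ == "__main__":
    print("Never backed up:", never_backed_up(MEMBERS))
    print("Used since backup:", used_since_backup(MEMBERS, EXAMPLE_BACKUP_DAY))
    print("Multiple devices:", multiple_devices(MEMBERS))
```

Members that appear in the second list have activity that the last backup does not cover, which makes that list the natural input for deciding whose accounts to back up next.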


Troubleshooting

This section describes how to resolve problems you may encounter while managing your domain. Problem descriptions are grouped into the following categories:

• Domain Administration Problems

• Groove User Problems

• Data Recovery Problems

For help with server-related problems, contact the server administrator or refer to the Troubleshooting section of the Groove Management Server Administrator’s Guide.

Domain Administration Problems

The following section suggests solutions to management domain-based problems that may arise.

Problem

A device does not appear as ‘Managed’ on a Member Information page.

Solution

Apply a registry key to the device, as described in “Registering User Devices with the Management Server” in the Managing Device Policies section of this guide. This makes the device a part of your domain and makes it subject to the download or install policy that you set for that domain. Once you have applied the registry setting to devices to add them to your domain, Groove automatically applies the domain’s device policies to that device.

Problem

User installation of a domain activation key fails, displaying the message ‘Activation server cannot be reached’.

Solution

The client (user’s device) cannot communicate with the server to download the license(s) associated with the activation key. Check the Activation Server name sent to the user (the management server name) to make sure that it is correct.


Problem

An error message, “this identity cannot run on this device”, appears on Groove clients when attempting to activate or use their managed identity.

Solution

You may have set the identity policy, Identity may only be used on a managed device, but the managed user is running Groove on an unmanaged device. To correct the problem, make sure to uncheck the policy to disable it, or make the user’s device managed. See “Member Policies” in the Managing Identity Policies section of this guide for information about setting this policy.

Problem

The text color for a certified member does not appear for a managed domain member in Groove contact lists.

Solution

Make sure that you used only valid characters when entering the domain member’s contact information. Edit the information, if necessary.

Problem

A user’s device policies changed unexpectedly. For example, component installation restrictions intended for that user no longer have the desired effect.

Solution

This condition could result because the user shares a managed device with another managed user for whom an administrator changed the device policy template assignment. When multiple Groove users share a managed device, any device template change for one managed user affects all other users of the device. Therefore, the latest device policy change for one user overrides any previous device policy settings for any other user of the same device.

Verify whether the user in question shares a managed Groove device with another user. You can check this information by going to the management server’s Domain Reports tab and displaying the Device Policy Template Usage report. Either remove one of the members from the device and activate their managed Groove identity on another device, or define a device policy template that is satisfactory and can be assigned to all users of the device.

See “Viewing Reports” in the Viewing Groove Domain Reports section of this guide for information about displaying reports.

See the “Managing Groove Users” section of this guide for detailed information about adding and removing domain members.


Problem

Trying to delete a license set fails.

Solution

Provisioned license sets cannot be deleted. Unprovision all the users from the license set.

Groove User Problems

The following section suggests solutions to problems that managed Groove users may encounter.

Problem

A user’s managed identity is accidentally deleted from the client device.

Solution

Remove the user from the management domain group, as described in “Deleting Domain Members” in the Managing Users section of this guide. Create a new domain user and distribute the activation key associated with the new user information to the user. Once the user applies the activation key to the Groove Virtual Office application and becomes a new domain member, the new user identity must be re-invited to the Groove spaces to which the original identity belonged.

Note: Removing a user from a domain removes all their data and you will need to use the Data Recovery tool if you need to retrieve it. The Data Recovery tool must be enabled and set up before the removal occurs in order to retrieve the data.

See “Adding Groove Users to a Domain Group” in the Managing Users section of this guide for information about creating new users and distributing activation keys.

Problem

A user tries to install a domain activation key into a second account and does not gain domain membership in that second account.

Solution

Inform the user that a domain activation key cannot be installed more than once.

Problem

Groove shows an unexpectedly large amount of outgoing data in the communications reporting fields and changes to certain domain settings are not apparent when expected. In some cases, Groove slows down dramatically or does not respond.

Solution

This may be the result of changing any of the following domain settings:

• Domain friendly (display) name

• Domain affiliation

• Group name (if the domain affiliation is set to display groups)

• Relay server assignments to the domain

Domain-wide changes apply to all members of a Groove management domain and to their Groove workspace contacts. To manage network traffic, the management server distributes these changes to Groove clients over time. Therefore, these changes may not take effect immediately. Depending on the number of Groove clients affected, the change can take up to 4 days (for 5,000 or more users).

Communicate this information to managed Groove users beforehand. Advise them NOT to shut down Groove as the condition will re-occur when they restart, further delaying the updates.

Problem

A management domain member does not appear in the domain contacts lists of fellow management domain members.

Solution

Any management domain member that has not contacted the management server for 31 days is removed from the Groove contacts list (that appears when a Groove user uses the ‘More’ window to find a member). The removed member must restart Groove (thus contacting the management server) in order to be reinstated in the domain contact list.

Data Recovery Problems

The following section suggests solutions to data recovery problems that may arise.

Problem

Your login credential reset attempt failed because the submitted data recovery key does not correspond to the data recovery public key that was used to encrypt the user’s data; the matching key is needed to recover the database.

Solution

The managed device where you are trying to recover a user’s Groove data may have been managed by another domain that did not have the reset policy enabled. Or, you may have enabled the reset policy after the password or smart card login was lost. If either of these conditions is true, you cannot reset the login credentials on this device as the policy must be set on the device before the password is lost. See “Resetting Groove Login Credentials for Managed Devices” in the Managing Device Policies section of this guide for information about data recovery and resetting managed Groove user passwords or smart card logins.

Problem

Your password reset attempt failed because the database does not support either full or partial data recovery by administrators.

Solution

Your device policy does not allow administrators to reset a Groove user’s password or recover data under any conditions. You cannot recover the current data using the data recovery tool. To allow administrators to access user data in the future, be sure to import a data recovery key and tool, set the device policy to support this capability, and advise your managed users to accept the policy by opening the managed account on their devices. For instructions on recovering data, see “Setting Up Data Recovery on Managed Devices” in the Managing Device Policies section of this guide.


Appendix A. Groove Component Versions

The following table provides component information for currently supported Groove versions, including the platform required to support each component. You will need similar information for any additional tool component (separate from a platform upgrade) that you may specifically want to allow or prohibit.

Groove Component Packages Version Number

Groove Networks Digital Fingerprint: 4262 DCB1 4552 D303 123D 36A6 0A96 62E5 24A7 D7DB

Groove Workspace version 2.0a Components

net.groove.Groove.Core 2.0.1

net.groove.Groove.Upgrade 2.0.1

Groove Workspace version 2.1 Components

net.groove.Groove.Core 2.1.0

net.groove.Groove.Upgrade 2.1.0

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.5

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.1

Groove Workspace version 2.1b Components

net.groove.Groove.Core 2.1.2

net.groove.Groove.Upgrade 2.1.2

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.5.1

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.1.1

Groove Workspace version 2.1c Components

net.groove.Groove.Core 2.1.3

net.groove.Groove.Upgrade 2.1.3

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.5.1

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.1.1

Groove Workspace version 2.1d Components

net.groove.Groove.Core 2.1.4

net.groove.Groove.Upgrade 2.1.4

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.5.1

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.1.1

Groove Workspace version 2.5 Components

net.groove.Groove.Core 2.5

net.groove.Groove.Upgrade 2.5

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2

Groove Workspace version 2.5d Components

net.groove.Groove.Core 2.5.4

net.groove.Groove.Upgrade 2.5.4

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2.0

Groove Workspace version 2.5e Components

net.groove.Groove.Core 2.5.5

net.groove.Groove.Upgrade 2.5.5

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2.0

Groove Workspace version 2.5g Components

net.groove.Groove.Core 2.5.7

net.groove.Groove.Upgrade 2.5.7

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2.0

Groove Workspace version 2.5i Components

net.groove.Groove.Core 2.5.9

net.groove.Groove.Upgrade 2.5.9

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2.0

*Currently Groove Networks tools are Groove Workspace version-specific. No additional tools are currently available from Groove Networks.

Groove Workspace version 2.5j Components

net.groove.Groove.Core 2.5.10

net.groove.Groove.Upgrade 2.5.10

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.6.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.2.0

Groove Workspace version 3.0 Components

net.groove.Groove.noprompt.Core 3.0.1

net.groove.Groove.noprompt.Upgrade 3.0.1

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.0

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.3.0

Groove Workspace version 3.0a Components

net.groove.Groove.noprompt.Core 3.0.2

net.groove.Groove.noprompt.Upgrade 3.0.2

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.2

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.2

Groove Workspace version 3.0b Components

net.groove.Groove.noprompt.Core 3.0.3

net.groove.Groove.noprompt.Upgrade 3.0.3

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.3

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.3

Groove Workspace version 3.0c Components

net.groove.Groove.noprompt.Core 3.0.4

net.groove.Groove.noprompt.Upgrade 3.0.4

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.4

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.4

Groove Workspace version 3.0d Components

net.groove.Groove.noprompt.Core 3.0.5

net.groove.Groove.noprompt.Upgrade 3.0.5

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.5

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.5

net.groove.Groove.noexclusive.Core 3.0.5

Groove Workspace version 3.0e Components

net.groove.Groove.noprompt.Core 3.0.6

net.groove.Groove.noprompt.Upgrade 3.0.6

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.6

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.6

net.groove.Groove.noexclusive.Core 3.0.6

Groove Workspace version 3.0f Components

net.groove.Groove.noprompt.Core 3.0.7

net.groove.Groove.noprompt.Upgrade 3.0.7

net.groove.Groove.SystemComponents.GrooveSystemInstaller_EXE 0.7.7

net.groove.Groove.SystemComponents.GrooveInstallerService_EXE 1.4.7

net.groove.Groove.noexclusive.Core 3.0.7

Groove Workspace version 3.1 Components

net.groove.Groove.SystemComponents.Installers 1.4.0

net.groove.Groove.noprompt.Core 3.1.0

Appendix B. Management Server Keys and Certificates

All management server encryption and authentication key information is stored on the management server’s associated SQL database. The management server accesses this information to generate key and certificate files whenever an administrator requests one - for example, to register a relay server with a management server or to establish cross-domain certification - during the administration of a management server or domain.

The following table lists and describes the key and certificate files used at various points as part of administering Groove from a management server.

Key File: ManagementServer.reg
Description and Contents: Management server public key file that includes the management server’s certificate (containing its public key and identifying information). This file is generated on demand by the server administrator. This file is used to register relay servers with the management server.
Location: Directory defined by server administrator

Key File: domainname.cer
Description and Contents: Domain certificate file, generated upon domain creation by a server administrator. Domain administrators exchange these files in order to set up cross-domain certification in Groove PKI domains.
Location: Directory on administrative machine

Key File: RelayID.xml
Description and Contents: Relay server ID file that contains two certificates: a SOAP certificate which is used by the management server to authenticate the relay server, and an SSTP certificate which is used by Groove clients provisioned to this relay server. This file is generated during relay server installation.
Location: SQL management server database

Key File: Device registry key file (.reg)
Description and Contents: Device registry file that contains management server registry settings that are added to the Windows registry of each client device in a domain or group. This file is generated upon demand by a domain administrator via a button accessible from any device policy page.
Location: Windows registry of each managed device

Key File: DataRecoveryPublicKey.cer
Description and Contents: The data recovery public key file (certificate) that contains the generated public key that Groove uses to encrypt a Groove user’s data. This file is generated during domain creation, using the Change Key in the Domain Properties window, or via the Data Recovery Tool. Data that is encrypted by a public key can be unlocked only by the corresponding private key.
Location: Directory location on management server. Sent down to managed devices in device policy.

Key File: DataRecoveryPrivateKey.xml
Description and Contents: The data recovery private key file that contains the generated private key. A domain administrator uses this key to decrypt a Groove user’s data that is protected by a corresponding data recovery public key. This file is generated during domain creation, using the Change Key in the Domain Properties window, or via the Data Recovery Tool.
Location: Directory location on management server or defined by domain administrator

Glossary

This document defines the main administrative terms used in describing Groove Management Services.

Account: See User Account.

Activation key: A key that allows users to activate Groove with a managed identity.

Authentication: Term used in security contexts, such as PKI, to mean proof of a person’s (or data’s) identity. Authentication usually involves an objective party, such as an administrator, confirming the identity of a computer user (or data), by comparing user-submitted information with filed information, for example. Authentication generally takes place between people. Groove supports the following types of identity authentication: digital fingerprint for unmanaged users, and Groove PKI or Enterprise PKI for managed users.

Certificate: Term used in security contexts, such as PKI, to mean a data structure that contains a public key and identifying information for a domain, device or identity. The public key is digitally signed with the private key of the CA which issued it.

Certification Authority (CA): Term used in security contexts, such as PKI, to mean an entity which creates and assigns certificates. In a managed Groove environment, the management server can be the certification authority.

Certification: Term used in security contexts, such as PKI, to mean the deployment and assignment of public keys by a certification authority (CA) to a domain, device, or identity. In a managed Groove environment, the management server can be the certification authority.

Component: A feature or tool created by Groove Networks or a third party for use in the Groove virtual office application.

Contact Properties: Groove user identity contact information (such as contained in a vCard).

Default identity: The user identity assumed for all subsequent workspaces (those created after the default is set). When a user installs the product activation key (sent to them by their domain administrator) into Groove, that identity becomes the default identity for workspaces that the user creates from then on. Users can change their default identity at any time by setting another identity as the default.

Device: A device is a client (user) computer that is running Groove. Devices are automatically associated with users during the initial Groove installation. Administrators can manage these devices by applying a registry setting (a pointer to a management domain) to the devices. This makes the devices part of a management domain. Once devices are registered with a management domain, administrators can apply device policies, for example, to control password creation or regulate Groove component downloads on these devices.

Device policy template: In the context of Groove management servers, a collection of device usage and security policies, assigned to a management domain group or member.

Digital fingerprint: Also called digital thumbprint. An identifier (usually a certificate’s hash) associated with a certificate. Typically, fingerprints are used for out-of-band authentication. In Groove, fingerprints are used to authenticate Groove users, Groove relay servers, and Groove component publishers.

Digital Thumbprint: Another term (used in the Windows Certificate Viewer) for Digital fingerprint.

DMZ: In the context of computer networks, a DMZ (demilitarized zone) is an area on a corporate network that houses corporate servers that require limited access to external communications. A combination of firewalls, proxy devices, and other related equipment determine the extent of external network access.

Domain: See Management Domain.

Domain member: A managed Groove user - one who has installed the identity activation key sent by the Groove administrator. Domain members are subject to the domain administrator’s management, gaining access to Groove licenses, usage and security policies, and specified relay servers.

Enterprise Management Server (EMS): A Groove Networks Web application that provides comprehensive services for deploying and managing Groove use in an enterprise. The application resides on an IIS server installed on a corporate network and is supported by a SQL server. With an onsite management server, server administrators can install, configure, and monitor the server, as well as manage Groove users and devices, distribute product licenses, set device and user policies, deploy managed relay servers, and monitor Groove usage.

Enterprise PKI: An organization’s enterprise-wide implementation of the Public Key Infrastructure (PKI) that typically allows users to employ their enterprise-issued certificates in multiple PKI-enabled applications. Groove users can employ these enterprise-issued certificates for smart card login or, in a managed environment, with Enterprise PKI identity authentication. Groove management servers support Enterprise PKI as an alternative to Groove PKI identity authentication.

Enterprise Relay Server (ERS): A Groove Networks server-based application that facilitates data transmission among Groove users. This server, installed at a company site, provides various services that support Groove software, including message handling for offline devices, device presence detection, firewall transparency, and bandwidth optimization.

Fingerprint: See Digital fingerprint.

Groove Hosted Management Services: Groove management services hosted by servers at Groove Networks. These services allow administrators to manage Groove users and devices, distribute Groove product licenses, set policies to ensure the security of its resources, deploy any onsite relay servers, and monitor Groove usage.

Groove Hosted Relay Services: Groove relay services hosted by servers at Groove Networks. These services allow administrators to manage the distribution of relay services to Groove users.

Groove PKI: Groove’s implementation of the Public Key Infrastructure (PKI) used solely for authenticating Groove identities. With this implementation, an EMS domain functions as a Certificate Authority (CA) to all its users.

Groove space: See Workspace below.

Group: In a management server context, a sub-category of a domain.

GUID: A Globally Unique Identifier that identifies an object.

Identity: See User Identity.

Identity authentication: See Authentication.

Identity policy template: In the context of Groove management servers, a collection of Groove user policies assigned to a management domain group or member.

IIS: Microsoft Internet Information Services, installed on a Windows Server machine.

Key (security): A cryptographic sequence of symbols that controls the operations of encrypting and decrypting.

License: In the context of this guide, the formal permission to access a specific Groove tool set, tool, or tool component. Licenses are purchased by a company for a management domain as part of Groove product packages.

License set: In the context of Groove management servers, a collection of Groove licenses assigned to a management domain group or member.

Managed device: An end-user PC that is registered with a Groove management server domain and subject to device policies (governing password creation and Groove component downloads, for example) defined for that domain. A device becomes managed when its Windows registry has been updated with a management server key and Groove starts up on that device.

Managed identity: A Groove user identity defined for a Groove management server domain and distributed to end-users in an activation key.

Management domain: A management domain (in the context of this guide) is a management unit defined on a Groove management server. Each management domain contains a collection of domain member groups, identity policy templates, device policy templates, license sets and relay server sets.

Management server: A Groove Enterprise Management Server or Groove Hosted Management Services.

Member: See Domain Member.

Policy: A rule applied to all managed identities in a domain or group, or to all managed devices associated with a managed user. Preventing publication of managed identity contact information is an example of an identity policy. Restricting downloads of Groove components on managed devices is an example of a device policy.

Private key: One half of a key pair, kept private by the owner and used in conjunction with a matched public key. This strictly private key is used to decrypt messages that have been encrypted by a public key. A private key may be stored in an .xml file.

Public key: One half of a key pair, used to verify signatures created with a matched private key and to encrypt messages which can only be decrypted using the matched private key. This publicly-listed key is associated with a user, device, or server and is available to other users, devices, or servers for sending encrypted messages to the public key owner. The public key owner then uses a private key to decrypt the message. A public key is usually stored in a certificate (.cer) file along with other identifying information.

Public Key Infrastructure (PKI): The set of hardware, software, people, policies and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography.

Public relay server: Groove Networks-hosted relay server employed when managed onsite Enterprise Relay Servers or Groove Hosted Relay Services are not in use.

Relay server: See Enterprise Relay Server, Groove Hosted Relay Services, or Public relay server.

Relay server set: In the context of Groove management servers, a collection of registered relay servers assigned to a management domain group or member.

Registry file: A .reg file that contains information to be applied to the Windows Registry. In the context of Groove Enterprise Management Services, the registry file contains settings to allow devices to join a domain, placing them under domain management. Once an administrator applies the registry settings in this file to a device, that device becomes subject to the component installation and other policies that the domain administrator sets for devices in the domain.

Seat: A purchased place-holder for a user of a specific product license. Each product license package in a domain has a maximum number of seats associated with it. The seats are purchased by an enterprise and specified in the purchase agreement. Domain administrators populate these seats by adding users to their domain and by sending individual products to specific Groove users.

Smart card: Hardware token containing user credentials. Groove and Groove management servers accept smart cards in lieu of Groove passwords for login to user accounts. Smart cards can also be used with the management server’s Enterprise PKI identity authentication option, which allows users to authenticate one another using smart card credentials added to their Groove contact properties.

SQL server: The Microsoft Standard Query Language (SQL) database application, installed on a Windows Server machine.

Tool: A Groove program or application that workspace members use to interact. Each member of a workspace has access to the same tools (such as chat, calendar, and sketchpad tools) and can use them to affect workspace data.

Trust: A term used in Public Key Infrastructure (PKI) contexts to mean an understanding between two entities that allows them to perform certain predetermined tasks. For example, a Groove user in one domain may trust another user in the same domain to access and review reports in a workspace. This differs from authentication, which specifically involves identifying who someone is, not what they are allowed to do. Trust, therefore, may depend on (but is not equivalent to) authentication. Trust also differs from certification, which is official and objective, involving a third-party (the CA, and usually an administrator), while trust is personal and subjective, normally involving two people and not requiring a third-party.

User: A Groove user. From the perspective of a Groove administrator, a user is a domain member - one with a managed identity defined by the Groove administrator for a specific management domain, or a non-member - a Groove user without a managed identity for a domain.

User account: A file, stored on a user’s computer, that maintains usage data, including information about the user’s identities, secret encryption keys, devices (computers) on which the user runs Groove, workspaces, and contacts.

User identity: A persona in Groove. Groove users create an initial default identity when they install Groove. A user can have one or more identities in a single account and selects one to be the default.

vCard: A virtual business card that contains contact information for each domain member identity.

Workspace: A user-created space, accessible via the Groove transceiver, that enables collaboration among small groups of users.

End User License Agreement

END USER LICENSE AGREEMENT (for Groove Server Software)

Thank you for licensing Groove software. Please read this End User License Agreement ("EULA") carefully and be sure you understand it. This EULA is a legal agreement between you (either an individual or a single entity) and Groove Networks, Inc., a Delaware corporation ("Groove Networks"). You must review and either accept or reject the terms of this EULA before installing or using the Software. Clicking the "I ACCEPT" button below is just like signing a contract written on paper. By clicking the "I ACCEPT" button or installing or using the software, you acknowledge that you have read all of the terms and conditions of this EULA, understand them, and agree to be legally bound by them.

If you or your employer has entered into a separate agreement with Groove Networks permitting you to use the Software, that agreement, rather than this EULA, will govern your use of the Software. If the Software you are installing is beta or other pre-release Software, however, the terms of this EULA will apply. Third party software of which Groove Networks is an authorized reseller may be accompanied by a separate license agreement, in which case that agreement, rather than this EULA, governs your use of the third party software.

If you are installing evaluation use or beta Software, please note that special terms and conditions apply, as described below in Sections 4 and 5.

1. DEFINITIONS. The following capitalized terms used in this EULA have the meanings indicated:

(a) "Client Access License" or "CAL" means the licensed right to permit one End User to use third party software or services to access or use the Software's functionality on the terms and conditions specified in this EULA.

(b) "Delivery Date" means (i) in the case of Software that utilizes an activation key, the date on which Groove Networks sends or otherwise makes available to you the activation key(s) for the Software or a method for creating them; and (ii) in the case of Software that does not utilize an activation key, the date on which Groove Networks sends you a CD, diskette, or a digital file containing the Software.

(c) "Documentation" means any online help text and/or manuals provided with the Software.

(d) "End User" means a human being using a computer or other digital device.

(e) "Server" means a computer server owned, leased or otherwise controlled by you, or operated on your behalf, on which a licensed copy of the Software is installed. If you utilize virtual server technology or any similar technology that enables a single hardware unit to function as multiple computer servers, each virtual server operating on a single hardware unit will be deemed a single "computer server" for purposes of this definition.

(f) "Service Access License" or "SAL" means the licensed right to permit one Account to access the services or functionality of one or more specified Server(s) on the terms and conditions specified in this Agreement.

(g) "Services" means software maintenance, support services (including deployment support services), and any other services Groove Networks may provide you in connection with your use of the Software.

(h) "Software" means the Groove Networks server-based software product licensed by you pursuant to this EULA, and (A) any other software applications or components that subsequently may be provided by Groove Networks for use with it, and (B) any Updates to or Upgrades of any of the foregoing.

(i) "Updates" means bug fixes, patches, or other revisions to or modifications of Software that Groove Networks provides to you, including those it makes generally available to customers that subscribe to its software maintenance services. An Update typically is identified by a change in a number and/or letter to the right of the first decimal point in a product's version number. Updates do not include Upgrades.

(j) "Upgrade" means a major release of Software, as determined by Groove Networks in its sole discretion. An Upgrade typically is identified by a new product name or a new number to the left of the first decimal point in the version number of an existing product name.

(k) "Web Site" means Groove Networks' web site located at http://www.groove.net.

2. OWNERSHIP. The Software is licensed, not sold. All Software (including any changes you may request or suggest) is the property of Groove Networks and/or its licensors. Title to each copy of the Software and all related intellectual property rights embodied in or represented by the Software will remain with Groove Networks and/or its licensors at all times, as will all other rights not explicitly granted to you under this EULA.

3. LICENSE GRANT. Groove Networks grants you the following perpetual, nonexclusive, worldwide, limited license rights to use the Software solely in object code form, provided you comply with all the terms and conditions of this EULA:

(a) You may install and use the Software on one (1) Server that contains no more than two (2) central processing units. If you utilize virtual server technology or any similar technology that enables a single hardware unit to function as multiple servers, you must license one (1) copy of the Software for each virtual server that utilizes the Software. If you have licensed the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege and have not paid a separate license fee permitting you to use the Groove Enterprise Data Bridge Server Software independent of the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege, you may use the Groove Enterprise Data Bridge Server Software solely to support your use of the Groove Enterprise Backup Service or the Groove Enterprise Data Bridge for CASAHL ecKnowlege. If the Software you are installing is evaluation use Software or beta Software, your rights are limited as described below in Section 4 or 5. You may make one (1) copy of the Software solely for backup or archival purposes, one (1) copy solely for disaster recovery purposes, and one (1) copy solely for use for internal development purposes.

(b) Each Account to which all required SALs have been allocated may access the services or functionality of the Server(s) covered by the SAL(s). Each End User who has been allocated all required CAL(s) corresponding to the type and major version number of the Server Software covered by the CAL(s) may access and use the functionality of such Server software via a third party software program or service. Each End User who accesses the services or functionality of Groove Networks' Enterprise Data Bridge Server Software via another server or service that directly or indirectly identifies or differentiates End Users, or that tracks or maintains session context for distinct End Users, must be allocated a CAL. Each time you acquire an Upgrade of any Server Software, you must upgrade all CALs and SALs associated with the Server Software, so that each CAL and SAL version matches the major version number of the Server Software product(s) to which the CALs and SALs relate.

(c) U.S. Government End Users. The Software is a "commercial item" as defined at 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation." Notwithstanding anything to the contrary in this EULA, the U.S. Government sometimes makes certain minimum rights of use, reproduction, and disclosure a condition of its purchase or acquisition of commercial software. Accordingly:

(i) GSA Supply Schedule Acquisitions. For government purchases or acquisitions through a GSA Supply Schedule contract, use, reproduction, and disclosure of the Software are subject to restrictions set forth (in March 2002) in 8 of GSA's "Terms and Conditions Applicable to . . . [SINs] 132-32 . . ., 132-33 . . . and 132-34 . . .." Note, however, that any modification or combination of the Software under those rights will entirely void the warranty per Section 8(a) of this EULA.

(ii) FAR Acquisitions. For government purchases or acquisitions under the authority of Federal Acquisition Regulation ("FAR") Part 12, the rights of use, reproduction, and disclosure are only as stated in Section 3 and 7 of this EULA.

(iii) DOD Acquisitions. For government purchases or acquisitions by the Department of Defense, the rights of use, reproduction, and disclosure are only as stated in Section 3 and 7 of this EULA, per DFARS 227.7202-3(a).

(iv) RESTRICTED RIGHTS NOTICE (JUN 1987). For all other government purchases or acquisitions (that is, under authority other than a GSA Supply Schedule contract, FAR Part 12, or the DFARS), the Software is submitted with restricted rights under FAR 52.227-14 Alt. III. It may not be used, reproduced, or disclosed by the government except as provided in paragraph (b) of FAR 52.227-14 Alt. III or as otherwise expressly stated in Section 3 and 7 of this EULA. Note, however, that any modification, adaptation, or combination of the Software under those rights will entirely void the warranty per Section 8(a) of this EULA.

4. EVALUATION SOFTWARE. Notwithstanding anything to the contrary in this EULA, if Groove Networks has provided the Software to you for evaluation use, then (a) you may use the Software (and any Services Groove Networks chooses to provide you in connection with it) in a manner consistent with the terms of this EULA solely for evaluation purposes for 90 days from the Delivery Date (or such other period as may be indicated in writing by Groove Networks at the time of delivery); (b) your use of the Software (and any Services provided in connection with it) may be terminated by Groove Networks without notice at any time; and (c) in light of the fact that evaluation Software is provided to you free of charge, Groove Networks disclaims the limited warranty set forth below in Section 8, and neither Groove Networks nor any Released Party will be liable for direct damages related to evaluation Software, as explained more fully in Section 9(b). Evaluation copies of Software may contain a "time-out" mechanism that will automatically reduce the functionality or disable use of the Software at the end of the evaluation period.

5. BETA SOFTWARE.

(a) Use. If the Software is designated as pre-release or beta software, then you may use it (and any Services Groove Networks chooses to provide you in connection with it) in a manner consistent with the terms of this EULA solely to test the product internally, test the compatibility of your application or other product(s) that operate in conjunction with the Software, and to evaluate the Software for the purpose of providing feedback regarding it to Groove Networks. You may use the Software until the earlier of (i) 120 days from the Delivery Date, (ii) the date of the commercial release of the non-beta version of the Software, or (iii) 10 days after the date on which you or we send written notice to the other terminating your right to use the beta Software, which either of us may do at any time. You may not use the Software in a live operating environment where it may be relied upon to perform in the same manner as a commercially released product or with data that has not been sufficiently backed up. You may not use the Software for benchmark or performance testing.

(b) Acknowledgement and Additional Liability Limitation and Warranty Disclaimer. You acknowledge that all Software designated as pre-release or beta Software may contain bugs, may not operate properly or perform all intended functions, may interfere with the functioning of other software applications, and may cause errors, data loss or other problems. WE STRONGLY ADVISE YOU NOT TO INSTALL BETA SOFTWARE ON A COMPUTER ON WHICH YOU HAVE INSTALLED AN EARLIER VERSION OF THE SOFTWARE. YOU SHOULD NOT INSTALL BETA SOFTWARE ON THE SAME COMPUTER ON WHICH YOU HAVE INSTALLED AN EARLIER VERSION OF THE SOFTWARE, UNLESS YOU ARE CERTAIN YOU HAVE CONFIGURED YOUR COMPUTER SO THAT THE BETA SOFTWARE WILL NOT REPLACE THE EARLIER VERSION. In light of the fact that pre-release or beta Software is provided to you free of charge, Groove Networks disclaims the limited warranty set forth below in Section 8 with respect to pre-release or beta Software, and neither Groove Networks nor any Released Party will be liable for direct damages related to pre-release or beta Software, as explained more fully in Section 9(b).

(c) Feedback. You agree to provide to Groove Networks reasonable suggestions, com-ments and feedback regarding beta Software, including but not limited to usability, bug reports and test results, with respect to Software testing (collectively, "Feedback"). You grant Groove Networks, under all of your intellectual property and proprietary rights, the following worldwide, non-exclusive, perpetual, irrevocable, royalty free, fully paid up rights: (i) to make, use, copy, modify, and create derivative works of, the Feedback as part

Groove Management Server Domain Administrator’s Guide End User License Agreement 202

Page 211: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

of any Groove Networks product, technology, service, specification or other documenta-tion (collectively, "Groove Offerings"), (ii) to publicly perform or display, import, broad-cast, transmit, distribute, license, offer to sell, and sell, rent, lease or lend copies of the Feedback (and derivative works thereof) as part of any Groove Offering, (iii) solely with respect to your copyright and trade secret rights, to sublicense to third parties the forego-ing rights, including the right to sublicense to further third parties, and (iv) to sublicense to third parties any claims of any patents owned or licensable by you that are necessarily infringed by a third party product, technology or service that uses, interfaces, interoperates or communicates with the Feedback or portion thereof incorporated into a Groove Net-works product, technology or service. Further, you warrant that your Feedback is not sub-ject to license terms that will require, or claim to require, that any Groove Offering that incorporates any Feedback (or any intellectual property therein) be licensed to any third party on specified terms. Due to the nature of the development work, Groove Networks provides no assurance that any specific errors or discrepancies in the Product will be cor-rected.

(d) Confidentiality. All beta Software, including its existence and features and related information, are proprietary and confidential information to Groove Networks. You agree not to disclose or provide beta Software, its Documentation, or any related information (including the Software features or the results of use or testing) to any third party, for a period of one year following the Delivery Date of the Software or until its commercial release, whichever occurs first; provided that, thereafter, you agree not to disclose or pro-vide to any third party any information regarding the Software that has not been made public by Groove Networks as of its commercial release. These restrictions will not apply to any information that (a) is publicly known at the time of its disclosure; (b) is lawfully received from a third party not obligated to maintain it in confidence; (c) is published or otherwise made known to the public by Groove Networks; (d) you generated indepen-dently before you received it, as evidenced by your records; or (e) is required to be dis-closed under any law, governmental rule or regulation or a valid court order, provided you give Groove Networks reasonable written notice prior to disclosure and comply with any applicable protective order or equivalent.

(e) Support and Maintenance. Groove Networks is not obligated to provide maintenance, technical support, or updates to you for beta Software, but any Updates or other supplemental Software provided to you in connection with beta Software will be subject to the terms and conditions of this EULA. In no event will Groove Networks be obligated to provide you, free of charge, a copy of the commercial release version of the Software in connection with your participation in any testing program. Groove Networks is not obligated to make beta Software commercially available.

6. RESTRICTIONS. You agree not to violate any of the following restrictions, or permit others to violate them:


(a) Copying, Distribution and Use. You may not copy the Software, except as provided above in Section 3(a). You may not sell, rent, lease, sublicense or redistribute Software, or use or permit others to access, install or use the Software, except as provided in this EULA.

(b) Proprietary Notices. You may not alter or remove any copyright, trademark, patent, or other protective notices contained in or on Software.

(c) Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software or otherwise attempt to derive its source code, except and only to the extent that any of these activities is permitted by applicable law despite this restriction. To the extent that the right to decompile, disassemble, or reverse engineer the Software is permitted by applicable law, you agree not to do so if Groove Networks makes available to you a separate software module that allows you to achieve interoperability of an independently created computer program for use with the Software. You agree that, prior to attempting to achieve such interoperability, you will obtain written notification from Groove Networks that it is unwilling to make such a software module available within a reasonable period of time.

(d) Modifications and Derivative Works. You may not modify or create derivative works of the Software, but computer code written to current application programming interfaces for the Software that are published by Groove Networks or otherwise disclosed by Groove Networks to you or a third party and which are not marked "preview" or "beta" (or some similar designation) will not be considered modifications or derivative works for purposes of this restriction.

(e) Interference with Certain Features. You may not modify, disable, circumvent, deactivate or otherwise interfere with features of the Software that enforce license restrictions or limits or report technical or statistical information regarding the Software or its use to Groove Networks.

(f) Use of Prior Versions. You may not continue to use prior versions of any Software after installing an Upgrade of the Software or any Update that wholly replaces the Software.

(g) Client Access Licenses. You agree not to permit any End User to use or obtain functionality from Software directly or indirectly (including by "pooling," "multiplexing," or other uses of hardware or software that reduce the number of users or computers directly accessing or using Software) without first obtaining a current CAL for that End User.


(h) Commercial Hosting Services. You may not use the Software to provide commercial hosting services.

(i) Acceptable Use. You may not use the Software for a purpose or in a manner not permitted by the terms of Groove Networks' Acceptable Use Policy (as it may be amended from time to time), including, without limitation, infringement of intellectual property rights. Groove Networks' Acceptable Use Policy is accessible on the Web Site.

(j) Enterprise Data Bridge Server Software. You may not use Groove Networks' Enterprise Data Bridge Server Software with software applications whose primary function is to integrate distinct software systems through the exchange of data and interconnection of processes, as contrasted with software applications whose primary function is to directly offer services to End Users, without first obtaining a separate license from Groove Networks.

7. MAINTENANCE AND SUPPORT. Technical support for the Software may be found in the Help menu within the Software and on the Web Site. Unless you subscribe to an enhanced maintenance and/or support offering, you are not entitled to receive additional maintenance or support for the Software (though any Updates or Upgrades Groove Networks may provide you will be covered by this EULA, unless Groove Networks requires you to accept a new agreement at the time they are provided). If you subscribe to a Groove Networks maintenance and/or support offering, Groove Networks will provide you with maintenance and/or support services corresponding to the service level(s) to which you have subscribed, as set forth in the Maintenance and Support Terms and Conditions accessible on the Web Site (at http://www.groove.net/support/maintenance.html) or the terms of any separate agreement you may enter into with Groove Networks related to such services. Any technical information you provide Groove Networks in connection with support services it provides you may be used by Groove Networks for its business purposes, including product and service development, subject to the terms of Groove Networks' Privacy Policy, which is accessible on the Web Site.

8. LIMITED WARRANTY AND WARRANTY DISCLAIMER.

(a) Groove Networks warrants that, for a period of 90 days after the Delivery Date, the Software (including any Upgrades for which Groove Networks does not require you to accept the terms of a replacement agreement, but excluding Updates) will function substantially in accordance with its Documentation. As your exclusive remedy for breach of this warranty, Groove Networks will, at its option, either replace or repair the defective Software or refund the license fee paid for it, as well as any associated fees pre-paid for maintenance and support for the twelve (12) month period following the Delivery Date of the defective Software; provided, however, that, with respect to a defective Upgrade that you received as part of a maintenance and support plan subscription, the total fees to be refunded to you will be the maintenance and support fee for the twelve (12) month period during which the Upgrade was delivered to you. Notwithstanding the foregoing, Groove Networks will not be responsible for any breach of warranty not reported during the warranty period; any malfunctioning of Software that you or a third party has modified, misused, or damaged; or any malfunctioning of Software caused by hardware or network configuration or malfunctioning or by third party software or services. THIS WARRANTY DOES NOT APPLY TO SOFTWARE COVERED BY SECTION 4 OR 5 OF THIS EULA.

This warranty gives you specific legal rights. You may also have other rights that vary from state to state and country to country.

(b) EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8(a), GROOVE NETWORKS AND ITS LICENSORS AND LICENSORS' DISTRIBUTORS DISCLAIM ALL WARRANTIES WITH RESPECT TO ALL SOFTWARE AND SERVICES AND ALL THIRD PARTY PRODUCTS OR SERVICES YOU MAY UTILIZE IN CONNECTION WITH SOFTWARE OR SERVICES, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NONINFRINGEMENT. IN PARTICULAR, GROOVE NETWORKS DOES NOT REPRESENT THAT THE SOFTWARE OR SERVICES ARE ERROR FREE, WILL OPERATE IN AN UNINTERRUPTED MANNER, ARE COMPLETELY SECURE, OR WILL INTEROPERATE WITH THIRD PARTY SOFTWARE OR SERVICES. THE SOFTWARE AND SERVICES ARE NOT DESIGNED OR MANUFACTURED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT SYSTEMS, OR WEAPON OR COMBAT SYSTEMS, IN WHICH THEIR FAILURE COULD LEAD DIRECTLY TO PERSONAL INJURY, DEATH, OR PROPERTY OR ENVIRONMENTAL DAMAGE. GROOVE NETWORKS DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR SUCH USES.

(c) U.S. Government Customers and End Users. The Software is a "commercial item," as that term is defined in 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation." For government purchases or acquisitions through a GSA Supply Schedule contract, the government customer and end user accept the standard, commercial Groove Networks warranty terms per 2.a of GSA's "Terms and Conditions Applicable to . . . [SINs] 132-32 . . ., 132-33 . . . and 132-34 . . .." For government purchases or acquisitions under the authority of Federal Acquisition Regulation ("FAR") Part 12, the government customer and end user accept the standard, commercial Groove Networks warranty terms and 48 C.F.R. 52.212-4(p). For all government purchases or acquisitions that are not through a GSA Supply Schedule contract or FAR Part 12, the government customer and end user accept the standard, commercial Groove Networks warranty per 48 C.F.R. 46.709 (prime contracts) or 52.244-6 (subcontracts).

9. EXCLUSION OF DAMAGES AND LIMITATION OF LIABILITY.

(a) TO THE MAXIMUM EXTENT PERMITTED BY LAW (INCLUDING ANY APPLICABLE CONSUMER PROTECTION LAW OF A FOREIGN JURISDICTION), NEITHER GROOVE NETWORKS NOR ANY OF ITS DIRECTORS, OFFICERS, EMPLOYEES, CONTROLLED OR CONTROLLING ENTITIES, LICENSORS OR LICENSORS' DISTRIBUTORS (EACH, A "RELEASED PARTY"), WILL HAVE ANY LIABILITY TO YOU OR ANY END USERS FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, ANY LOSS OF USE, LOST PROFITS, BUSINESS OR REVENUE, LOSS OF GOODWILL OR OTHER ECONOMIC ADVANTAGE, OR LOSS OF PRIVACY) ARISING OUT OF OR RELATED TO THIS EULA, EVEN IF GROOVE NETWORKS OR A RELEASED PARTY HAS BEEN ADVISED OF, OR KNEW OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

(b) NOTWITHSTANDING PARAGRAPH 9(a) ABOVE OR ANYTHING ELSE TO THE CONTRARY SET FORTH IN THIS EULA, IF YOUR CLAIMED DAMAGES ARISE FROM OR RELATE TO SOFTWARE OR SERVICES COVERED BY SECTION 4 OR 5 OF THIS EULA, THEN, TO THE MAXIMUM EXTENT PERMITTED BY LAW (INCLUDING ANY APPLICABLE CONSUMER PROTECTION LAW OF A FOREIGN JURISDICTION), NEITHER GROOVE NETWORKS NOR ANY RELEASED PARTY WILL HAVE ANY LIABILITY TO YOU OR ANY END USERS FOR DAMAGES OF ANY KIND ARISING OUT OF OR RELATED TO THIS EULA, THE SOFTWARE OR THE SERVICES, INCLUDING BUT NOT LIMITED TO DIRECT DAMAGES, EVEN IF GROOVE NETWORKS OR A RELEASED PARTY HAS BEEN ADVISED OF, OR KNEW OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

(c) WITHOUT LIMITING THE SCOPE OR EFFECT OF SECTIONS 9(a) OR (b) ABOVE, IN NO EVENT WILL GROOVE NETWORKS' AND THE RELEASED PARTIES' TOTAL LIABILITY WITH RESPECT TO ALL CLAIMS ARISING OUT OF OR RELATED TO THIS EULA, THE SOFTWARE OR THE SERVICES (INCLUDING CLAIMS OF NEGLIGENCE AND STRICT LIABILITY) EXCEED THE LOWER OF (i) THE AGGREGATE DIRECT DAMAGES ACTUALLY INCURRED BY YOU AND YOUR END USERS, OR (ii) US$500.

(d) SOME JURISDICTIONS LIMIT THE EXCLUSION OF DAMAGES OR LIMITATION OF LIABILITY, SO THE ABOVE EXCLUSIONS AND LIMITATIONS MAY NOT APPLY TO YOU. IF ANY PART OF THE EXCLUSIONS OF DAMAGES OR LIMITATIONS OF LIABILITY SET FORTH IN THIS EULA IS UNENFORCEABLE UNDER APPLICABLE LAW, GROOVE NETWORKS' AND THE RELEASED PARTIES' AGGREGATE LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

10. TERM AND TERMINATION. The term of this EULA will commence upon installation or use of the Software and continue perpetually, unless you and Groove Networks enter into a new agreement that entirely replaces this EULA or Groove Networks terminates this EULA as provided herein. Without prejudice to any other rights, Groove Networks may terminate this EULA if you fail to comply with its terms and conditions. If Groove Networks terminates this EULA, (i) you must immediately stop using the Software and destroy all copies of the Software and all of its component parts, and (ii) Groove Networks will have no further obligation to provide any Services being provided to you as of the termination date. The parties' respective rights and obligations under Sections 2 (Ownership), 6 (Restrictions), 8 (Limited Warranty and Warranty Disclaimer), 9 (Exclusion of Damages and Limitation of Liability), and Section 11 (General Provisions) will survive the termination of this EULA. The term of any Services offering to which you subscribe will be extended automatically for successive periods of twelve (12) months (or, if greater than twelve (12) months, the duration of the initial subscription period), and on Groove Networks' standard terms and prices then in effect, unless either party gives notice of cancellation to the other at least sixty (60) days before the subscription expires.

11. GENERAL PROVISIONS.

(a) Export Restrictions. You agree to comply with all applicable laws and regulations of governmental bodies and agencies related to use of the Software and Services and your performance under this EULA. In particular, you acknowledge that the Software is of United States origin and is subject to United States export laws and regulations. Some Groove Networks server software (including, without limitation, its Relay Server software and Enterprise Data Bridge Server Software) is encryption software and may not be exported or re-exported to certain countries (currently Cuba, Iran, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including Denied Parties, Specially Designated Nationals, and entities on the Bureau of Export Administration Entity List or involved with missile technology or nuclear, chemical or biological weapons). The Software also may be subject to the export, import or other laws of other countries. You represent that you are eligible to receive favorable treatment under current United States export control laws and regulations, and that you will not use or transfer the Software in violation of any U.S. or foreign laws or regulations, or permit others to do so.

(b) Data Protection. Each party undertakes to comply with its obligations under the relevant EU data protection and privacy legislation including (where applicable) the EC Data Protection Directive (95/46) and equivalent national legislation.

(c) Waiver. No delay or omission by either party to exercise any right or power arising upon the other party's nonperformance or breach will impair that right or power or be construed as a waiver of it. Any waiver must be in writing and signed by the waiving party. A waiver on one occasion will not be construed as a waiver of any subsequent event of nonperformance or breach.

(d) Severability. If any provision of this EULA is declared to be unenforceable for any reason, the remainder of this EULA will continue in full force and effect, and the unenforceable provision will be deemed modified to the extent necessary to comply with the applicable requirements of law, while retaining to the maximum extent permitted by law its intended effect, scope and economic effect.

(e) Governing Law. The interpretation and performance of this EULA will be governed by the laws of the Commonwealth of Massachusetts, USA, applicable to contracts executed in and performed entirely within Massachusetts, but excluding any choice of law principles that would result in the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this EULA.

(f) Dispute Resolution. Any litigation arising under or related to this EULA will be brought only in the United States District Court for the District of Massachusetts, or, if federal subject matter jurisdiction is lacking, then in the Massachusetts state trial court for the division and county in which Groove Networks' or its successor's or assign's principal office in Massachusetts is then located. You hereby submit to the personal jurisdiction of these courts and waive all objections to placing venue exclusively before them. The prevailing party in any litigation arising under or related to this EULA, in addition to any other relief granted to it, will be entitled to recover from the losing party its reasonable attorneys' fees and costs incurred in connection with the litigation. Notwithstanding the foregoing, Groove Networks acknowledges that the Contract Disputes Act, its implementing regulations, and its judicial interpretations may take precedence when the U.S. Government is the party accepting this EULA, if required by law; whenever commercial item protections or other exceptions permit the commercially offered disputes resolution clause to apply, however, it applies in full force.

(g) Payment and Taxes. You agree to pay all applicable fees and other charges for Software and Services you acquire. Unless prepaid, all fees and charges are payable in U.S. dollars and are due net thirty (30) days from the date of invoice. Groove Networks may charge a late fee of 1.5% per month or the maximum rate allowable by law, whichever is greater, on any balance remaining unpaid for more than thirty (30) days, except that interest on payments by U.S. government customers will be calculated according to the Prompt Payment Act and its implementing regulations. Prices are exclusive of all applicable taxes. You agree to pay all taxes (including but not limited to sales, use, excise, and value-added taxes), tariffs, duties, customs fees or similar charges imposed or levied on all Software and Services you acquire, with the exception of taxes on Groove Networks' net income.

(h) Software and EULA Transfer. Except with respect to Software covered by Section 4 or 5, the initial licensee of the Software may make a one-time, permanent transfer of this EULA and the Software directly to an individual or a single entity. The transfer must include all of the Software (including all component parts and Documentation) and this EULA, and it may not occur by way of consignment or any other indirect transfer. The transferee of the one-time transfer must agree to comply with the terms of this EULA, including the obligation not to further transfer the Software. You may not otherwise transfer the Software or assign any of your rights or obligations under this EULA.

(i) Entire Agreement. This EULA and Groove Networks' Acceptable Use Policy and Privacy Policy for Groove users, and product and service descriptions for Software and Services, all of which are accessible on the Web Site and incorporated by reference into this EULA as they may be amended from time to time, set forth the entire agreement between you and Groove Networks with respect to their subject matter, and they supersede all prior communications, understandings and agreements, as well as the terms and conditions set forth in or on any purchase order, acknowledgement form, check, or any other document or instrument you may issue to Groove Networks or transmit in connection with any payment for Software or Services.

Copyright Groove Networks, Inc. 2000-2005. All Rights Reserved. Groove, Groove Networks and the Groove interlocking circles logo are trademarks of Groove Networks, Inc. U.S. and foreign patents pending.

Groove Server Software v. 3.1 (and later) EULA


Index

AAccount Lockout Policies 133Account Policies 128Account with managed identity, finding when user has lost 183Account, definition 193Account, defintion 193Accounts 144Accounts, user, backing up 60Accounts, user, restoring 61Activation email, sending 47Activation key 48, 53Activation key email

creating and saving 30deleting 31editing 31

Activation key, affect when user tries to apply to other accounts 183, 184Activation key, for products 145Activation key, sending 56Activation key, sending from management server 48Activation key, sending from personal email 49Activation key,definition 193Activation provided by 145Activation server 49, 53Activation state 51Activation status 51Active and pending members 56Active member 51Active members 56Add CA Certificate 91, 132Add Foreign Domain’s Certificate 22Add Install Policy 129Add Multiple Members (CSV) 43Add Multiple Members (XML) 41Adding an individual user to a domain or group 39Adding devices to domain or group 14Adding Groove users to a domain or group 14Adding Groups 35Adding Members to a Domain Group, overview 34Adding members, importing from directory 44Adding Multiple Members from a .csv File 42Adding Multiple Members from an .xml File 41

Enterprise Management Server Administrator’s Guide Index 211

Page 220: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Adding single member to domain group 39Adiministration, troubleshooting 181Administrative Architecture 1Administrative interface, accessing 9Administrator roles, editing 31Administrator, setting UI preferences 11Advanced Install Policies 129Advanced install policy, deleting 105Advanced Relay Server Settings 54Advanced Search Options 55Allow component installations 103Allow Groove client to use XMPP messaging 89Allow members to use the following Groove tools 135Allow publishing vCard to groove.net directory 90Allow this email to be saved 48Allow users to install

102AND/OR 162Audit all account events 136Audit events that occur in the following Groove tools 136Audit log events 164, 175Audit Log Filtering Fields 164Audit Log Report Field 164Audit Policies 135Audit selected account events 136Audit Server Policies 135Audit Server URL 135Audit workspace events 136Auditing Groove clients 6Authenticated vs. Unauthenticated Groove Identities 83Authentication, definition 193Automatic password reset (an data recovery) 92Automatically manage devices at activation 90Automatically publish vCard to management server directory 89

BBacking up user account data 60Backup account every x days, identity policy 89Bandwidth limit, setting 124Bandwidth Policies 130Bandwidth usage, limiting 124Bandwidth, setting device policy to limit 130Block component installations 103Browser 10

CCA, definition in PKI 24Centralized passphrase reset 83Certificate 24Certificate Authority, definition 193Certificate list, for cross-certified domains 22Certificate, definition 193Certificates drop-dow 132

Enterprise Management Server Administrator’s Guide Index 212

Page 221: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Certificates, Enterprise PKI, deleting 87Certification Authority (CA) 24Certification Authority (NA) name, domain 19, 20Certification, definition 193Change Key 22Change Private Key Password 22Clear Filter 162Client Policies 128Client updates from management server, manually triggering 67Color Key 22Comparator, drop-down menu in reports 163Component install policy 128, 134Component installation policies, for devices, customizing 99Component name 102Component, definition 193Configuring domain affiliation 22Consider a smart card login invalid if revocation status has not been updated in __ days 132Consider an Identity authentication certificate invalid if revocation status has not been updated __ days 87Consider an identity authentication certificate invalid if revocation status has not been updated in __ days 91Create Private Key Password 19Cross Domain Certification, setting domain properties 22Cross-certified domains, removing 27Cross-certified domains, viewing 27Cross-certifying management domains 25Cross-domain management 23Cross-domain management procedure 25Cross-domain management, setting up 23Custom Component Install Policy, editing 104Custom Filter, Directory Integration 47Custom install policy, deleting 105Custom policies 130Custom policy, allow component installations 103Custom policy, block component installation 103Custom policy, component version, Policy field 104Custom policy, deleting 105Customize Password Reset Instructions 92Customize Smart Card Login Reset Instructions 133

DData Recovery 5Data recovery 92Data Recovery certificate

deleting 124Data Recovery certificate, replacing 124Data Recovery Fundamentals 79Data Recovery Fundamentals, for managed devices 117Data Recovery private key location, changing 27Data Recovery Problems 184Data recovery, allowing 112

Enterprise Management Server Administrator’s Guide Index 213

Page 222: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Data recovery, changing private key 27Data Recovery, configuring on managed devices 117Data recovery, controlling for Groove 3.0f or later 73Data recovery, setting policy to enable 80, 119Data Recovery, setting up (for Groove 3.0f or later) 79Data, recovering 80, 119Date activated 53Date, audit log event 164Default identity, definition 193Default identity, defintion 193Default workspace version 89

setting 86Delete Certificate button 91, 132Delete Certificates, for cross-certified domains 22Deleted members 56Deleted users 51Deleting domain members 59Deleting group 39Deleting Managed Devices from a Domain 96Deleting Tool Usage Policies 124Deny automatic component upgrades 129Deny installation of self-signed components 129Deploying Groove Workspace

using Enterprise Installer 191Device Management, removing devices from domain 21Device message lifetime 156Device policies, allow component installations 103Device policies, block component installations 103Device policies, custom 99Device policies, viewing and editing 98Device policy template 194Device policy templates, changing for a group 97Device policy templates, creating 96Device policy, prohibit publishing of vCard to management server directory 89Device Registration, overview 95Device templates, administering 98Device, adding to domain 181Device, definition 193Device, defintion 193Devices with this Identity 54Devices, adding to domain or group 14Devices, managed, deleting 96Devices, managing 33, 93Diagnosing server problems 181Digital fingerprint 53, 101

definition 194Digital Thumbprint, definition 194Directory Integration Settings 37Directory integration, importing members via 44Directory search criteria 46Directory Server 46

Enterprise Management Server Administrator’s Guide Index 214

Page 223: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Directory Status 52Disable Groove if auditing fails. 136Disable password reset and data recovery without password reset. 132, 133Disabled members 56Disabled users 51Disabling domain members 58Display Matching Users 47Display name 101Display number of users 46Display Report, domain reports 142, 156Distributing Identities 14DMZ, definition 194Domain

audit log information 164, 175Certification AUthority name 19, 20friendly name 18, 20

Domain Administrator’s Guide, management server 6Domain affiliation, configuring 22Domain Description 19Domain description 20Domain field 53Domain fields 18, 20Domain group, importing members to 44Domain groups, viewing 38Domain Licenses, viewing 141Domain member 194Domain Member Information Fields 53Domain Member Information, viewing and editing 52Domain member list, exporting 57Domain member, definition 194Domain member, defintion 194Domain member, disabling 58Domain member, enabling 58Domain Members, deleting 59Domain Members, finding 55Domain members, finding 55Domain Members, moving to another group 56Domain members, suspending 58Domain members, viewing 50Domain Name 18, 20Domain policies 131Domain relay servers, viewing 154Domain Setup 20Domain, applying templates and sets to 37Domain, definiion 194Domain, edit properties 20Domain, view domains 20Domains

managing 17Domains tab 32Domains, management, cross-certifying 25

Enterprise Management Server Administrator’s Guide Index 215

Page 224: Groove Management Serverdownload.microsoft.com/download/A/A/A/AAA7F161-1655-410D...Groove Management Server Domain Administrator’s Guide Table of Contents ivMigrating Users to Another

Domain-wide changes 18Download certificate, for cross-domain management 26Download data recovery tool for Groove version 21Download Domain Certificate 22Download Template 41, 43Download the Registry Key (.reg) to a device to a domain 95

EEdit Filter 162Editing Device Policies 98Email

see Activation key email 30Email address 51Email Body 48Email From 48Email Subject 48Email templates, creating 30EMS 1EMS, overview 1Enable Purge 155Enable Quotas 155Enabling domain member 58Enabling Groove Client Auditing 126End 198End User License Agreement 198Enterprise Installer 191Enterprise License Pack 147Enterprise Management Server 1Enterprise Management Server (EMS) 1

definition 194Enterprise PKI certificates, deleting 87Enterprise PKI, definition 194Enterprise Relay Server (ERS)

definition 194EULA 198Event, audit log 164, 165Expired licenses, viewing 141, 154Export members 58Export spaces into directory on disk 82, 121Export spaces into existing account 82, 120Export spaces into new account 82, 120Exporting domain member list 57

FField Selector 162Filter specification, adding line to 162Filter specification, deleting line from 162Finding domain members 55, 142, 156Finding license users 142Finding users 55, 142, 156Fingerprint

definition 194Friendly name for the domain 18, 20


Full name 51
Functionality, management server 2

G

Getting Help 10
Glossary 193
Groove Bandwidth Policy, overview 124
Groove Client Audit Server, introduction 6
Groove client auditing, enabling 126
Groove client events, auditing 136
Groove Enterprise Management Server 1
Groove Hosted Management Server 1
Groove Hosted Management Services 1
    definition 194
Groove Hosted Relay Services
    definition 195
Groove Licenses, adding to a domain 139
Groove Licenses, managing 138
Groove login policy 133
Groove PKI, definition 195
Groove Platform Upgrades, managing 105
Groove space, definition 195
Groove Tool Usage, controlling on managed devices 121
Groove usage monitoring 5, 6
Groove Usage Reporting 5
Groove usage reports 161
Groove usage reports, viewing 161
Groove User Problems 183
Groove users and devices, managing 33
Groove users, managing 33
Groove Virtual Office Client Events, auditing 136
Groove-hosted services 16
Group field 53
Group members, viewing 38
Group Name, changing 36
Group Properties 37
Group properties, editing 36
Group Setup 37
Group, definition 195
Group, deleting 39
Group, editing properties 36
Group, importing members to 44
Groups tab 36
Groups, adding 35
Groups, managing 35
GUID, definition 195

H

Help, accessing 10
Hosted relay server, adding to EMS 149
Hosted relay server, registering with EMS 149
Hosted relay servers 148


Hosting Groove Components 6

I

Identities, distributing 14
Identities, managing 33, 68, 148
Identity activation, status of 51
Identity Authentication Certificate 91
Identity Authentication Settings (cannot be undone) 19
Identity authentication, definition 195
Identity may only be used on a managed device 90
Identity message lifetime 156
Identity name 49
Identity Policies 71
Identity policies, editing 71
Identity policies, viewing and editing 71
Identity Policy Template 53
Identity policy template 195
Identity policy template, creating 69
Identity policy templates, changing 70, 97
Identity policy templates, changing for a group 70, 142, 157
Identity policy templates, changing for a group member 71, 143, 157
Identity policy templates, cloning 70
Identity policy templates, creating 69
Identity policy templates, deleting 71
Identity policy, prevent publishing vCard to groove.net directory 90
Identity, definition 195
Import Foreign Domain’s Certificate 27
Import Matching Users 47
Import Members From Directory Server page 46
Importing Licenses to a Domain or Group 138
Importing Members from a Directory 44
Importing members from a directory 44
Install components from 129
Install Policies 128

K

Key (security), definition 195
Key Files 191
Key, definition 195

L

Last Account Backup Date 52
Last modified 51
License information, viewing 141
License provisioning, overview 138
License Set 54
License set 195
License Set Names, editing 141
License Set Usage Filtering Fields 173
License Set Usage Report Fields 172
License set, deleting 144
License Sets, adding to a domain 140
License sets, changing 142
License sets, provisioning 142


License users, finding 142
License, definition 195
License, number of seats, viewing 141, 154
Licenses, adding more seats 146
Licenses, adding to a domain 139
Licenses, adding to a set 140
Licenses, checking expiration date 147
Licenses, deleting from a set 143
Licenses, deleting from domain 143
Licenses, distributing to unmanaged users 144, 145
Licenses, expiration date, viewing 141, 154
Licenses, importing to a domain or group 138
Licenses, issue date, viewing 141, 154
Licenses, managing 138
Licenses, name 141, 154
Licenses, removing from a set 143
Licenses, revoking from unmanaged users 146
Licenses, see also Groove licenses 138
Licenses, viewing for unmanaged users 145
Licenses, viewing in a set 141
Limit bandwidth to 130
Limit members’ identity authentication certificate choices to certificates signed by the following CAs 91
Limit members’ smart card login certificate choices to certificates signed by the following CAs 132
Lockout, relay server 155
Login credentials, centralized reset of 113
Login credentials, centralized reset of (for Groove 3.0f or later) 75
Login credentials, client reset of 77, 115
Login Methods 131

M

Make this email the default for this activity. 48, 63
Managed device, definition 195
Managed devices, deleting from domain 96
Managed identity, definition 195
Management domain, definition 195
Management server
    client polling of 67
Management server administrative interface, accessing 9
Management server email templates, creating 30
Management server email, creating and saving 30
Management server email, editing 31
Management server updates, manually initiating 67
Management Server, Administrator’s Guide 6
Management server, definition 195
Management server, Help 10
Management server, overview 1
Managing Device Policies 93
Managing domains 17
Managing Groove Licenses 138


Managing Groove users 33, 68, 148
Managing Groups 35
Managing identities in a domain 33, 68, 148
Managing Relay Servers 148
Managing User Interaction with Unauthenticated Identities 83
Management server email, deleting 31
Management server functionality 2
Manual password reset and data recovery 92
Member Activity Filtering Fields 166, 175
Member Activity Report Fields 173, 174
Member information, editing 52
Member Policies 89
Member status 51
Member Usage Filtering Fields 166
Member Usage Report Fields 166
Member, definition 195
Members 50, 52, 55, 56, 59, 63
Members can only use managed identities from this domain on devices in this domain 128
Members cannot create multiple accounts 128
Members cannot import accounts 128
Members list 51
Members list, exporting 58
Members, disabling and enabling 58
Members, enabling disabled 58
Members, removing 59
Members, see Domain Members 55
Members, suspending 58
Monitoring Groove usage 5
Move Key to File 21
Move members 57
Move selected members 60
Moving members 56
Multiple members, adding from a .csv file to a domain or group 42
Multiple members, adding from an .xml file to a domain or group 41

N

Non-trusted identities
    managing client interaction with 83, 87

O

Onsite relay servers, synchronizing with management server 159
Operator 103
Ordering buttons, relays 154
Ordering relay sequence 159
Override settings for all members and subgroups 37
Overview 1

P

Package users, finding 142, 156
Passphrase length must contain at least x characters 131
Passphrase must contain at least one alpha character 131
Passphrase must contain at least one numeric character 131
Passphrase must contain at least one punctuation symbol 131


Passphrase must contain mixed-case characters 131
Password and smart card login reset, controlling on managed devices (for pre-3.0f Groove versions) 112
Password expires every ___ days 131
Password or Smart Card Login reset, client instructions 115
Password or Smart Card Login reset, client side instructions (for Groove 3.0f or later) 77
Password or Smart Card Reset Setup 21
Password or Smartcard Reset Setup 19
Password Policies 131
Password reset and data recovery, None 92
Password/Smart Card Login Reset, administering centralized 113
Password/Smart Card Login Reset, administering centralized (for Groove 3.0f or later) 75
Password/Smartcard Login Reset Policies (Groove Virtual Office 3.0f or later) 91
Passwords and Smart Card Login reset (for Groove 3.0f or later) 74
Passwords and Smart Card Login reset on managed devices (for Groove 3.0e or earlier) 113
Passwords and Smart Card Login reset, controlling for Groove 3.0f or later 73
Peer Authentication Policy 90
Peer Authentication, setting up 83
Pending member 51
Pending members 56
Pending status 51
PKI 24
    definition 196
PKI Basics 24
PKI, definition 24
Platform Upgrade and limited new tools, policy for 110
Platform Upgrade To Current Version 107
Platform Upgrade To Interim Version 108
Platform Upgrade without new tools, policy for 111
Policies, allow users to install 102
Policies, component install 128, 134
Policies, component name 102
Policies, device 131
Policies, digital fingerprint 101
Policies, display name 101
Policies, editing 71
Policies, identity 71
Policies, operator 103
Policies, version 103
Policies, viewing and editing 71
Policy template, creating 69
Policy templates, changing 70, 97
Policy templates, cloning 70
Policy templates, deleting 71
Policy templates, editing 69
Policy, definition 196
Polling interval 67
Preferences, editing administrator 11
Prerequisites 8
Presets, tool installation policy 134


Prevent members from installing any component 128
Prevent passphrase memorization on device 131
Private Key Name 19
Private key storage options 20
Private key, definition 196
Product, activation keys 145
Prohibit direct remote web services 134
Provisioning users 3, 49
Provisioning users, with licenses, overview 138
Provisioning users, with relay servers, overview 148
Public Key Infrastructure 24
Public Key Infrastructure (PKI)
    definition 196
Public key, definition 196
Public relay server 196

Q

Quota, setting on relay server 155

R

Recover the data without resetting the member’s passphrase 132, 133
Recover Workspace Data option 81, 120
Recovering user data 80
Recovering user data on managed devices 119
Recovery Options 82, 120
Registering Devices in a Management Domain 95
Registry file, definition 196
Relay server key exchange 150
Relay server properties, editing 155
Relay server provisioning, overview 148
Relay server queues, purging 156
Relay server quota 155
Relay server quotas, enabling 155
Relay server registration, overview 150
Relay Server Set 54
Relay server set 196
Relay server set names, editing 153
Relay server sets, changing 156
Relay server sets, provisioning 156
Relay server, adding hosted server to EMS 149
Relay server, adding to a set 152
Relay server, adding to EMS 149
Relay server, definition 196
Relay server, enable quotas 155
Relay server, locking out from a domain or group 159
Relay server, locking out temporarily 159
Relay server, lockout 159
Relay server, re-enabling after lockout 159
Relay Servers, deleting from domain 157
Relay servers, Groove-hosted 148
Relay servers, removing from a set 158
Relay servers, re-ordering 159
Relay servers, ordering sequence of 159


Remember Private Key Password 20
Remove devices from domain after __ days of inactivity 21
Removing devices from a domainDevices, removing from a domain 51
Removing Members 59
Removing Relay Servers from a Set 158
Report Filtering Options 162
Report filters, sample 177
Reports tab, domain 142, 156, 163
Representation of Affiliation 21
Require strong private key protection 134
Requirements, expertise 8
Resending an Activation Key 56
Reset Passphrase, option 81, 120
Reset Password or Smart Card Login 53
Reset the member’s passphrase 132, 133
Resetting user’s passphrase 79
Restoring user accounts 61
Restoring user account data 60
Restricting Tool Usage 121
Revoking licenses 146
Revoking, Disabling, and Deleting Licenses 146
Roles, editing administrative 31

S

Save Email As 48, 63
Search Filter 38
Search for 46
Seat, definition 196
Seats, adding more to license 146
Seats, number supported in a license 141, 154
Security Policies 90, 131
Select Email 48
Sending activation email 47
Server diagnostics 181
Server set, adding to a domain 152
Server, relay 154
Setting Groove Bandwidth Limit 125
Show member’s domain only 23
Show member’s position within the domain/group hierarchy 23
Smart card 196
Smart Card Login Policies 132
Startup 9, 10
Status 51
Store Key on Server 21
Strong Private Key Protection 134
Synchronizing onsite relay and management servers 159

T

Template, creating for policy 69
Templates, cloning for policies 70
Templates, creating for policy 69
Templates, deleting for policies 71
Threshold


    __ Invalid login attempts 133
Tool Events, auditing 136
Tool Usage Filtering Fields 168
Tool usage policies 134
Tool Usage Recovery 123
Tool Usage Report Fields 168
Tool, definition 196
Tools Usage Report 168
Troubleshooting 181
Trust, definition 197
Type, audit log event 164
Type, relay 154, 155

U

UI, help using 10
Maximum duration
    __ 133
Upload audit logs every __ days 136
Usage Policies 134
Usage reports 161
Usage reports, options 163
User account 197
User account, definition 197
User accounts
    backing up and restoring 60
User accounts, restoring 61
User Activity Report 172
User data, recovering 80, 119
User Deployment Method 34
User identity 197
User identity information fields 53
User identity, definition 197
User passphrase, resetting 79
User passphrases, allowing users to reset 83
User, definition 197
Users cannot repeat last ___ passphrases 131
Users, adding to a domain or group 14
Users, finding 55
Users, managing 3, 33
Users, provisioning 3, 49
Users, troubleshooting 181

V

vCard, definition 193, 197
Verify Private Key Password 19
Version 103
Viewing Groove Usage Reports 161
Viewing License Information 141
Viewing license information 141
Viewing relay server properties 155
Viewing the Audit Log 164


Viewing the Audit Log, domain 164
Viewing user information 141

W

Where, audit log event 164
Who, audit log event 164, 165
Workspace Activity Filtering Fields 171
Workspace Usage Filtering Fields 171
Workspace Usage Report 163
Workspace Usage Report Fields 170
Workspace, definition 197

X

XMPP messaging, allowing clients to use 89
XMPP messaging, controlling use of 89
