ID112: Domino Policies: Deep Dive and Best Practices
Mark A. Skurla, IBM
Advisory Software Engineer,
Domino Administration Team Lead
mskurla@us.ibm.com
Twitter: DomPolicy

© 2014 IBM Corporation
Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole
discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be
relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver
any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole
discretion

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment.
The actual throughput or performance that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve
results similar to those stated here.

Welcome!

My background:
– IBMer since 1995, Domino/Notes since 1997 (R5), Policy Area Owner since 8.5

Full disclosure: this session is about policies, not policy settings! (~1,000)
– For a good discussion on that, see:
  http://blog.darrenduke.net/darren/ddbz.nsf/dx/my-show102-using-ibm-lotus-domino-8.5policies-to-manage-your-clients.htm

Why this session?
– Policies are like a Swiss army knife, very useful, but confusing
– Wanted a session on policies themselves instead of the settings

Agenda

Deep Dive
– Architecture
– Flow
– Precedence vs. scope
– How To Apply Controls

Best Practices

Using Policies with the Cloud

Q&A

Deep Dive

Architecture

[Architecture diagram. Labels: Standard Client, Domino Server, Admin Client, Policy cache, Policy Engine, Managed Settings, Server thread, Java (notes2), C/C++ (nlnotes), dynconfig, Personal NAB, Directory, Adminp, Mail File, Policy Synopsis (polcysyn.nsf)]

Client side policy flow

[Client side policy flow diagram, same components as the architecture diagram. The step callouts overlap in this transcript; legible terms: home mail server, authentication, dynconfig, policy cache, effective policy, $Policies, $PolicyProfile, directoryprofile, PNAB, notify flags, managed settings updates (Eclipse feature), <username>]

Server side policy flow

Every 12 hours, adminp calculates the effective mail policy for the local mail users.
And stores it in the Calendar profile in the mail file.
– Use ADMINP_POLL_INTERVAL to override (in minutes)
– Tell adminp process mail

[Diagram labels: Policy cache, Policy Engine, Server thread, Directory, Adminp, Mail File, Domino Server]

When you access mail Preferences, it comes from the calendar profile. Not the $Policies in PNAB.

[Diagram labels: Managed Settings, Java (notes2), dynconfig, Personal NAB, C/C++ (nlnotes), Standard Client, Server thread, Policy Engine, Directory, Adminp, Mail File, Domino Server]

Location, location!

The client gets the home server from the Location document:

The server gets it from the Person document:

They may be different!

Switching domains via Location document switches policies!

Value for MailServer in Location MUST be canonical:

Precedence vs. Scope

Three policy types:
– Organizational
– Dynamic
– Explicit

[Diagram arrows: Increasing precedence; Increasing scope]

Use the policy type that matches your scope!

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/dominopolicy-precedence-explained

Precedence vs. Scope

Where's Dynamic?!
– Dynamic = Explicit policy with entries in the Policy Assignment tab
– Explicit = Explicit policy with no entries in the Policy Assignment tab
– You could use the same policy as both!

Precedence vs. Scope

Common policy pattern:
– Organizational policy has company wide setting: e.g. Password expiration
– Individual features enabled via Dynamic policy: e.g. ID Vault, Managed Replica
– Exceptions to feature deployment via Explicit policy: No ID Vault

Precedence vs. Scope

Enforce overrides precedence
– The value will be used

Inheritance complements precedence
– The value will be used if there is no value in the parent, otherwise that will be used

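The Enforce and Inherit rules on this slide, applied to the common policy pattern from the slide before it, as an added Python model (not part of the original deck and not Domino's policy engine). The `Setting` and `Policy` classes and the setting names are hypothetical; the order Organizational < Dynamic < Explicit is read from the policy-type slides.

```python
# Added illustration: models the slide's rules only; it is not Domino code.
from dataclasses import dataclass, field

# Lowest to highest precedence, as read from the "Three policy types" slide.
PRECEDENCE = ("Organizational", "Dynamic", "Explicit")


@dataclass
class Setting:
    value: str
    enforce: bool = False  # Enforce: this value is used regardless of precedence
    inherit: bool = False  # Inherit: use the parent's value when the parent has one


@dataclass
class Policy:
    name: str
    kind: str  # one of PRECEDENCE
    settings: dict = field(default_factory=dict)  # missing key == "Don't Set"


def effective(policies, key):
    """Resolve one setting; returns (value, name of the policy that supplied it)."""
    value, source, enforced = None, None, False
    # Walk from the widest scope to the highest precedence; sorted() is stable,
    # so policies of the same kind keep the order they were given in.
    for pol in sorted(policies, key=lambda p: PRECEDENCE.index(p.kind)):
        s = pol.settings.get(key)
        if s is None:
            continue  # Don't Set: the setting does not exist in this policy
        if enforced:
            continue  # an enforced parent value overrides precedence
        if s.inherit and value is not None:
            continue  # Inherit: the parent has a value, so that one is used
        value, source, enforced = s.value, pol.name, s.enforce
    return value, source


def resolve_all(policies):
    """Effective value and source for every setting named in any policy."""
    keys = sorted({k for p in policies for k in p.settings})
    return {k: effective(policies, k) for k in keys}


# Constructed sample following the "common policy pattern" slide.
ORG = Policy("*/Iris", "Organizational", {
    "PasswordExpirationDays": Setting("90", enforce=True),  # company wide, enforced
    "MailQuotaMB": Setting("200"),
})
VAULT = Policy("VaultUsers", "Dynamic", {
    "IDVault": Setting("enabled"),                # feature rollout by group
    "PasswordExpirationDays": Setting("30"),      # loses to the enforced parent
})
NO_VAULT = Policy("NoVault", "Explicit", {
    "IDVault": Setting("disabled"),               # exception for one user
    "MailQuotaMB": Setting("500", inherit=True),  # parent has a value: 200 wins
    "ArchiveDays": Setting("365", inherit=True),  # no parent value: 365 is used
})

if __name__ == "__main__":
    for key, (value, source) in resolve_all([NO_VAULT, VAULT, ORG]).items():
        print(f"{key:24} {value:10} from {source}")
```
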
How To Apply controls

Don't Set
– Does NOT mean use a default, it means does not exist for this policy
– Explicitly set any setting you don't intend to use to Don't Set.

Set Initial
– Best used for initial deployments
– Old Setup policy = Desktop policy with Set Initial for all values

Set Whenever Modified
– Most commonly used

Set and Prevent Changes
– Use to lock down user modifiable settings

How To Apply controls

'Admin only' settings only have Don't Set Value.

Set Initial, Set Whenever modified, and Set and Prevent Changes are only available when there is a user interface to change them

Best Practices

Is there a published set of best practices? This is it!

Use the least amount of policies to implement your needs
– Unnecessary policies increase your TCO
– Don't create one at every level in a hierarchy
– Use precedence and Inherit/Enforce controls to reduce number of policies
– Re-use settings documents across policies

Modify policies on the administration server of the domain

Use Autopopulated groups added in Domino 8.5

Use autopopulated groups to construct a Domain group hierarchy:
– One autopopulated group per mail server: e.g. U2HomeServer
– Group for cluster contains the mail server autopopulated groups:
  ● e.g. JoshuaTreeHomeServers = U2HomeServer, etc
– One group contains all the clusters in the domain: e.g.
  ● IrisDomainHomeServer = JoshuaTreeHomeServers, etc.

Now you can e-mail users at any level or use in Policies

[Diagram, increasing scope: U2HomeServer; JoshuaTreeHomeServers (cluster); IrisDomainHomeServers (Collection of clusters)]

How is the previous setup helpful?
– Example 1: New employee is onboarded, registered with a given home mail server
  ● Employee is added to autopopulated group for that server, gets policies
  ● No further actions for the admin!
– Example 2: Existing employee takes international assignment, company has different policies for regional mail servers
  ● Admin uses mail file move to change user's home mail server
  ● Employee is moved from original home server's autopopulated group to new server's group
  ● Employee automatically gets new policies
  ● No further actions for the admin!

Use the Protected Group feature for critical groups: Actions->Edit Directory Profile

Use dynamic policies with groups not people!
– Specifying lots of individual people reduces performance and increases TCO
– Examine hidden view to locate bad policies, $PoliciesByGroup

Use Policy Synopsis tool
– Can be used to debug problems, start with user's home mail server
– Can also be used to verify new policies before going into production
– Launched from Admin client's People and Group or Configuration tabs

Must re-link policies when copying them
– Useful when trying out changes to production in a test environment
– Needed when submitting Directory to support for PMRs

Watch out for the 'Set Initial' trap! Use only for setup situations.

When removing a policy:
– Policies are a push model, don't just remove!
– First change settings to 'default' values and let deploy
– 'Disable' policies instead of removing them
  ● For Explicit policies, clear Policy Assignment tab.
  ● For Organizational policies, modify the fullname.
  ● Allows for quick restoration in case of problem

Consider using your administrators group as a pilot group for policies

Consider a special ID to sign all policies
– Pro: Prevents “Policy has been modified since signed” when admin leaves the company!
– Con: Can no longer tell who last modified the policy
– Cloud: Signs with server ID, uses tool to re-sign admin modified policies

How to tell who signed the policy?
– The Signed By column in the view is NOT the way to go, it's the $Updated By value:

Open policy and look for the Signature or Encryption icon:

In policy view, use Actions → Resign Policy to do just that

Use machine specific policies for special situations: laptop vs desktop, Citrix
– Adding new ones:
  ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21474598
– Troubleshooting:
  ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21501673
– Client only

Exemption Policy
– Should only be needed rarely
– Like an Enforce for a policy, restarts the precedence tree from this policy down

To force a policy update from the server:
– For a user, just Edit/Save their person document
– For a whole server:
  ● Restart the server
  ● Load updall names.nsf -T $Policies -R
  ● Go to the Policies view and enter: CONTROL-SHIFT
    Works because policy view timestamp is part of policy update trigger

To force a policy update from the client:
– Since 8.5, just clearing the $Policies view in PNAB doesn't do it!
– Run dynconfig manually from the executable directory: ndyncfg.exe 20

To force a policy update from the client via mailed LS button: (cont)
– Clear client side cached info via LotusScript:

Sub Click(Source As Button)
    ' Clears the current user's cached "directoryprofile" profile document
    ' in the local names.nsf (Personal NAB).
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim s As New NotesSession
    ' Empty server name = database on the local client
    Set db = New NotesDatabase("", "names.nsf")
    ' Profile document keyed by the current user's name
    Set doc = db.GetProfileDocument("directoryprofile", s.UserName)
    Call doc.Remove(True)
    Call doc.Save(True, True)
    MessageBox "Cleanup Complete Restart Client", 48, "DONE!!"
End Sub

Smart Cloud Notes

The service creates an Organizational policy for each customer
– Contains pre-set settings needed for the service to operate
– These settings will override any customer policy settings

Only Dynamic policies are supported, no Organizational or Explicit policies (assigned in Person documents)

To simulate Organizational policies, use wildcards, e.g. */IBM, in Dynamic policy Assignment field

Use groups, only use individual user names when necessary
– Don't use the following: LLNServers, LLNMailHubs, <Certifiers>_* or SAAS*
– Must be unique across directories

Archiving, Registration, Roaming, Traveler types are not supported

Desktop, Mail, and Security are supported with restrictions for certain fields
– See:
  http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sma

Review and clean up your policies before first synching with the cloud.

For multiple domains, incorporate domain name into policy and settings names
– Must have unique policy names across domain

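The Smart Cloud Notes restrictions from the two slides above (supported policy and settings types, reserved group names, uniqueness) turned into a pre-sync review check, as an added Python example that is not part of the original deck. The dict layout of the exported policies and groups, the reading of `<Certifiers>_*` as "certifier name followed by an underscore", and the rule that names containing "/" are people are assumptions.

```python
# Added illustration: pre-sync lint for the restrictions listed on the slides.
# The input layout is hypothetical; nothing here talks to a Domino server.
import fnmatch
from collections import defaultdict

UNSUPPORTED_SETTINGS = {"Archiving", "Registration", "Roaming", "Traveler"}
RESERVED_GROUPS = ["LLNServers", "LLNMailHubs", "SAAS*"]


def is_reserved(group, certifiers):
    """True for LLNServers, LLNMailHubs, SAAS* and <certifier>_* (case-insensitive)."""
    patterns = RESERVED_GROUPS + [c + "_*" for c in certifiers]
    return any(fnmatch.fnmatchcase(group.lower(), p.lower()) for p in patterns)


def lint(policies, groups, certifiers):
    """Return a list of (finding code, detail) tuples; empty means nothing flagged."""
    findings = []
    domains_by_policy = defaultdict(set)
    for p in policies:
        domains_by_policy[p["name"].lower()].add(p["domain"])
        if p["type"] == "Organizational":
            findings.append(("organizational-policy", p["name"]))
        elif not p["assignment"]:
            # Explicit policy with an empty Policy Assignment tab, i.e. one that
            # is assigned in Person documents: not supported by the service.
            findings.append(("explicit-policy", p["name"]))
        for entry in p["assignment"]:
            if entry.startswith("*/"):
                continue  # wildcard such as */IBM simulates an Organizational policy
            if "/" in entry:
                # Assumption: hierarchical names are people, flat names are groups.
                # Advisory only: the slide allows individual names when necessary.
                findings.append(("individual-user", f"{p['name']}: {entry}"))
            elif is_reserved(entry, certifiers):
                findings.append(("reserved-group", f"{p['name']}: {entry}"))
        for kind in p["settings"]:
            if kind in UNSUPPORTED_SETTINGS:
                findings.append(("unsupported-settings", f"{p['name']}: {kind}"))
    # Policy names must be unique across domains.
    for name, domains in domains_by_policy.items():
        if len(domains) > 1:
            findings.append(("duplicate-policy-name", name))
    # Group names must be unique across directories.
    directories_by_group = defaultdict(set)
    for directory, group in groups:
        directories_by_group[group.lower()].add(directory)
    for group, directories in directories_by_group.items():
        if len(directories) > 1:
            findings.append(("duplicate-group", group))
    return findings


# Constructed sample data; names reuse the deck's examples where it has them.
SAMPLE_CERTIFIERS = ["Iris"]
SAMPLE_POLICIES = [
    {"name": "CompanyWide", "domain": "IrisDomain", "type": "Explicit",
     "assignment": ["*/Iris"], "settings": ["Security"]},
    {"name": "*/Iris", "domain": "IrisDomain", "type": "Organizational",
     "assignment": [], "settings": ["Security"]},
    {"name": "NoVault", "domain": "IrisDomain", "type": "Explicit",
     "assignment": [], "settings": ["Security"]},
    {"name": "MailDefaults", "domain": "IrisDomain", "type": "Explicit",
     "assignment": ["U2HomeServer", "Bono Vox/Iris", "SAASPilot"],
     "settings": ["Mail", "Archiving"]},
    {"name": "MailDefaults", "domain": "OtherDomain", "type": "Explicit",
     "assignment": ["Iris_Admins"], "settings": ["Desktop"]},
]
SAMPLE_GROUPS = [
    ("names.nsf", "U2HomeServer"),
    ("dir2.nsf", "U2HomeServer"),
    ("names.nsf", "JoshuaTreeHomeServers"),
]

if __name__ == "__main__":
    for code, detail in lint(SAMPLE_POLICIES, SAMPLE_GROUPS, SAMPLE_CERTIFIERS):
        print(f"{code:24} {detail}")
```
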
Additional Information

Wiki articles - http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies

Policy Blog - http://www-10.lotus.com/ldd/dpdblog.nsf

Debug Decision Tree - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart

Smart Cloud Notes - http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Using_administrative_policies_HY&content=pdcontent

Meet me in the Ask the Developers Lab!

Tuesday: 4:30pm-6pm
Wednesday: 11am-11:30am, 12:30-6pm
Thursday: 10am - noon.

Engage Online

SocialBiz User Group socialbizug.org
– Join the epicenter of Notes and Collaboration user groups
Follow us on Twitter
– @IBMConnect and @IBMSocialBiz
LinkedIn http://bit.ly/SBComm
– Participate in the IBM Social Business group on LinkedIn
Facebook https://www.facebook.com/IBMSocialBiz
– Like IBM Social Business on Facebook
Social Business Insights blog ibm.com/blogs/socialbusiness
– Read and engage with our bloggers

Access Connect Online to complete your session surveys using any:
– Web or mobile browser
– Connect Online kiosk onsite

Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.

© Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Lotus, Notes, and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or
both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or
common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list
of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
If you have mentioned trademarks that are not from IBM, please update and add the following lines:
[Insert any special 3rd party trademark names/attributions here]
Other company, product, or service names may be trademarks or service marks of others.

Connect 2014: ID112: Domino Policies: Deep Dive and Best Practices

  • 1. ID112: Domino Policies: Deep Dive and Best Practices Mark A. Skurla, IBM Advisory Software Engineer, Domino Administration Team Lead mskurla@us.ibm.com Twitter: DomPolicy © 2014 IBM Corporation
  • 2. Please Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
  • 3. Welcome! My background: – IBMer since 1995, Domino/Notes since 1997 (R5), Policy Area Owner since 8.5. Full disclosure: this session is about policies, not policy settings! (~1,000) – For a good discussion on that, see: http://blog.darrenduke.net/darren/ddbz.nsf/dx/my-show102-using-ibm-lotus-domino-8.5policies-to-manage-your-clients.htm Why this session? – Policies are like a Swiss army knife, very useful, but confusing – Wanted a session on policies themselves instead of the settings
  • 4. Agenda: Deep Dive – Architecture – Flow – Precedence vs. scope – How To Apply Controls. Best Practices. Using Policies with the Cloud. Q&A.
  • 6. Deep Dive: Architecture. [Diagram labels: Standard Client, Domino Server, Admin Client; Policy cache, Policy Engine, Managed Settings, Server thread, Java (notes2), Directory, dynconfig, Personal NAB, C/C++ (nlnotes), Adminp, Mail File, Policy Synopsis (polcysyn.nsf)]
  • 7. Deep Dive: Client side policy flow. [Diagram labels: Standard Client, Domino Server; Policy cache, Policy Engine, Managed Settings, Server thread, Java (notes2), Directory, dynconfig, Personal NAB, C/C++ (nlnotes), Adminp, Mail File. The animated step captions overlap in this transcript; they refer to authentication, dynconfig, the policy cache, managed settings updates (Eclipse feature), and $Policies, $PolicyProfile and directoryprofile for <username> in the PNAB.]
  • 8. Deep Dive: Server side policy flow. Every 12 hours, adminp calculates the effective policy for the local mail users and stores it in the Calendar profile in the mail file. Use ADMINP_POLL_INTERVAL to override (in minutes). Tell adminp process mail [Diagram labels: Domino Server; Policy cache, Policy Engine, Server thread, Directory, Adminp, Mail File]
  • 9. Deep Dive: When you access mail Preferences, it comes from the calendar profile. Not the $Policies in PNAB. [Diagram labels: Standard Client, Domino Server; Managed Settings, Java (notes2), dynconfig, Personal NAB, Server thread, Policy Engine, Directory, C/C++ (nlnotes), Adminp, Mail File]
  • 10. Deep Dive: Location, location! The client gets the home server from the Location document; the server gets it from the Person document. They may be different!
  • 11. Deep Dive: Location, location! Switching domains via Location document switches policies! Value for MailServer in Location MUST be canonical.
  • 12. Deep Dive: Precedence vs. Scope. Three policy types: Organizational, Dynamic, Explicit. [Diagram arrows: Increasing precedence; Increasing scope] Use the policy type that matches your scope! http://www-10.lotus.com/ldd/dominowiki.nsf/dx/dominopolicy-precedence-explained
  • 13. Deep Dive: Precedence vs. Scope. Where's Dynamic?! Dynamic = Explicit policy with entries in the Policy Assignment tab. Explicit = Explicit policy with no entries in the Policy Assignment tab. You could use the same policy as both!
  • 14. Deep Dive: Precedence vs. Scope. Common policy pattern: – Organizational policy has company wide setting: e.g. Password expiration – Individual features enabled via Dynamic policy: e.g. ID Vault, Managed Replica – Exceptions to feature deployment via Explicit policy: No ID Vault
  • 15. Deep Dive: Precedence vs. Scope. Enforce overrides precedence – The value will be used. Inheritance complements precedence – The value will be used if there is no value in the parent, otherwise that will be used.
  • 16. Deep Dive: How To Apply controls. Don't Set – Does NOT mean use a default, it means does not exist for this policy – Explicitly set any setting you don't intend to use to Don't Set. Set Initial – Best used for initial deployments – Old Setup policy = Desktop policy with Set Initial for all values. Set Whenever Modified – Most commonly used. Set and Prevent Changes – Use to lock down user modifiable settings.
  • 17. Deep Dive: How To Apply controls. 'Admin only' settings only have Don't Set Value. Set Initial, Set Whenever modified, and Set and Prevent Changes are only available when there is a user interface to change them.
  • 19. Best Practices: Is there a published set of best practices? This is it! Use the least amount of policies to implement your needs – Unnecessary policies increase your TCO – Don't create one at every level in a hierarchy – Use precedence and Inherit/Enforce controls to reduce number of policies – Re-use settings documents across policies. Modify policies on the administration server of the domain.
  • 20. Best Practices: Use Autopopulated groups added in Domino 8.5. Use autopopulated groups to construct a Domain group hierarchy: – One autopopulated group per mail server: e.g. U2HomeServer – Group for cluster contains the mail server autopopulated groups: ● e.g. JoshuaTreeHomeServers = U2HomeServer, etc. – One group contains all the clusters in the domain: ● e.g. IrisDomainHomeServer = JoshuaTreeHomeServers, etc. Now you can e-mail users at any level or use in Policies.
  • 21. Best Practices: [Diagram, increasing scope: U2HomeServer; JoshuaTreeHomeServers (cluster); IrisDomainHomeServers (Collection of clusters)]
  • 23. Best Practices: How is the previous setup helpful? – Example 1: New employee is onboarded, registered with a given home mail server ● Employee is added to autopopulated group for that server, gets policies ● No further actions for the admin! – Example 2: Existing employee takes international assignment, company has different policies for regional mail servers ● Admin uses mail file move to change user's home mail server ● Employee is moved from original home server's auto-populated group to new server's group ● Employee automatically gets new policies ● No further actions for the admin!
  • 24. Best Practices: Use the Protected Group feature for critical groups: Actions->Edit Directory Profile
  • 25. Best Practices: Use dynamic policies with groups not people! – Specifying lots of individual people reduces performance and increases TCO – Examine hidden view to locate bad policies, $PoliciesByGroup
  • 26. Best Practices: Use Policy Synopsis tool – Can be used to debug problems, start with user's home mail server – Can also be used to verify new policies before going into production – Launched from Admin client's People and Group or Configuration tabs. Must re-link policies when copying them – Useful when trying out changes to production in a test environment – Needed when submitting Directory to support for PMRs. Watch out for the 'Set Initial' trap! Use only for setup situations.
  • 27. Best Practices: When removing a policy: – Policies are a push model, don't just remove! – First change settings to 'default' values and let deploy – 'Disable' the policy instead of removing it ● For Explicit policies, clear Policy Assignment tab. ● For Organizational policies, modify the fullname. ● Allows for quick restoration in case of problem. Consider using your administrators group as a pilot group for policies.
  • 28. Best Practices: Consider a special ID to sign all policies – Pro: Prevents “Policy has been modified since signed” when admin leaves the company! – Con: Can no longer tell who last modified the policy – Cloud: Signs with server ID, uses tool to re-sign admin modified policies. How to tell who signed the policy? – The Signed By column in the view is NOT the way to go, it's the $Updated By value.
  • 29. Best Practices: Open policy and look for the Signature or Encryption icon. In policy view, use Actions → Resign Policy to do just that.
  • 30. Best Practices: Use machine specific policies for special situations: laptop vs desktop, Citrix – Adding new ones: ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21474598 – Troubleshooting: ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21501673 – Client only
  • 31. Best Practices: Exemption Policy – Should only be needed rarely – Like an Enforce for a policy, restarts the precedence tree from this policy down
  • 32. Best Practices: To force a policy update from the server: – For a user, just Edit/Save their person document – For a whole server: ● Restart the server ● Load updall names.nsf -T $Policies -R ● Go to the Policies view and enter: CONTROL-SHIFT ● Works because policy view timestamp is part of policy update trigger
  • 33. Best Practices: To force a policy update from the client: – Since 8.5, just clearing the $Policies view in PNAB doesn't do it! – Run dynconfig manually from the executable directory: ndyncfg.exe 20
  • 34. Best Practices: To force a policy update from the client via mailed LS button: (cont) – Clear client side cached info via LotusScript:
        Sub Click(Source As Button)
            Dim db As NotesDatabase
            Dim doc As NotesDocument
            Dim s As New NotesSession
            ' Open the local names.nsf (the Personal NAB)
            Set db = New NotesDatabase("", "names.nsf")
            ' Fetch the current user's directoryprofile profile document
            Set doc = db.GetProfileDocument("directoryprofile", s.UserName)
            ' Remove it to clear the client side cached info
            Call doc.Remove(True)
            Call doc.Save(True, True)
            Messagebox "Cleanup Complete Restart Client", 48, "DONE!!"
        End Sub
  • 36. Smart Cloud Notes: The service creates an Organizational policy for each customer – Contains pre-set settings needed for the service to operate – These settings will override any customer policy settings. Only Dynamic policies are supported, no Organizational or Explicit policies (assigned in Person documents). To simulate Organizational policies, use wildcards, e.g. */IBM, in Dynamic policy Assignment field. Use groups, only use individual user names when necessary – Don't use the following: LLNServers, LLNMailHubs, <Certifiers>_* or SAAS* – Must be unique across directories. Archiving, Registration, Roaming, Traveler types are not supported.
  • 37. Smart Cloud Notes: Desktop, Mail, and Security are supported with restrictions for certain fields – See: http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sma Review and clean up your policies before first synching with the cloud. For multiple domains, incorporate domain name into policy and settings names – Must have unique policy names across domain
  • 39. Additional Information: Wiki articles - http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies Policy Blog - http://www-10.lotus.com/ldd/dpdblog.nsf Debug Decision Tree - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart Smart Cloud Notes - http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Using_administrative_policies_HY&content=pdcontent
  • 40. Meet me in the Ask the Developers Lab! Tuesday: 4:30pm-6pm. Wednesday: 11am-11:30am, 12:30-6pm. Thursday: 10am - noon.
  • 41. Engage Online: SocialBiz User Group socialbizug.org – Join the epicenter of Notes and Collaboration user groups. Follow us on Twitter – @IBMConnect and @IBMSocialBiz. LinkedIn http://bit.ly/SBComm – Participate in the IBM Social Business group on LinkedIn. Facebook https://www.facebook.com/IBMSocialBiz – Like IBM Social Business on Facebook. Social Business Insights blog ibm.com/blogs/socialbusiness – Read and engage with our bloggers.
  • 42. Access Connect Online to complete your session surveys using any: – Web or mobile browser – Connect Online kiosk onsite
  • 43. Acknowledgements and Disclaimers Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2014. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, ibm.com, Lotus, Notes, and Domino are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml If you have mentioned trademarks that are not from IBM, please update and add the following lines: [Insert any special 3rd party trademark names/attributions here] Other company, product, or service names may be trademarks or service marks of others.