2. Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole
discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be
relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver
any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole
discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment.
The actual throughput or performance that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve
results similar to those stated here.
3. Welcome!
My background:
– IBMer since 1995, Domino/Notes since 1997 (R5), Policy Area Owner since 8.5
Full disclosure: this session is about policies, not policy settings! (~1,000)
– For a good discussion on that, see:
– http://blog.darrenduke.net/darren/ddbz.nsf/dx/my-show102-using-ibm-lotus-domino-8.5policies-to-manage-your-clients.htm
Why this session?
– Policies are like a Swiss army knife, very useful, but confusing
– Wanted a session on policies themselves instead of the settings
6. Deep Dive
Architecture
[Diagram labels: Policy cache, Policy Engine, Managed Settings, Server thread, Java (notes2), Directory, dynconfig, Personal NAB, C/C++ (nlnotes), Adminp, Mail File, Standard Client, Domino Server, Policy Synopsis (polcysyn.nsf), Admin Client]
7. Deep Dive
Client side policy flow
[Diagram labels: Policy cache, Policy Engine, Managed Settings, Server thread, Java (notes2), Directory, dynconfig, Personal NAB, C/C++ (nlnotes), Adminp, Mail File, Standard Client, Domino Server. The step callouts refer to dynconfig, the directoryprofile for <username>, and $Policies and $PolicyProfile in the PNAB.]
8. Deep Dive
Server side policy flow
Every 12 hours, adminp calculates the effective mail policy for the local mail users and stores it in the Calendar profile in the mail file.
Use ADMINP_POLL_INTERVAL to override (in minutes)
Tell adminp process mail
[Diagram labels: Policy cache, Policy Engine, Server thread, Directory, Adminp, Mail File, Domino Server]
9. Deep Dive
When you access mail Preferences, it comes from the calendar profile. Not the $Policies in PNAB.
[Diagram labels: Managed Settings, Java (notes2), dynconfig, Personal NAB, Server thread, Policy Engine, Directory, C/C++ (nlnotes), Standard Client, Adminp, Mail File, Domino Server]
10. Deep Dive
Location, location!
The client gets the home server from the Location document:
The server gets it from the Person document:
They may be different!
12. Deep Dive
Precedence vs. Scope
Three policy types:
Organizational
Dynamic
Explicit
Increasing precedence
Increasing scope
Use the policy type that matches your scope!
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/dominopolicy-precedence-explained
13. Deep Dive
Precedence vs. Scope
Where's Dynamic?!
Dynamic = Explicit policy with entries in the Policy Assignment tab
Explicit = Explicit policy with no entries in the Policy Assignment tab
You could use the same policy as both!
14. Deep Dive
Precedence vs. Scope
Common policy pattern:
– Organizational policy has company wide setting: e.g. Password expiration
– Individual features enabled via Dynamic policy: e.g. ID Vault, Managed Replica
– Exceptions to feature deployment via Explicit policy: No ID Vault
15. Deep Dive
Precedence vs. Scope
Enforce overrides precedence
– The value will be used
Inheritance complements precedence
– The value will be used if there is no value in the parent, otherwise that will be used
16. Deep Dive
How To Apply controls
Don't Set
– Does NOT mean use a default, it means does not exist for this policy
– Explicitly set any setting you don't intend to use to Don't Set.
Set Initial
– Best used for initial deployments
– Old Setup policy = Desktop policy with Set Initial for all values
Set Whenever Modified
– Most commonly used
Set and Prevent Changes
– Use to lock down user modifiable settings
17. Deep Dive
How To Apply controls
'Admin only' settings only have Don't Set Value.
Set Initial, Set Whenever modified, and Set and Prevent Changes are only available when there is a user interface to change them
19. Best Practices
Is there a published set of best practices? This is it!
Use the least amount of policies to implement your needs
– Unnecessary policies increase your TCO
– Don't create one at every level in a hierarchy
– Use precedence and Inherit/Enforce controls to reduce number of policies
– Re-use settings documents across policies
Modify policies on the administration server of the domain
20. Best Practices
Use Autopopulated groups added in Domino 8.5
Use autopopulated groups to construct a Domain group hierarchy:
– One autopopulated group per mail server: e.g. U2HomeServer
– Group for cluster contains the mail server autopopulated groups:
  ● e.g. JoshuaTreeHomeServers = U2HomeServer, etc.
– One group contains all the clusters in the domain:
  ● e.g. IrisDomainHomeServer = JoshuaTreeHomeServers, etc.
Now you can e-mail users at any level or use in Policies
23. Best Practices
How is the previous setup helpful?
– Example 1: New employee is onboarded, registered with a given home mail server
  ● Employee is added to autopopulated group for that server, gets policies
  ● No further actions for the admin!
– Example 2: Existing employee takes international assignment, company has different policies for regional mail servers
  ● Admin uses mail file move to change user's home mail server
  ● Employee is moved from original home server's auto-populated group to new server's group
  ● Employee automatically gets new policies
  ● No further actions for the admin!
25. Best Practices
Use dynamic policies with groups not people!
– Specifying lots of individual people reduces performance and increases TCO
– Examine hidden view to locate bad policies, $PoliciesByGroup
26. Best Practices
Use Policy Synopsis tool
– Can be used to debug problems, start with user's home mail server
– Can also be used to verify new policies before going into production
– Launched from Admin client's People and Group or Configuration tabs
Must re-link policies when copying them
– Useful when trying out changes to production in a test environment
– Needed when submitting Directory to support for PMRs
Watch out for the 'Set Initial' trap! Use only for setup situations.
27. Best Practices
When removing a policy:
– Policies are a push model, don't just remove!
– First change settings to 'default' values and let deploy
– 'Disable' the policy instead of removing it
  ● For Explicit policies, clear Policy Assignment tab.
  ● For Organizational policies, modify the fullname.
  ● Allows for quick restoration in case of problem
Consider using your administrators group as a pilot group for policies
28. Best Practices
Consider a special ID to sign all policies
– Pro: Prevents “Policy has been modified since signed” when admin leaves the company!
– Con: Can no longer tell who last modified the policy
– Cloud: Signs with server ID, uses tool to re-sign admin modified policies
How to tell who signed the policy?
– The Signed By column in the view is NOT the way to go, it's the $UpdatedBy value:
29. Best Practices
Open policy and look for the Signature or Encryption icon:
In policy view, use Actions → Resign Policy to do just that
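An added example (not from the original slides): a LotusScript agent that reports, for each document in the policies view of a server's names.nsf, whether it is signed and whether the actual signer matches the last $UpdatedBy entry. The server name is a placeholder, and both the view name (taken from its use elsewhere in this deck) and reading the last $UpdatedBy entry as the most recent editor are assumptions.

```lotusscript
Sub Initialize
    ' Added example, not IBM's code. SERVER_NAME is a hypothetical placeholder.
    Const SERVER_NAME = "Server01/Example"
    ' Assumption: the policies view can be opened under the name used in this deck.
    Const POLICY_VIEW = "$Policies"

    Dim db As New NotesDatabase(SERVER_NAME, "names.nsf")
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim editors As Variant
    Dim lastEditor As String

    If Not db.IsOpen Then
        Messagebox "Cannot open names.nsf on " & SERVER_NAME, 16, "Policy signers"
        Exit Sub
    End If

    Set view = db.GetView(POLICY_VIEW)
    If view Is Nothing Then
        Messagebox "View " & POLICY_VIEW & " not found", 16, "Policy signers"
        Exit Sub
    End If

    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        ' Assumption: the last $UpdatedBy entry is the most recent editor.
        lastEditor = "(none)"
        If doc.HasItem("$UpdatedBy") Then
            editors = doc.GetItemValue("$UpdatedBy")
            lastEditor = Cstr(editors(Ubound(editors)))
        End If

        If Not doc.IsSigned Then
            Print doc.UniversalID & ": NOT SIGNED (last editor: " & lastEditor & ")"
        Elseif doc.Signer <> lastEditor Then
            ' The view column would show the editor, not the real signer.
            Print doc.UniversalID & ": signed by " & doc.Signer & _
                ", but last editor is " & lastEditor
        Else
            Print doc.UniversalID & ": signed by " & doc.Signer
        End If
        Set doc = view.GetNextDocument(doc)
    Loop
End Sub
```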
30. Best Practices
Use machine specific policies for special situations: laptop vs desktop, Citrix
– Adding new ones:
  ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21474598
– Troubleshooting:
  ● http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21501673
– Client only
32. Best Practices
To force a policy update from the server:
– For a user, just Edit/Save their person document
– For a whole server:
  ● Restart the server
  ● Load updall names.nsf -T $Policies -R
  ● Go to the Policies view and enter: CONTROL-SHIFT
  ● Works because policy view timestamp is part of policy update trigger
33. Best Practices
To force a policy update from the client:
– Since 8.5, just clearing the $Policies view in PNAB doesn't do it!
– Run dynconfig manually from the executable directory: ndyncfg.exe 20
34. Best Practices
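To force a policy update from the client via mailed LS button: (cont)
– Clear client side cached info via LotusScript:
Sub Click(Source As Button)
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim s As New NotesSession
    ' Open the local Personal Address Book (names.nsf on the client)
    Set db = New NotesDatabase("", "names.nsf")
    ' Get the directoryprofile profile document keyed by the current user name
    Set doc = db.GetProfileDocument("directoryprofile", s.UserName)
    ' Remove the cached profile document (client side cached policy info)
    Call doc.Remove(True)
    Call doc.Save(True, True)
    ' Tell the user to restart the client
    Messagebox "Cleanup Complete Restart Client", 48, "DONE!!"
End Sub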
36. Smart Cloud Notes
The service creates an Organizational policy for each customer
– Contains pre-set settings needed for the service to operate
– These settings will override any customer policy settings
Only Dynamic policies are supported, no Organizational or Explicit policies (assigned in Person documents)
To simulate Organizational policies, use wildcards, e.g. */IBM, in Dynamic policy Assignment field
Use groups, only use individual user names when necessary
– Don't use the following: LLNServers, LLNMailHubs, <Certifiers>_* or SAAS*
– Must be unique across directories
Archiving, Registration, Roaming, Traveler types are not supported
37. Smart Cloud Notes
Desktop, Mail, and Security are supported with restrictions for certain fields
– See: http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sma
Review and cleanup your policies before first synching with the cloud.
For multiple domains, incorporate domain name into policy and settings names
– Must have unique policy names across domain
39. Additional Information
Wiki articles - http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies
Policy Blog - http://www-10.lotus.com/ldd/dpdblog.nsf
Debug Decision Tree - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes__Domino_Policy_Flow_Chart
Smart Cloud Notes - http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Hybrid+Environment#action=openDocument&res_title=Using_administrative_policies_HY&content=pdcontent
40. Meet me in the Ask the Developers Lab!
Tuesday: 4:30pm-6pm
Wednesday: 11am-11:30am, 12:30-6pm
Thursday: 10am - noon.