Copyright
Copyright © 2001-2005, Groove Networks, Inc. All rights
reserved.
You may not reproduce or distribute any part of this document in
any form or by any means, without the written permission of Groove
Networks, Inc., nor may you use it to create derivative
works.
Groove Networks, Groove, the interlocking circles design, Groove
Virtual Office, and groove.net are registered trademarks of Groove
Networks, Inc. Other product or company names may be the trademarks
of their respective owners.
Use of Groove Networks, Inc. software is subject to the terms of a
license agreement and applicable export and import restrictions.
Restricted rights for U.S. government users.
This product includes software used under license from third parties, including those parties identified by the following notices. Copyright © 1995 - 2001 International Business Machines Corporation and others. All rights reserved. VcardParser.cpp © Copyright Apple Computer, Inc., AT&T Corp., International Business Machines Corporation and Siemens Rolm Communications Inc. Outside In® ActiveX Control © 2002 IntraNet Solutions Chicago, Inc. All rights reserved. This software is based in part on the work of the Independent JPEG Group. ACME Labs Freeware Copyright © 2000 by Jef Poskanzer <[email protected]>. All rights reserved.
Table of Contents
User and Device Policy Setting 3
Groove License Provisioning 4
Relay Server Provisioning 4
Domain Administration and Role Assignment 5
Password/Smart Card Login Reset and Data Recovery 5
Groove Account Backup 5
Groove Usage Monitoring 6
Hosting Groove Components 6
Groove Client Auditing 6
The Management Server Domain Administrator’s Guide 6
Getting Started 8
Before You Begin 8
Accessing the Administrative Web Site 9
Accessing the Management Server Administrative UI 10
Getting Help 10
Changing Administrative Preferences 11
Setting Up a Groove Management System 11
Distributing Activation Keys 14
Managing Groove Domains 17
Overview of Management Domains 17
Completing Domain Configuration 18
Viewing and Editing Management Domain Properties 20
Configuring Management Domain Affiliation 22
Setting Up Cross-Domain Certification 23
PKI Basics 24
Cross-Certifying Management Domains 25
Changing Reset/Recovery Private Keys and Key Locations 27
Groove Management Server Domain Administrator’s Guide Table of Contents iii
Migrating Users to Another Domain 28
Adding, Editing and Deleting Email Templates 29
Creating Management Server Email Templates 30
Editing Management Server Email Templates 31
Deleting Management Server Email Templates 31
Editing Administrator Roles 31
Managing Groove Users 33
Overview of Groove User Management 34
Managing Domain Member Groups 35
Adding Groups 35
Viewing and Editing a Group 36
Viewing Domain Groups 38
Viewing Group Members 38
Deleting a Group 39
Adding Groove Users to a Domain Group 39
Adding an Individual Member to a Domain Group 39
Adding Multiple Members from an .XML File 41
Adding Multiple Members from a .CSV File 42
Importing Members from a Directory 44
Enabling Groove Activation 47
Sending an Activation Key from the Management Server 48
Sending an Activation Key Via Personal Email 49
Provisioning Managed Groove Users 49
Viewing Domain Members 50
Viewing and Editing Domain Member Information 52
Finding Domain Members 55
Moving Domain Members to Another Group 56
Exporting Domain Members 57
Disabling and Enabling Domain Members 58
Disabling Domain Members 58
Enabling Domain Members 58
Deleting Domain Members 59
Backing Up and Restoring User Account Data 60
Backing Up Account Data 60
Restoring Account Data 61
Purging Member Relay Queues 63
Creating an LDAP Search String 64
Initiating Client Contact With a Management Server 67
Managing Identity Policies 68
Overview of Identity Policy Templates 69
Creating Identity Policy Templates 69
Editing Policy Template Names 69
Cloning Policy Templates 70
Changing Identity Policy Templates 70
Changing Identity Policy Templates for a Group 70
Changing Identity Policy Templates for a Group Member 71
Deleting Policy Templates 71
Viewing and Editing Identity Policies 71
Automatically Managing Devices During Identity Activation 72
Controlling Login Credential Reset and Data Recovery (for Groove 3.0f or Later) 73
Resetting Groove Login Credentials (for Groove 3.0f or later) 74
Administrator-Driven Reset of Groove Login Credentials 75
Automatic Reset of Groove Login Credentials 77
Client Login Credential Reset 77
Customizing Reset Instructions (for Groove 3.0f or later) 78
Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later) 79
Data Recovery Fundamentals 79
Recovering User Data (using the Data Recovery Tool) 80
Managing User Interaction with Unauthenticated Identities 83
Authenticated vs. Unauthenticated Groove Identities 83
Setting Up Peer Authentication 83
Setting the Default Workspace Version 86
Specifying Enterprise PKI Certificates 87
Setting Time Limit on Valid PKI Certificates 87
Enabling Groove-XMPP Communications 88
Member Policies 89
Security Policies 90
Managing Device Policies 93
Overview of Device Management 94
Registering User Devices with the Management Server 94
Overview of Device Registration 95
Registering Devices in a Management Domain 95
Deleting Managed Devices from a Domain 96
Creating Device Policy Templates 96
Changing Device Policy Templates 97
Changing Device Policy Templates for a Group 97
Changing Device Policy Templates for a Group Member 97
Administering Device Templates 98
Viewing and Editing Device Policies 98
Customizing Component Policies for Devices 99
Component Policy Basics 99
Customizing Component Install Policies 100
Editing Component Policies 104
Managing Groove Platform Upgrades 105
Prevent Platform Upgrade 106
Allow Platform Upgrade To Current Version 107
Allow Platform Upgrade To Interim Version 108
Allow Platform Upgrade and Limited New Tools 110
Allow Platform Upgrade But No New Tools 111
Controlling Login Credential Reset and Data Recovery 112
Resetting Groove Login Credentials for Managed Devices 113
Administering Centralized Reset of Login Credentials 113
Client Reset of User Login Credentials 115
Customizing Reset Instructions for Managed Devices 116
Setting Up Data Recovery on Managed Devices 117
Data Recovery Fundamentals 117
Recovering User Data (using the Data Recovery Tool) 119
Controlling Groove Tool Usage on Managed Devices 121
Restricting Tool Usage 121
Tool Usage Recovery After Restriction is Removed 123
Limiting Groove Bandwidth Usage for Devices 124
Overview of Groove Bandwidth Policy 124
Setting Groove Bandwidth Limit 125
Enabling Groove Client Auditing 126
Supporting an Onsite Groove Component Server 127
Account Policies 128
Client Policies 128
Security Policies 131
Usage Policies 134
Audit Server Policies 135
Managing Groove Product Licenses 138
Overview of License Provisioning 138
Adding Groove Licenses to a Domain 139
Adding a License Set to a Domain 140
Adding Groove Domain Licenses to a Set 140
Editing License Set Names 141
Viewing Domain Licenses 141
Viewing Licenses in a Set 141
Viewing License Information 141
Finding License Users 142
Changing License Sets 142
Changing License Sets for a Group 142
Changing License Sets for a Group Member 143
Deleting Licenses from a Domain 143
Deleting Licenses from a Set 143
Deleting License Sets 144
Distributing Licenses to Unmanaged Users 144
Viewing Licenses from Unmanaged Users 145
Revoking Licenses from Unmanaged Users 146
Adding More Seats to a License Package 146
Using the Enterprise License Pack 147
Managing Groove Servers 148
Overview of Server Provisioning 148
Relay Server Provisioning 149
XMPP Proxy Server Provisioning 149
Registering a Server with a Management Domain 149
Overview of Server Registration 150
Exchanging Server Keys 150
Adding a Server Set to a Domain 152
Adding Groove Domain Servers to a Set 152
Editing Server Set Names 153
Viewing Domain Servers 154
Viewing Servers in a Set 154
Editing Server Properties 155
Finding Server Users 156
Changing Server Sets 156
Changing Server Sets for a Group 157
Changing Server Sets for a Group Member 157
Deleting Servers from a Domain 157
Removing Servers from a Set 158
Deleting Server Sets 158
Locking out and Re-enabling an Onsite Server 159
Reordering Servers in a Set 159
Synchronizing an Onsite Server 159
Viewing Groove Domain Reports 161
Viewing Reports 161
Filtering Reports 162
Exporting Reports 163
Domain Reports 163
Audit Log 164
Member Usage 166
Member Activity 173
Sample Report Filters 177
Show Audit Events for a User During Past Week 178
Show Audit Log Events for Administrator in Date Range 178
Show Most-Used Tools 178
Show Members Whose Account Has Never Been Backed Up 179
Show Members Who Used Groove Since the Last Backup Date 179
Show Members with Managed Account on Multiple Devices 179
Show Members with Accounts on Unmanaged Device 179
Troubleshooting 181
Domain Administration Problems 181
Groove User Problems 183
Data Recovery Problems 184
Appendix A. Groove Component Versions 186
Appendix B. Management Server Keys and Certificates 191
Glossary 193
Index 211
Overview of Domain Administration
The Enterprise Management Server (EMS) and Groove Hosted Management
Services are Web-based applications designed to facilitate the
provisioning and management of Groove users in an enterprise. EMS
runs on servers operated by an enterprise while the Groove Hosted
Management Services application runs on servers operated by Groove
Networks®. The option employed at an organization depends on its IT
practices and objectives.
Regardless of the management server hosting option, Groove administrators and clients communicate with the management server via its Web site, which provides both an administrative and a client interface. The management interface, secured by its underlying IIS configuration, allows administrators to assemble Groove users, define Groove usage and security policies, distribute Groove product licenses, and deploy relay servers. The client interface allows Groove users to access policies, product licenses, and relay server assignments, and to report Groove usage statistics.
This overview provides summary information on the following
topics:
• Administrative Architecture
Administrative Architecture
The management server’s Web-based administrative interface is the interactive component of the system. From this interface, administrators can manage users, set Groove usage and device policies, distribute Groove product licenses, and assign relay servers within the organizational unit called a management domain. This administrative interface of the management server is accessible from a URL defined during management server installation.
This management server administrative interface consists of a navigation pane and the main display window, where a set of tabs and tools let administrators access tasks associated with a selected item in the navigation tree.
The navigation tree consists of the elements described in the following table:
Navigation Tree Hierarchy and Description
Domains: Management domains defined on the server. Each domain consists of member groups, policy templates, license sets, and relay server sets.
Member groups and subgroups: Pages for creating member groups and for creating, editing, or deleting domain member contact information.
Identity Policy Templates: Pages for adding, editing, and deleting identity policy templates, which are collections of identity policies, including:
• Member policy templates
• Security policy templates
Device Policy Templates: Pages for adding, editing, and deleting device policy templates, which are collections of device policies, including:
• Account policy templates
• Client policy templates
• Security policy templates
• Audit Server policy templates (EMS only)
License Sets: Pages for configuring a license set’s properties (name and description), adding and deleting license sets to and from a domain group, and adding or deleting licenses within a set.
Relay Server Sets: Pages for configuring a relay set’s properties (name and description), adding and deleting relay sets to and from a domain group, and adding or deleting relay servers within a set.
Management Server Functionality
Groove management servers, whether onsite or Groove Networks-hosted, enable centralized control of Groove usage. Supported by a Structured Query Language (SQL) database that stores most of its data, the management server helps maintain productive workflow and collaboration. While Groove clients periodically connect to the management server to receive provisioning updates and report usage information, administrators connect through a dedicated Web interface to perform tasks essential to managing Groove use on a corporate scale.
Onsite management servers must be installed and configured appropriately by a server administrator, as described in the Groove Management Server Administrator’s Guide. Once the server is in place, management domain-level administrators can use it to set up the management environment.
The following sections briefly describe the scope of domain management tasks that can be conducted from hosted or onsite management servers:
• Groove User Management
• Groove License Provisioning
• Relay Server Provisioning
• Password/Smart Card Login Reset and Data Recovery
• Groove Account Backup
• Groove Usage Monitoring
• Groove Client Auditing
Groove User Management
Groove users must each have a managed identity in a domain group in order to be provisioned with usage and security policies, Groove licenses, and relay servers. If administrators need to set policies on Groove devices, as well as user policies, they can register the Groove user device(s) in a management server domain. Any server or domain-level administrator can create domain groups and populate them with users. The following sections introduce user and device administration:
• User Management
• Device Management
User Management
Once Groove is installed on user devices, domain administrators begin the Groove management process by entering user contact information in domain groups on the management server. When this is complete, they send activation keys to each intended member of the group. Users apply these keys to their accounts, resulting in the creation of a managed, provisioned identity for each group member.
To facilitate the task of entering contact information for large numbers of users, administrators can import user specifications from an .xml or .csv file. Or, if a corporate LDAP-based directory server is installed onsite, the necessary user information can be imported or integrated from a defined data point on the directory server.
Device Management
An important aspect of managing Groove users is managing the devices they use for work. Managed devices are subject to specific security policies (such as password creation rules and component download restrictions) while unmanaged devices are not.
Device management involves the distribution of Groove account, client, and security policies to devices defined for managed identities. Devices running Groove must be registered with the management server in order to be managed and subject to device policies. Registration is accomplished by downloading a management server registry key to devices associated with managed domain members. Policies become effective on target devices as soon as the device users activate Groove. Activating Groove on target devices automatically updates Windows registries with the management server key.
User and Device Policy Setting
The management server provides templates of default usage and security policies that apply to domain group members and any associated devices that are registered on the server. Administrators can modify the policies set in these templates or create new templates, then apply the templates to designated management domain groups or users. These policies apply only to managed Groove users and devices, that is, those defined on the management server as belonging to a specific management domain group. Policies do not affect unmanaged Groove users.
The following sections summarize the policy options in each
category:
• Identity Policies
• Device Policies
Identity Policies
User identity policy templates cover the following aspects of
Groove use:
• Member policy templates - Client account backup scheduling,
client access to XMPP messaging, and identity publishing.
• Security policies - Peer authentication and, if an enterprise PKI is in effect, the use of specified identity authentication certificates.
Device Policies
User device policy templates cover the following aspects of Groove
use:
• Account policies - Multiple account creation, importing accounts,
use of only managed identities from this domain on devices in this
domain.
• Client policies - Component installation and bandwidth
usage.
• Security Policies - Password or smart card login, password
creation and reset if used, smart card login and reset if used,
account lockout after repeated failed login attempts, enhanced
private key protection, and Web services availability.
• Audit Server Policies - Audit server URL, logging periodicity,
selected account events, and selected tool events (available for
Enterprise Management Server only).
Groove License Provisioning
Managed Groove users need licenses for managed versions of Groove Virtual Office (formerly Groove Workspace). Once an enterprise has purchased the necessary licenses and made them available on a corporate network, administrators can add them to management server license sets for assignment to specific domain groups or users. Domain administrators can add and delete license sets in a management domain, and add and delete licenses within a license set.
Relay Server Provisioning
Relay servers are a fundamental part of Groove peer-to-peer communications. In a managed environment, dedicated relay servers installed onsite at an enterprise or hosted by Groove Networks help ensure timely, uninterrupted message transfer between Groove peers regardless of their location or status (online or offline) on the network. Once an enterprise has installed at least one relay server onsite or engaged Groove-hosted relay services, administrators can add relay servers to relay server sets for assignment to specific management domain groups or users. Domain administrators can add and delete relay server sets in a management domain, and add and delete relay servers within a set.
XMPP Proxy Server Provisioning
As of version 3.1, Groove Virtual Office provides public XMPP proxy servers to enable Groove client communication with Jabber and other XMPP clients. In a managed environment, an enterprise can install Groove XMPP proxy servers onsite, allowing administrators to provision Groove domain members to private XMPP servers similar to the way they provision users to dedicated relay servers. In addition, a management server identity policy determines whether domain members can access any Groove XMPP Proxy Servers (public or onsite).
Domain Administration and Role Assignment
Domains, defined by server administrators (or by Groove Networks, if hosted management services are employed), are the top management unit on the server. Each domain consists of user groups and subgroups, as well as a collection of user and device policy templates, Groove license sets, and relay server sets. At the top management domain level, administrators can view Groove usage reports, and add, edit, or delete management server email templates. In addition, if the management server administrator has enabled Role Based Access Control (RBAC) on the server, domain administrators can define roles for peer administrators or for those limited to Groove user, license, data recovery, or report management.
Password/Smart Card Login Reset and Data Recovery
In the event that a managed user is removed from a management domain or forgets a Groove password or smart card login, resetting the user’s password or smart card login credentials may be necessary. To prepare for this eventuality, the domain (or server) administrator can set a device policy that allows for reset proceedings. The management server supports a centralized approach to resetting a user passphrase or smart card login. Provided that device security policies allow it, administrators can respond to individual user requests for password or smart card login reset by verifying user identity and granting (or denying) the request. If the request is granted, users can reset their own password without further administrative involvement.
In addition, the management server provides a utility that domain administrators can use to access data that would otherwise be irretrievable without the user’s password. Groove data that is normally stored encrypted with the managed user’s password (known only to that user) is also encrypted with the administrator’s public key. The data recovery program enables the domain administrator to use the corresponding private key to recover the device owner’s Groove data or reset the user password.
Groove Account Backup
The management server lets administrators set an identity policy that enables automatic account backup at specified intervals for users in a selected domain. Backed up information includes user contacts, workspace lists, identities and contact information, licenses and identity policies. Without a backup system in effect, lost or corrupted user account data is irretrievable.
Groove Usage Monitoring
When a managed identity or device exists on a Groove client, the Groove software periodically reports statistics on Groove usage, providing information about managed user activities, Groove workspaces, and Groove tools being used. Administrators can view Groove usage statistics via the management server administrative Web site.
Usage statistics include the amount of time users spend in a
particular workspace, use a specific tool, or create workspaces.
Audit log reports are also available that log domain events, such
as the addition of a new group to a domain.
Hosting Groove Components
If Groove’s Component Server is installed onsite, administrators
can set a device policy that directs Groove clients to that server
for Groove component downloads.
Groove Client Auditing
If the Groove Audit Server is part of the management server installation, the management server can be configured to cause managed clients to log Groove user activities. Management server device policies specify which Groove events are tracked and uploaded to management server databases. Client audit logs are collected onto a SQL server, and from them administrators can generate formatted reports using third-party reporting tools, such as Crystal Reports.
The Management Server Domain Administrator’s Guide
This Groove Management Server Domain Administrator’s Guide provides instructions for using Groove management services, whether provided by an onsite server or hosted by Groove Networks.
This Guide has the following sections:
• Overview - Describes the management server’s role in managing Groove and its functionality.
• Getting Started - Provides a recommended procedure for initial
deployment of Groove users and devices at an enterprise.
• Managing Groove Users - Provides instructions for creating domain
member groups, provisioning managed users, and administering Groove
usage.
• Setting Groove Identity Policies - Provides instructions for
customizing managed user policies.
• Setting Groove Device Policies - Provides instructions for
customizing managed device policies.
• Managing Groove Product Licenses - Provides instructions for
managing Groove licenses and provisioning managed users with Groove
licenses.
• Managing Groove Servers - Provides instructions for managing
Groove servers such as Enterprise Relay Servers and XMPP Proxy
Servers, and for provisioning managed users with access to
these.
• Managing Groove Domains - Provides instructions for configuring
Groove management domains and domain administrator roles.
• Monitoring Groove Usage - Provides instructions for accessing and
reading Groove usage reports.
• Troubleshooting - Lists common problems related to the management
server and suggests ways to address them.
• Glossary - Defines terms used in this Guide.
• Appendices - Provide information about Groove component versions
and other supplementary material.
20050315
Getting Started
Groove management servers enable administrators to set up a system for overseeing Groove usage in an enterprise. This document provides instructions for using the administrative Web interface provided by your onsite Groove Enterprise Management Server (EMS) or by Groove Hosted Management Services to manage Groove users and devices at your company.
The setup process involves meeting the necessary software and information requirements, accessing the management server administrative Web site, defining Groove users to the management server, and, finally, provisioning them with usage and security policies, product licenses, and relay servers.
The following sections describe details of this process:
• Before You Begin
• Setting Up a Groove Management System
• Distributing Activation Keys
Before You Begin
Review the checklists in this section before accessing the management server administrative Web site.
Note: The instructions in this guide assume that you have full access to the domain portion of the administrative Web site. If your server administrator has enabled Role Based Access Control, you must have the role of Server Manager or Domain Administrator. Some options may not be available to you if you have any other role.
As a domain administrator, you need expertise in the following areas:
• General Groove use
• User account management
• Software usage monitoring
• You understand the basic functionality provided by the management server. For more information, see the “Overview of Domain Administration” earlier in this guide.
• If you are using the Enterprise Management Server installed at
your site, the EMS software is installed on your system as
described in the Groove Enterprise Management Server
Administrator’s Guide and you know the Universal Resource Locator
(URL) of your company’s EMS Web site.
• The Internet Explorer 5.5 (or later) browser is installed with
Frames, Cookies, and JavaScript enabled.
• Groove version 3.0 (or later) is installed on your user’s
computers. See the Groove Software Deployment Administrator’s Guide
for information about deploying Groove software in an
enterprise.
Note: The management server supports Groove version 1.3 (or later), but many policies and other management server features, including user provisioning with specific relay servers, are available only for the latest version of Groove.
• If you intend to utilize one or more onsite relay servers, the
relay server is installed and configured as described in the Groove
Enterprise Relay Server Administrator’s Guide. Note that onsite
relay servers require onsite management servers.
• If your user contact information originates from a corporate
directory server, your management server administrator has defined
and configured the directory server on your management server, as
described in the Groove Enterprise Management Server
Administrator’s Guide. Note that directory server integration is
possible only if an Enterprise Management Server is installed at
your site.
• You have on hand your login name and password for the management
server if required. If you are using the Enterprise Management
Server, this information is determined by your company’s Web site
authentication system. If you are using Groove Hosted Management
Services, this information is determined by login requirements of
the Groove-hosted management server Web site.
• You have on hand the path name of the directory where your
company’s Groove license files (.pkg files) reside.
• You consider the possibility of Groove user device management,
which is strongly recommended although not required. Device
management lets you set various Groove usage and security policies,
including those that govern the types and sources of Groove
components that can be downloaded onto these devices.
Accessing the Administrative Web Site
The sections below provide instructions for accessing and using the
management server administrative Web site:
• Accessing the Management Server Administrative UI
• Getting Help
Accessing the Management Server Administrative UI
To access the management server administrative interface, do the
following:
1. From a Windows PC, open an IE Web browser.
2. If you are accessing a local Enterprise Management Server from
your own site, go to the URL of the Enterprise Management Server,
defined by the management server administrator.
If you are accessing Management Services from the Groove Networks
Web site, go to http://groove.net.
3. Log in to the management server using your administrator login
name and password (determined by your company’s Web site
authentication scheme if you are using the Enterprise Management
Server).
The management server home page appears, with a domain list on the
left and a main window showing a set of tabs. Notice the page’s
following characteristics (which may vary, depending on the role
your server administrator has assigned to you):
• The main window reflects the current selection in the navigation
pane.
• A navigation tree appears in the pane on the left, listing the
management domain(s) defined on this server.
• At least one member group appears in the navigation pane under
each management domain.
• At least one Groove identity and device policy template, license
set, and relay server set, appears in the navigation pane under
each management domain.
• A tool bar at the top of the main window contains icons
appropriate for the task being performed on the current tab.
• When the management domain is the current selection, a set of
domain tabs appears - Reports, Email, and Roles, with the Reports
tab in the foreground.
Note: If, instead of domain tabs, a domain setup window appears, requiring information, fill in the fields as described in “Completing Domain Configuration” in the Managing Domains section of this guide. Then you can start using the domain management pages.
You are now ready to begin populating a server domain group with members and provisioning those members, as described below.
Getting Help
To get help using Management Services, follow these
guidelines:
• Click the Help link in the upper left of a management server
administrative Web page to access management services Help.
• Go to http://groove.net/go/ms (or the Groove EMS product CD) for a printable .pdf version of the Groove Management Server Domain Administrator’s Guide.
• For server-level information, see the Groove Enterprise
Management Server Administrator’s Guide.
Groove Management Server Domain Administrator’s Guide Getting
Started 10
• For specific information about installing the Groove client in an
enterprise, see the Groove Software Deployment Administrator’s
Guide.
Changing Administrative Preferences
You can change administrative Web page preferences (such as setting a home page) by using the Preferences link above the left navigation pane. Changes apply only to the administrator who set them; they do not affect other administrative logins.
To edit administrative preferences, follow these steps:
1. Go to the EMS administrative Web interface and click the
Preferences link at the top of the current page. An image of your
left navigation pane appears in the dialog box.
2. To change the default number of list items that appear on any
list page, select a number from the Display drop-down box. The
initial default setting is to display 25 items per page.
3. To select a start (or home) page, select from the Start Page tree the item that should appear when you start the EMS administrative Web interface.
4. Click OK.
Your changes should take effect immediately.
Setting Up a Groove Management System
A domain is the top-level management unit of Groove deployment on the management server. It contains one or more groups of Groove users (members). Your management server administrator creates domains; you or anyone with management domain-level permissions (if Role Based Access Control is configured on your server) can create domain groups and subgroups. The management server provides an initial top-level domain group, within which you can create other groups and subgroups.
Note: Administrators with limited roles (roles other than Server or Domain administrator) may not be able to see certain pages or fields discussed in this guide. Initial administrator roles are set by the management server administrator as part of the management server installation and configuration process. However, domain administrators can edit the roles of domain-level or limited domain-level administrators, as described in “Editing Administrator Roles” in the Managing Domains section of this guide.
The procedure below outlines the basic steps necessary to create an initial user management system, following a recommended sequence. Where necessary, you can link to other sections of the guide that provide more detail. You may want to begin by performing a trial run with a sample user base and minimal customization.
To add Groove users to a Groove management domain and provision them with policies, licenses, and relay servers, follow this basic recommended procedure:
1. Start up and log in to the management administrative Web site as described in the “Accessing the Administrative Web Site” section of this guide. At least one domain appears in the navigation tree in the pane to the left of the main window.
2. Select a management domain in the navigation pane.
If an administrator has fully configured the domain, a set of tabs
(for Reports, Email, and Roles) appears in the main window allowing
you to perform various domain tasks described later in this guide.
Proceed to the next step.
If a No Roles tab appears, along with a message referring you to a server or domain administrator for domain access, ask the appropriate administrator to assign you an administrative role. Then return here to continue with this procedure.
If a domain setup window appears, requiring information, fill in
the fields as described in “Completing Domain Configuration” in the
Managing Domains section of this guide. Then return here to
continue with this procedure.
3. To apply management server device policies (that control client
password entry and component downloading, for example) to Groove
user devices, register each device with the management server as
follows:
Note: Registering devices with the management server is highly
recommended.
a. Download the device management registry key from the management
server to a client-accessible location, by selecting the default
device policy template in the navigation pane, then selecting
Download Device Management Key in the tool bar. (See “Registering
User Devices with the Management Server” in the Managing Device
Policies section of this guide for details).
b. Install the management server registry key on each user device
that you want to manage in the domain. Each registered device
appears with a Type of ‘Managed’ in the Member Information page of
the member(s) with which it is associated, as described in “Viewing
Domain Members”, in the Managing Groove Users section of this
guide. For information about centralized deployment of device
management keys via MSI transforms, see the Groove Software
Deployment Administrator’s Guide.
4. Consider customizing the identity policy template in the domain.
Initial defaults are usually based on minimal security
requirements. For details about specifying identity policies, see
“Viewing and Editing Identity Policies” in the Managing Identity
Policies section of this guide.
Note: If you want the management server to automatically back up domain member accounts, make sure to configure the account backup policy on the Member Policies tab, as described in “Backing Up and Restoring User Account Data” in the Managing Groove Users section of this guide.
5. Consider customizing the device policy template in the domain.
Initial defaults are usually based on minimal security
requirements. For details about specifying device policies, see
“Viewing and Editing Device Policies” in the Managing Device
Policies section of this guide. In considering device policy
settings, note the following:
• To enact any device policies, make sure you installed device
registry keys on each user device, as described earlier in this
procedure.
• If you want to allow for Groove password resetting and data
recovery, make sure to set the device settings accordingly on the
Security Policies tab, as described in the “Resetting Groove Login
Credentials for Managed Devices”
and “Setting Up Data Recovery on Managed Devices”, in the Managing
Device Policies section of this guide.
• If a Groove Audit Server is installed at your site and you want to enable client auditing, make sure to set the device settings accordingly on the Audit Policies tab, as described in the “Enabling Groove Client Auditing” section of this guide.
• If a Groove Component Server is installed at your site, make sure
to specify the server accordingly on the Advanced Install
Properties page of the Client Policies tab, as described in
“Supporting an Onsite Groove Component Server” in the Managing
Device Policies section of this guide.
6. Add Groove licenses to a domain license set, as follows:
Note: This step is required. Omitting this step will restrict your managed users to installing the Preview version of Groove Virtual Office instead of the professional version necessary for Groove use in an enterprise.
a. Select the domain’s License Sets heading in the navigation pane. The License Sets page appears with two tabs, License Sets and Licenses, at the bottom of the page. The License Sets tab shows an initial default license set that does not yet contain licenses.
b. If you are using an onsite Enterprise Management Server, import
a Groove license (product package) to the domain by clicking the
Licenses tab, selecting Add License in the tool bar, and browsing
to the file location of your organization’s Groove license files.
(See “Adding Groove Licenses to a Domain” in the Managing Groove
Licenses section of this guide for details.)
If you are using Groove Hosted Management Services, you can skip
this step, which is handled by Groove Networks.
c. Add a Groove license to the default license set by selecting the
set from the navigation panel, selecting Add License in the tool
bar and selecting the license from the Add License window, as
described in “Adding Groove Domain Licenses to a Set” in the
Managing Groove Licenses section of this guide.
7. If you are using an onsite Enterprise Management Server, to
assign specific Groove servers, including Relay and XMPP Proxy
servers, to a domain server set, follow these steps:
a. Select the domain’s Server Sets heading in the navigation pane.
The Server Sets page appears with two tabs: Server Sets and Servers
at the bottom of the page. The Server Sets tab shows an initial
default server set that does not yet contain servers.
b. Add the Groove server ID file to the domain by clicking the
Servers tab, selecting Add Server in the tool bar, selecting Onsite
Relay Server, Hosted Relay Server, or XMPP Proxy Server from the
drop-down menu, and entering the required information. (See
“Registering a Server with a Management Domain” in the Managing
Servers section of this guide for details).
This server is automatically added to the initial default server
set.
8. To enter user contact information in the domain (if your server manager has not already performed this step using a corporate directory server), follow the sub-steps below. If user data has already been integrated into management server member groups from a corporate directory server, skip this series of sub-steps and proceed to the next main step.
a. Select the initial domain group created for you, called Members.
The Members page appears with two tabs: Members and Groups. You can
add members directly to this group, but creating subgroups, as
advised in the next step, is the more practical and recommended
approach, particularly if you are integrating an onsite directory
server with the management server.
b. Add a group to Member Groups by selecting it, clicking the
Groups tab, selecting Add Group in the tool bar, and filling in the
dialog box as described in “Adding Groups” in the Managing Groove
Users section of this guide.
c. Select a domain group in the navigation pane, select Add Members in the tool bar, and select one of the Add Member options, as described in “Adding Groove Users to a Domain Group” in the Managing Users section of this guide.
9. Accept the default domain group provisioning with policies,
licenses, and relay servers, or edit them by clicking the group in
the navigation pane and editing its properties, as described in
“Provisioning Managed Groove Users” in the Managing Users section
of this guide.
10. Send activation keys to domain members, as described in
“Enabling Groove Activation” in the Managing Users section of this
guide.
To perform various domain-level tasks, use the domain tabs and the following table for guidance:
Domain Tabs / Descriptions
Reports: Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.
Email: Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates” in the Managing Domains section of this guide.
Roles: Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles”, in the Managing Domains section of this guide.
Distributing Activation Keys
To facilitate deployment of Groove Virtual Office (formerly Groove Workspace) in your domain, the latest Groove version should already be installed on user machines before you send them email containing their domain member activation keys. When you are ready for users to come online in your management domain and you have sent them the email that contains their identity activation keys, they must each install the activation key in Groove.
As an alternative to manual client activation, the management server offers an Auto-Activation feature. See your server administrator or the Groove Enterprise Management Administrator’s Guide for information about automating Groove activation.
Groove user devices must be connected to the management server for Groove activation to succeed. When a Groove user applies a managed identity activation key to a PC, Groove contacts the management server (for example, groove.net if you are using Groove Hosted Management Services), authenticates the user, and downloads the appropriate user information and domain licenses to the user’s machine. It also downloads identity policies and any relay server assignments associated with the domain. If device management keys are included in the installation process, device policies are also downloaded.
To activate their new identities, users must first start up Groove Virtual Office. Subsequent steps vary somewhat, depending on which version of Groove the user is running. The following table provides some guidelines:
User Scenario / What User Should Do
The user is starting up a licensed version of Groove 2.0+ on a managed device for the first time:
1. Double-click the Groove icon to start up the Product Activation Wizard, which guides the user through the domain member activation process.
2. Copy the administrator-supplied Activation Key into the Wizard text boxes when prompted to do so.
The user is starting up Groove 2.0+ on an unmanaged device for the first time:
1. Double-click the Groove icon to start up the Product Activation Wizard, which guides the user through the domain member activation process.
2. Get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box when prompted to do so.
The user already has Groove Preview 2.0 running on their managed device:
1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process.
2. If prompted, choose whether to create the new managed identity or convert an existing identity to a managed identity. The display of this prompt depends on the administrator’s device policies.
The user already has Groove Preview 2.0 running on their unmanaged device:
1. Start up Groove, then click the Activate Product option in the Help menu to start the Product Activation Wizard. The wizard guides the user through the domain member activation process.
2. When prompted, get the proper name for the management server (activation server) from the email or administrator and copy it into the Wizard text box.
3. A prompt will ask the user whether to create a new managed identity or to make an existing identity managed.
Auto Activation will activate Groove:
1. Make sure that Groove client devices are registered with a management domain, as described in “Registering User Devices with the Management Server” of this guide.
2. See your server administrator or the Groove Enterprise Management Server Administrator’s Guide for information about using Auto Activation.
In supporting Groove users, bear in mind the following factors pertaining to activation keys and managed identity creation:
• All identities in an account containing a managed identity will have access to whatever licenses are associated with that managed identity.
• Users cannot install the same activation key and identity data
into more than one account. Trying to do so will cause a message to
appear, stating that the identity has already been installed. Users
must get a new activation key from the administrator if they
install the activation key and identity data into the wrong account
or need to delete the account where the managed identity resides
for any reason.
• Once activated, an activation key cannot be re-used or re-sent
for any reason, even if the account in which the identity resided
has been destroyed. You must create new identity information and
send a new activation key to a user if the user has lost domain
membership for any reason.
• If your device policies allow, the Product Activation Wizard
gives users the choice of converting an existing identity to the
new managed identity, based on the identity information that you
entered for them. The original identities’ existing Groove spaces
and contact lists remain intact.
• If a user does not yet have a Groove account, the Groove domain
activation process creates a user account. This identity is the
default for that account.
If a user has one or more existing Groove accounts, the domain activation process prompts the user to choose whether to create a new account or to use a specified existing account. If the user chooses the new account option, the managed identity will become the default identity in that account. If the user specifies an existing account, that account will have multiple identities, the existing one(s) and the new one which becomes the default. As described in the previous bullet, the user can convert an existing identity to the new managed identity if your device policies allow.
Groove is now launched on the user’s device and the user is a
member of the management domain, with access to the licenses and
allegiance to policies associated with that domain.
Note: For administrators of Groove-hosted services: Groove licenses reside on a Groove Networks server and are accessed via the Groove Networks Web site at www.groove.net. If your company uses proxy servers to control traffic out to the internet and the user has not logged into the network, the Groove client will trap any login request from the proxy and display a login window during the domain activation process. The user should enter the customary name and password in order to proceed smoothly. If a user ignores this login, the activation process will fail. If activation fails for any reason and the Groove client (user’s device) cannot communicate with the server to perform activation, the Groove client automatically tries again within an hour.
Managing Groove Domains
Management domains are organizational units defined on the
management server. This document provides information about the
ongoing administration of Groove management domains via the
Enterprise Management Server (EMS) or Groove-Hosted Management
Services. For specific information about initial domain
configuration, see “Setting Up a Groove Management System” in the
Getting Started section of this guide.
The sections below describe the following domain-based tasks:
• Overview of Management Domains
• Configuring Management Domain Affiliation
• Setting Up Cross-Domain Certification
• Migrating Users to Another Domain
• Adding, Editing and Deleting Email Templates
• Editing Administrator Roles
Overview of Management Domains
Management domains are organizational units that contain groups of
managed Groove users, templates of identity and device policies,
and sets of licenses and relay servers. Management server
administrator create domains, as described in the Groove Manage-
ment Server Administrator’s Guide. Each domain has one top-level
group, within which you can add other groups and subgroups. You use
management domains to manage Groove users and devices. See
“Managing Domain Member Groups” in the Managing Users section of
this guide for more information about groups.
Clicking a completely configured domain in the navigation pane of the management server administrative Web interface displays tabs where you perform basic domain-level tasks, as described in the table below. If a domain is not yet fully configured, a pop-up domain setup window appears asking for the required information, as described in “Completing Domain Configuration” later in this section.
Domain Tabs / Descriptions
Reports: Allows you to view Groove domain usage reports for users, workspaces, and tools, as described in “Viewing Reports” in the Managing Reports section of this guide.
Email: Allows you to add, edit, and delete management server email templates, as described in “Adding, Editing and Deleting Email Templates”, later in this section.
Roles: Allows you to configure domain-level administrator roles, as described in “Editing Administrator Roles”, later in this section.
Note: Changes or updates to user contact information apply to all members of a Groove management domain and to their Groove workspace contacts. To manage network traffic, the management server distributes these changes to Groove clients over time. Therefore, these changes may not take effect immediately. Depending on the number of Groove clients affected, the propagation can take up to several days (for example, up to 4 days for about 5,000 users).
Domain-wide changes include the following:
• Management domain affiliation
• Relay server set
Completing Domain Configuration
The management server provides an initial default domain. If a server administrator did not complete initial domain configuration, clicking the domain in the navigation pane on the left displays a domain setup window, instead of the domain tabs (Reports, Directory Integration, and Roles). You cannot use the domain to provision Groove users until you supply information in the required fields.
To complete management domain configuration, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane on the left. If a set of domain tabs (Reports, Email, Roles) appears, domain configuration is complete and you do not need to perform this procedure.
2. If a domain setup window appears, fill in the fields described in the following table, then click OK.
Add Domain Fields* / Explanations
Domain Setup
Domain Name: The name of the domain, supplied automatically for the initial domain. This name is used in the management server user interface to refer to the domain. You can edit this field, if necessary.
Description: Optional. A description of the domain, which you can supply.
Identity Authentication Settings (cannot be undone): Required. Click one of the following radio buttons, depending on your company’s security policies, or accept the default of Groove PKI.
• Use Enterprise PKI to authenticate members’ identities - Select this option if your organization has an existing Public Key Infrastructure (PKI) system that you want to use with the management server.
• Use Groove PKI to authenticate members’ identities - Select this option if you do not have a corporate PKI system in place or you prefer to use Groove’s application-specific PKI system.
Note: This decision cannot be undone after you click the OK button.
Default: Use Groove PKI
Certificate Authority name: Required if the Use Groove PKI option is selected above. Enter a unique, fully qualified, registered Domain Name Service (DNS) name. If the Use Enterprise PKI option is selected above, this field does not apply.
Password or Smartcard Reset Setup
Private Key Name: Accept the default name for the password/smart card reset private key, or edit it as necessary. The default name is based on the creation date and time (such as Jan-10-2004 12 PM Key).
When you click the OK button in this dialog box, the management server generates a private key on the server or in a designated file location, as specified below. This key decrypts user data that is protected by a corresponding reset public key, allowing administrators to reset Groove passwords or smart card logins, and recover user data on managed Groove devices. See “Resetting Groove Login Credentials for Managed Devices” and “Setting Up Data Recovery on Managed Devices” in the Managing Devices section of this guide for more information about resetting user passwords and recovering user data.
Note: Enabling password reset and data recovery also involves setting the appropriate policies for management domain devices, as described in “Managing Device Policies” later in this guide.
Create Private Key Password: Required. Enter a password to protect access to the password/smart card reset private key. This is the administrative password used to reset a user’s Groove password.
Note: If you lose your private key file, you must regenerate it and reset the policy. The private key always remains password-protected.
Verify Private Key Password: Re-enter the private key password to confirm it.
Remember Private Key Password: Available if you are storing the private key on the management server. Select this option if you want the management server to remember the private key password that you supplied, simplifying the password reset process (described in “Resetting Groove Login Credentials for Managed Devices” in the Managing Device Policies section of this guide).
Default: checked (enabled)
Private key storage options: Required. Select a private key storage option:
• Store private key on the management server - Stores the password reset private key on the management server.
• Save private key to a file - Displays a browse window where you can browse to and specify a file location for the password reset private key.
Default: Store private key on the management server.
Viewing and Editing Management Domain Properties
Your management server administrator creates domains on the management server. You (or anyone with a server or domain administrator role in an RBAC-supported environment) can view domain information and edit a domain’s configurable properties, as described in the following sections.
To edit management domain properties, follow these steps:
1. Go to the management server administrative Web site and select a domain from the navigation pane on the left.
2. Select Domain Properties in the tool bar. The domain Properties page appears.
3. From the domain Properties page, edit the fields shown in the following table as necessary, then click OK:
Domain Properties Fields
Domain Setup
Domain Name Specifies the name of the domain. The management server
supplies an initial domain name, which you can edit as
needed.
Description Displays an optional description of the domain. You can
edit this description as needed
Certificate Authority (CA) name
Information only. Appears if the Groove PKI option is
selected.
The CA name assigned to the domain by the server administrator
during domain creation, if Groove PKI is the chosen identity
authentication system.
Add Domain Fields* Explanations
Groove Management Server Domain Administrator’s Guide Managing
Groove Domains 20
Representation of Affiliation
Determines the level of information displayed in domain members’
Groove contact information, as follows:
• Show member’s domain only - Display’s each managed user’s name,
followed by the management domain of which the user is a
member.
• Show member’s position with the domain/group hierarchy - Displays
each managed user name, followed by the management
domain/group/subgroup... of which the user is a member.
Device Management
Remove devices from domain after __ days of inactivity
The number of days of inactivity after which the management server
removes managed devices from the domain.
Default: 90
Password or Smart Card Reset Setup
Store Key on Server Appears if the private key file is stored in a
specified file.
Lets you change the storage location for the password/smart card
reset private key from a network location to the management
server.
Clicking this button displays a pop-up window with the key name, a
browse box to enter the source directory location, and a prompt for
the private key password, along with an option to remember the
password.
Move Key to File Appears if the private key file is stored on the
management server.
Lets you change the storage location for the password/smart card
reset private key from the management server to a specified file on
your network.
Clicking this button displays a pop-up window that displays a
standard Save dialog box where you can browse to a target directory
location on your network. Note that moving the private key to a
file deletes it from the management server.
Download data recovery tool for Groove version __
Specifies the version of Groove for which you want to download a
data recovery tool. This tool allows you to access managed user
data on a managed device when a user has left the company or
forgotten their password (providing that device security policies
allow).
Clicking the Download button displays a pop-up window that lets you
download and install the data recovery tool
(DataRecoveryAdminTool.exe) for the specified Groove version to the
current device. Or, you can save the program file
(DataRecoveryTool30.exe, which contains the data recovery tool and
its associated system files) to a specified directory location. You
install the data recovery tool .exe file to the Groove client
device where you intend to restore Groove data. See “Setting Up
Data Recovery on Managed Devices” in the Managing Groove Devices
section of this guide for detailed information about recovering
Groove data.
Default: 3.0
Explanations
Groove Management Server Domain Administrator’s Guide Managing
Groove Domains 21
Configuring Management Domain Affiliation
The management server domain Properties page lets you control how
domain members appear in Groove contact lists. By default, the
domain member’s domain name appears, followed by the associated
domain; no group information is included. The affiliation set- ting
applies to the entire management domain and all groups in the
domain.
Change Private Key Password
If the password/smart card reset private key resides on the
management server, this button lets you change the private key
password. Clicking the button displays a pop-up window that lets
administrators specify and confirm a new password for the
password/smart card reset private key.
Change Key Generates another password/smart card reset private key
on the management server or in a designated directory location, as
specified in this domain Properties page. The new private key has a
default name that includes the date, distinguishing it from
previous keys.
Cross Domain Certification (available for Groove PKI only)
Download Domain Certificate
Appears only if Groove PKI is the identity authentication
method.
Downloads the selected domain’s certificate from the management
server to a specified directory location on the local device. You
can then send this key to another domain administrator to set up
cross-domain trust. See “Setting Up Cross- Domain Certification”
later in this section for information about setting up cross-domain
certification with trusted domains.
Add Foreign Domain’s Certificate
Appears only if Groove PKI is the identity authentication
method.
Uploads a foreign domain certificate from a specified location to
the management server. When you click the OK button, the
certificate name appears in the list at the bottom of the Domain
Properties page.
Delete Certificates Appears only if Groove PKI is the identity
authentication method.
Deletes selected cross-domain certificates. Select entries in the
certificate list to mark them for deletion. Then click Delete
Certificates.
Color Key Information only. Appears only if Groove PKI is the
identity authentication method.
• Inside the organization - Color that identifies management domain
members from within your organization.
• Outside the organization - Color that identifies Groove users
from trusted domains outside the organization.
Certificate list Appears only if Groove PKI is the identity
authentication method.
Lists cross-domain certificates. The certificate name, description,
and download date appear for each entry. A Delete button following
each certificate lets you delete certificates. Note that you cannot
delete your own (self-trust) certificate.
Groove Management Server Domain Administrator’s Guide Managing
Groove Domains 22
Note: Changing the affiliation setting may result in significant
added network traffic and disruption of Groove operation as this
change is propagated to all Groove contacts associated with managed
members of this domain. Be sure to communicate this information to
managed Groove users before making this change.
To configure management domain affiliation, follow these
steps:
1. Go to the management server administrative Web site and select a
domain from the navigation pane.
2. Click the Domain Properties button. The domain Properties page
appears.
3. From the domain Properties page, select one of the following
affiliation representation options to specify how domain member
entries should appear in Groove contact lists:
• Show member’s domain only - Displays the member’s managed
identity name, followed by the member’s domain. For example,
JDow/XYZCorp. This is the default setting.
• Show member’s position within the domain/group hierarchy -
Displays the member’s managed identity name, followed by the
member’s group and domain. For example,
JDow/R&D/XYZCorp.
4. To change the number of inactive days before Groove removes
users from the searchable directory of domain members, edit the
value in the ‘Remove members from searchable directory of domain
members after ___ days of inactivity.’
5. Click OK.
Setting Up Cross-Domain Certification
The management service’s cross certification feature lets you
extend trusted collaboration beyond a single domain, to domains
that may or may not belong to your organization. The management
server and Groove clients support cross certification using a
scheme called Public Key Infrastructure (PKI) cross certification.
Management server’s cross certification applies only in the
context of Groove PKI (not third-party, enterprise PKI).
Setting up cross certification requires that two administrators
from different domains - both of which use Groove PKI as their
identity authentication scheme - exchange and cross-register domain
certificates (certificate files that contain public keys that
identify one domain to another).
Once cross certification has occurred, text color distinguishes the
members in the certified domain as certified. Note that this
process does not prevent certified and uncertified Groove users
from communicating but simply informs users of the certification
status of their contacts. You can strengthen security by setting an
identity policy that controls how certified users in your domain
interact with uncertified users. For information about setting a
policy for handling uncertified Groove users, see “Managing User
Interaction with Unauthenticated Identities” in the Managing
Identity Policies section of this guide.
Note: To utilize cross-domain management, you must add users to a
domain or group to make them managed. For information about adding
users, see “Adding Groove Users to a Domain Group” in the Managing
Groove Users section of this guide.
Note: You cannot cross-certify with a foreign domain that has the
same domain name as yours. This condition may result any time an
administrator does not obtain a registered DNS name. Domain names
must be unique to the domain. If you discover duplicate domain
names, this condition must be corrected by assigning properly
registered DNS names.
This section provides the following information and
procedures:
• PKI Basics
PKI Basics
Public Key Infrastructure (PKI) refers to the set of hardware,
software, people, policies and procedures necessary to create,
manage, store, distribute, and revoke certificates based on public
key cryptography. The characteristic operation of PKI is known as
certification (the issuance of certificates). PKI certification
provides a framework for the security feature known as
authentication (proof of identification).
Understanding the role of PKI in software management involves the
following basic terms:
• Certification Authority (CA) - An authority that Groove users
trust to create and issue certificates (that contain public keys).
In a managed Groove environment, the management server is the
certificate authority. As such, it creates and manages the
certificates for managed users.
• Certificate - A data structure containing a domain or Groove
user’s public key and related identification information, which is
digitally signed with the private key of the CA that issued it. The
certificate securely binds together the information that it
contains; any attempt to tamper with it will be detected by
Groove.
If Groove PKI is used in the domain configuration, the management
server and Groove implement PKI according to the following
process:
1. The server administrator creates a domain certificate for a
management server domain, during management domain creation.
2. The domain administrator sends activation keys and associated
identity information to Groove users to give them domain
membership.
3. Groove users install the activation keys, automatically
uploading the associated identity information and public key to the
management server.
4. EMS generates and signs each user certificate with the domain's
certificate (using the domain’s private key to bind the user’s
public key to the user’s associated identity information). EMS
then sends to each domain member the appropriate signed user
certificate, giving each user a managed identity with domain
membership.
Note: Management server identity policies governing certificate
revocation apply to enterprise PKI authentication only, not to
Groove PKI.
Third-party enterprises may implement PKI differently. Groove or
Enterprise PKI is stipulated for the managed environment during
management domain creation.
In the context of Groove PKI, if Groove accepts (validates) a
contact’s management domain (for example, if the Groove user is a
member of the contact’s domain), text color distinguishes contacts
as follows:
• Contacts from the same organization as the user, under either of
the following conditions:
• Contact is in the same domain as the user
• Contact is in a domain that has been cross-certified with the
user’s domain and is in the same organization.
• Contacts from an outside organization whose domain has been
cross-certified with the user’s domain (according to the procedure
outlined below in “Cross-Certifying Management Domains”).
Again, third-party enterprises distinguish users as their PKI
implementation dictates.
Certified users (in both Groove and enterprise PKI environments) are
marked in the following places in the Groove client user
interface:
• Contacts tab in the Groove launchbar
• Contacts tool
• Member List
• Notifier, whenever a contact name is displayed, such as when a
message is received
• Message and Invitation windows in the From field, when reading a
message or invitation
• Message and Invitation windows in the To field, when sending a
message or invitation to a single user
• More contacts list
• Message History
Groove checks whether the contact belongs to a management domain
and, if so, displays the contact’s authentication status and domain
when a user hovers over the name. In addition, the contact’s domain
and digital fingerprint appear in the list accessible from the
Groove Contact Properties window. The window also displays an
Authentication As: check-box, so that if the contact is not already
certified, a user can manually authenticate the person by contacting
the individual outside of Groove (by phone, for example), verifying
the associated digital fingerprint, then checking the checkbox to
indicate that authentication took place.
Cross-Certifying Management Domains
The following procedure shows how to set up cross-domain
certification between two domains, both of which use Groove PKI
identity authentication (specified during domain creation). This
process has two parts: you send your domain certificate to the
administrator of an external domain so that external domain
members can establish trust with your domain, and you import a
certificate from the external domain. You can also set up cross
certification in one direction only; Domain A can trust Domain B
without Domain B trusting Domain A.
Note: Cross certification is appropriate only when administrators
from cooperating domains trust each other, to the extent of
securely maintaining proper bindings between each others’ user
public keys and contact information.
This section provides instructions for the following tasks:
• Exchanging Domain Certificates
• Viewing Cross-Certified Domains
• Deleting Cross-Certified Domains
Exchanging Domain Certificates
Cross-domain certification (and the following procedure) apply only
in the context of Groove PKI (not third-party, enterprise
PKI).
To exchange certificates and set up mutual cross-domain trust with
an administrator from a remote domain, follow these steps:
1. Go to the management server administrative Web site and select a
management domain from the navigation pane (DomainA, for
example).
2. Select Domain Properties in the tool bar. The domain Properties
page appears.
3. Make sure that the Groove PKI identity authentication option is
selected.
4. In the window’s Cross Domain Certification section, click the
Download button to download the certificate (containing the domain
public key) for the local domain (DomainA). A File Download pop-up
window appears.
For a summary of management server keys, see “Appendix B.
Management Server Keys and Certificates” of this guide.
5. Click the Save this file to disk option, then click OK. A Save
As pop-up window appears.
6. Accept the path and default name of domainname.cer (in this case
DomainA.cer) or edit them, then click OK. This saves the local
domain certificate file in a local directory. This is the file that
each administrator sends the other in order to set up cross-domain
management.
7. Go to the location of your local DomainA certificate file, copy
the file, and send it via email or Groove to the administrator of
the remote domain (DomainB, for example).
8. Request the remote DomainB administrator to send you the DomainB
certificate by performing the procedure just described.
9. When you receive a certificate from the remote DomainB
administrator, save it in a directory on your local computer.
10. Authenticate the remote domain (DomainB, for example) as
follows:
a. Contact the remote DomainB administrator by telephone or in
person and make sure that you trust the person whom you are
contacting.
b. View the certificate you received by opening the Windows
Certificate Viewer, double-clicking the domainnameB.cer file, and
checking the certificate’s digital fingerprint (the certificate's
hash or “thumbprint” as shown in the Windows Certificate Viewer).
Ask the remote administrator to do the same and to report the
fingerprint. It should match what you see on your screen.
Then, reverse the procedure and report your DomainA certificate’s
fingerprint to the remote administrator.
11. Return to the Cross Domain Certification portion of the Domain
Properties page and click the Add Foreign Domain’s Certificate
button. The cross certification pop-up window appears.
12. In the File location field, enter the path and file name of the
remote DomainB.cer file, clicking the Browse button if
necessary.
13. Click the OK button.
You have now set up cross-domain certification with the
collaborating administrator. Cross-certified domains appear in the
domain list in the lower half of the page. Contacts from
cross-certified domains appear on the Groove client in a different
color from local domain contacts, as shown in the Color Key section
of the domain Properties page.
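The PKI process described in “PKI Basics” (steps 1 to 4) and the cross-certification and fingerprint checks of the procedure above (steps 4 and 10b), as an added Go example that is not from this guide or from Groove: the Domain type, NewDomain, NewMemberKey, IssueMember, Certified and Thumbprint are hypothetical names, and Go’s crypto/x509 stands in for Groove’s own certificate format. A member is “certified” on a client only when its certificate chains to the client’s own domain certificate or to a foreign domain certificate that was imported, which is exactly what Add Foreign Domain’s Certificate does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Domain stands in for one Groove PKI management domain (hypothetical type, not a Groove API).
type Domain struct {
	Cert *x509.Certificate // the domain certificate (self-signed CA certificate)
	Key  *ecdsa.PrivateKey // the domain private key that signs member certificates
}

func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca,
		Subject: pkix.Name{CommonName: name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// NewDomain models step 1: the domain certificate is created together with the domain.
func NewDomain(name string) (*Domain, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(name, true)
	cert, err := parse(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &Domain{Cert: cert, Key: key}, err
}

// NewMemberKey models step 3: the client generates its key pair and uploads the public half.
func NewMemberKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// IssueMember models step 4: the domain key binds the member's public key to its identity name.
func (d *Domain) IssueMember(identity string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	return parse(x509.CreateCertificate(rand.Reader, template(identity, false), d.Cert, pub, d.Key))
}

// Certified reports whether member chains to its own domain or to an imported foreign domain certificate.
func Certified(member *x509.Certificate, domains ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range domains {
		roots.AddCert(c)
	}
	_, err := member.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Thumbprint is the SHA-1 of the DER bytes (the Windows "thumbprint") that both administrators compare in step 10b.
func Thumbprint(c *x509.Certificate) string {
	return fmt.Sprintf("% X", sha1.Sum(c.Raw))
}
```

Certified(member, b.Cert) is false until DomainA.cer has been imported on the DomainB side, and the thumbprint is what must match over the phone before that import is made.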
Viewing Cross-Certified Domains
To view a domain and its cross-certified domains, follow these
steps:
1. Select the domain in the management server Web site navigation
pane.
2. Select Domain Properties in the tool bar. Cross-certified
domains are listed in the lower half of the page. Each entry
includes the domain name, a description of the domain (as defined
by the server administrator), and the date of certification.
Deleting Cross-Certified Domains
To delete a cross-certified domain and its certificates from the
management server, follow these steps:
1. Go to the management server administrative Web site and select a
domain from the navigation pane and click the Domain Properties
button. The domain Properties page appears with any cross-certified
domains listed at the bottom.
2. In the Cross Domain Certification portion of the domain
Properties page, click the Delete button for cross-certified
domain(s) that you want to delete.
Changing Reset/Recovery Private Keys and Key Locations
The device template Domain Properties page lets you change
password/smart card login private keys and key locations. Default
key names include a key creation date to help distinguish keys on
the management server.
To replace the private key for password/smart card login reset and
data recovery, follow these steps:
1. Go to the management server administrative Web site and select a
domain.
2. Select Domain Properties in the tool bar. The domain Properties
page appears.
3. To change the reset/recovery private key location from a
specified file to a management server directory, in the domain
Properties page, click the Store Key on Server button. A Store Key
on Server pop-up window appears.
To change the private key location from the management server to a
specified directory and file, in the domain Properties page, click
the Move Key to File button.
A Save pop-up window appears where you specify a file location for
the private key, then click OK.
4. From the Store Key on Server pop-up window, browse to the target
file location on the management server (the default is C:), enter a
private key password, and click OK.
To change the private key location from the management server to a
specified file, enter a file location in the text box and click OK.
This removes the key from the management server and places it in
the specified location on your network.
5. To replace the private key, click the Change Key button. A new
private key with a default name that includes the date will be
added to the management server or specified file location.
6. If the key is stored on the management server and you want to
change the private key password, click the Change Private Key
Password button.
7. Click OK.
Make sure to keep labeled copies of reset/recovery private keys in
a known secure location. You may need access to these old private
keys (for example, if you need to recover client data but the
client has an older version of the data recovery
certificate).
Migrating Users to Another Domain
If you are changing from Groove Hosted Management Services to an
onsite Enterprise Management Server, you must create a new domain
group structure on your newly installed server. Once you have done
this, you migrate your managed Groove users, group by group, to the
newly defined management domain groups. The migration must be
performed on each group and subgroup in order to preserve the policy
formed on each group and subgroup in order to preserve the policy
templates, license sets, and relay server sets assigned to each
group.
This section provides a basic migration procedure for use whenever
you need to migrate users from one domain to another. Currently,
this procedure must be performed manually and involves the
Groove-hosted Web site, the onsite Enterprise Management Server,
and the Groove client devices.
Before you begin, ask your management server administrator to
create a new domain on the Enterprise Management Server so that you
can have a destination domain for migrating your users.
To migrate users from one domain to another, follow these steps for
each group and subgroup in the domain, starting with the smallest
subgroup:
1. Log into the Enterprise Management Server administrative Web
site and re-create the group hierarchy from your hosted management
environment on your onsite management server. See “Adding Groups”
in the Managing Users section of this guide, for information about
creating domain groups.
2. Log into the Groove Hosted Management Server administrative Web
site and, from the navigation pane, select a group in the domain
from which you want to migrate users.
3. Configure two identity and device policies as follows in order
to avoid disabling devices and identities during the domain
transition:
• Select the appropriate identity policy template, click the Member
Policies tab and UNcheck the following policy (if it is selected):
Identity may only be used on a managed device, then click OK.
• For the same device policy template, click the Account Policies
tab and UNcheck the following policy (if it is selected): Members
can only use managed identities from this domain on devices in this
domain, then click OK.
Note: Remember to allow time for clients to be updated with policy
changes.
4. Export each group member list from the domain, as described in
“Exporting Domain Members” in the Managing Users section of this
guide.
5. Log into your Enterprise Management Server administrative Web
site and select a group in the target management domain. (Your
server administrator should have already created this
domain.)
6. Select the appropriate identity and device templates and UNcheck
the two policies specified in step 3 (if these policies are
checked).
7. Use the domain group member list to add the users to the new
domain group on the management server, as described in “Adding
Multiple Members from an .XML File” in the Managing Groove Users
section of this guide.
8. From any device, log into the management server, select the new
domain group, and download the EMS registry keys, as described in
“Registering User Devices with the Management Server” in the
Managing Device Policies section of this guide. Apply these keys to
the Windows registries of all the devices that you intend to manage
in the new domain group.
9. Restart the client devices to update their Windows registries
with the management server device information (and completely shut
down Groove).
10. From the management server, send managed identity activation
keys to each user that you are migrating to the new domain, as
described in “Adding Multiple Members from an .XML File” in the
Managing Groove Users section of this guide.
11. Launch Groove on each client device.
12. On each client device, click Help from the Groove Home page and
select Activate Product.
13. Copy the 25-character activation key for each managed identity
from the email into the activation key field.
14. Click Finish to activate Groove on the device.
15. If you wish, reset the device and identity policies that you
turned off earlier in this procedure.
Adding, Editing and Deleting Email Templates
The management server administrative interface lets you send email
to accompany the identity activation key that you send Groove users
to give them domain membership. It also lets you send email to
accompany the account backup file that you send users to
restore an account. You can also create and save your own templates
to use as the defaults for these email messages. The Email tab
allows you to create and save email templates, edit email
templates, or delete them.
The following sections explain how to accomplish the following
email management tasks:
• Creating Management Server Email Templates
• Editing Management Server Email Templates
• Deleting Management Server Email Templates
Creating Management Server Email Templates
The domain Email tab lets server and domain administrators create
templates for the email that the management server sends to users
to activate their domain identity or to accompany a backed up
account file. You also have the option of saving this email as a
default template.
To create and save new management server email templates, follow
these steps:
1. Go to the management server administrative Web site and select a
management domain from the navigation pane.
2. Click the Email tab. The Manage Email page appears with a list
of previously defined email templates.
3. Select Add Email in the tool bar. The Add Email window
appears.
4. Fill in the fields as shown in the following table, then click
OK. Only the Save Email As field is required to save this email;
all fields are required to send:
Create Activation Key Email Fields
Values
Email Type Selec