Microsoft

Update on Custom Policies in Skype for Business Online

As discussed in our previous blog article, Custom Policies in Skype for Business Online, Skype for Business Online allows Skype administrators to create custom policies. We are now expanding this capability with additional policies and parameters that can be configured.

 

What is new? 

The additional functionality that can be configured with custom policies in Skype for Business Online includes:

  • Ability to block point-to-point (P2P) file transfer to federated users only.
  • Ability to create custom External Access policies.

Block Federated point-to-point file transfer

Previously, Skype for Business Online already offered the ability to control P2P file transfer as part of the existing conferencing policy settings. However, this option allowed or blocked file transfer regardless of whether the recipient was a user hosted in the same company or a federated user.

The new feature allows you to block P2P file transfer with Federated partners only.

 

Imagine a scenario where you would like to allow internal users to use P2P file transfer, block file transfer with federated partners by default, and allow exceptions to the rule.

 

This scenario requires four components:

  • An appropriate conferencing policy with P2P file transfer enabled (EnableP2PFileTransfer set to True), assigned to users.
  • A global External User Communication Policy set to block external P2P file transfer (EnableP2PFileTransfer set to False). Do not confuse the two: the setting name is the same, but it belongs to a different policy set (Conferencing vs. ExternalUserCommunication).
  • A user External User Communication Policy to allow exceptions.
  • A version of the 2016 Click-to-Run Skype for Business client that supports the feature (see the table below).

By default, EnableP2PFileTransfer is enabled in the Global policy. When created, your users are assigned the BposSAllModality policy. You can confirm that your users have P2P file transfer enabled by checking the setting in the Global policy and checking the policy assigned to each user.

  1. To check the global policy, execute:
    Get-CsConferencingPolicy -Identity Global | Select Identity, EnableP2PFileTransfer
    In our example, the user has the SIP address zoran@contoso.com. To check the policy assigned to that user, execute:
    Get-CsOnlineUser -Identity zoran@contoso.com | Select SIPAddress, ConferencingPolicy
  2. To allow internal use and block external file transfer at the tenant level, change the parameter at the global level:
    Set-CsExternalUserCommunicationPolicy -EnableP2PFileTransfer $False
  3. A per-user setting is achieved by creating a policy and granting it to the user:
    New-CsExternalUserCommunicationPolicy -Identity BlockExternalFT -EnableP2PFileTransfer $False
    Grant-CsExternalUserCommunicationPolicy -PolicyName BlockExternalFT -Identity zoran@contoso.com

  4. Enforce deployment of the latest client in your organization.
    Note: The following minimum version of the Skype for Business 2016 Click-to-Run client is required: [image: table for blog zoran1.PNG]

     

  5. Once the policy is in place, a user who tries to drop a file receives a "File transfer is off" warning, as shown in the image below.

zorans pic 2.PNG
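
The check below is an added example, not code from the original post or from Microsoft: it resolves each user's effective conferencing and external user communication policy and flags anyone who can send files to federated partners without being on an approved exception list. The sample objects, the AllowExternalFT policy name, the additional users and the approved list are constructed; it assumes that a user with no per-user policy falls back to Global, that federated transfer needs both settings enabled, and that Get-CsOnlineUser exposes an ExternalUserCommunicationPolicy property.

```powershell
# Constructed sample data, not tenant output. In a live session these would come from
# Get-CsConferencingPolicy, Get-CsExternalUserCommunicationPolicy and Get-CsOnlineUser.
$conferencing = @(
    [pscustomobject]@{ Identity = 'Global';               EnableP2PFileTransfer = $true }
    [pscustomobject]@{ Identity = 'Tag:BposSAllModality'; EnableP2PFileTransfer = $true }
)
$external = @(
    [pscustomobject]@{ Identity = 'Global';              EnableP2PFileTransfer = $false }
    [pscustomobject]@{ Identity = 'Tag:BlockExternalFT'; EnableP2PFileTransfer = $false }
    [pscustomobject]@{ Identity = 'Tag:AllowExternalFT'; EnableP2PFileTransfer = $true }  # hypothetical exception policy
)
$users = @(
    [pscustomobject]@{ SipAddress = 'sip:zoran@contoso.com'; ConferencingPolicy = 'BposSAllModality'; ExternalUserCommunicationPolicy = 'BlockExternalFT' }
    [pscustomobject]@{ SipAddress = 'sip:dana@contoso.com';  ConferencingPolicy = $null;              ExternalUserCommunicationPolicy = 'AllowExternalFT' }
    [pscustomobject]@{ SipAddress = 'sip:lee@contoso.com';   ConferencingPolicy = 'BposSAllModality'; ExternalUserCommunicationPolicy = 'AllowExternalFT' }
    [pscustomobject]@{ SipAddress = 'sip:kim@contoso.com';   ConferencingPolicy = $null;              ExternalUserCommunicationPolicy = $null }
)
$approved = @('sip:dana@contoso.com')   # constructed list of approved exceptions

function Resolve-P2PSetting {
    param([object[]]$Policies, [string]$Assigned)
    # Assumption: no per-user policy means the Global policy applies.
    $name = if ([string]::IsNullOrEmpty($Assigned)) { 'Global' } else { $Assigned -replace '^Tag:', '' }
    $policy = $Policies | Where-Object { ($_.Identity -replace '^Tag:', '') -eq $name } | Select-Object -First 1
    # An assigned policy missing from the list is an error rather than a silent "blocked".
    if (-not $policy) { throw "Policy '$name' is assigned but was not found" }
    [bool]$policy.EnableP2PFileTransfer
}

$report = foreach ($u in $users) {
    $internal  = Resolve-P2PSetting $conferencing $u.ConferencingPolicy
    # Assumption: federated transfer needs the conferencing AND the external setting enabled.
    $federated = $internal -and (Resolve-P2PSetting $external $u.ExternalUserCommunicationPolicy)
    [pscustomobject]@{
        User        = $u.SipAddress
        InternalFT  = $internal
        FederatedFT = $federated
        Unapproved  = $federated -and ($approved -notcontains $u.SipAddress)
    }
}
$report | Format-Table -AutoSize
```

Rows with Unapproved set to True are users whose assigned exception policy is not backed by an entry in the approved list.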

 

Blocking Federated file transfer considerations

Users of older versions of the Skype for Business Windows client or Mac client can still transfer files.

If a third party tries to send a file to a user for whom the policy is enforced, the federated party sending the file receives a "Transfer Failed" error.

 

Custom External Access Policies 

New-CsExternalAccessPolicy allows you to create additional External Access policies. Unlike Client or Conferencing policies, where numerous combinations are possible, the three pre-defined external access policies cover most scenarios:

  • No Federated or Skype Consumer Access (Tag:NoFederationAndPIC)
  • Federated Access Only (Tag:FederationOnly)
  • Federated and Consumer Access (FederationAndPICDefault)

The introduction of custom External Access policies allows you to create additional policies that are not covered by the list above. During policy creation you must set all required parameters, and you cannot alter them later. The new command lets you create a policy such as Skype Consumer access only, or a policy that disables public cloud audio/video, neither of which is covered by the pre-defined set. External access policies follow the same syntax as Client, Mobility and Conferencing policies.

 

Examples of new commands are:

New-CsExternalAccessPolicy -Identity BlockSkypeVideo -EnablePublicCloudAccess $True -EnablePublicCloudAudioVideoAccess $False -EnableFederationAccess $True -EnableOutsideAccess $True
Grant-CsExternalAccessPolicy -PolicyName BlockSkypeVideo -Identity zoran@contoso.com
Remove-CsExternalAccessPolicy -Identity BlockSkypeVideo

 

Call to action 

  1. Review the options available in the portal, and review the pre-defined policies before you decide to create custom ones.
  2. Questions or comments? Discuss with us in the Community.
6 Comments
Occasional Contributor

Will this functionality eventually make its way to the MSI client?

Contributor

Will this functionality be ported to SfB Server?

Can we disable desktop sharing only for federated partners?

Microsoft

@shawn harry
I am not a PG owner for SfB Server. We forwarded your question to the appropriate owner.
@MuraliKrishna Chennupati
We do not have functionality to disable desktop sharing for federated partners only. 

Occasional Contributor

Would love to see the ability to block P2P File Transfer to just specific federated organizations instead of it impacting all.

Microsoft

@Miguel Sanabia, thanks for the feedback. The best way to provide feature requests is to log them at https://www.skypefeedback.com/