cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Update on Custom Policies in Skype for Business Online
By
Zoran Cvetkovic
Published May 26 2017 06:45 AM 12.5K Views
Zoran Cvetkovic
Microsoft
‎May 26 2017 06:45 AM

Update on Custom Policies in Skype for Business Online

‎May 26 2017 06:45 AM

As discussed in our previous blog article Custom Policies in Skype for Business Online, Skype for Business Online allows Skype administrators to create custom policies. We are now expanding with additional policies and parameters that can be configured.

 

What is new? 

The additional functionality configured with customer policies to Skype for Business Online, include:

  • Ability to block a point to point (P2P) file transfer to Federated users only.
  • Ability to create custom External Access policies.  

Block Federated point-to-point file transfer

Previously, Skype for Business Online already offered the ability to control P2P file transfer as part of the existing conferencing policy settings. However, this option allowed or blocked file transfer for users no matter if they are transferring files to a user who is hosted on the same company or Federated user.

The new feature allows you to block P2P file transfer with Federated partners only.

 

Imagine a scenario where you would like to allow internal users to use P2P file transfer, block file transfer with federated partners by default and allow exceptions to the rule.

 

This scenario would require, four components:

  • An appropriate conferencing policy with P2PFile transfer Enabled (EnableP2PFileTransfer set to True) to be assigned to users.
  • A global External User Communication Policy set to block External P2P File transfer (EnableP2PFileTransfer set to False) . Do not get confused, the setting name is the same but it is associated with a different policy set (Conferencing vs ExternalUserCommunication).
  • A user External User Communication Policy to allow exceptions
  • A version of 2016 Click-to-Run Skype for Business Client that supports the feature (see the table below).

By default, EnableP2PFileTransfer is enabled in Global Policy. When created, your users are assigned BposSAllModality policy. You can ensure that your users have P2P Enabled, by checking the setting in the Global Policy and checking user policy assigned to the users.

  1. To check global policy, execute 
    Get-CsConferencingPolicy -Identity Global | Select Identity, EnableP2PFileTransfer
    In our example, the user has the SIP address zoran@contoso.com. To check policy assigned execute: 
    Get-CsOnlineUser -Identity zoran@contoso.com | Select SIPAddress, ConferencingPolicy
  2. To allow internal use and block external file transfer at the tenant level, all you have to do is change the parameter at a global level.  
    Set-CsExternalUserCommunicationPolicy -EnableP2PFileTransfer $False
  3. Per user setting is achieved by creating a policy and granting it to the user.  
    New-CsExternalUserCommunicationPolicy -Identity BlockExternalFT -EnableP2PFileTransfer $False
Grant-CsExternalUserCommunicationPolicy -PolicyName BlockExternalFT -Identity zoran@contoso.com
  4. Enforce deployment of the latest client in your organization.  Note: The following minimum version of Skype for Business 2016 Click-to-Run client is required: table for blog zoran1.PNG

     

  5. Once policy is in place, if user tries to drop the file, they would receive File transfer is off warning as shown in the image, below.

zorans pic 2.PNG

 

Blocking Federated file transfer considerations

Users of older versions of Skype for Business Windows client or Mac client can transfer files.

If a 3rd-party tries to send a file to the user where the policy is enforced, the federated party sending file will receive Transfer Failed error.

 

Custom External Access Policies 

New-CsExternalAccessPolicy allows you to create additional External Access Policies. Unlike Client or Conferencing policies, where you have numerous combinations, with three pre-defined external access policies you can cover most of the scenarios:

  • No Federated or Skype Consumer Access (Tag:NoFederationAndPIC )
  • Federated Access Only (Tag:FederationOnly )
  • Federated and Consumer Access (FederationAndPICDefault)

Introduction of Custom External policies allows you to create additional polices that were not covered in the above list.  During policy creation, you would be required to set all required parameters and you couldn't alter them later. This new command brings option to create policy like Skype Consumer Access only or policy to disable public cloud Audio/Video, something not covered with a pre-defined set. External access policies follow the same syntax as Client, Mobility and Conferencing policies.

 

Examples of new commands are:

New-CsExternalAccessPolicy -Identity BlockSkypeVideo -EnablePublicCloudAccess $True -EnablePublicCloudAudioVideoAccess $False -EnableFederationAccess $True 
-EnableOutsideAccess $True
Grant-CsExternalAccessPolicy -PolicyName BlockSkypeVideo -Identity zoran@contoso.com
Remove-CsExternalAccessPolicy -Identity BlockSkypeVideo

 

Call to action 

  1. Review options available in portal, and review pre-defined policies before you decide to create custom ones.
  2. Questions or comments? Discuss with us in the Community.
8 Comments
Jeff Brown
Brass Contributor
‎May 26 2017 09:28 AM
‎May 26 2017 09:28 AM

Will this functionality eventually make its way to the MSI client?

0 Likes
Like
shawn harry
Iron Contributor
‎May 30 2017 11:29 AM
‎May 30 2017 11:29 AM

Will this functionality be ported to SfB Server?

0 Likes
Like
MuraliKrishna Chennupati
Microsoft
‎Aug 24 2017 09:14 AM
‎Aug 24 2017 09:14 AM

Can we disable desktop sharing only for federated partners ?

0 Likes
Like
Zoran Cvetkovic
Microsoft
‎Aug 24 2017 01:35 PM
‎Aug 24 2017 01:35 PM

@shawn harry
I am not a PG owner for SfB Server. We forwarded your question to appropriate owner.
@MuraliKrishna Chennupati
We do not have functionality to disable desktop sharing for federated partners only. 

0 Likes
Like
Miguel Sanabia
Brass Contributor
‎Nov 15 2017 11:31 AM
‎Nov 15 2017 11:31 AM

Would love to see the ability to block P2P File Transfer to just specific federated organizations instead of it impacting all.

Thomas Binder
Microsoft
‎Nov 16 2017 01:07 AM
‎Nov 16 2017 01:07 AM

@Miguel Sanabia, tahnks for the feedback. The best way to provide feature requests is to log them at https://www.skypefeedback.com/

Rachid Rachid
Copper Contributor
‎Dec 27 2017 06:34 AM
‎Dec 27 2017 06:34 AM

Hi,

Is this fonctionality works also for MSI versions?

Thank you

0 Likes
Like
Zoran Cvetkovic
Microsoft
‎Jan 02 2018 12:55 PM
‎Jan 02 2018 12:55 PM

@Rachid Rachid
 Hi

Happy New Year

 

Code was not backported to MSI version.

 

Thank You

0 Likes
Like
Version history
Last update:
‎May 26 2017 08:16 AM
Updated by: