SOLVED

Polycom VVX 600 and MFA

Has anyone had any luck with the Polycom VVX 600 and signing into S4B when you have MFA enabled on your account?  Or for that matter any Polycom device?  I've tried app passwords and those don't seem to work either.  I haven't seen any documentation anywhere if this is supported or not, so just curious if anyone has any information about it and if it's not supported, when it might be.

38 Replies

Hi Neil,

 

After Jeff's steer to use the web sign in method things have been ok for me. To be fair we're only trialling this with around a dozen users. But with them all on the most recent software (5.7.1.2205 as of this post) we haven't been experiencing any sign-outs. In fact I've been impressed (and very happy) at being able to unplug my phone, hot desk to another part of the office, plug my phone in there and then have it come back up with my account signed in automatically no questions asked - perfect.

 

Will post again if things go off the rails, but so far so good here.

 

Best regards,

 

James  

Hi James,

 

Thanks for this update, my handset may be a software version or two out of date, so I will update to the latest version and post back how I get on.

 

Thanks again

 

Neil

It is 2 years later and there is still no workable solution for these phones. It is quite unbelievable when you think that this is (or once was) such a strategic collaboration for MS and Polycom, and that they have not managed to work something out. I am the only one in my office who puts up with checking my phone in the morning and signing in again if needed, so that I can make and receive calls during the day. Everybody else resorted to using their personal cell phones. But we are paying through the nose for the E5 licenses and calling plans.
Now, over the past couple of months, things seem to have taken a turn for the worse. The latest firmware that MS is pushing down (5.8.0.12848) broke our ability to authenticate with the phones ("failed to fetch user certificate"). I suspect that this has to do with MS adding support for Teams and that this introduced a glitch. I now have to pin my firmware to the last one where web sign-in worked, which means that even if there ever is a fix for allowing MFA with app passwords on the device, I will not get it because I cannot allow the phones to upgrade the firmware ..... 
Is there anybody out there who deployed SFB Online with Lync handsets and can claim that it was a success? Or are the people in this thread the last few who are trying to make it work?

Hi Christian,

After our pilot earlier in the year we rolled it out to all our non-mobile users (x80). Setup did take a lot of work to get my head round, but once we had the FTP server running, the right network settings in place and the handset config files set the way we wanted, they've been working well for us.

We also use MFA and I do experience the very occasional, "failed to fetch user certificate" error, but then next time round it will log straight in just fine (always using Web Sign-in) - not sure why (might be after disabling / re-enabling MFA on my account which I've had to do a couple of times?).

We are currently on software version: 5.8.1.6389. We needed to disable the auto-update feature though - for some reason the MS version that gets pulled down is a fair few versions behind the latest version on the Polycom website, which confused me for a bit. In summary I do have a few more grey hairs from this but on reflection I would call it a success for our org. Now if only the pricing was a bit more reasonable...

James,

 

Very exciting to hear you got it working.  Are you by chance using a SfB Online account or do you host Skype yourselves locally?  We host our own SfB server and I get the "failed to fetch user certificate" error when attempting to sign in using the web sign-in method.

 

Thanks!

-Brad

Brad, the Web Sign-In method is currently still only available for use with Skype for Business Online accounts, not SfB Server accounts.  Microsoft is working on a solution for this though, so hang tight.

Yes Brad, no on-prem server - for better or worse we've gone 'full cloud'. We moved offices recently and it seemed like a good point at which to retire our 16 yr old PBX (and remove another bit of kit from the comms room).

Jeff, Web Sign-in is also the _only_ option currently available for SFB Online with MFA enabled. This is classified information, apparently, because nowhere in the process of enabling (and enforcing) MFA for our users did I run into a warning that would have alerted me of this. But just the other day I found this recently updated document that clarifies it (scroll down to the table of sign-in options for various deployment scenarios):
https://docs.microsoft.com/en-us/skypeforbusiness/what-is-phone-system-in-office-365/getting-phones-...

And by the way, thank you, Jeff, for all the great information about SFB and the Polycom phones that you have assembled and curated over the years. Things would have been much more difficult for many of us without your blog.

Initiating a web sign-in from VVX-601 worked perfectly for me, thanks.

Not today, sadly. Azure MFA out of service and we are completely crippled, not just the phones.

 

Ouch.  It must be Plantronics' fault ;)

Is this still working for you? I am now getting an error "network is down unable to get url and pair code". I am certain that the network is not down as the username/password authentication still does not work with MFA enabled (using app password) as demonstrated by various errors that confirm connectivity.

Thanks for any info!

Aside from some occasional requests by SfB to re-authenticate, the integration with my VVX 601 on my MFA enabled O365 account is stable.  Contact syncing is my problem.

 


@afar wrote:

Is this still working for you? I am now getting an error "network is down unable to get url and pair code". I am certain that the network is not down as the username/password authentication still does not work with MFA enabled (using app password) as demonstrated by various errors that confirm connectivity.

Thanks for any info!



, argh.

It works for me. I had to pin my firmware to 5.7.1.3782 and disallow auto-upgrades. 

I learned that this needs to be configured on the Skype side, not the phone. Here is the PS script that I use:

 

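```powershell
# Permit local scripts; scripts downloaded from the internet must be signed
Set-ExecutionPolicy RemoteSigned
# Connect to Skype for Business Online
Import-Module LyncOnlineConnector
$session = New-CsOnlineSession
Import-PSSession $session
Get-Module
# Show the current IP phone policy, then turn off device (firmware) updates
Get-CsIPPhonePolicy
Set-CsIPPhonePolicy -EnableDeviceUpdate $false
Get-CsIPPhonePolicy
# Better Together over Ethernet settings
Set-CsIPPhonePolicy -EnableBetterTogetherOverEthernet $true
Get-CsIPPhonePolicy
Set-CsIPPhonePolicy -BetterTogetherOverEthernetPairingMode Auto
Get-CsIPPhonePolicy
# User dial timeout, in milliseconds
Set-CsIPPhonePolicy -UserDialTimeoutMS 10000
```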

 

Also great - the ability to change the token lifetime to the max allowed (was it 30 or 60 days?), it has become much less bothersome.

@Christian Donner Could you expand on how you extended the token lifetime please? Thanks!

@Christian Donner We are also looking out how to expand the token lifetime.  Our users are getting signed out every few days. Can you provide any details on how you achieved this?

Thanks!

@CosmoDenger  I wish I remembered this. Maybe https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

I will have to research but no time at the moment. It was definitely on one of the admin portals.

@Christian Donner, Thanks!  I was just looking at the same thing.  I'll see what I can find out and report back.