Locking Lync Phones

September 19, 2012 by Jeff Schertz

There are two different types of telephone handsets optimized for Lync which support the ability to be tethered via USB to a Windows PC for a ‘better together’ user experience.  In the event that the connected Windows PC is locked manually by a user or automatically by the screen saver then the devices can also be locked, if desired.

  • IP Desk Phones – These IP-based handsets run the Lync Phone Edition (LPE) client software and all include at least one Ethernet connection, which they use to perform their own SIP registration directly against a Lync Front End server.  A subset of these devices also includes a USB port for tethering to a PC for the ‘better together’ experience.  They communicate primarily over the network but can also exchange some control commands with the tethered PC.

  • USB Desk Phones – These handsets are USB-only and do not have their own embedded SIP client nor any network connectivity.  They are simply USB peripherals which are typically powered directly from the USB connection and can only communicate with the tethered PC.

As these device types have different use cases and modes of operation, the locking capabilities are also unique to each.

  • IP devices can have the interface locked and protected by a PIN known only to the user who first signed into the device.  But even while locked the phone will still allow calls to be placed or answered, so this is essentially an interface lock only.

  • USB devices have no interface to lock, but the tethered Windows client can be configured to prevent calls from being placed from or answered on the USB device, essentially disabling these devices partially or completely.

IP Desk Phones

There are currently only four qualified Lync devices in this family which also include a USB port for tethering: the Polycom CX600, Polycom CX700, HP 4120, and Aastra 6725ip.  As these models all run the Lync Phone Edition client they are often referred to as ‘LPE devices’.


Behavior

By default Lync Server 2010 enforces automatic locking on any USB-tethered device and this behavior cannot be controlled individually.  If the device lock setting is enabled on the device policy which is applied to the device then when the tethered PC is locked the phone will also lock.  It is unknown whether the Windows Lync client signals the tethered phone to lock itself when the PC is locked or if the phone itself senses the PC lock event and then locks itself, but regardless the action of locking the PC will trigger the device lock action within about 10 seconds. Unlocking the PC will then trigger the phone to unlock as well.  If desired the phone can be manually unlocked using the unlock PIN even if the PC remains locked.

This is the same device lock experience as if the user simply selected the Lock Phone option from the device’s menu.  The as-designed behavior is to prevent anyone from accessing any of the information in the phone like contacts, calendar, call logs, etc.


But the phone will still allow inbound calls to be answered and outbound calls to be dialed.  When dialing a telephone number on a locked phone, however, no client-side normalization feedback is shown and no directory search results are returned.  The placed call is still normalized correctly, but these actions are hidden from the user so that no information about the directory or any contacts is displayed.

The first image shows a locked device returning no results for the dialed string of ‘7501’, although the call can still be placed and then Lync normalizes the number to a valid Tel URI.


Configuration

To verify or configure this automatic locking behavior either the Lync Server Control Panel or the Lync Server Management Shell can be used to manage the device configuration policies.

  • In the Lync Server Control Panel navigate to Client > Device Configuration and view the default Global policy.  Verify that the Enforce Device Locking setting is enabled.


  • Alternatively the Lync Server Management Shell can be used to verify the same setting with the Get-CsUCPhoneConfiguration cmdlet.

PS C:\> Get-CsUCPhoneConfiguration -Identity Global

Identity             : Global
CalendarPollInterval : 00:03:00
EnforcePhoneLock     : True
PhoneLockTimeout     : 00:10:00
MinPhonePinLength    : 6
SIPSecurityMode      : High
VoiceDiffServTag     : 40
Voice8021p           : 0
LoggingLevel         : Off

In this example the default Global device configuration shows that the basic ability to lock the LPE device is enabled.  This simply means that the option to lock a device is presented in the LPE interface, and every time a user signs into a device the setup process will prompt to create a new device lock PIN.  This setting does not itself enforce the automatic device lock when a tethered PC is locked; that behavior is not customizable on its own.

In short, if device locking is enabled then tethered devices will always lock automatically on a PC lock event, but if the device lock setting is disabled then the devices are incapable of locking at all, so they will not be locked when a tethered PC is locked.  The device configuration can only be defined at the global or site level, so if a new configuration policy is defined it will apply to all devices in a specific site; Lync Server 2010 does not provide for user or pool level configurations.

Additional Settings

(This section was added August 2014)

By default Lync Phone Edition devices will still allow outbound calls to be dialed directly from the handset even while it is locked.  This behavior was not customizable until the introduction of the August 2013 Cumulative Update (CU14) firmware release.  When the phone is running firmware version 4.0.7577.4451 or newer it now leverages the existing (and previously unused) Lync in-band client policy parameter DisableHandsetOnLockedMachine.

The Set-CsClientPolicy cmdlet in Lync Server is where this parameter is managed which is by default undefined (null) on the default Global client policy.

DisableHandsetOnLockedMachine: When set to True, users will not be able to use their Polycom handset if the computer that the handset is connected to is locked. To use the handset, users will first have to unlock the computer.

When set to False, users will be allowed to use their Polycom handset even if the computer the handset is connected to is locked.

This setting is equivalent to the Communications Server 2007 R2 Group Policy setting “Configure handset use on locked machine.”

  • To verify the current value of this parameter the Get-CsClientPolicy cmdlet can be used as shown below.

PS C:\> Get-CsClientPolicy -Identity Global | Select-Object DisableHandsetOnLockedMachine | fl

DisableHandsetOnLockedMachine :

To block the ability to place outbound phone calls from a locked LPE handset simply set this parameter value to ‘True’ as described in KB Article 2988196. If the parameter is not currently defined or is already set to False in an environment then the previous dialing behavior will not change with this latest update.  Note that there are some additional important steps covered in that article in relation to making sure that emergency 911 calls can still be placed correctly from locked handsets with this parameter enabled.

This parameter has no impact on USB-only desk phones as the parameter is ignored by the Windows Lync client and is only used by Lync Phone Edition IP desk phones.

USB Desk Phones

The Microsoft Lync UC Open Interoperability Program (OIP) website lists a number of USB Audio Devices which are USB-only devices and have a different locking configuration and experience.


Behavior

As the USB-devices do not contain any client software then there is nothing to protect on the devices themselves.  There is no access to directory information, contacts, calendar data, etc.  Only the actions of answering an incoming call or placing an outgoing call are relevant.  There are actually two different configuration scenarios in Lync intended to provide locking of USB-only devices, but only one of these scenarios actually works.

This capability was originally introduced back in Office Communicator and was provided via a Group Policy setting called DisableHandsetOnLockedMachine which needs to be configured in the Windows registry of the PC.  This parameter has three possible configurations which can be selected to either disable locking (default), disable outgoing calls only, or disable both outgoing and incoming calls.

The possible values for this policy are as follows:

  • 0 = Allow both incoming and outgoing calls when the tethered PC is locked (default behavior).
  • 1 = Allow only incoming calls to be answered and prevent outgoing calls from being placed.
  • 2 = Block both incoming and outgoing calls.

The middle scenario is unique in that only a USB device with a dial pad, voice mail button, or redial button (like the Polycom CX300) would be able to place an outbound call anyway.

Configuration

The newer Lync Server in-band client policy parameter does not work for USB devices, but the Lync client still honors the previous Group Policy setting, so that method must be used to lock down any USB desk phones.

Firstly, the communicator.adm Group Policy template file released for Lync Server does not contain this setting as it was intended to be replaced by in-band functionality.  Instead the previous OCS R2 communicator.adm must be used as it contains the desired setting.

POLICY !!PolicyDisableHandsetOnLockedMachine
EXPLAIN !!ExplainText_DisableHandsetOnLockedMachine
    PART !!PolicyDisableHandsetOnLockedMachine DROPDOWNLIST NOSORT
    VALUENAME "DisableHandsetOnLockedMachine"
        ITEMLIST
        NAME !!DisableHandsetOnLockedMachine0 VALUE NUMERIC  0 DEFAULT
        NAME !!DisableHandsetOnLockedMachine1 VALUE NUMERIC  1
        NAME !!DisableHandsetOnLockedMachine2 VALUE NUMERIC  2
        END ITEMLIST
    END PART
END POLICY

  • Note the category key name used in this template file, which places any of these parameters in the following registry path.  (This setting can be applied to either the HKEY_Local_Machine or HKEY_Local_User hive.)

KEYNAME "Software\Policies\Microsoft\Communicator"

  • Continue searching for the same DisableHandsetOnLockedMachine string until the end of the document is reached, where the policy description strings are located.  The following excerpt explains the behavior of the parameter and its valid settings (0, 1, 2).

PolicyDisableHandsetOnLockedMachine="Configure handset use on locked machine"

ExplainText_DisableHandsetOnLockedMachine="This policy specifies the use of a handset on a user’s machine when it is locked.  By default, the handset on a locked machine is allowed for both incoming and outgoing call."

DisableHandsetOnLockedMachine0="Allow Incoming and Outgoing Call"
DisableHandsetOnLockedMachine1="Allow Incoming Call Only"
DisableHandsetOnLockedMachine2="No Incoming or Outgoing Calls "

At this point there are two possibilities for configuring this parameter, either by using the ADM template file and pushing the configuration to workstations via Group Policy Objects or by simply setting the specific parameter directly in the registry of a workstation.  For testing and demonstration purposes the latter approach will be shown below.  For assistance with the Group Policy approach see this Microsoft Support article.

  • On the Windows PC which is tethered to the USB desk phone open regedit.exe and navigate to the following key.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Communicator

  • Create a new REG_DWORD (32-bit) Value named DisableHandsetOnLockedMachine and set the value to either 1 (to disable outbound calling) or 2 (to disable all calling).


The resulting value should look like the example below.  Exit and restart the Lync client and then connect a USB desk phone (if not already connected) to test the new locking functionality.

Depending on whether the value was set to 1 or 2 then either outbound calls or both inbound/outbound calls will be prevented while the tethered PC is locked.  Even devices which contain a dial pad will be prevented from placing dialed calls, calling the voice mail attendant server, or performing a one-touch redial.  The device will still allow the user to use the interface and dial numbers, but the call will simply not be placed.  If an incoming call is ringing while the PC is locked then the PC can be unlocked and then the call can be immediately answered from the handset.
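The registry steps above as one repeatable script (an added example, not code from the original post): it creates the policy key if missing, writes the REG_DWORD value, and reads back the effective mode. The function names and the $ModeText table are this example's own; the key path and value name are the ones the article uses.

```powershell
# Added example, not from the original post. Writes the Group Policy value the
# article describes to the registry of the tethered PC and reads it back.
# Must run elevated, because the key lives under HKEY_LOCAL_MACHINE.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Communicator'
$ValueName = 'DisableHandsetOnLockedMachine'

# Meaning of each value, taken from the OCS R2 communicator.adm strings
$ModeText = @{
    0 = 'Allow Incoming and Outgoing Call'
    1 = 'Allow Incoming Call Only'
    2 = 'No Incoming or Outgoing Calls'
}

function Set-HandsetLockMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]     # only the three values the policy defines
        [int]$Mode
    )

    # Policy keys are not present on a workstation by default
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # REG_DWORD (32-bit) value, overwriting any earlier setting
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Mode -Force | Out-Null
}

function Get-HandsetLockMode {
    # Returns the effective mode; a missing value means the default (0)
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

# Example usage: block outbound calls only (1), then confirm what is stored.
# The Lync client must be restarted before the new value takes effect.
Set-HandsetLockMode -Mode 1
$current = Get-HandsetLockMode
'{0} = {1} ({2})' -f $ValueName, $current, $ModeText[$current]
```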

Alternate Configuration

Microsoft has provided an alternative configuration option which is basically a workaround for the broken default locking policy for USB devices.  The guidance is to set the embedded parameter to null and then create a new policy parameter using the exact same name, but setting it to a numeric value.  This approach allows the definition of new policy as an Integer type and not a Boolean type, such that the client is then passed in-band the expected value of 0, 1 or 2 instead of an incompatible value of True or False.

It is recommended to use this approach instead of the previously shown registry-based scenario as using the Lync Server in-band policy is easier to manage than out-of-band workstation registry settings.

Using the Lync Server Management Console enter the following cmdlets one at a time to either create a new Client Policy or edit an existing client policy, and then redefine the parameter DisableHandsetOnLockedMachine with a proper integer value.

Begin by either creating a new client policy or nulling out the parameter in an existing policy by running one of these commands.

  • Use the New-CsClientPolicy cmdlet to create a new client policy (e.g. PhoneLockPolicy). 

New-CsClientPolicy PhoneLockPolicy

  • If instead using an existing client policy (e.g. Global) then use this command to remove any current value which might be stored in the default parameter.  There is no need to run this cmdlet when creating a new client policy using the previous step as the default value is already null.

Set-CsClientPolicy Global -DisableHandsetOnLockedMachine $null

For the remainder of the commands use either the new client policy name (e.g. PhoneLockPolicy) or the desired existing client policy name (e.g. Global).  The rest of this example uses the newly created policy.

  • Enter the following string  to retrieve the desired client policy and store it in a variable.

$policy = Get-CsClientPolicy PhoneLockPolicy

  • Enter this string to store the new parameter definition into a variable.  Set the Value to either 1 or 2 depending on the desired locking behavior as described in the previous section.

$entry = New-CsClientPolicyEntry -name "DisableHandsetOnLockedMachine" -value "2"

  • Enter this string to associate the parameter with the

$policy.policyentry.add($entry)

  • Use the Set-CsClientPolicy cmdlet to insert the new parameter configuration into the selected client policy.

Set-CsClientPolicy -Instance $policy

  • If a new client policy was created in the first step then assign a Lync user account to it using either the Lync Server Control Panel or the following cmdlet.

Grant-CsClientPolicy steve@mslync.net -PolicyName PhoneLockPolicy
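The alternate configuration above collected into one script that can be re-run to change the mode (an added example, not code from the original post). It assumes the Lync Server Management Shell; PhoneLockPolicy and steve@mslync.net are the article's placeholder names, and the Remove() call on the PolicyEntry collection is assumed to mirror the Add() call the article uses.

```powershell
# Added example, not from the original post. Nulls the built-in Boolean
# parameter and stores the numeric value as a custom policy entry, then
# verifies what the policy actually holds. Run in the Management Shell.

$PolicyName = 'PhoneLockPolicy'            # or 'Global' to edit that policy
$EntryName  = 'DisableHandsetOnLockedMachine'
$Mode       = 2                            # 1 = block outbound, 2 = block all
$TestUser   = 'steve@mslync.net'           # placeholder user

# Create the client policy if it does not exist yet
$policy = Get-CsClientPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    New-CsClientPolicy -Identity $PolicyName | Out-Null
}

# The built-in parameter must be null; otherwise the client is sent
# 'true'/'false' in-band, which it cannot act on for USB devices
Set-CsClientPolicy -Identity $PolicyName -DisableHandsetOnLockedMachine $null

# Re-read the policy and drop any earlier custom entry with the same name
# (assumed: Remove() on the collection, the counterpart of Add())
$policy = Get-CsClientPolicy -Identity $PolicyName
$old = @($policy.PolicyEntry | Where-Object { $_.Name -eq $EntryName })
foreach ($e in $old) { $policy.PolicyEntry.Remove($e) | Out-Null }

# Add the numeric entry and write the policy back
$entry = New-CsClientPolicyEntry -Name $EntryName -Value $Mode.ToString()
$policy.PolicyEntry.Add($entry)
Set-CsClientPolicy -Instance $policy

# A new per-user policy has no members until granted
if ($PolicyName -ne 'Global') {
    Grant-CsClientPolicy -Identity $TestUser -PolicyName $PolicyName
}

# Verify: built-in value empty, custom entry numeric
$check  = Get-CsClientPolicy -Identity $PolicyName
$stored = $check.PolicyEntry | Where-Object { $_.Name -eq $EntryName }
[pscustomobject]@{
    Policy       = $check.Identity
    BuiltInValue = $check.DisableHandsetOnLockedMachine   # expect blank
    CustomEntry  = $stored.Value                           # expect 1 or 2
}
```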

To understand exactly why this configuration works compare the different in-band policy settings which are sent to different Lync users in the example below.  After signing in to the Lync client the user will receive the in-band provisioning settings, which can be found in the client tracing log file within the <provisionGroupList> tag.

The first user is assigned to a client policy with the default parameter enabled, which will send only the Boolean values of True or False regardless of how the default parameter was defined and thus would not work as expected.

From: "User 1"<sip:user1@mslync.net>;tag=e0b7cf15f1;epid=183114e4b4

<property name="DisableHandsetOnLockedMachine" >true</property>

Yet the second user is assigned to the new client policy which can now properly store and assign the numeric value required by the client in order to perform the expected action of locking calls.

From: "User 2"<sip:user2@mslync.net>;tag=18ce319435;epid=183114e4b4

<property name="DisableHandsetOnLockedMachine" >2</property>
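A small check over the tracing-log excerpts above (an added example, not code from the original post): it pairs each property with the preceding From: line and reports whether the client received the usable numeric form or the ineffective Boolean form. The log text is constructed here to mirror the two excerpts; the function name is this example's own.

```powershell
# Added example, not from the original post. Parses in-band provisioning lines
# from a Lync client tracing log and classifies the value each user received.

# Constructed sample mirroring the two excerpts in the article
$LogText = @'
From: "User 1"<sip:user1@mslync.net>;tag=e0b7cf15f1;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >true</property>
From: "User 2"<sip:user2@mslync.net>;tag=18ce319435;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >2</property>
'@

function Get-HandsetLockProvisioning {
    param([Parameter(Mandatory = $true)][string]$Text)

    $user = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Remember which user the following properties belong to
        if ($line -match 'From:\s*"[^"]*"<sip:([^>]+)>') {
            $user = $Matches[1]
            continue
        }

        if ($line -match '<property name="DisableHandsetOnLockedMachine"\s*>([^<]*)</property>') {
            $raw = $Matches[1].Trim()
            # Only 0, 1 or 2 is meaningful to the client for USB devices
            $verdict = switch -Regex ($raw) {
                '^[012]$'        { "numeric: client enforces mode $raw" }
                '^(true|false)$' { 'Boolean: client ignores this value' }
                default          { 'unexpected value' }
            }
            [pscustomobject]@{ User = $user; Value = $raw; Verdict = $verdict }
        }
    }
}

Get-HandsetLockProvisioning -Text $LogText | Format-Table -AutoSize
```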

About Jeff Schertz
Site Administrator


33 Responses to “Locking Lync Phones”
  1. AIP_TJ says:

    This is a great topic. I am wondering if this has been the behavior, locking an unlocking along with the connected workstation, since Lync was released or was this added in an update?

    I was previously not aware of this. We thought locking was entirely independent of anything else and given the fact that users need to remember at least 2 other PINs we turned locking off.

    I will now consider turning it back on as long as the phones can be used for calls when locked and will unlock seamlessly when the user logs into their workstation, requiring no extra effort.

    Does anyone know the behavior I can expect when enabling locking in an environment where it was previously disabled? Will phones prompt users to add a PIN?

    Thanks!

    • jeffschertz says:

      If you re-enable the device locking parameter in the device policy then users will be asked to set a device PIN upon signing into the phones. As I have not tested this scenario I don't know what the phone's behavior will be when it picks up the policy change. I would assume that nothing changes until the user is signed out, but it's possible that the device would prompt the user to set a device lock PIN right away.

  2. Ismael Batista says:

    Hi Jeff, I tested with the model LG-Nortel IP8540 and it does not work; any differences from the LPE?

    As always great article, congratulations!

  3. Diego Bravo says:

    Hi Jeff, I have a need: I need to block outbound calls when the phone is locked. Right now, when the phone is locked, the normalization is not working, but if I try to dial, the call goes out successfully.

    Do you have any clue for my need?

    Regards

    • jeffschertz says:

      You cannot block calls on the LPE devices, that is by design. When locked any digits entered will not appear to normalize, but the string will normalize and dial correctly. The reason that the normalization does not appear on the handset is to hide the contents of the Lync directory, no contact matches or names will appear when searching.

  4. Shahim says:

    Thanks for your Great Support !!!!!

  5. @huddleto says:

    Is there a way to keep phone locking enforced globally but turn it off for one or two phones? We have some generic accounts tied to counter phones which aren't really assigned to a real user. The phone saying it's locked is proving to be very confusing to part-time student workers here at our college.

    • jeffschertz says:

      Yes, notice the update I added to the end of this article. You can assign the users on the couple phones you don't want to lock to a different client policy without locking enabled.

      • Rob says:

        The article mentions that IP Devices adhere to only the global or site device policy. How can I disable the locking on a reception phone within a site without needing to create a fake site to put that account into?

        • jeffschertz says:

          Unfortunately this is not possible as all devices in a site share a common site configuration.

        • Diego Bravo says:

          Hi Rob, we have the same situation. Our temporary solution was to teach users the log off option of the phone. Every night each user logs off their phone, and in the morning when they log in to the PC, Lync asks for the password and the phone logs in automatically. And we made a change to the Lync policies, for time zone and other options, to always select the same defaults.
          I hope that this can help you.

  6. Sami says:

    Hello Jeff, great article. We have a bunch of Polycom CX600s and I'm facing the problem that when the phone is locked, phone calls can still be made. Will DisableHandsetOnLockedMachine fix the problem? And is it supported on the CX600? Thanks

    • jeffschertz says:

      As explained in this article that is the as-designed behavior and Microsoft has not commented on any plans to change that in Lync Phone Edition.

  7. Alex says:

    Hey Jeff, I'm wondering if there is any way in the world that I can have one Polycom CX700 to prevent from locking? We have a nice IT Collaboration room that is booked via Outlook (standard resource booking) and I want to put Polycom CX700 into window and select Calendar on the phone so anyone passing by can see booking time for this room for this day. Calendar view is super cool feature of CX700 large LCD screen and I really miss all of the charm with Polycom CX600 phones (even though they can display photos but still CX700 remains my favorite phone of all times). We must have a global policy to lock phones after 15 minutes (similar to Screen Saver on PC) but I really need one phone to be exempted from policy somehow. Is that possible? I really need this…

    • jeffschertz says:

      This is not possible as the device lock policy is defined at the site level and will apply to all devices in a defined Lync site. The only thing I can think of would be to deploy an entirely new pool in a new Lync site and move the user account for the CX700 to it, but that would be massive back-end overhead simply for a single user/device.

  8. Ian says:

    Hi Jeff, is this "locking a phone but can still dial" still an issue with Lync 2013? Any way around it?

  9. Alverez says:

    Hey Jeff (or anyone) – Since the CsUCPhoneConfiguration is either global or site-based, does the enforce auto-lock time-out apply to common area phones as well? In other words if our company is not enforcing auto-lock today but have many common area phones, could we expect these phones to lock once enabled and the timeout value is reached?

    • Jeff Schertz says:

      Yes, that parameter applies to all Lync Phone Edition devices globally or in a defined site. But understand that the device locking behavior only applies to standard Lync accounts, not CAP accounts. So in the event that a standard Lync user account (like an employee or room account) is signed on to the phone then it will automatically be locked. If a true CAP account (AD contact, no Exchange mailbox) is signed in on ANY phone (CX500, 600, etc.) then the device will NOT be locked. (The device unlock PIN that is set when signing into a CAP account the first time is used for administrators to unlock the ‘settings’ portion of the phone.)

  10. Trond E. Gjelsvik-Bakke says:

    Hi.

    Will this also apply for Common Area Phone ?

    • Jeff Schertz says:

      You cannot USB tether a Common Area Phone device (like the CX500) so those options are not applicable. Only settings like the device timeout locking, for example, which are not dependent on the ‘Better Together’ tethering.

  11. Fritz says:

    Hi Jeff, I’m a bit new to Lync Phone support and I noticed when a Polycom CX600 is locked there is no way to “Switch User” that I can see. Our office does not have assigned cubicles/desks (most of our employees travel so office personnel change daily) so users sit anywhere they want. So when one user leaves for the day the phone is locked. If a different user comes in they have no way to switch user or unlock the phone without a hard reset. Is there any way to enable the switch user option on a locked phone?

    • Fritz says:

      forgot to mention we are using Lync 2010

    • Jeff Schertz says:

      You need to have the phones first logged in using a Common Area Account, then the individual users will sign in OVER that account. This will allow for switching users as well as utilizing the hotdesking timeout.

      • Fritz says:

        thanks for responding Jeff. I’m not familiar with hotdesk or common area accounts. So once I get a common area account on and the user is able to log in over that, then what happens when that user leaves for the day and the phone is locked the next day for a different user? Will the switch user option then remain? I just want to be able to have users use the phone without having IT come over every time to hard reset every time.

        • Brian Longoria says:

          Your hotdesk timeout can be adjusted. Make it 10 hours (600 minutes) and even your late sales guys ;P that log in at 10am will be logged out of the phone by 8pm.

  12. David says:

    Hi Jeff,
    Great article, as with a lot of your others it’s very clear. I have applied the csclientpolicy changes in my Lync 2013 environment however the phone never locks and I’m still able to make outbound calls. It’s a Polycom CX600 phone and the firmware is at the latest version. I have tried the registry edits on the local computer as well, still with no joy. The phone is definitely connected and recognised by the computer, is there anything you can suggest?

    Thank you
    David

    • Jeff Schertz says:

      The configuration has not changed since I wrote this article so I can’t say why it’s not picking up the changes. I’d wipe the phone config and re-register the user account to make sure that the latest policy is applied.

  13. Korbyn says:

    Do you happen to have a list of Client PolicyEntry options that are available for use with CX series phones? Specifically I’m wanting to change the user dial timeout value. I can do it on the VVX phones, but now CX users are jealous…
    Thanks,
    Korbyn

  14. Joel C. says:

    Any word on how to do this for S4B Online with CX600 phones. There’s an IP Phone policy built-in that locks the phone, but I cannot manipulate it, or find how/where to do so.
