Locking Lync Phones
There are two different types of telephone handsets optimized for Lync which support the ability to be tethered via USB to a Windows PC for a ‘better together’ user experience. In the event that the connected Windows PC is locked manually by a user or automatically by the screen saver then the devices can also be locked, if desired.
- IP Desk Phones – These IP-based handsets run the Lync Phone Edition (LPE) client software and all include at least one Ethernet connection to perform their own SIP registration directly to a Lync Front End server. A subset of these devices also include a USB port for tethering to a PC for a ‘better together’ experience. They primarily communicate over the network but can also interact with the tethered PC for some control commands.
- USB Desk Phones – These handsets are USB-only and do not have their own embedded SIP client nor any network connectivity. They are simply USB peripherals which are typically powered directly from the USB connection and can only communicate with the tethered PC.
As these device types have different use cases and modes of operation, the locking capabilities are also unique to each.
- IP devices can have the interface locked and protected by a PIN known only to the user who first signed into the device. But even while locked the phone will still allow calls to be placed or answered, so this is essentially an interface lock only.
- USB devices have no interface to lock, but the tethered Windows client can be configured to prevent calls from being placed from or answered on the USB device, essentially disabling these devices partially or completely.
IP Desk Phones
There are currently only four qualified Lync devices in this family which also include a USB port for tethering: the Polycom CX600, Polycom CX700, HP 4120, and Aastra 6725ip. As these models all run the Lync Phone Edition client they are often referred to as ‘LPE devices’.
By default Lync Server 2010 enforces automatic locking on any USB-tethered device and this behavior cannot be controlled individually. If the device lock setting is enabled on the device policy which is applied to the device then when the tethered PC is locked the phone will also lock. It is unknown whether the Windows Lync client signals the tethered phone to lock itself when the PC is locked or if the phone itself senses the PC lock event and then locks itself, but regardless the action of locking the PC will trigger the device lock action within about 10 seconds. Unlocking the PC will then trigger the phone to unlock as well. If desired the phone can be manually unlocked using the unlock PIN even if the PC remains locked.
This is the same device lock experience as if the user simply selected the Lock Phone option from the device’s menu. The as-designed behavior is to prevent anyone from accessing any of the information in the phone like contacts, calendar, call logs, etc.
But the phone will still allow inbound calls to be answered and outbound calls to be dialed, although when dialing telephone numbers no client-side normalization feedback will be shown, nor will any directory search results. The placed call will normalize correctly but the actions are hidden from the user so that no information about the directory or any contacts is displayed.
The first image shows a locked device returning no results for the dialed string of ‘7501’, although the call can still be placed and then Lync normalizes the number to a valid Tel URI.
To verify or configure this automatic locking behavior either the Lync Server Control Panel or the Lync Server Management Shell can be used to manage the device configuration policies.
- In the Lync Server Control Panel navigate to Client > Device Configuration and view the default Global policy. Verify that the Enforce Device Locking setting is enabled.
- Alternatively the Lync Server Management Shell can be used to verify the same setting with the Get-CsUCPhoneConfiguration cmdlet.
PS C:\> Get-CsUCPhoneConfiguration -Identity Global
Identity : Global
CalendarPollInterval : 00:03:00
EnforcePhoneLock : True
PhoneLockTimeout : 00:10:00
MinPhonePinLength : 6
SIPSecurityMode : High
VoiceDiffServTag : 40
Voice8021p : 0
LoggingLevel : Off
In this example the default Global device configuration reflects that the basic ability to lock the LPE device is enabled. This simply means that the option to lock a device is presented in the LPE interface, and every time a user signs into a device the setup process will prompt to create a new device lock PIN. This setting has nothing to do with enforcing the automatic device lock when a tethered PC is locked; that behavior is not customizable on its own.
Basically, if device locking is enabled then tethered devices will always automatically lock on a PC lock event, but if the device lock setting is disabled then the devices are incapable of locking at all, so they will not be locked when a tethered PC is locked. The device configuration can only be defined at the global or site level, so if a new configuration policy is defined it will apply to all devices in a specific site; Lync Server 2010 does not provide for user or pool level configurations.
(This section was added August 2014)
By default Lync Phone Edition devices will still allow outbound calls to be dialed directly from the handset even while it is locked. This behavior was not customizable until the introduction of the August 2013 Cumulative Update (CU14) firmware release. When the phone is running firmware version 4.0.7577.4451 or newer it leverages the existing (and previously unused) Lync in-band client policy parameter DisableHandsetOnLockedMachine.
The Set-CsClientPolicy cmdlet in Lync Server is where this parameter is managed which is by default undefined (null) on the default Global client policy.
DisableHandsetOnLockedMachine
When set to True, users will not be able to use their Polycom handset if the computer that the handset is connected to is locked. To use the handset, users will first have to unlock the computer.
When set to False, users will be allowed to use their Polycom handset even if the computer the handset is connected to is locked.
This setting is equivalent to the Communications Server 2007 R2 Group Policy setting "Configure handset use on locked machine."
- To verify the current value of this parameter the Get-CsClientPolicy cmdlet can be used as shown below.
PS C:\> Get-CsClientPolicy -Identity Global | Select-Object DisableHandsetOnLockedMachine | fl
To block the ability to place outbound phone calls from a locked LPE handset simply set this parameter value to ‘True’ as described in KB Article 2988196. If the parameter is not currently defined or is already set to False in an environment then the past dialing behavior will not change with this latest update. Note that there are some additional important steps covered in that article in relation to making sure that emergency 911 calls can still be placed correctly from locked handsets with this parameter enabled.
This parameter has no impact on USB-only desk phones as the parameter is ignored by the Windows Lync client and is only used by Lync Phone Edition IP desk phones.
USB Desk Phones
The Microsoft Lync UC Open Interoperability Program (OIP) website lists a number of USB Audio Devices which are USB-only devices and have a different locking configuration and experience.
As the USB devices do not contain any client software, there is nothing to protect on the devices themselves: there is no access to directory information, contacts, calendar data, etc., so only the actions of answering an incoming call or placing an outgoing call are relevant. There are actually two different configuration scenarios in Lync intended to provide locking of USB-only devices, but only one of them actually works.
This capability was originally introduced back in Office Communicator and was provided via a Group Policy setting called DisableHandsetOnLockedMachine which needed to be configured in the Windows registry of the PC. This parameter has three possible values which can be selected to either disable locking (default), disable outgoing calls only, or disable both outgoing and incoming calls.
The possible values for this policy are as follows:
- 0 = Allow both incoming and outgoing calls when the tethered PC is locked (default behavior).
- 1 = Allow only incoming calls to be answered and prevent outgoing calls from being placed.
- 2 = Block both incoming and outgoing calls.
The middle scenario is unique in that only a USB device with a dial pad, voice mail button, or redial button (like the Polycom CX300) would be able to place an outbound call anyway.
This newer Lync Server in-band policy parameter does not work for USB devices, but the Lync client still adheres to the previous Group Policy setting, so that method must be used to lock down any USB desk phones.
Firstly, the communicator.adm Group Policy template file released for Lync Server does not contain this setting as it was intended to be replaced by in-band functionality. Instead the previous OCS R2 communicator.adm must be used as it contains the desired setting.
- Download the Microsoft Office Communications Server 2007 R2 Client Group Policy Documentation and then open the included communicator.adm file and search for DisableHandsetOnLockedMachine.
PART !!PolicyDisableHandsetOnLockedMachine DROPDOWNLIST NOSORT
NAME !!DisableHandsetOnLockedMachine0 VALUE NUMERIC 0 DEFAULT
NAME !!DisableHandsetOnLockedMachine1 VALUE NUMERIC 1
NAME !!DisableHandsetOnLockedMachine2 VALUE NUMERIC 2
- Note that the category key name used in this template file places any of these parameters in the following registry path. (This setting can be applied to either the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER hive.)
- Continue searching for the same DisableHandsetOnLockedMachine string until the end of the document is reached, where the policy description strings are located. The following excerpt explains the behavior of the parameter and its valid settings (0,1,2).
PolicyDisableHandsetOnLockedMachine="Configure handset use on locked machine"
ExplainText_DisableHandsetOnLockedMachine="This policy specifies the use of a handset on a user’s machine when it is locked. By default, the handset on a locked machine is allowed for both incoming and outgoing call."
DisableHandsetOnLockedMachine0="Allow Incoming and Outgoing Call"
DisableHandsetOnLockedMachine1="Allow Incoming Call Only"
DisableHandsetOnLockedMachine2="No Incoming or Outgoing Calls "
At this point there are two possibilities for configuring this parameter, either by using the ADM template file and pushing the configuration to workstations via Group Policy Objects or by simply setting the specific parameter directly in the registry of a workstation. For testing and demonstration purposes the latter approach will be shown below. For assistance with the Group Policy approach see this Microsoft Support article.
- On the Windows PC which is tethered to the USB desk phone open regedit.exe and navigate to the following key.
- Create a new REG_DWORD (32-bit) Value named DisableHandsetOnLockedMachine and set the value to either 1 (to disable outbound calling) or 2 (to disable all calling).
The resulting value should look like the example below. Exit and restart the Lync client and then connect a USB desk phone (if not already connected) to test the new locking functionality.
Depending on whether the value was set to 1 or 2 then either outbound calls or both inbound/outbound calls will be prevented while the tethered PC is locked. Even devices which contain a dial pad will be prevented from placing dialed calls, calling the voice mail attendant server, or performing a one-touch redial. The device will still allow the user to use the interface and dial numbers, but the call will simply not be placed. If an incoming call is ringing while the PC is locked then the PC can be unlocked and then the call can be immediately answered from the handset.
Microsoft has provided an alternative configuration option which is basically a workaround for the broken default locking policy for USB devices. The guidance is to set the embedded parameter to null and then create a new policy parameter using the exact same name, but setting it to a numeric value. This approach allows the definition of new policy as an Integer type and not a Boolean type, such that the client is then passed in-band the expected value of 0, 1 or 2 instead of an incompatible value of True or False.
It is recommended to use this approach instead of the previously shown registry-based scenario as using the Lync Server in-band policy is easier to manage than out-of-band workstation registry settings.
Using the Lync Server Management Shell enter the following cmdlets one at a time to either create a new client policy or edit an existing client policy, and then redefine the parameter DisableHandsetOnLockedMachine with a proper integer value.
Begin by either creating a new client policy or nulling out the parameter in an existing policy by running one of these commands.
- Use the New-CsClientPolicy cmdlet to create a new client policy (e.g. PhoneLockPolicy).
- If instead using an existing client policy (e.g. Global) then use this command to remove any current value which might be stored in the default parameter. There is no need to run this cmdlet when creating a new client policy using the previous step as the default value is already null.
Set-CsClientPolicy Global -DisableHandsetOnLockedMachine $null
For the remainder of the commands use either the new client policy name (e.g. PhoneLockPolicy) or the desired existing client policy name (e.g. Global). The rest of this example uses the newly created policy.
- Enter the following string to retrieve the desired client policy and store it in a variable.
$policy = Get-CsClientPolicy PhoneLockPolicy
- Enter this string to store the new parameter definition into a variable. Set the Value to either 1 or 2 depending on the desired locking behavior as described in the previous section.
$entry = New-CsClientPolicyEntry -name "DisableHandsetOnLockedMachine" -value "2"
- Enter this string to associate the parameter with the
- Use the Set-CsClientPolicy cmdlet to insert the new parameter configuration into the selected client policy.
Set-CsClientPolicy -Instance $policy
- If a new client policy was created in the first step then assign a Lync user account to it using either the Lync Server Control Panel or the following cmdlet.
Grant-CsClientPolicy email@example.com -PolicyName PhoneLockPolicy
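The procedure above, assembled as an added PowerShell script (not from the original post or from Microsoft) that runs the same cmdlets in order, clears the Boolean parameter if it was set, replaces any earlier custom entry so a re-run does not leave duplicates, and reads the entry back; the policy name PhoneLockPolicy and the default mode 2 are assumptions, the same ones the text uses.

```powershell
# Added example: DisableHandsetOnLockedMachine as an integer client policy entry.
# Save as a .ps1 and run it from the Lync Server Management Shell.
param(
    [string]$PolicyName = 'PhoneLockPolicy',      # assumed policy name
    [ValidateSet(1, 2)][int]$LockMode = 2         # 1 = block outgoing, 2 = block all calls
)

$entryName = 'DisableHandsetOnLockedMachine'

# Create the per-user client policy if it does not exist yet.
if (-not (Get-CsClientPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $PolicyName | Out-Null
}

# The built-in parameter is Boolean; null it so only the integer entry is sent in-band.
if ($null -ne (Get-CsClientPolicy -Identity $PolicyName).DisableHandsetOnLockedMachine) {
    Set-CsClientPolicy -Identity $PolicyName -DisableHandsetOnLockedMachine $null
}

# Work on a fresh copy of the policy object.
$policy = Get-CsClientPolicy -Identity $PolicyName

# Drop any earlier custom entry with the same name so re-runs do not stack duplicates.
$stale = @($policy.PolicyEntry | Where-Object { $_.Name -eq $entryName })
foreach ($old in $stale) { [void]$policy.PolicyEntry.Remove($old) }

# Add the integer-valued entry and write the policy back.
$entry = New-CsClientPolicyEntry -Name $entryName -Value "$LockMode"
$policy.PolicyEntry.Add($entry)
Set-CsClientPolicy -Instance $policy

# Read back what will now be provisioned in-band to users granted this policy.
(Get-CsClientPolicy -Identity $PolicyName).PolicyEntry |
    Where-Object { $_.Name -eq $entryName } |
    Select-Object Name, Value
```

Users still have to be granted the policy with Grant-CsClientPolicy as in the last step above; the read-back at the end should list a single entry whose Value is 1 or 2, never True or False.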
To understand exactly why this configuration works compare the different in-band policy settings which are sent to different Lync users in the example below. After signing-in to the Lync client the user will receive the in-band provisioning settings which can be found in the client tracing log file within the <provisionGroupList> tag.
The first user is assigned to a client policy with the default parameter enabled, which will send only the Boolean values of True or False regardless of how the default parameter was defined and thus would not work as expected.
From: "User 1"<sip:firstname.lastname@example.org>;tag=e0b7cf15f1;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >true</property>
Yet the second user is assigned to the new client policy which can now properly store and assign the numeric value required by the client in order to perform the expected action of locking calls.
From: "User 2"<sip:email@example.com>;tag=18ce319435;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >2</property>
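As an added example (not part of the original post), this PowerShell snippet reads the provisioning properties shown above out of a client tracing log excerpt and reports, per user, whether the value the client received is a usable integer mode or an ineffective Boolean; the log lines embedded here are constructed for the example, and the function names are assumptions.

```powershell
# Added example: classify the DisableHandsetOnLockedMachine value each user actually received.
# Constructed excerpt in the shape of the client tracing log lines quoted in the post.
$traceExcerpt = @'
From: "User 1"<sip:user1@example.com>;tag=e0b7cf15f1;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >true</property>
From: "User 2"<sip:user2@example.com>;tag=18ce319435;epid=183114e4b4
<property name="DisableHandsetOnLockedMachine" >2</property>
'@

# Map the raw in-band value to the behaviour described earlier in the post.
function Get-HandsetLockEffect {
    param([string]$Value)
    switch -Regex ($Value.Trim()) {
        '^0$'            { 'Incoming and outgoing calls allowed while PC locked' }
        '^1$'            { 'Incoming calls only; outgoing calls blocked while PC locked' }
        '^2$'            { 'No incoming or outgoing calls while PC locked' }
        '^(true|false)$' { "Boolean '$Value' received: not honoured for USB devices" }
        default          { "Unexpected value '$Value'" }
    }
}

# Walk the log, remembering the SIP address from each From: header and pairing it
# with the next DisableHandsetOnLockedMachine property that follows it.
function Get-InbandHandsetLockSetting {
    param([string]$LogText)
    $currentUser = $null
    foreach ($line in $LogText -split "`r?`n") {
        if ($line -match '^From:\s*"[^"]*"<sip:([^>]+)>') { $currentUser = $Matches[1]; continue }
        if ($line -match '<property name="DisableHandsetOnLockedMachine"\s*>([^<]*)</property>') {
            [pscustomobject]@{
                User     = $currentUser
                RawValue = $Matches[1]
                Effect   = Get-HandsetLockEffect $Matches[1]
            }
        }
    }
}

Get-InbandHandsetLockSetting -LogText $traceExcerpt | Format-Table -AutoSize
```

Point the function at a real UCCAPI log by reading the file with Get-Content -Raw; a user whose RawValue shows true or false is still on the Boolean default parameter and needs the integer policy entry.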