Device Updates with Skype for Business Online
As outlined in this previous article a wide array of Polycom phones are now supported directly with Skype for Business Online in Office 365. In the past dealing with device updates has been covered in several articles for the different device families and models. These same concepts still generally apply when using the devices with Skype for Business Online but the configuration and management is slightly different.
While separate provisioning servers can still be utilized with the various 3PIP devices, the guidance across all of the previous articles is focused on traditional on-premises deployments of Lync and Skype for Business server platforms. But what about the growing number of environments where none of those components exist and literally everything outside of the clients and end-user devices are simply leveraging the Office 365 cloud platform?
This article addresses these online-only tenants with guidance on how to manage IP phone firmware without using any additional management solutions. Keep in mind that some of these management tasks may become even easier in the future, as Microsoft’s recent acquisition of some portions of Event Zero’s UC Commander platform could materialize into more direct control of Polycom UCS configuration parameters inside of the Office 365 administration portals.
With the introduction of official support for Qualified IP Phones in the online platform there arose a need to offer some sort of firmware management capability that resembles what the existing Lync and Skype for Business server installations already offered. This is handled by the native Device Update service which is already part of Skype for Business Server. The main difference though is that while on the on-premises server platform the configuration is performed through a combination of Control Panel settings and Management Shell cmdlets, Office 365 administrators only have access to settings exposed in the online Administration Portal. There is a limited subset of cmdlets defined for online tenants which do not match the vast array of on-premises server cmdlets.
Office 365 administrators today are given control of only a few IP Phone-specific options, which include the ability to disable the default in-band firmware update behavior. Microsoft controls what firmware version this will be, so an administrator can only control whether or not they want the officially approved and supported firmware automatically deployed to their VVX phones, which is enabled by default. It is not possible to select or upload a desired version using the device update service in Office 365 like an on-premises deployment offers. To utilize any version other than the currently approved release the automatic update behavior must manually be disabled.
At the time this article was written only the Polycom VVX IP phones will automatically receive device updates when registered with a Skype for Business Online user account. The Trio 8800 conference phone, which is part of the same core Unified Communications Software (UCS) family, does not yet receive updates from the Skype for Business Online device update server. Lync Phone Edition devices also do not receive firmware updates when registered directly to Skype for Business Online.
As outlined in Adam Jacob’s article earlier this year a pair of new cmdlets were added to the Skype for Business Online PowerShell Module for controlling some behavior of the IP Phones. These new Get-CsIPPhonePolicy and Set-CsIPPhonePolicy cmdlets are only available using the online management shell.
- Using Skype for Business Online Management Shell issue the Get-CsIPPhonePolicy cmdlet to review the following default configuration for any Office 365 tenant. Note that the EnableDeviceUpdate parameter is set to True by default.
When a VVX phone is registered with a user account in this online tenant running at least the minimum required 5.4.0A firmware version it will automatically check with the device update server when signing in or booting up with previously entered cached credentials.
Shortly after a successful registration the phone may display a message that a new firmware update is available. This will happen if the phone is currently running a version which does not exactly match the version that Microsoft currently has published on their servers. As is always the case with the device update process, it does not matter if the existing version is older or newer, meaning the phone can upgrade or downgrade based on its version compared to the version advertised by the server.
So if the phone has detected that a different version is available on the server then an alert notification message will be shown on the Warnings screen, which is reported on the Alert icon on the top-left corner of the home screen.
For example the phone used to capture these screenshots is a VVX 601 running the most recent 126.96.36.19941 version of software supported for on-premises Lync and Skype for Business environments.
Understand that Microsoft publishes only the most recently qualified version for Skype for Business Online. While updated versions are released for Skype for Business on-premises deployments often not every individual release goes through the complete online qualification process. The point here is that the most current version that is both qualified and fully supported by Microsoft and Polycom is what should be used on O365-registered phones. Leaving the device update service enabled is currently the best practice for keeping the phones on that specific approved version.
As shown above the qualified version at the time of writing this article is 188.8.131.5253 which is a few releases older than the 184.108.40.20641 version currently installed on this specific phone.
So what will happen here is that as soon as this phone is left inactive for 15 minutes (900 seconds) it will automatically begin the process of installing the approved firmware version from the server, effectively downgrading the device to the older, approved version. Also note that the Reboot button on the above screen can be used to immediately trigger the update process as opposed to waiting for the inactivity timeout to be reached.
The Lync Device Update menu shown below can be used to see the last time the phone checked in with the device update service.
Home > Settings > Status > Diagnostics > Lync Device Updates
Disable Device Updates
To allow phones to run a different version, the device update behavior can be disabled by editing the online IP phone policy that Polycom UCS devices natively understand.
- Using the Skype for Business Online Management Shell issue the following Set-CsIPPhonePolicy cmdlet to change the device update behavior.
Set-CsIPPhonePolicy -EnableDeviceUpdate $false
- Then run the Get-CsIPPhonePolicy cmdlet to verify the change has been applied to the policy. The following cmdlet example simply shows how to filter out the other parameters.
Get-CsIPPhonePolicy | Select-Object EnableD* | fl
As with any policy change, the registering device will not see this immediately. There are several factors at play impacting how quickly a currently registered phone would pick up the new setting. Typically within 8 hours policy changes are refreshed throughout all clients, but a manual reboot of the phone can help expedite this. Given that this change is applied to a massive and mostly uncharted cloud provider environment it typically takes a few minutes for that change to propagate amongst the tenant’s home pool.
Testing has shown that waiting about 15 minutes after applying the policy change above is sufficient before rebooting a phone. Because the default update timeout is also 15 minutes make sure to interact with the phone at least once to reset that timer to prevent the device from updating itself before picking up the new setting.
Obviously this approach works if one is prepared for this, but most likely the phones have already flipped to the undesired version and this blog article was found while looking for a solution. So more likely the phone has already been downgraded and the timing is not really critical. Simply disable the update service, wait until the phones have picked up the policy change, and then upgrade them to the desired version using any of the supported methods.
Validate Endpoint Configuration
To verify that the phone has picked up the new configuration after rebooting and re-registering to Skype for Business Online there are a few items which can be checked.
- The notification of an available device update will no longer appear on the phone’s home screen nor in the Warnings window.
- The Lync Device Updates menu is now hidden and will no longer be shown under the Diagnostics menu.
- The ‘device.prov.lyncDeviceUpdateEnabled’ parameter will be set to ‘0’ to indicate that it is disabled.
While the first two items can easily be seen directly on the phone, to be absolutely sure that device updates have been disabled on the device the configuration parameters can be viewed using the following procedure.
- Connect to the web management UI on the phone. If it is disabled then enable it and reboot the phone, as shown in the Enable Web Server section of this past article.
- Sign in using the defined Admin password (456 by default) and then browse to the Utilities > Import & Export Configuration menu.
- Expand the Export Configuration section and then select Device Settings from the drop-down menu.
- Click Export and save the file. Once downloaded open the Export_device_settings.cfg file. These files are easiest to navigate using an XML Editor like XML Notepad, but any text editor/viewer will work.
- Scroll down towards the bottom of the file and look for the device.prov.LyncDeviceUpdate* section of parameters.
- Check the value of the device.prov.lyncDeviceUpdateEnabled parameter. As shown below a defined value of 0 indicates that the device updates are disabled which the phone did receive in-band during the last registration attempt.
Configure Individual Phones
As mentioned earlier it is recommended to leave the device update service enabled to ensure the phones are always running on the latest approved build. But in the event that a different version needs to be installed on all phones then the process above can be used.
If only looking to prevent one or a few phones from upgrading for the purposes of testing other firmware versions then it is better to disable the update capability directly on the phone instead of on the server which currently only supports a single Global policy that applies to all users in the specific O365 tenant.
- Create a new text file called DisableLyncUpdate.cfg and copy/paste in the following text:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<PARAMETERS device.set="1" device.prov.lyncDeviceUpdateEnabled.set="1" device.prov.lyncDeviceUpdateEnabled="0" lync.provisionDeviceParams.enabled="0" />
- Using the process shown in the previous step access the web management UI and from the Utilities > Import & Export Configuration menu Import the file that was created in the previous step into the phone.
The first two parameters must be set to 1 in order to write changes to any phone parameters in the device settings partition. The last two parameters will then disable device updates in addition to ignoring any device parameters currently being provisioned in-band during the SfB registration process. Obviously changing only the device update parameter would not be sufficient, as the next time the phone applies the client policy settings it will simply revert back to the server-provisioned behavior. Setting the lync.provisionDeviceParams.enabled parameter to 0 makes sure that does not happen. Be aware though that this means the phone will ignore all in-band client policy settings controlled by the Set-CsIPPhonePolicy cmdlet, not just the device update parameter itself.
To configure the alternative scenario of disabling updates on the client policy and then enabling them for a few individual phones, simply change the device.prov.lyncDeviceUpdateEnabled values to ‘1’.
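The checks described under Validate Endpoint Configuration and Configure Individual Phones can be run across a folder of exported files to see which phones follow the tenant policy and which carry a local override. The PowerShell below is an added example, not part of the original article or of any Polycom or Microsoft tooling; the function name Get-PhoneUpdateState, the sample file names, and treating a missing lync.provisionDeviceParams.enabled as "in-band provisioning active" are assumptions.

```powershell
# Added example: classify Polycom UCS config exports by who controls device updates.
# Assumption: parameters are XML attributes on some element (as in DisableLyncUpdate.cfg);
# a missing lync.provisionDeviceParams.enabled is treated as in-band provisioning active.
function Get-PhoneUpdateState {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # EnableDeviceUpdate value read from Get-CsIPPhonePolicy for the tenant.
        [Parameter(Mandatory)][bool]$TenantEnableDeviceUpdate
    )
    $expected = if ($TenantEnableDeviceUpdate) { 'Enabled' } else { 'Disabled' }
    foreach ($file in $Path) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.XmlResolver = $null   # never resolve external DTDs or entities
        $doc.Load((Resolve-Path -LiteralPath $file).ProviderPath)

        # Collect every attribute; hashtable keys are case-insensitive, so
        # differences in parameter-name casing do not matter.
        $value = @{}
        foreach ($attr in $doc.SelectNodes('//@*')) { $value[$attr.Name] = $attr.Value }
        $updateFlag = $value['device.prov.lyncDeviceUpdateEnabled']
        $inBandFlag = $value['lync.provisionDeviceParams.enabled']

        $state = if ($updateFlag -eq '1') { 'Enabled' }
                 elseif ($updateFlag -eq '0') { 'Disabled' }
                 else { 'Unknown' }
        if ($inBandFlag -eq '0') {
            $control = 'LocalOverride'   # phone ignores all in-band IP phone policy
            $inSync  = $null             # tenant policy does not apply to this phone
        } else {
            $control = 'TenantPolicy'
            $inSync  = ($state -eq $expected)
        }
        [pscustomobject]@{
            File          = Split-Path -Leaf $file
            DeviceUpdates = $state
            ControlledBy  = $control
            MatchesTenant = $inSync
        }
    }
}

# Constructed sample files (not captured from a real phone).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'vvx-export-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
'<PARAMETERS device.prov.lyncDeviceUpdateEnabled="0" />' |
    Set-Content (Join-Path $dir 'phone-a.cfg')
'<PARAMETERS device.prov.lyncDeviceUpdateEnabled="1" lync.provisionDeviceParams.enabled="0" />' |
    Set-Content (Join-Path $dir 'phone-b.cfg')
Get-PhoneUpdateState -Path (Get-ChildItem $dir -Filter *.cfg).FullName `
    -TenantEnableDeviceUpdate $false | Format-Table -AutoSize
```

A tenant-controlled phone with MatchesTenant set to False has not yet refreshed the policy, while ControlledBy set to LocalOverride marks phones that ignore every in-band IP phone policy setting and therefore need to be tracked separately.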