This article is intended to explain the differences in new capabilities brought to both Skype for Business Online and the latest firmware releases for Polycom UCS-based IP phones. While both Hot-desking and Common Area Phone (CAP) features were first provided in Lync Server these concepts are both handled quite differently in Office 365.
Essentially the Hot-Desking topic discussed in this article is referring to existing functionality in Lync and Skype for Business Server that VVX phones now support, while the Common Area Phone topic is brand new functionality brought only to Skype for Business Online which VVX phones can leverage immediately. These capabilities are available in the Polycom UCS family of devices starting with VVX phones in the recent 5.7.0 firmware release.
It is important to understand that these Hot-desking and Common Area Phone (CAP) concepts are complimentary capabilities which are often confused with each other or incorrectly treated as one in the same.
- Hot-desking provides a method for a ‘guest’ user to sign into a phone that is already registered with a ‘host’ user, without permanently signing out the original ‘host’ user. Without this feature to switch user accounts on a phone a new user would have to completely sign out the current user, and to return that phone to the original state someone would have to manually sign back in again with the original user’s credentials. Hot-desking allows the original credentials to stay cached in the phone to be used again to automatically re-register to Skype for Business. This capability is nothing new to Skype for Business Server as hot-desking has been around since Lync Server 2010 and was added originally for Lync Phone Edition (LPE) devices.
- Common Area Phone (CAP) support refers to a new provisioning and licensing model specific to Skype for Business Online. So this feature comes from both updates to the VVX firmware and new capabilities brought by Microsoft into Office 365. Microsoft has added a new provisioning portal to be used in conjunction with accounts which have been assigned a new Office 365 license. This new functionality is entirely different than the CAP implementation already in Lync/SfB Server platform.
These are two distinctly different feature sets which can, but are not required to, be used in conjunction. Any user account type (standard or CAP) can be used in hot-desking scenarios, although there are some limitations today based on where the accounts are homed. Some of this works only for Skype for Business Server users homed on-premises and other parts are only applicable to Skype for Business Online users. These caveats are outlined in the following sections.
Also it is still a recommended practice to disable device updates when registering phones to Skype for Business Online as Microsoft continues to publish older firmware versions. At the time of posting this article UCS 5.7.1 is the most recent version available from Polycom, yet 5.6.0 is what is still being provided via the Device Update Service in Skype for Business Online . So, after upgrading a phone to 5.7.x and configuring the features shown in this article the phone will automatically ‘update’ to the published, older version thus removing the new capabilities.
True hot-desking functionality has been added to the VVX platform to not just mimic what has been available in the Lync Phone Edition platform but to provide even more flexibility than what those older devices can do. This capability is enabled by default in UCS starting in the 5.7.0 release (feature.HotDesking.enabled=”1″), yet it is not usable unless hot-desking is also enabled on the Skype for Business platform that the phone is registered to.
This added functionality now allows for two different sets of credentials to be registered on the same phone, but not at the same time. A ‘host’ user account is signed in first, typically by an administrator, and then a ‘guest’ user account can be signed in later on, typically by an end-user. When the guest user is either signed out, either manually by someone or automatically due to the configured hot-desking timeout, then the host user is automatically signed back into the phone used saved credentials.
For Lync Server and Skype for Business Server deployments hot-desking behavior can be controlled as described in this older article, including enabling/disabling it at a global or custom level as well as controlling the timeout value.
However, hot-desking is not currently available for Skype for Business Online, which can be confirmed by running the following Skype for Business Online PowerShell cmdlet.
Update: It is now possible to manage custom user policies in Skype for Business Online, meaning that Hotdesking can be enabled by defining a new custom policy: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Custom-Policies-for-Skype-for-Business-Online/ba-p/53824
Get-CsClientPolicy | ft Identity,*hotdesk*
Notice that the EnableHotdesking parameter is not set to ‘True’ in any of the available online client policies.
In Skype for Business Hybrid environments it is possible for online users to sign in as the ‘guest’ as long as the ‘host’ account which is first registered on the phone is an on-premises user. If an online user signs in first as the ‘host’ then hot-desking is not available for that account and thus no Guest soft key will appear on the phone.
Enabling Hot-desking for Lync or Skype for Business Server deployments is unchanged and either a CAP account or a regular user account can be used.
When a Skype for Business Server-homed user account with an assigned policy that has Hot-desking enabled is registered to a phone then a Guest soft key will appear on the home screen.
Selecting the Guest bottom prompts to sign the Host user out fro the phone.
After (temporarily) signing out the host user the phone automatically returns to the Sign In window so a user can then select the available method they want to use for signing in with their own credentials. If no options are selected after about 30 seconds then the phone drops to the home screen where both the Guest and Host soft keys are displayed. If still no sign-in actions are performed and the phone is left idle for about 3 minutes then it will automatically sign the Host user back into the phone and return to the previously registered state.
But if a user signs in with a different account as a Guest then that account will stay registered on the phone until the HotdeskingTimeout value in their assigned Skype for Business client policy is reached, which is a default of 5 minutes. At that threshold of inactivity the phone will automatically sign out the Guest account and sign the Host account back in.
Common Area Phones in Skype for Business Online
A mixture of new capabilities in the VVX firmware and new functionality in the Skype for Business Online platform now provides a new way to license and register online accounts for common area use-cases.
The term Common Area Phone means two entirely different things when talking about Lync and Skype for Business Server deployments versus Skype for Business Online.
- In server-based environments a Common Area Phone (CAP) account is a special type of user account which in essence is simply an Active Directory Contact Object that is enabled in Lync/SfB Server differently than standard AD User objects. This model was first introduced in Lync Server 2010 with the advent of the Aries model family of the Lync Phone Edition platform and leverages only Certificate-based Authentication (TLS-DSK) via PIN Authentication and DHCP Options 43/120. These accounts are not Exchange mailbox-enabled and thus address a simple goal: the ability to register a phone using generic credentials, provisioned and managed by an administrator, which is intended solely to provide basic ‘dial-tone’ features to a handset or conference phone. These CAP accounts then also provide the hot-desking capability to the registered device so that a fully-featured user can temporarily sign-in with their own account.
- With Skype for Business Online though the CAP terminology is completely different as this is currently related only to licensing and device provisioning. A new, dedicated Office 365 license has been added to reduce the overall cost for common-use IP phones and a new Web Sign-in method specific to these common-area use cases as also been added. There is no special account type like with the server platform as any standard online user account can be used with the new license, meaning that Exchange calendaring is available for phones registered using a CAP-enabled account. Registering a phone to Skype for Business online is also completely different than the server-only PIN Authentication method.
Also note that one major difference between the LPE and VVX device models is that in the LPE Aries family there existed the concept of a specific Common Area Phone model. These were special models (e.g. Polycom CX500) which were designed only for use with CAP accounts (due to the lack of a USB-B port) but could still be used with any account which was enabled for PIN Authentication. These devices cannot be registered with Skype for Business Online because PIN Authentication was never provided in Office 365. (More importantly all LPE devices will cease to function with Office 365 on October 31st, 2018 when TLS 1.2 is enforced by Microsoft.)
Comparatively the VVX phones which leverage the UCS platform software do not have these limitations. Firstly, full user credentials can be entered directly into the phone or remotely without the need for USB, unlike LPE devices which can only use the standard authentication mode via USB-pairing to a PC. Secondly, all VVX devices support the new Web Sign-in method that Skype for Business Online provided as a replacement for the older server-only PIN Authentication method. Essentially any VVX phone model can ‘be’ a Common Area Phone in either server or online platforms.
The new Common Area Phone license is simply a new subscription plan available in Office 365. It is not a Skype for Business Add-on subscription like calling plans are as it does not go with an existing subscription plan; it replaces the need for other subscription plans. As covered in this past article devices typically require the Skype for Business Online Plan 2 subscription at a minimum to perform most Skype for Business meeting-related functions. As phones typically require PBX feature and PSTN connectivity then the additional cost of potential add-in licenses like Phone System (formerly Cloud PBX) can add up. Alternatively Enterprise plans have been used in the past which include licenses for so many other unrelated Office 365 services.
Thus the creation of a dedicated license provides the needed Skype for Business core licensing, Skype for Business Online (Plan 2), as well as a Phone System license. No differently than the other Enterprise subscriptions this new license also does not include a Phone Calling plan; those must always be added at an additional cost.
As the Common Area Phone license includes a Skype for Business Online license then a separate Business or Enterprise license should not also be assigned to the same user as that would literally be a waste of money.
It is important to understand that this subscription plan is simply a license and accounts provided this license will function in Skype for Business Online no differently than an account assigned to another plan that includes Skype for Business Online Plan 2 (e.g. Enterprise E3) or if the a standalone Skype for Business Online license itself is assigned directly to the user. In essence the only difference here is the monthly cost for that user account.
Microsoft has added a new portal to the existing Web Sign-in methodology which was added previously to address the lack of PIN Authentication support in Skype for Business Online. The new provisioning process for Common Area Phones is almost identical to the previous Web Sign-in process used for regular users, but with a few distinct differences.
- Instead of a user authenticating using their own account credentials an administrator will sign into the new provisioning site. This allows that administrator to provision any phones using only the code provided by the phone, the password of the desired account is not required. When the desired account is selected its password will automatically be reset to a unique, unknown value.
- While this process was created for Common Area ‘accounts’ it is not limited to only accounts with the Common Area Phone license. As mentioned before the new license functions no differently as the underlying Skype for Business Online Plan 2 is what drives the actual functionality. Thus any user licensed for Skype for Business, be it through a standalone license, a Business plan, or Enterprise plan, can technically be provisioned on a phone by an administrator using this new portal. Be aware that doing this on any user account will reset the password and effectively lock that user out of their own systems, thus this process should really only be used with accounts that are assigned to regular users.
Acquire Common Area Phone Subscription
The new licensing subscription can be purchased or trialed in the Office 365 Admin Center.
- Sign-in to the Office 365 portal using an administrative account for the desired tenant and then open the Admin Center.
- Browse to Billing > Subscriptions > Add Subscriptions and then expand the Other Plans section.
- Locate and select the Common Area Phone option and select either Buy Now or Start Free Trial.
- Once the new plan has been purchased or selected for a 30-day trial then navigate to Billing > Subscriptions to validate that the new plan has been added to the tenant.
The screenshot above indicates that the tenant used in this article is currently in an existing trial period which includes 25 licenses for 30 days. (One licensee has already been assigned and the trial is nearing expiration in this example tenant.)
Assign Common Area Phone License
At this point either a new account can be created for the device or an existing account can be enabled with the license. For the purposes of this article a new account will be created and enabled.
- Create a new user account (e.g. email@example.com) in the Office 365 Admin Center and assign a Common Area Phone license, and if applicable, a Calling Plan.
In order to provision a device using the Common Area Phone model a Polycom VVX running at least 5.7.0 USC firmware is required. The following steps were performed on a VVX 601 running version 18.104.22.1685.
- Press the Home button on the phone and navigate the followings menus: Settings > Advanced > Enter Admin Password (default is ‘456’) > Administration Settings > Common Area Phone Settings.
- Set the CAP and CAP Admin Mode settings both to Enabled.
- Press the back arrow and then select Save Config.
The two settings above perform two different tasks. The CAP setting simply enables the Common Area Phone feature on the device but does not provide for a way to sign in directly on the phone. This is by design, to prevent end-users from attempting to provision a phone using their own standard accounts. Yet, to register the phone to Skype for Business directly from the handset it must also have the CAP Admin Mode enabled. Without this setting turned on then no Sign In button will appear on the phone and it can only be registered remotely or via a provisioning platform.
The CAP (but not the CAP Admin Mode) setting can also be changed remotely using the Web Configuration Utility (Settings > Skype for Business Settings > Common Area Phone Settings).
Once back at the main screen the Sign In button will appear if the CAP Admin Mode setting was enabled directly on the phone. At this point the unregistered phone will display a “CAP is enabled” message on the main screen. (If the phone was already registered to Skype for Business then it may report that device lock is disabled or alter other options previously available.)
If the phone is left alone in this mode too long then the following message will appear, indicating that it is not currently registered.
- To register the phone using the new process select the Sign In soft key to show the available sign-in options.
- Select the Web Sign-in (CAP) option and the resulting screen will display.
Note that while this screen looks identical to the previous Web Sign-in process the provided URL is actually different. The standard Web Sign-in process for regular users to self-provision a phone is http://aka.ms/sphone where the new admin provisioning portal is http://aka.ms/skypecap.
- Using a web browser on any Internet-connected PC or mobile device go to http://aka.ms/skypecap as instructed above to complete the provisioning process.
- Sign in using a tenant administrator account for the Office 365 tenant to access the Tenant Admin Common Area Phone Provisioning Portal. Do not sign in with the credentials of the user account which is to be assigned to the specific phone.
- Enter the partial (e.g. ‘k‘) or complete (e.g. ‘kitchen‘) account name or SIP URI (e.g. firstname.lastname@example.org) to search for the desired CAP account. The example below shows a less-specific search that returns all matches (wildcard characters are not valid).
- Deselect the Search for Common Area Phones only setting as this option is not currently functional and will return no results, regardless of the user type. (This article will be updated when the behavior of this setting is fixed.)
- Enter the alphanumeric code provided by the phone into the Pairing Code field adjacent to the desired account name and then click Provision.
At this point the phone will automatically proceed to sign-in and the provisioning is complete. As noted earlier the account’s password will have been automatically changed to a unique, unknown value during the process so to use this same account again with anything other than a Common Area Phone the password would need to be reset by an administrator.
Note that this new Common Area Phone feature set in Skype for Business Online is not yet fully featured and still has some additional capabilities not yet delivered. Given the focus on Microsoft Teams it is hard to say if and when this feature set will become complete at it is currently only applicable to Skype for Business Online.