Dec 12

Lync Mobility Policy

Now that I have Lync Mobility installed and working, I’ve decided to dig into the policy settings available. At some point, I am sure we will just open this feature to all of our employees. But while it is still new, I want to limit the people who can use it. I don’t need a random ticket opened because someone installed the Lync Mobile client on their own and they want to know how to do something. Let me figure that out first!

This is all covered in the Microsoft Lync 2010 Mobility Guide. And while the guide covers all the requisite PowerShell commands, it doesn’t dig too deeply into what I wanted to find out. In short: You can disable Lync Mobility at the Global level and still enable it on a per-user setting. In other words, user-level permissions take precedence over Global permissions.

In order to set up the scenario I want (Global permission disabled, user permission enabled, and those permissions assigned to a specific user) I used the following PowerShell commands:

First, let’s disable the global policy:

Set-CsMobilityPolicy -EnableMobility $False -EnableOutsideVoice $False

You can run “Get-CSMobilityPolicy” to verify the changes.

At this point, wait a while and see if the policy change takes effect. In my experience, it took about 30 minutes for the policy change to affect my ability to log in. Once you can’t connect, go ahead with the following steps.

Next you need to create a new user-level policy. Here is what I ran in PowerShell to accomplish this:

New-CsMobilityPolicy "User Mobility" -EnableOutsideVoice $True -EnableMobility $True

Now if you run “Get-CsMobilityPolicy” you should see 2 policies. Note that Lync prepends your policy name with “tag:”. This is important in the next step, where we assign the policy to a user, which is done like so:

Grant-CsMobilityPolicy -Identity flinchböt@contoso.com -PolicyName "Tag:User Mobility"

This policy took effect fairly quickly. I’d say within 5 minutes I was able to successfully connect after having been denied by the global policy.


Now that I have my user policy defined, I want to assign it to a few test users. All of these users are members of an Active Directory Security Group. Surely there is a way to assign this policy to a group.

Well…there sort of is. You can use the following script to enumerate the members of a group and then apply the mobility policy to them. You aren’t assigning the policy to the group itself and there is no functionality to automatically apply the policy to any users added to the group after you run the script. I suppose you could set up a scheduled task if you need that kind of functionality.

I stole the script from http://blogs.technet.com/b/csps/archive/2010/06/06/scriptassignpolicytoallusers.aspx. Actually, it is verbatim to the script on that site except for the last line where I replaced Grant-CsClientPolicy with Grant-CsMobilityPolicy.

# Usage: EnableMobility.ps1 <group sAMAccountName> <policy name>
# Find the group by sAMAccountName. $args[0] is placed in the LDAP filter as-is.
$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
# Only the member attribute (distinguished names of the direct members) is needed
$colProplist = "member"
foreach ($i in $colPropList)
    {[void] $objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $group = $objItem.member}
# Grant the policy to each direct member; nested groups are not expanded
foreach ($x in $group)
    {
        Grant-CsMobilityPolicy $x -PolicyName $args[1]
    }

To run this, open a Lync PowerShell window. Assuming the file is saved as “c:\scripts\EnableMobility.ps1” and assuming the name of your policy is “tag:User Mobility” and assuming the security group is named “IT Users”, you would run this command:

c:\scripts\EnableMobility.ps1 "IT Users" "tag:User Mobility"

This will then grant my mobility policy to all members of the “IT Users” group.


The other approach to bulk enabling is to enable all users in a given OU. This is easily done by using the following command:

Get-CsUser -OU "OU=Users,DC=flinchbot,DC=com" | Grant-CsMobilityPolicy -PolicyName "Tag:Mobility Enabled"


Which leaves one final thing to figure out.

How do you know which users are enabled for mobility?

The easy way is to do a get-csuser. There is now a new value added to the output called “MobilityPolicy”. This will show you which Mobility Policy has been assigned to a given user, if one has been assigned at all.

Building on this post of mine, we can build a PowerShell command to export a list of all users enabled for a specific Mobility Policy. Running the following command kicks out a sorted .csv file of all users that are assigned the “tag:User Mobility” policy:

Get-CsUser -Filter {MobilityPolicy -eq 'tag:User Mobility'} | Sort-Object DisplayName | Select-Object DisplayName, RegistrarPool, LineURI | Export-Csv wrong_plan.csv

And if you want to get a dump of all users that have any Mobility policy assigned to them, give this one a go:

Get-CsUser -Filter {MobilityPolicy -ne $NULL} | Sort-Object DisplayName | Select-Object DisplayName, MobilityPolicy, RegistrarPool, LineURI | Export-Csv wrong_plan.csv
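
Since the group script is a one-time grant and the filter above shows who actually holds the policy, the two can be combined into a reconciliation check. The following is an added example, not part of the original post or the TechNet script: it reports (and with -Apply corrects) users who are in the group without the policy and users who hold the policy without being in the group. The parameter names, the ConvertTo-LdapFilterValue helper and the -Apply switch are assumptions of this example, and like the script above it relies on the Lync cmdlets accepting a distinguished name as the identity.

```powershell
# Added example (not from the original post): reconcile a per-user mobility
# policy against an AD security group. Report-only unless -Apply is given.
param(
    [Parameter(Mandatory=$true)][string]$GroupName,   # e.g. "IT Users"
    [Parameter(Mandatory=$true)][string]$PolicyName,  # e.g. "tag:User Mobility"
    [switch]$Apply
)

# Hypothetical helper: escape LDAP filter metacharacters (RFC 4515) so the
# group name is always treated as data, never as filter syntax.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=group)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $GroupName)
[void]$searcher.PropertiesToLoad.Add('member')
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found" }

# Direct group members that are Lync-enabled users, keyed by SIP address.
# Nested groups, contacts and non-Lync accounts resolve to nothing and are skipped.
$wanted = @{}
foreach ($dn in @($group.Properties['member'])) {
    $u = Get-CsUser -Identity $dn -ErrorAction SilentlyContinue
    if ($u) { $wanted[$u.SipAddress] = $u }
}

# Users who currently hold the policy (same filter the post uses for its export).
$holders = @{}
Get-CsUser -Filter "MobilityPolicy -eq '$PolicyName'" | ForEach-Object { $holders[$_.SipAddress] = $_ }

$toGrant  = @($wanted.Keys  | Where-Object { -not $holders.ContainsKey($_) })
$toRevoke = @($holders.Keys | Where-Object { -not $wanted.ContainsKey($_) })
$toGrant  | ForEach-Object { "GRANT  $_" }
$toRevoke | ForEach-Object { "REVOKE $_ (holds policy but is not in '$GroupName')" }

if ($Apply) {
    foreach ($sip in $toGrant)  { Grant-CsMobilityPolicy -Identity $sip -PolicyName $PolicyName }
    # -PolicyName $null removes the per-user policy, so the global policy applies again.
    foreach ($sip in $toRevoke) { Grant-CsMobilityPolicy -Identity $sip -PolicyName $null }
}
```

Run it without -Apply first and review the REVOKE lines, since they include anyone granted the policy by hand or through the OU command. Active Directory limits how many member values it returns in a single read (1500 by default), so very large groups need ranged retrieval that this example does not implement.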


Related little funny – just after I tested this and as I was writing this post, I got a call from a co-worker with whom I have never spoken. He wanted to know if and when we were going to support Lync Mobile. He had just installed the Lync client on his phone and couldn’t log in…because the POLICY I had created 20 minutes earlier was blocking him from logging in!
