How to Configure Registration?
The registration feature is used to restrict which types of devices/clients are filtered and which can or cannot sign in to Skype for Business.
We have 4 different device registration settings:
Self Registration
Automatic Registration
Admin Approval
Disabled
In order to get to the registration settings, we'll need to Sign in to the Admin Portal admin area → Settings → Registration, or by using the following URL: /admin/settings?category=registration_settings
Self Registration
Users are given access to a self-service registration portal, where they can register their device themselves.(Image for example)
Multiple users per device - Setting to 'Yes' will allow multiple users to register with the same device.
Number of devices user is allowed to self register in Access Portal - How many devices a user can have registered in the Admin Portal (more than the set amount will result in the devices being rejected).
Use PC pairing - If set to 'Yes', Filter PC clients and verify them for registration. Please note this requires the SIP Filter to be installed on the Edge, with the "Block NTLM" setting set to 'True'.
Self registration timeout (minutes) - The time window in which a user can sign in to Skype for Business after pressing the "Register" button on the Access Portal End user area.
Automatically register computers with internally issued certificates - When set to 'Yes', automatic registration will occur for devices which have authenticated to Skype for Business internally in the domain (for example, a company laptop that has been taken home). Please note these devices will not be counted as part of the device limit per user.
Allow Username/Password authentication by external PCs - If set to 'Yes' PCs will be able to authenticate via NTLM over HTTP. If set to 'No', only computers with internally issued certificates will be able to register, even if the PC is registered.
Allow users to self-register any PC - If set to 'Yes', allow users to self-register devices which do not have an internally issued certificate.
Prevent manual approval for devices rejected from non-approved IP ranges - If set to 'Yes', SphereShield admins will not be able to manually approve devices which have arrived from non-approved IP ranges.
Check device registration on - Where the device registration check is done. Should always be Edge.
Require registration via VPN - see more in How to Set Up VPN Redirection?
Allow End Users to Block - If set to 'Yes', users will be able to block devices from signing into Skype for Business via the Admin Portal End user area. Useful in case a device has been lost/stolen.
Automatic Registration
Using this approach the end user does not need to go to the portal for registration.
The first set amount of devices for a specific user are automatically registered. From then onward, no other device is permitted to connect to the account unless admin provides approval.
Number of mobile devices to automatically register - Set the max amount of mobile devices which will be registered automatically. Any mobile device over the limit attempting registration will get rejected.
Number of PCs to automatically register - Set the max amount of PCs which will be registered automatically. Any PC over the limit attempting registration will get rejected.
Number of SIP phones to automatically register - Set the max amount of SIP phones which will be registered automatically. Any SIP phone over the limit attempting registration will get rejected.
Multiple users per device - Setting to 'Yes' will allow multiple users to register with the same device.
Use PC pairing - If set to 'Yes', Filter PC clients and verify them for registration.
Automatically register computers with internally issued certificates - When set to 'Yes', automatic registration will occur for devices which have authenticated to Skype for Business internally in the domain (for example, a company laptop that has been taken home). Please note these devices will not be counted as part of the device limit per user.
Allow Username/Password authentication by external PCs - If set to 'Yes' PCs will be able to authenticate via NTLM over HTTP. If set to 'No', only computers with internally issued certificates will be able to register, even if the PC is registered.
Prevent manual approval for devices rejected from non-approved IP ranges - If set to 'Yes', SphereShield admins will not be able to manually approve devices which have arrived from non-approved IP ranges.
Check device registration on - Where the device registration check is done. Should always be Edge.
Require registration via VPN - see more in How to Set Up VPN Redirection?
Admin Approval
When users attempt to sign in their device will get rejected, Afterwards, the user must contact help desk service, which will manually approve their device via Admin Portal.
Multiple users per device - Setting to 'Yes' will allow multiple users to register with the same device.
Number of mobile devices allowed for admin approval - Set the max amount of mobile devices (per user) to be approved manually. Devices over the max amount will not be able to be approved manually.
Number of PC devices allowed for admin approval - Set the max amount of PCs (per user) to be approved manually. Devices over the max amount will not be able to be approved manually.
Number of all devices allowed for admin approval -
Use PC pairing - If set to 'Yes', Filter PC clients and verify them for registration.
Allow Username/Password authentication by external PCs - If set to 'Yes' PCs will be able to authenticate via NTLM over HTTP. If set to 'No', only computers with internally issued certificates will be able to register, even if the PC is registered.
Prevent manual approval for devices rejected from non-approved IP ranges - If set to 'Yes', SphereShield admins will not be able to manually approve devices which have arrived from non-approved IP ranges.
Check device registration on - Where the device registration check is done. Should always be Edge.
Require registration via VPN - see more in How to Set Up VPN Redirection?
Mac OS X Clients
We treat Mac OS X clients like PC clients.
This means that these clients have the limitations or permissions set by the admin for PCs applied to them too.
These clients are not eligible for registration using the SphereShield MDM Launcher app.
However, SphereShield Edge server settings do not apply to these devices, as they do not authenticate using the Edge server.
In environments using SphereShield credentials, these credentials must be used on the Mac OS X client.
Notifications
In order to enable this feature, you must first configure email notifications.
How to configure IM and E-Mail Notifications?
Admin Notifications
Rejected Devices Notification Frequency (days) - The frequency in days to send a report on blocked devices. Set to 0 to send a report on each blocked device.
Unregistered device message subject - The subject of the mail report message.
Rejected Devices Notification Message - The email body message of the report message.
User Notifications
Days before sending notification to user about device not registered - The number of days to wait before sending a notification on a device in the pre-registration state.
For example, if the registration period has expired or the device is in pre-auth/activated.
User notification subject - the subject of the user notification mail.
User notification body for stuck in Expired - the E-mail body message of the notification mail.
User notification body for stuck in pre-auth – the E-mail body message of the notification mail.
Device type filtering table
The device type filtering table is used in order to allow/reject the ability of a specific device type to sign-in to Skype for Business.
For example, if we'll want to allow only iOS 11 devices to be able to sign-in, we'll edit the other device types and change it to Disabled.
It is possible to add specific device types if they do not exist, by press the button.
The filtering is based on the Regular expression used, for example for the Skype Room System device type (UCCAPIMM/16.0.8315.3019 SkypeRoom/3.0.16.0), we'll make the following rule:
Registered Devices Table
In order to reach the registered devices table, please sign-in to the Admin area of the Admin Portal → Registered devices, or by using the following URL: /admin/approveddevices
Here you can see a sortable list of all devices that have been registered, together with their user and who approved them.
Features:
View/search all registered devices
Unblock/Block/delete devices
Renew Sign in period
Export a list of devices.
Rejected Devices Table
In order to reach the registered devices table, please sign-in to the Admin area of the Admin Portal → Rejected devices, or by using the following URL: /admin/rejecteddevices
You can see and manage blocked devices on this page. Only devices that attempted to sign in with correct credentials will appear here, in this page you can manually approve rejected devices.