Cisco Jabber for Android Release 8.6.x Administration Guide
Feature setup
Download this chapter
Feature setupFeature setup
Download the complete book
Cisco Jabber for Android Release 8.6.x Administration GuideCisco Jabber for Android Release 8.6.x Administration Guide (PDF - 1 MB)
 Feedback

Contents

Feature setup

Add Mobile Connect and Mobile Identity

Mobile Connect, formerly known as Single Number Reach (SNR), allows the native mobile phone number to ring when someone calls the office number while Cisco Jabber is not available.

When Cisco Jabber is running and connected to the corporate network, and thus available to receive VoIP calls, Mobile Connect is automatically inactivated.

A Mobile Identity is required to transfer calls from VoIP in Cisco Jabber to the mobile network.

Procedure
    Step 1   Sign in to Unified CM Administration.
    Step 2   Search for and delete any existing Remote Destination or Mobile Identity that is already set up with the mobile phone number.
    Step 3   Navigate to the End User page for the user.
    1. Check the Enable Mobility check box.
    2. Specify the Primary User Device.
    3. Select Save.
    Step 4   Navigate to the device page for the Cisco Dual Mode mobile device settings.
    1. Enter information:

      Example:

      Setting

      Information

      Softkey Template

      Choose a softkey template that includes the Mobility button.

      Mobility User ID

      Select the user.

      Owner User ID

      Select the user. The value should match the Mobility User ID.

      Rerouting Calling Search Space

      If your Unified CM has custom partitions and multiple calling search spaces, select a Rerouting Calling Search Space that includes the partition that applies to the mobile phone number, which you will enter as a Mobile Identity.

    2. Select Save.
    Step 5   Add a new Mobile Identity for the mobile phone number:
    1. Navigate to the device page for the Cisco Dual Mode mobile device settings.
    2. Select Add a New Mobile Identity.
    3. Enter the mobile phone number as the Destination Number.

      This number must be routable to an outbound gateway. Generally, it will be the full E.164 number.

    4. Enter initial values for call timers.

      These values ensure that calls are not routed to the native device voicemail before they ring in the client on the mobile device.

      For more information, see the online help in Unified CM.



      Example:

      Setting

      Suggested initial value

      Answer Too Soon Timer

      3000

      Answer Too Late Timer

      20000

      Delay Before Ringing Timer

      0

      This value accommodates the relatively long call-setup times that are characteristic of mobile calls.
    5. Check the Enable Mobile Connect check box.
    6. Set up the schedule for routing calls to the mobile number.
    7. Select Save.
    What to Do Next

    Test your settings: The native mobile network phone number should ring and the call should connect when you answer it.

    Enable active call transfer from VoIP to mobile network

    Users can transfer an active VoIP call from Cisco Jabber to their mobile phone number on the mobile network. This feature is useful when a user on a call leaves the Wi-Fi (for example, leaving the building to walk out to the car), or if there are voice quality issues over the Wi-Fi. This Cisco Jabber feature is called Use mobile network.

    Procedure
      Step 1   For system-level settings, check that the Mobility softkey appears when the phone is in the connected and on-hook call states.
      1. Sign in to Cisco Unified Communications Manager Administration.
      2. Select Device > Device Settings > Softkey Template.
      3. Select the softkey template that you selected when you configured the device for Mobile Connect.
      4. In the Related Links drop-down list at the upper right, choose Configure Softkey Layout and select Go.
      5. In the call state drop-down list, select the Connected state and verify that the Mobility key is in the list of selected softkeys, and then do the same for the On Hook state.
      Step 2   For the per-user and per-device settings in Cisco Unified Communications Manager, set the specific device to use the Mobility softkey when transferring calls to the mobile voice network. Ensure that you have set up both Mobile Identity and Mobile Connect for the mobile device. After the transfer feature is working, users can enable and disable Mobile Connect at their convenience without affecting the feature.
      1. Sign in to Cisco Unified Communications Manager Administration.
      2. Select the Owner User ID on the Phone Configuration screen for your Cisco Dual Mode for Android device.
      3. Select the Mobility User ID. The value should match that of the Owner User ID.
      4. In the Product Specific Configuration Layout section, in the Transfer to Mobile Network drop-down list, choose Use Mobility Softkey.
      What to Do Next

      Test your settings: transfer an active call from VoIP to the mobile network.

      Related Tasks

      Enable active call transfer from desk phone to mobile device

      Before You Begin
      • Ensure that you configured the desk phone and the Cisco Dual Mode for Android (BOTXXXX) device.
      • Ensure that you configured the Mobile Connect feature on the BOTXXXX device. See Add Mobile Connect and Mobile Identity.
      Procedure
        Step 1   Sign in to Cisco Unified Communications Manager Administration.
        Step 2   Navigate to the Phone Configuration screen for the BOTXXXX device.
        Step 3   In the Device Information section, note the value of the Mobility User ID.
        Step 4   Navigate to the Phone Configuration screen for the associated desk phone.
        Step 5   In the Device Information section, ensure that the value of the Owner User ID of the desk phone matches the value for the Mobility User ID of the BOTXXXX device.
        Step 6   In the Device Information section, from the Softkey Template drop-down list, choose Mobility.
        Note   

        If you do not see the Mobility option, you must configure the Mobility softkey. See the "Mobility Softkey Configuration" section in the "Cisco Unified Mobility" chapter of Cisco Unified Communications Manager Features and Services Guide, Release 7.0 at http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_0_1/ccmfeat/fsmobmgr.html#wp1124994.

        What to Do Next

        Test your settings. The procedure for moving the call to your mobile device may vary depending on your desk phone model. A sample procedure is as follows:
        1. Press the Mobility softkey on your desk phone. You may need to press More a few times before you see the Mobility softkey.
        2. Select Send call to Mobile.
        3. Answer your call on your mobile device.

        Related Tasks

        Set up secure connect

        Secure connect is a feature that allows Cisco Jabber to securely connect to your corporate network from a remote location, using Wi-Fi or mobile data networks.


        Note

        Cisco does not guarantee the voice quality on non-corporate Wi-Fi networks or mobile data networks.

        Set up secure connect with the following procedures:

        1. Install and set up the Cisco Adaptive Security Appliance (ASA). See Install and configure the Cisco Adaptive Security Appliance.
        2. Set up the ASA for secure connect. See Set up the ASA for secure connect..
        3. Set up the Unified CM for secure connect. See Set up Unified CM to use secure connect.

        Install and set up the Cisco Adaptive Security Appliance

        You must install and set up a Cisco Adaptive Security Appliance (ASA).

        For supported Cisco Adaptive Security Appliance models, see the Release Notes at http://www.cisco.com/en/US/products/ps11678/prod_release_notes_list.html.

        Install and set up your Cisco ASA using one of the following methods:


        Note

        To support secure connect, you must have an ASA license with the AnyConnect feature enabled.

        Set up the ASA for secure connect

        The following procedures describe one method for setting up the ASA for secure connect. This information is provided as a reference; the setup in your organization may be different.

        1. Create an identity certificate. See Create an identity certificate.
        2. Set up the system for the authentication required by your organization. For certificate-based authentication, see Set up the system for secure connect using certificate-based authentication. For password-based authentication using AAA (authentication, authorization, and accounting), see Set up the ASA for secure connect using AAA authentication.

        Create an identity certificate

        Use this procedure to create an identity certificate on the ASA that allows users to use SSL VPN.

        Procedure
          Step 1   On the ASDM, in the left pane, choose Certificate Management > Identify Certificates.
          Step 2   Click Add.
          Step 3   In the Trustpoint Name field, enter a name for the trustpoint.
          Step 4   Select the Add a new identity certificate radio button.
          Step 5   In the Certificate Subject DN field, enter CN=<fully qualified domain name>.
          Step 6   (Optional) Check the Generate self-signed certificate check box.

          You can also use a certificate that is signed by an external CA instead of a self-signed certificate. For more information about using certificates that are signed by an external CA, see the “Configuring Digital Certificates” chapter at http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_certs.html.

          Step 7   (Optional) Check the Act as local certificate authority and issue dynamic certificates to TLS-Proxy check box.
          Step 8   Click Add Certificate.
          Step 9   Click OK.

          Set up the system for secure connect using certificate-based authentication

          Perform the following procedures to set up the system for Cisco Jabber with secure connect using certificate-based authentication.

          1. Install and set up a certificate authority.
          2. Set up the ASA for secure connect and certificate-based authentication.
          Install and set up a certificate authority

          If your organization requires certificate-based authentication, you must set up a Certificate Authority (CA) to provide the certificates that the system uses for authentication.

          We recommend that you create a root CA and then create subordinate CAs. Start with a self-signed certificate.

          Cisco Jabber supports Cisco IOS Certificate Server and Microsoft Windows Server 2008 Enterprise Certificate Authority.

          For Certificate Authority requirements, see the Release Notes at http://www.cisco.com/en/US/products/ps11678/prod_release_notes_list.html.

          Cisco IOS certificate server

          To set up a Cisco IOS Certificate Authority Server, see http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ioscs.html.

          Microsoft Windows Server 2008 Enterprise Certificate Authority

          Use this procedure to create a Microsoft Windows Server 2008 Enterprise Certificate Authority that is customized for Cisco Jabber with secure connect using certificate-based authentication.

          Procedure
            Step 1   See the Microsoft documentation to install and set up the Certificate Authority.
            Step 2   Create the SCEP template.
            Step 3   Set the default .
            Step 4   Disable the SCEP challenge password.
            Create the SCEP template

            Use this procedure to add a new certificate template that supports both IPsec and SSL.

            The default certificate for Microsoft Windows Server 2008 Enterprise Certificate Authority supports only IPsec because of the limited Extended Key Usage. You must modify this certificate template to ensure that the system can issue certificates for both IPsec and SSL.

            Procedure
              Step 1   On the Microsoft Windows Server 2008 server, choose Start > Administrative Tools > Server Manager.
              Step 2   In the Server Manager window, in the left pane, navigate to Roles\Certificate Services\<Name of your Certificate Authority> OR Roles\Active Directory Certificate Services\<Name of your Certificate Authority>.
              Step 3   Right-click the Certificate Templates folder and choose Manage.
              Step 4   In the Certificate Templates Console window, right-click the User template and then choose Duplicate Template.
              Step 5   In the Duplicate Template dialog box, click the Windows Server 2008, Enterprise Edition radio button.
              Step 6   Click OK.
              Step 7   In the Properties of New Template dialog box, in the General tab, in Template display name field, enter a descriptive name for the template (for example: NDES-IPsec-SSL).
              Step 8   In the Validity period fields, enter a validity period for the template.

              We recommend a validity period that is greater than three years to ensure that the certificate does not expire.

              Step 9   Click the Cryptography tab.
              Step 10   In the Minimum key size field, enter 512.
              Step 11   Click the Subject Name tab.
              Step 12   Click the Supply in Request radio button.
              Step 13   If the application displays a warning, click OK.
              Step 14   Click the Extensions tab.
              Step 15   To make the certificates valid for both SSL and IPsec, in the Extensions included in this template section, click Application Policies.
              Step 16   In the Description of Application Policies section, verify that the list includes the following policies at a minimum:
              • Client Authentication
              • IP security IKE intermediate
              • IP security tunnel termination
              • IP security user
              Step 17   If you need to add policies:
              1. Click Application Policies > Edit.
              2. Click Add.
              3. In the Add Application Policy dialog box, in the Application policies section, right-click the application policies you want to add.
              4. Click OK.
              5. In the Edit Application Policies Extension dialog box, verify your application policies and click OK.
              Step 18   In the Properties of New Template dialog box, click Apply.
              Step 19   Click OK.
              Step 20   Close the Certificate Templates Console window.
              Step 21   In the Server Manager window, right-click the Certificate Templates folder and choose New > Certificate Template to Issue.
              Step 22   To enable the CA to use your new template, in the Enable Certificate Templates window, click the name of the new template that you created in the previous steps, and then click OK.
              Set the default template

              Use this procedure to set the certificate template that supports either IPsec or SSL as the default template.

              Procedure
                Step 1   On the Microsoft Windows Server 2008 server, choose Start > Run.
                Step 2   In the Open field, enter regedit.
                Step 3   Click OK.
                Step 4   In the Registry Editor window, in the left pane, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.
                Step 5   In the right pane, double-click the EncryptionTemplate key.
                Step 6   In the Value data field, enter the name of the new certificate template you created in Step 7 of Create the SCEP template.
                Step 7   Click OK.
                Step 8   Repeat Steps 5 to 7 for both the GeneralPurposeTemplate and SignatureTemplate keys.
                Step 9   Save and reboot the CA.
                Disable the SCEP challenge password

                Use this procedure to disable the SCEP challenge password so clients are not required to obtain the out-of-band password before SCEP enrollment.

                Procedure
                  Step 1   On the Microsoft Windows Server 2008 server, choose Start > Run.
                  Step 2   In the Open field, enter regedit.
                  Step 3   Click OK.
                  Step 4   In the Registry Editor window, in the left pane, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword.
                  Step 5   If you do not see the EnforcePassword key, right-click in the right pane, choose New > DWORD (32-bit) Value, and name the key EnforcePassword.
                  Step 6   In the right pane, click the EnforcePassword key.
                  Step 7   In the Edit DWORD dialog box, in the Value data field, enter 0 to disable the SCEP challenge password.
                  Step 8   Click OK.
                  Step 9   Exit regedit.
                  Step 10   Save and reboot the CA.
                  Set up the ASA for secure connect and certificate-based authentication

                  We recommend that you use this authentication method with the SCEP certificate enrollment scheme because it provides strong security and usability. Deployment for this method requires a Cisco ASA 5500 Series Adaptive Security Appliance (ASA) and a Certificate Authority (CA).

                  After you set up the CA, perform the following tasks on the ASA:

                  1. Set up an AnyConnect connection profile for SCEP enrollment
                  2. Add the certificate authority to the trustpoint
                  3. Set up the Dynamic Access Policy
                  4. Set up the AnyConnect client profile
                  5. Set up an AnyConnect connection profile for certificate authentication

                  Before You Begin
                  • Make sure your ASA software is Version 8.4.1 or later.
                  • Verify that the LINUX (3.0.x or later, 32-bit version) package is present by selecting Network (Client) > AnyConnect Client Settings. Look for a package that uses the following format: anyconnect-linux-3.0.xxxx-k9.pkg. If the package is absent or out of date, download the latest Cisco AnyConnect VPN client software package from http://www.cisco.com/cisco/software/navigator.html. Search for “AnyConnect Secure Mobility Client.”
                  • Verify that you have appropriate licenses before enabling secure connect on devices. The secure connect feature requires either AnyConnect Essentials licenses (minimum requirement) or AnyConnect Premium licenses.
                  Set up an AnyConnect connection profile for SCEP enrollment

                  Use this procedure to set up an AnyConnect connection profile (tunnel group) for Simple Certificate Enrollment Process (SCEP).

                  SCEP enrollment provides a scalable and secure means for Cisco Jabber users to create and download a personal or user certificate to use with secure connect. The certificate is a credential for authenticating secure connect sessions. Administrators can enter enrollment and secure connect values in the TFTP file to simplify the user experience when initiating certificate enrollment.

                  Procedure
                    Step 1   On the ASDM, in the left pane, choose Network (Client) Access > AnyConnect Connection Profiles.
                    Step 2   In the Connection Profiles section, add or choose the profile you want to set up as the SCEP group.
                    Step 3   Click Edit to open the Edit AnyConnect Connection Profile window for the selected profile.
                    Step 4   Choose the Both radio button for Authentication Method.
                    Step 5   In the AAA Server Group drop-down list, choose the server on which the user information is stored.
                    Step 6   In the Client Address Assignment section, choose the None radio button.
                    Step 7   In the Client Address Pools field, enter the pool you have associated with the profile.
                    Step 8   In the Default Group Policy section, enter a name for the Group Policy, and check the Enable SSL VPN client protocol check box.
                    Step 9   In the DNS Servers field, enter the IP address for the DNS server you want to use.
                    Step 10   In the Domain Name field, enter the domain name you want to use. For example, company.com.
                    Step 11   In the left pane, choose Advanced > General.
                    Step 12   Choose Enable Simple Certificate Enrollment Protocol (SCEP) for this Connection Profile.
                    Step 13   Choose Network (Client) Access > Group Policies.
                    Step 14   Choose the group policy you created.
                    Step 15   Click Edit.
                    Step 16   Ensure that Inherit is selected for Banner, Address Pools, and IPv6 Address Pools.
                    Step 17   In the SCEP forwarding URL, ensure that Inherit is not selected, and enter the address for the Certificate Authority.
                    Add the certificate authority to the trustpoint

                    Use this procedure to add the certificate authority to the trustpoint. Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint includes the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

                    For automatic enrollment, a trustpoint must be configured with an enrollment URL, and the CA that the trustpoint represents must be available on the network and must support SCEP.

                    Procedure
                      Step 1   On the ASDM, choose Certificate Management > CA Certificates.
                      Step 2   Click Add.
                      Step 3   In the Trustpoint Name field, enter a name for the trustpoint.
                      Step 4   Choose the Use SCEP radio button.
                      Step 5   In the SCEP URL: http// field, enter the full SCEP enrollment URL.

                      Example:
                      • For Microsoft CA: http://<ca-ip-or-name>/certsrv/mscep/mscep.dll
                      • For other CAs: http://<ca-ip-or-name>/cgi-bin/pkiclient.exe
                      Step 6   Click Install Certificate.
                      Set up the Dynamic Access Policy

                      Set up a Dynamic Access Policy to support the SCEP proxy.

                      The system uses dynamic access policies to enforce rules of eligibility to enroll for a certificate.

                      Procedure
                        Step 1   On the ASDM, choose Network (Client) Access > Dynamic Access Policies.
                        Step 2   On the Configure Dynamic Access Policies window, click Add to create a new Dynamic Access Policy. For more information, see http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/vpn_asdm_dap.html.
                        Step 3   In the AAA Attribute section, click Add.
                        Step 4   In the AAA Attribute Type drop-down list, select Cisco.
                        Step 5   Check the SCEP Required check box.
                        Step 6   Verify the operation and value drop-down lists are set to = true.
                        Step 7   Click OK.
                        Step 8   In the Advanced section, choose the AND radio button.
                        Step 9   In the Logical Expression field, enter EVAL(endpoint.device.id , “NE”, aaa.cisco.username2, “caseless”).
                        Set up the AnyConnect client profile

                        Use this procedure to specify the VPN connection attributes for client-based connections.

                        Procedure
                          Step 1   Create an AnyConnect client profile. For more information, see http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/vpn_asdm_setup.html#wp1119491.
                          Step 2   Choose Network (Client) Access > AnyConnect Client Profiles.
                          Step 3   Highlight the AnyConnect client profile you just created.
                          Step 4   Click Edit.
                          Step 5   In the left pane, choose Certificate Enrollment.
                          Step 6   Check the Certificate Enrollment check box.
                          Step 7   In the CA URL field, enter the address for the SCEP Certificate Authority server.
                          Step 8   In the Certificate Contents section, in the Name (CN) field, enter %USER%.
                          Step 9   In the Company (O) field, enter your company name.
                          Step 10   Ensure that the Display Get Certificate Button check box is checked.
                          Step 11   In the left pane, choose Server List.
                          Step 12   In the right pane, click Add.
                          Step 13   In the Host Display Name (Required) field, enter the fully qualified domain name of the ASA gateway.
                          Step 14   In the Primary Protocol drop-down list, choose SSL.
                          Step 15   Click OK.
                          Set up an AnyConnect connection profile for certificate authentication

                          Use this procedure to create a connection profile (tunnel group) that enables users to authenticate with the certificate they obtain with the SCEP connection profile.

                          Procedure
                            Step 1   On the ASDM, configure an AnyConnect SSL VPN connection profile, using the AnyConnect VPN Wizard. To start the wizard, choose Wizards > VPN Wizards > AnyConnect VPN Wizard. For more information, see http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/wizard_vpn.html#wp1052383.
                            1. For VPN Protocols, check SSL check box.
                            2. In the Device Certificate field, choose the trustpoint created in Create an identity certificate.
                            Step 2   Choose Network (Client) Access > AnyConnect Connection Profiles.
                            Step 3   Highlight the AnyConnect connection profile you just created.
                            Step 4   Click Edit.
                            Step 5   In the Authentication section, select the Certificate radio button for the Method.
                            Step 6   Click OK.
                            Step 7   Choose Advanced > AnyConnect > Client > Dead Peer Detection.
                            Step 8   For Gateway Side Detection, check the Inherit check box.
                            Step 9   For Client Side Detection, check the Inherit check box.
                            Step 10   Click OK.
                            Step 11   Choose Advanced > AnyConnect Client.
                            Step 12   For Datagram TLS:
                            1. Uncheck the Inherit check box.
                            2. Select the Enable radio button.
                            Step 13   Click OK.

                            Set up the ASA for secure connect using AAA authentication

                            Use the following procedures to set up the ASA for Cisco Jabber with secure connect using authentication, authorization, and accounting (AAA) to provide password-based authentication. Deployment for this method requires an ASA. If you are using one time passwords, each user requires a password generator.


                            Note

                            We recommend deploying Cisco Jabber with secure connect using certificate-based authentication. The next preferred method is password-based authentication using AAA on RADIUS servers.

                            Set up secure connect with the following procedures:

                            1. Add a AAA server group to the ASA
                            2. Set up an AnyConnect connection profile for AAA authentication
                            Before You Begin
                            • Make sure your ASA software is Version 8.0 or later.
                            • Verify that the LINUX (3.0.x or later, 32-bit version) package is present by selecting Network (Client) > AnyConnect Client Settings. If the package is absent or out of date, download the latest Cisco AnyConnect VPN client software package from http://www.cisco.com/cisco/software/navigator.html.
                            • Verify you have enough licenses before enabling secure connect on devices. The secure connect feature requires either AnyConnect Essentials licenses (minimum requirement) or AnyConnect Premium licenses.
                            Add a AAA server group to the ASA

                            Use this procedure to add a AAA server group to your ASA that allows users to authenticate with either a one-time or static password.

                            For information about adding the AAA server group, see the procedure called “Configuring AAA Server Groups” at http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html.

                            For one-time password authentication, point to a AAA server that supports one-time password authentication.

                            For static password authentication, point to a AAA server that supports static passwords (either the local user database or another server that supports static passwords).

                            For detailed information about how to set up AAA authentication for network access, see http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html.

                            Set up an AnyConnect connection profile for AAA authentication

                            Use this procedure to create a connection profile (tunnel group) that enables users to authenticate with AAA using a one-time or static password.

                            Procedure
                              Step 1   On the ASDM, configure an AnyConnect SSL VPN connection profile, using the AnyConnect VPN Wizard. To start the wizard, choose Wizards > VPN Wizards > AnyConnect VPN Wizard. For more information, see http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/wizard_vpn.html#wp1052383.
                              Step 2   For VPN Protocols:
                              1. Check the SSL check box.
                              2. In the Device Certificate field, choose the trustpoint created in Create an identity certificate.
                              Step 3   For Client Images, choose the LINUX (3.0.x or later, 32-bit version) package.

                              If the package is absent or out of date, download the latest Cisco AnyConnect VPN client software package from http://www.cisco.com/cisco/software/navigator.html.

                              Step 4   For Authentication Methods, choose the AAA Server Group created in Add a AAA server group to the ASA.

                              Set up Unified CM to use secure connect

                              Use this procedure to set up the Unified CM device to use the secure connect feature.

                              Procedure
                                Step 1   Sign in to Cisco Unified Communications Manager Administration.
                                Step 2   Choose Device > Phone to open or add the device on which you want to set up secure connect.
                                Step 3   In the Preset Wi-Fi Networks field, enter the SSIDs for Wi-Fi networks (SSIDs) that are approved by your organization. Separate SSIDs with a forward slash (/). Devices do not connect to secure connect if they are connected to one of the entered Wi-Fi networks.
                                Step 4   In the Enable Secure Connect list box, select Enabled.
                                Step 5   In the Secure Connect Gateway Address field, enter the IP address or hostname for the ASA gateway on which you set up SCEP or passwords.
                                Step 6   If using certificate-based authentication, in the Secure Connect Certificate Enrollment Group (SCEP) field for certificate-based authentication, enter the group you created on the ASA. For AAA (password-based) authentication, leave this field blank. This field is case sensitive.
                                Step 7   If using certificate-based authentication, in the Secure Connect Authentication Group field, enter the secure VPN tunnel group name to which the user signs in.
                                Step 8   In the Secure Connect Username field, enter the SCEP username for certificate-based authentication. For AAA (password-based) authentication, enter the authentication username.
                                Step 9   Click Save.
                                Step 10   Click Apply Config.
                                Step 11   Click Reset.
                                What to Do Next

                                Verify that your configuration works:

                                • On the Android phone, clear the Cisco Jabber data.
                                • Make sure the mobile device is connected to the corporate network. Verify that you can access a web page on your corporate intranet using the browser on your device.
                                • Within the corporate Wi-Fi network, launch Cisco Jabber and complete the setup wizard.
                                • Wait for a notice that the device is registered. The Cisco Jabber icon in the status bar turns black when the device is connected to Cisco Unified Communications Manager.
                                • Test the device from a noncorporate Wi-Fi network or mobile data network. Confirm the following:
                                  • You can connect to the corporate network.
                                  • Secure connect is connected. To verify your connection, in Cisco Jabber for Android, tap Menu > Settings > Accounts > Secure Connect. When you are connected, Cisco Jabber for Android displays the following text: “Connected over secure connect.”
                                  • The device is registered.
                                  • You can use the basic telephony features in Cisco Jabber (for example, you can make, hold, and transfer calls).

                                Enable Enhanced Message Waiting Indicator

                                A Message Waiting Indicator alerts users to the presence of new voice messages. Enhanced Message Waiting Indicator provides a count of unheard messages on systems that support this feature. Users can call the voice messaging system to retrieve the messages.

                                Note

                                To enable the basic Message Waiting Indicator, follow the instructions in the Cisco Unified Communications Manager documentation for your release. There are no unique configurations for this client.

                                If your deployment supports Enhanced Message Waiting Indicator, enable this option in the Cisco Unity Connection Administration portal.

                                Procedure
                                  Step 1   Sign in to Cisco Unified Communications Manager Administration.
                                  Step 2   Select Telephony Integrations.
                                  Step 3   Select Phone System.
                                  Step 4   Select Cisco Unified Communications Manager server.
                                  Step 5   Select Send Message Counts.

                                  Specify directory search settings

                                  Specify the settings that the client will use to connect to the directory server. When the user sets up the client, these settings will be automatically configured on the client.
                                  Before You Begin

                                  Identify attributes in your corporate directory schema that are different from, or additional to, the application defaults. You must map changed attributes later in this procedure.

                                  Element

                                  Element name

                                  Default Active Directory attribute

                                  Default attribute for all other LDAP servers

                                  Your value, if different

                                  Unique identifier

                                  identifier

                                  distinguishedName

                                  distinguishedName

                                  		 

                                  Display name

                                  displayName

                                  displayName

                                  cn

                                  		 

                                  Email address

                                  emailAddress

                                  mail

                                  mail

                                  		 

                                  First name

                                  firstName

                                  givenName

                                  givenName

                                  		 

                                  Last name

                                  lastName

                                  sn

                                  sn

                                  		 

                                  User ID

                                  userid

                                  sAMAccountName

                                  uid

                                  		 

                                  Main phone number

                                  mainPhoneNumber

                                  telephoneNumber

                                  telephoneNumber

                                  		 

                                  Home phone number

                                  homePhoneNumber

                                  		     

                                  Second home phone number

                                  homePhoneNumber2

                                  		     

                                  Mobile phone number

                                  mobilePhoneNumber

                                  		     

                                  Second mobile phone number

                                  mobilePhoneNumber2

                                  		     

                                  Direct to voicemail phone number

                                  voicemailPhoneNumber

                                  voicemail

                                  		   

                                  Fax number

                                  faxPhoneNumber

                                  facsimileTelephoneNumber

                                  		   

                                  Other phone number

                                  otherPhoneNumber

                                  		     

                                  Manager

                                  manager

                                  manager

                                  Direct reports

                                  directReports

                                  directReports

                                  Title

                                  title

                                  title

                                  Department

                                  department

                                  department

                                  Procedure
                                    Step 1   Sign in to Cisco Unified Communications Manager Administration.
                                    Step 2   Navigate to the Cisco Dual Mode device page for the user.
                                    Step 3   Enter LDAP User Authentication settings.
                                    • If credentials are not needed to access directory services, select Disabled.
                                    • If users must enter credentials to access directory services, select Enabled.
                                    Step 4   Enter LDAP server IP address or hostname.
                                    • If you are not deploying Directory Search in Cisco Jabber, leave this field blank.
                                    • Otherwise, enter the IP address or hostname, and port number of your directory server.
                                    Use the format YourDirectoryServer.YourCompany.com:portnumber.
                                    • If Global Catalog is enabled, use port 3269 for secure SSL connections and 3268 for nonsecure connections.
                                    • If Global Catalog is not enabled, do not enter a port.
                                    If you enter an IP address or hostname but do not enter a port, the client tries to connect to ports 389 or 636, depending on the SSL setting.
                                    Step 5   Choose Enabled or Disabled as required by your directory server to enable LDAP SSL.
                                    Step 6   Enter the LDAP Search Base using the format: CN=users,DC=corp,DC=yourcompany,DC=com. By default, this application uses the search base found in a RootDSE search on the defaultNamingContext attribute. If you need to specify a different search base, enter the Distinguished Name of the root node in your corporate directory that contains user information. Use the lowest node that includes the necessary names. Using a higher node will create a larger search base and thus reduce performance if the directory is very large.
                                    Note    To help determine the optimal search base, you can use a utility such as Active Directory Explorer (available from Microsoft) to view your data structure.
                                    Step 7   Enter the LDAP field mappings. LDAP field mappings identify the attributes in your directory that hold the information to be searched and displayed for directory searches. Enter any field mappings that do not match the default as name=value pairs, separating each field with a semicolon (;).

                                    Example:displayName=nickname;emailAddress=email Use the Element Name value as the name value.
                                    Step 8   Enter the LDAP photo location. Enter the pathname to the image files on your HTTP server. Be sure to specify the correct graphics file type (for example, jpg or png). Use the variable %%LDAP Attribute %% to represent the LDAP attribute.

                                    Example:http://yourcompany.cisco.com/photo/std/%%userID%%.jpg

                                    You must include the double percent symbols in the string.

                                    Cisco Jabber will automatically resize the images as needed, but smaller images will be processed faster.

                                    Your photos must be stored on an HTTP server, with filenames that are identical to the values in an LDAP directory attribute (excluding the filename extension).

                                    By default, Cisco Jabber uses the attribute mapped to the userid element in the LDAP Field Mappings table that precedes this procedure. You can specify a different attribute in the LDAP Field Mappings field.



                                    Example:An image file from your directory is named jsmith.jpg, and the value in the cn attribute is jsmith. You have used the LDAP Field Mappings field to map the userid element to the cn attribute in your LDAP directory.
                                    Step 9   Select Save.
                                    Step 10   Restart Cisco Jabber.
                                    What to Do Next

                                    Test the directory search feature.