Policy Editor

Overview

Cisco WebEx provides a Policy Editor to define and apply policies for your groups. Policies can be used to enable or disable features such as file transfer, desktop sharing, archiving IM sessions, and automatically upgrading Cisco WebEx. You can apply policies for all the users within your Cisco WebEx organization or to a specific groups of users.

You cannot apply policies to an individual.

Policies and Policy Actions

A policy is a set of rules that includes actions which determine the Cisco WebEx features available to groups of users or to an entire Cisco WebEx organization. Thus, a policy can include multiple actions which are enabled, disabled, or available for advanced configuration. For example, a customer who wants to restrict certain Cisco WebEx capabilities for New Employees can create a policy named New Employee Policy and associate various actions with that policy.

An action is a Cisco WebEx capability that can be regulated via policies. For example, the External File Transfer action corresponds to the capability of exchanging files with users outside the Cisco WebEx organization.

Defining and Applying Policies

It is important to understand the difference between Organization level policies and group level policies.

When you create new users in your Cisco WebEx organization, they do not belong to any groups by default. All default policy actions therefore apply to your entire Cisco WebEx organization. This is because the top-level group, typically created at the time of provisioning includes all the users of the Cisco WebEx organization.

When the Organization Administrator creates groups and applies specific policies to these groups, the group-level policies override the organization-level policies. Users belonging to these groups are now be governed by the group-level policies instead of the organization-level policies. For example, if the Organization Administrator applies a policy that prohibits external VOIP communications for a particular group, users of that group are unable to communicate using VOIP. However, external VOIP communications may still be enabled for all other users in the organization.

You can apply policies at the Organization level or to specific groups. However, if there is a conflict in policy settings between the organization level and group level (or between a parent group and its sub-groups), the most restrictive actions take effect. For example, if VOIP capability is turned on (Enabled) at the organization level, but turned off (Disabled) at the group level, VOIP capability for all users within the group is disabled. However, if VOIP capability is turned off at the organization level but the group has enabled it, VOIP capability is still disabled for the users of the group.

The Policy Editor

Use the Cisco WebEx Administration Tool to set policies. You can set different policies for each group and make changes to your policies at any time. If your Cisco WebEx organization is newly provisioned, all capabilities are enabled for all users by default, except the capability that requires users to use AES encryption.


Note

If you have modified or updated any policy, you need to first sign out of Cisco WebEx and then sign in again for the updated policy to take effect.

To learn how to apply policies to your groups, see Assign Policies to a Group.

Add a Policy

Procedure
    Step 1   Select the Policy Editor tab. The Policy List appears to the left and the Action List appears at the right of the Policy screen.
    Step 2   Under Policy Listselect Add. The new policy appears at the top of the list of existing policies. 
    Step 3   Enter a unique name for the policy.
    What to Do Next

    To add actions for this policy, see Add Actions to a Policy

    Add Actions to a Policy

    Procedure
      Step 1   Select the Policy Editor tab. The Policy List appears to the left and the Action List appears at the right of the Policy Editor screen.
      Step 2   Under Policy Name select the policy to which you want to add actions.
      Step 3   To add actions, select Add under Action List on the right of the screen. The Action Editor screen appears. 
      Step 4   Select a policy action from the Action Tag Name list.

      For more information on these actions, see Policies and Policy Actions

      Step 5   Select Save.
      Step 6   Repeat Steps 3-5 until all of your policies have actions assigned to them.

      Policy Actions Available in Cisco WebEx

      This section describes the policy actions available in Cisco WebEx. The description also includes information about the impact a policy action has on the features that it controls. This enables you to set the most appropriate policies on the groups that you administer. For information on how to view and set policy actions, see Add Actions to a Policy.

      By default, a newly provisioned Cisco WebEx organization has all the capabilities granted to all the users. This means all Cisco WebEx features are available to all users by this default policy action.


      Note

      Only the end-to-end encryption policy is not enabled by default. The Organization Administrator needs to explicitly enable this policy. Administrators then need to create policies only if specific capabilities for all the users or specific groups of users need to be disabled.

      Policy actions cannot be enforced on users using third-party XMPP IM applications.

      No more than 10 VoIP conference attendees can be connected to the same VoIP conference simultaneously.

      External users are users who do not belong to the Cisco WebEx organization but can still use Cisco WebEx to communicate with users who belong to the Cisco WebEx organization.

      Policy Action

      Description

      Impact

      Default Value

      External File Transfer

      Controls file transfer in an IM session between organization users and users outside the organization.

      Setting this policy action to Disabled will stop all file transfers between the organization users and external users, including multi-party IM sessions with at least one external user.

      Enabled

      Internal File Transfer

      Controls file transfer in an IM session between users within the organization.

      Setting this policy action to Disabled will stop all internal file transfers.

      When this policy action is not explicitly set to Disabled, all the users within the organization will have the ability to exchange files with the internal users.

      Enabled

      External IM

      Controls IM sessions between users in the organization and users outside the organization.

      Setting this policy action to Disabled will stop all IM sessions between users in the organization and users outside the organization. This will also stop all dependent services like voice, video, and VOIP.

      Enabled

      External VOIP

      Controls VOIP communications in IM sessions between users in the organization and users outside the organization

      Setting this policy action to Disabled will stop all VOIP communications in IM sessions between users in the organization and users outside the organization. However, other services like text-based IM sessions and file transfers will be available

      Enabled

      Internal VOIP

      Controls VOIP communications in IM sessions between users within the organization.

      Setting this policy action to Disabled will stop all VOIP communications in IM sessions between users within the organization. However, other services like text-based IM sessions and file transfers will be available.

      When this policy action is not explicitly set to Disabled, all the users within the organization will have the ability to use VOIP communications in IM sessions.

      Enabled

      External Video

      Controls video services in IM sessions between users in the organization and users outside the organization

      Setting this policy action to Disabled will stop all video services in IM sessions between users within the organization and users outside the organization. However, other services like text-based IM sessions and file transfers will be available.

      Enabled

      Internal Video

      Controls video services in IM sessions between users within the organization.

      Setting this policy action to Disabled will stop all video services in IM sessions between users within the organization. However, other services like text-based IM sessions and file transfers will be available.

      When this policy action is not explicitly set to Disabled, all the users within the organization will have the ability to use video communications in IM sessions.

      Enabled

      Local Archive

      Controls the ability of the user to locally archive IM text messages.

      Starting with the 7.1 application, previous stored local history will be deleted when this policy is set to Disabled.

      In the Cisco WebEx application, the following option is disabled: Edit > Settings > General IM > Message Archive.

      If you are upgrading from Cisco WebEx version 5.x to 6.x, the chat history archive stored on the users' local computers will be deleted and cannot be recovered. It is recommended that the Organization Administrator communicates this to all Cisco WebEx organization users. Additionally, users need to backup their individual chat archives before Cisco WebEx is upgraded to a newer version.

      Beginning with 7.1, local history will be deleted when this policy is set to Disabled.

      Enabled

      Join Workspace

      		   

      Enabled

      Join External Workspace

      		   

      Enabled

      External Desktop Share

      Controls the ability of users within the organization to share their desktop with users outside the organization.

      Setting this policy action to Disabled prevents users within the organization from sharing their (local) desktop with users outside the organization.

      When this policy action is not explicitly set to Disabled, users can share their (local) desktop with users outside the organization.

      Enabled

      Internal Desktop share

      Controls the ability of users within the organization to share their desktop with other users within the organization.

      Setting this policy action to Unchecked prevents users within the organization from sharing their desktop with other users within the organization.

      When this policy action is not explicitly set to Disabled, users can share their desktop with other users inside the organization.

      Enabled

      Workspace Feature

      		   

      Enabled

      Invite Users to Workspace

      		   

      Enabled

      Invite Users External Workspace

      		   

      Enabled

      Support End-to-End Encryption For IM

      Enables users to specify support for end-to-end Encryption for IM sessions.

      Setting this policy action to Enabled will allow support for end-to-end Encryption for IM sessions.

      If a user is designated to be logged, the end-to-end encryption policy setting will be overridden to be FALSE. End-to-end encryption is not supported for logged users. For more information, see Overview of IM Logging and Archiving.

      Disabled

      Support NO Encoding For IM

      Controls whether applications with end-to-end encryption enabled can initiate an IM session with applications that do not have end-to-end encryption enabled or with 3rd party applications that do not support end-to-end encryption.

      Setting this policy to Disabled prevents applications with end-to-end encryption enabled from initiating an IM session with applications that do not have end-to-end encryption enabled or with 3rd party applications that do not support end-to-end encryption.

      Note   

      If the Support End-to-End Encryption For IM is set to Enabled, the encryption level negotiated is the highest level that the other party supports. For more information about encryption levels, see Encryption Levels.

      Enabled

      Internal IM (including White Listed domains)

      Controls IM communication between users within the organization and specific domains on the white list.

      Setting this policy action to Disabled will prevent users within the organization from being able to IM users within the domains specified in the white list. However, users within the domain will continue to be able to IM each other. Setting this policy action to Disabled will also disable other dependent services such as VOIP, Video and FileTransfer.

      Enabled

      Upload Widgets

      		   

      Enabled

      Allow user to edit profile

      Controls the ability to restrict users from editing their profile information.

      Setting this policy action to Disabled will prevent users from editing their profile information.

      This policy action impacts the settings in the Profile Settings screen under the Configuration tab.

      Enabled

      Allow user to edit the view profile setting

      Controls the ability to restrict groups of users from changing their user profile view settings.

      Setting this policy action to Disabled prevents users from changing their user profile view settings.

      This policy action impacts the Allow users to change their profile view settings check box in the Profile Settings screen under the Configuration tab.

      When this policy action is set to Disabled, the Allow users to change their profile view settings check box will have no impact even if it is selected.

      Enabled

      Internal Screen Capture

      Controls users' ability to send a screen capture to users within the organization.

      Setting this policy action to Disabled prevents users within the organization from sending screen captures within the organization.

      Enabled

      External Screen Capture

      Controls users' ability to send a screen capture to users outside of the organization.

      Setting this policy action to Disabled prevents users within the organization from sending screen captures outside of the organization.

      Enabled

      Send Internal Broadcast Message

      Controls users' ability to send broadcast messages to users within the organization.

      Setting this policy action to Disabled prevents users within the organization from sending broadcast messages inside the organization.

      Enabled

      Send External Broadcast Message

      Controls users' ability to send broadcast messages to users outside of the organization.

      Setting this policy action to Disabled prevents users within the organization from sending broadcast messages outside of the organization.

      Enabled

      Allow user to send broadcast to a directory group

      Controls users' ability to send broadcast messages to a directory group within the organization.

      Setting this policy action to Disabled prevents users within the organization from sending broadcast messages to a directory group within the organization.

      Enabled

      HD Video

      Controls the HD Video feature on computer to computer calls when External Video or Internal Video policies are enabled

      Setting this policy action to Disabled will prevent HD Video for all computer to computer calls.

      Enabled

      Organization Administrators who want to disable the following policy actions for all users should set their value to FALSE:

      • Internal VoIP

      • External VoIP

      • Internal Video

      • External Video

      • Internal File Transfer

      • External File Transfer

      • Internal Desktopshare

      • External Desktopshare

      Encryption Levels

      Typically, all IM communication between Cisco WebEx applications are encrypted both within the Cisco WebEx organization and outside of it. The IM communication is encrypted at the originating Cisco WebEx application and decrypted at the destination application. This encryption applies to all forms of IM communication including text, desktop (and application) sharing, file transfer, VOIP, and video.

      Cisco WebEx provides three levels of encryption:

      • 256-bit Advanced Encryption Standard (AES)/End-to-End encryption: Provides an additional layer of security, where data is encrypted using AES at the application and decrypted only at its destination.

      • 128-bit Secure Sockets Layer (SSL): Connectivity between an application and the SSL termination point in the data center is encrypted. In Cisco WebEx version 6 or later, Cisco WebEx applications always use SSL (Secure Sockets Layer) to connect to Cisco WebEx Data Centers.

      • No encryption: The data is not encrypted, but connectivity maybe SSL (for Cisco WebEx version 5.x). For Cisco WebEx version 6 or later, connectivity is always SSL.

        The level of encryption depends on the policy set by the Organization Administrator. The Organization Administrator can apply the encryption policy either across the Cisco WebEx organization or to specific groups.

        The Cisco WebEx application automatically determines its encryption level from the policy applicable to the user logged into the application. Therefore, if a Cisco WebEx organization's policy settings do not allow a particular encryption level, the IM session will be disallowed and the applicable error message will be displayed to all applications in the IM session.


        Note

        In a group IM scenario, the encryption level will be negotiated between all the users when the initial invite is sent out. After the IM session is established, subsequent attendees will need to support the negotiated encryption level to be able to participate.

        The following example explains a typical encryption policy for IM sessions.

        An organization that chooses to adopt end-to-end encryption can choose from these policy options:

      • Allow only end-to-end encryption. Do not set end-to-end encryption exclusively if you have users that you need to log IMs for. This is because IM logging will take precedence over end-to-end encryption.

      • Allow both end-to-end encryption and SSL encryption. This option is applicable if you are using Cisco WebEx version 5.x.

      • Allow end-to-end encryption, SSL encryption, and no encryption.

        In the Action Editor, you need to set Enabled or Disabled for each of these encryption levels based on the policy option you choose.

      The following table illustrates the impact of these policy options.

      Application A Policies

      Application B Encryption Level

       

      End-to-end encryption

      SSL

      SSL

       

      Only end-to-end encryption

      End-to-end encryption

      Don't allow

      Don't allow

      End-to-end encryption or SSL

      End-to-end encryption

      SSL

      Don't allow

      End-to-end encryption or SSL or no encryption

      End-to-end encryption

      SSL

      No encryption

      In the Action Editor, you need to set Enabled or Disabled for each of these encryption levels based on the policy option you choose.