Symphony Administration Guide

Enterprise & Business Tiers 31 August 2018

Copyright © 2014–2018 Symphony. All Rights Reserved. Symphony and the Symphony logo are registered trademarks in the U.S. and other countries.

ADMINISTRATION GUIDE – ENTERPRISE & BUSINESS TIERS 31 AUGUST 2018

Table of Contents

Introducing Symphony ...... 9
Preparing your installation - what you need before starting ...... 9
Things you need to know ...... 9
FQDNs and names used in this guide ...... 9
Locating your admin credentials and pod configuration details ...... 9
Things you should have ...... 9
Equipment and platform compatibility ...... 9
Identifying and accessing your Symphony service ...... 10
Access to Symphony Cloud Services ...... 10
Emails from Symphony ...... 10
Getting Started – Logging in to the Admin Portal ...... 11
Understanding accounts ...... 11
Log in to the Admin Portal ...... 11
Take a quick tour ...... 12
Usage Statistics ...... 14
Large Room Optimizations ...... 14
AC Portal Two-Factor Authentication ...... 15
Create another admin account ...... 17
Creating end user accounts ...... 17
Notification of Account creation ...... 19
Set up password with email ...... 20
First time user login — Pre-populating the user’s IM contacts and filters ...... 21
Reviewing your new accounts ...... 21
Account Audit Trail ...... 21
Filtering Interface for Audit Trail ...... 22
Compliance Officers’ Audit Trail ...... 23
Conversations ...... 23
Changing your password ...... 24
Logging out of the Admin Portal ...... 24
Key Management Infrastructure (Assisted Installation) ...... 24
The Symphony Private Pod Architecture ...... 25
Selecting your Deployment Option ...... 26
Option 1: SM and Key Manager Operating in the cloud ...... 26
Option 2: Software SM and on-premises Key Manager ...... 27


Option 3: HSM and on-premises Key Manager ...... 28
Load Balancers ...... 29
Installing the Key Manager ...... 29
Install the host server for your Key Manager and Software SM ...... 29
Download the KeyManager RPM file ...... 31
Installing the Java Cryptography Extension (JCE) ...... 31
Running the RPM Installation ...... 31
Configuring Certificates ...... 32
Bootstrapping the Software SM and HSM Keys ...... 32
Software SM JSON file ...... 32
Safenet LUNA hardware HSM – Partition Requirements and Size ...... 33
Safenet LUNA hardware HSM – Partition Policies ...... 33
Safenet LUNA hardware HSM – JSON File ...... 35
Bootstrapping your Keys ...... 36
Migrating keys from a SoftSM to an HSM ...... 36
Tomcat and KeyManager Configuration ...... 38
Starting and Stopping the Tomcat service ...... 39
Luna SA 7000 firmware versions ...... 40
Migrating keys from a SoftSM to an HSM ...... 41
Updating your Key Manager ...... 43
Managing your pod ...... 44
The Symphony Pod ...... 44
Roles ...... 44
Super Administrator and Administrator Roles ...... 44
Compliance Roles ...... 48
SCO can grant entitlements to COs ...... 48
Searching and filtering ...... 49
Create a user and generate a password manually ...... 50
Editing a user ...... 50
Changing the Username ...... 51
Deactivating an account ...... 52
Promoting an end user to admin ...... 52
Changing a user’s password ...... 52
Creating Service Accounts ...... 53
Management of Certificates in the Admin Portal ...... 55
RSA Authentication for Service Accounts ...... 56
Feature Entitlements ...... 56
User level entitlements supported by Symphony ...... 57
Configuration scenarios ...... 58
Disable features for the entire pod ...... 60


Enabling feature settings for new users by default ...... 60
Manually setting features for all users (without using default values) ...... 60
Enabling External Communications ...... 61
Managing File Extensions ...... 62
Meeting Events included in Audit Trail and Content Exports ...... 66
Selective Recording Beta (for Compliance Recording/Replay) ...... 66
Compact Mode (Beta) ...... 66
Multi-lateral (Multi-company) Chat ...... 67
Firehose (Beta) ...... 68
Can Manage Signal Subscriptions ...... 68
Audio, Video, Screen Share in Internal Meetings on Mobile (In anticipation of future availability) ...... 69
Meetings on iOS ...... 69
Multiple Company Names ...... 70
Pod level entitlements supported by Symphony ...... 70
Managing entitlements for mobile applications ...... 72
Mobile entitlements via the Symphony Admin Portal ...... 73
Making changes to an individual user ...... 74
Entitling Users to push Signals ...... 75
Improved Confidentiality on mobile clients ...... 76
Blacklist unaffiliated public users ...... 76
Ban users from Chat Rooms, or remove a ban ...... 77
Lock and unlock chat rooms ...... 79
Installing the desktop client ...... 81
Note on dependencies ...... 81
Pre-Configuring your Pod URL ...... 81
Launching the desktop client ...... 82
Authenticating using Single Sign-On (SSO) ...... 82
Configuration information required ...... 83
Notes on Symphony’s implementation of SSO ...... 83
SSO and Domain Names ...... 83
Configuring SSO ...... 83
Implications of SSO ...... 85
Switching off SSO ...... 85


SSO accounts that also have passwords ...... 86
LDAP Synchronization (Sync) ...... 86
LDAP Sync Architecture ...... 87
Supported Directory Systems ...... 88
Preparing to Install ...... 88
Installing the Java Cryptography Extension (JCE) ...... 89
Creating the Service User Account ...... 90
Configuring the Directory Bridge ...... 91
Downloading the Directory Bridge ...... 92
Installation Instructions ...... 92
Installation ...... 92
Configuration ...... 92
Config Validation ...... 93
Directory Bridge Usage ...... 94
Start Periodic Sync ...... 94
Stop Sync ...... 94
View Logs ...... 94
Run a One-Time Sync ...... 94
Account Deactivation using LDAP Sync ...... 94
Assigning the value used for deactivating or reactivating an account ...... 94
Assigning Feature Entitlements, Roles, Info Barrier Groups, and Disclaimers ...... 96
Mapping a group to receive entitlement, role, info barrier group, or disclaimer assignments ...... 97
Upgrade Instructions ...... 98
Directory Bridge Configuration Reference ...... 98
End user management of avatars ...... 98
Main Configuration File (directorybridge.properties) ...... 98
User Attribute Mappings (userAttributeMappings.json) ...... 100
Mandatory fields in the user attributes mappings file ...... 100
Group Mappings (groupMappings.json) ...... 102
Install Guide for Directory Bridge Prior to Version 1.49 ...... 104
Compliance ...... 104
Content Export ...... 104
Exporting Content in the MessageML Format ...... 106
Identification of Multi-Company Rooms ...... 106
Events Generated by Email Integration Feature ...... 106
Forwarded Messages ...... 106
New Capabilities in Version 1.5.7 of Symphony xsd File ...... 107
Installing the Content Export Bridge ...... 107
Installing the Java Cryptography Extension (JCE) ...... 107


Managing and Upgrading the Content Export Bridge ...... 114
Enabling Content Export ...... 115
Enabling SFTP Content Export ...... 115
Recurring Export ...... 116
Manual Export (AD-HOC) ...... 117
File names ...... 117
Content Export Verification ...... 119
Accessing the exported SFTP repository ...... 119
Exported Content ...... 120
Escaped Characters ...... 121
Content Export Self-Healing (CESH) ...... 122
Wall Post Information ...... 124
“From header” in EML export ...... 124
Recording Wall Post Likes ...... 124
Tracking of blastID in all formats ...... 124
Exporting shared articles ...... 125
Exporting messages created by an application on behalf of a user ...... 125
MessageMLv2 formatted messages ...... 125
Content Export Verification ...... 126
User Summary Information ...... 126
Active Compliance ...... 126
Expression Filters ...... 126
Audit Trail for Expression Filters ...... 128
Expression Filters v2 ...... 128
Policies ...... 129
Hierarchy of Expression Filter Policies ...... 131
Creating and Managing Dictionaries and Policies ...... 132
Enabling EFv2 at the Pod Level ...... 132
Creating Dictionaries ...... 132
Modifying Dictionaries ...... 134
How to Write Dictionaries ...... 134
Creating and Managing EFv2 Policies via the ACP ...... 138
Testing Policies ...... 139
Viewing Violations ...... 140
Exporting Policies, Dictionaries, and the Enforcement Audit Trail ...... 140
EFv2 APIs ...... 141
APIs Definition ...... 141
Install Guide for Symproxy (EFv2) ...... 142
Pre-requisites ...... 142


Installation ...... 142
Verifying that Symproxy application is running fine ...... 145
Stopping running Symproxy process ...... 148
Symproxy Error and Unhealthy States ...... 149
Information Barriers ...... 149
Chat Room Remediation ...... 151
Disclaimers ...... 151
Audit Trail for Disclaimers ...... 151
Content Search in All Conversations ...... 152
Monitoring ...... 154
Session Log ...... 155
View deleted wall posts ...... 156
The Symphony Platform ...... 156
REST API ...... 156
Agent Installation ...... 156
Configuring the Agent Application ...... 158
Client Extension API (JavaScript) ...... 160
Managing Applications ...... 160
Application Subscription Management ...... 164
Symphony Analytics App Setup & Administration ...... 165
Management of Symphony Integrations ...... 169
Provisioning APIs ...... 170
BULK MANAGE ACCOUNTS (CSV Import) ...... 170
Overview ...... 170
Get the CSV template ...... 171
Introducing the CSV format ...... 171
CSV for Symphony ...... 172
Password field ...... 174
More about SEND_EMAIL ...... 175
Importing CSV ...... 175
Displaying Bulk Job History ...... 176
Handling errors ...... 177
Create and modify users ...... 178
Managing admin accounts with the CSV file ...... 178
CSV best practices ...... 178


Deactivating accounts ...... 178
Usage Statistics and Audit Trail ...... 178
Usage statistics ...... 178
Appendix 1: Content Export Schema ...... 179


INTRODUCING SYMPHONY

Symphony is a cloud-based messaging and collaboration platform that connects markets, organizations and individuals, securely. Powered by an open and growing app ecosystem, and protected with end-to-end encryption, Symphony’s communications platform increases workflow productivity while facilitating global regulatory compliance. Already the platform of choice for the financial services industry, Symphony eliminates inefficient workflows to boost productivity in information driven businesses.

This guide describes how to plan, provision and administer a private pod - a dedicated version of Symphony.

PREPARING YOUR INSTALLATION - WHAT YOU NEED BEFORE STARTING

THINGS YOU NEED TO KNOW

You are free to name your Symphony service as you want, but Symphony needs to configure your choice during the initial creation of your service. Once this is done, you will receive confirmation of the creation of the pod, the pod name, the IP address range used in your cloud service and your admin credentials.

FQDNs and names used in this guide

As we mentioned above, you are free to name your Symphony service the way you want. In this guide, we will use the following representation to indicate your pod’s name: . Symphony.com

Some screenshots may also use: qa.Symphony.com

In either case, you should substitute the name you have selected for your Symphony service.

Note: Some examples in the LDAP Sync section use “fakecorp” to represent your company name; this should be changed to the name used in your corporate directory service.

Locating your admin credentials and pod configuration details

During the creation of your pod (your company’s dedicated Symphony cloud service) we provisioned the following items:

1. The FQDN (domain name) for your pod
2. The associated IP address range
3. The credentials for your Super Admin account
4. Credentials for the Super Compliance Officer account

You should have received all the relevant details in an email from Symphony Global Services. Note: Super Compliance Officers receive their credentials separately. Please locate this email and follow the instructions it contains.

THINGS YOU SHOULD HAVE

Equipment and platform compatibility

You should have the latest version of the Google Chrome browser running on Windows, Mac or Chromebook computers, or Internet Explorer (IE) 11.



IDENTIFYING AND ACCESSING YOUR SYMPHONY SERVICE

The Symphony client needs to have access to various components located outside your firewall.

Access to Symphony Cloud Services

Configure your firewall to allow the URLs and port numbers listed below. These values are provided as guidelines only. The actual names will be aligned with the service name you selected for your pod:

1. https:// .symphony.com port 443
2. http:// .symphony.com port 80
3. https://s3.amazonaws.com/user-pics-demo port 443
4. https://resources.symphony.com port 443

To confirm that the firewall is open, test each link: the result will be either a Symphony login page or a 500 error, both of which confirm that the server was reached and responded. You should now be able to start managing your pod.

Note: If you intend to activate Content Export, you will also need to allow the use of SFTP on port 22 by the system that will carry out the daily content download:

5. https://-tools.symphony.com port 22

Emails from Symphony

We use Amazon Simple Email Service (Amazon SES) to send application transaction emails.

Note: We will enable DKIM signatures for all Symphony application emails. Please ensure that you take the necessary steps with your email infrastructure to enable DKIM signature verification.

To avoid any spam filtering of Symphony application emails:

• Whitelist the FROM address no-reply-< OrgName >@symphony.com in your corporate email system.
• Make sure that emails from the following IPs are not blocked by your spam filters:

199.255.192.0/22
199.127.232.0/22
54.240.0.0/18

For more information about AWS SES and DKIM features, visit:

• http://sesblog.amazon.com/blog/tag/SPF
• http://sesblog.amazon.com/post/TxEH4YOF3YJG0L/Amazon-SES-IP-addresses
• http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html
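The three conditions above (the FROM address pattern, the SES source ranges and DKIM verification) are what a receiving mail gateway can actually check, so the following is an added example, not code from the Symphony guide, of a receiving-side check that classifies an inbound notification email against them. The two header-only sample messages are constructed for the example, the `Authentication-Results` parsing assumes RFC 8601 style output stamped by your own MX, and `mx.fakecorp.example` / `fakecorp` are placeholders for your own infrastructure and organization name.

```python
"""Added example, not part of the Symphony guide: check that an inbound
notification email is consistent with the guide's description of genuine
Symphony application mail (From address, SES source IP, DKIM result)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Amazon SES source ranges listed in the guide.
SES_RANGES = [ipaddress.ip_network(cidr) for cidr in
              ("199.255.192.0/22", "199.127.232.0/22", "54.240.0.0/18")]


def expected_from(org_name):
    """The FROM address the guide tells you to whitelist for your organization."""
    return f"no-reply-{org_name}@symphony.com"


def ip_in_ses_ranges(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in SES_RANGES)


def connecting_ip(msg):
    """IPv4 literal from the topmost Received header (the one your own MX added)."""
    for header in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if m:
            return m.group(1)
    return None


def dkim_passed(auth_results, signing_domain="symphony.com"):
    """True only if Authentication-Results carries dkim=pass for the expected domain."""
    if not auth_results:
        return False
    m = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", auth_results)
    return (bool(m) and m.group(1).lower() == "pass"
            and (m.group(2) or "").lower() == signing_domain)


def check_symphony_mail(raw_message, org_name):
    """Return the names of the failed checks; [] means all three passed."""
    msg = message_from_string(raw_message)
    failures = []
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() != expected_from(org_name).lower():
        failures.append("from-address")
    ip = connecting_ip(msg)
    if ip is None or not ip_in_ses_ranges(ip):
        failures.append("source-ip")
    if not dkim_passed(msg.get("Authentication-Results")):
        failures.append("dkim")
    return failures


# Constructed sample: a genuine notification after our MX (mx.fakecorp.example,
# a placeholder) has stamped the Received and Authentication-Results headers.
GENUINE = """\
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33])
\tby mx.fakecorp.example with ESMTPS; Fri, 31 Aug 2018 09:00:00 +0000
Authentication-Results: mx.fakecorp.example; dkim=pass header.d=symphony.com; spf=pass
From: Symphony <no-reply-fakecorp@symphony.com>
To: ann@fakecorp.example
Subject: Set your Symphony password

"""

# Constructed sample: a look-alike from an unrelated host with no DKIM signature.
LOOKALIKE = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.fakecorp.example with ESMTP; Fri, 31 Aug 2018 09:05:00 +0000
Authentication-Results: mx.fakecorp.example; dkim=none; spf=fail
From: Symphony <no-reply-fakecorp@symph0ny.example>
To: ann@fakecorp.example
Subject: Set your Symphony password

"""

if __name__ == "__main__":
    print(check_symphony_mail(GENUINE, "fakecorp"))    # []
    print(check_symphony_mail(LOOKALIKE, "fakecorp"))  # ['from-address', 'source-ip', 'dkim']
```

Only the topmost `Received` header is trusted because it is the one your own gateway wrote; lower ones are supplied by the sender and can say anything. A mail that fails any of the three checks is the case to route to quarantine rather than to the user's inbox.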

Access to the CAPTCHA sign-of-life mechanism

We use the CAPTCHA mechanism to ensure a live person is using . Please allow access to: www.google.com/recaptcha

You can read more about configuring firewalls to support CAPTCHA at: https://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha


GETTING STARTED – LOGGING IN TO THE ADMIN PORTAL

UNDERSTANDING ACCOUNTS

There are two types of accounts: Service Accounts and End User Accounts. Service Accounts are used by service applications such as the Directory Bridge, Content Export Bridge and Bots developed using the Symphony SDK. End User accounts are for individuals.

Symphony provides a hierarchy of roles for provisioning, managing and supporting your service. We provide full details on role management in the Roles section. With the Admin account you can create users and other admins, activate and de-activate accounts and set the security and password policy for the organization. Please protect your Admin account. As your system grows, so too do the risks associated with your credentials falling into the wrong hands.

The Username field uniquely identifies each user in your pod and must be unique across all active or inactive user accounts. In addition, all users must have an email address, which must be unique across all active accounts in the pod. These rules apply to all accounts – including Admin accounts.

LOG IN TO THE ADMIN PORTAL

As we mentioned in the previous section, this version works on Chrome and IE11 – please launch your browser and then enter the URL identifying the admin portal for your Pod. The precise URL would have been communicated to you along with your account details.

If you are the first (i.e. root) admin, you can set your password by clicking on Forgot Password and entering the email address at which you received the email from Symphony Global Services. Once you have created your password, go back to the admin portal login page and enter your credentials.


At first you will be presented with the standard Symphony user interface:

Click the settings “gear” symbol located at the top right corner of the interface. The Settings options display as shown below:

Click on the Go to AC portal option located at the bottom of the General options tab.

TAKE A QUICK TOUR

You will now access the Admin portal. The left navigation bar shows the high-level features available in the admin portal:




Moving the mouse over the admin’s name (located on the top right corner) will display:

1. Help – a fully indexed version of this Admin Guide in electronic form.
2. Symphony – this is your personal end-user Symphony account.
3. Logout – Note that for security reasons, your account will be logged out automatically after ten minutes of inactivity.

USAGE STATISTICS

In order to see user activity, navigate to Usage Statistics in the left navigation panel (as shown below).

LARGE ROOM OPTIMIZATIONS

The creation of large rooms can create a high load on customer pods, because sending a single message to a large number of users requires simultaneous mass message distribution. For example, sending a single message to a 1000-member room requires 1000 messages to be distributed at exactly the same time. Over the course of the next few releases, Symphony will be improving the architecture and making a number of enhancements to reduce the impact of large rooms.


In v1.52 we are introducing a maximum room member limit based on a customer’s pod topology. This limit is dynamically applied to customer pods to ensure that room membership does not exceed the limit. When the limit is reached, no additional users can be added to the room. Existing members must be removed before new members can be added. This should not impact existing customers; the limits we are enforcing in v1.52 have been set above current large room usage. As a guide, the following limits will be applied:

Pod Size                            | Max Members per Room
Business Tier (<1K Users)           | 1,000
Small Enterprise (6-8K Users)       | 1,000
Medium Enterprise (6-15K Users)     | 5,000
Large Enterprise (10-25K Users)     | 7,500
Extra Large Enterprise (25K+ Users) | 15,000

In future releases we will introduce additional new large room handling features and improvements, including a new Auditorium Room feature.

AC PORTAL TWO-FACTOR AUTHENTICATION

Available as a pod-level entitlement, this feature provides two-factor authentication when users access the Admin and Compliance Portal (ACP). When enabled, all users with access to the ACP are presented with two-factor authentication when logging into the ACP with Symphony credentials (i.e. a Symphony password). Note that this applies to all types of roles that access the ACP, such as administrators, super administrators, compliance officers, super compliance officers and L1/L2 support. Administrators can view and modify the primary login phone number used for two-factor authentication. This setting only applies to ACP users. It does not apply to end users who are not ACP users: in other words, this setting will not force normal end users to use two-factor authentication.

Note: Two-factor authentication does not apply to service accounts.

To enable two-factor authentication for ACP users, follow the process below:

• Navigate to pod level entitlements
• Check “Enforce Two-Factor Authorization at Sign-In for ACP Users”
• Click Save



If the login phone number value does not exist, the ACP user will be prompted to enter the phone number when logging in for the first time.

If the user loses the phone or the phone number changes, the super-admin can change the existing login phone number as follows:

• Navigate to Browse Accounts
• Search for the user
• Under the User Information tab, input the new “Primary (Login) Phone”
• Click Save

Note: the “Primary (Login) Phone” field is only visible when the pod has enabled “Enforce Two-Factor Authorization at Sign-In for ACP Users”.



CREATE ANOTHER ADMIN ACCOUNT

You should immediately create another Super Admin account as a backup in case you were to lose the credentials you are currently using. This is important because Symphony is designed with strict compliance in mind – Symphony Global Services do NOT have admin privileges on your pod.

CREATING END USER ACCOUNTS

There are two ways to create accounts for end-users:

• Manually, using the CREATE AN ACCOUNT option
• Selecting BULK MANAGE ACCOUNTS to load a CSV file


Admin accounts cannot be created using the BULK MANAGE ACCOUNTS feature, so we’ll use the admin portal interface to create an admin account.

Note: When you create an end-user account either manually or via uploading a CSV file, the `firstName` and `lastName` attributes have a 64-character limit. All other attributes have a 256-character limit.

Click CREATE AN ACCOUNT on the left navigation menu. You will see the create new user form as shown below:

Things to notice:

1. Scroll down – There are actually two pages to this form, so you should scroll up and down to make sure you have the complete picture.
2. Username – This field is the username the user will log in with. If you intend to activate SSO, then your end-users’ company usernames should match their corporate SSO credentials (Kerberos for example).


SSO can’t be used by admins, but it’s worth being aware of this before you start creating standard end-users. The Username must be unique across all active and inactive user accounts in the pod.
3. Email: The email address is required and must be unique across all active accounts.
4. Regular User or Admin Account – Notice the table to the right where you can allocate multiple roles to special users. You can read more about ROLES in the section entitled Managing your Pod.
5. Password: Passwords must have at least 8 characters and three of the following:
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 special character

6. You should also be aware of your three options:
a. Email the user a link so they can set their own password – this is actually the simplest option and is selected in the screenshot above.
b. Have Symphony generate a password for you – you’ll then need to copy and communicate it to the user.
c. If you want the user to have a specific password, select manually set – again you’ll need to communicate this to your user (email, SMS etc.).

Notice the six required fields:

1. Username*
2. Display name*
3. Surname*
4. First name*
5. Email address*
6. Password*
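The account rules spread across this section (six required fields, the 64/256-character attribute limits, username uniqueness across active and inactive accounts, email uniqueness across active accounts only, and the 8-character / three-of-four-classes password policy) are easy to check before an account is created, whether manually or from a CSV file. The following is an added example of such a pre-flight check; it is not code from the Symphony guide or product. The dict keys (`username`, `displayName`, `firstName`, `lastName`, `emailAddress`, `password`), the case-insensitive comparison of usernames and addresses, and the sample directory of existing accounts are assumptions made for the example; `lastName` stands for the form's Surname field.

```python
"""Added example, not part of the Symphony guide: validate a new account
against the rules stated in the guide before it is created."""
import re

# The form's six required fields (lastName = the Surname field; key names are
# an assumption for this example).
REQUIRED_FIELDS = ("username", "displayName", "lastName", "firstName",
                   "emailAddress", "password")


def field_limit(name):
    """firstName and lastName are limited to 64 characters, all others to 256."""
    return 64 if name in ("firstName", "lastName") else 256


def password_ok(password):
    """At least 8 characters and at least three of the four character classes."""
    classes = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return len(password) >= 8 and sum(1 for c in classes if c) >= 3


def validate_account(new, existing):
    """Return the list of rule violations; an empty list means the account may be created.

    existing: accounts already in the pod, each with username, emailAddress and an
    'active' flag.  Usernames must be unique across active AND inactive accounts;
    email addresses only across active ones.  Comparisons are case-insensitive here,
    which is an assumption (the guide does not say) chosen as the stricter reading."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not new.get(name):
            problems.append(f"missing:{name}")
    for name, value in new.items():
        if name != "password" and isinstance(value, str) and len(value) > field_limit(name):
            problems.append(f"too-long:{name}")
    username = new.get("username", "").lower()
    if any(acct["username"].lower() == username for acct in existing):
        problems.append("username-taken")
    email = new.get("emailAddress", "").lower()
    if any(acct["active"] and acct["emailAddress"].lower() == email for acct in existing):
        problems.append("email-taken")
    if new.get("password") and not password_ok(new["password"]):
        problems.append("weak-password")
    return problems


# Constructed sample of accounts already in the pod: one active, one deactivated.
EXISTING_ACCOUNTS = [
    {"username": "john", "emailAddress": "john@fakecorp.example", "active": True},
    {"username": "old.bob", "emailAddress": "bob@fakecorp.example", "active": False},
]

# Constructed sample of the account an admin is about to create.
NEW_USER = {
    "username": "ann",
    "displayName": "Ann Lee",
    "firstName": "Ann",
    "lastName": "Lee",
    "emailAddress": "ann@fakecorp.example",
    "password": "Tr0mbone-2018",
}

if __name__ == "__main__":
    print(validate_account(NEW_USER, EXISTING_ACCOUNTS))  # []
```

Running the same check over every row of a CSV before uploading it turns a failed bulk job into a list of specific rows to fix; note that a deactivated account still reserves its username but releases its email address, which is why the two uniqueness checks differ.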

Note: Please contact your account manager to request activation of Symphony Meetings.

Note: Don’t forget to make sure you have set the user as active. Otherwise the account will be created in your Symphony pod but the user will not be able to log in. There may be occasions when you will want to do that in the future – but for now, we need an active admin account.

• Fill in all of the relevant organizational and location information (optional).

Then:

• Select the Admin checkbox and then select Super Administrator
• Scroll down and choose how the password will be created
• When you have entered all the information you need, click Save.

Notification of Account creation

Depending on what you selected, you’ll see one of the following:

1. Email Link:

2. Password set manually:


• If you entered an invalid password:

SET UP PASSWORD WITH EMAIL

• If you were successful and were using the email link method, then the user will receive the following email:

• When the user clicks the link, they will be prompted to type in a new password:

The same rules we mentioned earlier will be applied to passwords created in this way.

If you enter a password that satisfies the requirements, the new admin user will be prompted to log in:

Note: The username is the name you assigned when you created the account. Please make sure to communicate to the user what their username is.


FIRST TIME USER LOGIN — PRE-POPULATING THE USER’S IM CONTACTS AND FILTERS

When the user logs into the client for the first time, they will be presented with a list of contacts pre-populated from the choices you or other admins made when assigning users to departments and divisions. The user can select the contacts to add from this list and they will be added to their IM list in the left navigation panel. Similarly, a second screen will display pre-populated topic filters that are generated from the asset classes and industries that you selected for each user. They can select the specific topics that are of interest and these will be added to their FILTERS list in the left navigation panel.

REVIEWING YOUR NEW ACCOUNTS

You can use the BROWSE ACCOUNTS option to display the account you just created (“Ann”). Your own Admin account (“John” in our example) should also be shown in this list.

Click once on a name to edit or display that user’s details.

ACCOUNT AUDIT TRAIL


Audit trails are used to display a change history for a specific user. Select a user from the BROWSE ACCOUNTS option in the left nav and then select Audit Trail from the menu bar. The audit trail will display:

1. Date and timestamp of the event – in mm-dd-yy hh:mm format
2. Action
3. Attribute – if any
4. New value
5. Old value
6. Changed by

Filtering Interface for Audit Trail

To make it easier to find relevant information and events when displaying the audit trail you can use the three Filter options above the audit trail columns as shown in the screenshot below:

Select a date range using the date picker. Once you’re satisfied with the date range, and have selected Apply, you can hide the picker again by clicking the up arrow located next to the date range at the top of the picker.

You can then add additional filters based on the Action performed on this user’s account and the Admin that performed the action. We show a date filter combined with an Action filter in the screenshot below:
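The portal applies its three filters (date range, Action, and the admin who made the change) interactively; the same filtering is useful offline when the trail has been copied out for review. The following is an added example, not code from the Symphony guide, that parses rows in the six columns and the mm-dd-yy hh:mm timestamp format listed above and applies the same three optional filters. The tab-separated layout, the attribute and action names, and the sample rows are all constructed for the example.

```python
"""Added example, not part of the Symphony guide: filter an account audit
trail by date range, action and changing admin, as the portal's filter
bar does, over rows in the guide's six columns."""
from datetime import datetime

# Column order as listed in the guide: date/time, action, attribute,
# new value, old value, changed by.
AUDIT_FIELDS = ("timestamp", "action", "attribute", "newValue", "oldValue", "changedBy")


def parse_timestamp(text):
    """The guide's mm-dd-yy hh:mm format: two-digit year, 24-hour clock."""
    return datetime.strptime(text, "%m-%d-%y %H:%M")


def parse_trail(rows):
    """Turn tab-separated rows (a constructed layout) into dicts keyed by AUDIT_FIELDS."""
    records = []
    for line in rows.strip().splitlines():
        values = line.split("\t")
        records.append(dict(zip(AUDIT_FIELDS, values)))
    return records


def filter_trail(records, start=None, end=None, action=None, changed_by=None):
    """Apply any combination of the portal's three filters; None means 'no filter'."""
    selected = []
    for rec in records:
        ts = parse_timestamp(rec["timestamp"])
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if action is not None and rec["action"] != action:
            continue
        if changed_by is not None and rec["changedBy"] != changed_by:
            continue
        selected.append(rec)
    return selected


def changes_by_admin(records):
    """Count of entries per 'Changed by' value, a quick view of who touched the account."""
    counts = {}
    for rec in records:
        counts[rec["changedBy"]] = counts.get(rec["changedBy"], 0) + 1
    return counts


# Constructed sample trail for one account (attribute and action names are
# illustrative, not the portal's exact wording).
SAMPLE_TRAIL = """\
08-30-18 09:12\tAccount created\t\t\t\tjohn
08-30-18 09:15\tAttribute updated\trole\tSuper Administrator\tRegular User\tjohn
08-31-18 14:02\tPassword changed\t\t\t\tann
08-31-18 16:40\tAttribute updated\tdisplayName\tAnn Lee\tAnn\tann
"""

if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for rec in filter_trail(trail, action="Attribute updated", changed_by="john"):
        print(rec["timestamp"], rec["attribute"], rec["oldValue"], "->", rec["newValue"])
```

Combining a date range with `changed_by` is the practical use: it answers "what did this admin change on this account in that window", which is the question an access review or an incident timeline usually starts from.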



COMPLIANCE OFFICERS’ AUDIT TRAIL

Super Compliance Officers are now able to track all actions taken by compliance officers or super compliance officers during a session, including any user or room search performed during a session. For example, the list of actions performed during a session by compliance officer ‘ac_sco’ is shown in the sample below, as well as the details provided when looking up the search details for one of the searches in the list.

CONVERSATIONS

Admins can also display a complete list of a user’s conversations – IMs, Group IMs and Rooms. Symphony displays the Conversation name, the type (IM, Group IM or Room), the date the conversation was started, the last activity date (for the conversation rather than just this user) and the number of active members in the conversation.


Conversations can also be filtered by type (Room, IM and Group IM) and by creation date and last active date (see below):

CHANGING YOUR PASSWORD

Users can change their password themselves by clicking on the Forgot Password? link on the login page.

Note: Admins cannot use SSO to log in to the Admin Portal. They must always use a password.

LOGGING OUT OF THE ADMIN PORTAL

Some organizations may prefer their admins to always log out of the Admin Portal once they’ve completed the tasks they needed to do. To log out, click on the down arrow located at the top right-hand corner of the interface and then click Logout.

Next, we will look at how to manage your pod.

KEY MANAGEMENT INFRASTRUCTURE (ASSISTED INSTALLATION)

The use of Hardware Security Modules (HSMs) ensures the security and confidentiality of your data. These devices are installed on your premises or in a cloud service that you control. At no time are Symphony or its employees given access to these devices. Their role is to provide the master keys that generate the encryption keys used in each conversation and Chat Room. Specific HSMs have been selected and validated for use with your Symphony private pod. Other equipment may be selected in the future, but at this time only three options are available:

1. Symphony Software SM – designed primarily for user acceptance testing. Software SMs can be used to generate keys in a similar way to full HSMs. They are delivered as part of the Key Manager download from the Symphony Admin Portal and can be used on premises or in a customer-controlled virtual private cloud (VPC).

2. SafeNet Luna SA 7000 HSMs running on the customer premises

Feature | Symphony Software SM | Luna SA 7000 HSM
Hardware protection | No | Tampering will cause immediate deletion of keys
Network protection | No | Disconnection will cause immediate deletion of keys
Key Generation | Software-based | Hardware-based
HA Architecture | Requires external LB or DNS failover | Enabled through HSM Client software
Access Control | Password-based | PED-based
Platform Description | Software SM code runs on the Key Manager | FIPS 140-3 Luna SA 7000 Hardware
Commercialization | Included with the Key Manager download – no additional charge | Hardware purchase – indicative pricing has been provided in the HSM section of this guide

All these options combine with the Symphony Key Manager downloaded from the Admin Portal. The remainder of this section introduces the equipment required to implement the Symphony encryption architecture and describes how to install, configure and validate your equipment.

THE SYMPHONY PRIVATE POD ARCHITECTURE

A Private (Dedicated) Pod (DP) runs Symphony on Google Cloud Platform (GCP) or Amazon Web Services (AWS) in a dedicated virtual private cloud (VPC) connected to the company’s intranet via VPN or direct connection. It uses cloud-based resources (storage, computation, etc.) allocated exclusively to that customer. Single-Sign On (SSO) using SAML assertion is supported for authentication of users and LDAP sync is available for managing accounts and feature entitlement.

Communications between employees are encrypted in each client using keys generated by equipment owned and operated by the organization whose user is initiating the communication (HSMs and key managers), ensuring the security, privacy and compliance of all customer content.

Only encrypted data is stored in the customer’s private pod. Importantly, Symphony employees are unable to decrypt customer data as the keys are owned and operated by the customer and are never divulged to Symphony.

The private pod is administered by the customer using the admin portal which supports a hierarchy of administrative roles for managing user accounts, authentication, feature entitlement and content export.

Multiple formats are supported for integrating Symphony content export with corporate data retention systems. Additional compliance controls such as information barriers, disclaimers, keyword blocking and alerts will be made available through the compliance portal.


The diagram below provides a high-level summary of the private pod architecture:

[Figure 7 – Private Pod. Components shown: Private Pod (Persistent Data, Transaction Engine, Front-End); DC and VPN; Enterprise Premises (Native Desktop, Browser, Mobile, Content Export, Key Manager, HSM).]

Three primary components are involved in encrypting and decrypting customer content:

• Hardware Security Module (HSM) or Software SM: Controlled by the customer; responds to new key generation requests received from the Key Manager.

• Key Manager: Can be controlled by the customer; interfaces between the clients (on-premises) and the HSMs to request and then wrap encryption keys.

• Symphony Clients: Symphony clients are available for Windows, Chrome, IE11, iOS and Android. The clients obtain their keys by interacting either with the Wrapped Key Store located in the cloud or with the Key Manager.

Before installing Key Managers and HSMs, we need to explore the advantages of each deployment option.

SELECTING YOUR DEPLOYMENT OPTION

Please review each of the deployment options shown below to determine the appropriate one for your organization:

Option 1: Software SM and Key Manager Operating in the cloud

As shown in the diagram below, the Key Manager and Software SM are hosted in the cloud. This has the advantage of being the easiest deployment option, as Symphony will carry out the installation and configuration on behalf of the customer. However, Option 1 should be considered a temporary, less secure solution on the way to an on-premises HSM deployment.


[Diagram – Option 1. Private Pod (Key Store, Identity Store, Transaction Engine, Persistent Data) exchanging Request/Response with a Customer Controlled VPC hosting the Key Manager/Soft HSM instances; Enterprise Premises connected via DC and VPN, with Mobile Client, Symphony Desktop Client, Directory Bridge and Content Export Bridge.]

Option 2: Software SM and on-premises Key Manager

Option 2 is similar to Option 1, but this time the Software SM and Key Managers are installed on the customer premises. Notice that both applications are downloaded together from the Symphony Admin Portal and installed on the same server. Customers will typically deploy multiple Key Managers and Software SMs for resiliency.


[Diagram – Option 2. Private Pod (Key Store, Identity Store, Transaction Engine, Persistent Data) exchanging Request/Response over DC and VPN with Enterprise Premises, which host the Mobile Client, Symphony Desktop Client, Directory Bridge, Content Export Bridge and the Key Manager/Soft HSM instances.]

Option 3: HSM and on-premises Key Manager

In Option 3, the customer deploys SafeNet Luna SA 7000 HSMs as well as matching Key Managers. Symphony recommends deploying at least two HSMs for high availability. It is also advisable for customers to deploy a backup device for storing keys, as well as a PIN Entry Device (PED) or Remote PED. These are all available from SafeNet and we provide ordering information later in the document. This architecture provides the highest level of reliability and security.

[Diagram – Option 3. Private Pod (Key Store, Identity Store, Transaction Engine, Persistent Data) exchanging Request/Response over DC and VPN with Enterprise Premises, which host the Mobile Client, Symphony Desktop Client, Directory Bridge, Content Export Bridge, two Key Managers and two HSMs.]


Later in this document we describe how to order, install and configure the HSM as part of an Option 3 installation. First however we will focus on the Symphony Key Manager.

Load Balancers

Load balancers can be used to front-end multiple Key Managers and HSMs (hard or soft) in order to protect against a failure of any single system. Later in these instructions we will describe how the address or hostname of the Key Manager must be configured into the Symphony desktop clients using the admin portal. Note: if a load balancer is used, then the address configured in the Symphony Admin Portal should be that of the load balancer rather than the Key Manager servers themselves.

INSTALLING THE KEY MANAGER

This step is required for all customer-managed deployments. The Key Manager will be able to interact with both Software SMs and HSMs, so that keys can be migrated. For this reason the Software SM can be deployed as a first step towards HSM support. The first task is to install a host computer for the Key Manager and Software SM.

Install the host server for your Key Manager and Software SM

The Key Manager server should have the following characteristics:

• Memory: 6 GB should be made available to the Key Manager and Software SM. It is more likely to be CPU-bound than memory-bound (see note below).
• CPU cores: 4
• Disk: 250 GB
• Operating system: RHEL 6.5 or higher, or CentOS 7.1 (used in our example below)
• Privileges: root access is required to install the Symphony RPM
• JVM: Java 8 Standard Edition, Enterprise Edition – a Java development kit (JDK) is recommended – you should create an environment variable pointing to your JDK. Example: JAVA_HOME="/usr/java/jdk1.7.0_55/"
• Install the Unlimited Strength JCE extensions for the JDK or JRE
• Install the Java Cryptography Extension (JCE) from: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
• You will need to define your Key Manager domain name (or the domain name you intend to use) and communicate this to Symphony – please contact your account engineer or Symphony support. Sample: mykeymanager.com

  Add the following configuration details to your Tomcat startup for proper cookie domain assignment:

  -Dsession.cookie.domain=.pubmy.mykeymanager.com \
  -Daccess.control.allow.origin=symphony.com,mykeymanager.com \
  -Dhost.name=pubmy.mykeymanager.com \

• A Java tomcat.keystore file with passwords for the keystore. It should contain an RSA private key under the "tomcat" alias. Sample: keystorePassword=changeit, truststorePassword=changeit (changeit is the JDK default password; use your own values in production).

Add the following details to your Tomcat startup for proper key store configuration:

-Djavax.net.ssl.keyStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.keyStorePassword=password \

By default Java uses the $JAVA_HOME/jre/lib/security/cacerts truststore, but a custom one can be used, as shown in the Tomcat startup file below:

-Djavax.net.ssl.trustStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.trustStorePassword=password \

Software SM mode settings

Symphony application layer cryptography requires the Key Manager to use the appropriate keys. These keys are used to encrypt and decrypt all user-generated content for end-to-end encryption. When the Key Manager starts, it registers fingerprints of these keys with the pod. On successful registration, the Key Manager begins operations. If the registration is not successful, this indicates that the keys are inconsistent with previously registered keys, and the Key Manager will not start, in order to protect the integrity of the existing cryptography.

"mode": "SoftHSM",
"keystorePassword": "Xmp9mcupFNw6QGcKdbn2WEudAq4CwD",
"keystoreName": "hsm.jck",

mode signifies Soft HSM or Luna HSM. keystorePassword is the password on the Soft HSM keystore file. keystoreName is a relative Java resource path to the keystore file.

General KM configuration. Get the following from the ES/Security team (it will be available on the admin page later):

• Symphony pod base URL. Sample: qa3.symphony.com

"applicationurl": "https://qa3.symphony.com/client/index.html",
"baseurl": "https://qa3.symphony.com",
"loginbaseurl": "https://qa3.symphony.com",

• Key Manager shared secret key (you can get it from the admin page). Sample:

"secret": "RAr67in5QhTWAS7q98PfdeVE/xLGboCo3g/+iLQ5gvY="

• Key Manager entity key. Sample:

"entityKey": "kxHpEh3ddcjNrxOXpuSbR5fvNUh8yl21/mmS5WSyzMs="

• Key Manager session encryption key and settings:

"enablekeymanagersession": "true",
"sessionencryptionkey": "kxHpEh3ddcjNrxOXpuSbR5fvNUh8yl21/mmS5WSyzMs="

Network connectivity requirements

The Key Manager must be accessible by all Symphony clients in your pod. All Key Managers must also have access to the Symphony cloud.

Download the KeyManager RPM file

We package the Key Manager RPMs in a *.zip file, on-prem-keymanager-0.11.2.zip, which includes:

• wenger.tar.gz
• symphony-external-relay-centos65-0.11.2-22.x86_64.rpm
• symphony-external-relay-centos70-0.11.2-22.x86_64.rpm
• tomcat-8.0.24-13.x86_64.rpm

That is, two versions of the Key Manager RPM (one for RHEL 6.0 - 6.9 and one for RHEL 7.0+), the latest version of Tomcat we support, and an internal services tool called "Wenger" needed to bootstrap keys in the HSM.

Select DOWNLOAD option located in the left navigation pane of the Symphony Admin Portal and download the Key Manager file.

Once the Key Manager has been downloaded, we can begin the installation. Note: the RPMs are signed. Download Symphony’s public signing key from https://resources.symphony.com/SYMPHONY-GPG-KEY.public and save it to a local path, then run the following command to import it into RPM’s key database:

$:> sudo rpm --import /path/SYMPHONY-GPG-KEY.public

Installing the Java Cryptography Extension (JCE)

Go to http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, accept the license agreement, and download and install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7” (UnlimitedJCEPolicyJDK7.zip).

If your installation fails, the Key Manager or Wenger script will report this error:

java.security.InvalidKeyException: Illegal key size

This error may be caused by a different version of Java being used than the one you installed the policy files into, by permissions on the installed policy files that prohibit their use, or by other configuration errors.

Running the RPM Installation

Install the Tomcat and Key Manager RPMs that were downloaded:

$:> sudo rpm -i tomcat-7.0.61-9.x86_64.rpm
$:> sudo rpm -i keymanager-centos65-0.7.0-49.x86_64.rpm

Create a new directory for the Wenger installation and extract the Wenger archive, wenger.tar.gz, into it:

$:> mkdir wenger
$:> tar -xzvf wenger.tar.gz -C wenger

Configuring Certificates

Configure Tomcat to use https with a valid certificate.

Bootstrapping the Software SM and HSM Keys

Depending on whether you’re configuring a Software SM or a full HSM, you will use different steps to bootstrap the encryption keys. Please ensure you are using the instructions that relate to your installation.

Software SM JSON file

Please skip this step if Symphony is already managing your Software SM in the Symphony cloud service. Please contact Symphony global services to arrange the transfer of your Software SM and related configuration files. Navigate to the $Wenger/conf directory. Here you should create a new JSON file and name it keymanager_conf.json. You can do this using the following command:

$:> vim keymanager_conf.json

To bootstrap a Software SM you should have the following set of values. Insert the following piece of code into the newly created JSON file:

{
  "relay": {
    "mode": "SoftHSM",
    "keystorePassword": "soft_hsm_password",
    "keystoreName": "mysoft_HSM_keystore.jck",
    "account": "keymanager",
    "secret": "keymanager_shared_secret_key",
    "storagePassword": "session_storage_password",
    "secureDir": "/data/tomcat/secure/",
    "entityKey": "entity_key"
  },
  "companyurls": {
    "applicationurl": "https://.symphony.com/client/index.html",
    "baseurl": "https://.symphony.com",
    "loginbaseurl": "https://.symphony.com",
    "keymanagerurl": "https://.symphony.com/relay"
  },
  "ssoconfig": {
    "idp.entityid": "http://sso-.symphony.com/adfs/services/trust",
    "sp.entityid": "https://.symphony.com",
    "idp.ssoendpoint": "https://sso-.symphony.com/adfs/ls",
    "sp.acsurl": "https://.symphony.com/relay/sso/acs",
    "idp.signingcertificate": "sso-.symphony.com.cer",
    "ssoenabled": "false"
  },
  "sessionmanagement": {
    "disableSkeyauthentication": "false",
    "sessionencryptionkey": "session_encryption_key"
  }
}

Special Notes:

• The Tomcat process that is running the Key Manager needs read and write access to secureDir.

• The keystoreName path is relative to the Java resource path. secureDir is a canonical (absolute) path, i.e. not relative to the Java resource path.

• The following URLs should point to your Symphony cloud instance: applicationurl, baseurl, and loginbaseurl.

• The keymanagerurl should point to your Key Manager URL.

• The following keys are 32-byte base 64 encoded keys: secret, entityKey, and sessionencryptionkey.

• For customers looking to participate in cross-pod (cross-company) real-time $cashtag and #hashtag signals, please contact Symphony Global Services to get the “shared cross pod entity” key. Additionally, customers will need support from Symphony Global Services to apply the new key to their local Key Manager configurations.

Safenet LUNA hardware HSM – Partition Requirements and Size

When configuring your HSM, you should plan a partition size to store the encryption (master) keys as well as the keys used for signing and authenticating data. Assuming you intend to implement monthly key rotation (in the future) you will need to create a partition size to accommodate the following:

• 7 years of monthly master encryption keys = 84 AES256 keys
• 7 years of monthly management encryption keys = 84 AES256 keys
• 2 RSA-2048 keys for signing operations
• 2 RSA-2048 keys for authentication operations
• 10 RSA keys for future use
• 10 certificates for future use

Safenet LUNA hardware HSM – Partition Policies

Normally you would now allow partition activation and allow auto activation:

lunash:> partition changePolicy -par -policy -value <1 or 0>
lunash:> par changePo -par -po 22 -v 1
lunash:> par changePo -par -po 23 -v 1

(Policy code 22 is activation and 23 is auto-activation; see the Code column in the table of changeable policies below.)

The following partition policies can never be changed.

Description | Value
Enable private key cloning | Allowed
Enable private key wrapping | Disallowed
Enable private key unwrapping | Allowed
Enable private key masking | Disallowed
Enable secret key cloning | Allowed
Enable secret key wrapping | Allowed
Enable secret key unwrapping | Allowed
Enable secret key masking | Disallowed
Enable multipurpose keys | Allowed
Enable changing key attributes | Allowed
Enable PED use without challenge | Allowed
Allow failed challenge responses | Allowed
Enable operation without RSA blinding | Allowed
Enable signing with non-local keys | Allowed
Enable raw RSA operations | Allowed
Max failed user logins allowed | 10
Enable high availability recovery | Allowed
Enable activation | Allowed
Enable auto-activation | Allowed
Minimum pin length (inverted: 255 - min) | 248
Maximum pin length | 255
Enable Key Management Functions | Allowed
Enable RSA signing without confirmation | Allowed
Enable Remote Authentication | Allowed
Enable private key unmasking | Allowed
Enable secret key unmasking | Allowed

The following policies may be changed by the HSM Administrator.

Description | Value | Code
Allow private key cloning | On | 0
Allow private key unwrapping | On | 2
Allow secret key cloning | On | 4
Allow secret key wrapping | On | 5
Allow secret key unwrapping | On | 6
Allow multipurpose keys | On | 10
Allow changing key attributes | On | 11
Ignore failed challenge responses | Off | 15
Operate without RSA blinding | Off | 16
Allow signing with non-local keys | On | 17
Allow raw RSA operations | On | 18
Max failed user logins allowed | 10 | 20
Allow high availability recovery | On | 21
Allow activation | On | 22
Allow auto-activation | On | 23
Minimum pin length (inverted: 255 – min) | 248 | 25
Maximum pin length | 255 | 26
Allow Key Management Functions | On | 28
Perform RSA signing without confirmation | On | 29
Allow Remote Authentication | On | 30
Allow private key unmasking | Off | 31
Allow secret key unmasking | Off | 32

Safenet LUNA hardware HSM – JSON File

Ensure that the Luna HSM has been configured before beginning the bootstrapping process for the Luna HSM. Also ensure that the HSM client (installed on the Key Manager) has been configured, using the “vtl verify” command. Ensure that the HSM firmware and client versions are supported with your version of the Key Manager; check the section titled “Luna SA 7000 firmware versions.” Finally, ensure that the Wenger tool is installed on the Key Manager server.

Navigate to the $Wenger/conf directory. Here you should create a new JSON file and name it keymanager_conf.json. You can do this using the following command:

$:> vim keymanager_conf.json

Insert the following piece of code into the newly created JSON file.

{
  "relay": {
    "mode": "HSM",
    "partitionName": "partition_name_for_luna_hsm",
    "partition_name_for_luna_hsm": "partition_password_for_luna_hsm",
    "account": "keymanager",
    "secret": "keymanager_shared_secret_key",
    "storagePassword": "session_storage_password",
    "secureDir": "/data/tomcat/secure/",
    "entityKey": "entity_key"
  },
  "companyurls": {
    "applicationurl": "https://.symphony.com/client/index.html",
    "baseurl": "https://.symphony.com",
    "loginbaseurl": "https://.symphony.com",
    "keymanagerurl": "https://.symphony.com/relay"
  },
  "ssoconfig": {
    "idp.entityid": "http://sso-.symphony.com/adfs/services/trust",
    "sp.entityid": "https://.symphony.com",
    "idp.ssoendpoint": "https://sso-.symphony.com/adfs/ls",
    "sp.acsurl": "https://localhost.symphony.com:8443/relay/sso/acs",
    "idp.signingcertificate": "sso-.symphony.com.cer",
    "ssoenabled": "false"
  },
  "sessionmanagement": {
    "disableSkeyauthentication": "false",
    "sessionencryptionkey": "session_encryption_key"
  }
}

Special Notes:

• The Tomcat process that is running the Key Manager needs read and write access to secureDir.

• The keystoreName path is relative to the Java resource path. secureDir is a canonical (absolute) path, i.e. not relative to the Java resource path.

• The following URLs should point to your Symphony cloud instance: applicationurl, baseurl, and loginbaseurl.

• The keymanagerurl should point to your Key Manager URL.

• The following keys are 32-byte base 64 encoded keys: secret, entityKey, and sessionencryptionkey.

• For customers looking to participate in cross-pod (cross-company) real-time $cashtag and #hashtag signals, please contact Symphony Global Services to get the “shared cross pod entity” key. Additionally, customers will need support from Symphony Global Services to apply the new key to their local Key Manager configurations.
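The rules in the Special Notes above (for both the Software SM and the Luna HSM JSON files) and the field descriptions under Software SM mode settings can be checked mechanically before Wenger is run against the file. The following Python script is an added example, not Symphony's tooling: the template it checks is constructed from the guide's samples, and the hostnames pod.example.symphony.com and keymanager.example.com are assumed example values.

```python
"""Pre-flight checks for a Key Manager keymanager_conf.json (added example, not Symphony tooling).
Encodes the rules the guide states and flags left-over template placeholders."""
import base64
import binascii
import copy
import os
import secrets
from urllib.parse import urlparse

VALID_MODES = {"SoftHSM", "HSM"}
# (section, key) pairs that the guide says must be 32-byte base64 encoded keys.
KEY_FIELDS = (("relay", "secret"), ("relay", "entityKey"), ("sessionmanagement", "sessionencryptionkey"))
URL_FIELDS = ("applicationurl", "baseurl", "loginbaseurl", "keymanagerurl")

# Constructed template mirroring the guide's samples, placeholder values included.
TEMPLATE_CONF = {
    "relay": {
        "mode": "SoftHSM",
        "keystorePassword": "soft_hsm_password",
        "keystoreName": "mysoft_HSM_keystore.jck",
        "secret": "keymanager_shared_secret_key",
        "secureDir": "/data/tomcat/secure/",
        "entityKey": "entity_key",
    },
    "companyurls": {
        "applicationurl": "https://.symphony.com/client/index.html",
        "baseurl": "https://.symphony.com",
        "loginbaseurl": "https://.symphony.com",
        "keymanagerurl": "https://.symphony.com/relay",
    },
    "sessionmanagement": {
        " disableSkeyauthentication": "false",  # stray leading space, as in one guide sample
        "sessionencryptionkey": "session_encryption_key",
    },
}

def new_key():
    """Generate a fresh 32-byte key in the base64 form the configuration expects."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")

def is_32_byte_b64(value):
    """True only if value is strict base64 text that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, TypeError, ValueError):
        return False
    return len(raw) == 32

def url_problem(url):
    """Describe what is wrong with a configured URL, or return None if it looks usable."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return "scheme is %r, expected https" % parts.scheme
    host = parts.hostname or ""
    if not host or host.startswith(".") or ".." in host:
        return "hostname %r is empty or still a placeholder" % host
    return None

def check_config(conf):
    """Return a list of findings; an empty list means the configuration passed."""
    findings = []
    relay = conf.get("relay", {})
    mode = relay.get("mode")
    if mode not in VALID_MODES:
        findings.append("relay.mode %r is not one of %s" % (mode, sorted(VALID_MODES)))
    for section, name in KEY_FIELDS:
        if not is_32_byte_b64(conf.get(section, {}).get(name, "")):
            findings.append("%s.%s is not a 32-byte base64 key" % (section, name))
    if not os.path.isabs(relay.get("secureDir", "")):
        findings.append("relay.secureDir must be an absolute (canonical) path")
    if mode == "SoftHSM":
        keystore = relay.get("keystoreName", "")
        if not keystore or os.path.isabs(keystore):
            findings.append("relay.keystoreName must be relative to the Java resource path")
    elif mode == "HSM":
        # The guide stores the partition password under a key named after the partition.
        partition = relay.get("partitionName", "")
        if not partition:
            findings.append("relay.partitionName is missing")
        elif not relay.get(partition):
            findings.append("no partition password stored under the key %r" % partition)
    # A mis-typed key name is silently ignored by the consumer, so flag stray whitespace.
    for section, values in conf.items():
        for key in (values if isinstance(values, dict) else {}):
            if key != key.strip():
                findings.append("%s contains a key with stray whitespace: %r" % (section, key))
    for name in URL_FIELDS:
        problem = url_problem(conf.get("companyurls", {}).get(name, ""))
        if problem:
            findings.append("companyurls.%s: %s" % (name, problem))
    return findings

def filled_config():
    """Template with real keys and constructed example hostnames; should pass check_config."""
    conf = copy.deepcopy(TEMPLATE_CONF)
    conf["relay"]["secret"] = new_key()
    conf["relay"]["entityKey"] = new_key()
    conf["sessionmanagement"] = {"disableSkeyauthentication": "false", "sessionencryptionkey": new_key()}
    conf["companyurls"] = {n: u.replace("://.", "://pod.example.") for n, u in conf["companyurls"].items()}
    conf["companyurls"]["keymanagerurl"] = "https://keymanager.example.com/relay"
    return conf
```

Run check_config on the JSON you are about to hand to Wenger; the template straight from the guide yields eight findings, while filled_config() shows what a passing file looks like.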

Bootstrapping your Keys

Assuming you have configured the keymanager_conf.json file correctly for your installation, you can now edit the $WENGER/conf/ServiceConfigurationClient.properties file. To configure Wenger to work with a local file, input the following code snippet:

#Backend configuration data storage, e.g. ZooKeeper, Memory, File
#ConfigSource=ZooKeeper
ConfigSource=File
FileConfigSourceLocation=$WENGER/conf/keymanager_config.json

The file name in FileConfigSourceLocation must match the name of the JSON file you created in the previous step.

Migrating keys from a SoftSM to an HSM

Often customers will have operated a preliminary Soft Security Module (SSM) prior to installing their Luna SA 7000 Hardware Security Module (HSM). If this is the case, the SSM would have been running on the same server as the Key Manager and this may have been either on-premises or in the cloud. In either case, keys generated during the SSM phase must be migrated to the HSM.

First, make sure that you have your SSM *.jck file in the classpath of Wenger ($WENGER/conf for example), and that your configuration contains the necessary path locations to access the SSM and a partition on your Luna appliance.

Prerequisite: Please check that the HSM client was installed and configured correctly using the HSM vtl verify command on the HSM client. Note that the vtl command should be run on the same server that will host the Key Manager and the Wenger utility. A successful vtl verify will display the partition name for the Symphony Key Manager. In the example below, the partition for the Key Manager is hapg-8f56e43a_472949.

centos@Dev8 - HSMControl2:~ $ vtl verify
The following Luna SA Slots/Partitions were found:
Slot  Serial #   Label
====  =========  ====================
1     472949007  hapg-8f56e43a_472949

Step 1: Configure Wenger.sh if this was not done previously

$> mkdir $WENGER
$> tar -xvzf wenger.tar.gz -C ./$WENGER
$> cd ./$WENGER

Step 2: Validate that the HSM client was set up correctly and that the HSM has the correct partitions

$> cmu list
Select token
[1] Token Label: hapg-8f56e43a_472949
[2] Token Label: ha-mk2015-1
Enter choice: 1
Please enter password for token in slot 1 : ******************************

At this point, the partition should be empty.

Step 3: Add your SSM file -hsm.jck to the Wenger classpath:

$> cp -hsm.jck $WENGER/conf/

Step 4: Validate the Wenger config keymanager_config.json

$> vi $WENGER/config/keymanager_config.json
{
  "relay": {
    "mode": "HSM",
    "keystorePassword": "soft_hsm_password",
    "keystoreName": "-hsm.jck",
    "partitionName": "partition_name_for_luna_hsm",
    "partition_name_for_luna_hsm": "partition_password_for_luna_hsm",
    "account": "keymanager",
    "secret": "keymanager_shared_secret_key",
    "storagePassword": "session_storage_password",
    "secureDir": "/data/tomcat/secure/",
    "entityKey": "entity_key"
  }
  ...

Step 5: Validate the ServiceConfigurationClient.properties file

$> vi $WENGER/config/ServiceConfigurationClient.properties
#Backend configuration data storage, e.g. ZooKeeper, Memory, File
ConfigSource=File
ServiceBasePath=Symphony/ServiceConfiguration
#File config
FileConfigSourceLocation=/$WENGER/conf/keymanager_config.json

Step 6: Migrate keys from the SSM to the HSM

$> $WENGER/sbin/wenger.sh soft-to-luna

Step 7: Validate the installation using the Certificate Management Unit (CMU) commands on your HSM

$> cmu list
Select token
[1] Token Label: hapg-8f56e43a_472949
[2] Token Label: ha-mk2015-1
Enter choice: 1
Please enter password for token in slot 1: ******************************
handle=20 label=mgmtRSA.key
handle=24 label=mk-0
handle=48 label=mgmtAES
handle=49 label=mgmtRSA.cert

Step 7.1 Application layer validation: Use the “Verify Key” functionality of the Wenger utility to validate the migration works at the application layer.

$> $WENGER/sbin/wenger.sh verify-key

Note: Depending upon the number of users and rooms in your pod, this may take some time to verify the application layer cryptography.

Step 8: Switch the Key Manager to HSM mode

KM config files are similar to Wenger config files and can be found in the /data/tomcat/config folder. Change the Key Manager mode from SoftHSM to HSM and add the partitionName and partition credentials there.

$> vi /data/tomcat/config/keymanager_config.json
{
  "relay": {
    "mode": "SoftHSM",      =>  "mode": "HSM",
    "partitionName": "partition_name_for_luna_hsm_only",
    "ha-mk2015-1": "partition_password_for_luna_hsm_only",

Step 9: Restart the Key Manager.

Step 10: Verify that you can now see historical room content. The KM will use the HSM for all future keys rather than the SSM.

Tomcat and KeyManager Configuration

Some organizations may prefer to use an internally approved version of Tomcat. This option will be supported in a future release, and customers should work closely with Symphony Global Services to ensure that the internally approved version is compatible with the Key Manager. Warning: It is NOT currently possible to share Tomcat containers with other Symphony applications such as the Content Export Bridge.

Tomcat configuration

Next, configure the “environment.sh” file. Navigate to /data/tomcat/config/environment.sh and set up the ports, domain names and number of threads. In the example below, substitute your own domain where you see “mykeymanager” in the URLs.

#!/usr/bin/env bash

DATA_BASE="/data/tomcat/"
CATALINA_BASE="/opt/tomcat/"
JAVA_HOME="/usr/java/jdk1.7.0_55/"
CATALINA_OPTS="-server -Xms5048m -Xmx5048m -XX:MaxPermSize=256m \
-Djava.util.logging.config.file=$DATA_BASE/config/logging.properties \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.endorsed.dirs=$CATALINA_BASE/endorsed \
-classpath $CATALINA_BASE/bin/bootstrap.jar:$CATALINA_BASE/bin/tomcat-juli.jar \
-Dcatalina.base=$CATALINA_BASE \
-Dcatalina.home=$CATALINA_BASE \
-Djava.io.tmpdir=$CATALINA_BASE/temp \
-Dsession.cookie.domain=.pubmy.mykeymanager.com \
-Daccess.control.allow.origin=symphony.com,mykeymanager.com \
-Djava.library.path=$CATALINA_BASE/native/ \
-Djavax.net.ssl.keyStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=$DATA_BASE/certs/tomcat.keystore \
-Djavax.net.ssl.trustStorePassword=password \
-Dserver.port=8443 \
-Dajp.port=8009 \
-Dserver.command.port=8005 \
-Ddisable.ib=true \
-Dhost.name=host.domain.com \
-Dmax.threads=3000"
PATH=$JAVA_HOME/bin:$JAVA_HOME/jre:$PATH

If using a proxy to access the Key Manager, then the following line should be added to /data/tomcat/config/environment.sh, with the host replaced by the domain name of your proxy:

-Dproxy.uri=http://proxy..com:8080

Next configure your Tomcat KeyManager. Please use one of the two sections below – either for Software SM or Luna SA HSM.

Tomcat KeyManager Configuration

Please configure the Tomcat Key Manager in the same way as the Wenger utility, described above. You can do this by copying the keymanager_config.json and ServiceConfigurationClient.properties files from the Wenger utility to the /data/tomcat/config folder.

Starting and Stopping the Tomcat service

First ensure that the user running the Tomcat service has full read/write access to the folders where Tomcat and the Key Manager were installed.

To start the Tomcat service, use the following command:

$:> sudo service tomcat start

To stop the Tomcat service, use the following command:

$:> sudo service tomcat stop

If you have a High Availability cluster, repeat the set-up process on each server in the cluster. In Soft SM configuration mode, use the same *.jck file across all components to ensure Key Manager compatibility.

Verification of Logs

Check the logs that are generated using the following commands:

$:> tail -f /data/tomcat/logs/livecurrent.log
$:> tail -f /data/tomcat/logs/catalina.YYYY-MM-DD.log
$:> tail -f /data/tomcat/logs/error-livecurrent.log

Installation Verification

Once you’ve completed your Key Manager and Software SM configuration, you can run

$:> curl https://KeymanagerURL/relay/HealthCheck

and you should expect a 200 OK response.

Functional Validation

To validate a Key Manager and Software SM combination, log into your Symphony account. Post a message and check that the message is redisplayed in unencrypted clear text. If this is the case then the Key Manager is doing its job correctly. Repeat these steps and exchange messages between clients. If your messages are being displayed correctly then your Key Manager was installed successfully.

Luna SA 7000 firmware versions

The following versions of security modules are supported:

HSM                HSM firmware version   HSM client version   Key Manager version                   Qualified & supported?
Luna SA 7000 HSM   6.2.1                  5.3.5-1 / 5.4.5      All Key Manager versions              Yes
Luna SA 7000 HSM   6.10.9                 5.3.5-1 / 5.4.5      Key Manager 1.45.15 and higher        Yes
Luna SA 7000 HSM   6.24.5                 6.2.2                Key Manager 1.45.15 and higher        Yes

Other versions of HSM firmware, HSM client, and Key Manager have not been tested and are not supported.

If you are using a High Availability partition for the Luna HSM, please note that the client must be “HAOnly” enabled, which you can set with the following vtl command:

#vtl haAdmin HAOnly -enable

Next set retry to -1 (infinite). This means the Key Manager will attempt to connect to the HSM every 60 seconds indefinitely in the event of a connectivity failure. Setting the value for retry to -1 (infinity) allows the disconnected HSM to rejoin at any time.

#vtl haAdmin autoRecovery -retry -1 -interval 60

To verify that the HA group has been successfully created, run the following command:

#vtl haAdmin show

You will see the following screenshot. Ensure that HA Auto recovery is enabled and that every member of the HA availability group is alive.


Installation Verification

Use the “Verify Key” functionality of the Wenger utility to validate that the migration works at the application layer.

$> $WENGER/sbin/wenger.sh verify-key

Note: Depending upon the number of users and rooms in your pod, this may take some time to verify the application layer cryptography.

Conclusion

At this point your Key Manager, together with either a Software SM or an HSM (preferably in a high availability group), has been successfully installed. It is now time to go live with your infrastructure. This requires an address change by Symphony. Please work with Symphony Global Services to cut over to your infrastructure. You will need to provide the URL of your Key Manager to Symphony Global Services. Once this is completed, all your content will be encrypted using keys based on the infrastructure installed above. This infrastructure is controlled by you and should be managed with the same diligence as other mission-critical services.

Migrating keys from a SoftSM to an HSM

A script is available for customers seeking to migrate keys and corresponding historical content from a Pod supported by a Software Security Module (SSM) to one supported by a Luna SA 7000 Hardware Security Module (HSM).

First, make sure that you have your SSM *.jck file in the classpath of Wenger ($WENGER/conf for example), and that your configuration contains the necessary path locations to access the SSM and a partition on your Luna appliance. You also need read and write permission to the SSM .jck file.

Step 1: Configure Wenger.sh if this was not done previously

$> mkdir $WENGER
$> tar -xvzf wenger.tar.gz -C ./$WENGER
$> cd ./$WENGER

Step 2: Validate that the HSM client was set up correctly and that the HSM has the correct partitions

$> cmu list
Select token
 [1] Token Label: hapg-8f56e43a_472949
 [2] Token Label: ha-mk2015-1
Enter choice: 1
Please enter password for token in slot 1 : ******************************

At this point, the partition should be empty.

Step 3: Add your SSM file -hsm.jck to the Wenger classpath:

$> cp -hsm.jck $WENGER/conf/

Step 4: Validate the Wenger config keymanager_config.json

$> vi $WENGER/config/keymanager_config.json
{
  "relay": {
    "mode": "HSM",
    "keystorePassword": "soft_hsm_password",
    "keystoreName": "-hsm.jck",
    "partitionName": "partition_name_for_luna_hsm_only",
    "partition_name_for_luna_hsm_only": "partition_password_for_luna_hsm_only",
    "account": "keymanager",
    "secret": "keymanager_shared_secret_key",
    "storagePassword": "session_storage_password",
    "secureDir": "/data/tomcat/secure/",
    "entityKey": "entity_key"
  }
  ...

Step 5: Validate the ServiceConfigurationClient.properties file

$> vi $WENGER/config/ServiceConfigurationClient.properties
#Backend configuration data storage, e.g. ZooKeeper, Memory, File
ConfigSource=File
ServiceBasePath=Symphony/ServiceConfiguration
#File config
FileConfigSourceLocation=/$WENGER/conf/keymanager_config.json

Step 6: Migrate keys from the SSM to the HSM

$> $WENGER/sbin/wenger.sh soft-to-luna

Step 7: Validate the installation using the Certificate Management Unit (CMU) commands on your HSM

$> cmu list
Select token
 [1] Token Label: hapg-8f56e43a_472949
 [2] Token Label: ha-mk2015-1
Enter choice: 1
Please enter password for token in slot 1 : ******************************
handle=20 label=mgmtRSA.key
handle=24 label=mk-0
handle=48 label=mgmtAES
handle=49 label=mgmtRSA.cert

Step 7.5: Verify the key-fingerprints after the key transfer

$> $WENGER/sbin/wenger.sh key-fingerprints

Step 8: Switch the Key Manager to HSM mode, to start using the keys in the HSM

The KM config files are similar to the Wenger config files and can be found in the /data/tomcat/config folder. Change the Key Manager mode from SoftHSM to HSM and add the partitionName and the partition credentials there.

$> vi /data/tomcat/config/keymanager_config.json
{
  "relay": {
    "mode": "SoftHSM",   =>   "mode": "HSM",
    "partitionName": "partition_name_for_luna_hsm_only",
    "partition_name_for_luna_hsm_only": "partition_password_for_luna_hsm_only",
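The consistency check an operator would want before restarting, as an added example that is not part of this guide or of Symphony's tooling: it inspects a keymanager_config.json shaped like the files in Steps 4 and 8, reports the fields the declared mode requires, and applies the Step 8 edit in code so the partition entries cannot be mistyped. Every value is a placeholder and the function names are assumptions.

```python
"""Added example, not Symphony's own tooling: sanity-check a keymanager_config.json
against the layout shown in Steps 4 and 8, and apply the Step 8 edit (SoftHSM -> HSM)
programmatically. Secrets are written back owner-readable only."""
import copy
import json
import os
import stat

# Constructed sample shaped like the Step 4 file on this page; every value is a placeholder.
SOFT_CONFIG = {
    "relay": {
        "mode": "SoftHSM",
        "keystorePassword": "soft_hsm_password",
        "keystoreName": "-hsm.jck",
        "account": "keymanager",
        "secret": "keymanager_shared_secret_key",
        "storagePassword": "session_storage_password",
        "secureDir": "/data/tomcat/secure/",
        "entityKey": "entity_key",
    }
}

REQUIRED_ALWAYS = ("mode", "account", "secret", "storagePassword", "secureDir", "entityKey")


def find_problems(config):
    """Return a list of problems found in the relay section; an empty list means the
    section is consistent with the mode it declares.

    In HSM mode the page stores the partition password under a key whose *name* is the
    partition name ("partitionName": "p", "p": "<password>"), so both the pointer and
    the entry it points at are checked.
    """
    relay = config.get("relay")
    if not isinstance(relay, dict):
        return ["missing 'relay' object"]
    problems = [f"missing or empty '{k}'" for k in REQUIRED_ALWAYS if not relay.get(k)]
    mode = relay.get("mode")
    if mode not in ("SoftHSM", "HSM"):
        problems.append(f"unknown mode {mode!r}; expected 'SoftHSM' or 'HSM'")
    keystore = relay.get("keystoreName")
    if mode == "SoftHSM" and not keystore:
        problems.append("SoftHSM mode needs 'keystoreName' (the *.jck file)")
    if keystore and not keystore.endswith(".jck"):
        problems.append(f"keystoreName {keystore!r} is not a .jck file")
    if keystore and not relay.get("keystorePassword"):
        problems.append("'keystoreName' is set but 'keystorePassword' is empty")
    if mode == "HSM":
        partition = relay.get("partitionName")
        if not partition:
            problems.append("HSM mode needs 'partitionName'")
        elif not relay.get(partition):
            problems.append(f"no partition password entry keyed by {partition!r}")
    secure_dir = relay.get("secureDir", "")
    if secure_dir and not os.path.isabs(secure_dir):
        problems.append(f"secureDir {secure_dir!r} should be an absolute path")
    return problems


def switch_to_hsm(config, partition_name, partition_password):
    """Return a copy of config with the Step 8 edit applied; the input is left untouched."""
    if not partition_name or not partition_password:
        raise ValueError("partition name and password are both required for HSM mode")
    new_config = copy.deepcopy(config)
    relay = new_config["relay"]
    relay["mode"] = "HSM"
    relay["partitionName"] = partition_name
    relay[partition_name] = partition_password
    return new_config


def save_config(path, config):
    """Write the file readable by its owner only: it holds keystore and partition secrets.
    Returns the permission bits actually applied to the new file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print("SoftHSM config problems:", find_problems(SOFT_CONFIG))
    hsm = switch_to_hsm(SOFT_CONFIG, "partition_name_for_luna_hsm_only",
                        "partition_password_for_luna_hsm_only")
    print("HSM config problems:", find_problems(hsm))
    half_done = copy.deepcopy(SOFT_CONFIG)
    half_done["relay"]["mode"] = "HSM"  # mode flipped but the partition entries were forgotten
    print("Half-finished edit:", find_problems(half_done))
```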

Step 9: Restart the Key Manager

Restart the Key Manager. Verify you can now see historical room content using your own account. The KM will use the HSM for all future keys rather than the SSM.

Step 10: Verify you can now see historical room content

The KM will use the HSM for all future keys rather than the SSM. Use your own account to verify that historical data is being displayed correctly.

Updating your Key Manager

First log into the Admin Portal and download the latest version of the Key Manager RPM distribution by visiting the DOWNLOADS option located in the left Nav. Copy this file to your Key Manager server:

$> scp symphony-external-relay-centos*.rpm root@qa8-km:.

Stop Tomcat and verify that it has been successfully stopped:

$> service tomcat stop
$> service tomcat status

Update the Key Manager RPM:

$> rpm -U symphony-external-relay-centos65-0.11.0-6.x86_64.rpm

Verify your update:

$> rpm -qa | grep sym
symphony-external-relay-centos70-0.11.0-6.x86_64

Now restart Tomcat:

$> service tomcat start
$> service tomcat status

MANAGING YOUR POD

THE SYMPHONY POD

Symphony combines a frontend application with a highly reliable, secure backend platform. These backend platforms are called pods and come in two flavors (or deployment options):

• Public pod
• Private pod

The Public pod is a multi-tenant system where businesses are hosted within the same environment. Each business hosted on the shared pod has its own domain managed and controlled by the business’s admin account. We anticipate that the shared pod will mainly host individual accounts, small and medium sized businesses and workgroups of larger organizations.

The Private pod: For company-wide deployments enterprise customers will prefer to use a dedicated pod designed specifically for the needs of global enterprises. The pod you are administering is a private pod, dedicated to your organization.

ROLES

Before we begin, it’s worth discussing the various roles available in Symphony:

Super Administrator and Administrator Roles

• The Super Administrator role provides the highest level of access. The super administrator sets the policies such as:
  o Assigning people to the following functions:
    ▪ Administrative – super administrator or administrator
    ▪ Support – L1 or L2
  o Enabling feature entitlements at pod and user group levels
  o Managing the compliance features
  o Adding custom apps to the Symphony Market, and
  o Managing company level settings for SSO and Content Export.
• The Administrator role is limited compared to the super administrator. The administrator can manage the end user accounts, but cannot make changes to service accounts or other roles such as compliance officers. Here are the example tasks that an administrator can accomplish: create end user accounts in bulk, manage passwords, search users in the Symphony directory, and assign disclaimers to accounts.
• The End-User will create rooms and chats in support of their daily activities. The end user does not have access to the Admin Portal.

All End-User, Admin and Support accounts are granted the INDIVIDUAL role. The Admin can assign additional responsibilities by adding roles to end-user accounts as shown in the screenshot below:


If the Admin box is selected, then either Super-Administrator or Administrator can be selected from the corresponding dropdown box. L1 and L2 Support Roles can also be added. Admin and Support Roles can be combined but only one of each role category can be selected: Super-Administrators cannot also be Administrators and L1’s cannot also be L2’s. It is important that administrators fully understand the implications of assigning the different admin and support roles available. The full matrix showing the tasks available to each role is shown below. Note: the table is in two parts to help with document formatting:

Table: Super Administrator, Administrator & Support Roles

Compliance Roles

Compliance officer roles can only be assigned by compliance officers. For this reason the Super Compliance Officer Role is provided separately from the Super Admin Role when the customer pod is first created.

• The Super Compliance Officer role allows authorized users to define, manage and monitor tasks that help ensure compliance with regulations. For example, the Super Compliance Officers can search for rooms, monitor all chat rooms, view all posts of an account, and manage expression filters. They can run reports such as the session logs of all the Super Compliance Officers and the Compliance Officers.
• The Compliance Officer role is limited compared to the Super Compliance Officer. The Compliance Officer can search for rooms and see attendees but does not have the ability to manage expression filters. The Compliance Officer can also monitor rooms and wall posts if given the right by the Super Compliance Officer.

In the table below, we list the specific entitlements for SCO and CO roles:

SCO can grant entitlements to COs

Super Compliance Officers can manage and grant additional entitlements to standard Compliance Officers (COs).

Select BROWSE ACCOUNTS in the left Nav. Then filter the list by role and select compliance officers. Find the compliance officer who will be granted the additional entitlements and display their user details by clicking on their record in the list. Then use the Role section to grant the additional entitlements (see screenshot below):


SEARCHING AND FILTERING

In the previous section, we logged in to the Admin Portal and created a user account. When you click the Manage menu item, Symphony will display a list of all the users created so far. At first, this list will be relatively short, probably containing your own account, “John” in our example below, as well as the new user you created in earlier sections. But once you start loading users, you will find it more convenient to search and filter the users displayed. Symphony provides selection criteria for displaying exactly the users you’re looking for. You can sort and filter the contents of the search.

Sort By

• First Name
• Last Name
• Location
• Division
• Department
• Last login
• Date Created
• Date Updated
• Role

Filter By

• Status: Active and inactive users

You can also search for users in the search window, see below:

If there are multiple users with the same name, the search results will display the following information for each user to help you differentiate between the users:

• Display Name (The default is First_Name Last_Name)
• User Name
• Email address
• Avatar

CREATE A USER AND GENERATE A PASSWORD MANUALLY

In the earlier example, we created our first user and selected ‘Email the user a link to set their password’ which led Symphony to generate a self-provisioning password email. This time, we will see how the set password manually option works.

Here we have selected to set the password manually. When you select CREATE A USER you will be prompted to enter your password and as you type, the system displays hints about the default password rules until the password entered complies with these rules as shown in the screen below:

Editing a user

• To edit a user, select BROWSE ACCOUNTS from the Admin menu and then highlight the user you want to manage:


Changing the Username

You can change the Username in edit mode; you will see a warning before you change it. Remember that if you change the username, the user will not be able to log in to Symphony using their old username and password. You must communicate the change to the user.

Deactivating an account

• To deactivate a user account, click the Deactivate button at the top right-hand side of the window to toggle the account; you will be asked for a confirmation:

• Once you confirm the account deactivation, the system will confirm as follows:

You can re-activate the account using the same process.

Promoting an end user to admin

• Click on Browse Accounts and choose the user.
• In the Role Type section, select the Admin row from the drop-down list.

Changing a user’s password

1. Select BROWSE ACCOUNTS
2. Search for the user you want to manage
3. Select Reset Password
4. Select Email password reset link or Assign new password

See screenshot below:

When you click on Email password reset link, Symphony will display the following:

• If you choose Assign new password then you will be given the option to have Symphony suggest a password for you. Alternatively, you can simply type in your own password.
• Remember to copy the password to the clipboard before completing the process. This is important because you need to let your user know what her new password will be.
• Once you’ve done this you can then submit the password change to the system.

CREATING SERVICE ACCOUNTS

Service accounts are used by applications. They leverage the Symphony APIs to interact with your Symphony Pod, either to automate administration or for value-added applications. One important use case for service user accounts is LDAP Synchronization which requires a service user account in combination with the directory bridge server.

We use the same process to create a service user account as we used previously for creating an end-user account. When the option is selected, Symphony presents the Admin with the create user form. Selecting the Service Account option in the high-level menu above will display the form shown below:

Note: Please contact your account manager to request activation of Symphony Meetings. Note for LDAP Sync: When configuring the service account to support LDAP Sync you must configure it as an Admin role.

Be sure to select the roles that the service user account needs:

• Individual: Enables a service user account to operate as a general user (meaning, without admin privileges). This option is selected by default.
• User Provisioning: Enables a service user account to call the Symphony Admin User Management, Presence, and Streams endpoints.
• Content Management: Enables a service user account to call the Symphony Message endpoints.
• Expression Filter Policy Management: Enables a service user account to call the Symphony Dictionary Management and Policy Management endpoints. For more information, see the Expression Filters v2 section.

For more information about Symphony REST APIs that require a service user account, see the following topics in the Symphony REST API developer documentation: https://rest-api.symphony.com/

• Use Cases section > Service User Account Endpoints topic
• Admin User Management section > User Attributes topic


Once the fields have been entered as described above, press the CREATE button located at the bottom of the form. This will generate a security key. You should immediately copy the security key.

The security key is system generated and acts as a shared secret between your service application and your pod. For security reasons, the Admin Portal uses a display timeout of between 15 and 30 seconds.


Changing your Security Key

If you weren’t able to copy the key quickly enough, or need to change the key for any reason, use the Reset Security Key option located top right of the user information form:

You will be asked to confirm the reset:

At which point a new key will be displayed. Again you will have 15 to 30 seconds to copy this new key. Remember, this is the key that will be used by your service application so it needs to be configured in that application.

MANAGEMENT OF CERTIFICATES IN THE ADMIN PORTAL

Bots and other applications developed using the Symphony REST APIs use certificate-based authentication. These certificates can be configured by the Symphony Admin using the MANAGE CERTIFICATES option in the left Nav. The list of currently loaded certificates will be displayed:

Click the Import button to load a new PEM or CER file:


RSA AUTHENTICATION FOR SERVICE ACCOUNTS

Starting with Symphony Release 1.51, admins can configure new and existing service accounts to use RSA authentication. Admins can manage the entire lifecycle of RSA public/private key pair management from the Admin Portal including uploading keys, revoking keys, and replacing keys. This functionality is also supported via the APIs.

Complete instructions are available here: https://rest-api.symphony.com/docs/rsa-bot-authentication-workflow

FEATURE ENTITLEMENTS

When you first deploy your pod, several features are activated by default, meaning that whenever you create new users they are authorized to:

1. Delegate: Allow another user to POST on their behalf (deactivated by default)
2. Share Files internally
3. Communicate and share files externally
4. Allow users to create public rooms
5. Allow users to change their profile photos

If you display a new user’s details in a recently deployed pod by using BROWSE ACCOUNTS and then selecting a user, you will see that these features are all shown as activated for this user. While you can modify these selections on a per-user basis, this might be time-consuming for larger implementations, and FEATURE ENTITLEMENTS provides additional flexibility for controlling these three features at a system-wide level.

USER LEVEL ENTITLEMENTS SUPPORTED BY SYMPHONY

The graphic below shows the user-level entitlements supported by Symphony.

User-level entitlement: Result when entitlement is enabled

Allow user to read wall posts: Wall posts are visible to the user.
Allow user to write wall posts: The user can create wall posts on his or her profile.
Can have delegates: The user can select delegates to post on her wall on her behalf.
Can chat in external IM/MIMs: The user can participate in bi-lateral Direct Chats (IMs and MIMs).
Can share files externally: The user can share files with connections at other companies.
Can edit profile picture: The user can change his or her profile picture.
Can create internal public rooms: The user can create chat rooms that are accessible by anyone from within the company.
Can chat in private external rooms: The user can participate in bilateral Chat Rooms that have restricted membership.
Can create push signals: The user can create Signals that are made available to everyone within the company.
Can send files internally: The user can share files with others within the company.
Can use Audio in internal Meetings: The user can send and receive audio while using Meetings within the company.
Can use Video in internal Meetings: The user can send and receive video while using Meetings within the company.
Can Share Screens in internal Meetings: The user can share his or her screen while using Meetings within the company.
Can view Shared Screens in internal Meetings: The user can view the screens shared by others while using Meetings within the company.
Can manage signal subscriptions: This entitlement is for service accounts. The enabled service account can use the Subscribe Signals API to manage Signal subscriptions on behalf of end users.

CONFIGURATION SCENARIOS

In this section, we describe the various combinations for configuring feature entitlement using two dropdown boxes:

1. Disable for entire pod?
   • Disable for entire pod
   • Manage at user level
2. Assign to new users by default?
   • Yes
   • No


DISABLE FEATURES FOR THE ENTIRE POD

Disabling a feature for everyone on the pod is an important configuration decision but sometimes necessary. Note that the feature will also be disabled for any existing users. When you first provision your pod, you will see “Manage at user level” against the features (please see the screenshot above). If you have decided to disable one of these features then you turn it off by selecting “Disable for entire pod”. Follow these steps:

1. First decide whether you need to disable any of these features
2. Inform any existing users that you are about to disable the feature
3. Disable the feature for the entire pod (no users will be able to use the feature)

This screenshot shows a disabled “Can have delegates feature” (this is the default setting):

Note: Disabling file transfer does NOT inhibit the pasting of tables directly into IMs, and users will still be able to receive and display files posted by others.

Important: Only disable features at the system-wide level if you intend to disable the feature for ALL users and preferably have informed existing users of the planned change.

Note: The Screen Sharing feature is in customer beta trials.

ENABLING FEATURE SETTINGS FOR NEW USERS BY DEFAULT

When you first provision your pod, please check if the features being assigned to new users by default are aligned with your corporate policies. For example, “Can have delegates” is allowed and is being assigned to new users by default. You will see “Manage at user level” against each feature and “Yes” as the value in the “Assign to new users by default?” column. You may prefer not to activate specific features for new users in which case you would simply select “No” in the “Assign to new users by default” column and then manage the user settings on a per user basis. Follow these steps to configure default settings for your new users:

1. First decide which features will be enabled by default
2. Select “Manage at user level” in the first column, entitled “Disable for entire pod?”, on the row corresponding to each feature you want to set defaults for
3. Select “Yes” or “No” in the next column, under the heading “Assign to new users by default?”, depending on how you want the default settings to work – yes to allow, no to disable.
4. You can still toggle this feature for individual users through the BROWSE ACCOUNTS option or the search window in the top right (see the section entitled “Making changes to an individual user” below)

MANUALLY SETTING FEATURES FOR ALL USERS (WITHOUT USING DEFAULT VALUES)


This approach requires that each user be modified manually. You might use this approach if your organization generally prefers a certain feature to be disabled for users but has a few special-case users who will be allowed to use the feature.

1. First decide which features you want to set exclusively by setting the feature for each user manually
2. Select “Manage at user level” in the first column, entitled “Disable for entire pod?”, on the row corresponding to each feature you want to set defaults for
3. Select “No” in the next column, under the heading “Assign to new users by default?”
4. You can enable this setting for individual users with the BROWSE ACCOUNTS option and searching for a user (see section below)

ENABLING EXTERNAL COMMUNICATIONS

Admins can control whether users will be able to communicate externally by default. There are important regulatory compliance issues to consider when activating this feature at the company level. Some regulated organizations will prefer to enable this feature at the user level which we describe in a section below.

Note: Please contact your account manager to request activation of Symphony Meetings.

If a user is granted either:

1. Can chat in external IM/MIMs
2. Can chat in private external rooms

Then they will be visible in searches by external users and will also be able to search for and communicate with external users.

Note: Both participants must have External communications activated by their respective admins for this feature to work. Users must first request a connection with an external user before being able to communicate with them.

Two additional entitlements are available for controlling external communications:

1. Can send files externally
2. Require user warning for external communications

You can also ensure that users will receive a warning whenever they initiate external communications using:

• Require user warning for external communications
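How the two pod-level dropdowns (“Disable for entire pod?” and “Assign to new users by default?”) combine with per-user flags, and how the external-communication rule above (both admins must have enabled it, and a connection must exist) is evaluated, as an added example that is not Symphony code. The class, function and pod names are assumptions made for this illustration; it also lists per-user flags that a pod-level disable currently masks, since those come back into force if the pod setting is later switched to “Manage at user level”.

```python
"""Added example, not Symphony's own code: a small model of the feature-entitlement
scenarios on this page and of the external-communication rule."""

DISABLE_FOR_POD = "Disable for entire pod"
MANAGE_AT_USER_LEVEL = "Manage at user level"

# Either of these two entitlements makes a user visible to, and able to reach, external users.
EXTERNAL_CHAT_ENTITLEMENTS = ("Can chat in external IM/MIMs", "Can chat in private external rooms")
EXTERNAL_WARNING = "Require user warning for external communications"


class Pod:
    """One pod: a pod-level setting per feature plus the per-user flags an admin edits."""

    def __init__(self, name):
        self.name = name
        self.features = {}  # feature -> (pod setting, assign to new users by default)
        self.users = {}     # username -> {feature: bool}

    def configure_feature(self, feature, pod_setting, assign_to_new_users):
        if pod_setting not in (DISABLE_FOR_POD, MANAGE_AT_USER_LEVEL):
            raise ValueError(f"unknown pod setting {pod_setting!r}")
        self.features[feature] = (pod_setting, bool(assign_to_new_users))

    def create_user(self, username):
        # A new user receives the "Assign to new users by default?" value of every feature.
        self.users[username] = {f: default for f, (_, default) in self.features.items()}

    def set_user_feature(self, username, feature, enabled):
        self.users[username][feature] = bool(enabled)

    def is_entitled(self, username, feature):
        """Effective entitlement: a pod-level disable wins over any per-user flag, for
        existing users as well as new ones (the note under "Disable features for the
        entire pod" above)."""
        pod_setting, _ = self.features.get(feature, (MANAGE_AT_USER_LEVEL, False))
        if pod_setting == DISABLE_FOR_POD:
            return False
        return self.users[username].get(feature, False)

    def can_reach_externally(self, username):
        return any(self.is_entitled(username, e) for e in EXTERNAL_CHAT_ENTITLEMENTS)

    def masked_user_entitlements(self):
        """Per-user flags currently hidden by a pod-level disable. They silently come
        back into force if the admin switches the feature to "Manage at user level",
        so they are worth reviewing before that change."""
        masked = []
        for feature, (pod_setting, _) in self.features.items():
            if pod_setting != DISABLE_FOR_POD:
                continue
            for username, flags in self.users.items():
                if flags.get(feature):
                    masked.append((username, feature))
        return sorted(masked)


def can_chat_externally(pod_a, user_a, pod_b, user_b, connection_made):
    """Two users on different pods can chat only when each one's own admin has enabled
    external chat for them and a connection request has been made between them."""
    if pod_a is pod_b:
        return False  # same pod: an internal conversation, not governed by this rule
    return (pod_a.can_reach_externally(user_a)
            and pod_b.can_reach_externally(user_b)
            and connection_made)


def external_warning_shown(pod, username):
    """Whether the user sees the warning when initiating external communications."""
    return pod.can_reach_externally(username) and pod.is_entitled(username, EXTERNAL_WARNING)


if __name__ == "__main__":
    acme = Pod("acme")  # constructed sample pod
    acme.configure_feature("Can have delegates", DISABLE_FOR_POD, True)  # the page's default
    acme.configure_feature("Can chat in external IM/MIMs", MANAGE_AT_USER_LEVEL, False)
    acme.configure_feature(EXTERNAL_WARNING, MANAGE_AT_USER_LEVEL, True)
    acme.create_user("alice")
    acme.set_user_feature("alice", "Can chat in external IM/MIMs", True)
    partner = Pod("partner")
    partner.configure_feature("Can chat in private external rooms", MANAGE_AT_USER_LEVEL, True)
    partner.create_user("bob")
    print("alice <-> bob:", can_chat_externally(acme, "alice", partner, "bob", True))
    print("warning for alice:", external_warning_shown(acme, "alice"))
    print("masked flags on acme:", acme.masked_user_entitlements())
```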

MANAGING FILE EXTENSIONS

Admins can configure file attachments by logging into the Admin Portal, and selecting the File Types tab in EDIT ENTITLEMENTS from the left Nav.

• Admins can manage the set of extensions allowed for internal conversations independently of the set of extensions allowed externally.

• As of release 1.52, the following extensions can be selected: .265, .3g2, .3gp, .7z, .aif, .atom, .au, .avi, .bmp, .bz, .bz2, .cdi, .chm, .class, .cpio, .csv, .doc, .docm, .docx, .dotm, .dotx, .dwg, .eml, .epub, .flv, .gif, .gz, .hdf, .heic, .heif, .hevc, .html, .ico, .jar, .java, .jpeg, .jpg, .js, .json, .m4v, .mbox, .mdb, .mid, .mov, .mp4, .mp4a, .mpeg, .mpg, .mpga, .mpp, .msg, .nc, .odc, .odf, .odft, .odg, .odi, .odm, .odp, .ods, .odt, .oga, .ogv, .ogx, .otc, .otg, .oth, .oti, .otp, .ots, .ott, .p7m, .p7s, .pdf, .png, .potm, .potx, .ppam, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .pub, .qt, .rar, .rss, .rtf, .sldm, .sldx, .sql, .svg, .sxw, .tar, .tif, .tiff, .tsd, .ttf, .txt, .vsd, .wav, .wbmp, .webp, .wpd, .x-tiff, .xhtml, .xlam, .xls, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .xml, .xps, .xsd, .yaml, .zip


• The Admin can search for extensions and view a list of all allowed or blocked extensions for both internal and external streams using the summary link


Summary of file types enabled for sharing

• For existing pods, the list of allowed extensions configured prior to the upgrade to 1.52 is copied across the 2 new lists based on the following rules:
  o Set the list of allowed extensions for internal conversations to the existing list of allowed extensions configured before the upgrade.
  o Set the list of allowed extensions for external conversations to:
    ▪ The existing list of allowed extensions configured before the upgrade if external file sharing is enabled at the pod level.
    ▪ The Default External Allowed list of extensions if external file sharing is disabled at the pod level, where the Default External Allow list == [ .jpeg, .jpg, .png, .bmp, .wbmp, .tiff, .tif, x-tiff, .ico, .gif].

There is currently no way for Admins to add their own custom extensions to the list.

Note: Blocking all extensions internally and externally is equivalent to disabling the “Can send files” feature.
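The upgrade rules and the "blocking everything disables sending" note above, as an added Python example that is not Symphony's code: it derives the two post-upgrade allow lists from the single pre-upgrade list and the pod-level external sharing flag, then checks a file name against each list. The pre-upgrade list and file names are constructed for the example.

```python
"""Post-upgrade file-extension allow lists, as described above.

Added example, not Symphony's code. It derives the two lists that the 1.52
upgrade creates from the single pre-upgrade list, then checks whether a
given file may be shared in an internal or external stream. The sample
pre-upgrade list and file names are constructed for the example.
"""
import os

# The Default External Allow list quoted above ("x-tiff" appears without a dot there).
DEFAULT_EXTERNAL_ALLOW = [".jpeg", ".jpg", ".png", ".bmp", ".wbmp",
                          ".tiff", ".tif", "x-tiff", ".ico", ".gif"]


def _normalize(ext: str) -> str:
    """Lower-case the extension and make sure it carries a leading dot."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def migrate_allow_lists(pre_upgrade_allowed, external_sharing_enabled):
    """Return (internal_allowed, external_allowed) per the upgrade rules.

    Internal conversations keep the pre-upgrade list. External conversations
    keep it only when external file sharing was enabled at the pod level;
    otherwise they get the Default External Allow list.
    """
    internal = {_normalize(e) for e in pre_upgrade_allowed}
    if external_sharing_enabled:
        external = set(internal)
    else:
        external = {_normalize(e) for e in DEFAULT_EXTERNAL_ALLOW}
    return internal, external


def is_allowed(filename, allowed):
    """True when the file's extension is on the allowed set (case-insensitive).

    Only the last extension counts, so "archive.tar.gz" is judged on ".gz".
    """
    _, ext = os.path.splitext(filename)
    return bool(ext) and ext.lower() in allowed


def sharing_disabled(internal, external):
    """Blocking every extension on both lists equals disabling "Can send files"."""
    return not internal and not external


if __name__ == "__main__":
    # Constructed pre-upgrade list for a pod with external sharing disabled.
    internal, external = migrate_allow_lists([".pdf", ".xlsx", "PNG"], False)
    print("internal:", sorted(internal))
    print("external:", sorted(external))
    print("Q3-report.PDF external?", is_allowed("Q3-report.PDF", external))
```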

Enabling Real-Time Communications Meeting entitlements

The Symphony Real-Time Communications (RTC) Meetings functionality lets users hold a meeting with audio, video, and screen sharing capabilities from a chat. When meeting entitlements are enabled, the Start Meeting icon displays on the right side of a chat interface.

To enable RTC Meetings functionality:

1. Your organization must have implemented RTC as either an on-premises or cloud-based service as described in the Real-Time Communications Planning Guide of 15 September 2017.
2. Symphony must have enabled the following entitlements for your organization’s pod:
   • Can use Audio in internal Meetings
   • Can use Video in internal Meetings
   • Can Share Screens in internal Meetings
   • Can view Shared Screens in internal Meetings

Contact your Symphony representative if you do not see these entitlements in the Admin Portal.

The following procedure describes a general deployment scenario of setting entitlements at the user level and then activating the functionality at the company level for all users. For more information, see the Feature Activation section in the Real-Time Communications Planning Guide of 15 September 2017.

1. Determine which entitlements to activate for your organization.

Customers who only want to use Symphony Meetings for screen sharing should activate only the two screen sharing options. Doing this removes the audio and video buttons from the interface of users’ meeting experiences.

2. Set entitlements at the user level.

You can set them manually for each individual user, or use the bulk account management logic or use the Provisioning APIs or LDAP Synchronization. See these sections above:

• Enable feature settings for new users by default
• Manually setting features for all users (without using default values)
• Provisioning APIs
• LDAP Synchronization

3. Set entitlements at the company level.

Navigate to Company Settings > Edit Entitlements > Feature Entitlements in the Admin Portal and enable or disable the four options, as needed.

MEETING EVENTS INCLUDED IN AUDIT TRAIL AND CONTENT EXPORTS

Starting with Release 1.50, Meeting events will be included in:

• The audit trail available to compliance officers from the AC portal
• Content exports

SELECTIVE RECORDING BETA (FOR COMPLIANCE RECORDING/REPLAY)

Symphony is pleased to announce the availability of the selective recording beta (for compliance recording/replay) for on-premises customers. An additional on-premises component called the Replay Bridge needs to be installed. If you are interested in participating in the Beta program for selective compliance recording, please contact your Symphony Technical Account Manager.

COMPACT MODE (BETA)

A new beta feature, “Compact Mode,” is available for testing. Compact mode provides a simplified interface for the desktop client to allow the end user to focus on their most important tasks.

The admin can control this feature via an entitlement called “Enable Compact Mode.” This entitlement is disabled by default. Admins can enable or disable access to compact mode for their company and manage access per account as well. See below:

If the feature is enabled by the admin for a given account, that end user will have access in the settings of the desktop client to the toggle to switch compact mode on, as shown below.

Please contact your Symphony Account Manager or Solutions Architect for more information on this beta program. This feature should be disabled unless your company is part of the beta program.

MULTI-LATERAL (MULTI-COMPANY) CHAT

Multi-lateral (Multi-company) chat provides the capability to create chat rooms between participants at more than two companies. This feature currently supports chat rooms with up to 300 participants from up to 25 companies.

Admins can enable or disable the multi-company chat feature for their company and manage individual user entitlements, including:

• Create multi-lateral (multi-company) chat
• Join multi-lateral (multi-company) chat

Both these entitlements are enabled at the company level and disabled at the user level by default. See below.


If the admin disables external chat for a user via the entitlement “Can chat in external IM/MIMs,” then enabling the entitlements “Can join/create multi-lateral room” for that user does not allow the user to participate in external chat.

FIREHOSE (BETA)

With Release 1.50, Symphony is introducing a new entitlement “Can use Firehose.” This entitlement enables a service account to access the Firehose API – a beta feature. Unless your company is part of the beta program, this entitlement should be disabled at the company/pod level.

CAN MANAGE SIGNAL SUBSCRIPTIONS

With Release 1.51, Symphony is introducing a new entitlement “Can manage signal subscriptions.” This entitlement is for service accounts. The enabled service account can use the Subscribe Signals API to manage Signal subscriptions on behalf of end users. Learn more about this API here: https://rest-api.symphony.com/docs/signal-object

This entitlement is enabled at the company level and disabled at the user level by default.

AUDIO, VIDEO, SCREEN SHARE IN INTERNAL MEETINGS ON MOBILE (IN ANTICIPATION OF FUTURE AVAILABILITY)

With Release 1.50, admins will see four entitlements for internal Meetings on Mobile as follows:

• Can use Audio in internal Meetings on Mobile
• Can use Video in internal Meetings on Mobile
• Can Share Screens in internal Meetings on Mobile
• Can view Shared Screens in internal Meetings on Mobile

These four entitlements are being introduced in anticipation of future availability of these capabilities in the Symphony mobile clients. These four entitlements must be disabled at the company or pod level until further notice.

Meetings on iOS

• Meetings are now available on iOS for customer trial (Early Access Program). Meetings launch from within chat rooms and IMs, or can be accessed by clicking “Join” from a Meeting invitation.

Symphony mobile RTC: Symphony chat, Symphony meeting invitation, and video sharing for iOS

• Important note: This version has not been tuned for use within Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) frameworks. So, while UX feedback is helpful, customers should be aware that further work is required for full user deployment of mobile Meetings.

• Entitlement to “Use mobile Meetings” can be set via the Admin portal, by provisioning APIs or using LDAP sync. The mobile Meetings entitlement inherits the user’s RTC settings for audio/video and viewing screen shares. It is not currently possible to share screens or apps from iOS devices. You can, however, view shared screens on your iOS device.

• Please contact your Symphony representative to enable Meetings on iOS.

MULTIPLE COMPANY NAMES

This feature supports assigning of company names other than the default company name to individual user accounts on the company’s pod. This ensures that user profiles show a specific company, subsidiary, or affiliate name.

• A list of pre-approved aliases, affiliates, or subsidiaries will be provisioned on your pod to enable this new multiple company names feature. To ensure uniform organizational association of account profiles with company names, it is strictly enforced that company names must match one from the provisioned list. For Release 1.50, please seek assistance from the Symphony Technical Account Management team to establish the pre-approved name list.
• Once these additional company names are created, Symphony Admin APIs or the Admin and Compliance portal UI or LDAP bridge v1.50 can be used to create or update user profiles with them.
• Via the UI:

• If no value is assigned to the company name field, a user account will default to the company name based on their email domain. This is in line with the pre-existing behavior.

POD LEVEL ENTITLEMENTS SUPPORTED BY SYMPHONY


The graphic below shows the pod-level entitlements supported by Symphony.

Pod-level entitlement: Result when entitlement is enabled

General

• Block receipt of files from external users: Users cannot receive files sent by their contacts at other companies.
• Require user warning for external communications: Users get a pop-up notification that their message will be sent to contacts at other company.
• Allow inline media to open by default: Links to inline media such as images or videos are opened automatically.
• Enable offline email notifications: If Symphony users are offline when they receive new messages, they are notified via email.
• Allow Drag & Drop: Users can attach files to the message composition window simply by dragging and dropping.
• Silence deactivation events: The chat rooms do not display that the user has left the room when an admin disables a user account.
• Enable external connections based on conversations: When new users are added to a bilateral (cross-company) chat room, they get connected to each other automatically. The new users do not need to send or accept connection requests.
• Enable View Conversation History for Private Internal Chat Rooms: When new users are added to an existing chat room, they can view the history of the chat room. The room owner can optionally disable the viewing of conversation history while setting up the room.
• Enforce reduced Emoji set on Desktop clients: The Emoji set is restricted to a small group of Emojis. Note: The full list of emojis supported in Symphony is here; the reduced set is here.
• Enable Two-Factor Authorization at Sign-In for ACP Users: All users with access to the Admin and Compliance Portal (ACP) will be presented with two-factor authentication when logging into ACP with Symphony credentials (i.e. a Symphony password). Note that this applies to all types of roles that access the ACP such as administrators, super administrators, compliance officers, super compliance officers and L1/L2 support.

Mobile Specific

• Disable SSO for mobile clients: Single Sign On is not available to users on mobile clients.
• Hide conversation and sender names in mobile push notifications: Users don’t see the conversations and sender names in the notifications, in order to maintain privacy of messages and senders.
• Can share files externally: Users can share files with connections at other companies.
• Can share files internally: Users are limited to sharing files with others within the company.
• Can copy and paste content: Users can copy messages from within Symphony chats, and hence paste messages to Symphony chats.
• Symphony can access the address book: Users allow Symphony access to their address book on the mobile device.
• Can open links and documents in the Symphony app: Users can click to open the links shared via the Symphony app, and open documents inline within the Symphony app.
• Allow external sharing using iOS device share extensions: Users can forward content from within Symphony via the Share Extension functionality available in iOS devices and other services.
• Allow users to set a 6-digit PIN: Users can pick a six-digit PIN to secure their device.

MANAGING ENTITLEMENTS FOR MOBILE APPLICATIONS

Starting with release 1.47, Super Admins have two options for managing entitlements of mobile applications:

• Symphony Admin Portal
• Third party Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions such as BlackBerry Dynamics, MobileIron or AirWatch

Mobile entitlements via the Symphony Admin Portal

By default, the option shown below in the “EDIT ENTITLEMENTS” menu item is unchecked. If Super Admins want to continue managing mobile policies using an external MDM/EMM solution, they should leave this box unchecked.

The option below should be checked for organizations that:

• Want to move from their MDM/EMM solution to Symphony Admin Portal for mobile policy management, or
• Do not currently use an MDM/EMM solution

If checked, updating the mobile policies in the Admin Portal will override any policies set by an external MDM or EMM solution such as BlackBerry Dynamics, MobileIron or AirWatch. This allows Super Admins to manage the following entitlements for mobile users:

When the below option is unchecked, there are two scenarios that apply depending upon the use of external MDM/EMM solutions:

1. If your company uses an external MDM/EMM solution, the mobile policies set in the MDM/EMM solution will apply to Symphony mobile clients.
2. If your company does NOT use an external MDM/EMM solution, all of the below policies are set to TRUE by default. Super Admins will need to check the box to make edits.

MAKING CHANGES TO AN INDIVIDUAL USER

Use the ACCOUNTS option located on the left nav. Click on BROWSE ACCOUNTS then search for the user and select ENTITLEMENTS to enable the features you want to activate as shown below:


Note: Please contact your account manager to request activation of Symphony Meetings.

ENTITLING USERS TO PUSH SIGNALS

This entitlement can be applied to specific users who will be allowed to push company-wide signals. These signals will be automatically displayed in the left Nav. of all users on the pod.


IMPROVED CONFIDENTIALITY ON MOBILE CLIENTS

An additional entitlement has been added to prevent information from being displayed on the iPhone and Android lock screen. This option is displayed as a new feature entitlement setting:

• Hide conversation and sender names in mobile push notifications

BLACKLIST UNAFFILIATED PUBLIC USERS

Users can be blocked from communicating with or receiving communications from unaffiliated users (public users) with the BLACKLIST option in the left Nav. The admin can set this feature by selecting MANAGE BLACKLIST from the left Nav.

BAN USERS FROM CHAT ROOMS, OR REMOVE A BAN

The Super Compliance Officer and the Compliance Officer can ban users from specific chat rooms. The banned user is immediately removed from the chat room and is blocked from re-joining that room until the SCO or the CO removes the ban. The SCO or CO can ban a member by navigating to the list of members in a room, and clicking on the “Ban Member” icon as shown below:

The ALL ROOMS option in the left Nav has a check box for “Show only rooms with banned members” as shown below:

The SCO or the CO can look at the list of members banned from a room by navigating to the BANNED tab as shown below:

The SCO or the CO can remove a ban by clicking the plus sign under “Unban Member” as shown below:

After clicking the “Unban Member” icon, the SCO or CO will be presented with a dialog box to add a justification for unbanning the user. The SCO or CO can also choose the option to add the user to the room automatically. See below:

Note: The ability to export ban and unban events is supported starting with CEB v1.47. Prior versions of CEB do not export ban and unban events. Admins must upgrade to Release 1.47 before the SCOs/COs start using the ban/unban feature.

LOCK AND UNLOCK CHAT ROOMS

Important! Companies must upgrade their CEB to v1.48 before an SCO or CO can use this lock and unlock feature because older CEBs are not able to export lock and unlock events.

Super Compliance Officers and Compliance Officers can lock and unlock chat rooms. When an SCO or CO locks a room, it is immediately deactivated and room owners are prevented from re-activating it. Only an SCO or CO can unlock a room. Unlocking a room automatically reactivates it.

Active room

Deactivated room

Locked room

Lock a room

Click Lock on the right side of the window. Enter a Justification and click Lock.

The Room locked confirmation message displays on the Conversation Detail window and the room status changes to Locked.

Unlock a room

Click Unlock on the right side of the window. Enter a Justification and click Unlock.

The Room unlocked confirmation message displays on the Conversation Detail window and the room status changes to Active.

INSTALLING THE DESKTOP CLIENT

Starting with release 1.52, we are introducing the Symphony Desktop Client v2.9 for Early Access. Compared to the previous generation Minuet (Paragon), the new version is up to 2.3x faster, provides support for three OS platforms (Mac OS X, Windows 32-bit and 64-bit), and enables a simplified experience with features such as one-click audio/video conferencing, the ability to add screen captures automatically, and more.

The desktop client for Windows can be downloaded from the Admin Portal and works on Windows 7, Windows 8.x and Windows 10 computers. The Mac client can also be downloaded from the Admin Portal and works on Mac OS X 10.9 and higher.

Upgrade best practices:

• Migrate to the updated desktop application by going to the downloads section of the Admin Portal. Here, you can access all available versions (32-bit and 64-bit Windows client + Mac OS).

• Plan a desktop application rollout timeline.

Note on dependencies

The desktop client for Windows requires .NET version 3.5 or 4.0. On Windows 7 systems, .NET 3.5 is pre-installed with the system and on Windows 8.x .NET 4.0 is pre-installed, so nothing should need to be installed. If for some reason neither .NET 3.5 nor .NET 4.0 is detected, the installer will stop and display a message requesting the installation of .NET 3.5 or 4.0.

Pre-Configuring your Pod URL

Requires Symphony Desktop Client for Windows version 1.44.0.7 or higher

Registry settings are available for simplifying the installation of the desktop client for Windows. At installation, the registry setting will be checked first and will override any other pod URL settings.

• When installing the Symphony desktop app version 1.44.0.7 (or higher) using the msi file provided by Symphony, a registry entry will be created at: Computer\HKEY_LOCAL_MACHINE -> SOFTWARE -> Symphony -> Symphony -> PodUrl with an empty data string.
• When the app starts, it will look at the registry PodUrl value and if it finds a valid URL then the app will open to the given address. In this case, the value in the pgx described in the following section will be ignored.

Notes:

• The PodUrl should include a valid URL including protocol (e.g., https://symphony.mycompany.com/)
• If the URL is invalid (e.g., missing protocol) then the value in the pgx file will be used.
• If the URL is not reachable then an error will be shown saying: "Application load error. Additional details may be available in the log file: ..."
• If the PodUrl is changed in the registry, the app will need to be restarted to pick up the new value.

LAUNCHING THE DESKTOP CLIENT

Start Symphony by executing the “Symphony shortcut” icon located on your desktop or by selecting Symphony/”Symphony wrapper” from the Windows Start menu on Windows 7 and higher as shown below.

AUTHENTICATING USING SINGLE SIGN-ON (SSO)

SSO can be configured so that a relationship of trust is established between corporate identity systems and Symphony. With SSO in place, users will no longer be required to re-authenticate with Symphony after having logged into the corporate network. In this way, Symphony joins the family of corporate assets protected by the existing system. SSO makes life easier for both end-users and admins.

CONFIGURATION INFORMATION REQUIRED

Before you configure SSO, you should obtain the following information:

• IdP entity ID • IdP SSO endpoint • IdP signing certificate (this will be a file)

NOTES ON SYMPHONY’S IMPLEMENTATION OF SSO

This section describes various elements of SSO and how they have been implemented at Symphony. In general we have preferred the most commonly used options wherever possible.

Binding (the most widely used)
• POST binding for incoming assertions
• Redirect binding for SAML Requests

Assertions
• Assertions should be signed
• Responses should NOT be signed

Signing cert
• PEM format
• Base64 encoded
• Starts with -----BEGIN

SAML subject
• Should match the username field: this means that when you load your users into Symphony, you should take care to ensure the username field matches the NameID field in the SAML subject contained in the IdP’s SAML assertion.
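The conventions above, as an added Python example that is not Symphony's code: it checks an incoming SAML Response for a signed Assertion and an unsigned Response, checks that the IdP signing certificate is a PEM/base64 file, and checks that the NameID in the SAML Subject matches a username loaded into Symphony. The sample Response, the AD.example.com issuer and the PEM body are constructed; the signature's cryptography is not verified here.

```python
"""SAML checks for the Symphony SSO conventions listed above.

Added example, not Symphony's code. It checks that the IdP signing cert is a
PEM/base64 file, that the Assertion (not the Response) carries a Signature
element, and that the NameID in the SAML Subject matches a username loaded
into Symphony. The sample Response and PEM body are constructed for the
example; cryptographic verification of the signature is out of scope.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {  # standard SAML 2.0 and XML-DSig namespaces
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def check_signing_cert(pem_text: str) -> bool:
    """True when the cert is PEM: BEGIN/END lines around a valid base64 body."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_response(response_xml: str, usernames) -> dict:
    """Apply the signing and subject rules to a SAML Response document.

    Returns one flag per rule plus the NameID that was found (or None).
    """
    root = ET.fromstring(response_xml)
    result = {"is_response": root.tag == "{%s}Response" % NS["samlp"]}
    # Responses should NOT be signed: no ds:Signature directly under Response.
    result["response_unsigned"] = root.find("ds:Signature", NS) is None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result.update(assertion_signed=False, name_id=None, username_match=False)
        return result
    # Assertions should be signed: ds:Signature directly under Assertion.
    result["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else None
    result["name_id"] = name_id or None
    # The SAML subject must match the username field loaded into Symphony.
    result["username_match"] = bool(name_id) and name_id in set(usernames)
    return result


def acceptable(result: dict) -> bool:
    """All rules satisfied: unsigned Response, signed Assertion, known NameID."""
    return all(result.get(k) for k in
               ("is_response", "response_unsigned", "assertion_signed", "username_match"))


# Constructed sample: signed Assertion inside an unsigned Response. The issuer
# host AD.example.com is a placeholder, not a real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>http://AD.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://AD.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed PEM body: valid base64, but not a real certificate.
SAMPLE_CERT = "%s\n%s\n%s\n" % (
    PEM_HEADER,
    base64.b64encode(b"constructed placeholder, not a real certificate").decode(),
    PEM_FOOTER,
)

if __name__ == "__main__":
    print("cert ok:", check_signing_cert(SAMPLE_CERT))
    print(check_response(SAMPLE_RESPONSE, {"jdoe@example.com"}))
```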

SSO AND DOMAIN NAMES

To use URLs in domains other than the Symphony.com domain, you need to provide your preferred domain name to [email protected]. Using this name, you will then update your IdP configuration with the desired ACS URL. The ACS URL displayed in the Admin Portal SSO configuration window is provided as an example, but will not match what you configure on your IdP. For example, if you see https://MYCOMPANY.symphony.com/login/sso/acs in the SSO configuration window, you can still configure your ACS URL in the IdP configuration as https://symphony.MYCOMPANY.com/login/sso/acs as long as MYCOMPANY.com was whitelisted during initial installation.

CONFIGURING SSO

Select the Configure SSO option and you will then go through three steps:


In this example, we are configuring a pod called QA and the addresses for the Entity ID and ACS URL are displayed so that they can be noted down and communicated to the appropriate AD admin.

Admin Portal SSO Fields
• IDP entity ID: the name you give your directory application
• IDP SSO endpoint: the URL for accessing that app, e.g. ADFS.example.com
• IDP signing certificate: the public signing certificate, which can be exported from your directory application

Enter the fields corresponding to your corporate directory federation service and then Import the IdP signing certificate. Click Next. You will now move to the second phase in which we test whether we can access the URL you provided. If Symphony was able to access the URL then you will be notified with a pop-up. You will need to enable pop-ups in your browser to see the test.

After successfully logging in to your Symphony account using your corporate credentials, click Next. You can then select to Switch on SSO.


When you click on Turn on SSO, you will be asked to confirm that you want to switch on SSO:

If SSO was enabled, you will see the message:

Note: It can take up to two minutes for SSO to be activated after you have enabled it. Note that you will need to communicate to all current users that they need to use the corporate credentials from now on to log into Symphony and can no longer use their Symphony password.

IMPLICATIONS OF SSO

You will now find that whenever you attempt to change user passwords you will be informed that SSO is in place with the message: “Your company has SSO authentication turned on.”

Note: Admins must have a password to log in to the Admin portal even when SSO has been enabled for the pod.

SWITCHING OFF SSO

In the future, if you decide to revert to manual passwords, you can select Configure SSO again and will see the following:

(SSO configuration screenshot showing the IdP values http://AD.XXXXXXXXX.com/adfs/services/trust and https://AD.XXXXXXXXX.com/adfs/ls)

Be aware that if you did select Disable SSO then your users would need to be notified to set their Symphony passwords.

We recommend that you send an email to your users before disabling SSO telling them how to reset/set a Symphony password.

SSO ACCOUNTS THAT ALSO HAVE PASSWORDS

In the future we will be providing a mobile client, and at early stages the mobile client may require a manual password. For this reason, you have the flexibility to assign a password to an account, even when you’ve activated SSO on your system. When those users log in using the desktop client, they will still use SSO. In addition to SSO, LDAP Sync is also an important feature that Admins can use to simplify the management of users on their private pod.

LDAP SYNCHRONIZATION (SYNC)

LDAP is broadly supported by corporate directory systems. With LDAP sync, Admins can create and control their Symphony accounts directly from their corporate directory services.

Symphony has implemented a Directory bridge that provides a real-time interface between the corporate directory and your pod’s internal directory mechanism. We provide a summary of the installation and configuration steps below:

Create a Service Account for your Directory Bridge:

1. Log into the Admin Portal and create a user and select Service Account (see the section on managing Service Accounts)
2. Copy the system-generated security key (you will need this for configuring your Directory Bridge)

Download and install the Directory bridge:

1. Install a Linux RHEL server (virtual or physical)
2. Follow the installation instructions below
   i. Navigate to the Downloads page in the left nav of the Admin Portal and download the “Directory Bridge” file
   ii. Extract the distribution (tar.gz file)
   iii. Configure the directory bridge to connect to your LDAP server and add your Symphony Security Key so that the Directory Bridge can authenticate with your Symphony Pod

‘Drive’ Accounts from the Corporate Directory following these steps:

1. Determine which LDAP server attribute will be used to map to the “username” attribute in Symphony
2. Configure an LDAP group or filter to identify which users should be managed by Directory Bridge
3. Configure other LDAP groups to be mapped to certain Feature Entitlements, Roles, or other available mapping types
4. Synchronize your directories – LDAP server to the Symphony Pod – via the Directory Bridge
5. Check that your user additions and updates are being synchronized in Symphony using the Symphony Admin Portal

Before beginning your installation, you need to understand the Symphony LDAP sync architecture as well as Symphony Service Accounts which will be used for Authentication to Symphony. Please review the section on managing Symphony service accounts earlier in the Admin Guide before proceeding.

LDAP SYNC ARCHITECTURE

The Symphony Directory Bridge server is configured to interface between the corporate LDAP service and the Symphony Pod, and it will be helpful for you to familiarize yourself with the bundled components and concepts involved, using the diagram below.

(Diagram: LDAP sync architecture. The corporate directory is read by the Directory Bridge (LDAP Bot App), which performs a periodic login to the Symphony directory service account using the key, through a load balancer, into the Symphony private (dedicated) pod instances; new accounts, account updates, groups and entitlements flow to the pod, and the Admin portal displays the updated account information.)

Symphony Service User Account: This is the account used by the Directory Bridge for authenticating with the Symphony Pod. It will include an Account name as well as a security key. This security key will be configured on your Directory Bridge.

Admin Portal: used to configure the Service User Account on your Symphony Pod

Directory Bridge Configuration files:

• directorybridge.properties: used to configure user activation and high level properties
• groupMappings.json: used to configure Feature Entitlements, Information Barriers, Roles and Disclaimers
• userAttributeMappings.json: used to configure user properties like department

SUPPORTED DIRECTORY SYSTEMS

Symphony has initially validated Active Directory 2008 R2. Symphony will continue to test and validate corporate directory systems based on customer demand. This section provides a snapshot of some of the LDAP directories supported today:

• UnboundID Identity Data Store
• UnboundID Identity Proxy (3.x)
• Oracle Directory Server Enterprise Edition (DSEE 6.x, 7.x)
• Oracle Directory Server (5.2 patch 3 or higher)
• Microsoft Active Directory

Preparing to Install

88 Copyright © 2014–2018 Symphony. All Rights Reserved. Symphony and the Symphony logo are registered trademarks in the U.S. and other countries.

Before beginning your installation, you will need to obtain the Directory Bridge server image and install a server (or virtual server) to run the Directory Bridge.

Directory Bridge Server Attributes

• RAM: 4 GB
• Hard drive: logs will require 250 MB.
• Processors: 4
• Operating System: Linux RHEL Fedora 2015.03 (this AWS-supported OS has been validated by Symphony)
• JVM: Java 8 Standard Edition, Enterprise Edition; a Java development kit (JDK) is recommended. See the additional instructions for upgrading to TLS 1.2 below.
• JVM 64-bit is recommended
• Virtual Servers: both on-premises and cloud-hosted are supported

Installing the Java Cryptography Extension (JCE)

The Java Cryptography Extension (JCE) is required if you would like to encrypt any properties within directorybridge.properties.

Download the JCE software from the following:

• Java 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Unzip the JCE software binaries. Example:

# unzip UnlimitedJCEPolicyJDK8.zip

Copy local_policy.jar and US_export_policy.jar to the Java JDK security folder. Example:

# cp -p US_export_policy.jar local_policy.jar /usr/java/jdk1.8.0_102/jre/lib/security/

* Note: ensure the file permissions match.

Information to gather

Before beginning the installation process, gather the following information:

1. LDAP source system info

a. The host and port of the LDAP system.
b. The DN and password of the LDAP user that LDAP Sync will use to connect to the LDAP source system.
c. The base DN for all user entries that LDAP Sync will need to access.
d. The LDAP attribute that will be used to associate LDAP user entries with Symphony usernames. In the vast majority of cases, this will be "sAMAccountName" (preferred for Active Directory) or "mail".
e. The LDAP attribute that indicates which groups a user is a member of. Most LDAP systems use "memberOf" as the attribute name, but this should be confirmed.
f. The LDAP attribute that indicates which users are members of a given group. Most LDAP systems use "member" as the attribute name, but this should be confirmed.

2. Symphony information

a. The username and key for the Symphony service user that will be used to access the Symphony APIs.


b. The base path to the Symphony APIs. This will be something like "https://mycompany.symphony.com".

3. Sync configuration info

a. The LDAP group or filter to use to control which users are synchronized by Directory Bridge. Symphony users will be created/activated/deactivated based on whether they are members of this group or match the filter. Throughout this guide, this LDAP group/filter will be referred to as the "Symphony Users Group/Filter".
b. See the User Attributes section below for the complete list of user attributes available for syncing. For each of the attributes that you want to sync, determine the corresponding attribute name used by your LDAP system and have this mapping available before beginning installation.

The Symphony Users Group

The “Symphony Users Group” is effectively the list of all active Symphony users that exist in the LDAP system under the configured user base DN. A user account will be Activated in Symphony when the account is added to this group and Deactivated if it is then removed. Adding the account name back into the group will Reactivate the account.

The “Symphony Users Filter” is an LDAP filter matching all users that exist in the LDAP system under the configured user base DN that should be synced to Symphony. A user account will be Activated in Symphony if the user LDAP entry matches the filter, and deactivated if the user no longer matches the LDAP filter.

Mapping the Symphony Users Group/Filter is accomplished by configuring the “symphony-users-ldap-group” or “symphony-users-ldap-filter” properties in the directorybridge.properties file.
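The activation rules above (create or activate a user who is in the Symphony Users Group, deactivate one who is removed, reactivate one who is added back, and never delete) are simple enough to check against sample data before pointing the bridge at a real directory. The following is an added example, not Symphony's own code; it models one sync iteration for the group-based configuration over a constructed in-memory directory, group and pod snapshot. The names plan_sync, usernames_in_group and SyncPlan, the sample DNs, and the suffix test used to decide whether a member lies under the user base DN are all assumptions of this example.

```python
"""Plan Symphony account changes from the Symphony Users Group.

Added example (not Symphony's own code): reproduces the activation rules for a
group-based configuration: activate/create when a user is in the group,
deactivate when removed, reactivate when added back, never delete. All data
below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

USER_BASE_DN = "CN=Users,DC=fakecorp,DC=local"   # ldap-user-search-basedn

# Constructed directory: DN -> attributes, as a search under the base DN would return.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,CN=Users,DC=fakecorp,DC=local": {"sAMAccountName": "alice"},
    "CN=bob,CN=Users,DC=fakecorp,DC=local": {"sAMAccountName": "bob"},
    "CN=carol,CN=Users,DC=fakecorp,DC=local": {"sAMAccountName": "carol"},
    "CN=dave,CN=Users,DC=fakecorp,DC=local": {"sAMAccountName": "dave"},
    # Lives outside the user base DN: ignored even though the group lists it.
    "CN=svc,CN=Service,DC=fakecorp,DC=local": {"sAMAccountName": "svc"},
}

# Constructed Symphony Users Group (symphony-users-ldap-group); "member" is the
# default ldap-group-member-attr. bob has been removed from the group.
SYMPHONY_USERS_GROUP: Dict[str, List[str]] = {
    "member": [
        "CN=alice,CN=Users,DC=fakecorp,DC=local",
        "CN=carol,CN=Users,DC=fakecorp,DC=local",
        "CN=dave,CN=Users,DC=fakecorp,DC=local",
        "CN=svc,CN=Service,DC=fakecorp,DC=local",
    ]
}

# Constructed snapshot of the pod: username -> currently active. carol was
# deactivated earlier; dave does not exist yet.
SYMPHONY_USERS: Dict[str, bool] = {"alice": True, "bob": True, "carol": False}


@dataclass
class SyncPlan:
    create: List[str] = field(default_factory=list)
    reactivate: List[str] = field(default_factory=list)
    deactivate: List[str] = field(default_factory=list)


def usernames_in_group(group: Dict[str, List[str]], directory: Dict[str, Dict[str, str]],
                       base_dn: str, username_attr: str = "sAMAccountName",
                       member_attr: str = "member") -> Set[str]:
    """Resolve member DNs to Symphony usernames via ldap-username-attr.

    Members outside the configured base DN are skipped (simplified suffix
    comparison; an assumption of this example).
    """
    names: Set[str] = set()
    for dn in group.get(member_attr, []):
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        entry = directory.get(dn)
        if entry and username_attr in entry:
            names.add(entry[username_attr])
    return names


def plan_sync(group_users: Set[str], symphony_users: Dict[str, bool],
              disable_activation: bool = False,
              disable_deactivation: bool = False) -> SyncPlan:
    """Compute what one sync iteration would change; nothing is ever deleted."""
    plan = SyncPlan()
    for name in sorted(group_users):
        if name not in symphony_users:
            if not disable_activation:
                plan.create.append(name)       # new LDAP user -> new Symphony account
        elif not symphony_users[name]:
            if not disable_activation:
                plan.reactivate.append(name)   # added back to the group
    for name, active in sorted(symphony_users.items()):
        if active and name not in group_users and not disable_deactivation:
            plan.deactivate.append(name)       # removed from the group: deactivated, not deleted
    return plan


if __name__ == "__main__":
    members = usernames_in_group(SYMPHONY_USERS_GROUP, DIRECTORY, USER_BASE_DN)
    print(plan_sync(members, SYMPHONY_USERS))
```

Running the block prints a plan that creates dave, reactivates carol and deactivates bob, while the service account outside the base DN is ignored; passing disable_deactivation=True mirrors the disable-user-deactivation property and leaves bob untouched.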

Creating the Service User Account

The Directory Bridge interacts with your private pod using a Symphony Service user account. Before proceeding, please make sure you're familiar with our instructions for creating and configuring service accounts using the Admin Portal. An earlier section describes this in more detail. Service accounts can be created using the CREATE AN ACCOUNT option in the left nav.



Once the account has been configured, a Security Key will be generated (see below):

You should copy this information immediately for inclusion in your Directory Bridge configuration. The Security Key will only be displayed for a brief 15-30 seconds. If you miss it, you can generate another Security Key.

Configuring the Directory Bridge

Once installed (see below), the Directory Bridge is configured by modifying three files:

• directorybridge.properties: used to configure user activation and high level properties
• groupMappings.json: used to configure feature entitlements, Information Barriers and Roles
• userAttributeMappings.json: used to configure user properties like department


Each time these files are modified, the Directory Bridge must be stopped and restarted using the commands below:

$> $syncroot/bin/stop-sync-server
$> $syncroot/bin/start-sync-server

If errors are encountered with your configuration files (typically when you try to restart your bridge) then the Directory Bridge will fail to start and you should consult the error log file:

$syncroot/logs/errors

Limits and Issues with the current Implementation

When a group is mapped to two roles in the same category (ADMINISTRATOR/SUPER_ADMINISTRATOR; L1_SUPPORT/L2_SUPPORT; or COMPLIANCE_OFFICER/SUPER_COMPLIANCE_OFFICER), the user will retain whichever of the conflicting roles happens to be assigned first, and an error will be returned by Symphony (and shown in the errors log) when Directory Bridge attempts to assign the second role.

In order to avoid unintended consequences, Admins should manage accounts either via LDAP Synchronization as explained in this section, or via the Admin Portal. Managing the same user attributes using both the Admin Portal and Directory Bridge will result in the changes eventually being overwritten by Directory Bridge.

Downloading the Directory Bridge

The Directory Bridge server image can be obtained using the Downloads option in the left nav of the Admin Portal. You should then select the DirectoryBridge--.RPM file.

INSTALLATION INSTRUCTIONS

Installation

Create a new directory called DirectoryBridgeII in the current working directory, then extract the downloaded tar.gz file into that directory as follows:

mkdir DirectoryBridgeII
tar -xvf -C DirectoryBridgeII

This will extract 3 directories into the new DirectoryBridgeII directory:

• config
• bin
• lib

Configuration

Create the directorybridge.properties, userAttributeMappings.json, and groupMappings.json files in the config directory by copying the "-example" files:

cp directorybridge-example.properties directorybridge.properties
cp userAttributeMappings-example.json userAttributeMappings.json


cp groupMappings-example.json groupMappings.json

directorybridge.properties

Each property is listed in directorybridge-example.properties, with comments describing how each property is used. Use that as a template and guide for configuring the correct values for your installation. Information about each property is also available in the section called "Directory Bridge Configuration Reference" below.

userAttributeMappings.json

Entries in userAttributeMappings.json are used to associate LDAP user attributes with Symphony user attributes. For each Symphony attribute that should be synced by DirectoryBridge, make sure there is an entry for that attribute in userAttributeMappings.json, and that it is associated with the correct LDAP attribute name. Remove any attributes from userAttributeMappings.json that should not be synced. See the Appendix for the list of available Symphony attributes.

groupMappings.json

Group mappings are used to associate membership of certain LDAP groups to certain assignments in Symphony (such as assignment of roles or entitlements). See the Appendix for more information.

Config Validation

After configuring DirectoryBridge 1.49, run the validate-config script from the command line to verify the configuration:

bin/validate-config

The output for a successful validation would look like this:

#########################################################
Running Validations...
2017-11-09 17:24:40,990 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Validating configuration...
2017-11-09 17:24:41,419 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Checking connection to Symphony...
2017-11-09 17:24:42,228 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Checking connection to LDAP...
2017-11-09 17:24:42,369 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Checking existence of configured LDAP groups...
2017-11-09 17:24:42,422 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Checking number of user entries matching the Symphony Users group/filter...
2017-11-09 17:24:42,516 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Found 9 user entries in the configured Symphony Users LDAP group 'cn=AlysAllGroup,cn=Users,dc=fakecorp,dc=local'
2017-11-09 17:24:42,532 -08:00 INFO com.symphony.adsync.SymphonySyncServiceValidationRunner - Validation completed successfully. No errors found.


DIRECTORY BRIDGE USAGE

Start Periodic Sync

To start the periodic sync process for all users and configured groups:

/bin/start-periodic-sync

Stop Sync

To stop the sync process:

/bin/stop-sync

View Logs

The following log files are written to the /logs directory:

• sync.log: Info-level and error logs
• errors.log: Only errors
• debug.log: Debug-level logging, for investigative purposes

Run a One-Time Sync

There may be situations where it is necessary to run a one-time sync of all users and configured groups. To run a one-time sync:

/bin/sync all

Account Deactivation using LDAP Sync

Symphony's LDAP Sync implementation has been designed to be "forward looking." It cannot, for example, be used to delete accounts that have already been created. Such accounts should be deactivated rather than deleted, and we provide an example below on how to configure ldap-user-deactivation.

A lot of flexibility is provided by the Directory Bridge and its supporting utilities. However, care has been taken to ensure that the configuration settings described in this chapter prevent the bulk loading of your entire LDAP directory. If this did occur then, as stated in the previous paragraph, none of those accounts (even dormant ones) could be deleted from Symphony. If this is unclear, please review the installation instructions above (particularly step 10).

Assigning the value used for deactivating or reactivating an account

In order to map account deactivation between your corporate directory and Symphony, you need to configure 2 specific values in directorybridge.properties. The deactivation value we are using in our example corresponds to the value used by Active Directory: (bitmask) 0x2. Please refer to your LDAP server documentation for the appropriate value used when deactivating accounts in your system.

ldap-user-deactivation-attr=userAccountControl
ldap-user-deactivation-value=bitmask:0x2



Note that you can control whether you want LDAP Sync to perform account deactivation at all using the disable-user-deactivation configuration property (see below for more info).

The table below provides a detailed map of what LDAP Sync does based on the configuration values assigned to:

- ldap-user-deactivation-attr
- ldap-user-deactivation-value
- disable-user-activation
- disable-user-deactivation

ldap-user-deactivation-attr: LDAP attribute that contains the deactivation value. In Active Directory, the "userAccountControl" attribute is usually used to configure user account properties, with the hexadecimal property flag 0x2 used to mark a user as disabled.

ldap-user-deactivation-value: If set, a match of the user attribute "isDisabled" will cause the corresponding user account to be deactivated in Symphony. This field supports a special prefix, "bitmask:", to allow matching against bit masks. For example, a value of "bitmask:0x2" can be used to configure user deactivation in Microsoft Active Directory for LDAP Sync. If this prefix is not used, then a Java regular expression match will be performed.

disable-user-activation: If this property is set to "true", LDAP Sync will not create or activate users in Symphony. This is useful if you want to use LDAP Sync only for syncing attributes of existing Symphony users. Default value is "false".

disable-user-deactivation: If this argument is set to "true", LDAP Sync will not deactivate users in Symphony. This is useful if you want to use LDAP Sync only for syncing attributes of existing Symphony users. Default value is "false".

LDAP Sync behaves in the following ways depending on the configuration values assigned:

• When disable-user-activation and disable-user-deactivation are set to FALSE
• When ldap-user-deactivation-attr is configured as { "symphony": "isDisabled", "ldap": "userAccountControl" }

ldap-user-deactivation-value    user attribute value (value of userAccountControl)    result (isActive)
!*                              null                                                  FALSE
!*                              any value                                             TRUE
*                               any value                                             FALSE
*                               null                                                  TRUE
null                            null                                                  null
null                            any value                                             null
bitmask:0x2                     "0x0202" ("514" in decimal; either one works)         FALSE
bitmask:0x2                     "0x0200" ("512" in decimal)                           TRUE
bitmask:0x2                     null                                                  TRUE
matchme                         matchme                                               FALSE
matchme                         doesntmatch                                           TRUE
matchme                         null                                                  TRUE

A deactivation value set to !* means that any non-null value of the user deactivation attribute will indicate that the user is ACTIVE. If the attribute is missing or null, then the user should be INACTIVE. (User deactivation value of !* means that the user should be deactivated if the mapped isDisabled attribute is missing or null.)

A deactivation value set to * means that any non-null value of the user deactivation attribute will indicate that the user is INACTIVE. If the attribute is missing or null, then the user should be ACTIVE. (User deactivation value of * means that the user should be deactivated if the mapped isDisabled attribute is present on the user and is non-null.)

No configured deactivation value means that the active attribute will not be set.

A deactivation value beginning with bitmask means that the user should be deactivated if the mapped isDisabled attribute is present on the user and matches the bitmask.

A deactivation value that is any other string means that the user should be deactivated if the mapped isDisabled attribute is present on the user and matches the string.

If the deactivation value is set, but deactivation attribute does not exist on the user, then the user will be ACTIVE.
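The five cases above ("!*", "*", no configured value, a "bitmask:" prefix, and any other string treated as a Java regular expression) decide whether a synced user ends up active, so it pays to be able to evaluate them against a directory entry before the bridge does. The following is an added example, not Symphony's own code; it implements those cases as a single function and applies it to constructed Active Directory entries through ldap-user-deactivation-attr. The function names are this example's own, and "match" for the regular-expression case is taken to mean a whole-string match, as Java's String.matches() performs; a value that cannot be parsed as a number in the bitmask case raises an error rather than silently choosing a result.

```python
"""Evaluate ldap-user-deactivation-value against a user attribute.

Added example (not Symphony's own code) implementing the decision table for
"!*", "*", no value, "bitmask:<n>" and regular-expression values. Sample
entries below are constructed.
"""
import re
from typing import Optional


def _to_int(text: str) -> int:
    """Parse a value as Active Directory returns it: decimal ("514") or hex ("0x0202")."""
    t = text.strip().lower()
    return int(t, 16) if t.startswith("0x") else int(t, 10)


def is_active(deactivation_value: Optional[str], attr_value: Optional[str]) -> Optional[bool]:
    """Return the resulting isActive value, or None when isActive must not be set."""
    if deactivation_value is None:
        return None                        # no configured value: attribute is not set
    if deactivation_value == "!*":
        return attr_value is not None      # any non-null value means ACTIVE
    if deactivation_value == "*":
        return attr_value is None          # any non-null value means INACTIVE
    if attr_value is None:
        return True                        # value configured but attribute missing: ACTIVE
    if deactivation_value.startswith("bitmask:"):
        mask = _to_int(deactivation_value[len("bitmask:"):])
        return (_to_int(attr_value) & mask) == 0   # deactivated when the masked bits are set
    # Any other string: whole-string regular-expression match (assumed, as Java matches()).
    return re.fullmatch(deactivation_value, attr_value) is None


def evaluate_entry(entry: dict, deactivation_attr: str,
                   deactivation_value: Optional[str]) -> Optional[bool]:
    """Apply the rule to one LDAP entry using the ldap-user-deactivation-attr name."""
    return is_active(deactivation_value, entry.get(deactivation_attr))


# Constructed AD entries: userAccountControl 514 = disabled account, 512 = normal account.
SAMPLE_ENTRIES = {
    "disabled_user": {"sAMAccountName": "dana", "userAccountControl": "514"},
    "normal_user": {"sAMAccountName": "erin", "userAccountControl": "512"},
    "no_uac_attribute": {"sAMAccountName": "finn"},
}

if __name__ == "__main__":
    for label, entry in SAMPLE_ENTRIES.items():
        print(label, evaluate_entry(entry, "userAccountControl", "bitmask:0x2"))
```

With the page's example configuration (userAccountControl and bitmask:0x2) the disabled account evaluates to False, the normal account to True, and an entry with no userAccountControl attribute to True, matching the last line of the explanation above.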

Assigning Feature Entitlements, Roles, Info Barrier Groups, and Disclaimers


When User Accounts are created using LDAP sync, they receive default Pod-wide entitlements set by the Symphony Admin using the Admin Portal (see the Feature Entitlement section in this guide). In this section we show how these default values can be overridden for specific groups of users, as well as how roles, info barrier groups, and disclaimers can be assigned to specific groups of users. These examples can be used as references for common LDAP Sync tasks. Please note that corresponding configuration is required on the LDAP Server.

Mapping a group to receive entitlement, role, info barrier group, or disclaimer assignments

During the initial configuration steps described above, we explained that entitlements are configured by updating the file groupMappings.json. These group mappings are used to configure:

• Roles: SUPER_ADMINISTRATOR, ADMINISTRATOR, SUPER_COMPLIANCE_OFFICER, COMPLIANCE_OFFICER, L1_SUPPORT, L2_SUPPORT. These are the Symphony Roles available for mapping to LDAP groups (please refer to the Roles section of the Admin Guide for details of what each role can do).
• Optional entitlements for Super Compliance Officers and Compliance Officers:
  a. MONITOR_WALL_POSTS
  b. MONITOR_ROOMS
  c. BAN_AND_UNBAN_ROOM_MEMBER
  d. LOCK_AND_UNLOCK_ROOM
• Feature Entitlements: sendFilesEnabled, delegatesEnabled, isExternalIMEnabled, isExternalRoomEnabled, canShareFilesExternally, canUpdateAvatar, canCreatePublicRoom, isScreenSharingEnabled, canCreatePushedSignals
• Info Barrier group membership: Information Barrier ID number as listed in the Admin Portal.
• Disclaimers: The disclaimer should be created in the Admin Portal. LDAP sync then uses the disclaimer name to assign the appropriate disclaimers to the end users.

Note: The Screen Sharing feature is currently in customer beta trials. Note that we were previously referring to “External Communications” using an internal code name: “Cross Pod”. We have changed the entitlement name as shown in the list above but will continue to support the previous entitlement name:

New entitlement names: isExternalIMEnabled, isExternalRoomEnabled. Replaces: isCrossPodEnabled.

We advise customers to move to the new entitlement name in order to avoid unwanted issues if support for the old entitlement name is dropped in the future.

At least one of these two new entitlements must be set for a user to appear in the global directory and be able to communicate externally.

In the example below we are still using the company "Fakecorp", which should be changed to your own company domain name used by your LDAP system. We show how to assign two roles (ADMINISTRATOR and COMPLIANCE_OFFICER), how to grant the right to send files, how to configure information barrier group membership and finally how to assign disclaimers.

[
  {
    "dn": "CN=ComplianceOfficers,CN=Users,DC=fakecorp,DC=local",
    "roles": ["COMPLIANCE_OFFICER"]
  },
  {
    "dn": "CN=Entitlements,CN=Users,DC=fakecorp,DC=local",
    "entitlements": ["sendFilesEnabled"]
  },
  {
    "dn": "CN=Admins,CN=Users,DC=fakecorp,DC=local",
    "roles": ["ADMINISTRATOR"]
  },
  {
    "dn": "CN=IBGroupA,CN=Users,DC=fakecorp,DC=local",
    "infoBarrierGroups": ["56e700f6e4b088a70f00a1e5"]
  },
  {
    "dn": "CN=IBGroupB,CN=Users,DC=fakecorp,DC=local",
    "infoBarrierGroups": ["56e700ffe4b0665dac11e117"]
  },
  {
    "dn": "CN=Disclaimer,CN=Users,DC=fakecorp,DC=local",
    "disclaimerName": "Name of the disclaimer"
  }
]

UPGRADE INSTRUCTIONS

The following instructions are for upgrading an existing Directory Bridge installation with version 1.49 or later. If the existing installation has an earlier version than 1.49, then the latest version of Directory Bridge must be installed from scratch.

Upgrading Directory Bridge is as simple as downloading the latest distribution from the Admin Console (the same tar.gz file used for installation), and then running the following command from the existing Directory Bridge installation directory:

/bin/upgrade

DIRECTORY BRIDGE CONFIGURATION REFERENCE

End user management of avatars

In order to allow end users to manage their avatars in Symphony, the "photo" and "photoURL" attributes must be absent from userAttributeMappings.json.

If the "photo" or "photoURL" attribute is present in userAttributeMappings.json, then DirectoryBridge will eventually overwrite or delete any avatar that an end user sets via Symphony.

Main Configuration File (directorybridge.properties)


Each entry below gives the property name, whether it is required, and its description.

source-server-host (required: yes)
    The host for the source LDAP system.

source-server-port (required: yes)
    The port for the source LDAP system.

source-server-bind-dn (required: yes)
    The DN of the LDAP user that LDAP Sync uses to connect to the LDAP source system.

source-server-password (required: yes)
    The password associated with the bind DN.
    NOTE: You may encrypt this or any other property value using the encrypt-property script in the /bin directory. Run './encrypt-property --help' for usage information.

ldap-user-search-basedn (required: yes)
    LDAP base DN used for searching for users by username (related to ldap-username-attr).

symphony-url (required: yes)
    The base Symphony URL (example format: https://.symphony.com).

symphony-user (required: yes)
    Symphony service account username used to issue REST API calls. This account must have the User Provisioning role.

symphony-auth (required: yes)
    Symphony security key for authentication of the specified Symphony service account.

proxy-host (required: no)
    The host of the proxy used when connecting to Symphony.

proxy-port (required: no)
    The port of the proxy used when connecting to Symphony.

ldap-username-attr (required: yes)
    LDAP attribute that contains a value that corresponds to the Symphony username. This is used to find Symphony usernames for LDAP DNs, and vice versa.

ldap-group-member-attr (required: yes)
    LDAP attribute containing a set of DNs that specify group membership. Default value is "member".

ldap-memberof-attr (required: yes)
    LDAP attribute containing a set of DNs corresponding to the groups that the user specified by the entry belongs to. Default value is "memberOf".

ldap-user-deactivation-value (required: no)
    If set, a match of the user attribute "isDisabled" causes the corresponding user account to be deactivated in Symphony. This field supports a special prefix, "bitmask:", to allow matching against bit masks. E.g., a value of "bitmask:0x2" can be used to configure user deactivation in Microsoft Active Directory for LDAP Sync. If this prefix is not used, then a Java regular expression match is performed.

disable-user-activation (required: no)
    If this property is set to "true", LDAP Sync will not create or activate users in Symphony. This is useful if you want to use LDAP Sync only for syncing attributes of existing Symphony users. Default value is "false".

disable-user-deactivation (required: no)
    If this argument is set to "true", LDAP Sync will not deactivate users in Symphony. This is useful if you want to use LDAP Sync only for syncing attributes of existing Symphony users. Default value is "false".

symphony-users-ldap-group (required: no)
    LDAP DN of a group that is used to control synchronization. If defined, users will be created/activated/deactivated based on membership of the group.
    NOTE: Either symphony-users-ldap-group OR symphony-users-ldap-filter must be defined.

symphony-users-ldap-filter (required: no)
    LDAP filter used to control synchronization. If defined, users will be created/activated/deactivated based on whether they match the filter.
    NOTE: Either symphony-users-ldap-group OR symphony-users-ldap-filter must be defined.

sync-rate-seconds (required: no)
    How long the periodic sync service waits after each sync iteration finishes before starting the next sync iteration. If not defined, the default is 60 seconds.

User Attribute Mappings (userAttributeMappings.json)

Mandatory fields in the user attributes mappings file

The userAttributeMappings.json file is used to specify which user attributes are synced between a company's LDAP system and Symphony. If the userAttributeMappings.json file does not contain an entry for an attribute, then that attribute will not be set by Directory Bridge on the Symphony user, regardless of whether the attribute exists on the LDAP entries.

Certain Symphony attributes are required to be present in userAttributeMappings.json, which are indicated in the table below. Failure to include the required attributes will result in no new users being created.

Example userAttributeMappings.json

[
  { "symphony": "mail", "ldap": "mail" },
  { "symphony": "givenName", "ldap": "givenName" },
  { "symphony": "mobileNumber", "ldap": "mobileNumber" },
  { "symphony": "sn", "ldap": "sn" },
  { "symphony": "displayName", "ldap": "displayName" },
  { "symphony": "deptName", "ldap": "department" },
  { "symphony": "divName", "ldap": "division" },
  { "symphony": "location", "ldap": "l" },
  { "symphony": "title", "ldap": "title" },
  { "symphony": "jobFunction", "ldap": "jobFunction" },
  { "symphony": "industry", "ldap": "industry" },
  { "symphony": "assetClass", "ldap": "assetClass" },
  { "symphony": "photo", "ldap": "photo" }
]

Available Symphony User Attributes

The full list of "to-attribute" values that are accepted for Symphony users is as follows:

attribute name   required   description
mail             YES        email address
givenName        YES        first name
sn               YES        last name
assetClass       no         name of the asset class to which the user's work is related
deptName         no         name of the department to which the user belongs
displayName      no
divName          no         name of the division to which the user belongs
industry         no         industries of interest for the user
jobFunction      no
location         no         primary location of the user's workplace
title            no         professional title
mobileNumber     no         mobile phone number
workPhone        no         work phone number
companyName      no         company name. Note: This is only allowed to be set to a predefined set of values, and Symphony will return an error if Directory Bridge attempts to set a value different from these.
isDisabled       no         powers activation/deactivation of Symphony accounts; see ldap-user-deactivation-value (deprecated since 1.52)
photo            no         binary data for avatar photo (either photo or photoUrl can be mapped, but not both)
photoUrl         no         URL from which the binary data for the photo may be retrieved (either photo or photoUrl can be mapped, not both)
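The rules in this subsection are mechanical (only the documented attribute names are accepted, mail, givenName and sn must be mapped or no new users are created, photo and photoUrl cannot both be mapped, isDisabled is deprecated, and any LDAP attribute without a mapping entry is never set on the Symphony user), so a pre-flight check on userAttributeMappings.json is straightforward. The following is an added example and not Symphony's own code or validator; validate_user_attribute_mappings reports those problems for a mappings file and project_user shows which values from an LDAP entry would reach the Symphony user. The sample JSON documents, the sample entry and the function names are constructed for this example.

```python
"""Check userAttributeMappings.json and apply it to an LDAP entry.

Added example (not Symphony's own code). The allowed attribute names are the
ones in the table above; sample data is constructed.
"""
import json
from typing import Dict, List

REQUIRED = {"mail", "givenName", "sn"}
ALLOWED = REQUIRED | {
    "assetClass", "deptName", "displayName", "divName", "industry", "jobFunction",
    "location", "title", "mobileNumber", "workPhone", "companyName", "isDisabled",
    "photo", "photoUrl",
}


def validate_user_attribute_mappings(text: str) -> List[str]:
    """Return a list of problems and warnings; empty when the file is acceptable."""
    problems: List[str] = []
    data = json.loads(text)
    if not isinstance(data, list):
        return ["top-level value must be a JSON list of mappings"]
    seen = set()
    for i, m in enumerate(data):
        if not isinstance(m, dict) or "symphony" not in m or "ldap" not in m:
            problems.append(f"entry {i}: each mapping needs 'symphony' and 'ldap' fields")
            continue
        name = m["symphony"]
        if name not in ALLOWED:
            problems.append(f"entry {i}: unknown Symphony attribute '{name}'")
        if name in seen:
            problems.append(f"entry {i}: '{name}' is mapped more than once")
        seen.add(name)
    for r in sorted(REQUIRED - seen):
        problems.append(f"required attribute '{r}' is not mapped; no new users will be created")
    if {"photo", "photoUrl"} <= seen:
        problems.append("'photo' and 'photoUrl' cannot both be mapped")
    if seen & {"photo", "photoUrl"}:
        problems.append("warning: an avatar attribute is mapped, so Directory Bridge will "
                        "overwrite avatars that end users set themselves")
    if "isDisabled" in seen:
        problems.append("warning: 'isDisabled' is deprecated since 1.52; "
                        "use ldap-user-deactivation-value instead")
    return problems


def project_user(ldap_entry: Dict[str, str], text: str) -> Dict[str, str]:
    """Build the Symphony attribute set for one LDAP entry; unmapped values are dropped."""
    out: Dict[str, str] = {}
    for m in json.loads(text):
        if m["ldap"] in ldap_entry:
            out[m["symphony"]] = ldap_entry[m["ldap"]]
    return out


# Constructed sample mappings files.
SAMPLE_GOOD = """[
  {"symphony": "mail", "ldap": "mail"},
  {"symphony": "givenName", "ldap": "givenName"},
  {"symphony": "sn", "ldap": "sn"},
  {"symphony": "deptName", "ldap": "department"},
  {"symphony": "location", "ldap": "l"}
]"""

SAMPLE_BAD = """[
  {"symphony": "mail", "ldap": "mail"},
  {"symphony": "givenName", "ldap": "givenName"},
  {"symphony": "nickname", "ldap": "displayName"},
  {"symphony": "photo", "ldap": "thumbnailPhoto"},
  {"symphony": "photoUrl", "ldap": "wWWHomePage"}
]"""

# Constructed LDAP entry; telephoneNumber has no mapping and is dropped.
SAMPLE_ENTRY = {"mail": "ann@fakecorp.local", "givenName": "Ann", "sn": "Lee",
                "department": "Operations", "l": "London",
                "telephoneNumber": "+44 20 0000 0000"}

if __name__ == "__main__":
    print(validate_user_attribute_mappings(SAMPLE_BAD))
    print(project_user(SAMPLE_ENTRY, SAMPLE_GOOD))
```

For SAMPLE_BAD the checker reports the unknown attribute, the missing sn mapping, the photo/photoUrl conflict and the avatar warning; for SAMPLE_GOOD it reports nothing, and project_user yields only the five mapped attributes.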

Group Mappings (groupMappings.json)

Group mappings are used to associate membership of certain groups to specific attributes or assignments in Symphony. Group mappings are configured in groupMappings.json. Below is a valid groupMappings.json example. Note: each element in the JSON list must have a "dn" field and at least one of the "roles", "entitlements", "infoBarrierGroups", or "disclaimerName" fields.

Example groupMappings.json

[
  {
    "dn": "CN=Symphony Compliance Officers,CN=Users,DC=fakecorp,DC=local",
    "roles": ["COMPLIANCE_OFFICER"]
  },
  {
    "dn": "CN=Symphony External Communication,CN=Users,DC=fakecorp,DC=local",
    "entitlements": ["isExternalRoomEnabled", "isExternalIMEnabled"]
  },
  {
    "dn": "CN=Symphony Super Users,CN=Users,DC=fakecorp,DC=local",
    "roles": ["SUPER_ADMINISTRATOR", "SUPER_COMPLIANCE_OFFICER"],
    "entitlements": ["delegatesEnabled"]
  },
  {
    "dn": "CN=IBGroupA,CN=Users,DC=fakecorp,DC=local",
    "infoBarrierGroups": ["56e700f6e4b088a70f00a1e5"]
  },
  {
    "dn": "CN=IBGroupB,CN=Users,DC=fakecorp,DC=local",
    "infoBarrierGroups": ["not "]
  },
  {
    "dn": "CN=Disclaimer A,CN=Users,DC=fakecorp,DC=local",
    "disclaimerName": "Disclaimer A"
  }
]

Available Group Mapping Types

Each entry below gives the use case, its description, and how it is configured.

Roles: Map an LDAP Group to a Role in Symphony
    Description: Configure LDAP Sync to ensure that a certain role in Symphony is assigned to all members of a specified LDAP group. Once configured, adding a user to this group assigns the role to that user in Symphony. Removing the user from the group will remove the role from the user in Symphony. See Role Management for a detailed description of individual roles. Roles available for mapping: ADMINISTRATOR, SUPER_ADMINISTRATOR, COMPLIANCE_OFFICER, SUPER_COMPLIANCE_OFFICER, L1_SUPPORT, L2_SUPPORT, EF_POLICY_MANAGEMENT.
    Configuration: Configure with the "roles" field on elements in groupMappings.json.

Entitlements: Map an LDAP Group to an Entitlement in Symphony
    Description: Configure LDAP Sync to ensure that a certain entitlement in Symphony is assigned to all members of a specified LDAP group. Once configured, adding a user to this group assigns the entitlement to that user in Symphony. Removing the user from the group will remove the entitlement from the user in Symphony. Entitlements available for mapping: delegatesEnabled, sendFilesEnabled, isCrossPodEnabled, canShareFilesExternally, canUpdateAvatar, canCreatePublicRoom.
    Configuration: Configure with the "entitlements" field on elements in groupMappings.json.

Disclaimers: Map an LDAP Group to a Disclaimer in Symphony
    Description: Configure LDAP Sync to ensure that a certain disclaimer in Symphony is assigned to all members of a specified LDAP group. A user should belong to at most one disclaimer-mapped LDAP group, since a user can only be assigned one disclaimer in Symphony at a time.
    Configuration: Configure with the "disclaimerName" field on elements in groupMappings.json. The configured disclaimer name should match the unique name given to the disclaimer in Symphony.

Information Barriers: Map an LDAP Group to an Information Barrier Group in Symphony
    Description: Configure LDAP Sync to ensure that all members of a specified LDAP group belong to a specified Information Barrier Group in Symphony.
    Configuration: Configure with the "infoBarrierGroups" field on elements in groupMappings.json. The configured info barrier group should match the unique ID assigned to that group in Symphony. Note that the Info Barrier Group ID is NOT the same as the Info Barrier Group Name.
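Two constraints on groupMappings.json are stated on this page but only surface at runtime: every element needs a "dn" and at least one mapping field, and a group mapped to two roles in the same category (ADMINISTRATOR/SUPER_ADMINISTRATOR, L1_SUPPORT/L2_SUPPORT, COMPLIANCE_OFFICER/SUPER_COMPLIANCE_OFFICER) keeps only the first role and logs an error for the second, as described under "Limits and Issues with the current Implementation". The following added example, which is not Symphony's own code or validator, checks both before the bridge is restarted, together with the role and entitlement names listed in this section; it also flags the old isCrossPodEnabled name that the page advises migrating away from. The sample JSON documents and the function name are constructed for this example.

```python
"""Pre-flight checks for groupMappings.json.

Added example (not Symphony's own code). Role and entitlement names are the
ones documented in this section; sample JSON is constructed.
"""
import json
from typing import List, Tuple

ROLES = {"ADMINISTRATOR", "SUPER_ADMINISTRATOR", "COMPLIANCE_OFFICER",
         "SUPER_COMPLIANCE_OFFICER", "L1_SUPPORT", "L2_SUPPORT", "EF_POLICY_MANAGEMENT"}
# Pairs in the same category: mapping one group to both triggers the documented conflict.
CONFLICTING_ROLE_PAIRS: List[Tuple[str, str]] = [
    ("ADMINISTRATOR", "SUPER_ADMINISTRATOR"),
    ("L1_SUPPORT", "L2_SUPPORT"),
    ("COMPLIANCE_OFFICER", "SUPER_COMPLIANCE_OFFICER"),
]
ENTITLEMENTS = {"sendFilesEnabled", "delegatesEnabled", "isExternalIMEnabled",
                "isExternalRoomEnabled", "canShareFilesExternally", "canUpdateAvatar",
                "canCreatePublicRoom", "isScreenSharingEnabled", "canCreatePushedSignals",
                # optional entitlements for (Super) Compliance Officers
                "MONITOR_WALL_POSTS", "MONITOR_ROOMS", "BAN_AND_UNBAN_ROOM_MEMBER",
                "LOCK_AND_UNLOCK_ROOM"}
LEGACY_ENTITLEMENT = "isCrossPodEnabled"
MAPPING_FIELDS = ("roles", "entitlements", "infoBarrierGroups", "disclaimerName")


def validate_group_mappings(text: str) -> List[str]:
    """Return problems and warnings found in a groupMappings.json document."""
    problems: List[str] = []
    data = json.loads(text)
    if not isinstance(data, list):
        return ["top-level value must be a JSON list"]
    for i, elem in enumerate(data):
        where = f"element {i}"
        if not isinstance(elem, dict):
            problems.append(f"{where}: must be a JSON object")
            continue
        if not elem.get("dn"):
            problems.append(f"{where}: missing 'dn'")
        if not any(f in elem for f in MAPPING_FIELDS):
            problems.append(f"{where}: needs at least one of {', '.join(MAPPING_FIELDS)}")
        roles = elem.get("roles", [])
        for r in roles:
            if r not in ROLES:
                problems.append(f"{where}: unknown role '{r}'")
        for a, b in CONFLICTING_ROLE_PAIRS:
            if a in roles and b in roles:
                problems.append(f"{where}: '{a}' and '{b}' are in the same category; "
                                "only the first assigned role is kept and Symphony logs an error")
        for e in elem.get("entitlements", []):
            if e == LEGACY_ENTITLEMENT:
                problems.append(f"{where}: warning: '{e}' is the old name; "
                                "use isExternalIMEnabled/isExternalRoomEnabled")
            elif e not in ENTITLEMENTS:
                problems.append(f"{where}: unknown entitlement '{e}'")
    return problems


# Constructed sample files. SAMPLE_GOOD follows the page's own example.
SAMPLE_GOOD = """[
  {"dn": "CN=ComplianceOfficers,CN=Users,DC=fakecorp,DC=local", "roles": ["COMPLIANCE_OFFICER"]},
  {"dn": "CN=Entitlements,CN=Users,DC=fakecorp,DC=local", "entitlements": ["sendFilesEnabled"]},
  {"dn": "CN=Admins,CN=Users,DC=fakecorp,DC=local", "roles": ["ADMINISTRATOR"]},
  {"dn": "CN=IBGroupA,CN=Users,DC=fakecorp,DC=local", "infoBarrierGroups": ["56e700f6e4b088a70f00a1e5"]},
  {"dn": "CN=Disclaimer,CN=Users,DC=fakecorp,DC=local", "disclaimerName": "Name of the disclaimer"}
]"""

SAMPLE_BAD = """[
  {"dn": "CN=Ops,CN=Users,DC=fakecorp,DC=local", "roles": ["L1_SUPPORT", "L2_SUPPORT"]},
  {"dn": "CN=Legacy,CN=Users,DC=fakecorp,DC=local", "entitlements": ["isCrossPodEnabled", "bogusEntitlement"]},
  {"roles": ["ADMINISTRATOR"]},
  {"dn": "CN=Empty,CN=Users,DC=fakecorp,DC=local"}
]"""

if __name__ == "__main__":
    for line in validate_group_mappings(SAMPLE_BAD):
        print(line)
```

The checker is deliberately limited to what can be read from the file itself; a user who belongs to two different groups that map to conflicting roles, or to more than one disclaimer-mapped group, can only be detected with the LDAP membership data in hand.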

INSTALL GUIDE FOR DIRECTORY BRIDGE PRIOR TO VERSION 1.49 Please contact your Technical Account Manager or Solution Engineer if you need access to the installation and configuration instructions for the legacy Directory Bridge (i.e. any version prior to 1.49)

COMPLIANCE CONTENT EXPORT

Organizations with strict compliance and information retention policies will already have archiving infrastructure in place. Symphony can be configured to interoperate with these archiving platforms. All messaging, events, and chat room data from your private pod can be exported in an XML format based on the frequency you configure (the default value is 24 hours).

Two approaches to content export have been developed. Originally, customers used SFTP to retrieve stored exports from their private pods. While this approach met the short-term content export requirements of financial services customers, it was not aligned with Symphony's customer-controlled encryption key mechanism.

IP Address White-Listing: You must provide the IP address of the system(s) that download the content from the SFTP site (your own system for testing purposes, for example, and others as required). These IP addresses must be provided to Symphony Global Services so that they can be registered for access to the SFTP server. You should also configure your firewall to allow the computers used to access your pod's SFTP server on port 22 (SFTP).

More recently, Symphony has introduced a Content Export Bridge which works in conjunction with the on-premises Key Manager to decrypt exported content locally, so that decryption of the export happens on infrastructure the customer controls. This approach protects the privacy and confidentiality of customer data.

Formats: Three formats are supported, each with a specific advantage, so it is important to understand the differences before making your choice:

• Symphony format: This is the default for all pods and has the advantage of including "Read by" information, meaning it tracks who read each message post and when they read it. The Symphony file is compressed in zip format. Important: Use this format unless you intend to integrate with Actiance Vantage or other equipment/archiving services.
• Actiance format: Should only be used by customers using Actiance Vantage equipment. Two XML files are created, one for IM and chats and another for wall posts; both are provided in a single zip file. No "Read by" information is included.
• EML format: Widely used by various compliance and archiving solutions, and may help the organization avoid the need to develop a Symphony-specific parser. Content export generates a single zip file containing one EML file for each active conversation.

Note 1: While it is possible for customers to direct their .EML files directly into compatible archiving systems, it must be clear that Symphony is responsible for generating the .EML content export files, not for the ongoing processing of these files. Note 2: The maximum size for EML files is 100 MB. Conversations that would normally generate larger files when exported are delivered in multiple smaller files.

Frequent Export: You can configure your export to run at a regular frequency; the default value is 24 hours, starting at 23:59:59 UTC. When programming your download process, allow enough time (for example, 2 hours) for the export process to complete before your download script begins. Manual Exports: You can also generate a manual (ad hoc) export based on a date range. We cover this in more detail in a later section. The first task is to install a host server for the Content Export Bridge.

Notice of planned obsolescence of secondary information in Content Export files

In Q1 2019, Symphony will offer a new feature for customers to be able to retrieve receipt information for any message.

The Receipt Information feature will be available via the Admin and Compliance portal (ACP) and via public APIs.

Customers will be able to use the ACP or APIs to submit a message ID and get a list of all:

• Delivery receipts
• Read receipts
• Email notification receipts
• Download receipts for any attachments in the message

Once the Receipt Information feature is available, Symphony will simplify the content export files it generates as follows:

1. Symphony will remove messages marked as 'isArchived' from the Symphony XML format.
   o isArchived information for a message will instead be available via the Receipt Information feature by querying for the delivery receipts of that message.
2. Symphony will stop providing the downloadedBy information in the Symphony XML format.
   o downloadedBy information for an attachment in a message will instead be available via the Receipt Information feature by querying for the download receipts for any attachments in that message.
3. Symphony will remove events of type 'Email Notifications' from the Symphony XML format, the Actiance format, and the EML format.
   o Email Notification events for a message will instead be available via the Receipt Information feature by querying for the email notification receipts of that message.

EXPORTING CONTENT IN THE MESSAGEML FORMAT Starting with Release 1.50, Content Export has been extended to export content natively created in the MessageML format. As of this release, the agent creates messages using this new format; the desktop client will start creating messages in this format in an upcoming release. CE exports message content generated by these clients as native HTML content. This may impact post-processors that consume the Symphony XML output files: all such post-processors must be able to parse HTML content inside CDATA sections. That HTML originates from user messages, so a post-processor should treat it as untrusted input and must not render it in a context that executes scripts or fetches remote resources.

IDENTIFICATION OF MULTI-COMPANY ROOMS Starting with Release 1.50, Content Export has been extended to identify multi-company rooms in all 3 formats (Symphony XML, EML and Actiance). All external rooms are now classified as either bilateral or multi-company. Note that customers must upgrade to CEB 1.50 in order to get that information.

EVENTS GENERATED BY EMAIL INTEGRATION FEATURE Note that email integration is a future roadmap item. In anticipation of a future release, Content Export has been extended to include events generated by the email integration feature; two new events have been added. Note that customers must upgrade to CEB 1.50 in order to get that information.

FORWARDED MESSAGES Customers participating in the message forwarding beta are strongly advised to upgrade their CEB to version 1.50 before using this feature. Older CEBs do not extract the forwarded content cleanly: they correctly export the content of the forwarded message but incorrectly also include a metadata payload (CustomEntities). Upgrading to the v1.50 CEB eliminates this issue.

NEW CAPABILITIES IN VERSION 1.5.7 OF SYMPHONY XSD FILE The schema for the Symphony XML format has been upgraded to v1.5.7 and includes a new element: deletedByDelegate.

Installing the Content Export Bridge

Only one Content Export Bridge can be connected to your Pod. The Content Export Bridge host should have the following characteristics:

• 8 GB of memory (see note below)
• 4 CPU cores
• 250 GB disk
• Operating System: Linux RHEL Fedora 2015.03 (this AWS-supported OS has been validated by Symphony) or CentOS 7.1 (used in our example below)
• JVM: Java 8 Standard Edition, Enterprise Edition; a Java Development Kit (JDK) is recommended. See the additional instructions for upgrading to TLS 1.2 below.
• A 64-bit JVM is recommended
• CD drive
• Virtual servers: both on-premises and cloud-hosted are supported

Installing the Java Cryptography Extension (JCE)

The default Java 7 runtime negotiates TLS 1.0 as a client and ships with a jurisdiction policy that caps symmetric key sizes, so cipher suites with 256-bit keys are unavailable. Symphony requires TLS 1.2 together with the Unlimited Strength Jurisdiction Policy Files.

Download the package from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, accept the license agreement and download "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7" (UnlimitedJCEPolicyJDK7.zip).

Copy this package to the server where you will run the Content Export Bridge and unzip it. UnlimitedJCEPolicyJDK7.zip contains three files:

1. local_policy.jar
2. README.txt
3. US_export_policy.jar

Overwrite the files in your local Java installation: copy local_policy.jar and US_export_policy.jar to one of the following:

JDK installation: $JAVA_HOME/jre/lib/security
JRE installation: $JAVA_HOME/lib/security

Two checks before going further: the policy files must be the ones published for the Java major version in use (Oracle provides a separate download per version), and the Java installation you patch must be the one named by JAVA_HOME in the Tomcat environment.sh, which is not necessarily the one first on PATH.

CentOS Installation

The Community Enterprise Operating System (CentOS) is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. We will install the full ISO image of CentOS Linux v7.1. Note that the full ISO image comes equipped with Java SDK version 1.7 and GNOME. To check the version of Java installed, use the following command:

$:> java -version

Name the Server and Attach it to your Network

The server now needs to be connected to your corporate network. Please refer to the instructions available with RedHat or CentOS. Ensure this machine has access to your Symphony Pod: https://YourSymphonyPod.com/ on port 443.

Install a web browser

To simplify the steps required to download and install your CE Bridge, you can optionally install a web browser. To install the latest version of Chrome, visit https://www.google.com/chrome/browser/ and choose the appropriate installation package: the 64-bit version for CentOS in our example. Type the install command in the terminal:

$:> sudo yum install packagename.rpm

Enter your password when prompted and you will see Chrome and its additional dependencies being installed. After the installation is complete, the list of installed dependencies is shown along with the success message. A browser is not required for the bridge to operate; if your server build standard does not permit one, download the packages on a workstation and copy them to the server instead.

Configure the Content Export Account and Download the Content Export Bridge and Tomcat

Log in to the Admin Portal and select Export Content, then select the EXPORT SERVICE ACCOUNT. Select Show Key and copy the resulting security key; it is configured on the Content Export Bridge later (as the sharedKey value in its configuration.properties). This key is the credential the bridge uses to authenticate to your pod: handle it as a secret, store it only in the bridge's configuration file with restrictive permissions, and do not paste it into tickets or commit it to source control.

Then click on the Export Clients tab and review (and store) the information shown in step 2.

Then select Download from the left nav and download the Content Export Bridge. This zip file contains the Content Export Bridge RPM (which includes Tomcat). Once you have unzipped this file you can follow the instructions below.

Option 1: CE Bridge standard installation

Installing Tomcat and establishing a trust relationship with Symphony

Some organizations may prefer to use an internally approved version of Tomcat. We provide instructions for installing the CE Bridge combined with your own version of Tomcat in the next section. Customers should contact Symphony Global Services to ensure that the internally approved version is compatible with the Content Export Bridge. Warning: it is not currently possible for the CE Bridge to use the same Tomcat library as the Key Manager (see the earlier section). Install Tomcat with the following command:

$> sudo rpm -ivh tomcat-8.0.24-18.x86_64.rpm

If you prefer to use a previously installed version of Tomcat, make the following changes:

catalina.home = /opt/tomcat
catalina_base = /data/tomcat

Configuring Tomcat

Edit the Tomcat environment.sh file and customize it for your specific installation. This file is identical to the environment.sh file used by the Key Manager, and certain lines (annotated below) must be deleted for the CE Bridge. Please carefully review the example file below.

$> vi /data/tomcat/conf/environment.sh

#!/usr/bin/env bash

DATA_BASE="/data/tomcat/"
CATALINA_BASE="/opt/tomcat/"
JAVA_HOME="/usr/java/jdk1.7.0_79"
CATALINA_OPTS="-server -Xms5048m -Xmx5048m -XX:MaxPermSize=256m \
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Dlog4j.configuration=file:$DATA_BASE/config/log4j.xml \
-Djava.endorsed.dirs=$CATALINA_BASE/endorsed \
-classpath $CATALINA_BASE/bin/bootstrap.jar:$CATALINA_BASE/bin/tomcat-juli.jar \
-Dcatalina.base=$CATALINA_BASE \
-Dcatalina.home=$CATALINA_BASE \
-Djava.io.tmpdir=$CATALINA_BASE/temp \
-Dsession.cookie.domain=.pubmy.mykeymanager.com \
-Daccess.control.allow.origin=podId.yourdomain.com,keymanager.yourdomain.com \
-Djava.library.path=$CATALINA_BASE/native/ \
-Djavax.net.ssl.keyStore=$DATA_BASE/certs/keystore \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=$DATA_BASE/certs/truststore \
-Djavax.net.ssl.trustStorePassword=changeit \
-Dcom.symphony.keymanager.sdk.maxtotalconnections=2000 \
-Dcom.symphony.keymanager.sdk.maxconnectionsperroute=1000 \
-Dserver.bot.port=8444 \
-Dserver.port=8443 \
-Dajp.port=8009 \
-Dserver.command.port=8005 \
-Dmax.threads=4000 \
-Dhost.name=change.it.to.full.server.host.name \
-Dceb.config.path=/opt/tomcat/symphony_cecs \
-Dproxy.uri=http://proxy.com:8080"
PATH=$JAVA_HOME/bin:$JAVA_HOME/bin/jre:$PATH

Annotations for the file above (these are notes, not file content: bash has no // comments, and any text placed inside the quoted CATALINA_OPTS string is passed to the JVM as an argument):

• JAVA_HOME: update with your Java path.
• -Daccess.control.allow.origin: change the first value to your pod domain URL and the second value to your on-premises Key Manager.
• -Djava.library.path: the crypto library compatible with your OS version.
• -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword: an empty keystore is created for you; replace it, and its password, when you deploy to production.
• Delete these lines for the CE Bridge: -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword, both -Dcom.symphony.keymanager.sdk.* lines, -Dserver.bot.port, -Dajp.port, -Dserver.command.port and -Dhost.name.
• -Dceb.config.path: optional; the folder containing configuration.properties and the key folder.
• -Dproxy.uri: the value shown is the default; add this line only if you use a proxy in your environment, and the proxy must support HTTPS requests.

Because environment.sh holds the keystore password in clear text, it must be owned by the account that runs Tomcat and must not be readable by other users (for example chmod 600).

Note: Symphony does not recommend that customers create and manage their own trust store; instead they should rely on the default JDK cacerts. If your policy requires you to use your own trust store, you must import the cacerts into the trust store for the Content Export Bridge to function properly.

Next, create a Tomcat keystore with the same name we assigned in the script above ("keystore"). Its location and password must match the -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword values in environment.sh:

$> keytool -keystore keystore -genkey -alias tomcat -keyalg RSA

When importing the Symphony certificate you will be prompted for its password; contact Symphony Global Services to obtain it. Now establish the trust relationship with Symphony by fetching the pod's certificate and importing it into the keystore (the openssl x509 step extracts only the PEM certificate from the handshake output):

$> sudo openssl s_client -connect podID.symphony.com:443 -servername podID.symphony.com </dev/null | openssl x509 -outform PEM > symphony.cert
$> sudo keytool -importcert -trustcacerts -keystore $CATALINA_BASE/certs/keystore -file symphony.cert -alias symphony

Before answering "yes" to the keytool prompt, compare the fingerprint it displays with the one Symphony Global Services gives you. Importing whatever certificate the network returned, without that comparison, would let an interposed host pose as your pod.

If you previously installed the Key Manager, also trust the certificate from your Key Manager:

$> sudo openssl s_client -connect podID-keymanager.symphony.com:443 -servername podID-keymanager.symphony.com </dev/null | openssl x509 -outform PEM > keymanager.cert
$> sudo keytool -importcert -trustcacerts -keystore $CATALINA_BASE/certs/keystore -file keymanager.cert -alias keymanager

Import the Symphony public key used to sign its packages:

$> sudo rpm --import https://resources.symphony.com/SYMPHONY-GPG-KEY.public

Install the Content Export Bridge

Locate the Content Export Bridge RPM file downloaded earlier, check its signature against the key just imported, and begin the installation:

$> rpm -K symphony-external-ceservice-centos70-0.14.0-45.x86_64.rpm
$> sudo rpm -ivh --prefix=/opt/tomcat --replacefiles symphony-external-ceservice-centos70-0.14.0-45.x86_64.rpm

Note: the file name in the previous commands must be that of the RPM file downloaded from the Symphony Admin Portal. Please use the latest version. rpm -K should report the signature as OK; do not install a package whose signature is missing or fails to verify.

Update the configuration.properties file located in $catalina.home/symphony_cecs (in our configuration, /opt/tomcat/symphony_cecs). The value for sharedKey is the security key generated in the previous step:

# Information for pod access
version=1.0.0
podURL=https://YourSymphonyPod.com
sharedKey=ThisIsYourSecurityKey
archiveDirectory=/data/retention_result

Because this file contains the shared key, restrict it to the Tomcat account (for example chown tomcat.tomcat and chmod 600).

Create the local directory to store exported content with ownership tomcat.tomcat using the following commands. The directory will hold decrypted compliance content, so do not leave it world-readable:

$> sudo mkdir /data/retention_result
$> sudo chown tomcat.tomcat /data/retention_result
$> sudo chmod 750 /data/retention_result

Option 2: CE Bridge Installation using a separate version of Tomcat

Using an existing Tomcat and establishing a trust relationship with Symphony

The first part of this section describes how to install a separate (approved) version of Tomcat. Customers who have already installed Tomcat can skip to step 7 below.

We assume that Java has already been set up (e.g. sudo yum install java).

1. Download sample Tomcat: http://mirror.cc.columbia.edu/pub/software/apache/tomcat/tomcat-7/v7.0.63/bin/apache-tomcat-7.0.63.zip

2. Unzip the package, assuming you have already set up unzip (otherwise: $> sudo yum install unzip):

$> sudo unzip apache-tomcat-7.0.63.zip -d [tomcat folder]

3. Add permissions:

$> cd [tomcat folder]/bin
$> sudo chmod 755 *.sh

4. Create setenv.sh under the bin folder containing the following information:

# correct it if needed: it should be the tomcat folder
CATALINA_BASE="/tmp/tomcat/"
# correct it if needed: it should be the jdk folder
JAVA_HOME="/usr/lib/jvm/jre/"
CATALINA_OPTS="-server -Xms1024m -Xmx2048m -XX:MaxPermSize=256m \
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.endorsed.dirs=$CATALINA_BASE/endorsed \
-classpath $CATALINA_BASE/bin/bootstrap.jar:$CATALINA_BASE/bin/tomcat-juli.jar \
-Dcatalina.base=$CATALINA_BASE \
-Dcatalina.home=$CATALINA_BASE \
-Djava.io.tmpdir=$CATALINA_BASE/temp \
-Djava.library.path=$CATALINA_BASE/native/ "
PATH=$JAVA_HOME/bin:$JAVA_HOME/bin/jre:$PATH

The /tmp path above is only a placeholder: a world-writable directory that is cleared on reboot is not a suitable home for a service that stores compliance data, so point CATALINA_BASE at a dedicated directory such as /opt/tomcat.

5. Create the tomcat user and tomcat group:

$> sudo useradd -U tomcat

6. Start Tomcat for your Content Export Bridge (CEB):

$> sudo ./startup.sh

Note that this command starts Tomcat as root. For production, chown the Tomcat folder to the tomcat user created in step 5 and start it with sudo -u tomcat ./startup.sh, so the service runs with the same unprivileged account that owns the export directory.

7. Install the Content Export Bridge RPM

If you already have a working Tomcat configuration, you can start here. First log in to the Symphony Admin Portal, select Download from the left nav, and then select the Content Export Bridge RPM file.

Unzip the file and install the RPM (the RPM file name may have a different version number than the one shown below, and --prefix refers to the Tomcat path):

$> sudo rpm -ivh --prefix=/opt/tomcat --replacefiles symphony-external-ceservice-centos70-0.14.0-45.x86_64.rpm

Configuration properties

# Information for pod access
version=1.0.0
podURL=https://.symphony.com
sharedKey=ThisIsYourSecurityKey
archiveDirectory=/data/retention_result

The security key used by the Content Export Bridge to authenticate with the Symphony service can be obtained from the Content Export option in the Admin Portal; we provide instructions on how to obtain this key in a previous section. archiveDirectory refers to the location where you will be storing your export files. Create that directory with ownership tomcat.tomcat using the commands below:

$> sudo mkdir /data/retention_result
$> sudo chown tomcat.tomcat /data/retention_result

Once installation is complete, you will see a new symphony_cecs folder under the Tomcat catalina.home.

Managing and Upgrading the Content Export Bridge

You can start the Content Export Bridge using the following command:

$> sudo service tomcat start

At this point the CE Bridge should be running; you can check whether this is the case by running:

$> sudo service tomcat status

You can stop Tomcat with the following command:

$> sudo service tomcat stop

To upgrade the Content Export Bridge: log in to the Admin Portal and download the latest CEB distribution using the DOWNLOADS option in the left nav. First stop the CEB:

$> sudo service tomcat stop

Then upgrade using the RPM file downloaded from the Admin Portal (substitute the file name you downloaded):

$> sudo rpm -Uvh --prefix=/opt/tomcat --replacefiles single-cecservice-0.0.1-0.x86_64.rpm

and then start the Content Export Bridge again:

$> sudo service tomcat start

To uninstall the Content Export Bridge:

$> sudo rpm -e cecservice

Significant Performance Enhancements to Content Export Bridge

With Release 1.47, Content Export job creation takes about half the time compared to previous versions.

The Content Export Bridge in Release 1.47 uses v1.5.2 of the Symphony xsd file. The changes from the previous version of the xsd file are as follows:

• Addition of two new events: ban and unban users
• Recording of the Content Export client version in the Platform field
  o For example, instead of , the record will now state .
  o If the version of the client is unknown, the value recorded will be "" (empty string)

Enabling Content Export

The export process is activated by selecting CONTENT EXPORT in the Admin Portal. You will be guided through the creation of a dedicated SFTP user account for accessing your SFTP server. To enable content export from the Admin Portal:

• In the left navigation panel, select CONTENT EXPORT. The Configure Content Export window appears.
• Click Enable Content Export.

Enabling SFTP Content Export

Legacy installations may still be using the SFTP export process. Select SFTP and the content export feature will be enabled and the preset password for the SFTP account will be displayed. Change this preset password before first use and store it with the same care as any other credential that grants access to compliance data:

• To change the password, in the Configure Content Export window, click Reset Password. The Reset your content export password popup appears.
• Enter the new password or click Generate.
• Remember to copy the generated password (press Ctrl+C).
• Click Submit to confirm the password change.

Recurring Export

You can program content export to run at a regular frequency. The default value is 24 hours starting at 23:59:59 UTC. You can also select which format you want to use: Symphony (which contains Read-by information), Actiance, or EML format (see the screenshot below).

You can change the export setting to run more frequently than every 24 hours using the drop-down box. It is important to understand that these settings are relative: you will get different results depending on when you change the frequency and when an export was last run. Here are some examples:

1. It is 03:00 hrs UTC and you change the export frequency from 24 hours to 2 hours. In this case a first export will immediately run and will contain 2 hours' worth of information (up to 02:00 hrs UTC). Your next file will be created at 04:00 hrs UTC.
2. It is 07:15 hrs UTC and you change the export frequency from 24 hours to 2 hours. In this case three exports will be triggered, one for each of:
   a. 02:00 hrs UTC
   b. 04:00 hrs UTC
   c. 06:00 hrs UTC
3. The next job to run would be at 08:00 hrs UTC.
4. Now let's make things a bit more complex. Imagine I work in New York and I actually want my exports to run with a frequency of 24 hours at midnight New York time, which corresponds to 05:00 hrs UTC. To accomplish this, I make two changes:
   a. At 23:05 hrs UTC (18:05 hrs ET) I set the frequency to 6 hours. This will cause an export to run at 05:00 hrs UTC (midnight in New York) and it will contain 6 hours of data.
   b. At 07:05 hrs UTC (02:05 hrs ET) I set the frequency to 24 hours. This second step will cause a 24-hour content export to run every night at midnight in New York. The previous 6-hour frequency is cancelled and replaced with this new schedule.
5. Important: In this third example, I waited the extra two hours in order to let the 6-hour job complete, because the Symphony scheduler requires the previous job to have successfully completed in order to book a new start time that uses the previous job's end time (in our case midnight in New York).
6. In this third example we have illustrated:
   a. How smaller frequencies can be used to move the start time to a later time
   b. How partial exports can be interrupted mid-way to reset the start time to the last completed export time
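The scheduler behaviour described in examples 1 to 3 above, as an added example in Python (not Symphony's scheduler code): given the end of the last completed export, the new frequency and the time at which the frequency is changed, it lists the catch-up windows that run immediately and the time of the next run. It assumes the 23:59:59 UTC boundary can be treated as the top of the hour, and it does not attempt to reproduce the New York midnight scenario in example 4, which depends on scheduler details the guide does not state.

```python
"""Model of the recurring-export scheduler behaviour in examples 1 to 3
above (added example; not Symphony's scheduler). Assumption: the 23:59:59
UTC boundary is treated as the top of the hour, so the nightly 24-hour job
is modelled as ending at 00:00 UTC."""
from datetime import datetime, timedelta, timezone


def t(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def due_windows(last_completed_end, frequency_hours, now):
    """Windows exported immediately when the frequency is changed at `now`.
    Each window starts where the previous completed job ended, and every
    window that has fully elapsed by `now` is run at once (catch-up)."""
    step = timedelta(hours=frequency_hours)
    windows, start = [], last_completed_end
    while start + step <= now:
        windows.append((start, start + step))
        start += step
    return windows


def change_frequency(last_completed_end, frequency_hours, now):
    """Apply a frequency change: returns (catch-up windows, end time of the
    last completed job, time of the next scheduled run). The next run is
    booked from the previous job's end, which is why the guide says to let
    the in-flight job finish before changing the frequency again."""
    due = due_windows(last_completed_end, frequency_hours, now)
    last_end = due[-1][1] if due else last_completed_end
    return due, last_end, last_end + timedelta(hours=frequency_hours)


if __name__ == "__main__":
    nightly_end = t("2018-08-30 00:00")  # the 24h job that ended at 23:59:59
    for when in ("2018-08-30 03:00", "2018-08-30 07:15"):
        due, last_end, nxt = change_frequency(nightly_end, 2, t(when))
        print(f"switch to 2h at {when[-5:]} UTC: export now up to",
              [w[1].strftime("%H:%M") for w in due], "then next at",
              nxt.strftime("%H:%M"))
```

Running it reproduces example 1 (one window ending 02:00, next run 04:00) and examples 2 and 3 (windows ending 02:00, 04:00 and 06:00, next run 08:00). The practical lesson is the one the guide draws in point 5: a frequency change is always anchored to the last completed job, so change it only once the previous job has finished.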

Manual Export (AD HOC)

You can run a manual (ad hoc) export based on a date range (see the screenshot below) and, as for recurring export, select either the Symphony (which contains Read-by information), EML or Actiance format. Next, select the start date and end date for your export; dates are shown in mm/dd/yyyy format. The times used are 23:59:59 UTC to 23:59:59 UTC of the next day. It is important to recognize that the use of UTC may cause unanticipated differences in the way data is retrieved.

• Rule 1: Dates are always based on 24 hours starting and finishing at 23:59:59 UTC.
• Rule 2: No partial days are retrieved. Information from the current day is retrieved only after 23:59:59 UTC of the current day, which corresponds to 6:59:59 pm ET while Eastern Standard Time is in effect (7:59:59 pm during daylight saving time). This means that when testing the feature, admins in New York should enter test data leading up to 7 pm ET and then run manual exports from 7 pm ET onwards in order to see their test records in the manual export.

When ready, press Start Manual Export. The export will be loaded into your SFTP content export site. Access the information using the machine with the IP address you registered with Symphony Global Services. Note: There is currently no facility to cancel export jobs that are running; however, export jobs that are waiting in the queue can be canceled.

File names

Ad hoc file names: the zip file name will be _CD-_GD-.zip and the individual files are:

In Actiance format: _CD-_GD-_content_import.xml and _CD-_GD-_conversation.xml

In EML format: _Part_CD-_GD-_timestamp.xml

In Symphony format: _CD-_GD-.xml

File names for recurring export: the zip file name will be _SD-_ED-_GD- .zip and the individual files are:

In Actiance format: _SD-_ED-_GD- _content_import.xml and __SD-_ED-_GD- _conversation.xml

In EML format: _Part_SD-_ED-_GD- _timestamp.xml

The reason that there is no hour in the EML format individual file name is that a stream conversation can be very short, e.g. a few minutes.

In Symphony format: _SD-_ED-_GD- .xml

EML zip files contain the following:

• The manifest of all the .EML files in the .ZIP file
  o Total number of EML files
  o List of EML files with the number of records (messages) in each
• A hash file for the zip file: .MD5
• Multiple .EML files: streamType_StreamID-_PartOf_ContentStartDateUTC-_ContentStopDateUTC-_GenTimestampUTC-.eml
• Symphony internal data integrity file: .JSON

Example of zip and md5 file names:
e_xyz-na-prod-chat-glb-1_SD-2015-10-25-00_ED-2015-10-26-00_GD-2015-10-26_1445817600518.zip.md5
e_xyz-na-prod-chat-glb-1_SD-2015-10-25-00_ED-2015-10-26-00_GD-2015-10-26_1445817600518.zip
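An added example, not Symphony's own tooling, of what a download script should do with the file names shown above before handing an export to an archive: parse the recurring-export name into its fields, confirm the .md5 companion matches the zip, and run the zip's own CRC check. It constructs a sample export to run against. Two assumptions: the trailing number is treated as epoch milliseconds (for the example name it decodes to 2015-10-26 00:00:00.518 UTC, which matches the GD date), and the .md5 file is read as a hex digest optionally followed by the file name, as md5sum writes it.

```python
"""Verify a Symphony content-export zip before handing it to an archive:
parse the recurring-export file name, check the .md5 companion and test the
zip's CRCs. Added example, not Symphony's own tooling. Assumptions: the
trailing number is epoch milliseconds and the .md5 file holds a hex digest,
optionally followed by the file name as md5sum writes it."""
import hashlib
import os
import re
import tempfile
import zipfile
from datetime import datetime, timedelta, timezone

# Recurring-export layout from the guide: prefix_SD-start_ED-end_GD-gendate_ts.zip
FREQUENT_RE = re.compile(
    r"^(?P<prefix>.+)_SD-(?P<sd>\d{4}-\d{2}-\d{2}-\d{2})"
    r"_ED-(?P<ed>\d{4}-\d{2}-\d{2}-\d{2})_GD-(?P<gd>\d{4}-\d{2}-\d{2})"
    r"_(?P<ts>\d+)\.zip$")

# File name taken from the guide's example above.
EXAMPLE_NAME = ("e_xyz-na-prod-chat-glb-1_SD-2015-10-25-00_ED-2015-10-26-00"
                "_GD-2015-10-26_1445817600518.zip")


def parse_export_name(path):
    """Fields of a recurring-export zip name, or None if the layout differs."""
    m = FREQUENT_RE.match(os.path.basename(path))
    if not m:
        return None
    d = m.groupdict()
    ms = int(d["ts"])  # assumed epoch milliseconds; matches GD in the example
    d["generated_at"] = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                         + timedelta(milliseconds=ms % 1000))
    return d


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_export(zip_path):
    """Report on one export: name fields, .md5 match, zip CRC check, entries.
    MD5 is a transfer-integrity check only: the digest is delivered next to
    the file it covers, so a match says nothing about who produced it."""
    with open(zip_path + ".md5") as f:
        m = re.search(r"[0-9a-fA-F]{32}", f.read())
    md5_ok = m is not None and m.group(0).lower() == md5_of(zip_path)
    try:
        with zipfile.ZipFile(zip_path) as z:
            zip_ok, entries = z.testzip() is None, z.namelist()
    except zipfile.BadZipFile:
        zip_ok, entries = False, []
    return {"fields": parse_export_name(zip_path), "md5_ok": md5_ok,
            "zip_ok": zip_ok, "entries": entries}


def make_sample_export(directory, tamper=False):
    """Write a constructed export zip and its .md5 into `directory`. With
    tamper=True one byte of the first stored entry is flipped after the
    digest was recorded, as a modified or damaged download would look."""
    path = os.path.join(directory, EXAMPLE_NAME)
    with zipfile.ZipFile(path, "w") as z:  # ZIP_STORED, no extra fields
        z.writestr("manifest.txt", "constructed sample manifest\n")
        z.writestr("sample.eml", "From: alice@example.com\nSubject: t\n\nhi\n")
    with open(path + ".md5", "w") as f:
        f.write(f"{md5_of(path)}  {EXAMPLE_NAME}\n")
    if tamper:
        with zipfile.ZipFile(path) as z:
            zi = z.getinfo("manifest.txt")
        offset = zi.header_offset + 30 + len(zi.filename) + len(zi.extra)
        with open(path, "r+b") as f:
            f.seek(offset)
            b = f.read(1)
            f.seek(offset)
            f.write(bytes([b[0] ^ 0x01]))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for tamper in (False, True):
            r = verify_export(make_sample_export(d, tamper))
            print("tampered" if tamper else "intact",
                  f"md5_ok={r['md5_ok']} zip_ok={r['zip_ok']}",
                  r["fields"]["sd"], "->", r["fields"]["ed"],
                  r["fields"]["generated_at"].isoformat())
```

Because the .md5 travels with the zip it covers, a match proves the transfer was intact, not that the file is authentic; authenticity rests on the SFTP credentials and IP allow-list on the legacy path, or on the bridge's authenticated session. The ad hoc pattern (_CD-..._GD-...) is not parsed because the guide does not show a complete example of it.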

Content Export Verification

Content Export includes an option entitled EXPORTED FILE LOG that lists each content export and flags any error that might have occurred with each export. The checks currently performed include:

• the zip file is not corrupted,
• all content is included in the export,
• content is decrypted.

The screen shot below shows the EXPORTED FILE LOG option.

Accessing the exported SFTP repository

For legacy installations, the downloaded file is stored on an SFTP server using a naming structure similar to the other servers described in this document, e.g. -tools.symphony.com. It can be accessed with the SFTP user name (podname-ContentExporter) along with the password that was created during the activation process. The password for the SFTP account is preset but can be changed in the Admin Portal. This user account is not a Symphony user account and cannot be used to log in to the Admin Portal or Symphony client; it is only used for downloading the exported content. You cannot delete your content from the SFTP server.

Actiance Vantage with SFTP

This equipment does not currently support SFTP, and therefore an intermediary script, running on another system, will need to be configured to download the Actiance zip file and place it in a location where Actiance Vantage can access it. In this case, it is the intermediary server running the script that should be allowed to use port 22 on the firewall, and its IP address should be provided to Symphony Global Services so that it can be whitelisted; see the diagram below.

[Diagram: systems at the allowed IP addresses connect to the SFTP server on port 22 to retrieve the zip files, subject to Symphony access control]

Exported Content

The timestamp used for content export is in the form HH:MM:SS:mm where mm represents milliseconds. The following information is exported:

New messages

A message may be created in an IM conversation, chat room or a wall post.

If a message was posted within the time range (24 hours), then it is considered a new message. The following data is provided in the Symphony export file:

• Attachments
• SentTo:
  o for IM and chat: members of the IM/room;
  o for wall post: owner of the wall
• ReadBy: list of users who have read the message within the time range

When a message is being sent to an external user (a user located on a different Pod) then the message manifest will include the first name, last name, email address and company name of the external user.

Old messages

A message may have been sent to an IM conversation, chat room or a wall post.

Old messages are messages that were created before the current 24-hr time range. Symphony tracks who read the message during the time range and sends the “Read by” information that relates to those read events. Previously reported “Read by” information is not repeated, only the new “Read by” information.

The following data is provided:

• Attachments (any kind of file)
• ReadBy: list of users who have read the message within the time range

Events

The following events are also included if they occurred within the time range (24 hours):

• Create room
• Activate room
• Deactivate room
• User joins room
• User leaves room
• User in room is promoted to owner/demoted from owner
• User is banned or unbanned by an SCO or CO; this event is only visible in the CE file of the company in which the event took place
• Room setting update for the following settings:
  o Room Name
  o Room Description
  o Type of room (private / public)
  o Copy Enabled
  o Read Writable
  o Member Invitations
  o Search
• Room is locked or unlocked by an SCO or CO; this event is only visible in the CE file of the company in which the event took place
• Message is shared (wall post only) – includes any posted attachments
• Message is deleted (wall post only) – original message is also included
• Like a Message (wall post only) – original message and any attachments are also included
• Share a Message (wall post only) – original message and any attachments are also included. Attachments are exported in three formats: Symphony XML, Actiance, and EML.
• Chimes
• Email notification was sent either by the sender or by the system
• Message suppression events

Content Export for Rich Text Editing

Users have the option to highlight their posts and IMs using rich text editing. This highlighting can include bold, italics and bullets. Pasted content may also be handled as an attachment rather than native text. In either case, the content export will include this markup. We show an example of the markup that would be included in the export.

Escaped Characters

The Symphony client encodes rich text such as bold, italics and bullets using a standard markdown syntax. For example, if the user inserts rich text as follows:

• testing bold, italics and bullets

then in the XML content export, this is translated to:

If, on the other hand, the user types a message containing the ‘*’, ‘-’ or ‘_’ characters, then these will be encoded with an escape backslash in the content export file. Original text entered by the user: testing asterisk *, dash - and underscore _ converted as follows in the XML version:

Content Export Self-Healing (CESH)

CESH helps provide timely delivery of content to compliance and surveillance teams. CESH also minimizes the amount of troubleshooting expected of customers for content export errors. CESH enables timely exports of messages by:

• Limiting the re-export to messages that encountered errors during the initial content export runs.
• Automating the re-export of relevant messages at the next regularly scheduled content export run.
• Equipping the Symphony customer service team with diagnostic tools to ensure all messages are either exported or otherwise accounted for.

CESH features are applicable to regularly scheduled jobs, not to ad-hoc jobs. The following table describes the CESH changes in Content Export Bridge (CEB) v1.44.2 or newer version.

Columns in the original table: Category, Change, Customer Action.

Category: Content export verification
Change: CEB eliminates the content export verification file result.JSON.
Customer Action: Customers parsing this file must update their script when they upgrade to CEB v1.44.2 or newer version.

Category: Content export verification
Change: Changes to the validation.JSON file:
  - Includes a new section for the list of messages that CEB is exporting via the CESH feature. See below for more details.
  - Decryption exceptions are no longer listed. The Symphony customer service team will automatically investigate the exceptions and take appropriate action, such as eliminating false positives or contacting the customer if needed.
Customer Action: Customers parsing this file may need to update their script when they upgrade to CEB v1.44.2 or newer version.

Category: Re-run content export to fix errors
Change: CEB will automatically re-export internally flagged messages.
Customer Action: No need to manually re-run the content export job when the CEB returns errors related to message exports.

Category: Message counts
Change: The Message_counts.csv file will continue counting messages for the current retention period, and not include messages exported by CESH.
Customer Action: None.

Category: EML content exports
Change: The CEB will create a separate EML file for each stream/room per job. For example, if on day X the CEB exports content from stream 1 and re-exports content from stream 1 of days X-5 and X-8, it will create three eml files for stream 1: one each for content from days X, X-5, and X-8.
  - CEB identifies the re-exported content with a new x-header “x-symphony-ReExported” which is set to the unique ID of the job used to re-export the message; for example “x-symphony-ReExported: 2ee1a48e-d364-46da-85c2-82709977f50b”
  - To work with the Global Relay de-duping logic, the CEB extends the email subject string to show the date and time as follows: exported 1/1/2016 00:00:00 GMT
Customer Action: Please be aware that whenever CEB re-exports a record in this way, the content export will show it as: “Record re-exported”. A new x-header in EML files will list any re-exported content.

Category: Symphony XML schema
Change: CEB v1.44.2 uses v1.5.1 of the Symphony XML Schema, which adds an optional attribute, "isReExported=true", in the "record" node if the record is flagged for re-export.
Customer Action: Customers tracking this version of the XML may need to update their post processor when they upgrade to CEB v1.44.2 or newer version.

Format of the catchup section in the validation.JSON file:

"catchup": {
  "346900e3-26a3-431b-9512-96073b46fa08": {
    "jobId": "346900e3-26a3-431b-9512-96073b46fa08",
    "exported": {
      "hkyIKihCmckkwFjKd3JSO3///qYzXIcSdA==": [
        "Pw/BiiVemSleVt58WGU3/n///qYzXEGpdA=="
      ],
      "ZJFUFpq1VQVmSvPk+T+kz3///qYzXI4wdA==": [
        "coaIcw/xZZR2MkLshIGUIn///qYzXEK7dA=="
      ]
    }
  },
  "a4c0d151-7cb0-4d45-b19a-4711cb6c9512": {
    "jobId": "a4c0d151-7cb0-4d45-b19a-4711cb6c9512",
    "exported": {
      "hkyIKihCmckkwFjKd3JSO3///qYzXIcSdA==": [
        "2yqof0mEReIPK5BsU3Bu53///qYzXILgdA=="
      ],
      "ZJFUFpq1VQVmSvPk+T+kz3///qYzXI4wdA==": [
        "eSDHBOfc4APzVP8SVpUZnX///qYzXImidA==",
        "p/ZX4ujBfiFBExU3c4us0X///qYzXIhRdA=="
      ]
    }
  }
}
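As an added example that is not part of the guide, a small parser for the catchup section above: it lists every re-exported message with its job and stream, counts them per job and per stream, and flags any message IDs an archive already holds so a downstream de-duplication step can be applied. It assumes the catchup object sits under a top-level "catchup" key of validation.JSON as shown; the sample is constructed from the guide's own values.

```python
import json
from collections import Counter

# Constructed sample: the "catchup" object from the guide's validation.JSON example,
# wrapped in an outer object (the rest of validation.JSON is omitted here).
SAMPLE_VALIDATION_JSON = """{
  "catchup": {
    "346900e3-26a3-431b-9512-96073b46fa08": {
      "jobId": "346900e3-26a3-431b-9512-96073b46fa08",
      "exported": {
        "hkyIKihCmckkwFjKd3JSO3///qYzXIcSdA==": ["Pw/BiiVemSleVt58WGU3/n///qYzXEGpdA=="],
        "ZJFUFpq1VQVmSvPk+T+kz3///qYzXI4wdA==": ["coaIcw/xZZR2MkLshIGUIn///qYzXEK7dA=="]
      }
    },
    "a4c0d151-7cb0-4d45-b19a-4711cb6c9512": {
      "jobId": "a4c0d151-7cb0-4d45-b19a-4711cb6c9512",
      "exported": {
        "hkyIKihCmckkwFjKd3JSO3///qYzXIcSdA==": ["2yqof0mEReIPK5BsU3Bu53///qYzXILgdA=="],
        "ZJFUFpq1VQVmSvPk+T+kz3///qYzXI4wdA==": [
          "eSDHBOfc4APzVP8SVpUZnX///qYzXImidA==",
          "p/ZX4ujBfiFBExU3c4us0X///qYzXIhRdA=="
        ]
      }
    }
  }
}"""


def parse_catchup(validation_text):
    """Return one (job_id, stream_id, message_id) tuple per re-exported message.

    A validation.JSON written by a CEB older than v1.44.2 has no "catchup" key,
    which simply yields an empty list.
    """
    doc = json.loads(validation_text)
    catchup = doc.get("catchup") or {}
    records = []
    for key, job in catchup.items():
        job_id = job.get("jobId", key)
        # The object key and the embedded jobId should agree; treat a mismatch as a corrupt file.
        if job_id != key:
            raise ValueError("catchup key %s does not match jobId %s" % (key, job_id))
        for stream_id, message_ids in job.get("exported", {}).items():
            for message_id in message_ids:
                records.append((job_id, stream_id, message_id))
    return records


def summarize_catchup(records):
    """Count re-exported messages per originating job and per stream."""
    per_job = Counter(job_id for job_id, _, _ in records)
    per_stream = Counter(stream_id for _, stream_id, _ in records)
    return dict(per_job), dict(per_stream)


def already_archived(records, archived_message_ids):
    """Message IDs in the catchup section that the archive already holds.

    CESH re-exports messages that failed in an earlier run, so normally none of
    them is in the archive yet; any that are need the same de-duplication the
    guide describes for Global Relay.
    """
    archived = set(archived_message_ids)
    return sorted({m for _, _, m in records if m in archived})


if __name__ == "__main__":
    recs = parse_catchup(SAMPLE_VALIDATION_JSON)
    jobs, streams = summarize_catchup(recs)
    print("re-exported messages:", len(recs))
    print("per job:", jobs)
    print("per stream:", streams)
```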

In this example, the catchup section indicates that content was re-exported for 2 previous scheduled jobs ("jobId": "346900e3-26a3-431b-9512-96073b46fa08" and "jobId": "a4c0d151-7cb0-4d45-b19a-4711cb6c9512"). For each job, the JSON element shows the list of streams and, for each stream, the list of messages re-exported for that stream (e.g. message ID "2yqof0mEReIPK5BsU3Bu53///qYzXILgdA==" in stream ID "hkyIKihCmckkwFjKd3JSO3///qYzXIcSdA==").

External Communications

When a message is being sent to an external user (a user located on a different Pod) then the message manifest will include the first name, last name, email address and company name of the external user.

Timestamp

The timestamp used for content export is in the form HH:MM:SS:mm where mm represents milliseconds.

WALL POST INFORMATION

Complete information is now included for wall post events as shown below:

• Message is shared (wall post only) – includes any posted attachments
• Message is deleted (wall post only) – original message is also included
• Like a Message (wall post only) – original message and any attachments are also included
• Share a Message (wall post only) – original message and any attachments are also included. Attachments are exported in three formats: Symphony XML, Actiance, and EML.

“FROM HEADER” IN EML EXPORT

Sets the “From header” to the email address of the first person to either post content or create an event in a chatroom or IM in a given retention period. For example, the first action in a given retention period may be the creation of the IM or room, or the addition of a member; in such a case the From header is set to the individual user who took that action. This might be the creator of the chatroom or a member who posted something to the room.

Note: the event could be from a service account that is not a member of the room (from S39 onward), since the room membership may be managed via the chat room provisioning APIs.

RECORDING WALL POST LIKES

The email addresses of all users who “Liked” a post are shown in the “To List” in all formats.

TRACKING OF BLASTID IN ALL FORMATS

Include the blast ID with each exported blast message. This applies whether the blast was created by an internal account or created by an external account.

EML format: When exporting a blast message created by an internal account, include the blast ID as follows:

• 2016-03-19T20:43:09.080Z [email protected] says
• test message M1
• Message ID: 3Kxt+IKF+KO4a1Ei4u/Gln///qvlXj1QdA==
• BlastID: 7696581424657

Symphony XML: when exporting a record for a blast message created by an internal account, whether as a new message or an archived=True message, include an element listing the blastID. For example:

7696581424657

Actiance Format: adds the blastID to the content export as follows:

ac_god 1464028203682

Note: this only applies to blasts created using the Sprint 38+ version of blasts.

EXPORTING SHARED ARTICLES

CEB exports shared articles using HTML in all 3 formats. Older versions of the CEB export shared articles using JSON. The use of HTML allows the surveillance team to view the shared article in the same format as the format originally presented to the user.

EXPORTING MESSAGES CREATED BY AN APPLICATION ON BEHALF OF A USER

• The 1.51 Content Export Bridge (CEB) is able to identify messages created by applications on behalf of (OBO) end users in all 3 formats (Symphony XML, Actiance, and EML).
• The schema for the Symphony XML format has been upgraded to v1.5.6 and includes a new element: postedByApplication, which contains the applicationID of the app that generated the message.

MESSAGEMLV2 FORMATTED MESSAGES

As of 1.51, the desktop client will send messages in the new messageMLv2 format that the CEB then exports as html-based content in all 3 formats (Symphony XML, Actiance, and EML). The html format applies to all content entered by the sender including:

o Links
o Bulleted lists
o @mentions
o #tags, $tags
o Bold text
o Italicized text
o Tables
o Emojis
o Code snippets

Mobile clients are not yet able to send messageMLv2 formatted messages and thus the CEB will export messages from mobile using the legacy text-based and markdown format.

CEBs older than 1.50 can export the content created by any client, but only in the legacy text-based and markdown format.

Note: There is a forward compatibility issue with the 1.50.0 CEB when run against a pod running 1.51.0 or higher. Specifically, if a message contains a table, the table will show twice in the message exported by the 1.50.0 CEB. Upgrading to the 1.51.0 CEB resolves this issue.

CONTENT EXPORT VERIFICATION A file entitled results.json is included in each content export and will include the value “SUCCESS” if:

1. Download was successful
2. Decryption was successful
3. File matched what was sent

This file no longer exists once the CEB is upgraded to v1.44 or greater. Refer to the information in the Content Export Self-Healing section above for more details.

USER SUMMARY INFORMATION

A file entitled Message_Counts.CSV is now included in each content export and shows summary usage data for each user on the Pod.

Obtaining Historical Data

On the day that CONTENT EXPORT is activated all the content for the 24-hour period (23:59:59 UTC – 23:59:59 UTC) will be included in the first run of the procedure initiated at 9am UTC. This does not include any historical data generated prior to the day of activation. It may be possible for Symphony Global Services to generate historical data on behalf of early stage customers if required. Contact Symphony Global Services if you need to generate historical data.

ACTIVE COMPLIANCE

Compliance features are listed in the left Nav:

Expression Filters

Companies will enforce expression filtering to reduce the risk of their employees generating inappropriate content and thus potentially impacting the reputation or compliance of the company. One example is profanity filtering.

First select Expression Filters from the left Nav and you will be presented with the Dictionary Management interface.

This interface uses simple expressions as well as more complex regular expression rules. You can edit an expression by checking the relevant box to the left of the expression and then pressing the “edit” pen located to the right of the expression:

You can then enter a regular expression. Please note that expression filters are powerful and you run the risk of introducing unexpected filtering if you’re not careful. We strongly recommend that you test your regex to ensure your expression works as you intend.


Example: If the admin were to include the following keyword /dang/ then the result would be that words such as “dangerous” would be blocked and this may not be the desired behavior. Please structure regular expressions carefully to avoid undesirable results.

Words loaded without regex syntax will be interpreted as follows: /\sdang\s/ in other words we assume leading and trailing spaces. Admins seeking to be absolutely sure of the behavior of their expression filters should use regex syntax and test carefully.

Symphony supports JavaScript Regex syntax. Please refer to the following resource for more information: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions

Filtering Using Unicode

Unicode characters can be entered as regular expressions. For example, the expression to filter a Unicode character 877e would be: /[\u877e]+/

Audit Trail for Expression Filters

The compliance officers can view an audit trail showing whenever expression filter rules were updated. In addition, the compliance officers can now view an audit trail showing whenever the expression filter (EF) policy was enforced.

Expression Filters v2

Expression Filters v2 (EFv2) adds new features to the existing messaging parsing logic from Expression Filters. With EFv2, you can now apply your company's Data Loss Prevention (DLP) policies to Symphony messages. You can mitigate risk by applying your corporate policies to the message content being sent by your employees in both internal or external conversations, in real time. The DLP system can either warn the user and let the user decide whether to send the content, or block the message and require the user to edit the content.

With EFv2, admins can:

● Create and manage multiple policies via the Admin and Compliance Portal UI (ACP UI) or using APIs.
● Warn or block end users from sending a specific term or phrase.
● Create and apply a policy in log-only mode. When log-only mode is selected, violations are logged, but the message is sent through even if the content triggers a violation. The violations can be retrieved via the violation APIs. As an added benefit, this feature provides customers the capability to test their policies before turning them on.
● Control what the policy affects: message content, room name and description, signal name and description, or all of the above.
● Control whether to apply a filter to external or internal conversations, or both.
● Retrieve alerts generated by the EFv2 system.

Your organization can run EFv1 and EFv2 simultaneously. EFv2 requires the following:

• A component called the Symproxy to decrypt and parse content.
• A `ceservice` account to call the Symphony Violations Management endpoints.
• A Service User account with the Expression Filter Policy Management role to call the Dictionary Management and Policy Management endpoints.

Note: If the Key Manager is deployed on-premises, the Symproxy has to be deployed on-premises as well.

When this feature is turned on, a Super Administrator can define content violation policies with dictionary terms and the appropriate policy scoping (Internal or External) for messages, streams, and signals. As Symphony client end users perform certain actions (specifically, sending messages and creating or updating rooms and signals), the system may block or warn the user when any content matches terms defined in the policy, as follows:

• LOG-ONLY: The end user can send the message, but Symphony logs the violation. The end user does not get any warning about the violation.
• BLOCK: The end user can’t send the message or create or update the room or signal.
• WARN: The end user can rectify the issue by either:
  o Removing the text that matched policy terms.
  o Sending the content as is and ignoring the warning.

Note 1: Please be aware that while Expression Filtering V2 is now a GA (Generally Available) capability, it has not been enabled automatically onto your Pod. Please liaise directly with your Account Manager or Solutions Architect should you wish to test this functionality so that they can arrange enablement.

Note 2: Legacy clients, including the iOS and Android clients, won’t show EFv2 BLOCK and WARN messages on the interface. Because there is no interface to prevent users from performing an action, the content is sent and the violation is recorded. EFv1 blocks have been and continue being supported by the iOS and Android clients. Updated versions of iOS and Android clients capable of showing EFv2 Block and EFv2 Warn messages will be made available in H1 2018.

Note 3: Companies must upgrade their Symproxy to v1.51 to use this feature.

When an end user’s communication results in a BLOCK or WARN, the EFv2 functionality records these violation events.

POLICIES

The Policies tab displays summary information about your EFv2 policies. Click Status to filter by enabled or disabled policies.


Create a New Policy

1. Click Create New Policy.
2. Specify options for Name, Policy Type, Content Type, Scope, and Add Dictionaries.
3. The policy type can be:
  a. Log-only
  b. Block from posting
  c. Warn before posting
4. Click Save. This creates a disabled draft of the policy.
5. Click Edit to enable policy to access the policy details window.
6. Confirm the information in Basic Details and Dictionaries.
7. Click Enable.

Dictionaries

The Dictionaries tab displays your EFv2 dictionaries. There are two dictionary types: exact match on plain text terms and regular expressions.

Create a New Dictionary

1. Create a .csv file of either plain text terms or regular expressions with no header row and one term or regular expression per line.
2. Click Create New Dictionary.
3. Specify options for Name and Type.
4. Upload the .csv file.
5. Click Save. Messages appear to confirm that the dictionary and the terms were successfully imported, and the new dictionary appears at the top of the summary list.

Note: if you get an error stating the dictionary cannot be loaded, please check that you have at least one Symproxy successfully connected to the pod.

Proxies

The Proxies tab displays summary information about your EFv2 proxies. Note that:

• When a proxy is rebooted, this generates a new entry with a new proxy ID.
• Any proxies that have been stopped or disconnected for more than two weeks do not appear in the summary list.

Be sure to set the Pool Failure Default behavior for how the system handles new content when the proxy pool fails or has insufficient capacity. Select or deselect the Block sending all new content when proxy pool fails checkbox to meet your company’s requirements.

Hierarchy of Expression Filter Policies

Dictionary terms can appear in multiple types of policies. When that happens, the “Block” policies take precedence, followed by “Warn” and “Log-only” policies.

Audit Trails

The Audit Trails tab contains the Policies Audit Trail and Dictionary Audit Trail subtabs. Use the filter at the top of an audit trail list to find a specific policy or dictionary.

CREATING AND MANAGING DICTIONARIES AND POLICIES

Overview

EFv2 policies can be created and managed via the ACP UI or APIs by creating:

1. Dictionary terms
  a. Dictionaries can be a list of words, phrases or a list of regular expressions.
2. Policy
  a. Assign one or more dictionaries to the policy.
  b. Select whether to warn or block the dictionary.
  c. Select what content to apply the policy to (i.e. message content, room metadata, or signal metadata).
  d. Select whether the policy should be applied to external or internal communications, or both.
  e. Enable the policy. At this point, the policy will start being enforced as long as you have EFv2 enabled in your pod and you have deployed Symproxy (see below for Symproxy installation instructions).

Enabling EFv2 at the Pod Level

You must be a super admin to enable and use EFv2. (Note: Existing Expression Filters and Expression Filters v2 can run at the same time.)

1. Select the Expression Filters (v2) section in the left nav to manage EFv2.
2. Select Enable to turn on EFv2 for the pod. When disabled at the pod level, the system will ignore all policies.

Creating Dictionaries

1. Select the Dictionaries tab.

2. Click “Create New Dictionary.”

3. Assign a name to the dictionary.
4. Select the type of dictionary:
  a. Exact Match: Each term can be a single word or a phrase
  b. Regular Expression: Each term must be a Regular Expression (regex)
5. Import the CSV of terms. Instructions for building your CSV file:
  a. No headers
  b. One term per line
  c. Make sure the CSV does not include invisible special characters at the end of the file or at the end of each line

6. Each dictionary is uniquely identified by its ID and changes made to the dictionary are tracked in the Dictionary Version.

7. Changes made to dictionaries can be tracked in the Dictionary Audit Trail. View past versions by clicking on the version number.

Modifying Dictionaries

You can rename a dictionary or update the list of terms at any time. Load a new CSV to replace all the previously imported terms. (Note: We do not support delta dictionary updates in this release.)

A dictionary can be deleted only if it is not used by any policies. You can view the policies associated with a dictionary as follows:

1. Select the dictionary you want to review.
2. Click on “Policies.”
3. The “Policies” tab lists the policies associated with this dictionary.

HOW TO WRITE DICTIONARIES

Dictionary validation rules

• The maximum term length is 200.
• Character set is limited to UTF-8.
• Each term must be line-separated.
• Regexes that don't compile will not be accepted.
• Regexes that match the empty string ("") will not be accepted.
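As an added example (not code from the guide or from Symphony), a pre-import check that applies these validation rules, together with the CSV rules from the Creating Dictionaries steps (no header row, one term per line, no invisible characters at the ends of lines or of the file), to a dictionary CSV before it is uploaded. Python's re module stands in for the pod's Java 8 regex engine, so it is an approximation; the INVISIBLE character list and SAMPLE_REGEX_CSV are constructed here.

```python
import re

MAX_TERM_LENGTH = 200

# Invisible characters that editors and spreadsheets commonly leave at the ends of
# lines or files (constructed list; extend as needed).
INVISIBLE = {
    "\ufeff": "byte order mark",
    "\u200b": "zero-width space",
    "\u00a0": "no-break space",
    "\r": "carriage return",
    "\t": "tab",
}


def validate_dictionary_csv(raw, dictionary_type):
    """Check dictionary CSV bytes against the guide's rules.

    dictionary_type is "exact" or "regex". Returns a list of (line_no, problem);
    an empty list means the file should import cleanly. Line 0 denotes a
    whole-file problem. Regexes are compiled with Python's re here, while the pod
    uses Java 8, so a pattern that passes this check can still be rejected on
    import if it relies on Python-only syntax.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [(0, "file is not valid UTF-8: %s" % exc)]

    lines = text.split("\n")
    if lines and lines[-1] == "":      # a single trailing newline is fine
        lines.pop()
    if not lines:
        return [(0, "file contains no terms")]

    problems = []
    for line_no, line in enumerate(lines, start=1):
        for ch, name in INVISIBLE.items():
            if ch in line:
                problems.append((line_no, "contains invisible character (%s)" % name))
        term = line.rstrip("\r")   # judge the term itself after reporting the stray CR
        if term.strip() == "":
            problems.append((line_no, "empty line"))
            continue
        if len(term) > MAX_TERM_LENGTH:
            problems.append((line_no, "term is %d characters, maximum is %d"
                             % (len(term), MAX_TERM_LENGTH)))
        if dictionary_type == "regex":
            try:
                pattern = re.compile(term)
            except re.error as exc:
                problems.append((line_no, "regex does not compile: %s" % exc))
                continue
            # A pattern that matches "" would flag every message; the pod rejects it.
            if pattern.search("") is not None:
                problems.append((line_no, "regex matches the empty string"))
    return problems


# Constructed sample: a regex dictionary saved by a Windows editor with a BOM and a
# CRLF ending on the first line, one broken pattern and one that matches "".
SAMPLE_REGEX_CSV = ("\ufeffbuy\\s+ibm\r\n"
                    "insider\\s+tip\n"
                    "[unclosed\n"
                    ".*\n").encode("utf-8")

if __name__ == "__main__":
    for line_no, problem in validate_dictionary_csv(SAMPLE_REGEX_CSV, "regex"):
        print("line %d: %s" % (line_no, problem))
```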

Exact Match Terms Dictionary

Used for matching dictionary terms to entire words, or parts of words, in the text sent by the Symphony user. Before matching is done, the entire text sent by the Symphony user goes through tokenization. Here is how the text is tokenized:

1. Text is parsed into words separated by whitespace characters.
2. The parsed words are additionally tokenized to create more words if the word contains one or more special character tokens - $#.\\/:?&={}[]<>\"\',;*_-!^()~`|+

Example 1: Message text from user: "How are you doing John.Doe?" will result in following tokens being considered for exact match:

1. How
2. are
3. you
4. doing
5. John.Doe?
6. John
7. Doe

Example 2: Message text from user: "My email address is: warnedregex@mailxy.com" will result in the following tokens being considered for exact match:

1. My
2. email
3. address
4. is
5. warnedregex@mailxy.com
6. warnedregex@mailxy
7. com

Example 3: Message text from user: "Should it block percent%" will result in following tokens being considered for exact match:

1. Should
2. it
3. block
4. percent%

Example 4: URL text from user: "https://test-dash.com/path1/path2?parameters=123&stuff=b" will result in the following tokens being considered for exact match:

1. https://test-dash.com/path1/path2?parameters=123&stuff=b
2. https
3. test
4. dash
5. com
6. path1
7. path2
8. parameters
9. 123
10. stuff
11. b

Exact Match Phrases

You can use this capability to do exact phrase matches. Below are some examples for phrases matches:

Columns in the original table: Input text, Dictionary phrase, Found phrase (marked in red), Explanation.

Input text: could you buy some IBM please
Dictionary phrase: BUY some IBM
Found phrase: could you buy some IBM please
Explanation: Phrase was found because matching is case insensitive.

Input text: could you buy some IBM please
Dictionary phrase: buy some   IBM
Found phrase: could you buy some IBM please
Explanation: Dictionary phrase and input text have a different number of spaces, but we treat such phrases as the same.

Input text: could you buy some IBM please.
Dictionary phrase: buy some IBM please
Found phrase: could you buy some IBM please.
Explanation: Input text contains the same phrase, but a dot is present after the word please. Despite the presence of the special character, the phrase will be found.

Input text: could you [buy] some+_- IBM please
Dictionary phrase: buy some IBM
Found phrase: could you [buy] some+_- IBM please
Explanation: Special characters at the start and end of words are ignored. Therefore, a match is found for such phrases.

Input text: could you buy some IBM please
Dictionary phrase: buy some IBM.
Found phrase: NONE
Explanation: The dictionary contains a special character in the word IBM but this character is not present in the input text. Hence, such phrases will not be found.

Input text: could you buy_some IBM
Dictionary phrase: buy some IBM
Found phrase: NONE
Explanation: In this case, buy_some is treated as a single word. Such a word is not present in the input phrase.

Input text: john buy I.B.M please for me please
Dictionary phrase: buy i.b.m
Found phrase: buy I.B.M please
Explanation: Special characters within a word (I.B.M in this case) are considered part of the word. This combination matches.

Input text: john buy I.B.M please for me please
Dictionary phrase: buy ibm
Found phrase: NONE
Explanation: Special characters within an input word (I.B.M in this case) are considered part of the word. This combination doesn't match.

Input text: john buy IBM please for me please
Dictionary phrase: buy i.b.m
Found phrase: NONE
Explanation: Special characters within a dictionary phrase word (i.b.m in this case) are considered part of the word. This combination doesn't match.
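The tokenization rule and the phrase table above, implemented as an added example (not Symphony's code): tokenize() follows the two-step rule from the Exact Match Terms Dictionary section, and find_phrase() reproduces the outcomes in the table, reading it as: input words lose special characters at their ends but keep inner ones, dictionary words are used as typed, runs of spaces collapse and case is ignored. The placement of sub-tokens right after their parent word and the single-word matches_term() helper are assumptions.

```python
# Characters the guide lists as "special character tokens" for exact-match tokenization.
SPECIAL = set("$#.\\/:?&={}[]<>\"',;*_-!^()~`|+")


def _split_on_special(word):
    """Pieces of a word between special characters, empty pieces dropped."""
    pieces, current = [], []
    for ch in word:
        if ch in SPECIAL:
            if current:
                pieces.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        pieces.append("".join(current))
    return pieces


def tokenize(text):
    """Step 1: split on whitespace. Step 2: a word containing special characters
    also contributes the pieces between them (assumption: listed right after it)."""
    tokens = []
    for word in text.split():
        tokens.append(word)
        if any(ch in SPECIAL for ch in word):
            tokens.extend(_split_on_special(word))
    return tokens


def _input_words(text):
    """Input words for phrase matching: special characters stripped from the ends
    of each word (kept inside it), lower-cased; words that were only punctuation vanish."""
    strip_chars = "".join(SPECIAL)
    words = []
    for word in text.split():
        cleaned = word.strip(strip_chars).lower()
        if cleaned:
            words.append(cleaned)
    return words


def find_phrase(text, phrase):
    """Return the matched input words (lower-cased) or None.

    Dictionary words keep their special characters as typed ("IBM." != "IBM"),
    runs of spaces collapse, and the comparison is case-insensitive.
    """
    needle = phrase.lower().split()
    hay = _input_words(text)
    if not needle:
        return None
    for i in range(len(hay) - len(needle) + 1):
        if hay[i:i + len(needle)] == needle:
            return " ".join(hay[i:i + len(needle)])
    return None


def matches_term(text, term):
    """Single-word term: exact match against any token; multi-word term: phrase match."""
    if len(term.split()) == 1:
        wanted = term.lower()
        return any(tok.lower() == wanted for tok in tokenize(text))
    return find_phrase(text, term) is not None


if __name__ == "__main__":
    print(tokenize("How are you doing John.Doe?"))
    print(find_phrase("could you [buy] some+_- IBM please", "buy some IBM"))
    print(find_phrase("could you buy_some IBM", "buy some IBM"))
```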

Regex Dictionary

Symphony uses the Java 8 regex library for enforcing regexes. For more details and limitations on regex usage please refer to: https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html

Regexes should be written with care and tested before adding them to the dictionary. Regexes provide much more power when compared to Exact Match dictionaries. We do not do any tokenization on text sent from the Symphony user when we do regex pattern matching. You can write phrases, consider word boundaries etc. as part of your regex pattern.

Notes:

• Regex, phrases and exact match term matches are case-insensitive.

Limitations

• Supports English only.
• Exact word match for @mentions will trigger a violation alert where the term matches part of the name following the first name.
  o Example 1: Say you have a word dictionary with term "Doe", then a message with a mention for person "John Doe" will result in a match.
  o Example 2: Say you have a word dictionary with term "John", then a message with a mention for person "John Doe" will not result in a match.

Creating and Managing EFv2 Policies via the ACP

Go to the policies tab to view/manage existing policies, or to create new ones.

Create a new policy:

1. Name the policy.
2. Select the type of policy: log-only, block or warn.
3. Select the content type the policy applies to: message content, chat room names and descriptions, and/or signals and tags.
4. Select the scope to apply the policy to: internal or external chats.
5. Specify the dictionary to apply this to. You can apply one or more dictionaries of terms/regexes.

6. New policies are created in the disabled state. Policies MUST be tested in your UAT environment before they can be turned on.
7. Select your policy to enable it.

Testing Policies

The block and warn policies have a direct impact on the user experience. It is therefore necessary to test each policy in UAT first. When you are ready to deploy into production, you can optionally turn on log-only mode to test how the policy performs in a real-world environment. For example, you may want to check for false positives and for the number of messages that trigger the policy. Once you are confident that the policy is performing as intended, you can switch the policy to warn or block as needed.

Viewing Violations

When a message triggers a policy, the violation is reported in two ways:

1. Enforcement Audit Trail: This tracks all policies triggered by a given message. The audit trail does not include the actual content of the message.
2. Violation APIs provide granular information about the violation. This includes the payload of the message that triggered the policy. Refer to the EFv2 API section below for more details.

Exporting Policies, Dictionaries, and the Enforcement Audit Trail

You can download a list of all the EFv2 policies and dictionaries defined in your pod via the export option.


EFV2 APIS

APIs Definition

Public APIs are provided to:

1. Define and manage dictionaries.
2. Define and manage policies. (Note: Symphony may add more policy types beyond “block” or “warn” in the future, without changing the API version. Developers should make sure they write code that accounts for new policy types.)
3. View violations.

For more details on requirements and definitions of APIs, refer to: https://rest-api.symphony.com/v1.49/docs/dlp-overview

INSTALL GUIDE FOR SYMPROXY (EFV2)

The installation instructions for the Symproxy service are as follows.

Pre-requisites

• 16 GB RAM
• 4 CPU cores (3.0+ GHz)
• 250 GB disk
• Operating System: Linux RHEL Fedora 2015.03
• JVM: 64-bit Java 8 Standard, Enterprise Edition - a Java Development Kit (JDK) is required. NOTE: only the ORACLE version of JAVA is supported
• Install JCE
• On-premise Agent Server - version 1.50 and higher

Installation

1. Install Oracle Java JDK 8

2. Install Java Cryptography Extension

Download and install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8" using this link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

3. Download the Symproxy zip file from the Admin Portal Downloads page and unzip it. You will find two files inside the 'symprox' folder:
  ● the versioned symprox jar file.
  ● the application.properties file.

Note: The ZIP file can also be found here https://resources.symphony.com/symprox-1.0.0.zip

4. Copy symprox folder downloaded above to a root folder (for e.g. /opt/symphony)

# mkdir -p /opt/symphony

# cp -r symprox /opt/symphony

5. Prepare application.properties file

a. Get your secret key - You need to obtain the 'ceservice' user's shared unencrypted secret key. You can obtain this secret from the Admin and Compliance Portal as shown below:

b. You need to encrypt the secret obtained above. Run Symproxy application in secret encryption mode

java -jar symprox-${JAR_VERSION}.jar --enableEncryptMode

Symproxy will start in encryption mode and prompt for the secret key and a password to encrypt the secret key. Enter the ceservice user's secret key you obtained in Step 1, and your password for encrypting the secret. Note: The password you used above to encrypt the secret key will be used when starting the Symproxy application.

c. Once you enter your secret and the password, the Symproxy application will output a message with the encrypted secret key. You need to take the encrypted secret key and add it to your application.properties file.

d. Edit application.properties file and put the correct values.

Make the application.properties file writable.

# chmod +w /opt/symphony/symprox/application.properties

You need to provide the following values:

• podHost - Set this value to your Pod's host (FQDN).
• secret - Put the encrypted secret string you obtained in Step 5(b) above.

podHost=${SYMPROX_POD_HOST} <-- Change to your FQDN (remove the $ and {}), e.g. sup.symphony.com

secret=ENC(

e. Change the permission for application.properties file so it is readable only by the owner that is going to be running the Symproxy application.

# chmod 400 /opt/symphony/symprox/application.properties

6. Start Symproxy application.

# cd /opt/symphony/symprox

# export PROPSPWD=

# java -Xms2g -Xmx2g -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=50 -XX:+ScavengeBeforeFullGC -XX:+CMSScavengeBeforeRemark -XX:+PrintGCDateStamps -verbose:gc -XX:+PrintGCDetails -jar symprox-${JAR_VERSION}.jar

To verify that the Symproxy application started properly please refer section “Verifying that Symproxy application is running fine” below.

Note:

When Symproxy starts and detects that the secret key is encrypted, it will try to decrypt the secret property using a password stored in the environment variable 'PROPSPWD'. If you need to use another environment variable, pass encPropertiesPasswordEnvVar to the JVM when starting the java process. For example:

java -DencPropertiesPasswordEnvVar=SYMPROX_PASSWORD ... -jar symprox-${JAR_VERSION}.jar

will tell Symproxy to read the SYMPROX_PASSWORD environment variable to get the password.

• Running the `export PROPSPWD=...` command will leave the password viewable in the shell history. You can either (a) use a different mechanism to set the environment variable PROPSPWD or (b) clean up the shell history after startup.
• JAR_VERSION above is the version of the jar file.

• You need to start the JVM process as a monitored service that keeps running even when the current user session ends. The java command shown above only illustrates how the JVM should be initialized.
• Logs are sent to standard output. If you want to stream the logs to a directory on disk, edit the startup script /opt/symphony/symproxy/onprem-start.sh and append the additional parameters shown below when starting the java process:

--fileLoggingDir                If set, file logging is enabled and logs are written to this directory
--fileLoggingMaxFileSizeMB      Maximum log file size in MB before a new file is created (default: 10)
--fileLoggingMaxNumFilesPerDay  Maximum number of files retained per day (default: 5)

The logs from java process are written to /symproxy.log

Example: Your java process startup command (minus other JVM tune options) could look like:

java -jar symproxy-${JAR_VERSION}.jar --fileLoggingDir /opt/symphony/logs --fileLoggingMaxFileSizeMB 2 --fileLoggingMaxNumFilesPerDay 5

In the example above, the logs will be written to /opt/symphony/logs/symproxy.log

• If you want to have the Symprox connection talk to Pod using a proxy, then please add following system properties when you execute the jar

-Dproxy.uri=http://proxy.com:8080      // Add if the POD is behind a proxy

-Dproxy.km.uri=http://proxy.com:8080   // Add if the KEYMANAGER is behind a proxy
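The notes above ask for the password to be kept out of the shell history, for the JVM to run as a monitored service, and for file logging to be enabled. One way to meet all three from a service manager is a small launcher. The following is an added example, not code from the guide or from Symproxy: it reads the properties password from a file only its owner can read, rejects a file that other local users could read, passes the password to the JVM through the child process environment alone (no shell, so nothing lands in history) and builds the java command line as an argument list. The secret-file location, the use of SYMPROX_PASSWORD as the variable name and the omission of the GC tuning flags are assumptions; -DencPropertiesPasswordEnvVar and the --fileLogging* options are the ones the guide documents.

```python
import os
import stat
import subprocess
import tempfile
from typing import Dict, List

DEFAULT_WORKDIR = "/opt/symphony/symprox"   # install directory from the guide
DEFAULT_PASSWORD_VAR = "PROPSPWD"           # variable Symproxy reads by default


def read_protected_secret(path: str) -> str:
    """Return the properties password from a file only its owner can read.

    Any group/other permission bit is refused, so a mis-chmodded secret file
    fails loudly instead of handing the JVM a secret other users could read.
    """
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/other accessible; expected mode 0400 or 0600")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not owned by the user launching Symproxy")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")


def build_env(password: str, var_name: str = DEFAULT_PASSWORD_VAR) -> Dict[str, str]:
    """Child environment: the parent's variables plus the password variable only."""
    env = dict(os.environ)
    env[var_name] = password
    return env


def build_command(jar_version: str, log_dir: str,
                  var_name: str = DEFAULT_PASSWORD_VAR) -> List[str]:
    """argv for the JVM as a list; no shell is involved, so nothing is recorded in history.

    The GC tuning flags from the guide are left out here (assumption); the
    options that matter for secret and log handling are kept.
    """
    cmd = ["java", "-Xms2g", "-Xmx2g"]
    if var_name != DEFAULT_PASSWORD_VAR:
        # Tell Symproxy which variable holds the password (guide: encPropertiesPasswordEnvVar)
        cmd.append(f"-DencPropertiesPasswordEnvVar={var_name}")
    cmd += ["-jar", f"symprox-{jar_version}.jar",
            "--fileLoggingDir", log_dir,
            "--fileLoggingMaxFileSizeMB", "10",
            "--fileLoggingMaxNumFilesPerDay", "5"]
    return cmd


def launch(secret_file: str, jar_version: str, log_dir: str,
           workdir: str = DEFAULT_WORKDIR,
           var_name: str = DEFAULT_PASSWORD_VAR) -> subprocess.Popen:
    """Start Symproxy with the password passed only via the child's environment.

    Invoke this from a service manager (systemd, supervisord) so the JVM keeps
    running after the login session ends, as the guide requires.
    """
    password = read_protected_secret(secret_file)
    return subprocess.Popen(build_command(jar_version, log_dir, var_name),
                            env=build_env(password, var_name), cwd=workdir)


def demo() -> Dict[str, object]:
    """Dry run that never starts a JVM: writes a constructed password to a 0600
    temp file, reads it back through the permission check, then shows that a
    world-readable copy of the same file is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = os.path.join(tmp, "symprox.pwd")   # assumed file name
        with open(secret_file, "w", encoding="utf-8") as fh:
            fh.write("constructed-example-password\n")
        os.chmod(secret_file, 0o600)
        password = read_protected_secret(secret_file)
        env = build_env(password, "SYMPROX_PASSWORD")
        cmd = build_command("1.0.0", "/opt/symphony/logs", "SYMPROX_PASSWORD")
        os.chmod(secret_file, 0o644)
        try:
            read_protected_secret(secret_file)
            rejected = False
        except PermissionError:
            rejected = True
    return {"password": env["SYMPROX_PASSWORD"], "command": cmd,
            "world_readable_rejected": rejected}
```

launch() is what a service unit would call; demo() only exercises the checks. The password is still visible in /proc/<pid>/environ to the same user and to root, which is inherent to handing it over through the environment as Symproxy expects, so the file permissions and the service account's isolation are what actually protect it.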

Verifying that Symproxy application is running fine

1. If you just started the Symproxy application, you should see log messages similar to those below. If you are checking the status of an existing running Symproxy process, proceed to Step 2 below.

[Symproxy ASCII-art startup banner]
2017-09-22T16:10:20,320 INFO [main] EFv2App info - JVM networkaddress.cache.ttl setted up to: 10
2017-09-22T16:10:20,345 INFO [main] HealthCheckServer info - Health Check Server started on port 8081
2017-09-22T16:10:20,361 INFO [main] SymphonySessionBuilder info - Connecting to Pod: https://
2017-09-22T16:10:22,077 INFO [main] SharedKeyClientAuthenticator info - INFO SESSION TRUE CSRF TRUE
2017-09-22T16:10:22,281 INFO [main] SymphonySessionBuilder info - Got Pod Info: { "data" : { "externalPodId" : 105, "rtcMediaBridgeEvents" : false, "publicPod" : false, "podId" : 105, "currentRotationStarted" : null, "baseUrl" : "https://", "emailLookupService" : null, "memberBanningAvailable" : true, "segmentWriteKey" : "<...>", "cep" : false, "enforcePostMessageLengthCheck" : false, "clientEventLoggingAllowed" : true, "featureRtcVideo" : true, "featureRtcScreenSharing" : false, "logPerformance" : true, "featureRtcSwitchMeetingViewModeAvailable" : false, "defaultMeetingViewMode" : "EMBEDDED", "pubnubPublishKey" : "pub-c-798b0bcd-395d-4957-b205-df281477f338", "configurationType" : "podInfo", "currentRotationId" : 0, "keyManagerUrl" : "https://", "canShowHistory" : true, "featureRtcAudio" : true, "sessionExpirationHours" : 336, "showCheckForMissingMessages" : true, "rotationPeriod" : null, "pubnubSubscribeKey" : "sub-c-b90be12e-710b-11e4-94ac-02ee2ddab7fe", "roomLockingAvailable" : true, "doAutoSearchForMissingMessages" : null, "discovery" : null, "emailService" : null, "featureRtcDoubleEncryption" : false } }
2017-09-22T16:10:22,796 INFO [main] SharedKeyClientAuthenticator info - INFO SESSION TRUE CSRF TRUE
2017-09-22T16:10:22,996 INFO [main] SymphonySessionBuilder info - Retrieved PrivateRSA from KM. Length: 1679
2017-09-22T16:10:23,007 INFO [main] EFv2Service info - Login Successful
2017-09-22T16:10:23,288 INFO [main] SymphonySession info - Retrieved wrappedAccountKey from KM.
2017-09-22T16:10:23,421 INFO [main] SymphonySession info - Unwrapped AccountKey
2017-09-22T16:10:23,421 INFO [main] EFv2Service info - Retrieved Account Key
2017-09-22T16:10:23,550 INFO [main] SymphonySession info - Retrieved EntityKeyInfo from KM.
2017-09-22T16:10:23,550 INFO [main] EFv2Service info - Retrieved Entity Key
2017-09-22T16:10:23,956 INFO [main] SymproxyOperation info - Symproxy session started with id: 59c59860e4b0973c06911fc0
2017-09-22T16:10:23,956 INFO [main] EFv2Service info - Retrieved symproxy id: 59c59860e4b0973c06911fc0
2017-09-22 16:10:23,975 main INFO Log4j appears to be running in a Servlet environment, but there's no log4j-web module available. If you want better web container support, please add the log4j-web JAR to your web archive or server lib directory.
2017-09-22T16:10:23,983 INFO [main] status of - No valid proxy info provided.
2017-09-22T16:10:23,999 INFO [main] SymproxCloudLoggerFactory initCloudLogger - Remote Cloud logging configured. Status: Connected
2017-09-22T16:10:24,015 INFO [main] status of - No valid proxy info provided.
2017-09-22T16:10:24,018 INFO [main] EFv2Service info - Metrics initialized
2017-09-22T16:10:24,091 INFO [main] PolicyLoader info - Policies Cache built with 1000000 terms as maximum
2017-09-22T16:10:24,345 INFO [main] PolicyLoader info - Read # of terms: 10 from dictionary [id:59baae53e4b0e46dc87de985, name:av shapes dict 1, version:1.2]
2017-09-22T16:10:24,361 INFO [main] PolicyLoader info - Read # of terms: 48 from dictionary [id:59baf80ce4b0e46dc87deb68, name:Updated agent demo dictionary, version:1.2]
2017-09-22T16:10:24,363 INFO [main] PolicyLoader info - Policies cache initialized with 2 policies
2017-09-22T16:10:24,363 INFO [main] EFv2Service info - Loaded EF Policies!
2017-09-22T16:10:24,368 INFO [main] RLPProtobufServiceBinder info - ReceiverPoolSize: [30] URL: [https://]
2017-09-22T16:10:24,372 INFO [main] RLPProtobufServiceBinder info - Initializing EFv2Service: 59c59860e4b0973c06911fc0
2017-09-22T16:10:24,373 INFO [main] ReverseLongPollServiceReceiver start - Starting service receiver servicePool with id ~dlp.SymProxy~dlp.LoggerService~:59c59860e4b0973c06911fc0 to url https:///container-manager/service/ of size 30
2017-09-22T16:10:24,380 INFO [main] RLPProtobufServiceBinder info - EFv2Service RLP Started: https:///container-manager/service/
2017-09-22T16:10:24,383 INFO [main] EFv2Service info - Application Started in : 4.027 s

If you see errors/exceptions during startup of application then it indicates some sort of issue during application initialization. Search for exception stack trace and contact Symphony support for help in debugging the issue.

2. Invoke the Symproxy health-check endpoint to see whether Symproxy is running correctly. For example:

curl http://:/status

Note: Default healthcheck port (controlled by "healthcheck.port" settings in application.properties file) is 8081.

A sample good health status is shown below:

{"status":"ok","canLoadPolicies":true,"canConnectToKeystore":true,"processingErrorRate":0.0

For more explanation, please refer section "Symproxy Error and Unhealthy States".

3. Go to Admin and Compliance portal and check if you see your Symproxy process status as "CONNECTED". See below:

The "CONNECTED" status indicates that the running Symproxy instance is able to connect to the Pod and it is sending heartbeat periodically.

4. Check for exception messages in the logs to see obvious issues with running Symproxy process. Please contact Symphony support team for assistance in case you see logs with exception stack traces.

Stopping running Symproxy process

1. Find the Process ID of running Symproxy instance on your machine by either:

Grepping for Symproxy process in list of running processes: `ps -ef | grep -i symprox`.

Look for "Process ID" column values in the table that contains list of all Symprox instances running against your Pod (see above). Check for values in rows for "CONNECTED" Symproxy instances.

2. Send SIGINT to the process.

kill -s SIGINT

Symproxy Error and Unhealthy States

Below are some of the possible Symproxy unhealthy states:

1. Cannot load the policies: If a Symproxy encounters an error while trying to load, decrypt and parse the policies, the Symproxy is considered unhealthy. Incoming requests to the Symproxy will still be enforced against any loaded policies where applicable; however, if there is at least one policy from SBE that the Symproxy could not understand and is not enforcing, the Symproxy is considered unhealthy.

2. Cannot connect to keystore: If a Symproxy encounters an error while retrieving public room content keys from the keystore, the Symproxy is unhealthy. Symproxies cache all public room content keys for all rotation Ids for a set amount of time (default is one hour). When the cache expires, the Symproxy makes another request to the keystore to retrieve the latest public room content keys. These keys are required to decrypt dictionary content. If the Symproxy cannot decrypt dictionary content, it cannot enforce content.

3. Processing error rate: Every Symproxy keeps track of the number of enforcement requests it processes. It also tracks the number of requests that encounter errors. If the ratio of errors to total requests is greater than 5%, the Symproxy is considered unhealthy. The rate is based on an exponentially-weighted one-minute count, so more recent errors carry more weight in the calculation of the error rate.
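The health-check response shown earlier and the three unhealthy states listed above can be turned into an automated check that a monitoring job runs against the /status endpoint. The following is an added example, not code from the guide or from Symproxy: evaluate_status() maps the JSON fields the guide shows (status, canLoadPolicies, canConnectToKeystore, processingErrorRate) to the unhealthy states, treating a missing field as a failure, and ErrorRateTracker models the exponentially-weighted one-minute error rate with the 5% threshold. The guide gives the window and the weighting but not the decay formula; decaying both counters by exp(-elapsed/60 s) before each update is an assumption made here to reproduce "more recent errors carry more weight". The sample JSON bodies are constructed after the guide's "good" response.

```python
import json
import math
import time
from typing import List, Optional

ERROR_RATE_THRESHOLD = 0.05   # guide: an error rate above 5% marks the instance unhealthy
WINDOW_SECONDS = 60.0         # guide: exponentially-weighted one-minute count


class ErrorRateTracker:
    """Exponentially-weighted one-minute counts of processed and failed requests.

    Assumption: both counters decay by exp(-elapsed / 60 s) before each update,
    so a burst of errors ten minutes ago has almost no effect on the rate now.
    """

    def __init__(self, now: Optional[float] = None) -> None:
        self.total = 0.0
        self.errors = 0.0
        self.last = time.monotonic() if now is None else now

    def _decay(self, now: float) -> None:
        factor = math.exp(-max(0.0, now - self.last) / WINDOW_SECONDS)
        self.total *= factor
        self.errors *= factor
        self.last = now

    def record(self, failed: bool, now: Optional[float] = None) -> None:
        """Count one enforcement request; failed=True if it hit a processing error."""
        self._decay(time.monotonic() if now is None else now)
        self.total += 1.0
        if failed:
            self.errors += 1.0

    def rate(self, now: Optional[float] = None) -> float:
        """Current weighted error rate (0.0 when nothing has been processed)."""
        self._decay(time.monotonic() if now is None else now)
        return 0.0 if self.total == 0.0 else self.errors / self.total

    def unhealthy(self, now: Optional[float] = None) -> bool:
        return self.rate(now) > ERROR_RATE_THRESHOLD


def evaluate_status(payload: str) -> List[str]:
    """Map a /status JSON body to the list of unhealthy states it reports.

    An empty list means healthy. Field names are those of the guide's sample
    response; a missing field counts as failing rather than passing.
    """
    status = json.loads(payload)
    reasons = []
    if not status.get("canLoadPolicies", False):
        reasons.append("cannot load policies: at least one SBE policy is not being enforced")
    if not status.get("canConnectToKeystore", False):
        reasons.append("cannot connect to keystore: public room content keys, and so "
                       "the dictionaries, cannot be decrypted")
    rate = float(status.get("processingErrorRate", 1.0))
    if rate > ERROR_RATE_THRESHOLD:
        reasons.append(f"processing error rate {rate:.1%} exceeds {ERROR_RATE_THRESHOLD:.0%}")
    if status.get("status") != "ok" and not reasons:
        reasons.append(f"status reported as {status.get('status')!r}")
    return reasons


# Constructed sample bodies, modelled on the guide's "good" response.
HEALTHY_STATUS = ('{"status":"ok","canLoadPolicies":true,'
                  '"canConnectToKeystore":true,"processingErrorRate":0.0}')
KEYSTORE_DOWN = ('{"status":"error","canLoadPolicies":true,'
                 '"canConnectToKeystore":false,"processingErrorRate":0.01}')
```

A monitoring job would fetch http://<host>:<healthcheck.port>/status, pass the body to evaluate_status() and alert on a non-empty list; the "cannot connect to keystore" state is the one to watch after a Key Manager change, because once the one-hour key cache expires no dictionary can be decrypted and enforcement stops.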

INFORMATION BARRIERS

Control internal information flow between groups of users in order to avoid inappropriate communication and collaboration that could result in compliance violations.

Use the Admin Portal to create internal boundaries between groups. First create an IB Group by clicking GROUP MANAGEMENT, and then selecting Create an IB Group, as shown below:

Assign users to the group by searching for them in the Membership window.


Activate Block Policy between groups as follows: Select POLICY MANAGEMENT and click Create IB Policy.

Block members of the IB group from communicating with another group:


CHAT ROOM REMEDIATION

When the sole owner of a room is removed because of a new Information Barrier policy or because of a change to their external communications entitlement, the room continues: the oldest member who is free of an IB or entitlement constraint is promoted to owner.

DISCLAIMERS

Admins and later compliance officers can configure warning messages to be displayed following specific user actions – at this time, this is when users communicate with external users. Disclaimers can contain up to 1,500 characters.

To create a disclaimer, select DISCLAIMER INSERTION from the left Nav. Disclaimers can be set for individual users. This is accomplished by first creating a named disclaimer and then assigning the named disclaimer at the user level.

A disclaimer can be set to display based on a specific number of days: every two days, etc. Setting this value to ‘0’ will cause the disclaimer to be displayed every time the user posts a message externally.

AUDIT TRAIL FOR DISCLAIMERS

Allows the super administrator to view all the changes made to any disclaimer in the pod.


The super administrator can also select a specific disclaimer and view the changes to that disclaimer, as shown below:

CONTENT SEARCH IN ALL CONVERSATIONS

The Super Compliance Officers and the Compliance Officers can use the All Conversations option in the left Nav. to:

1. Search all IMs, group IMs and rooms created by their users via a set of filters
2. Search for content in messages in IMs, group IMs and rooms: unfurl the Search Messages section to search using 3 filters:
  a. Message Created By (User),
  b. Message Created In (Timeframe), and
  c. Keywords (3 max.).

The table includes a Scope tab showing either Internal or External, Member count, whether the conversation is enabled, the company that created the conversation and the person who created the conversation as well as basic information about activity and status (see the screenshot below for the complete list).

The S/CO must first filter the conversations down to 200 or fewer before doing keyword searches. When message filters are used, each conversation in the results will include the number of matching messages per room. In the example below, the search for all conversations containing messages created by a specific user returned 9 conversations. There are 3 messages created by this user in the first conversation.


Clicking on the number of matching messages in a given room allows the S/CO to view the list of messages in that room.

Furthermore, if the S/CO needs more information to understand the context of a specific message, the S/CO can click on the View in Room History link to view the history of the room at that time.


MONITORING

The SCO and COs with the appropriate entitlement can display a room or wall post (per user) and monitor it in real time. First select ALL Conversations from the left Nav (see above). Then display the room details by clicking on the room in the list and selecting the Monitor Room button located at the top right of the room details (shown in the screenshot below).

Here is an example of a room monitor in progress:

SESSION LOG

SCO and COs will be prompted to provide an explanation for their session; the description and relevant statistics related to the session will be logged and searchable in the audit trail.

Select SCO/CO SESSION LOG and a list of logins will be displayed as shown below:

Select the username and then Audit Trail from the user detail screen. Each login will be accompanied by an explanation based on what was entered when the compliance officer logged in.

VIEW DELETED WALL POSTS

Super Compliance Officers and Compliance Officers can use the POSTS tab to view wall posts that end users have deleted. Click the toggle to the right of the end user’s name to view or hide the deleted post.

THE SYMPHONY PLATFORM

This section is an extract from information provided on the Symphony developer site: https://developers.symphony.com

REST API

The Symphony REST API lets you build tools and applications on top of Symphony's secure messaging platform:

• Use the Pod endpoints to build tools to manage Symphony for your organization. Pod API endpoints don't require encryption or decryption of content and include operations such as managing chat rooms or users.

• Use the Agent endpoints to build applications that send and receive messages and content. Agent API endpoints require an on-premises Agent installation to encrypt and decrypt content.

Agent Installation

The Agent server can be downloaded from the developers.symphony.com and requires:

• Centos 6.5 and 7.0 (update 80)

• Java 8

• Tomcat 8.0.26

• Atlas configuration (instructions provided)

Other Prerequisites

The Agent will be installed as part of an operational Symphony service where a certificate-based trust relationship has been established between your dedicated Symphony cloud service and your Key Manager.

In the diagram below, we show the various elements included in the certificate-based trust infrastructure. Two naming conventions for their dedicated Symphony services are available for customers:

1. MyCompany.Symphony.com
2. Symphony.mycompany.com

The approach for generating certificates is specific to the domain name option selected:

On the Agent server, install:

A. Root cert for the pod (scenario 1 or 2) added to the Trust Store
B. The Key Manager's root cert (preferably from an external CA) in the Trust Store

C. The Agent's Server cert added to the Agent's Key Store - obtained from internal PKI

The commands below can be used to install the certificates on the Agent server. The first command is used for adding A and B (from the diagram above) to the Trust Store and the second command is used for adding C to the Key Store:

$> keytool -importcert -trustcacerts -keystore /data/tomcat/certs/truststore -file YourFile.CRT -alias pod -storepass changeit

$> keytool -genkeypair -keyalg RSA -alias 1 -keystore ./atlas/symphony/global/certs/server.keystore -storepass changeit -validity 730 -keysize 2048

CONFIGURING THE AGENT APPLICATION

Follow the three steps below to configure your Agent app on your pod:

Step 1: Install a root signing cert for your app


Step 2: Create a service account for the app using the Admin Portal

Step 3: Configure certificates on the App host

A. Install root certs for the pod (scenario 1 or 2) in the Trust Store of the Bot.

B. Install a Client Type cert in the Key Store of the BOT - obtained from internal PKI CA

The commands below can be used to install the certificates on the Agent app host machine. The first command is used for adding A (from the diagram above) to the Trust Store and the second command is used for adding B to the Key Store:

$> keytool -importcert -trustcacerts -keystore /data/tomcat/certs/truststore -file YourFile.CRT -alias pod -storepass changeit

$> keytool -genkeypair -keyalg RSA -alias 1 -keystore ./atlas/symphony/global/certs/server.keystore -storepass changeit -validity 730 -keysize 2048

CLIENT EXTENSION API (JAVASCRIPT)

The Client Extension API lets developers extend the functionality of the Symphony client by creating standalone applications. It also includes methods for adding items to the left navigation and adding buttons and interactions to the user interface.

Managing Applications

Symphony provides APIs for extending and enriching the Symphony experience with new functionality and third-party content. Several partners such as Dow Jones, FinTech Studios and Selerity are currently providing free versions of their applications to Symphony users; these, as well as any in-house applications developed using the Symphony APIs, can be activated using the APP MANAGEMENT option located in the left Nav of the Admin Portal.


Installing a New Application

To install a new in-house application, first select APP MANAGEMENT from the left Nav of the Admin Portal – see screenshot below. You are presented with a list of currently installed applications. To add a new application to this list, click on the Add Custom App button. Symphony will present the following form (fields marked with stars are required):

Provide a name for your application and then provide the URL for the iFrame containing the app. This URL must be reachable from the network used by your target users. Provide the name of the developer and then provide a domain restriction for your app. This is the domain name portion of the URL provided above and is a preliminary security feature used to prevent cross-site scripting – additional protections will be incorporated in the future.

You can also optionally provide a description as well as the location of an image to be used as an icon in the app store. This is the image users will see when they use the application inside Symphony. Once you are satisfied with the information provided for your application, press Add and this application will be added to your list.

Application Entitlement

The next step is to entitle your users to see, install and use the application. The steps described in this section are also applicable to third-party applications such as the ones described at the beginning of this section. You can either manage App Entitlement for all users at once (system-wide settings) or at the individual user level. To manage at a system-wide level, click on the APP SETTINGS screen (see screenshot below):

Global Status is used to set the application to Enabled or Disabled. This setting is the entry point for the release of the application to users in your organization. If the application is Disabled then users will not be able to see, install or use the application. Visibility (Visible or Hidden) determines whether users can see the application in their App Stores. Installation determines whether the application is Automatically installed for all users or whether it must be installed by users themselves: Manual. If Manual is set, it is still possible to fine tune this setting for specific users using individual Applications option within the User Detail screen shown below:


In this case, setting the Installation option to Installed will install the application for this user, otherwise if the application is set to Visible but the Installation field is set to Not Installed, then this user has to select Add from the App Store, see screenshot below:


Application Subscription Management

Once an application partner has registered a premium app, it can be allocated and installed for users by the Pod Administrator. Users will either see the new app in the Symphony Market (Symphony’s application hub), from where they can install it, or the admin may prefer to have it installed automatically for their users. This can be configured using the APP SETTINGS option in the left Nav. of the admin portal.

In the screenshot below, we show a list of APPLICATIONS being assigned to a specific user. Standard applications are free, whereas Premium applications require a subscription.


When using the APP MANAGEMENT option, the admin can also display their current balance:

• Licenses used
• Licenses remaining (balance)
• Total Licenses (used and remaining)

Audit trails are available to track when applications are assigned to users. The following events are tracked:

• App enabled/disabled
• Licenses granted/removed for a product
• App installation changed - automatic/manual
• App visibility changed - visible/hidden

The audit trail displays, for each event:

• Date of event
• Initiator (internal user, or publisher)
• Product impacted
• User impacted (for installs and subscriptions)

Symphony Analytics App Setup & Administration

The App will be installed by Symphony Support and licenses assigned as per the MSA.

Configuring default App Settings for Symphony Analytics App

Go to the Admin Console and click on APP SETTINGS in the left navigation menu.

The recommended settings for the Symphony Analytics App are:

Setting        Recommended value
Global Status  Enabled
Visibility     Hidden
Installation   Manual

Update the settings and click Save. Review the changes in the “Save Changes” dialog and click Save to confirm them.

Managing Application

Go to the Admin Console and click on APP MANAGEMENT in the left navigation menu.

Click on the Symphony Analytics application.

The APP INFORMATION tab gives details on the Subscription Licenses: the number used, remaining and total.

Assigning Licenses to Users

Access to the Symphony Analytics application is managed on each user record. Search for the desired user and click on the APPLICATIONS tab

Update Visibility, Installation and Subscription as desired

If Visibility = Hidden and Installation = Installed, the user should be able to see the Symphony Analytics app under Applications.

If Visibility = Visible and Installation = Not Installed, the user should be able to see the application in the Symphony Market and be able to install it themselves.

License Types

Subscription levels are as follows:

Subscription level | Licenses | Access
Standard | Unlimited licenses | A preview of the available metrics should the user be enabled for the Premium version of the app, and details on how to get a license.
Premium | 5 licenses, or as agreed on in MSA | Access to POD and TEAM usage
Premium Plus | 5 licenses, or as agreed on in MSA | Access to POD and TEAM usage, as well as INDIVIDUAL usage and tracking

Standard

A preview of the available metrics should the user be enabled for the Premium version of the app and details on how to get a license.

Premium

5 licenses, or as agreed on in MSA. Includes access to analytics and metrics for the following:

● POD Usage, including:
  ○ Daily, weekly, and monthly activity
  ○ Message Sent distributions
  ○ External communication (xpod) summary
  ○ Attachment, Mobile, and Desktop tracking
  ○ App usage
● Team breakdowns, including:
  ○ Provisioned, Active and Inactive users per team
  ○ Activity by department
  ○ Activity by division
  ○ Activity by country

Premium Plus

5 licenses, or as agreed on in MSA. Includes access to analytics and metrics for the following:

● All PREMIUM metrics, as described above
● Individual usage, including:
  ○ Top users
  ○ Inactive users
  ○ Bot activity
  ○ App usage
  ○ Externally communicating users

For any questions about app content, installation, management, or user feedback, please contact [email protected].

MANAGEMENT OF SYMPHONY INTEGRATIONS

Integrations connect software applications directly with the Symphony platform using webhooks technology. The Integrations currently available are JIRA, Salesforce, GitHub, Zapier and the Universal Webhook. Symphony users can receive updates from these applications directly within Symphony chats. Administrators can view the configuration history of Integrations by navigating to APP MANAGEMENT in the left NAV and selecting an Integration such as JIRA. The APP INFORMATION tab provides the configuration history as shown below.


Configuration fields and their descriptions:

Created By: The username of the person who configured the Integration in Symphony.
Date Created: The date and time the Integration was configured.
Last Updated: The last time the configuration was changed.
Last Active: The last time the Integration sent a notification to a Symphony chat.
Total Rooms: The number of chat rooms and IMs receiving notifications from the Integration. If the notifications are being delivered to one-on-one IMs, this number is displayed as 0.
Posting In: The names of chat rooms receiving notifications from the Integration.

Hovering over the “Posting In” field displays a pop up with the names of all the chat rooms receiving notifications from the Integration.

PROVISIONING APIs

Developers can use the Provisioning APIs to manage roles and assign optional entitlements to Compliance Officers programmatically.

• Example roles that developers can assign programmatically are Administrator, Super Administrator, Super Compliance Officer, User, etc.
• Example entitlements that developers can assign are:
  o Can monitor rooms
  o Can ban or remove a ban from accounts

Note that optional entitlements or actions can only be assigned to the Compliance Officer role.

Developers can access the documentation for the Provisioning APIs here: https://developers.symphony.com/. Example APIs included in the documentation are as follows:

• List all roles and optional entitlements that can be assigned
• Find all accounts that have a given role
• Find all accounts that have a given role and optional entitlement
• View the list of roles and optional entitlements assigned to an account
• Add a role or optional entitlement to an account
• Remove a role or optional entitlement from an account

BULK MANAGE ACCOUNTS (CSV IMPORT)

You can use the BULK MANAGE ACCOUNTS option to make changes to or add multiple users at once. In this section we provide the information you need for creating CSV files and managing the upload process.

OVERVIEW

Here’s a quick summary of the steps you’ll use:

1. Select the BULK MANAGE ACCOUNTS option.
2. Obtain the CSV template.
3. Load the CSV file into a spreadsheet or other editor.
4. Enter user information in CSV format.

   Note: The `firstName` and `lastName` attributes have a 64-character limit. All other attributes have a 256-character limit.

5. Save your updates (be careful to save as a CSV file).
6. Drag and drop your CSV file into the drag and drop zone on the Symphony Admin portal.
7. The CSV file will be validated.
8. Press Import.
9. A further verification will be carried out on the file contents.
10. View the report and fix any errors encountered.

GET THE CSV TEMPLATE

To help you set up the column headings of the CSV file correctly, we provide a CSV template file for you to download. The first time you do this, you may want to see the empty version. Later on, you will always pre-populate the file with your current user definitions. This is the best way to ensure you have the latest profile information for your users. Remember that multiple admins may be making changes.

• Select BULK MANAGE ACCOUNTS on the Admin portal and you will see the screen below. First decide whether you want an empty template (de-select the Include all existing users… box) or select the box to get the complete list of users on your system.
• Then click the Download Sample CSV button.

INTRODUCING THE CSV FORMAT

The CSV format is officially defined in RFC 4180. However, you will find various interpretations of the “standard,” which can lead to unpredictable behavior. To provide consistency, we recommend the following:

1. Eliminate leading or trailing spaces, as these will be interpreted as belonging to the field, which might not be what you want.

   Example: `Leonardo,Fibonacci` rather than `Leonardo , Fibonacci`

2. You will need quotes when importing fields that contain commas.

   Example: "Department of IT, Networking and Communications"

   You should make sure the quote character is the ASCII 34 (22 hex) symbol rather than your word processor’s quotation marks, which will be interpreted as part of the field rather than as a CSV delimiter. To illustrate this challenge: I am typing this document in Word, which intelligently displays hyphenation marks whenever I press the quote symbol on my keyboard. This of course is not what I want for my examples, so I have to manually enter the ASCII symbol, which delivers " rather than “.

CSV FOR SYMPHONY

End-User and Admin Accounts: the CSV import process cannot be used to promote regular users to admins. Use the Admin Portal to:

• Promote regular users to admins / demote admins to regular users
• Deactivate and reactivate accounts

Column Headings: The first row of the CSV file contains the column headings. The column order does not matter, but the headings must use the following values:

In release 1.52:

    Username,emailAddress,twoFactorAuthPhone,mobileNumber,workPhone,password,prettyName,firstName,surname,assetClass,industry,title,deptName,divName,location,jobFunction,companyName,entitlement,active,active,disclaimer

In release 1.51:

    username,surname,firstName,prettyName,emailAddress,title,location,workPhone,mobileNumber,twoFactorAuthPhone,companyName,jobFunction,assetClass,industry,deptName,divName,password,active,disclaimer

Note: twoFactorAuthPhone is the primary login phone number used for two-factor authentication of ACP users.

The list of company names can be accessed by going to CREATE AN ACCOUNT and looking for the companyName drop down menu under Business Information as shown below.

In release 1.52, Admins can use the Bulk Manage Accounts feature to view, add, or remove user entitlements.

• The Admin can access a list of all entitlements assigned to each user account by clicking ‘Download Template with User Info’ in the Bulk Manage Accounts section or by clicking ‘Export all accounts’ in the browse accounts section. The entitlements are separated by ‘%’.

Bulk entitlement report to show entitlements per user

• The Admin can assign entitlements when creating accounts using the bulk process. Admins can also update the entitlements of existing user accounts using the bulk process.
• Note that updating the list replaces all entitlements with the new list. Therefore, if an account had entitlement E1 before and the CSV for the update lists E2%E3, then after the update E1 is disabled while E2 and E3 are enabled.


Case-Sensitive: Column headings are case-sensitive and must follow the format shown above.

Size Limit: The maximum number of data rows (rows containing information about your users) is 3000.

Required Fields: The required fields (emailAddress, surname, firstName, prettyName, password) must be included.

Username: If you activate SSO then this field will be used to identify and authenticate your users with your corporate directory. You should use the same unique identifiers that you use for your corporate directory.

Optional Fields: Any combination of the optional fields can also be included; in this case a null value (empty field) will delete the contents of that field for that user. However, the “password” field is a special case (see below).

Password field

In this section we’ll focus specifically on the password field. While it is acceptable to create and update other optional fields at the same time, our examples will be limited to password actions.

Creating Users: When we create a user with the CSV import process, we have two options:

Password: We can type in a valid password manually (15 characters minimum, uses upper and lower case, includes a number and includes a special character).

SEND_EMAIL: Enter “SEND_EMAIL”, in which case Symphony will generate an email prompting that user to Set password. This option enables you to avoid the burden of coming up with valid passwords on behalf of your users and communicating these passwords to them. Equally important, you avoid the need to secure or preferably delete the CSV file after use.

Password Example 1 – Manually setting the password

    username,surname,firstName,prettyName,emailAddress,password
    LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],First7Fibonacci#s

Password Example 2 – Triggering the “Set Password” email

    username,surname,firstName,prettyName,emailAddress,password
    LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],SEND_EMAIL

Updating existing users’ passwords: To make changes to user accounts, it is strongly recommended that the admin first generate an up-to-date view of user definitions by downloading the CSV from the admin portal. The process for doing this is similar to the one we followed when we downloaded the CSV template earlier. This time, select Include all existing users in spreadsheet and then press Download sample CSV:


When you do this, you will notice that any users who have set their passwords will have password information represented by an asterisk in their password field. Users who have not set their passwords will have blank (null) password fields.

    username,surname,firstName,prettyName,emailAddress,password
    LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],
    LFib,Fibonacci,Leonardo,Leo Fibonacci,[email protected],*

If SSO has been set, you should expect to see mostly blank password fields. If SSO is not enabled and you used the “SEND_EMAIL” method, then blank values will indicate users who have not yet set their passwords and therefore have not yet started using Symphony. You may decide to trigger an additional email to those users to encourage them to activate their accounts:

    username,surname,firstName,prettyName,emailAddress,password
    LBonacci,Bonacci,Leonardo,Leo Bonacci,[email protected],SEND_EMAIL

Using the password field, we have three options with the CSV files:

1. No change to the password: Leave the password field with one or more asterisks, or blank (if no password had been set).
2. Manually set a new password: Type in a valid password string in the password field.
3. Generate a set password email: Enter “SEND_EMAIL” in the password field.
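The following pre-upload check applies the CSV rules described in this section (case-sensitive headings, required columns, the 64/256-character limits, the 3000-row cap, the password policy, the SEND_EMAIL and asterisk markers, and the ‘%’-separated entitlement list) before a file is dragged into the Admin Portal. It is an added example, not Symphony’s own tooling; all sample rows are constructed, and treating surname as the 64-character lastName attribute is an assumption.

```python
"""Pre-upload checks for a Symphony Bulk Manage Accounts CSV (added example,
not Symphony's tooling). Encodes the rules this guide states: case-sensitive
headings, required columns, 64/256-character limits, 3000-row cap, password
policy, the SEND_EMAIL and '*' markers, '%'-separated entitlements."""
import csv
import io

REQUIRED = ("emailAddress", "surname", "firstName", "prettyName", "password")
MAX_ROWS = 3000
# Guide: firstName/lastName are limited to 64 characters; surname is treated
# as the lastName attribute here (assumption). Every other field: 256.
SHORT_FIELDS = ("firstName", "lastName", "surname")
SEND_EMAIL = "SEND_EMAIL"

def password_ok(pw):
    """Guide's policy: 15+ chars with upper, lower, a digit and a special."""
    return (len(pw) >= 15 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def classify_password(cell):
    """Map a password cell to the action the import will take on it."""
    if cell == "" or set(cell) == {"*"}:
        return "unchanged"      # blank or asterisks: password left alone
    if cell == SEND_EMAIL:
        return "send_email"     # triggers the Set Password email
    return "set" if password_ok(cell) else "invalid"

def entitlement_changes(existing, cell):
    """The '%'-separated list REPLACES an account's entitlements, so report
    (enabled, disabled) to make an accidental removal visible before upload."""
    new = {e for e in cell.split("%") if e}
    old = set(existing)
    return sorted(new - old), sorted(old - new)

def validate(text):
    """Return (errors, warnings), each a list of (row, message); row 0 is the
    heading line. Errors are what the portal's validation should reject,
    warnings are hygiene points from the guide (plaintext passwords)."""
    rows = list(csv.reader(io.StringIO(text), strict=True))  # RFC 4180 quoting
    errors, warnings = [], []
    if not rows:
        return [(0, "empty file")], warnings
    headings = rows[0]
    for col in REQUIRED:                    # exact, case-sensitive match
        if col not in headings:
            errors.append((0, f"missing required column {col}"))
    data = rows[1:]
    if len(data) > MAX_ROWS:
        errors.append((0, f"{len(data)} data rows exceeds the {MAX_ROWS} limit"))
    for n, row in enumerate(data, start=1):
        if len(row) != len(headings):
            errors.append((n, "column count differs from the heading row"))
            continue
        rec = dict(zip(headings, row))
        for col, val in rec.items():
            if val != val.strip():
                errors.append((n, f"{col}: leading/trailing space is kept as field data"))
            if "\u201c" in val or "\u201d" in val:
                errors.append((n, f"{col}: word-processor quote; use ASCII 34"))
            limit = 64 if col in SHORT_FIELDS else 256
            if len(val) > limit:
                errors.append((n, f"{col}: {len(val)} characters exceeds {limit}"))
        kind = classify_password(rec.get("password", ""))
        if kind == "invalid":
            errors.append((n, "password: not SEND_EMAIL, '*', blank or policy-compliant"))
        elif kind == "set":
            warnings.append((n, "password: plaintext password present; delete the CSV after use"))
    return errors, warnings

# Constructed sample: a SEND_EMAIL row, an unchanged ('*') row, and a row with
# stray spaces around two fields plus a password that fails the policy.
SAMPLE = (
    "username,surname,firstName,prettyName,emailAddress,password,entitlement\n"
    "LBonacci,Bonacci,Leonardo,Leo Bonacci,lbonacci@example.com,SEND_EMAIL,E2%E3\n"
    'LFib,Fibonacci,Leonardo,Leo Fibonacci,lfib@example.com,*,"E1%E2"\n'
    "JSmith,Smith , John,John Smith,jsmith@example.com,short1,\n"
)
```

Running validate(SAMPLE) flags the third row three times (two stray spaces and the weak password) and nothing else, and entitlement_changes(["E1"], "E2%E3") reports E2 and E3 enabled with E1 disabled, matching the replacement rule above.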

In SSO mode: The third option can still be used if the pod has been configured for SSO. While it may seem redundant to allow a password to be set on an account that will not normally use one, there may be exceptions, such as certain mobile scenarios where having a password is needed.

MORE ABOUT SEND_EMAIL

It’s worth spending a little more time discussing the “SEND_EMAIL” instruction in order to avoid undesired outcomes.

Note: Symphony does not recommend reusing a CSV file and encourages you to delete CSV files after use in order to avoid security issues.

If you decide to reuse a CSV file, you may have left SEND_EMAIL instructions in the password field. This would trigger an additional “Set Password” email to those users when they may have already set their passwords. Being asked to reset their passwords for no reason will be perceived as an annoyance. To help avoid this, certain rules have been implemented:

1. Active for 24 hours: The set password link is active for 24 hours and then expires.
2. No repeat usage during the 24 hours: If a CSV upload contains a request to “SEND_EMAIL” to a user who has an active set password email, or a user who has set their password within the last 24 hours, then Symphony will flag that row as an error and move on to the next row in the file.
3. Use the Admin Portal: Use the admin portal to trigger the set password email if you need to override the two rules above.

IMPORTING CSV

• Select Import in the Admin Portal and simply drag and drop your CSV file into the area shown on the Symphony interface.

• Symphony will verify the file and if an error is encountered you will see a message similar to the one shown below:

• If all went well on the other hand, the Import users button will be activated – click on the button.

Symphony will process the CSV file and once completed, will provide a link to a report as follows:

DISPLAYING BULK JOB HISTORY

If you click on the BULK JOB HISTORY option to display the summary report, you’ll see a list of CSV uploads similar to that shown below.


If you click on a row, you will see details concerning this bulk import. Users will be grouped by:

• Created
• Updated
• Errors
• Unchanged

HANDLING ERRORS

Follow these steps when resolving import errors to avoid any unforeseen impact on the users who were successfully processed.

Note: Most such situations have been anticipated, but they will still generate error messages when you try to process previously imported rows.

1. Edit the CSV file and remove the successfully created users.
2. Fix the remaining error records (the import report provides some guidance on where problems may exist).
3. Save and re-upload the CSV file.

CREATE AND MODIFY USERS

Admins may want to combine account creation with account updates; see the example below:

    username,surname,firstName,prettyName,emailAddress,password
    LBonacci,Bonacci,Leonardo,Leo,[email protected],*
    LeoFib,Fibonacci,Leonardo,Leo Fibonacci,[email protected],SEND_EMAIL

In the first data row, we are updating an existing user by changing his prettyName. In the second, I am adding a new user and have set the password field to SEND_EMAIL, which will trigger a Set password email.

MANAGING ADMIN ACCOUNTS WITH THE CSV FILE

While it is certainly possible to make changes to the profile info of admin accounts using the CSV import process, you cannot promote a regular user to an administrator using CSV. This needs to be done via the UI in the Admin Portal.

CSV BEST PRACTICES

Your CSV files contain information that identifies your users, their departments and potentially even their passwords. So when you’re not actively working on a CSV file, it is important that you secure it and preferably delete it.

DEACTIVATING ACCOUNTS

There is no explicit way to deactivate an account using the CSV import process. Changing a password to something unknown by the user will not have an immediate effect on that user; it really depends on the duration of the user’s current session (Symphony uses a 20-hour session time span). Once that time span has elapsed, the user would be asked to re-authenticate, which they would not be able to do until you communicate the new password to them.

USAGE STATISTICS AND AUDIT TRAIL

USAGE STATISTICS

Symphony Admins can take the pulse of their private pod at any time by selecting USAGE STATISTICS from the left nav. Symphony generates statistics for the last 24 hours and last 7 days, up to the time at which this option is selected:

• Total number of user accounts defined on the system – end-users and admins (any de-activated accounts will not be included in this number)
• % of users that have logged in at least once
• % of users that have logged in during the last 24 hours
• % of users that have sent a message at least once during the last 24 hours
• Top 10 users who sent the most messages over the last 7 days – Symphony lists the users’ email addresses

If usage statistics are being displayed for the purposes of trending, then it is important to select this option at the same time each day.

Note: Usage Statistics generated during the first week after your Pod is activated will gradually populate this data. Full 7-day statistics will commence after the first week.

APPENDIX 1: CONTENT EXPORT SCHEMA

Please note CEB v1.52 and above uses v1.5.7 of the Symphony xsd shown below.

Important note for Actiance customers: The schema below is not applicable to the Actiance XML format. Actiance customers (customers with registered Actiance accounts) can obtain the Actiance xsd specification as follows:

1. Access the Actiance documentation portal: https://webhelp.actiance.com/Vantage/
2. Select 2015_R2.

Symphony XML:
