In the midst of a 2010 to 2013 migration, a requirement was proposed that was, well, one of those ‘head scratcher’ asks:
"We are upgrading from Group Chat 2010 to Persistent Chat but we don't want Persistent Chat users to be able to IM each other. IM must be disabled for the users who utilize Persistent Chat".
I’ll openly admit I struggled with understanding why one would require to do that, but it was a business requirement by the managers of the specific business units so we simply had to take it as-is and move on. One of the big advancements with Lync 2013 was that the Persistent Chat client was built-in to the normal Lync client application and did not require the deployment of a separate application like Group Chat 2010. Given the desire to upgrade to the newer client and newer back-end, a few options are available, all with caveats and issues to consider. So without further a-do, the options:
Option 1 – Keep Using the Group Chat 2010 Client
Given that the Group Chat 2010 client is supported with Persistent Chat, it does provide you a method to allow the restriction of IM but allow the usage of P-Chat. It’s not exactly an elegant solution, however, especially if you want to take advantage of the built-in functionality of P-Chat within the Lync 2013 (or Skype 2015/2016) client. You’re now maintaining two different sets of applications and having to ensure they only get installed on systems that require it. Not ideal and certainly not the easiest of solutions.
Option 2 – Deploy Client-Side Registry Keys to Disable IM
This one comes from way back in the OCS days where you could utilize registry keys to manage the client modalities and functionalities. Even with the newest clients, there are still registry keys that take precedence over what a client receives through in-band policy configurations.
reg add HKLM\Software\Policies\Microsoft\Office\15.0\Lync /v DisableIM /t REG_DWORD /d 1 /f reg add HKLM\Software\Policies\Microsoft\Office\16.0\Lync /v DisableIM /t REG_DWORD /d 1 /f reg add HKCU\Software\Policies\Microsoft\Office\15.0\Lync /v DisableIM /t REG_DWORD /d 1 /f reg add HKCU\Software\Policies\Microsoft\Office\16.0\Lync /v DisableIM /t REG_DWORD /d 1 /f
- Using Office 2013? Make sure you’re using the ‘15.0’ key above.
- Using Office 2016? Make sure you’re using the ‘16.0’ key above.
- Disabling IM for every user on a machine? Make sure you use one of the ‘HKLM’ keys above.
- Disabling IM for a specific user on a machine? Make sure you use on of the ‘HKCU’ keys above.
You can add the registry key to your standard Windows Image, add it via Group Policy Preferences or add it to a batch file for usage by SCCM or login scripts. However you accomplish it, it should look something like this when you’re done:
Option 3 – Use Ethical Walling Software
This would be the equivalent of Hub Transport rules in the Exchange Server world, but in Lync Server these are applications that run MSPL and/or UCMA functionality to examine and intercept SIP traffic. There are several third-party solutions that could be utilized for ethical walls:
- Ethical Wall for Lync (Microsoft)
- Vantage (Actiance)
- Ethical Wall (MultiEx)
- Ethical Wall (SkypeShield)
None of these are free, however, and given the desire to remain low-cost by this client, any third-party solutions were simply not an option.
As a result of the deliberations, Option #2 above was chosen and implemented. The registry key was pushed out to the enterprise. Following the registry key push, restart the Skype4B (or Lync 2013) application and when you do, you’ll notice that IM capabilities are now not available…
…while the Persistent Chat functionality is available…
I can chat away, all day long, within the confines of Persistent Chat but I have no ability to utilize normal Instant Messaging features within the client. Problem solved, right?
Given that this is a client-side registry key, it only applies to systems the key is installed on. Unfortunately this leaves a very large gap of places that someone could use IM:
- Systems that don’t have the registry key deployed
- Outlook Web App IM
- Mobility Clients
- Skype Basic Clients (or Lync Basic)
- Lync for Mac 2011 clients
- Skype for Business for Mac client
Generally speaking, Options 1 & 2 at the top of the post are valid ways to prevent users – in a well managed desktop environment – from utilizing IM. That being said, there are still numerous ways to potentially circumvent these settings and be able to send IM’s. Most circumventions could be managed by various policy configurations within Lync and/or Exchange, but in my opinion, you are far better off to look at utilizing ethical walling software to limit those interactions and to provide reporting on your users that may have breached those policy requirements.