Editor's note: Know a lot about this topic? Want to share your expertise? Participate in the IBM Lotus software wiki program today.
Lotus Domino administration policies and Lotus iNotes
With Lotus Domino 8.5, Lotus Domino administration mail policies are now properly supported by Lotus iNotes; they are no longer applicable only for Lotus Notes® users. For organizations that have deployed both Lotus Notes and Lotus iNotes, this availability now gives a more consistent experience, as users are properly restricted from updating various locked preference settings. Administrators can now also provide a different set of capabilities for two different users that are on the same Lotus Domino server. For example, an administrator can now easily remove major functional areas (such as Notebook or To Dos) from all users or a subset of users.
Because there is much to cover on this topic, this article is the second in a series and provides a detailed overview of the primary improvements to lite mode and administration policies. The first article, "New features in IBM Lotus iNotes 8.5: Full mode," covers improvements to full mode. The final article, "New features in IBM Lotus iNotes 8.5: Ultra-light mode and the redirector," covers the new Lotus iNotes ultra-light mode.
Lotus iNotes settings that influence behavior
Lotus iNotes retrieves settings from several different places:
- User preferences. Users have the ability to set their
own calendar and mail settings using the Preferences user interface.
Many of these settings are shared with the Lotus Notes client, but
others are specific to Lotus iNotes. Most of these settings are stored
in the following profile documents:
- Calendar profile. Used to store calendar and mail settings (shared with the Lotus Notes client).
- Color profile. Used to store certain preference settings, such as attention indicator settings, where changes can result in the need to rebuild key mail views (shared with the Lotus Notes client).
- iNotes profile. Used to store settings that are either unique to iNotes or had to be duplicated by iNotes as the comparable Lotus Notes client setting is not accessible by iNotes because the setting resides on a Lotus Notes client workstation and not the Domino server (used only by Lotus iNotes).
- DOLS profile. Used to store DOLS-specific settings (used only by Lotus iNotes).
- Server configuration document. Server configuration settings specific to Lotus iNotes can be found in the Lotus iNotes tab (the Lotus Domino Web Access tab in earlier releases). The server configuration document settings apply to all users on a particular server. They cannot be used to configure a subset of users in a particular way.
- NOTES.INI file on the Lotus Domino server. There are also many NOTES.INI settings that are available to customize Lotus iNotes. Similar to server configuration document settings, these settings apply to all users on a server.
Server configuration settings and NOTES.INI settings also typically affect only mail file replicas running on that server. If the same settings are not duplicated on the other servers housing mail file replicas, users might experience slightly different behavior based on which server is being accessed. Policies provide a way to have a consistent experience across all database replicas.
How do Lotus Domino policies work?
Lotus Domino has had policies support since Lotus Domino 6.0. Mail policies were supported by the Lotus Notes client in Lotus Notes and Domino 7.0. In the following few paragraphs we go over the building blocks for policies and how to use them as part of a Lotus iNotes deployment. For a detailed description of Lotus Domino policies, refer to other developerWorks® articles and administration help:
A policy is a group of settings that alter the user experience for a user or a group of users. In Lotus Domino, a policy is a document that resides in the Lotus Domino directory, and it references settings that are also separate documents that reside in the Domino directory. Let’s begin our walkthrough.
Start with the administration client
The administration client is where all of this process starts. As mentioned, a policy document references one or more settings documents, so let’s introduce the settings.
Creating a settings document
A settings document is a group of settings that are related to a particular area or a process in Lotus Domino. We have several types of settings: desktop, mail, security, registration, archive, and more. Figure 1 shows the Policy Settings view. Through these settings you can establish default values for various user settings and also specify whether the user can modify the settings. For example, you can prevent users from changing their mail file ownership, force them to encrypt all outgoing mail, or set a password policy for all your users. In a settings document, you need to specify only the settings you want to explicitly enforce and leave the rest for the users to select their own settings, by selecting the Don’t set value option shown in figure 2.
Figure 1. Policy Settings view
Locking down settings
You can set the initial value of a particular setting in a settings document, make it change back every time the user changes its value, and lock it down so that the user can’t change its value. This option is called How to apply this setting. See figure 2.
Figure 2. How to apply options
This ability to lock down settings gives administrators flexibility and control over how their users use the product, makes better use of the company’s hardware resources, and prevents users from getting into trouble. In Lotus iNotes, if you lock down (that is, if you select Set value and prevent changes), then the preference is disabled for that particular user or group of users. Hovering over a locked-down field displays a message, “This preference has been disabled by your administrator," as shown in figure 3.
Figure 3. Preferences (hovering over a locked-down field)
Creating a policy
Now that you have created settings documents for various groups of users, you can now group these settings as you want within a policy document. One policy could allow users to change their mail file ownership and not force them to encrypt mail, while another might lock down this setting so that users' outgoing mail is always encrypted and signed. For example, a manufacturing plant worker can have a policy to disable the ability to attach files and the calendar, but an executive might need spell checking on send and delegation turned on. See the policies view shown in figure 4 and the mail policy document shown in figure 5.
Figure 4. Policies view
Figure 5. Mail policy document
Assign the policy to a user or a group of users
After you create policies that aggregate settings that you created earlier, you can assign a specific policy to certain users or groups of users through the Administrator client UI. You can do this in one of two ways: Either select one or more users and select the Assign Policy action (see figure 6), or open an individual person document and select the desired policy from the Administration tab.
Figure 6. Assign Policy action
After you select the Assign Policy action, you are prompted to select options in the Assign Policy Options window, shown in figure 7.
Figure 7. The Assign Policy Options window
Wait for Adminp or force update
Now that your policy has been created and assigned to the user, it needs to be applied to the user’s profile documents. This application is made through a server task called Adminp. The Adminp process applies policies once every 12 hours by default, or you can manually issue the following server console command to force the immediate processing of any relevant policy changes:
< tell adminp process mail policy
When Adminp runs, it determines the user's effective policy and applies it to that user's documents. After the process is done, the desired policy settings for the users are in effect. This application is true for Lotus iNotes only; the Lotus Notes client itself needs to run a separate process to finish the policy update.
Extending policies to other profile documents
Prior to the Lotus Domino 8.5 release, updating profile documents through Adminp worked only for the user’s calendar profile document. In version 8.5, this approach has been extended to include other profile documents and has been done in a general-purpose way. Various settings in the mail settings document can now be mapped to any other profile document.
A new item has been added to the mail settings document called $Profiles, which has a list of pairs: a prefix and a profile name delimited by a colon. For example, $DWA:inotesprofile means that any item that starts with $DWA (all prefixes must start with a “$”) is pushed over (without the prefix) to the inotesprofile document for that user. We’ve also added a $FieldsSetByPolicy item to the specified profile document to report which fields have been modified by applying the policy, rather than by a user action (for example, by changing the preference and clicking OK). See figures 8 and 9.
Figure 8. $Profiles item on mail settings document in NotesPeek
Figure 9: $FieldsSetByPolicy item on mail settings document in NotesPeek
Where are the Lotus iNotes policy settings?
When implementing support for policies in Lotus iNotes, we decided to leverage the applicable existing settings that were already used by the Lotus Notes client. In this manner, policies already in effect for Lotus Notes client deployments are now honored for Lotus iNotes as well. This approach minimizes the effect on Lotus Domino administrators who are already familiar with the existing policies.
We honor the existing mail, desktop, and security settings documents that pertain to Lotus iNotes. For example, we allow the user to change mail file ownership, forcing messages to be encrypted or signed and setting the default duration for meetings and appointments. See figure 10.
Figure 10. Mail Settings document
For the Lotus iNotes-specific settings, we grouped them together under a new tab in the mail policy settings document named Lotus iNotes as shown in figure 11. If you are trying to set the startup view in Lotus iNotes, force a particular user to use only the lite mode, or select the functional areas (mail, calendar, contacts, and so on) that you want enabled for a group of users, look under the Lotus iNotes tab. All the settings under the Lotus iNotes tab are copied to the Lotus iNotes profile document by Adminp using the method described previously in the section, "Extending Policies to Other Profile Documents."
Figure 11. New Lotus iNotes tab in the Mail Settings document
You should keep the following cautionary details in mind:
- You need at least one mail policy settings document for the desktop policy settings to work. Adminp runs for a particular user only if that user has a Mail Settings document specified in the relevant policy, and that Mail Settings document has to have at least one option selected. Because Lotus iNotes is primarily a mail application, we expect that all policies applied satisfy this condition.
- Users need to log out and log back in for policies to take effect. Another detail is that Lotus iNotes detects new policy settings only when a user first logs in and starts the Lotus iNotes session or when there is a specific need to reload session information such as when preferences are saved.
- Wait for the Adminp cycle or issue a tell process command. Another detail that was mentioned earlier is that the application of the policy after its assignment doesn’t happen right away. Instead, it happens when Adminp processes the policy change request.
Table 1 shows a list of the supported Lotus iNotes policies.
Table 1. Supported Lotus iNotes policies
|DWA Preference UI tab||DWA Preference UI text||Where to find it in the Mail Settings policy (which tab)|
|Basics||This mail file belongs to:||Mail Basics|
|Mail - General||Delete documents in my Trash folder||Mail Basics|
|Mail - General||Spell-check message before sending||Mail Basics|
|Mail - General||When I delete a calendar document from any view or folder:||Mail Basics|
|Mail - General||Allow others to recall mail sent to you||Mail Message Recall|
|Mail - Follow Up||Set the importance level for Quick Follow Up||Mail Follow Up|
|Mail - Follow Up||Set default Follow Up date||Mail Follow Up|
|Mail - Follow Up||Follow Up from when the Follow Up flag is set||Mail Follow Up|
|Mail - Follow Up||Follow Up from when the Follow Up flag is set||Mail Follow Up|
|Mail - Follow Up||Set default Follow Up time||Mail Follow Up|
|Mail - Follow Up||Set an Alarm||Mail Follow Up|
|Mail - Follow Up||Alarm will go off relative to Follow Up Date and Time||Mail Follow Up|
|Mail - Follow Up||Use these alarm settings for Quick Follow Up||Mail Follow Up|
|Mail - Follow Up||Time of day||Mail Follow Up|
|Mail - Attention Indicator||Display when I am the only recipient||Mail Attention Indicators|
|Mail - Attention Indicator||Display when I am one of no more||Mail Attention Indicators|
|Mail - Attention Indicator||Recipients in the To field||Mail Attention Indicators|
|Mail - Attention Indicator||Display when I am in the cc field||Mail Attention Indicators|
|Calendar - General||Calendar entry type||C&S Basics|
|Calendar - General||Appointment and meeting duration||C&S Basics|
|Calendar - General||Anniversaries repeat for||C&S Basics|
|Calendar - General||Automatically check for time conflicts when scheduling||C&S Basics|
|Calendar - General||Enable calendar alarms||C&S Basics|
|Calendar - Display||Start displaying times in Calendar at||C&S Display|
|Calendar - Display||Stop displaying times in Calendar at||C&S Display|
|Calendar - Display||Each calendar time slot lasts||C&S Display|
|Calendar - Display||Don't display new calendar entries and notices in the All Documents view of Mail||C&S Display|
|Calendar - Display||Don't display new Meeting invitations in the Sent view of Mail||C&S Display|
|Calendar - Display||Remove Meeting invitations from your Inbox after you have responded to them||C&S Display|
|Calendar - Display||Types of Meeting notices to be shown in your Inbox||C&S Display|
|Calendar - Display||Display new (unprocessed) notices||C&S Display|
|Calendar - Display||Process cancelled meetings automatically:||C&S Display|
|Calendar - Display||Remove from calendar |
Show as cancelled in calendar
|Calendar - Display||Do not display To Do Entries||C&S Display|
|Calendar - Work Hours||My normal office hours are||C&S Scheduling|
|Calendar - Rooms Resources||Preferred Site:||C&S Rooms and Resources|
|Calendar - Rooms Resources||Use this site as the default when finding rooms and resources.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Prompt to reset this default when scheduling within another site.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Prompt me to add rooms to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Always add rooms to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Never add rooms to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Prompt me to add resources to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Always add resources to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Rooms Resources||Never add resources to my list when scheduling meetings.||C&S Rooms and Resources|
|Calendar - Autoprocess||Enable automatic responses to meeting invitations||C&S Auto processing|
|Calendar - Autoprocess||Perform the following action:||C&S Auto processing|
|Delegation - Mail, Calendar||The following people or groups have access to your mail file||Access & Delegation Access to your mail and calendar|
|Delegation - Schedule||Who can see your schedule information||Access & Delegation Access to your schedule|
|Delegation - Schedule||What schedule information can they see||Access & Delegation Access to your schedule|
|Delegation - Schedule||Do not include the subject of a calendar entry when detailed information is made available||Access & Delegation Access to your schedule|
The supported Ddesktop policy settings include the following:
- Enable right double-click to close window
- Mark documents read when opened in preview pane
- Sign mail that you send
- Encrypt mail that you send
- Save sent mail
- Default mail message format
- Prefix each line with
- Wrap lines at
- Prompt when new mail arrives
- Check for new mail every n minutes
- Show Mail Quota indicator on client
The supported security policy settings allow users to change their Internet passwords over HTTP.
The Lotus iNotes tab in the Mail Policy settings page provides the following:
- User UI mode
- Functional areas to enable
- When opening Lotus iNotes, open Home Page to
- Maximum attachment size (KB)
- Mail threads
- Do not show remote images without permission
- Browser cache management
- Automatically install browser cache management
- Automatically logout when browser window is closed
- Default cache scrubbing level
- Clear history when browser window is closed
- Disallow attachments if not installed
- Maintain static code archive between browser sessions
- Instant messaging features
- Set default spell check dictionary
- Lotus iNotes ActiveX file attachment utility
- Set feeds
- Set feeds secured
- Feeds protocol name
- Show the Widgets folder in the Mail outline
- Allow users to create widgets from XML
- Allow Lotus Quickr Integration
- Allow calendar subscriptions
- Allow user to go offline
- Synchronize offline Internet password
- Include server's Domino Directory
- Compact mail file after synchronization
- Update full text index after synchronization
- Encrypt offline mail databases
- Limit document attachments during synchronization
- Only synchronize documents modified in the last days
Improvements to lite mode
The following developerWorks article gives full details on Lotus iNotes lite mode, "Introducing IBM Lotus Domino 8.0.1 Web Access Lite mode."
The 8.5 version of Lotus iNotes lite mode has several improvements as well, but most importantly it has retained the same performance characteristics of low bandwidth and empty browser cache. It continues to consume less bandwidth than full mode and loads faster than full mode when starting with an empty cache. Client performance tests on Lotus iNotes 8.5 lite mode show it to be slightly faster than its 8.0.1 counterpart in most areas.
The 8.0 or later version of lite mode does not allow a mechanism to turn off the full/lite mode switch, as preferences are available only from full mode. With version 8.5, preferences are now also available directly from lite mode, and it now opens within a managed tab. Hence, it is now possible to configure users to use only lite mode, rather than just starting in lite mode.
The current functional area tab is no longer anchored to the left. The first tab displayed is the supported area that Lotus iNotes is configured to start in. If another area is opened, a new tab is now opened to display that area. In 8.0 or later versions, the left tab was always replaced with the “current” area that was switched to.
Lite mode now also supports a quota indicator so that you can easily see if you are approaching an administrator-specified mail file size restriction. If you pass a warning threshold, it indicates this level by changing color and offering suggestions to resolve the situation when you hover over the quota indicator. It is also important to note that the display of this indicator is delayed slightly during startup, so that the configured startup view is displayed as fast as possible.
The menu widget has also been improved to reduce flickering and also supports retaining the "dropped-down state." If you click the drop-down arrow on one top-level menu item, just hovering over the drop-down area of other top-level menus displays those menus. Previously, you needed to click each of these items to display the contents of each drop-down menu.
The sidebar menu has been replaced with the Show menu. Clicking the top-level entry expands the sidebar if it is collapsed.
The lite sidebar has added support for including multiple panels. The sidebar has added a help panel and provides the ability to show only the day-at-a-glance calendar, only help, or both help and the day-at-a-glance calendar by using a split panel. The help provided in this release of lite mode has also been completely rewritten to provide more information on each new mode of Lotus iNotes. See figure 12.
Figure 12. Lite mode framework enhancements
Like full mode, lite mode now also supports the Safari 3.1 browser on Mac OS 10.5. Mac users now have a choice of using either Mozilla Firefox or Apple Safari. The first article in this series, "New features in IBM Lotus iNotes 8.5: Full mode," covers various Safari restrictions.
Lite mode now also supports bidirectional languages, Hebrew and Arabic, but with IMicrosoft nternet Explorer and Firefox only.
Some additional simplifications
The New menu in each functional area now displays only items relevant for that functional area. For example, Contact is no longer available from the New menu from the Mail area.
New Follow Up Message is no longer offered from the Follow up top-level menu.
Calendar functional area
Lite mode now has a calendar area with one day, one work week, and one month views (a subset of the full mode views). For administrators who do not want to offer Calendar functionality to their users, policies provide a way to achieve the desired configurations by removing the capability from lite mode. See figure 13.
Figure 13. New lite mode Calendar views
The calendar views are written with the same philosophy as the lite mode mail views: minimizing the amount of script needed to get the view displayed, retrieving data asynchronously, and lazy-loading code for various actions as needed. It supports entry type color coding and drag to reschedule entries, in-place editing to change descriptions, and the display of unprocessed meeting invitations, which can be opened and processed directly from the calendar view and visually identifying cancelled meetings. Starting with this release, the iNotes calendar views no longer attempt to merge unprocessed meeting notices into the calendar using a separate view, but rather rely on the main $Calendar view already used by the Lotus Notes client in version 8.0. This approach does require that your home server be a Lotus Domino 8.0 or later server, but it does allow for avoiding various issues encountered in prior releases with duplicate entries being displayed when the Show/Display Notices in Calendar option is enabled. This option is no longer offered in iNotes 8.5.
Opening notices in lite mode displays a redesigned and optimized notices screen, akin to the lite mode message screens. Lite calendar forms, shown in figure 14, allow you to quickly read and process your invitations and provide simple yet essential actions to accept, decline, accept with comments, and decline with comments. These new forms also provide a link back to full mode for advanced actions not currently supported by lite mode.
Figure 14. New lite mode Calendar forms
Mail view improvements
The mail view continues to use an optimized virtual list control, but this control has now been enhanced to offer some additional productivity improvements. The list now supports right-click menus. This feature lets you right-click a particular document or a selected range of documents and then invoke one of the offered actions. See figure 15. This approach avoids needing to refocus on the Action bar area to complete most frequent operations. There is also a right-click menu available from folders within the outline to allow quick access to folder management operations.
Figure 15: Mail productivity enhancement: Right-click menus
Another productivity improvement added to lite mode is the ability to drag documents from the list view and drop them into a folder to file messages. If the destination folder is collapsed, it automatically expands as you drag the contents to be filed over it.
A mail preview pane has also been added to lite mode to facilitate the quick reading of messages. Lite mode supports only preview on the bottom of the screen, as the simplified virtual list control for lite mode doesn’t support the narrow width display format critical for side preview. See figure 16.
Figure 16. Mail productivity enhancements: Bottom preview pane
Lotus iNotes now offers a new mail preference setting: Spell check message before sending. This setting resides in the Mail - General tab, and if checked, lite mode and full mode always perform a spell check prior to sending a message. If any errors are encountered, the Spell Check suggestions window includes both Send As Is and Cancel Send buttons.
The mail view continues to use a more optimized virtual list control; however, right-click support and drag support for filing messages have been added. Out of Office functionality is now also available from the Mail view and also opens up within a managed tab.
The 8.0 or later release of lite mode does not have the same customization callbacks that were supported for full mode. With version 8.5, newer forms were added with a _Lite suffix that now implement comparable support for the newer pages that leverage the newer Lite page architecture.
Table 2 lists some examples of the new forms.
Table 2. New subforms in Lotus iNotes 8.5 lite mode
|Old form or subform||New subform||Description|
|Custom_JS||Custom_JS_Lite||Most customization functions|
|Custom_ActionsHelper||Custom_ActionsHelper_Lite||Helper functions to add or remove action bar items|
|Forms to modify the Lotus iNotes logos|
Most of the functions work the same way, but some of the parameters have changed. Comments in these forms provide more details about these functions. Be on the lookout for additional articles on this topic.
With the addition of policies support in Lotus iNotes 8.5, administrators now have unprecedented abilities to enable different sets of features for different users. One user can be configured to have all the capability offered by Lotus iNotes whereas another might be given access only to the Mail functional area in lite mode. Lite mode has also continued to evolve by adding several key productivity improvements that users have been asking for, and it now has matured to a point where it might be the only mode offered to a set of users. The final article in this series will cover the new Lotus iNotes ultralite mode.
- Participate in the discussion forum.
- Read the developerWorks Lotus article, "New features in IBM Lotus iNotes 8.5: Full mode."
- Read the developerWorks Lotus article, "New features in IBM Lotus iNotes 8.5: Ultra-light mode and the redirector."
- Read the developerWorks Lotus article, "Introducing IBM Lotus Domino 8.0.1 Web Access Lite mode."
- Read the developerWorks Lotus article, "Enabling secure, remote access to IBM Lotus iNotes using IBM Lotus Mobile Connect."
- Refer to the IBM Redbooks® publication, "iNotes Web Access: Deployment and Administration."
- Refer to the IBM Redbooks publication, "Domino Web Access 6.5 on Linux."
- Refer to the IBM Support Techdoc, "Key Content Resources for Lotus Mobile Connect."
- Refer to the support pages for IBM Lotus Domino Web Access.