17.3 Configuring Global Client Policies

The iFolder administrator uses the global client policies to control which features the user can configure for the iFolder client and what the default settings are. Client policies are rules that govern the iFolder client behavior. Global policy settings apply to all iFolder clients and servers. You can override global policies for individual users by setting user policies.

Before you permit users to access the iFolder system for the first time, you must review the default settings and configure policies to meet your network needs. Later, if you modify policies, you must consider how iFolder applies your changes. In general, client policy changes require only that users log out and log in to the iFolder client for the changes to take effect. However, changes might not apply to existing accounts or clients. To apply the changes you make, click Update Client Policy.

  1. If you are not logged in, go to the iFolder Management Console, click Global Settings, enter your administrator username and password, then click login. For details, see Logging In to the iFolder Management Console.

  2. Click Global Policies > Client Policies > Display > Client Policy Settings.

    Figure 17-1 Global Settings > Global Policies > Client Policies > Display > Client Policies Settings

  3. Set the global client policies, then click Update Client Policy.

For information about global server policies, which include user disk quotas, see Section 19.2, Configuring Global Server Policies.

17.3.1 Understanding iFolder Client Policies

Client policies specify default settings or values, whether the user can modify the default, and whether the user can view the policies.

The iFolder administrator sets three policy levels for the global client policies:

  • Default Policies: To enable the policy, check the On check box or specify a value. If the default policy setting is not Enforced or Hidden, users can modify the default setting, according to their personal preferences.

    In general, if you modify a policy’s default setting, the change applies automatically to new iFolder accounts and new client installs or upgrades. For existing iFolder accounts and clients, if the specific policy is modifiable, you must enable Enforced to force this change to take effect.

    If the specific policy is not modifiable for existing accounts, changes do not apply even if they are enforced or hidden. For examples, see Encryption and Recover Passphrase policies.

    If the specific policy is not modifiable for existing instances of the iFolder client, a change does not apply even if it is enforced or hidden. For an example, see the iFolder Location policy.

  • Enforced: To enforce the default setting, check the Enforced check box. If this option is enabled, the default setting is dimmed in the iFolder client. Users can view the default setting, but they cannot change it. If this option is disabled, users can modify the default setting, according to their personal preferences.

    For both global and user client policies, you must enable the Enforced option when setting or changing policies that you want to override the user’s personal preferences. Enforced settings apply automatically to new iFolder accounts. If the specific policy is modifiable for existing accounts or clients and you enable Enforced, the change takes effect the next time the user logs in to their iFolder account, installs a new client, or upgrades an existing client. If it is not a modifiable policy for accounts or clients, enabling Enforced has no effect.

    For user client policies, you must enable the Enforced option when setting or modifying a policy that you want to override the corresponding global client policy. If it is not a modifiable policy for iFolder accounts or clients, enabling Enforced for a user client policy has no effect.

  • Hidden: To hide the policy and its default setting from the user, check the Hidden check box. Users cannot view or modify the default setting. Hidden features are enforced by default.

You set the default values and behavior for the following client policies:

  • Encryption: [Default: On, Not Enforced, Not Hidden] Allows the user's local data to be encrypted as it leaves a workstation to travel to the iFolder server, while it resides on the server, and as it travels to another workstation, where it is decrypted. The user's data resides on the user's workstations in unencrypted form.

    Encryption policies cannot be modified for existing accounts. Once set for an iFolder account, the decision applies for the life of the account and across all instances of the iFolder client that the user installs. If you want to change marked features for all users after accounts exist, you must coordinate with users to delete their accounts and recreate them with the new settings enforced. For more information about encryption, see Section A.1, Authentication and Encryption.

  • Save Password: [Default: Off, Not Enforced, Not Hidden] Allows automatic entry of the user's password during any iFolder login sequence.

    IMPORTANT: The iFolder client does not pass on system warnings about grace logins. If your organization requires frequent password changes, we recommend that users be notified of pending change requirements by alternate means so users can proactively change the stored password, if they select this option.

  • Save Passphrase: [Default: Off, Not Enforced, Not Hidden] Allows automatic entry of the user's encryption passphrase during any iFolder login sequence.

  • Recover Passphrase: [Default: On, Not Enforced, Not Hidden] Allows the iFolder administrator to recover the user's encryption passphrase.

    IMPORTANT: Because the Passphrase is the user's encryption key, the administrator is able to decrypt the user's data files on the iFolder server. Allowing this option implies a trusted relationship for the iFolder administrator.

    Recover Passphrase policies cannot be modified for existing accounts. Once set for an iFolder account, the decision applies for the life of the account and across all instances of the iFolder client that the user installs. If you want to change marked features for all users after accounts exist, you must coordinate with users to delete their accounts and recreate them with the new settings enforced.

  • Automatic Sync: [Default: On, Not Enforced, Not Hidden] Allows the iFolder client to automatically synchronize the user's iFolder files between the local iFolder directory and the iFolder server.

    • Sync to Server Delay: [Default: 5 seconds with a minimum of 3 seconds, Not Enforced, Not Hidden] If Automatic Sync is allowed, sets the default time (in seconds) that the iFolder client waits after a file in the local iFolder directory changes until it automatically uploads the file to the iFolder server. Also sets the minimum and maximum values allowed.

    • Sync from Server Interval: [Default: 20 seconds with a minimum of 10 seconds, Not Enforced, Not Hidden] If Automatic Sync is allowed, sets the default time (in seconds) after a synchronization occurs that the iFolder client waits to check with the iFolder server to determine if there are changed files it needs to automatically download to the local iFolder directory. Also sets the minimum and maximum values allowed.

    For information on synchronization strategies for users, see the Novell iFolder 2.1 User Guide.

  • Conflict Bin Space: [Default: 25 megabytes with a minimum of 0 (zero) megabytes, Not Enforced, Not Hidden] Sets the default size (in MB) of the Conflict Bin for the user's iFolder account. Also sets the minimum and maximum allowed values.

    The iFolder client uses a Conflict Bin to help prevent the inadvertent loss of user files. Each workstation where users install the client has its own bin on the local hard drive. The iFolder client stores files in the bin on a first-in, first-out basis. As the bin size nears the maximum space allotted, the iFolder client purges documents from the bin to make room for newer files that might be in conflict. If a file in conflict exceeds the size of the bin, iFolder automatically purges the file from the bin.

    In general, the default size of the Conflict Bin should be about 10 to 15 percent of the Initial Client Quota. At a minimum, the space allocated should be larger than the largest file size that a user might store in the iFolder account.

  • iFolder Location: [Default: {My Documents}\iFolder\{User Name}\Home, Not Enforced, Not Hidden] Sets the default path of the user's local iFolder directory.

    Changes to this policy apply only to new instances of the iFolder client for existing accounts or to new iFolder accounts.

Some policies apply only to new iFolder user accounts. The related options appear in the first instance of an iFolder client install for that user. After the user sets the preferences, the items no longer appear in the login sequence or in subsequent installations of the iFolder client by that user.

Changing the marked policy has no effect for existing users; it applies only for all subsequently created accounts. If you want to change marked features for all users after accounts exist, you must coordinate with users to delete their accounts and recreate them with the new settings enforced.

17.3.2 Examples of Global Client Policies

Consider the following examples to help you understand how to use the policy levels.

Example Policy: All users must enable iFolder encryption.

If you want every user to encrypt iFolder data, set Encryption to On, Enforced, and Hidden as a global client policy, then click Update Client Policy. The user must specify an encryption passphrase the first time he or she logs in to iFolder. The passphrase serves as the encryption key for the user’s iFolder account.

Example Policy: Administrators must be allowed to recover user passphrases.

If you want to enable the iFolder administrator to recover all users’ encryption passphrases, set Recover Passphrase to On, Enforced, Hidden and set the Security Passphrase for the administrators to use when recovering passphrases. Then click Update Client Policy. The first time a user logs in, iFolder does not prompt the user with the option to Recover Passphrase because the policy is mandatory and hidden from view.

Example Policy: Guest users must use clear text when storing iFolder data on the iFolder server.

If you want an individual user account to use clear text only, go to the User Account > Edit Client Policies, then set the Encryption, Save Passphrase, and Remember Passphrase policies to Off, Enforced, and Hidden as user client policies. Then click Update Client Policy. iFolder does not prompt the user with a choice to encrypt iFolder data.

Example Policy: Users must synchronize files manually to minimize bandwidth requirements.

If you want users to synchronize iFolder files only as needed, set Automatic Synchronization to Off, Enforced, and Not Hidden as a global client policy. Then click Update Client Policy. The users cannot take advantage of automatic synchronization. In the iFolder client, the automatic synchronization option is disabled (unchecked) and dimmed on the Account Information > Preferences page. The user must use the manual Sync and Stop Sync options to synchronize files, using the iFolder client.

Example Policy: Users must authenticate manually at login.

Because the client requires that users log in to change their passwords, they can be locked out if the password changes while they are logged out of iFolder. If your environment requires frequent password changes, you can avoid users being accidentally locked out of their iFolder accounts by setting Save Password to Off, Enforced, and Hidden as a global client policy. Then click Update Client Policy. The users must enter a valid password each time they log in to the iFolder client.
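
The following added example is not part of iFolder or of this guide's original text. It models in Python the precedence rules from Section 17.3.1 so you can check which setting a given account ends up with, including the case where enforcing Encryption later does not change an existing account. The names Policy, resolve, and FIXED_ONCE_SET are hypothetical, and treating an unenforced user policy as having no effect is an assumption drawn from the Enforced description.

```python
from dataclasses import dataclass
from typing import Any, Optional, Tuple

# Hypothetical model of the documented rules; not iFolder code.
# Policies the guide says keep their first value: Encryption and Recover
# Passphrase per account, iFolder Location per installed client instance.
FIXED_ONCE_SET = {"Encryption", "Recover Passphrase", "iFolder Location"}


@dataclass(frozen=True)
class Policy:
    default: Any
    enforced: bool = False
    hidden: bool = False

    @property
    def locked(self) -> bool:
        # Hidden policies are enforced by default.
        return self.enforced or self.hidden


def resolve(name: str, global_policy: Policy,
            user_policy: Optional[Policy] = None,
            user_pref: Any = None,
            fixed_value: Any = None) -> Tuple[Any, str]:
    """Return (effective value, rule that decided it) for one client policy.

    user_pref   -- value the user chose in the client, if any
    fixed_value -- value already set for an existing account or client
    """
    if name in FIXED_ONCE_SET and fixed_value is not None:
        return fixed_value, "fixed for existing account or client"
    # A user policy overrides the global policy only when it is Enforced.
    if user_policy is not None and user_policy.locked:
        return user_policy.default, "user policy enforced"
    if global_policy.locked:
        return global_policy.default, "global policy enforced"
    if user_pref is not None:
        return user_pref, "user preference"
    return global_policy.default, "global default"


if __name__ == "__main__":
    enc = Policy(True, enforced=True, hidden=True)  # Encryption On, Enforced, Hidden
    print(resolve("Encryption", enc))                        # new account
    print(resolve("Encryption", enc, fixed_value=False))     # account created unencrypted
    print(resolve("Encryption", enc, Policy(False, True, True)))  # guest user policy
    print(resolve("Save Password", Policy(False), user_pref=True))
```

The second call shows why accounts created before Encryption was enforced must be deleted and recreated: the enforced global policy does not reach them.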