MCE Content Copying and Export

Overview

The content copying and export controls for a group are determined by the Security Context(s) in which the group is created. Content copying can be enabled or disabled on an individual Security Context, and there are also configurable global defaults for these controls, so it is not necessary to specify the option on every Security Context using the PowerShell command. For more documentation on changing the configuration of a Security Context, please refer to the Set-MceSecurityContext PowerShell command.

caution

If you are upgrading from a version prior to 23.6, see the following section on how to enable this functionality for pre-existing groups: Enabling content features on existing deployments.

Content Copying

The integrity of message data is supported by allowing the configuration of an MCE chat's content copying rule. This rule allows the selection and copying of message content to be disabled. The feature is designed to remind users that the content of a chat is sensitive and to provide a user experience that discourages message content from leaving the chat. Users who wish to export group content should instead do so through the secure chat content export feature, if enabled.

The default behaviour for content copying can be toggled through the MCE configuration section in the Management Tool:

Content copying

Content copying can be modified for a particular Security Context via the Set-MceSecurityContext PowerShell command. For example:

Set-MceSecurityContext -Id $ID -ContentCopying 'Enabled'

Set-MceSecurityContext -Id $ID -ContentCopying 'Disabled'

Set-MceSecurityContext -Id $ID -ContentCopying 'Inherited'

See Example Scenario for more detail.

info

Whenever creating a group with multiple Security Contexts, the most restrictive options will be taken. That is to say, content copying will only be enabled if it is said to be enabled by all the included Security Contexts.

caution

When determining whether content copying is enabled for a particular group, a Security Context whose ContentCopying is set to Inherited is interpreted as either Enabled or Disabled based on the value of the "Disable content copying by default" toggle in the Management Tool (shown above) at the time the group in question was created. That is, if the toggle was set when the group was created, any Inherited value is interpreted as Disabled. This can lead to confusing behaviour if the configuration is changed between the creation of different groups.

The recommendation for administrators is to set this configuration value once and then refine content copying rules using explicit ContentCopying settings on Security Contexts.
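
The two rules above (Inherited resolved against the default in force at group creation, then the most restrictive value taken across Security Contexts), modelled as an added example that is not MindLink code. Resolve-EffectiveContentCopying and its parameters are hypothetical names and the scenarios are constructed; groups C and D show identical Security Context settings resolving differently because the default changed between their creation.

```powershell
# Added example: models the rules described on this page.
# Function and parameter names are hypothetical, not MCE cmdlets.
function Resolve-EffectiveContentCopying {
    [CmdletBinding()]
    param(
        # ContentCopying value of each Security Context the group uses.
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled', 'Inherited')]
        [string[]] $ContextValues,

        # What 'Inherited' meant when the group was created
        # ('Disabled' if "Disable content copying by default" was set).
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string] $DefaultAtCreation
    )

    foreach ($value in $ContextValues) {
        # Inherited takes the default captured at group creation time.
        $resolved = if ($value -eq 'Inherited') { $DefaultAtCreation } else { $value }
        # Most restrictive wins: one Disabled context disables copying.
        if ($resolved -eq 'Disabled') { return 'Disabled' }
    }
    return 'Enabled'
}

# Constructed scenarios, one per group.
$scenarios = @(
    @{ Group = 'A'; Contexts = @('Enabled', 'Enabled');   Default = 'Disabled' }
    @{ Group = 'B'; Contexts = @('Enabled', 'Disabled');  Default = 'Enabled' }
    @{ Group = 'C'; Contexts = @('Enabled', 'Inherited'); Default = 'Disabled' }
    @{ Group = 'D'; Contexts = @('Enabled', 'Inherited'); Default = 'Enabled' }
)

foreach ($s in $scenarios) {
    [pscustomobject]@{
        Group             = $s.Group
        Contexts          = $s.Contexts -join ', '
        DefaultAtCreation = $s.Default
        Effective         = Resolve-EffectiveContentCopying `
                                -ContextValues $s.Contexts `
                                -DefaultAtCreation $s.Default
    }
}
```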

Content Export

Exporting content from a group chat can be represented as a five step process:

  1. Retrieve the local user's public certificate from Active Directory
  2. Send this certificate to the MLA web client
  3. Encrypt any selected messages using the public certificate on the MLA web client
  4. Send the encrypted messages alongside some metadata back to the MCE server
  5. Package and send the encrypted messages as an S/MIME email using the configured SMTP server

Visualized by the diagram below:
Chat content export process

It's important to note that the MindLink server does not have access to the message content due to the messages being encrypted on the MindLink Anywhere client. This protects the integrity of the message data in MCE groups.

This feature can be enabled in the General section of the Email Management Center configuration page.

Secure content export

  • Enable chat content export: Enables securely exporting chat content and allows further configuration of the feature.
  • LDAP Search filter template: Specifies the filter used to find users and retrieve user certificates used for encryption. Requires a template value of {0} which represents the linked authentication identity for users (default (msRTCSIP-PrimaryUserAddress={0})).
  • Primary S/MIME Certificate Attribute Name: The first attribute name that will be used for looking up valid S/MIME certificates. Leaving blank will default to userSMimeCertificate.
  • Secondary S/MIME Certificate Attribute Name: The second attribute name that will be used for looking up valid S/MIME certificates if no certificates are found against the primary attribute name. Leaving blank will default to userCertificate.
  • Sender email address: Specifies the email address used as the sender for exported chat content.
  • Email subject: Specifies the email subject when receiving exported content emails. Supports template for including the group name in email subject by including template string {GroupName}.
  • Email body prefix: Specifies the prefix to include before the exported group chat content within the email. Supports template for including the Security Contexts of the exported group by including template string {SecurityContext}.
  • Email body suffix: Specifies the suffix to include after the exported group chat content within the email. Supports template for including the Security Contexts of the exported group by including template string {SecurityContext}.
  • Enable secure chat content export by default: Determines the default value for secure chat export on Security Contexts which do not explicitly specify a value.

Example Scenario

Given an existing MCE deployment with no existing rooms and the following Management Tool settings:

  • Chat content export: enabled
  • Chat content export by default: enabled
  • Content copying by default: disabled
  • Protocol headers:
    • X-Classification: {Classification}
    • X-SecurityContext: {SecurityContext}
  • Email subject: Export from {GroupName}
  • Email body prefix: {SecurityContext}
  • Email body suffix: {SecurityContext}
  • Remaining settings left to default

New MCE rooms created in this environment without setting explicit content export or copying settings on Security Contexts will result in rooms having:

  • Content copying disabled (all room members will not be able to select or copy any chat content)
  • Content export enabled (all room members will be able to export the entire chat history of messages using their email)

Each email exporting the room conversation will have the group information substituted into the appropriate sections specified in the configuration.

As described above, rooms will by default disallow content copying and allow export. However, to create a room with the inverse of these options, we would need to configure a Security Context like so:

Set-MceSecurityContext -Id $ID -SecureContentExport 'Disabled' -ContentCopying 'Enabled'

Then, creating rooms with the above Security Context will disable content export and enable content copying.

info

Whenever creating a group with multiple Security Contexts, the most restrictive options will be taken. That is to say, content export will only be enabled if it is said to be enabled by all the included Security Contexts.

Enabling content features on existing deployments

For the features above to function with pre-existing groups created in previous versions, the following PowerShell cmdlets must be invoked:

Start-MceGrain -Id <group-guid> -GrainType "MindLink.Core.MceAdmin.Engine.Contracts.Projection.GroupControls.IGroupControlsProjectionModelGrain"
Start-MceGrain -Id <group-guid> -GrainType "MindLink.Core.Mce.Contracts.Grains.IGroupNotificationPropertiesProjectionModelGrain"
Start-MceGrain -Id <group-guid> -GrainType "MindLink.Core.Mce.Contracts.Grains.IGroupUserInvitationsProjectionModelGrain"

Alternatively, this can be applied to all groups (or a filtered collection of groups) by piping the output of the Get-MceGroup cmdlet.
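
One way to run all three grain types over every group, as an added example rather than MindLink's own script. It assumes, as the sentence above states, that Start-MceGrain accepts the groups emitted by Get-MceGroup from the pipeline; any filtering of the group collection would be inserted between the two cmdlets.

```powershell
# Added example: start the three projection grains for every existing group.
# The grain type names are the ones listed on this page.
$grainTypes = @(
    'MindLink.Core.MceAdmin.Engine.Contracts.Projection.GroupControls.IGroupControlsProjectionModelGrain'
    'MindLink.Core.Mce.Contracts.Grains.IGroupNotificationPropertiesProjectionModelGrain'
    'MindLink.Core.Mce.Contracts.Grains.IGroupUserInvitationsProjectionModelGrain'
)

foreach ($grainType in $grainTypes) {
    # Assumption: the group identifier binds to -Id from the pipeline.
    Get-MceGroup | Start-MceGrain -GrainType $grainType
}
```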