Lync phones come in a variety of types, including information worker (IW) phones, conferencing phones, and common area phones. With Lync Enterprise Voice deployments becoming more common in organizations today, a discussion about using policies to secure these phones is sure to come up. The bottom line is that you shouldn't leave your Lync phones exposed without any security measures. Just like you can create policies for users, you can create policies for phones. These policies are called voice policies.

Creating voice policies is pretty straightforward. You just need to:

  1. Create objects that represent the phones.
  2. Create a voice policy.
  3. Assign the voice policy to the phone objects.

As a demonstration, I'll show you how to create a voice policy for phones in common areas, such as lobbies and break rooms. You need to be an administrator to create a voice policy.

1. Create the Phone Objects

Almost everything in Lync can be controlled by some type of policy. Phones are no different. To control phones with voice policies, you first need to create objects representing the phones, just like you create objects representing users. You can use the Lync Server Management Shell to create the phone objects.

To create a common area phone object, you use the New-CsCommonAreaPhone cmdlet in a command such as:

                              
New-CsCommonAreaPhone
  -LineUri tel:+14255551212
  -RegistrarPool "lon-pool"
  -OU "OU= Users,DC=domain,DC=com"
  -Description "Room number 30-1000"
  -DisplayName "Building 30 Lobby"
  -DisplayNumber "1 (425) 555-0112"

​As you can see, you use the:

  •  -LineUri parameter to specify the telephone number (in E.164 format) that you're assigning to the phone
  • -RegistrarPool parameter to specify the location of the Registrar pool where this object should reside
  • -OU parameter to specify the Active Directory (AD) organizational unit (OU) where this object should reside
  • -Description parameter to provide more information about the phone, such as its purpose or location in the building
  • -DisplayName parameter to provide a user-friendly name for the object
  • -DisplayNumber parameter to provide the phone number as it should be displayed in Lync

After running the command, you'll see results like those shown in Figure 1. Notice the area I outlined in red. These properties aren't defined because the command didn't set them.

Figure 1: Creating an Object Representing a Common Area Phone

2. Create the Voice Policy

The next step is to create a voice policy governing the usage of the common area phones. You can create this policy in the Lync Control Panel or in the Lync Server Management Shell.

Lync Control Panel. To create the voice policy in the Lync Control Panel, open the panel and click Voice Routing in the navigation pane on the left. On the Voice Routing page, click the Voice Policy tab. Once there you can create a new voice policy with a User scope, as seen in Figure 2. In this case, the new policy is named "Restricted Voice Policy."

Figure 2: Creating a Voice Policy in the Lync Control Panel

After the voice policy is created, you can specify which features you want and don't want the common area phones to have. For example, as Figure 3 shows, the Restricted Voice Policy disables the following features on the common area phones: call forwarding, call transfer, and simultaneous ringing of phones.

Figure 3: Editing the Restricted Voice Policy

Lync Server Management Shell. To create a voice policy in the Lync Server Management Shell, you use the New-CsVoicePolicy cmdlet. In this case, you'd run the command:

                              
New-CsVoicePolicy
  -Identity "Restricted Voice Policy"
  -AllowCallForwarding $False
  -EnableCallTransfer $False
  -AllowSimulRing $False

 

To verify that the call forwarding, call transfer, and simultaneous ringing features have been disabled, you can use the Get-CsVoicePolicy cmdlet to view the voice policy. The command to look at the Restricted Voice Policy is:

                              Get-CsVoicePolicy -Identity "Restricted Voice Policy"

Figure 4 shows the results. In the Identity property row, notice that the voice policy's name includes the prefix "Tag:" This prefix is added to the names of policies created at the per-user scope. It only appears when you look at the policy name in the Identity property.

Figure 4: Viewing the Restricted Voice Policy in the Lync Server Management Shell

3. Assign the Voice Policy to the Phone Objects

Believe it or not, the hardest part is over. Now comes the easiest part: using a single command to assign the voice policy to the common area phone objects. To assign the Restricted Voice Policy to the common area phone objects, you'd run the command:

                              
Get-CsCommonAreaPhone |
  Grant-CsVoicePolicy -PolicyName "Restricted Voice Policy"

If you want to confirm that the Restricted Voice Policy has been applied to the common area phone objects, you can run this command:

                              Get-CsCommonAreaPhone

As you can see in Figure 5, the policy has been applied. As a result, the call forwarding, call transfer, and simultaneous ringing features have been disabled on the common area phone created in step 1.

Figure 5: Confirming the Restricted Voice Policy Has Been Applied to the Common Area Phone

Additional Policy Options

In the examples I showed you so far, the voice policy allows the common area phones to be used to make any type of call (e.g., internal, local, long distance, international). If that's unacceptable, you can configure Public Switched Telephone Network (PSTN) Usages to specify the dialing permissions for the common area phones. PSTN Usages in the Lync world are like Class of Services in the telephony world.

You can specify the PSTN Usages using the New-CsVoicePolicy cmdlet's - PstnUsages parameter. For example, the following command creates a voice policy that specifies that the common area phones can only be used to make internal and local calls:

                              
New-CsVoicePolicy
  -Identity CAPvoicepolicy
  -PstnUsages @{add="Internal","Local"}
  -AllowSimulRing $False
  -AllowCallForwarding $False
  -EnableDelegation $False
  -EnableTeamCall $False
  -EnableCallTransfer $False

The other parameters in this command tell Lync to disable the simultaneous ringing, call forwarding, call delegation, team call, and call transfer features.

You can even configure a policy so that a common area phone serves as a hot-desk phone. On a hot-desk phone, users can enter their phone number and/or extension and a PIN. If they're authenticated, Lync transfers all their Lync-related contact information to the hot-desk phone.

To create a hot-desk phone, you use the New-CsClientPolicy cmdlet and with its -EnableHotdesking parameter, as this command shows:

                              
New-CsClientPolicy
  -Identity HotDeskPhonesPolicy
  -EnableHotdesking $True
  -HotdeskingTimeout 00:30:00

After the policy is created, you apply it by using a command such as:

                              
Get-CsCommonAreaPhone |
  Grant-CsClientPolicy -PolicyName "HotDeskPhonesPolicy"

Secure Your Common Area Phones

In an Enterprise Voice deployment, you need to consider how you're going to regulate the Lync phones being used by multiple users or the public. One easy and effective way to secure these phones is to use voice policies. After you become familiar with voice policies and develop a game plan, you can put your plan into action using the Lync Server Management Shell.