Configuring One-Touch Join
Global configuration and settings for One-Touch Join (OTJ) in your organization are located in Settings in the Pexip Control Center (PCC). Configuration in PCC, such as setting up a provider and mailbox, must be completed before OTJ is enabled on any video conferencing system.
You can access general information about the Pexip Control Center platform here.
On this page:
- Prerequisites
- Obtaining OTJ Admin rights
- Setting up a mail-enabled security group
- Configuring calendar processing on room resource mailboxes
- Configuring OTJ global settings
- Enabling OTJ for video systems
Prerequisites
Before you begin, ensure that you have fulfilled the following requirements:
- The endpoints you want to include in One-Touch Join are already added in the Pexip Control Center and can connect with the Pexip Service.
- In Pexip Control Center, you have the OTJ Admin role towards the company you want to configure, and that company is enabled for One-Touch Join.
- You have the Global Admin role for your organization's Office 365 account. If you don't, a user who does have this role will need to provide consent on your behalf to the tenant being accessed by One-Touch Join.
- You have verified your Microsoft 365 tenant domain by adding a DNS TXT record for your Microsoft 365 domain — see Verifying Microsoft 365 tenant domains for instructions.
- Each physical room that will have a One-Touch Join endpoint in it has an associated room resource and mailbox. All room resources and mailboxes associated with your OTJ endpoints must be created in Microsoft 365 tenants only (on-premises mailboxes are not supported, even in Exchange hybrid deployments). This feature uses the Graph API to authorize access to the mailboxes used for OTJ.
Ensure you have configured your firewall appropriately (the full set of firewall rules is available here).
These are the port usage rules for One-Touch Join for Pexip Service:
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
Endpoints | TCP | HTTPS | 443 | Outgoing | 185.94.240.0/22, 185.124.96.0/22 |
Endpoints | UDP | NTP | 123 | Outgoing | 176.58.109.199/32 |
These are the domains that may need to be safelisted to allow traffic to pass without interference:
Domain | Service/Application |
---|---|
otj.pexip.io | for One-Touch Join for Pexip Service (Cisco & Poly) |
auth.otj.pexip.io, cisco-macros.pexip.io | for One-Touch Join for Pexip Service (Cisco only) |
Obtaining OTJ Admin rights
To set up One-Touch Join for a company, you must be logged in as a user with the OTJ Admin role (in addition to the Admin role) for that company.
To be granted this role:
- Any user in your company who has both the Access Admin and Admin roles can grant you the OTJ Admin role. If you have these roles already, you can grant yourself (and others) the OTJ Admin role.
- A user in your partner organization who has the Access Admin role, and the Admin role for your company, can grant you the OTJ Admin role.
Setting up a mail-enabled security group
As part of the One-Touch Join setup, we strongly recommend that you create a mail-enabled security group in the Microsoft Exchange Admin Center. However, it is still possible to use One-Touch Join without a mail-enabled security group.
- Create a security group using either the EAC or Exchange Online PowerShell. For full instructions, see Microsoft's documentation for managing mail-enabled security groups using the EAC or using PowerShell.
  An example PowerShell command is given below; you must provide your own Name and Alias.
  New-DistributionGroup -Name "Pexip OTJ resource-mailboxes" -Alias otjrooms -Type security
- Add the desired mailboxes for rooms and users in your OTJ environment as members of the new security group.
- To do this in the EAC, select the mail-enabled security group, and from the tab select . For full instructions, see Microsoft's documentation.
- To do this using PowerShell, use commands such as Add-DistributionGroupMember and Get-DistributionGroup.
- To restrict Pexip's access to only the data it requires, create an application access policy using the PowerShell command below.
  You must change the PolicyScopeGroupId and can optionally change the description.
  New-ApplicationAccessPolicy -AppId 5b19f2a2-1969-4db2-9882-f7497a0bb6d2 -PolicyScopeGroupId <email of the mail-enabled security group> -AccessRight RestrictAccess -Description "Restrict Pexip OTJ app to selected room resource mailboxes"
Changes to application access policies can take up to 2 hours to take effect, so an endpoint may not start receiving OTJ meetings until then.
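One way to confirm the scope of the policy after creating it, as an added example that is not part of Pexip's documentation: it uses the Exchange Online cmdlets Get-ApplicationAccessPolicy and Test-ApplicationAccessPolicy with the app ID from the command above. The group address and the out-of-scope mailbox are placeholders that you must replace.

```powershell
# Added example (not from the Pexip documentation): check that the OTJ app can
# reach the mailboxes in the security group and nothing else.
# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).

$app_id       = "5b19f2a2-1969-4db2-9882-f7497a0bb6d2"  # app ID from the policy command above
$otj_group_id = "otjrooms@example.com"                  # placeholder: your mail-enabled security group
$outsider     = "not-an-otj-room@example.com"           # placeholder: a mailbox that is NOT in the group

# 1. At least one policy should exist for the app. Without one, the
#    tenant-wide Calendars.Read permission applies to every mailbox.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $app_id })
if ($policies.Count -eq 0) {
    Write-Host "WARNING: no application access policy found for app $app_id" -ForegroundColor Red
} else {
    $policies | Format-Table ScopeName, AccessRight, Description -AutoSize
}

# 2. Every member of the group should evaluate to Granted.
$unexpected = @()
Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    $result = Test-ApplicationAccessPolicy -Identity $_.PrimarySmtpAddress -AppId $app_id
    if ($result.AccessCheckResult -ne "Granted") {
        $unexpected += "$($_.PrimarySmtpAddress): expected Granted, got $($result.AccessCheckResult)"
    }
}

# 3. A mailbox outside the group should evaluate to Denied.
$result = Test-ApplicationAccessPolicy -Identity $outsider -AppId $app_id
if ($result.AccessCheckResult -ne "Denied") {
    $unexpected += "${outsider}: expected Denied, got $($result.AccessCheckResult)"
}

if ($unexpected.Count -eq 0) {
    Write-Host "INFO: policy scope matches the security group" -ForegroundColor Green
} else {
    $unexpected | ForEach-Object { Write-Host "WARNING: $_" -ForegroundColor Red }
}
```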
Configuring calendar processing on room resource mailboxes
Recommended configuration
To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you change the following calendar processing options from the default:
- The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar headers can be used (because the body will be deleted).
- When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name of the organizer (for more information, see this Microsoft article).
  Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room endpoints.
- The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as private in the room mailbox, you must set the RemovePrivateProperty flag to False.
- When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a response from a room that may not have been included in their original invitation, you can configure additional text that is sent to the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.
PowerShell command
To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room resource whose processing you want to change):
Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the meeting from this room using Pexip One Touch Join."
Optional configuration
Hiding invitation details from other users
In order for One-Touch Join to function fully, the
In the following command, replace resource_name with the name of the room resource, and replace role with one of the following roles:
- AvailabilityOnly: users can view the room's availability, but nothing else.
- LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.
Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role
Allowing forwarding of external invitations
Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to determine what is appropriate in your environment.
- If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users internal to your organization can forward external invitations to OTJ meeting rooms.
- If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules include an exception for any URL starting with the domain https://teams.microsoft.com/
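A transport rule of the kind the first item describes, as an added example that is not Pexip's own rule: it turns on ProcessExternalMeetingMessages for the room mailboxes in the group, then rejects mail sent to those rooms by senders outside the organization. The rule name, rejection text and group address are assumptions, and the rule is limited to room mailboxes so that personal mailboxes in the same group keep receiving external mail.

```powershell
# Added example (not from the Pexip documentation).
# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
$otj_group_id = "otjrooms@example.com"                  # placeholder: your mail-enabled security group
$rule_name    = "Block external senders to OTJ rooms"   # assumed rule name

# Collect only the room mailboxes; the group may also contain personal mailboxes.
$rooms = @(Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "RoomMailbox" } |
    ForEach-Object { $_.PrimarySmtpAddress })

# Allow each room to process invitations whose organizer is external.
foreach ($room in $rooms) {
    Set-CalendarProcessing -Identity $room -ProcessExternalMeetingMessages $true
}

# Reject anything sent to those rooms by a sender outside the organization,
# so that only internal users can forward external invitations to them.
# The recipient list is static: update the rule when rooms are added or removed.
New-TransportRule -Name $rule_name `
    -FromScope NotInOrganization `
    -SentTo $rooms `
    -RejectMessageReasonText "This room only accepts invitations from internal users." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Confirm that the rule exists and is enabled.
Get-TransportRule -Identity $rule_name | Format-List Name, State, FromScope, SentTo
```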
Checking calendar processing settings
The following PowerShell command can be used to check calendar processing settings on all of the rooms in the mail-enabled security group that was created for One-Touch Join.
We recommend copying and saving this as a file and running it from within PowerShell.
Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the
# Lists of rooms that fail each check
$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()

# Email of the mail-enabled security group created for One-Touch Join
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    Write-Host "Checking room '$($_.name)'"
    $processing = Get-CalendarProcessing -Identity $_.name
    $pass = $true
    if ($processing.DeleteSubject) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
        $deleted_subjects += $_.name
        $pass = $false
    }
    if ($processing.AddOrganizerToSubject) {
        Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
        $organizer_added += $_.name
        $pass = $false
    }
    if ($processing.DeleteComments) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
        $deleted_bodies += $_.name
        $pass = $false
    }
    if ($processing.RemovePrivateProperty) {
        Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
        $private_flag_reset += $_.name
        $pass = $false
    }
    if ($processing.AutomateProcessing -ne "AutoAccept") {
        Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -ForegroundColor Red
        $not_auto_accept += $_.name
        $pass = $false
    }
    # Optional permission for allowing the external invites:
    if ($processing.ProcessExternalMeetingMessages) {
        Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
        $process_external += $_.name
    }
    if ($pass) {
        Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
    }
}

# Summary of every check, with the names of the affected rooms
Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
    Write-Host $deleted_subjects -Separator ", "
    Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
    Write-Host $organizer_added -Separator ", "
    Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {
    Write-Host $deleted_bodies -Separator ", "
    Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
    Write-Host $private_flag_reset -Separator ", "
    Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
if ($not_auto_accept) {
    Write-Host $not_auto_accept -Separator ", "
    Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
    Write-Host $process_external -Separator ", "
    Write-Host ""
}
Configuring One-Touch Join global settings
In this step you configure Pexip Control Center to enable One-Touch Join, including adding the calendar provider you are using and its associated endpoint mailboxes, and configuring meeting processing rules.
Ensure you meet all the Prerequisites, including ensuring that you have verified your Microsoft 365 tenant domain, and that in PCC you have the OTJ Admin role towards the company you want to configure, and that company is enabled for One-Touch Join.
You must first add a provider before you can add a mailbox.
Enabling One-Touch Join for a company
- Sign into your PCC account.
- In the menu on the left, go to . You see the One-Touch Join Global Configuration page.
- Toggle the button to the right of Enable One-Touch Join for this company to Enabled:
Configuring a calendar provider
In this step you provide consent for One-Touch Join to access nominated Microsoft O365 tenants.
- Sign into your PCC account.
- In the menu on the left, go to . You see the One-Touch Join Global Configuration page.
- From the General settings tab, select Add provider:
- From the Provider Configuration pop-up, select the Tenant and enter a unique name for your configuration:
- Either:
  - If you do not have Global Admin access to the Microsoft O365 tenant yourself, select Skip Microsoft 365 consent flow now and then select Copy consent link. Share this link with a Global Admin, asking them to consent to the required permissions.
  - Otherwise, select Next, complete the tenant authentication flow as an administrator, and consent to the required permissions:
Permission | Details | More information |
---|---|---|
Read calendars in all mailboxes | The Calendars.Read application permission allows the app to read events of all calendars in an organization / tenant without a signed-in user. We recommend the use of a mail-enabled security group to restrict One-Touch Join's access to only the data it requires. | Application permissions: https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-11 |
Sign in and read user profile | The User.Read delegated permission is added by default for Microsoft Entra ID apps, but is not used by One-Touch Join. | User permissions: https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions |
The provider appears under the Calendar Provider Configuration section of the One-Touch Join Global Configuration page:
To delete or edit a provider from your configuration, select the menu beside the provider and select Edit provider or Delete provider.
Configuring mailboxes
In this step you configure which video conferencing systems are supported in this One-Touch Join environment. To do this, you add each of the associated room resource mailboxes (for room-based video conferencing systems) and personal mailboxes (for personal endpoints).
- From the General settings tab, in the Mailbox Configuration section, select Add mailbox:
- From the Mailbox configuration pop-up, select the calendar Provider and enter the Mailbox email address:
- Select Save.
  The new mailbox appears in the Mailbox Configuration list:
- Repeat the steps above to add additional mailboxes.
To delete or edit a mailbox from your configuration, select the menu beside the mailbox and select Edit mailbox or Delete mailbox.
Configuring meeting processing settings
You can control how the calendar invitations in your One-Touch Join environment are processed and what meeting information is displayed on endpoints. The options are available from the One-Touch Join Global Configuration page, under the Meeting Processing Settings tab. You can edit these settings at any time:
When you are finished configuring the meeting processing settings, select Save changes.
Enabling OTJ for a video system
After you have enabled and configured OTJ globally for your organization, you must then enable it on an individual basis for video systems in your organization. All provisioned video systems and endpoints can be configured from your Pexip Control Center.
For information on how to enable OTJ on specific endpoints, see: