Configuring One-Touch Join

Global configuration and settings for One-Touch Join (OTJ) in your organization are located in Settings in the Pexip Control Center (PCC). Configuration in PCC, such as setting up a provider and mailbox, must be completed before OTJ is enabled on any video conferencing system.

You can access general information about the Pexip Control Center platform here.

Prerequisites

Before you begin, ensure that you have fulfilled the following requirements:

  • The endpoints you want to include in One-Touch Join are already added in the Pexip Control Center and can connect with the Pexip Service.
  • In Pexip Control Center, you have the OTJ Admin role towards the company you want to configure, and that company is enabled for One-Touch Join.
  • You have the Global Admin role for your organization's Office 365 account. If you don't, a user who does have this role will need to provide consent on your behalf to the tenant being accessed by One-Touch Join.
  • You have verified your Microsoft 365 tenant domain by adding a DNS TXT record for your Microsoft 365 domain — see Verifying Microsoft 365 tenant domains for instructions.
  • Each physical room that will have a One-Touch Join endpoint in it has an associated room resource and mailbox. All room resources and mailboxes associated with your OTJ endpoints must be created in Microsoft 365 tenants only (on-premises mailboxes are not supported, even in Exchange hybrid deployments). This feature uses the Graph API to authorize access to the mailboxes used for OTJ.

Firewall configuration

Ensure you have configured your firewall appropriately (the full set of firewall rules is available here).

These are the port usage rules for One-Touch Join for Pexip Service:

Source        Transport   Service/Application   Destination ports   Rule       Destination
Endpoints     TCP         HTTPS                 443                 Outgoing   185.94.240.0/22, 185.124.96.0/22
Endpoints *   UDP         NTP                   123                 Outgoing   176.58.109.199/32

* For OTJ to display meetings at the correct time, the endpoint must have a synchronized clock. You may use your own NTP server instead of the one provided by Pexip above (and thus you do not need to allow this range); however, you must inform your Pexip authorized support representative.

These are the domains that may need to be safelisted to allow traffic to pass without interference:

Domain                  Service/Application
otj.pexip.io            for One-Touch Join for Pexip Service (Cisco & Poly)
auth.otj.pexip.io
cisco-macros.pexip.io   for One-Touch Join for Pexip Service (Cisco only)

Obtaining OTJ Admin rights

To set up One-Touch Join for a company, you must be logged in as a user with the OTJ Admin role (in addition to the Admin role) for that company.

To be granted this role:

  • Any user in your company who has both the Access Admin and Admin roles can grant you the OTJ Admin role. If you have these roles already, you can grant yourself (and others) the OTJ Admin role.
  • A user in your partner organization who has the Access Admin role, and the Admin role for your company, can grant you the OTJ Admin role.

Setting up a mail-enabled security group

As part of the One-Touch Join setup, we strongly recommend that you create a mail-enabled security group in the Microsoft Exchange Admin Center. However, it is still possible to use One-Touch Join without a mail-enabled security group.

  1. Create a security group using either the EAC or Exchange Online PowerShell. For full instructions, see Microsoft's documentation for managing mail-enabled security groups using the EAC or using PowerShell.

    An example PowerShell command is given below — you must provide your own Name and Alias.

    New-DistributionGroup -Name "Pexip OTJ resource-mailboxes" -Alias otjrooms -Type security
  2. Add the desired mailboxes for rooms and users in your OTJ environment as members of the new security group.
  3. To restrict Pexip’s access to only the data it requires, create an application security policy using the PowerShell command below.

    You must change the PolicyScopeGroupId and can optionally change the description.

    New-ApplicationAccessPolicy -AppId 5b19f2a2-1969-4db2-9882-f7497a0bb6d2 -PolicyScopeGroupId <email of the mail-enabled security group> -AccessRight RestrictAccess -Description "Restrict Pexip OTJ app to selected room resource mailboxes"

After you change an application access policy, it can take up to 2 hours before OTJ meetings start being received for an endpoint.
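To confirm that the policy scopes the app as intended, the following added example (not part of Pexip's documentation) uses Test-ApplicationAccessPolicy to check that every member of the group is granted access and that a mailbox outside the group is denied. The group address and the out-of-scope mailbox are placeholder assumptions; run it in an Exchange Online PowerShell session.

```powershell
# Added example: verify the scope of the application access policy.
# Assumptions: $OtjGroup and $OutOfScope are placeholders for your own addresses.
$AppId      = "5b19f2a2-1969-4db2-9882-f7497a0bb6d2"   # AppId used in the policy above
$OtjGroup   = "otjrooms@example.com"                    # mail-enabled security group
$OutOfScope = @("someone.else@example.com")             # mailboxes the app must NOT read

# Show the policies that currently apply to the app.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-Table ScopeName, AccessRight, Description -AutoSize

$problems = @()

# Every member of the group should be reachable by the app.
Get-DistributionGroupMember -Identity $OtjGroup -ResultSize Unlimited | ForEach-Object {
    $result = Test-ApplicationAccessPolicy -Identity $_.PrimarySmtpAddress -AppId $AppId
    if ($result.AccessCheckResult -ne "Granted") {
        $problems += "Expected Granted for $($_.PrimarySmtpAddress), got $($result.AccessCheckResult)"
    }
}

# Mailboxes outside the group should be denied.
foreach ($mailbox in $OutOfScope) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    if ($result.AccessCheckResult -ne "Denied") {
        $problems += "Expected Denied for $mailbox, got $($result.AccessCheckResult)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Host "WARNING: $_" -ForegroundColor Red }
} else {
    Write-Host "INFO: Policy scope matches the group membership" -ForegroundColor Green
}
```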

Configuring calendar processing on room resource mailboxes

Recommended configuration

To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you change the following calendar processing options from the default:

  1. The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar headers can be used (because the body will be deleted).
  2. When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name of the organizer (for more information, see this Microsoft article).

    Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room endpoints.

  3. The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as private in the room mailbox, you must set the RemovePrivateProperty flag to False.
  4. When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a response from a room that may not have been included in their original invitation, you can configure additional text that is sent to the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.

PowerShell command

To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room resource whose processing you want to change):

Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the meeting from this room using Pexip One Touch Join."

Optional configuration

Hiding invitation details from other users

In order for One-Touch Join to function fully, the application must be able to access the body of the invitation (which is why we recommend that you set the DeleteComments property to False). However, this means that all other users in your deployment with access to the room resource calendar may also be able to view the body of the invitation (depending on your deployment's other policies). If you want to prevent this, you can use the following PowerShell command to restrict what users can see by default, without restricting what the application can access.

In the following command, replace resource_name with the name of the room resource, and replace role with one of the following roles:

  • AvailabilityOnly: users can view the room's availability, but nothing else.
  • LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.

Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role

Allowing forwarding of external invitations

Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to determine what is appropriate in your environment.

  • If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users internal to your organization can forward external invitations to OTJ meeting rooms.

  • If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules include an exception for any URL starting with the domain https://teams.microsoft.com/
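A transport rule of the kind described in the first bullet, as an added example that is not from Pexip's documentation: it rejects invitations sent directly by external senders to members of the OTJ group, while invitations forwarded by internal users still arrive. The group address, rule name and rejection text are assumptions; adjust them with your Exchange administrator.

```powershell
# Added example: allow forwarded external invitations, block direct external ones.
# Assumptions: $OtjGroup, $RuleName and the rejection text are placeholders.
$OtjGroup = "otjrooms@example.com"
$RuleName = "Block external senders to OTJ rooms"

# 1. Let each room in the group process meeting messages that originate externally.
#    Personal mailboxes in the group are skipped; only room mailboxes are changed.
Get-DistributionGroupMember -Identity $OtjGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "RoomMailbox" } |
    ForEach-Object {
        Set-CalendarProcessing -Identity $_.PrimarySmtpAddress -ProcessExternalMeetingMessages $true
    }

# 2. Reject mail from senders outside the organization addressed to group members.
#    A forward from an internal user has an internal sender, so it is not matched.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if (-not $existing) {
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -SentToMemberOf $OtjGroup `
        -RejectMessageReasonText "This room only accepts invitations from internal users." `
        -Mode Enforce
}

# 3. Confirm the rule is enabled and scoped to the group.
Get-TransportRule | Where-Object { $_.Name -eq $RuleName } |
    Format-List Name, State, Mode, FromScope, SentToMemberOf
```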

Checking calendar processing settings

The following PowerShell command can be used to check calendar processing settings on all of the rooms in the mail-enabled security group that was created for One-Touch Join.

We recommend copying and saving this as a file and running it from within PowerShell.

Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the mail-enabled security group (which is a type of Distribution Group) used in your own deployment.

$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    Write-Host "Checking room '$($_.name)'"
    $processing = Get-CalendarProcessing -Identity $_.name
    $pass = $true
    if ($processing.DeleteSubject) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
        $deleted_subjects += $_.name
        $pass = $false
    }
    if ($processing.AddOrganizerToSubject) {
        Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
        $organizer_added += $_.name
        $pass = $false
    }
    if ($processing.DeleteComments) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
        $deleted_bodies += $_.name
        $pass = $false
    }
    if ($processing.RemovePrivateProperty) {
        Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
        $private_flag_reset += $_.name
        $pass = $false
    }
    if ($processing.AutomateProcessing -ne "AutoAccept") {
        Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -ForegroundColor Red
        $not_auto_accept += $_.name
        $pass = $false
    }
    # Optional permission for allowing the external invites:
    if ($processing.ProcessExternalMeetingMessages) {
        Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
        $process_external += $_.name
    }
    if ($pass) {
        Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
    }
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
    Write-Host $deleted_subjects -Separator ", "
    Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
    Write-Host $organizer_added -Separator ", "
    Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {
    Write-Host $deleted_bodies -Separator ", "
    Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
    Write-Host $private_flag_reset -Separator ", "
    Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
if ($not_auto_accept) {
    Write-Host $not_auto_accept -Separator ", "
    Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
    Write-Host $process_external -Separator ", "
    Write-Host ""
}

Configuring One-Touch Join global settings

In this step you configure Pexip Control Center to enable One-Touch Join, including adding the calendar provider you are using and its associated endpoint mailboxes, and configuring meeting processing rules.

Ensure you meet all the Prerequisites, including ensuring that you have verified your Microsoft 365 tenant domain, and that in PCC you have the OTJ Admin role towards the company you want to configure, and that company is enabled for One-Touch Join.

You must first add a provider before you can add a mailbox.

Enabling One-Touch Join for a company

  1. Sign into your PCC account.
  2. In the menu on the left, go to Settings > One-Touch join.

    You see the One-Touch Join Global Configuration page.

  3. Toggle the button to the right of Enable One-Touch Join for this company to Enabled.

Configuring a calendar provider

In this step you provide consent for One-Touch Join to access nominated Microsoft O365 tenants.

  1. Sign into your PCC account.
  2. In the menu on the left, go to Settings > One-Touch join.

    You see the One-Touch Join Global Configuration page.

  3. From the General settings tab, select Add provider.

  4. From the Provider Configuration pop-up, select the Tenant and enter a unique name for your configuration.

  5. Either:

    • If you do not have Global Admin access to the Microsoft O365 tenant yourself, select Skip Microsoft 365 consent flow now and then select Copy consent link. Share this link with a Global Admin, asking them to consent to the required permissions.
    • Otherwise, select Next, complete the tenant authentication flow as an administrator, and consent to the required permissions:

    Required permissions

    Permission: Read calendars in all mailboxes
    Details: The Calendars.Read application permission allows the app to read events of all calendars in an organization / tenant without a signed-in user. We recommend the use of a mail-enabled security group to restrict One-Touch Join's access to only the data it requires.
    More information: Application permissions: https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-11

    Permission: Sign in and read user profile
    Details: The User.Read delegated permission is added by default for Microsoft Entra ID apps, but is not used by One-Touch Join.
    More information: User permissions: https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions

The provider appears under the Calendar Provider Configuration section of the One-Touch Join Global Configuration page.

To delete or edit a provider from your configuration, select the menu beside the provider and select Edit provider or Delete provider.

Configuring mailboxes

In this step you configure which video conferencing systems are supported in this One-Touch Join environment. To do this, you add each of the associated room resource mailboxes (for room-based video conferencing systems) and personal mailboxes (for personal endpoints).

  1. From the General settings tab, in the Mailbox Configuration section, select Add mailbox.

  2. From the Mailbox configuration pop-up, select the calendar Provider and enter the Mailbox email address.

  3. Select Save.

    The new mailbox appears in the Mailbox Configuration list.

  4. Repeat the steps above to add additional mailboxes.

To delete or edit a mailbox from your configuration, select the menu beside the mailbox and select Edit mailbox or Delete mailbox.

Configuring meeting processing settings

You can control how the calendar invitations in your One-Touch Join environment are processed and what meeting information is displayed on endpoints. The options are available from the One-Touch Join Global Configuration page, under the Meeting Processing Settings tab. You can edit these settings at any time:

Display non-video meetings: If "Yes", all mailbox calendar events, including video and non-video meetings, are displayed on the endpoint. If "No", only video meetings are displayed.

Display private meetings: Make private meetings visible on the endpoint. If enabled, you can ensure that private meeting subjects remain hidden with the next setting, Replace meeting subject.

Replace meeting subject: You can choose to replace the original meeting subject of private meetings only, all meetings, or not at all. This is strongly recommended for private meetings as the subject may be visible to anyone with access to the endpoint if it is in a public space.

Replace subject with: Replace the subject text with the name of the meeting organizer or some custom text.

PIN Codes (currently supported for Zoom meetings only): If "Yes", OTJ will attempt to obtain the meeting PIN code / passcode and use it when joining the meeting. This means that users may not be required to enter a PIN when joining the meeting, so for security this setting should be set to "No" by default.

Additional domains to search (optional): You can add other domains that OTJ will search for in the meeting body, in addition to the existing meeting processing rules. The search will result in a match even if the URI includes one or more subdomains of the domain being searched for. The domain can also include subdomains. When there is a match, the full URI is used as the meeting alias. For example, if the domain is sales.example.com, that will match alice@sales.example.com and alice@us.sales.example.com but not alice@example.com.

Microsoft Teams

Process property header: Process the Teams property header for matching rules. Recommended if your organization uses Teams meetings. This setting must be enabled if the invite body is deleted.

Property domain (shown when Process property header is enabled): The domain to be appended to the meeting ID if the property rule is matched. This is used to create the alias that the endpoint will dial to join the meeting. The domain value is that used to dial in to your CVI, and therefore this rule will only work on invitations sent from within your domain.

When you are finished configuring the meeting processing settings, select Save changes.
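The matching rule described for Additional domains to search, as an added example that is not Pexip's code: it lets you check which URIs in a sample invitation body would be picked up for a domain before you add it. The function name, the URI pattern and the assumption that a match requires the host to equal the domain or end with a dot followed by the domain are illustrative, not taken from OTJ.

```powershell
# Added example: which URIs in an invite body match an "additional domain"?
# Assumption: the host must equal the domain or end with ".<domain>".
function Find-OtjAliasCandidate {
    param(
        [Parameter(Mandatory)][string]   $Body,
        [Parameter(Mandatory)][string[]] $Domains
    )
    # Extract user@host tokens from the body (constructed pattern, not OTJ's parser).
    $pattern = '[A-Za-z0-9._%+-]+@(?<host>[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)'
    foreach ($m in [regex]::Matches($Body, $pattern)) {
        $uriHost = $m.Groups['host'].Value.ToLowerInvariant()
        foreach ($d in $Domains) {
            $domain = $d.ToLowerInvariant()
            # Compare on a label boundary so that a host which merely ends with the
            # same characters (without the leading dot) is not treated as a subdomain.
            if ($uriHost -eq $domain -or $uriHost.EndsWith(".$domain")) {
                $m.Value      # the full URI is what would be used as the meeting alias
                break
            }
        }
    }
}

# Constructed sample body using the addresses from the setting description.
$body = @'
Join: alice@sales.example.com
Regional: alice@us.sales.example.com
Other: alice@example.com
'@

Find-OtjAliasCandidate -Body $body -Domains "sales.example.com"
```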

Enabling OTJ for a video system

After you have enabled and configured OTJ globally for your organization, you must then enable it on an individual basis for video systems in your organization. All provisioned video systems and endpoints can be configured from your Pexip Control Center.

For information on how to enable OTJ on specific endpoints, see: