IBM Notes plugins are powerful little bits of code that can do a lot to enhance and customize your Notes desktops, but they can be a challenge to deploy in a secure yet efficient manner. Many companies lock down the end user’s Notes environment, and for good reason. Many a help desk call is the result of a user experimenting in their configuration files not really knowing what they are doing, resulting often in a non-functioning Notes client. So what are some best practices for deploying Notes plugins?
Keep it safe!
First and foremost, you must preserve the integrity and safety of your internal resources. A key to this is to never, under any circumstances, permit installation of any unsigned JAR files. To allow unsigned plugins to be installed is simply asking for trouble! You would not trust an unsigned SSL certificate, so why would you trust unsigned code?
Keep it consistent!
There are multiple methods that can be used to install plugins, each with different benefits and drawbacks, but it is best to have a single approved method. This way, your end users will not be as prone to go rogue and try installing something they found on the public Internet – no matter how cool it is - without going through appropriate approval channels.
Keep it simple!
The decision point of what and how plugins are installed should not be in the hands of the end user. There are way too many variables, and frankly the technical aspects of such decisions may be well beyond the scope of many users.
What to do?
- Utilize a widget catalog, which is a Notes database with all the Notes security and ACL controls available
- Enforce rules and policies to validate and control what is placed in the catalog
- Lock down the Notes desktop sufficient to prevent end users from installing plugins via other methods
- Establish a communication avenue to alert users when a new plugin is available, or when an existing one is to be removed
- Enable a workstation inventory tool to validate appropriate plugins are installed and at correct version levels (Hint: this is a good idea for ALL software on the workstation)
The best thing would be to automate management of plugins. This can be accomplished with a product like BCC’s ClientGenie for example. Which can automate plugin deployment and removal and many of the other best practice tasks such as;
- The initial setup, lock-down and future changes of the Notes client configuration,
- Workstation inventory, and
- Manage Roaming and Mobile users,
- And much more.
This way, your end users are relieved of much of the technical burden and decision-making. Also, your Notes Admin can enforce the policy defined by your organization's Security Officer, and can ensure that all - and only - the appropriate plugins are installed. This may not guarantee zero calls to the help desk for a broken Notes client or that no malicious code will ever find it’s way into your environment, but it will go a long way to preventing both of these potential problems.
Interested in learning about ClientGenie?