MeetingSphere Portable Server Box Administration Manual

Administration Handbook

MeetingSphere Portable Server 3

Contents

1. Bringing the Server into service (Basics) .......................... 5

1.1 Starting and stopping the Server ................................................................................. 5

1.2 Setting up the local (wireless) network ....................................................................... 5

1.2.1 WLAN Access Point ............................................................................................... 5

1.2.2 IP address assignment (DHCP) ............................................................................. 6

1.2.3 Domain name resolution (DNS) ........................................................................... 6

1.3 First login ..................................................................................................................... 6

1.3.1 Login to the Server Console ................................................................................. 7

1.3.2 Login to the Meeting center................................................................................. 7

1.3.3 Initial configuration of the Meeting center.......................................................... 8

2. The Server Console ......................................................... 9

2.1 Network settings ......................................................................................................... 9

2.1.1 Setting the server's network address ................................................................... 9

2.1.2 The DHCP service................................................................................................ 10

2.1.3 Domain name resolution (DNS) ......................................................................... 10

2.1.4 Wireless network ............................................................................................... 11

2.1.5 Extending the network ....................................................................................... 11

2.2 Log control ................................................................................................................. 11

2.3 Notification settings / Contact info server administration ....................................... 13

2.4 Backup and restore .................................................................................................... 13

2.4.1 Create Backup .................................................................................................... 13

2.4.2 Restore databases from backup ......................................................................... 14

2.4.3 Restore complete server machine ..................................................................... 15

3. Meeting center settings ................................................ 15

3.1 General Meeting center settings ............................................................................... 16

3.2 Terms of use for acceptance after login .................................................................... 17

3.3 Layout and content of login page .............................................................................. 17

3.3.1 Branding ............................................................................................................. 18

3.3.2 Terms of use ....................................................................................................... 18

3.4 Authentication settings ............................................................................................. 19

3.4.1 Password complexity requirements ................................................................... 20

3.4.2 Scheduled change of password .......................................................................... 21

3.4.3 User administration control ............................................................................... 22

3.5 Screen saver ............................................................................................................... 23

3.5.1 Re-authentication ............................................................................................... 24

3.5.2 Specification of the screen lock ......................................................................... 25

3.6 Default report logo .................................................................................................... 25

3.7 Notification and contact info ..................................................................................... 26

3.8 Template settings ...................................................................................................... 28

3.9 Log file ........................................................................................................................ 28

4. User administration ...................................................... 29

4.1 User accounts ............................................................................................................ 30

4.1.1 One-time participants ........................................................................................ 30

4.1.2 Non-personal Facilitator accounts ..................................................................... 30

4.1.3 Regular users ...................................................................................................... 30

4.2 Administrators ........................................................................................................... 35

4.3 Automatic deletion and removal of users from trash ............................................... 36

5. Subscription administration ......................................... 37

5.1 File-based administration of subscriptions ............................................................... 37

5.2 Maintaining the Portable Server subscription .......................................................... 41

5.3 Self-administration of Non-personal Facilitator Subscriptions ................................. 41

5.3.1 Subscription administration in the MeetingSphere Store ................................. 42

5.3.2 Understanding the participant limit ................................................................... 43

5.4 Reportable events ..................................................................................................... 43

6. Session settings ............................................................ 44

6.1 Binding meeting settings ........................................................................................... 44

6.2 Default values for meeting setup .............................................................................. 46

7. Default welcome screen ............................................... 48

8. Software update ........................................................... 50

8.1 Critical updates .......................................................................................................... 50

8.2 Update process .......................................................................................................... 50

8.2.1 Checking for updates .......................................................................................... 50

8.2.2 Download the update from the update server .................................................. 51

8.2.3 Upload the update installer to the Portable Server ........................................... 51

9. Technical specification .................................................. 51

9.1 Client .......................................................................................................................... 51

9.2 Network connectivity ................................................................................................ 52

9.3 Security ...................................................................................................................... 52

9.3.1 Protection of traffic ............................................................................................ 52

9.3.2 Protection against malicious code ..................................................................... 52

10. Protection of privacy .................................................... 53

10.1 Protection of content ................................................................................................ 53

10.2 Anonymity ................................................................................................................. 53

10.3 Privacy in the meeting report .................................................................................... 54

10.4 Logs and lists .............................................................................................................. 54

Appendix A: Auditable events ........................................... 56

This manual describes the administration of a MeetingSphere Portable Server. It is complemented by MeetingSphere’s guide “How to set up a Wireless Network for MeetingSphere Portable Server” which is also available on MeetingSphere’s website.

If you are concerned with a Portable Server SCIF Edition you want to download that product's specific handbook.

1. Bringing the Server into service (Basics)

The Portable Server is delivered pre-installed on a Portable Server Box which is, in fact, a highpowered "headless" server optimized for easy off-Internet deployment on an ad-hoc local network. The Portable Server does not require keyboard nor monitor as all configuration is achieved through the Portable Server application via a browser.

The Portable Server is accessed through two URLs

• http://meetingsphere.net for meetings and Meeting center administration.

• http://console-meetingsphere.net for setting the server's IP addresses and for restoring

the database from backup in the server console (only user "serveradmin")

1.1 Starting and stopping the Server

Switch on the Portable Server with the front-side power switch.

• Give the server 30 seconds to boot the operating system and come "up"

• When the light is on, do not pull the power cord

• Always shut down the server

o by selecting that option when logging out

o with the power switch. Press once. Wait till the light is off.

1.2 Setting up the local (wireless) network

The Portable Server is designed for use on a separate, private (Off-Internet) network. The Portable Server will control its network via its inbuilt DHCP and DNS services.

Do not run the server on networks where DHCP or DNS are provided by other devices (such as a DSL-Router) as these services are bound to clash with those of the Portable Server.

1.2.1 WLAN Access Point

The Portable Server Box is equipped with a GBit ethernet interface into which the Wireless Access Point is plugged.

Be aware that most consumer products – especially those “given away” by broad-band providers – are liable to start dropping connections even with small numbers of participants. Quality

consumer Access Points such as Apples Airport series (2nd generation) will reliably support up to about 50 connections (user machines; check the specs!). If you must expect a saturated radio spectrum (such as inner London, New York, Paris), there is no way around truly professional kit from the likes of Ruckus that will find and exploit the gaps. Use multiple Access Points with "Roam- ing" for larger numbers of connecting computers.

Note that a Router is not an “Access Point” as we use the term here. If your favoured device happens to be a router, you may be able to switch it to “Access Point” (“AP”) or “Bridge” mode

thereby disabling the unwanted router functionality. If you cannot switch to AP or Bridge mode, buy another router which can do this or buy a (non-router) Access Point or check out MeetingSphere’s guide “How to set up a Wireless Network for MeetingSphere Portable Server” which is available on MeetingSphere’s website.

Configure the Access Point as follows:

IP = 192.168.1.3 (an address reserved in the server's DHCP) Router address (if asked): 192.168.1.1 (the Portable Server) DNS server (if asked): 192.168.1.1 (the Portable Server) SSID: visible, e.g. MeetingSphere Encryption: WPA PSK2, AES (recommended) Password: Pronounceable, e.g. MeetingSphere

1.2.2 IP address assignment (DHCP)

The MeetingSphere Portable Server is licensed only for operation on separate private networks and is delivered with factory defaults 192.168.1.1 (Meeting center) and .2 (console). The integrated DHCP server provides IP addresses from 192.168.1.16 through .254 dynamically to clients. Addresses 192.168.1.3 through .15 are reserved for devices with fixed IP such as Access Points, printers or routers for extending the address range to very high numbers. For details, see chapter “Network settings”

Note that, in the server console, the network of the Portable Server can be changed from e.g.

192.168.1 to e.g. 192.168.2. In this case, all IP addresses given above would change relative to that new network number.

1.2.3 Domain name resolution (DNS)

The Portable Server is equipped with a DNS server which resolves name requests for

• meetingsphere.net (the Meeting center application)

• console-meetingsphere.net (the server console)

1.3 First login

After the Portable Server has been made available on the wireless network, log in to the two components of the Server application and change passwords.

1.3.1 Login to the Server Console

First, login to the server console by entering the console's URL to the address field of your browser:

http://console-meetingsphere.net

User name: serveradmin

Password: changeme! (change at first login)

You must enable pop-ups for the server console.

A change of password is forced at first login.

Make sure to take down the new password and store it in a safe place as you will need to access the Server Console to

• Change the Server's IP addresses (possibly)

• Review logs (possibly)

• Restore the Server Console or the Meeting center from Backup (hopefully not!)

1.3.2 Login to the Meeting center

Now, login to the Meeting center with the username (your email address) sent to you from the MeetingSphere Store by entering the Meeting center's URL to the address field of your browser:

• http://meetingsphere.net

• User name: your email address

• Password: changeme! (change at first login)

You must enable pop-ups for the server console.

Make sure to remember the new password. You will need to access the Meeting center in your role of Subscription Administrator and (at least initially) Meeting center Administrator with your personal account.

Host account(s). You will have purchased one or more Facilitator subscriptions for non-personal user accounts which you will find in the Meeting center's user database. Log in and change the default password at first login.

• http://meetingsphere.net

• User name: e.g. Host01@meetingsphere.net

• Initial password: changeme! (change at first login)

Note that, on a Portable Server, as far as MeetingSphere is concerned, you are free to share the login details of these non-personal Facilitator accounts between several persons. Check wether such sharing of accounts is also in line with the policies of your organization.

Facilitators simply change the Firstname and Surname of the account in the user profile. This puts the right name on the cover sheet of the report.

1.3.3 Initial configuration of the Meeting center

First login

The Subscription administrator is the first Meeting center administrator of the Meeting center. The Subscription administrator signs in under

http://meetingsphere.net

with the credentials (s)he has received on purchase, i.e. email address and initial password

“changeme!” (change at first login).

Open Meeting center administration

Access is limited to administrators of the Meeting center i.e. initially the Subscription administrator.

Review and adapt the following settings:

Company name and welcome message (Meeting center settings > Meeting center)

The name of your organization is maintained in the MeetingSphere Store. Specify a suitable possessive pronoun for the Meeting center’s welcome message at login, for instance “Welcome to the Meeting center “of” “Example Inc.”

End-user licence Agreement. (Meeting center settings > Terms of use) If required, specify a document which users must accept (once) after signing in.

Customize login page. (Meeting center settings > Layout and content of login page)

If required, customize the login page with your organization’s logo or terms of use which must be

accepted at sign-in.

Authentication requirements (Meeting center settings > Authentication settings) Specify the authentication requirements in keeping with your organization’s rules.

Default report logo (Meeting center settings > Default report logo)

Upload your organization’s logo for printing on the cover sheet of meeting reports. Note that Facilitators can customize the logo of any report.

Contact info (Meeting center settings > Contact information)

Which contact info shall be displayed to users under “Help > Support”? If applicable, add a note

on service availability e.g. office hours.

Brand your welcome screen (Default welcome screen)

Participants enter and exit a meeting via the welcome screen. Brand your Meeting center by uploading a wallpaper for the default welcome screen. Note that Facilitators can customize the wel-

come screen for any meeting.

Administer users (User accounts and privileges) Create users manually or by import from file.

• Create and maintain members of your organization in the “internal users” tab.

• Create and maintain “external users” in that tab

• Assign administrative privileges by editing the respective user profiles.

2. The Server Console

The Server Console is called via:

• URL: http://console-meetingsphere.net

• User name: serveradmin

• Password: as set on first login (factory default: changeme!)

The Server Console is for:

• configuring the network settings

• controlling and reviewing logs

• configuring the backup and restore process

2.1 Network settings

Portable Servers are designed and licensed for being run on a separate (wireless) LAN on which the server provides the

• the DHCP service (assignment of IP addresses to clients)

• the DNS service (name resolution to IP addresses)

These services cannot be switched off.

To avoid conflict and technical failure, make sure that there are no other devices on the network which also provide these services.

2.1.1 Setting the server's network address

The Portable Server requires two IP addresses, namely "1" (Meeting center) and "2" (Console) on a class C network (default: 192.168.1). These IPs are given by the server's DNS when the Meeting center or the Console are called on the network:

http://meetingsphere.net IP 192.168.1.1 (factory default)

http://console-meetingsphere.net IP 192.168.1.2 (factory default)

Server console >> Server administration

Change this only for good cause.

Changing the server's network to e.g. 192.168.2 will change these addresses to 192.168.2.1 and

192.168.2.2 respectively.

2.1.2 The DHCP service

The server’s DHCP service allocates network addresses to devices that connect to the network.

Depending on the server's IP address, the DHCP server will:

• reserve the following 13 IP addresses for peripherals with a fixed IP address such as ac-

cess points, routers or printers and

• allocate addresses to clients with "automatic" IP address assignment after that

Examples:

On shipping, factory defaults:

Meeting center IP address: 192.168.1.1

Server Console IP address: 192.168.1.2

Adresses reserved in DHCP 192.168.1.3 through 192.168.1.15

Addresses allocated by DHCP 192.168.1.16 through 192.168.1.254

With custom IP address:

Meeting center IP address: 192.168.2.1

Server Console IP address: 192.168.2.2

Adresses reserved in DHCP 192.168.2.3 through 192.168.2.15

Addresses allocated by DHCP 192.168.2.16 through 192.168.2.254

2.1.3 Domain name resolution (DNS)

The Portable Server's DNS server resolves name requests for:

• meetingsphere.net (the Meeting center application)

• console-meetingsphere.net (the server console)

to the IP addresses specified above.

2.1.4 Wireless network

The Portable Server Box is equipped with a GBit ethernet interface into which a Wireless Access Point can be plugged.

A professional WLAN Access Point (not router!) must be procured separately in accordance with local regulations (legal frequencies, channels). Unlike consumer products, Business Access Points will reliably support up to about 50 users (check the specs!).

Configure the Access Point as follows (IP address based on factory defaults):

Access point IP address 192.168.1.3

SSID: visible; e.g. MeetingSphere

Encryption: WPA PSK2, AES (recommended)

Password: Pronounceable, e.g. MeetingSphere4711

2.1.5 Extending the network

For up to 200 connecting clients, extend the network by adding (professional!) access points and enable "roaming". If you are unfamiliar with building a wireless LAN for many users, check the download pages on meetingsphere.com for more info or, preferably, ask a network professional for help.

Should your requirements exceed the offered address range (i.e. 192.168.1.16 - .254), use separate (WLAN-)routers with separate DHCP to extend it.

Configure the extra router(s) as follows (IP addresses based on factory defaults):

WAN (uplink) IP address 192.168.1.4 (must be reserved in server's DHCP)

LAN IP address e.g. 192.168.2.1

DHCP: on

DNS server IP of the Portable Server i.e. 192.168.1.1 (default)

Add wireless Access Points (with roaming) to provide reliable radio connectivity for the extended address range.

2.2 Log control

Changes to the log settings become effective on confirmation.

The Portable Server keeps two separate logs:

1. The sytem log which logs miscellaneous system events for the purpose of debugging

2. The (optional) audit log which keeps track of all security-related events

Both logs can be viewed from the console or downloaded for analysis.

System logs older than 6 months are automatically purged from the system.

Audit log The (optional) audit log keeps track of all security related events including but not limited to

• Changes to security or authentication settings

• Login events

• Changes to passwords or user accounts

• Uploads or downloads

• Export or import of content

• Access to meetings

• Creation or deletion of meetings

• Backup or restore from backup

The anonymity of contributions is protected.

Auditable events are listed in Appendix A “Auditable events” of this handbook.

Log control

Retain log-files for (days) (Default: 90) Number of days for which log-files are maintained on the server.

Response to audit log processing failure

• Overwrite (default)

If a log entry cannot be written (for lack of space), an older log will be overwritten

• Shutdown Meeting center

If a log entry cannot be written – for whatever reason – the Meeting center will be shut down.

2.3 Notification settings / Contact info server administration

Contact information for server administration. This may be personal or group related (e.g. a helpdesk).

Information given here is displayed for reference in the contact information section of the Meeting center.

2.4 Backup and restore

The backup and restore procedure described below relates to restoring the system databases after (partial) system failure. Facilitators create backups of individual meetings by copying those

meetings within the database (technically: Creating new meeting from existing meeting) or by exporting the meeting as an .mssf file via the toolbar of meeting setup.

2.4.1 Create Backup

Backups can be created by any administrator or Facilitator by calling that function in Meeting center administration.

On execution of "Create backup", backups of the system databases are created, encrypted and presented for download.

After download is complete, the backup file is deleted from the server.

Downloaded backup files should be moved to a secure medium or system as soon as possible.

Create backup panel

2.4.2 Restore databases from backup

A restore from backup occurs in the Server Console which is called under http:\\console-meetingsphere.net.

To restore the server's databases, the Server administrator ("serveradmin")

• uploads a backup to the server's backup partition

• selects the relevant backup from the backup partition for restore.

Select backup to be restored

Server administrators should be aware that the Portable Server

• can only decrypt and apply backups which have been encrypted with its specific crypto-

graphic secrets

• may reject very old backups created on a no-longer supported version of the software

• will reject backups created on a more recent version of the software

• will reboot on completion of the restore operation

SUBSCRIPTION STATUS UPDATE REQUIRED! Note that a restore from backup is a reportable event as it includes subscription information on the server. You must complete a status update cycle within 7 days.

2.4.3 Restore complete server machine

After physical loss, catastrophic failure or after replacing a banged-about Portable Server Box with a new one, the system can be rebuilt from backup if a backup of the Meeting center databases exists. Proceed as follows:

1. Arrange for a new Portable Server Box with identical Server-ID through your Meeting-

Sphere sales partner.

2. Restore the databases

3. Complete a subscription update cycle to report the restore operation to the Meeting-

Sphere Store.

3. Meeting center settings

The Subscription administrator is the first Meeting center administrator of the Meeting center. The Subscription administrator signs in under

http://meetingsphere.net

with the credentials (s)he has received on purchase, i.e. email address and standard password “changeme!” (change at first login).

Meeting center administration is accessed via the Meeting center toolbar

Meeting center administration – main menu

3.1 General Meeting center settings

Meeting center settings govern the appearance and accessibility of the Meeting center. Further, support and contact information is specified

General Meeting center settings include

• URL of the Meeting center

On the Portable Server's local network, the Meeting center is called under http://meetingsphere.net or its IP address 192.168.1.1 (shipping default).

• Displayed name of organization

shows the name of the organization which owns the Portable Server. This name is used in the Meeting center and on the login page. It is specified in the MeetingSphere Store.

• Possessive pronoun

A possessive pronoun is needed for the salutary text in the Meeting center and for sys-

tem email. It must suit the chosen default language. In English this is typically “of” as in “Welcome to the Meeting center of Example Inc.”

• Supported languages

Specifies the languages supported by the Meeting center.

• Default language

Sets the default language of the Meeting center for new users.

General Meeting center settings

3.2 Terms of use for acceptance after login

Upload a PDF for display if users of the Meeting center must accept a written statement at first login.

The specified document will be displayed once after successful login.

If you require users to accept terms of use every time at login, customize the login page for this.

Specification of end-user agreement

3.3 Layout and content of login page

The login page of the Meeting center can be customized for the purposes of

• branding

• requesting the acceptance of use terms at each login

For customization, select option "Customized with centered login box". A wire frame of the layout is given.

Customization of login page: Upload graphic files (logo)

3.3.1 Branding

The wire frame of the brandable login screen gives three zones into which graphic content can be uploaded for display:

1. The "Upper Logo Header" which sits above the login box and can display one graphics

file

2. The "Logo Header above main field" which sits below the login box above the main field

and can display one graphics file

3. The "Main field" which can display either one graphics file or text.

To upload a graphics file, select option "Display graphic" and upload a file in bmp, gif, jpg, jpeg or png format. Display is limited by hight and scaled accordingly. Test different resolutions and remember that fat files are a pain to load over slow lines. Decide whether the graphic shall be displayed left aligned, right aligned or centered.

3.3.2 Terms of use

If you want the main field to display text, select that option.

Text is entered via multiple text fields. Add and delete fields as required.

Customization of login page: Specify text

Each text field can hold multiple paragraphs but can only be formatted as a whole. This means that all text in a field will be "Large", "Bold" or "Italic" (or not) and be listed under one bullet (or not).

Select option "Users must accept terms of use" to change the caption on the login button to "Login - I accept the terms of use" instead of plain "Login".

Preview the result before saving.

"Save" to render the new login screen "active".

If you want to keep your login screen clean and merely require users to accept terms of use once, consider feature "Terms of use for acceptance after login" as an alternative.

3.4 Authentication settings

Any authentication requirements for users with role " Meeting center administrator" automatically apply also to the Server administrator ("serveradmin") in the Server Console.

Unless prohibited by Meeting center administration, Facilitators may invite participants to join their meetings without authentication. If required, disable "open meetings" in Meeting center administration/meeting settings.

When considering authentication requirements for the Portable Server, keep in mind that these Servers are designed and licensed only for operation on separated local area networks. The first

and most important line of defence is to control access to that network and to protect the confidentiality and integrity of traffic on that network at the network level.

If you are concerned about your Portable Server holding sensitive content i.e. the results of meetings, you should instruct users who run meetings (Facilitators) not to leave meetings on the server but to export and delete them when done. Of course, you can back up such an instruction administratively by limiting the storage of content on the Server.

3.4.1 Password complexity requirements

Password complexity requirements

• Enforce password change at first login (Default: yes)

Specifies if users are forced to specify a personal password after logging on with the system-generated initial password.

• Password requirements

Specifies the minimum requirements for a valid password:

o Minimum length (Default: 8) o Quorum of capital letters (Default: 0) o Quorum of numbers (Default: 0) o Quorum of special characters (Default: 0) o Quorum of lower case letters (Default: 0) o Quorum of changed characters (Default 1)*

* The quorum of changed characters is checked and enforced versus the previous password. A change in position i.e. 69 vs 96 or 123456789 vs 923456781 counts as 2 changed characters. This is independent of the "Reject last passwords" feature which tests new passwords for an exact match against the hashes (an encrypted simile) of the given number of previous passwords.

• Allow browsers to save login credentials (Default: selected)

Deselect so prevent browsers from offering to save user credentials. Some passwordmanager applications may ignore this setting.

3.4.2 Scheduled change of password

The requirements for scheduled changes of passwords can be differentiated between internal users (members of the organization) and external users. They can also be limited by user privilege.

Force scheduled change of password

• Force password change after days (Default: 0 = not)

Requires users to change their password after the given number of days. Any number > 0 enables the further elements for specifying this feature.

• Reject last passwords (Minimum: 1)

Specifies the number of last-used passwords that will be rejected. Example: "12" will allow reuse of an old password only after 12 changes.

• Applies to

specify to which user types the settings shall apply:

o Administrators (Default: selected)

IF you require scheduled changes of passwords, that requirement should certainly apply to administrators.

o Facilitators (Default: deselected)

This setting depends on your IT policy. If you consider Facilitators (users who can run meetings on the Meeting center) as "privileged users" i.e something similar to administrators you should apply scheduled changes of passwords also to Facilitators. If you consider them simply as users (as most people do) you may choose not to.

Moreover, administrators should be aware that Facilitator accounts on the Portable Server are are typically used by several people who must be informed of any change of password. If they must expect users to share such changing information by insecure means - for instance, a post-it note that is stuck on the Portable Server

- any requirement for scheduled password changes may backfire.

IF you must tighten security by forcing passwords to be changed on a schedule, make the Portable Server’s Non-personal Facilitator accounts personal. For this you must purchase and assign a Non-personal Facilitator subscription for each person who is to use the Server as Facilitator and instruct these users not to share their credentials regardless of this being allowed under the subscription agreement.

o Participants (Default: deselected)

You should only require participants to periodically change their password if you must. Participants are neither Facilitators nor administrators and are merely asked to attend an authenticated meeting where they cannot cause much harm. Many of these users will log into the Meeting center only occasionally and find it

hard to remember a complex password even if they don’t have to keep changing

it.

3.4.3 User administration control

User admin control determines how users are administered and if privileged accounts are incompatible with operational use.

User administration control

• Exclude User admin from operational use (Default: deselected)

Select to require users with user admin privileges to use separate user accounts for their administrative role and for joining or running meetings as participant or Facilitator.

Since, on a Portable Server, Facilitator privileges are tied to specific non-personal accounts this means that

• Non-personal Facilitator accounts are excluded from the role of User admin

• User admins need a separate account for participating in meetings

Select if non-personal Facilitator accounts (e.g. Host01@meetingsphere.net) are shared between users. Separation or roles is recommended for security (you do not want users to

share administrator accounts) and for keeping the stock of users whose accounts are maintained administratively apart from user accounts which are created by Facilitators and, consequently, subject to sanitization.

• Exclude Meeting center admin from operational use (Default: deselected)

Select to require users with Meeting center admin privileges to use separate user accounts for their administrative role and for joining or running meetings as participant or Facilitator.

Since, on a Portable Server, Facilitator privileges are tied to specific non-personal accounts this means that

• Non-personal Facilitator accounts are excluded from the role of Meeting center

admin

• Meeting center admins need a separate account for participating in meetings

Select if non-personal Facilitator accounts (e.g. Host01@meetingsphere.net) are shared between users.

• Exclude Subscription admin from operational use (Default: deselected)

Select to require the Subscription admininistrator to use separate user accounts for his/her administrative role and for joining meetings as participant.

Since, on a Portable Server the system always prevents the assignment of Subscription admin privileges to non-personal Facilitator accounts, this means that

• The Subscription admin needs a separate account for participating in meetings

Select if required by your security policy.

• Exclude Session admin from operational use (Default: deselected)

Select to require users with Session admin privileges to use separate user accounts for their administrative role and for joining or running meetings as participant or Facilitator.

Since, on a Portable Server, Facilitator privileges are tied to specific non-personal accounts this means that

• Non-personal Facilitator accounts are excluded from the role of Session admin

• Session admins need a separate account for participating in meetings

Select if non-personal Facilitator accounts (e.g. Host01@meetingsphere.net) are shared between users.

3.5 Screen saver

Another option for tightening security is the locking of client screens by a "screen saver" which

• kicks in after a specified interval of inactivity (no input by that user, no movement of the

mouse)

• blocks visibility of and input to the MeetingSphere application (Note: In the server con-

sole, the Server administrator "serveradmin" is logged off)

• can only be disabled by whatever authentication requirements apply to that user

As users following a presentation or facilitated process steps may well be technically inactive while actually very much "on the ball", they receive a countdown alert warning them that "Screen will lock in X seconds." 30 seconds before their screen is locked. Acknowledgement by "OK" or indeed any activity interupts the period of inactivity and resets the inactivity timer.

Screen saver – Re-authentication with password

3.5.1 Re-authentication

The type of meeting i.e. how the affected user authenticated for the now-locked meeting, determines the re-authentication requirement:

• authenticated users must give their password.

• users who participate in an open meeting protected by a "meeting code" must give that

code

• users who participate in an open meeting without "meeting code" must merely recon-

nect

• Server administrator "serveradmin" must sign in again after having been logged off

3.5.2 Specification of the screen lock

Enable Screen saver (Default: deselected) enables the screen lock feature for all users of the Meeting center.

Activate after (minutes) (Default: 15) specifies the length of the interval of inactivity before the screen lock kicks in (Server administrator is logged off).

Screen saver specification

3.6 Default report logo

Upload a graphics file (.png, .gif, .jpg) for the logo that shall be printed by default on the cover sheet of the automatically generated report.

Upload default logo for meeting reports

To fit in with the overall lay-out, the logo should be

• 20 - 40 mm (printed) high

• No more than 70mm (printed) wide

For printing you should use a high resolution image of no less than 300dpi.

Confirm any changed settings then preview and print the result for reports in PDF or Word (docx) format.

3.7 Notification and contact info

Contact information tells users who to call or email. It is displayed

• in Online help for Facilitators

• in Online help for administrators

Contact info maintained by the MeetingSphere Store and the Server console

The following roles are maintained in and by the MeetingSphere Store:

• Customer service

Contact info for all commercial or subscription matters. Published on the support page of admin help.

• Subscription administrator

Contact info for all subscription matters. Published on the support pages of both Facilitator and admin help.

The Server administrator info is maintained in the Server console.

Augment this information by contact information for the roles given below. This information may refer to individuals or groups such as a help desk that assures notification of a "real person" admin with the privileges in question. Contact details may include a free text note on the availability of the service.

Administratively maintained contact info

• Meeting center administration

Contact info for Meeting center administration.

Select "publish" to display on the support pages of both Facilitator and admin help.

• User administration

Contact info for user administration.

Select "publish" to display on the support pages of both Facilitator and admin help

• Session administrator

Contact info for meeting administration.

Select "publish" to display on the support pages of both Facilitator and admin help.

• Template management

Contact info for template matters.

Select "publish" to display on the support pages of both Facilitator and admin help.

• Facilitator support

User support for Facilitators.

Select "publish" to display on the support pages of both Facilitator and admin help.

3.8 Template settings

Template settings govern how the Meeting center deals with templates that may be offered freeof-charge by MeetingSphere or the MeetingSphere sales partner who serves you.

Template settings

• Template admins can delete vendor provisioned templates (Default: yes)

select to enable Template administrators of your Portable Server to delete vendor-provisioned templates.

• “Receive templates provided by MeetingSphere” (Default: yes)

select to receive free-of-charge templates offered by MeetingSphere. New and updated templates are made available in the TemplateExplorer automatically. Superseded templates are deleted automatically.

o "Do not restore deleted templates" (Default: yes)

select to prevent templates which have been deleted by your Template admin from being restored automatically by the next update. Deselect to have all deleted templates restored by the update service.

• “Receive templates provided by [salespartner]” (Default: yes)

select to receive free-of-charge templates offered by the sales partner who serves you. New and updated templates are made available in the TemplateExplorer automatically. Superseded templates are deleted automatically.

o "Do not restore deleted templates" (Default: yes)

select to prevent templates which have been deleted by your Template admin from being restored automatically by the next update. Deselect to have all deleted templates restored by the update service.

On Portable servers which lack an online connection to the MeetingSphere Store, templates are provisioned with software updates.

3.9 Log file

The system log file contains log entries for events on the Portable Server.

Meeting center administrators can

1. view the system log

2. download the system log file

Note that the (optional) Audit log which records security related events is available only via the server console which is called under http://console-meetingsphere.net (requires serveradmin privileges).

4. User administration

User accounts, i.e. the technical representation of the people who use and administer the Meeting center, are maintained in two respects:

1. The account owner (user record)

which maps the technical entity "user account" to a real person (the account owner) by giving that person's gender, organizational affiliation, name and email. The creation and maintenance of accounts is the business of the User administrator. Maintenance ensures that changes of name, email address or organizational affiliation are reflected in the user record. It includes control of the automatic deletion and removal from trash of inactive users.

• Administrative account privileges

which assign administrative roles and the associated privileges to user accounts and thereby allow the account owner to fulfil certain adminstrative tasks. (Un)assignment of administrative privileges requires Meeting center administrator privileges. Except for Subscription administrator, admin privileges can be assigned to non-personal Facilitator accounts. Only the role of Subscription administrator must be assigned to a named natural person.

MeetingSphere recommends separating administrative roles from non-personal Facilitator accounts if non-personal accounts are shared between individuals in your organization. Administrative privileges should only be assigned to real persons.

Facilitator privileges

On a Portable Server, Facilitator privileges are tied to non-personal user accounts which are created by the upload of subscription files to the Meeting center. These non-personal user accounts can carry admin privileges except Subscription admin privileges which can only be exercised by a real person.

Note that the (temporary) loss of Facilitator privileges does not change that Facilitator account's ownership or read access rights to any meeting. These rights are tied to the - in this case non-personal - user account. The (temporary) loss of Facilitator privileges merely means that the respective user accounts cannot exercise their rights as the required Facilitator functionality is denied to them.

4.1 User accounts

A Portable Server knows three fundamentally different types of users:

• One-time participants who only exist in the context of an open meeting

• Non-personal user accounts created in the MeetingSphere Store when a Facilitator sub-

scription is purchased for the Portable Server

• Regular users (real persons) with user name and passwords

4.1.1 One-time participants

One-time participants exist only on the participant list of an open meeting. They are of no concern for user administration.

4.1.2 Non-personal Facilitator accounts

Non-personal user accounts are specific to Portable Servers. They are created in the MeetingSphere Store when a Facilitator subscription is purchased. Non-personal Facilitator accounts may be used by any user who knows such an account's user name and password.

Note: MeetingSphere permitting non-personal user accounts to be shared does not mean your organization must allow this, too. Simply purchase a separate Facilitator subscription for each individual who shall run meetings on the Portable Server and instruct these individuals not to share their credentials.

Facilitator accounts are listed in user administration tab “Facilitators”.

Non-personal Facilitator accounts

• have a distinct fixed user name such as "Host01@meetingsphere.net"

• are shipped with initial password "changeme!"

• can be assigned administrative roles except Subscription administrator, unless the mix-

ing of administrative and operational use is forbidden by Meeting center administration

• can be edited to give the "First name" and "Surname" of the person using the account

• cannot be deleted while their subscription is valid

• are defined by the number of participants (25, 50, 100, 200 or over 200) that can be in

meetings of that Facilitator at any given time.

For the why and what of Facilitator subscriptions, refer to chapter “Self-administration of Non-

personal Facilitator subscriptions”.

4.1.3 Regular users

Regular user accounts, i.e. real person accounts created in the Meeting center's user database with user name and password, are listed in two views which distinguish users for information only:

• Tab Internal users (employees)

lists typically lists users who belong to the customer organization, its parent, subsidiary or affiliated companies.

• Tab External users (guests)

lists users who do not qualify as “internal” (employee). Guest records are often created by Facilitators when drawing up the participant list of a regular meeting which will only admit authenticated users.

User administration

User administrators create users of both categories either manually or by import from file.

4.1.3.1 Adding users manually

In the applicable view, i.e. "Internal" or "External", the user admin opens the "create user" panel via the "Plus" button in the toolbar.

Manual creation of users requires the specification of

• gender (for purposes of salutation)

• last name

• first name

• title (e.g. Dr, Prof, Count)

• organization (internal users: department or cost center; external users: name of organi-

zation)

• password (!)

• email address

Create user panel

Change of initial password

The initial password must be communicated to the user and changed at first login.

Administrator privileges can only be assigned by users who hold "Meeting center administrator" privileges.

4.1.3.2 Importing users from file

Users imported from file will be categorized as either "Internal" (employee) or "External" (guest) depending on which table you import them to. Do not mix records of internal and external users in one file!

The import file must contain exactly six fields in the following sequence

1. gender ("m" or "f"; for purposes of salutation, may be empty)

2. last name

3. first name

4. title (may be empty)

5. organization (internal users: department or cost center; external users: name of organi-

zation)

6. email address

Fields must be separated by comma.

Records are separated by line delimiter, either "LF", "CR" or CR+LF".

Import records are matched to existing records by email address:

• Non existing users are created

• Existing one-time participants become regular users

• Existing external users become internal users or vice versa (depending on the table you

import to)!

• Existing users are updated

Automatic standard password

The initial password for imported users is automatically set to "changeme!". The password must be changed at first login.

Import occurs robustly. Faulty lines (records) do not cancel processing. After the (test)import, the import log is displayed.

4.1.3.3 Editing of user records

Users are edited manually for two purposes:

1. to change the user's name or email or organizational affiliation if these have changed in

reality

2. to (un)assign administrative privileges (requires Meeting center admin privileges)

Be aware that,

• users can edit their name and user name in their profile which they can access in the

portal toolbar. They can request a new password on the login page.

• Facilitators can edit the name and user name of users they have created based on the

principle that users can edit information they have created.

4.1.3.4 Deleting and removing users from trash

Users are removed from the system in two steps:

1. By "deletion" which moves the user record to the trash can from where it can be restored

2. By "removal from trash" which purges the user record irrevocably

Move to trash

Users can be moved to trash

• manually with the "minus" button in the toolbar of user administration.

• by elapsed time of inactivity as specified under menu option "Automatic deletion" of the

main user admin menu

Deleted users (in trash) are unknown to the system in all respects except for the option of restoration.

Non-personal Facilitator accounts with a valid subscription cannot be deleted.

Restore from trash

Deleted users can be restored from trash

• manually by highlighting the relevant user and executing "Restore" from the trash can's

toolbar

• by import if an imported user record matches the user record in trash

Restoration will restore the user record as it was at the time of deletion i.e. with all ownership rights and privileges.

Users in trash can

Remove from trash (irrevocably)

Deleted users are removed from trash (purged) after the period specified under menu option "Automatic deletion" (Default: 10 days).

Removal of users from trash is irrevocable:

• There is no option to "restore users to trash"

• Import or manual creation of a user record with identical properties will not restore the

removed user account. It will merely create a new user record that looks like the purged record. Ownership rights, privileges etc of the purged user account are not restored.

Purged users will, however, remain listed on the participant list of meetings where applicable.

4.1.3.5 Confidentiality – Data protection

Data protection on a Portable Server differs fundamentally from that of other MeetingSphere deployments. While it is perfectly in order under the terms of MeetingSphere's Software Subscription Agreement to share non-personal Facilitator accounts between multiple users, such sharing will pass on access to and ownership of meetings between the people who share a Facilitator account.

To preserve the confidentiality of such meetings, Facilitators must

• Sanitize the Portable Server before passing it on

Instruct users to remove all their content (users, meetings) from the Portable Server by executing the automatic sanitization function via the toolbar of portal view “My meetings”

• Treat non-personal Facilitator accounts as personal

Provide and assign separate non-per Facilitator accounts to users and instruct users not to share credentials as a matter of your organization's security policy.

Example: Joe Example always uses and keeps private account "Host01@meetingsphere.net" while Joanne Sample always uses and keeps private account "Facilitator02@meetingsphere.net".

4.2 Administrators

The "Administrators" tab of user administration lists administrators by privileges. Meeting center administrators assign or revoke privileges by editing the user record.

The following administrator roles are distinguished:

• Subscription administrator

The Subscription administrator is responsible for subscription administration (e.g. procuring, renewing or terminating Facilitator subscriptions) through the MeetingSphere Store. The role includes user administrator privileges. There is exactly one Subscription admin on the Portable Server’s Meeting center.

The role is assigned and passed on to a successor who must be a real person through the MeetingSphere Store. Non-personal accounts cannot carry Subscription administrator privileges.

• Meeting center administrator

Except for subscription administration, this role includes all other administrator roles of the Meeting center.

Meeting center administrators are responsible for administration of the Meeting center and the assignment of admin privileges (not for Subscription admin privileges).

• User administrator

Responsible for user administration.

• Session administrator

Responsible for administering the meetings archive. The meeting administrator can assign new readers (but not themselves) to "orphaned" meetings i.e. meetings without reader and delete unwanted meetings from the archive.

• Template manager

Responsible for making "best practice" templates available to all Facilitators of the Meeting center by declaring them "public". Template managers can delete unwanted templates.

Template managers must be licensed as Facilitator meaning that, on a Portable Server, this role must be assigned to a non-personal Facilitator account.

• Server administrator "serveradmin"

This role is tied to the standard user account "serveradmin" and only exercised in the server console which is called on the server's local network under http://console-meetingsphere.net. The console provides for change of the server's IP address and restore of the database from backup.

The default password "changeme!" must be changed at first login!

4.3 Automatic deletion and removal of users from trash

Automatic deletion and removal of users is controlled by that option of the main menu of portal administration.

Automatic deletion of users after a given period of inactivity and their subsequent removal from the trash can occurs as part of automatic data maintenance. Automatic data maintenance will

• delete internal or external users after a given period of inactivity (Default: 12 months).

Deletion will move users to the trash can from where they can be restored until they are purged from trash.

Users with administrative privileges and non-personal Facilitator accounts are exempt from automatic deletion.

• purge (remove) users from the trash can after the specified number of days (Default: 10

days).

Automatic purging applies to all users in trash.

Automatic deletion and removal of inactive users

5. Subscription administration

The administration of subscriptions is the business of the Subscription administrator. The Subscription administrator is the person who has been nominated as the customer's representative in all commercial matters regarding the Portable Server. At any given time, there can only be one Subscription administrator. The role can be passed on via the MeetingSphere Store by the current Subscription administrator in self administration or by Store personnel ("customer care") at the customer's written request (email).

The main task of the Subscription administrator is to maintain valid the two types of subscription which are required for the Portable Server to be operational:

1. The Portable Server subscription

which procures the right to run the Portable Server for the term of the subscription.

2. At least one non-personal Facilitator subscription

to run meetings on the Portable Server.

The administration of subscriptions occurs in the MeetingSphere Store. Communication between the Portable Server and the MeetingSphere Store occurs by exchanging subscription (status) files.

5.1 File-based administration of subscriptions

In the MeetingSphere Store, subscriptions are administered

• by Store personnel at the customer's request, or

• by the Subscription administrator in self-administration.

Communication between the Portable Server and the MeetingSphere Store occurs by the exchange of subscription (status) files in a 5-step process. The Subscription administrator initiates this process via the blue button “Subscription administration” in the toolbar of Meeting center administration:

1. Download the current subscription-status file (any admin)

Export and save the current subscription status to disk via the blue toolbar button “Sub-

scription administration”. The export dialogue gives the address of the relevant Meet-

ingSphere Store. Only that MeetingSphere Store will accept upload of this status file. The subscription status file is named, for example,

SubscriptionStatus-2144264383-0000000000-export-1-20.11.2015.mssx.

Panel for downloading and uploading subscription files

2. Upload the subscription-status file to the MeetingSphere Store (Subscription admin or

customer care)

For this, the Subscription admin connects with her browser to the MeetingSphere Store's URL given in the download dialogue. The MeetingSphere Store will require the Subscription admin to authenticate with her Meeting center user name and password a hash of which is encrypted in the subscription-status file.

Sign-in and upload of subscription status file to the MeetingSphere Store

3. Administer the required changes in the MeetingSphere Store (Subscription admin or

customer care)

MeetingSphere Store - Self-administration menu

Transactions can be reviewed in the "shopping cart" prior to checkout.

4. Download the new subscription file from the MeetingSphere Store (Subscription admin

or customer care)

On checkout, the new subscription file is presented for download. A copy is sent to the Subscription administrator's email address.

The new subscription file is named, for example

SubscriptionFile-2144264383-6165022055-import-1-20.01.2017.mssi

Download of new subscription file on checkout from Store

5. Upload the new subscription file to the Meeting center (any admin)

The new subscription file must be uploaded via the blue toolbar “Subscription admin-

istration” without delay. Wilful delay (more than 7 days) in implementing a new sub-

scription file on the Portable Server is a breach of the Software Subscription Agreement. It is also bound to result in technical malfunctioning.

Note that in the case of unavailability of the Subscription administrator, download and upload of subscription files with the blue toolbar “Subscription administration” can occur by other administrators of the Meeting center. As these users cannot upload the file and authenticate in the MeetingSphere Store, they must email the subscription status file to “customer care” who will

implement the required changes on behalf of the customer (steps 2, 3 and 4) and return a new subscription file for implementing the changes on the server.

Note further that, only as an exception, file-based administration of subscriptions without prior upload of the current subscription-status file is possible for senior staff of the MeetingSphere Store. In that case, only the upload of the subscription file must occur by an administrator of the Portable Server's Meeting center.

5.2 Maintaining the Portable Server subscription

(Self-)administration of of the Portable Server subscription includes

• Renewal of the Software subscription

Extend the term by 1, 2, 3, 4 or 5 years.

• Terminate the subscription

The subscription can be terminated without notice. Expiration of the Portable Server will render all Facilitator subscriptions useless. There is no refund for any remaining term.

• Update subscriber ("owner") information

Update the name or address of the organization who owns the Portable Server.

• Update billing information

Specify or update a separate billing address to which invoices are sent.

• Pass on the role of Subscription administrator

Appoint another user (real person) on your Portable Server as the new Subscription admin for your Portable Server. The change becomes effective on confirmation of the shopping cart. The new Subscription admin is notified by email.

• Pay invoices online

via PayPal or any popular credit card.

On checkout from the MeetingSphere Store, all transactions are coded into a subscription file which is emailed to the Subscription administrator. To become effective, this subscription file must be uploaded to the server via the blue “Subscription administration” button without delay.

Invoices are sent to the subscriber's (owner's) email address or a separate invoicing address and to the Subscription administrator. Confirmations of free-of-charge transactions are sent only to the Subscription administrator.

5.3 Self-administration of Non-personal Facilitator Subscriptions

The Facilitator tab of user administration lists all user accounts with Facilitator privileges. On a Portable Server, these user accounts do not resemble real persons but are non-personal accounts which can be used by several people - one at a time. Non-personal user accounts are created in the MeetingSphere Store when a Facilitator subscription is purchased.

Note: The fact that MeetingSphere permits non-personal user accounts to be shared does not mean your organization must allow this, too. Simply purchase a separate Facilitator subscription

for each individual who shall run meetings on the Portable Server and instruct these individuals not to share their credentials.

Non-personal Facilitator accounts

• have a distinct fixed user name such as "Host01@meetingsphere.net"

• are shipped with initial password "changeme!"

• can be assigned administrative roles except Subscription administrator, unless the mix-

ing of administrative and operational use is forbidden by Meeting center administration

• can be edited to give the "First name" and "Surname" of the person using the account

• cannot be deleted while their subscription is valid

• are defined by the number of participants (25, 50, 100, 200 or over 200) that can be in

meetings of that Facilitator at any given time.

5.3.1 Subscription administration in the MeetingSphere Store

Except for

• changing the associated First name and Surname (typically by the person who uses it)

• assigning administrative privileges (by the Meeting center administrator)

non-personal Facilitator accounts are administered in the MeetingSphere Store either by Store personnel at the customer's request or by the Subscription administrator in self-administration. Any administration of subscriptions is initiated via the blue toolbar button “Subscription admin-

istration”. In self service, the Subscription administrator will download the Portable Server's cur-

rent subscription status and upload that file to the MeetingSphere Store to initiate a self-service meeting. Customers, who rely on being served by personnel of the MeetingSphere Store, download the subscription status file and email it to customer care.

The store offers the following options for non-personal Facilitator subscriptions on a Portable Server:

• Purchase additional Facilitator subscription(s)

with a specific participant limit of 25, 50, 100, 200 or "more than 200" participants and a term of 1, 2, 3, 4 or 5 years. Additional Facilitator subscriptions will be numbered Facilitator02@meetingsphere.net, Facilitator03@meetingsphere.net and so on.

• Renew Facilitator subscription

by adding another term of 1, 2, 3, 4 or 5 years. The participant limit can be changed on renewal and become effective immediately. A higher participant limit is charged pro rata for the remaining term.

• Increase participant limit

for the remaining term. The price for the higher limit is charged pro rata for the remaining term.

• Terminate Facilitator subscription

Like all MeetingSphere subscriptions, Facilitator subscriptions can be terminated at any time without notice. There is no refund for any remaining term.

On checkout from the MeetingSphere Store, all transactions are coded into a subscription file which is presented for download and is emailed to the Subscription administrator. To become effective, this subscription file must be uploaded to the server via the blue button “Subscription

administration without delay.

5.3.2 Understanding the participant limit

The participant limit of a Facilitator subscription applies to all participants in meetings of the Facilitator at a given time. With a participant limit of 25, a Facilitator could run one sesson with 10 participants and another with 15 participants in parallel. The 11th of the first meeting or the 16th participant of the second meeting would be rejected at login unless an existing participant of either meeting logs off to create an opening.

Multiple Facilitator subscriptions

The participant limit applies to the non-personal Facilitator account, not the Portable Server. Multiple Facilitators (non-personal Facilitator user accounts) can run multiple meetings within their respective participant limits.

The following rules apply:

• The participant limit applies accross all meetings of a Facilitator account

• Per Facilitator account only one login is possible at any time i.e. a Facilitator can run mul-

tiple meetings concurrently but only "be" in one meeting at a time

• Multiple Facilitators with different participant limits may run meetings in parallel on the

same Portable Server. While the meetings of each Facilitator are linked by their shared participant limit, there is no link between the meetings of one Facilitator and those of other Facilitators.

• The participant limits of multiple Facilitator accounts cannot be combined: 4 Facilitator

subscriptions with a limit of 25 each cannot be used to run one meeting with 100 participants

5.4 Reportable events

Certain events which have a bearing on the Software Subscription Agreement with MeetingSphere such as

• Change of the Portable Server machine's MAC address

• Change of system time on the server machine

• Restore of the databases from backup

6. Session settings

Administrative meeting settings divide in binding settings that cannot be changed by the Facilitator of a meeting and in default values, which merely initialize controls when a new meeting is created and can then be changed.

6.1 Binding meeting settings

The following specifications can be made in Meeting center administration:

Open meetings permitted (Default: Yes) Facilitators may grant access to meetings via a meeting – but not user! – specific URL. Undetermined participants may enter such meetings without authentication.

Session settings

Logging of activity non-participation permitted (Default: Yes) Determines whether the Facilitator of a meeting may activate non-participation logging in the meeting setup. Non-participation logging does not compromise the anonymity of contributions.

If logging is activated, persons who have participated in the meeting but not in an activity, will be named in the report: "The following participants have not participated in the activity: Frank Example, Julia Instance." This is useful for keeping track of who – if anybody – of the participants did not participate in a vote or discussion.

Activity non-participation logging affects the automatic report. Accordingly, the admissibility of logging can also be specified in Meeting center administration/Report settings.

Facilitator may export content of activities (Default: Yes) Allows Facilitators to export the content of activities, for instance the results table of multi-criteria analysis, to file in .csv format for processing in databases or spread sheets.

Disable only for good cause.

Allow export of meetings (Default: Yes) Allows Facilitators to export entire meetings or templates in MeetingSphere’s proprietary .mssfformat. This is useful for transferring meetings or templates between Meeting centers or for storing sensitive meetings on a non-web server.

Disable only for good cause.

Limit storage of meetings to (days) (Default: no) Limits the storage of meetings to the specified number of "X" days (Default: 730) after the point in time specified below:

• after specified end date

Deletes meetings X days after the end date specified in meeting setup. Deletion is independent of the meeting subsequently being accessed or the status of the meeting.

Facilitators can prevent deletions by moving out the end date of finished meetings far into the future.

• after meeting has been "closed"

Deletes meetings X days after the Facilitator has changed the meeting status to "closed". Deletion is independent of the meeting subsequently being accessed.

Facilitators can prevent deletions by not closing their meetings or switching the status back to "in preparation", "announced" or "active".

• after specified end date and last access (Default)

Deletes meetings X days after the end date specified in meeting setup. Any subsequent access by participants (if still active), the Facilitator or by Co-facilitators resets the timer for deletion.

This setting prevents deletion of meetings that are still in use even after they are past their planned end date. Facilitators can prevent deletions by moving out the end date of finished meetings far into the future.

• after last access

Deletes meetings X days after last access by participants (if still active), the Facilitator or by Co-facilitators regardless of the meeting's status or planned end date. Any access resets the timer for deletion.

Facilitators can prevent the scheduled deletion of meetings by accessing them periodically. Note that this setting may cause deletions of long-running meetings with "any time" participation after a prolonged period of inactivity as may occur in the holiday season!

o Delete irrevocably (no restore from trash can) (Default: no)

Prevents meetings from being moved to the trash can from where Facilitators could restore them prior to "hard" deletion. Hard deletion of trash items occurs automatically after another 10 days.

Select this setting only if you must.

Delete orphaned meetings/templates after X days (Default: 365) Determines the period after which meetings (private templates) without owner or reader are purged from the system. Note that a meeting may "lose" its owner or readers when these users lose their Facilitator privileges.

Attachment size limit (Default: 200MB) Limits the size of files that can be attached to (1) instructions (2) specifications or reports in ActionTracker. Also limits the size of presentations in the Presentation tool. A file size of “0kB” pre- vents any upload of attachments or presentation files (pdf).

Enable sanitization (Default: yes) Sanitization protects confidentiality by allowing Facilitators to clean up their server by the push of a button. This is useful after a project has ended. It is strongly recommended before the server is returned to the pool or handed over to a colleague who will use the same Facilitator account to run her meeting.

Sanitization, on confirmation, purges

• all meetings of the Facilitator account (but not templates)

• all user accounts created by the Facilitator account

• unless these users are participants of another Facilitator's (not-yet closed) meeting

Organizations who want to maintain a stock of users in the user database who are not subject to sanitization, should create those users with a separate user administrator account. This policy should be underscored by separating user accounts with user admin privileges from those in operational use.

6.2 Default values for meeting setup

The following default values can be defined for the meeting setup:

Log non-participation in activities in report (Default: yes) Default for meeting setup. Only available if the tracking of participation in activities is allowed (meeting settings).

Open Sessions (if permitted) unless open meetings are forbidden, the following defaults may be set for participant sign-in:

• Ask for email address (Default: yes) o Email address is mandatory (Default: yes)

• Ask for name (Default: yes) o Name is mandatory (Default: yes)

Defaults for meeting setup

7. Default welcome screen

The welcome screen is the entry point for participants joining a meeting. Further, it serves as the electronic waiting hall “between” activities.

Specification of the default welcome screen (picture shows factory default)

As a consequence, participants will look at this screen for extended periods of time.

Facilitators are free to customize the welcome screen of individual meetings or templates. In most cases, however, they rely on the automatically supplied default welcome screen.

Take the opportunity to display a branded page.

Background color

Select a color for the background of the welcome screen.

Wallpaper

Upload a branded default wallpaper (*.svg, *.png, *.gif, *.jpg).

Use a scalable vector graphic (*.svg) for optimum adaptation to different participant display resolutions and minimized loading time. By default, the SVG-file is positioned to "fit" (100%) of the welcome screen. It can be scaled down by entering a lower percentage value. To cover the

complete welcome screen, use an aspect-ratio (w/h) of 1.524 : 1. If you want to display your logo off-center, do this positioning when creating the SVG-file.

Off-center positioning of your logo is strongly recommended as the center of the welcome screen will be occupied by system dialogues most of the time.

Should your SVG-file be displayed with errors, open that file with a professional graphics application such as Adobe Illustrator and re-export the file to SVG-format (in Illustrator via Script for saving to SVG). Note that the mere wrapping of a bitmap into an SVG-file does not make it a scalable vector graphic.

If you use a bitmap-based graphics file (*.png, *.gif, *.jpg), be aware that large pictures with high resolution can be a nuisance for participants with a slow connection!

You may "center", "fit" or "stretch" but not scale bitmap-based wallpapers.

Text

You may enter a text with clickable links which is displayed on the background. Position the text field with the mouse.

Default Session instruction.

Adapt the default text (possibly in multiple languages!) of the meeting instruction. This message is displayed to all participants when they enter a meeting.

Default meeting instruction

The meeting instruction of any meeting can be customized by the Facilitator.

8. Software update

From time to time, MeetingSphere releases updates of the server software. Updates introduce both bug fixes and new features.

8.1 Critical updates

While application of most updates, which is strongly recommended in every case, is a matter of customer choice or policy, some updates are critical as they provide changed functionality which is required for the fault-free communication with the MeetingSphere Store and, indeed, the provisioning of updates.

8.2 Update process

The process of updating occurs in three steps

1. Check for updates

2. Download the update installer

3. Upload and apply the update

Portable Server Update panel

8.2.1 Checking for updates

The update panel is opened from the main menu of Meeting center administration. It provides a clickable link to MeetingSphere's update server which contains information regarding the Portable Server's identity and current release.

Copy this link to the address field of your browser (via your computer's clipboard or, e.g. a text editor) and connect to the Internet. Connect to MeetingSphere's update server which will tell you whether an update is available for your Portable Server.

8.2.2 Download the update from the update server

If there is an update, the update server will provide the update installer for download.

The update installer typically includes the complete code of the application but not the cryptographic secrets that were included in the original installer. It may also include some extra payload e.g. supplementary non-MeetingSphere packages required by the new release of the software. Consequently, expect the update installer to be some 600 – 2,000 MB in size.

Download to your hard disk or to a fast USB device. A fast download to a slow device can crash your browser.

8.2.3 Upload the update installer to the Portable Server

Reconnect to your Portable Server and return to the Update panel. Upload the update installer via the "Apply Update" button. Should you operate several Portable Servers, be aware that any update installer is specific to the server it has been created for. It will not work on any other system. If in doubt, check the update installer's number against your server's ID.

After upload is complete, the Portable Server will automatically run the update installer and reboot. Reboot may take up to three minutes.

Log on again.

9. Technical specification

MeetingSphere is a web application which has been optimized for security and minimized requirements regarding network access and client environment.

9.1 Client

MeetingSphere is a web application that runs on computers and iPad.

Users require

• On computers (also Chrome book)

o A browser, e. g.

▪ Chrome ▪ Firefox ▪ Internet Explorer ▪ Opera

▪ Safari

o The Adobe® Flash® plug-in from version 11.2 o Enablement of JavaScript (in Internet Explorer, this is tied to enabling "ActiveX" con-

trols)

• On iPad participant use the MeetingSphere app which is available in the Apple® appstore

9.2 Network connectivity

Clients (browser or app) connect to the Portable Server’s Meeting center via a standard HTTP connection.

9.3 Security

MeetingSphere is a secure web application. Built in security extends protection of traffic and protection against malicious code:

9.3.1 Protection of traffic

In contrast to Meeting centers which are deployed on the Internet, the exchange of text, commands and GUI elements between the browser and the Portable Server is not protected by SSL encryption as this would introduce an unwarranted level of complexity to the local network deployment.

Data traffic is solely protected by securing the local network via up-to-date encryption (at least WPA PSK 2, AES). Secure configuration of the local network rests exclusively with the operator.

9.3.2 Protection against malicious code

The Meeting center application affords several layers of protection against malicious code. They include:

• Validation of user entries

All content entered by users is validated in such a way that no active script elements can be injected into the application. This prevents attacks such as "cross site scripting" or "DOM injection".

• HTML commands

Networked Meeting center deployments will not execute HTML commands or script entered in the text. Rather, if it finds a text string that typically represents an HTTP resource or email address it provides its own predefined function call to make that link executable by click.

On Portable Servers, the execution of HTTP function calls is disabled.

• Protection at database level

All access to the database layer is restricted to prepared queries. Users cannot formulate and execute potentially abusive SQL queries anywhere in the program.

10. Protection of privacy

Protection of privacy includes the protection of content, the protection of user’s personal rights and their assured anonymity.

10.1 Protection of content

MeetingSphere gives its all to protect your privacy. The content of a meeting may only be accessed by

• Participants

of the "active" meeting. Access is limited to the tools in which the participants have been started by the Facilitator.

• The Facilitator

who owns the meeting.

Since, on a Portable Server, Facilitator accounts are non-personal and can be shared between multiple users, ownership may extend de facto to multiple persons i.e. anyone who shares in the access info of that account. Measures for containing this potential weakness are discussed in chapter “Confidentiality – Data protection” of this handbook.

• Co-facilitators

i. e. users with a Facilitator subscription whom the Facilitator has entered to the list of Co-facilitators of that meeting

Administrators who are not also Participant or Facilitator or Co-facilitator of the relevant meeting cannot access the content of meetings.

10.2 Anonymity

Brainstorming meetings, discussions or votes are often easier and produce better, more to-thepoint results if contributions are anonymous.

That is why MeetingSphere provides complete personal anonymity.

• Untagged contributions

By default, contributions are not tagged at all. This means that nobody can identify the originator of a contribution.

• Tagging by "team"

Sometimes it helps to know from which perspective a contribution or comment is made. For this, brainstormings, ratings and discussions can be conducted with "team identity": Participants select a given team whose name is appended to each of their contributions. Personal anonymity is guaranteed.

Changes in the tagging policy of a tool are implemented in a way that protects anonymity:

• Any lessening of anonymity is o always explicit to users

o never affects existing contributions

• Any extension of anonymity e. g. switching from named to anonymous always affects all

contributions in the tool.

Technical authorship information. In an ongoing activity, to keep track of editing privileges, MeetingSphere keeps information that identifies the contributor.

That authorship information is deleted when the participant exits the activity. Thereafter, authorship of a contribution is unknown and cannot be reconstructed even at system level.

Participants can render their contributions completely anonymous at will even at the technical level simply by exiting an activity to the Welcome screen: any exit from a tool will delete the authorship information for that user in the tool.

10.3 Privacy in the meeting report

MeetingSphere provides meeting minutes (the report) at the push of a button. These auto-matic minutes list all participants of the meeting on the cover sheet. For transparency of who was (not) involved in specific tools (activities), Facilitators may log the fact that listed participants have not contributed to a specific activity.

If non-participation logging is enabled, the report will detail for each activity which of the participants listed on the cover sheet have not participated in the specific activity by stating, for example, "The following persons have not participated in the Rating: Susan X, Steve Y, Mary Z."

Non-participation logging is not based on any indexation of contributions and does not compromise anonymity in any way. Rather, non-participation logging is equivalent to qualifiers in conventional minutes such as “"Ms X leaves the meeting at Y hours" which simply means that "Ms X" cannot be held responsible for anything that occurred after she has left.

Changes to the non-participation-log settings are only possible as long as no participant has been active. This ensures

• that this logging is made explicit in the minutes and cannot be veiled retroactively.

• that the retroactive activation of non-participation logging is not possible.

When non-participation logging is disabled, the minutes will only give the number of participants active in the given activity, e.g. "X participants were active in the discussion."

Non-participation logging can be prohibited administratively.

10.4 Logs and lists

MeetingSphere does not provide views or generate logs or lists for analyzing user activity.

The display of meetings (as list items) in the Meeting center is governed by the user’s privileges.

• Unauthenticated participants of open meetings

are contained in that session. They have no access to Meeting center views.

• Regular users without Facilitator privileges

can only access the view "Invitations" which gives announced or active meetings they are invited to.

• Facilitators

see

o meetings they are invited to and that are either "announced" or "active" (view

"Invitations")

o their own meetings, i.e. all meetings they (have) run unless deleted (view "My

meetings").

o meetings they can read i.e., all meetings of which they are Co-facilitator (view

"Co-facilitators)

• Session administrators

See all meetings of the Meeting center. The administrative view "All meetings" permits sorting by Facilitator. The meeting admin may only view the setup of any meeting including participants and readers - not the content.

The administrative view "All meetings" does not provide for sorting or searching by participants or readers.

Auditable log. The Portable Server keeps an "auditable log" if this is required by the organization’s security policy. The auditable log only includes events which are relevant for IT security such as login events, changes of passwords or the upload of (potentially dangerous) file attachments. The "auditable log" is only accessible by Server administrators. It is not accessible from within the Meeting center application.

Security logging is not concerned with contributions to meetings and does not impair the anonymity of contributions.

Appendix A: Auditable events

The following events are logged in the audit log:

Logging: events pertaining to the audit log itself

• LogDeletion: An old audit log was deleted.

filename: the name of the file which was deleted maxAge: the max age setting which caused the deletion

• LogRotation: This event is the first event logged when the audit log was rotated.

previousLogName: the name of the previous audit log file; if the log was compressed, this will be the name of the compressed archive checksum: the length and the MD5 sum or the log in the format length:md5sum archiveChecksum: (only when compressed) the length and the MD5 sum of the compressed archive

Policy change: changes to parameters that control system behaviour

• ServerPropertyFix: The server corrected some properties of its server.properties file.

The properties which are changed are also logged individually as a ParamChange. reason: the reason for this change

• paramChange: A parameter was changed.

epc: (optional): Extended Product Code of the Meeting center aepc (optional): Auxiliary Extended Product Code of the Meeting center name: the name of the parameter in question oldValue: the old value newValue: the new value changeKind: whether the param was changed, removed or added userId: the ID of the user who changed the param userIdContext (optional) if the user ID is not from the same sub system, (e.g. a console user changed a server property)

Account management: actions pertaining to user accounts

• createUserAccount: A MeetingSphere user account was created.

epc: Extended Product Code of the Meeting center aepc (optional): Auxiliary Extended Product Code of the Meeting center originator: Internal ID of the Person who caused the change user: internal ID of the new Person entity email: username of the new Person entity

• changeUser: An attribute of a MeetingSphere user was changed.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity attribute: an attribute name old: the old attribute value new: the changed attribute value

• disableUser: A MeetingSphere user account was disabled.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity

• enableUser: A MeetingSphere user account was enabled.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity

• changeAuthority: The admin privileges of a MeetingSphere user account were changed.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity old: the old authority new: the changed authority value

• assignHost: A user was licensed as Facilitator.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity

• unassignHost: A user was unlicensed as Facilitator.

originator: Internal ID of the Person who caused the change user: internal ID of the Person entity

• deleteUser: A MeetingSphere user account was deleted automatically.