Add-ins and Extensions Deployment

FIM 2010 R2 Add-ins and Extensions Deployment

Forefront Identity Manager 2010 R2 includes a rich client that is used for password registration, password reset, and the FIM Add-in for Outlook. FIM 2010 R2 ships a 32-bit and a 64-bit version of the client; both are located on the installation media under Add-ins and Extensions. This section is composed of the following:

The following section includes information on installing the FIM 2010 R2 Rich Client. This section does not discuss unattended installation of the Add-ins and Extensions. For information on this see Unattended installation of FIM 2010 R2 Self-Service Password Reset later in this document.

Manual Installation of Add-ins and Extensions

To manually install the Add-ins and Extensions.msi file, do the following:

Manually installing Add-ins and Extensions

  1. On the FIM splash screen on the client, select either Install Add-ins and Extensions, 64-bit or Install Add-ins and Extensions, 32-bit, depending on the client's architecture. This starts the installation wizard.

  2. On the Welcome screen, click Next.

  3. On the End-User License Agreement screen, read the agreement, place a check in I accept the terms in the License Agreement and then click Next.

  4. On the FIM Customer Experience Improvement Program screen, choose whether or not to join the Customer Experience Improvement Program and click Next.

  5. On the Custom Setup screen, you can choose whether or not to install the FIM Add-in for Outlook. For SSPR, ensure that FIM Password and Authentication Extensions is selected and click Next.

    [Figure: Rich Client Install 1]

  6. On the Configure FIM Add-ins and Extensions screen, enter the FIM Service server address and then click Next.

    [Figure: Rich Client Install 2]

  7. On the Configure FIM Add-ins and Extensions screen, enter the Intranet Registration Portal URL and click Next.

    [Figure: Rich Client Install 3]

  8. On the Ready to Install Forefront Identity Manager Add-ins and Extensions screen, click Install.

  9. Once the installation completes, click Finish.

Deploying Via Group Policy

In very large FIM 2010 R2 deployments with many clients, it may not be feasible to manually install the client on every user machine in the organization. For this reason, the Add-ins and Extensions.msi file can be deployed via a Group Policy object. Deploying MSI packages via Group Policy is outside the scope of this documentation, but you can refer to Editing Domain-Based GPOs Using ADMX Files and use the ADMX and ADML files provided below. For detailed explanations of the registry settings, see FIM 2010 R2 Rich Client later in this document.

ForefrontIdentityManager.admx File

The ADMX file for deploying via group policy.

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.0"
    schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="fim" namespace="Microsoft.Policies.IdentityManagement" />
    <using prefix="Windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="FIMROOT" displayName="$(string.FIMROOT_NAME)" explainText="$(string.FIMROOT_EXPLAIN)" />
    <category name="ADDINS" displayName="$(string.ADDINS_NAME)" explainText="$(string.ADDINS_EXPLAIN)">
      <parentCategory ref="FIMROOT"/>
    </category>
    <category name="CMCLIENT" displayName="$(string.CMCLIENT_NAME)" explainText="$(string.CMCLIENT_EXPLAIN)" >
      <parentCategory ref="FIMROOT"/>
    </category>
  </categories>
  <policies>
    <policy
        name="MONACCTNAME"
        displayName="$(string.MONACCTNAME_NAME)"
        explainText="$(string.MONACCTNAME_EXPLAIN)"
        presentation="$(presentation.MONACCTNAME)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="MONACCTNAME_TEXT" valueName="MonitoredAccountName" required="false"/>
      </elements>
    </policy>
    <policy
        name="VALIDSENDERS"
        displayName="$(string.VALIDSENDERS_NAME)"
        explainText="$(string.VALIDSENDERS_EXPLAIN)"
        presentation="$(presentation.VALIDSENDERS)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="VALIDSENDERS_TEXT" valueName="ValidApprovalRequestSenders" required="false"/>
      </elements>
    </policy>
    <policy
        name="SHOWMGMTUI"
        displayName="$(string.SHOWMGMTUI_NAME)"
        explainText="$(string.SHOWMGMTUI_EXPLAIN)"
        presentation="$(presentation.SHOWMGMTUI)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <enum id="SHOWMGMTUI_ENUM" valueName="ShowGroupManagementUi" required="false">
          <item displayName="$(string.SHOWMGMTUI_DISABLE)">
            <value>
              <decimal value="0"/>
            </value>
          </item>
          <item displayName="$(string.SHOWMGMTUI_ENABLE)">
            <value>
              <decimal value="1"/>
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy
        name="PORTALURL"
        displayName="$(string.PORTALURL_NAME)"
        explainText="$(string.PORTALURL_EXPLAIN)"
        presentation="$(presentation.PORTALURL)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="PORTALURL_TEXT" valueName="PortalUrl" required="false"/>
      </elements>
    </policy>
    <policy
        name="ADDRBOOKGRP"
        displayName="$(string.ADDRBOOKGRP_NAME)"
        explainText="$(string.ADDRBOOKGRP_EXPLAIN)"
        presentation="$(presentation.ADDRBOOKGRP)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="ADDRBOOKGRP_TEXT" valueName="AllGroupsAddressBookName" required="false"/>
      </elements>
    </policy>
    <policy
        name="ADDRBOOKMBRS"
        displayName="$(string.ADDRBOOKMBRS_NAME)"
        explainText="$(string.ADDRBOOKMBRS_EXPLAIN)"
        presentation="$(presentation.ADDRBOOKMBRS)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="ADDRBOOKMBRS_TEXT" valueName="AllMembersAddressBookName" required="false"/>
      </elements>
    </policy>
    <policy
        name="DELETEAPPROVAL"
        displayName="$(string.DELETEAPPROVAL_NAME)"
        explainText="$(string.DELETEAPPROVAL_EXPLAIN)"
        presentation="$(presentation.DELETEAPPROVAL)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Add-ins"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <enum id="DELETEAPPROVAL_ENUM" valueName="DeleteApprovalRequest" required="false">
          <item displayName="$(string.DELETEAPPROVAL_DISABLE)">
            <value>
              <decimal value="0"/>
            </value>
          </item>
          <item displayName="$(string.DELETEAPPROVAL_ENABLE)">
            <value>
              <decimal value="1"/>
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy
        name="SERVICEADDRESS"
        displayName="$(string.SERVICEADDRESS_NAME)"
        explainText="$(string.SERVICEADDRESS_EXPLAIN)"
        presentation="$(presentation.SERVICEADDRESS)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\Intranet"
        class="Machine">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="SERVICEADDRESS_TEXT" valueName="Address" required="false"/>
      </elements>
    </policy>
    <policy
        name="CACHEINTERVAL"
        displayName="$(string.CACHEINTERVAL_NAME)"
        explainText="$(string.CACHEINTERVAL_EXPLAIN)"
        presentation="$(presentation.CACHEINTERVAL)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <decimal id="CACHEINTERVAL_TEXT" valueName="CacheInterval" minValue="0" maxValue="2147483647" required="false"/>
      </elements>
    </policy>
    <policy
        name="MAXOFFSET"
        displayName="$(string.MAXOFFSET_NAME)"
        explainText="$(string.MAXOFFSET_EXPLAIN)"
        presentation="$(presentation.MAXOFFSET)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <decimal id="MAXOFFSET_TEXT" valueName="MaxOffset" minValue="0" maxValue="2147483647" required="false"/>
      </elements>
    </policy>
    <policy
        name="SITELOCKCLM"
        displayName="$(string.SITELOCK_NAME)"
        explainText="$(string.SITELOCK_EXPLAIN)"
        presentation="$(presentation.SITELOCK)"
        key="Software\Policies\Microsoft\Clm\v1.0\SmartCardClient"
        class="User">
      <parentCategory ref="CMCLIENT"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="SITELOCK_TEXT" valueName="SiteLock" required="false"/>
      </elements>
    </policy>
    <policy
        name="REGPORTALURL"
        displayName="$(string.REGPORTALURL_NAME)"
        explainText="$(string.REGPORTALURL_EXPLAIN)"
        presentation="$(presentation.REGPORTALURL)"
        key="Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions\PasswordRegistrationPortal"
        class="User">
      <parentCategory ref="ADDINS"/>
      <supportedOn ref="Windows:SUPPORTED_ProductOnly"/>
      <elements>
        <text id="REGPORTALURL_TEXT" valueName="PasswordRegistrationPortalUrl" required="false"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>

ForefrontIdentityManager.adml File

The ADML file for deploying via group policy.

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.0"
    schemaVersion="1.0"
    xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
  <displayName>Forefront Identity Manager</displayName>
  <description>Configuration for Forefront Identity Manager clients</description>
  <resources>
    <stringTable>
      <string id="FIMROOT_NAME">Forefront Identity Manager</string>
      <string id="FIMROOT_EXPLAIN">Configuration for Forefront Identity Manager</string>

      <string id="ADDINS_NAME">Add-ins and Extensions</string>
      <string id="ADDINS_EXPLAIN">Configuration for Add-ins and Extensions</string>

      <string id="CMCLIENT_NAME">Certificate Management</string>
      <string id="CMCLIENT_EXPLAIN">Configuration for Certificate Management</string>

      <string id="MONACCTNAME_NAME">Configure FIM Service mailbox address</string>
      <string id="MONACCTNAME_EXPLAIN">
        With this policy setting, you can specify the mailbox address of the FIM Service service account that processes incoming requests sent by the FIM Add-in for Outlook.

        If you do not configure this policy setting, the mailbox address specified during setup will be used.
      </string>

      <string id="VALIDSENDERS_NAME">Configure valid senders of approval requests</string>
      <string id="VALIDSENDERS_EXPLAIN">
        With this policy setting, you can specify the mailbox addresses of valid service accounts which can send approval requests that are accepted by the FIM Add-in for Outlook. You need to configure this policy setting if you change the FIM Service service account, e.g. by using the policy setting “Configure FIM Service mailbox address”. This policy setting should contain both the new and old mailbox addresses to make sure all previously sent approval emails are still treated as valid. You can specify several mailbox addresses by separating them with a semicolon.

        If you do not configure this policy setting, only the mailbox address in “Configure FIM Service mailbox address” will be used.
      </string>

      <string id="SHOWMGMTUI_NAME">Configure group management in the UI</string>
      <string id="SHOWMGMTUI_EXPLAIN">
        With this policy setting, you can specify whether the FIM Add-in for Outlook should show the group management options in the UI.

        If you do not configure this policy setting, the group management options in the UI will be enabled.
      </string>
      <string id="SHOWMGMTUI_DISABLE">Disable Group Management UI</string>
      <string id="SHOWMGMTUI_ENABLE">Enable Group Management UI</string>

      <string id="PORTALURL_NAME">Configure FIM Portal address</string>
      <string id="PORTALURL_EXPLAIN">
        With this policy setting, you can specify the URL for the FIM Portal used in the FIM Add-in for Outlook when the user selects “Group Management Website”.

        If you do not configure this policy setting, the URL specified during setup will be used.
      </string>

      <string id="ADDRBOOKGRP_NAME">Configure the address book containing valid groups</string>
      <string id="ADDRBOOKGRP_EXPLAIN">
        With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects groups to add members to.

        If you do not configure this policy setting, the address book All Groups will be used.
      </string>

      <string id="ADDRBOOKMBRS_NAME">Configure the address book containing valid members</string>
      <string id="ADDRBOOKMBRS_EXPLAIN">
        With this policy setting, you can specify the address book used by the FIM Add-in for Outlook when the user selects members to add to groups.

        If you do not configure this policy setting, the address book Global Address Book will be used.
      </string>

      <string id="DELETEAPPROVAL_NAME">Configure Approval Request deletion</string>
      <string id="DELETEAPPROVAL_EXPLAIN">
        With this policy setting, you can specify whether the FIM Add-in for Outlook should delete the Approval Request email when the user has responded.

        If you do not configure this policy setting, the user can configure this setting in the FIM Add-in for Outlook. The default is to delete those emails.
      </string>
      <string id="DELETEAPPROVAL_DISABLE">Do Not Delete</string>
      <string id="DELETEAPPROVAL_ENABLE">Delete</string>

      <string id="SITELOCK_NAME">Configure valid ActiveX sites</string>
      <string id="SITELOCK_EXPLAIN">
        With this policy setting, you can specify the sites used by the FIM CM Client component. The ActiveX control will only run from sites specified in this list. You can specify several sites by separating them with a semicolon. Do not include a prefix (e.g. http://).

        If you do not configure this policy setting, the sites specified during setup will be used.
      </string>

      <string id="SERVICEADDRESS_NAME">Configure FIM Service address</string>
      <string id="SERVICEADDRESS_EXPLAIN">
        With this policy setting, you can specify the address to the FIM Service used by password reset. The format is: http://serveraddress:5725

        If you do not configure this policy setting, the address specified during setup will be used.
      </string>

      <string id="CACHEINTERVAL_NAME">Configure cache duration for password reset registration</string>
      <string id="CACHEINTERVAL_EXPLAIN">
        With this policy setting, you can configure how often the password reset registration status is checked for a user at logon.

        If you do not configure this policy setting, the password reset registration status will be checked every time the user logs on.
      </string>

      <string id="MAXOFFSET_NAME">Configure max random offset for password reset registration</string>
      <string id="MAXOFFSET_EXPLAIN">
        With this policy setting, you can configure the offset for the policy setting “Configure cache duration for password reset registration” in order to prevent all password reset registration checks for all users during the same day.

        If you do not configure this policy setting but have configured “Configure cache duration for password reset registration” then password reset registration checks for all users will occur at the next login after the duration has been reached.

        If you do not configure this policy setting and have not configured “Configure cache duration for password reset registration” then password reset registration checks will happen at every login for all users.
      </string>


      <string id="REGPORTALURL_NAME">Configure FIM password registration portal URL for password reset registration</string>
      <string id="REGPORTALURL_EXPLAIN">
        With this policy setting, you can configure the registration portal URL which the default browser will navigate to during password reset registration.
        If you do not configure this policy setting, the registration portal URL specified during setup will be used.
      </string>

    </stringTable>
    <presentationTable>
      <presentation id="MONACCTNAME">
        <textBox refId="MONACCTNAME_TEXT">
          <label>FIM Service mailbox address</label>
        </textBox>
      </presentation>
      <presentation id="VALIDSENDERS">
        <textBox refId="VALIDSENDERS_TEXT">
          <label>Valid senders of approval requests</label>
        </textBox>
      </presentation>
      <presentation id="SHOWMGMTUI">
        <dropdownList refId="SHOWMGMTUI_ENUM" defaultItem="0">Show group management in the UI</dropdownList>
      </presentation>
      <presentation id="PORTALURL">
        <textBox refId="PORTALURL_TEXT">
          <label>FIM Portal address</label>
        </textBox>
      </presentation>
      <presentation id="ADDRBOOKGRP">
        <textBox refId="ADDRBOOKGRP_TEXT">
          <label>Address Book</label>
        </textBox>
      </presentation>
      <presentation id="ADDRBOOKMBRS">
        <textBox refId="ADDRBOOKMBRS_TEXT">
          <label>Address Book</label>
        </textBox>
      </presentation>
      <presentation id="DELETEAPPROVAL">
        <dropdownList refId="DELETEAPPROVAL_ENUM" defaultItem="0">Approval Request deletion</dropdownList>
      </presentation>
      <presentation id="SITELOCK">
        <textBox refId="SITELOCK_TEXT">
          <label>Configure valid ActiveX sites</label>
        </textBox>
      </presentation>
      <presentation id="SERVICEADDRESS">
        <textBox refId="SERVICEADDRESS_TEXT">
          <label>FIM Service address</label>
        </textBox>
      </presentation>
      <presentation id="CACHEINTERVAL">
        <decimalTextBox refId="CACHEINTERVAL_TEXT" defaultValue="14">Registration status cache duration (in days)</decimalTextBox>
      </presentation>
      <presentation id="MAXOFFSET">
        <decimalTextBox refId="MAXOFFSET_TEXT" defaultValue="5">Maximum random offset (in days)</decimalTextBox>
      </presentation>
      <presentation id="REGPORTALURL">
        <textBox refId="REGPORTALURL_TEXT">
          <label>Registration Portal URL</label>
        </textBox>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>
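Before an ADMX/ADML pair such as the two files above is copied into the central store, it is worth checking that the files agree with each other: an unresolved $(string.X) or $(presentation.X) reference makes the Group Policy editor reject the whole file, a refId that matches no element leaves a policy with no usable control, and a policy whose key is outside Software\Policies writes a preference that tattoos the registry rather than a true policy. The following Python script is an added example, not part of this documentation or the FIM product; its sample pair is a constructed miniature modelled on the SERVICEADDRESS policy above, not the shipped files.

```python
# Added example, not a Microsoft tool: cross-check an ADMX file against its ADML
# resource file before importing the pair into the central store.
import re
import xml.etree.ElementTree as ET

ADMX_NS = "{http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions}"
ADML_NS = "{http://www.microsoft.com/GroupPolicy/PolicyDefinitions}"
REF_RE = re.compile(r"\$\((string|presentation)\.(\w+)\)")


def validate(admx_xml: str, adml_xml: str) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    admx, adml = ET.fromstring(admx_xml), ET.fromstring(adml_xml)
    strings = {s.get("id") for s in adml.iter(ADML_NS + "string")}
    presentations = {p.get("id"): p for p in adml.iter(ADML_NS + "presentation")}
    findings = []
    # 1. Every $(string.X) / $(presentation.X) in any ADMX attribute must resolve in the ADML.
    for el in admx.iter():
        for attr, val in el.attrib.items():
            for kind, ref in REF_RE.findall(val):
                if ref not in (strings if kind == "string" else presentations):
                    findings.append(f"{el.tag.rpartition('}')[2]} {el.get('name', '?')}: "
                                    f"unresolved $({kind}.{ref}) in {attr}")
    for pol in admx.iter(ADMX_NS + "policy"):
        name, key = pol.get("name"), pol.get("key", "")
        # 2. True policies live under Software\Policies; other keys tattoo the registry.
        if not key.lower().startswith("software\\policies\\"):
            findings.append(f"policy {name}: key '{key}' is outside Software\\Policies")
        # 3. Each control in the policy's presentation must refer to one of its elements.
        element_ids = {e.get("id") for els in pol.iter(ADMX_NS + "elements") for e in els}
        m = REF_RE.search(pol.get("presentation", ""))
        pres = presentations.get(m.group(2)) if m else None
        for ctl in (list(pres) if pres is not None else []):
            if ctl.get("refId") and ctl.get("refId") not in element_ids:
                findings.append(f"policy {name}: refId '{ctl.get('refId')}' matches no element")
    return findings


# Constructed sample pair (not the shipped FIM files): one clean policy, one with
# a missing string, a bad refId and a key outside Software\Policies.
SAMPLE_ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="SERVICEADDRESS" class="Machine" displayName="$(string.SA_NAME)"
        explainText="$(string.SA_EXPLAIN)" presentation="$(presentation.SA)"
        key="Software\\Policies\\Microsoft\\Forefront Identity Manager\\2010\\Extensions\\Intranet">
      <elements><text id="SA_TEXT" valueName="Address"/></elements></policy>
    <policy name="BROKEN" class="User" displayName="$(string.BROKEN_NAME)" explainText="$(string.MISSING)"
        presentation="$(presentation.BROKEN)" key="Software\\Example\\Prefs">
      <elements><text id="BROKEN_TEXT" valueName="Foo"/></elements></policy>
  </policies></policyDefinitions>"""
SAMPLE_ADML = """<policyDefinitionResources xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
  <resources><stringTable>
      <string id="SA_NAME">Configure FIM Service address</string>
      <string id="SA_EXPLAIN">Address of the FIM Service used by password reset.</string>
      <string id="BROKEN_NAME">Broken policy</string></stringTable>
    <presentationTable>
      <presentation id="SA"><textBox refId="SA_TEXT"><label>FIM Service address</label></textBox></presentation>
      <presentation id="BROKEN"><textBox refId="WRONG_ID"><label>x</label></textBox></presentation>
    </presentationTable></resources></policyDefinitionResources>"""

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE_ADMX, SAMPLE_ADML)) or "consistent")
```

Run it against the real ForefrontIdentityManager.admx and .adml by reading both files into strings and passing them to validate(); a clean pair returns no findings.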
