Hot Desk PIN Security ensures that all hot desk users create strong (resistant to guessing) PINs by forcing them to create PINs that adhere to a set of strengthening rules. MiCollab Nupoint UM and MiVoice Business work together to provide user PIN strengthening.
On the next hot desk login after a hot desk user’s Personal Identification Number (PIN) becomes weak or expires, MiVoice Business automatically places a callback to the hot desk user. When the user answers, MiVoice Business makes a call using the Call Coverage Service Interactive Voice Response (IVR) digits to the MiCollab Nupoint UM Voice Mail Hunt Group. When MiCollab Nupoint UM answers the call, it guides the hot desk user through a PIN change process. After the PIN is updated, MiCollab Nupoint UM sends the new PIN information (and data such as strength and expiration) to MiCollab, and MiCollab writes it to the user's primary MiVoice Business database. Until this process is complete, the hot desk user is placed in call restricted mode. In call restricted mode, users can only place emergency calls and calls to the system attendant; however, they receive all incoming calls. While an internal hot desk user is in call restricted mode, PIN RESTRICTED appears on the user’s set display (PIN RESTRICTED mode is very similar to Phone Lock mode). External hot desk users do not receive an indication of PIN Restricted mode.
If hot desk users choose not to update their PINs, they remain logged in and MiVoice Business applies phone service restrictions.
MiCollab and MiVoice Business must both be configured for Hot Desk PIN Security to work. Each component has its own provisioning for proper integration.
PINs created with the following tools and systems are considered strong because they apply the PIN strengthening rules:
MiCollab Client
MiCollab User Portal
MiCollab Nupoint UM IVR
PINs created with the following tools and systems are considered weak:
MiVoice Business Group Administration Tool
MiCollab Users and Services Provisioning (USP) Application
MiVoice Business Desktop Tool
TUI Superkey
TUI Feature Access Code
MiCollab Nupoint UM Web Console
MiCollab Nupoint UM Text Console
These PIN strengthening rules are implemented by the MiCollab Nupoint UM system:
Digits only from 0 to 9.
Length from 4 to 10 digits. (Note: PIN length is device dependent and ranges from 0 to 8 digits on the 5604, 5607, and 5614 SIP Phones and 0 to 10 on other phones.)
Cannot match the user's mailbox number.
Cannot be a sequence of digits such as 3, 4, 5, 6.
Cannot be a set of digits repeated more than three times, for example, 1111. The PIN 31111 is accepted.
MiCollab allows a 4 to 10 digit PIN consisting of telephony digits (*, #, 0-9).
The new PIN cannot match the old PIN.
The default PIN (set by Mitel Integrated Configuration Wizard) is the user's directory number.
Directory numbers that contain * or # are not supported for Hot Desk User Login or SIP Authentication PINs.
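The strengthening rules listed above can be expressed as a single check. The following Python sketch is an added example, not Mitel code: the function name and messages are hypothetical, the sequence and repetition rules are assumed to apply to the PIN as a whole (which is why 31111 passes), only ascending sequences are rejected because that is the only case the rules name, and `max_len` is a parameter so the 8-digit limit of the 5604, 5607, and 5614 SIP Phones can be applied.

```python
def pin_violations(pin, mailbox, old_pin=None, max_len=10):
    """Return the strengthening rules that `pin` breaks; an empty list means strong."""
    # Rule: digits 0-9 only. '*' and '#' are rejected here even though
    # MiCollab itself accepts telephony digits.
    if not (pin.isascii() and pin.isdigit()):
        return ["digits 0-9 only"]

    problems = []
    # Rule: 4 to 10 digits (8 on the 5604, 5607, and 5614 SIP Phones).
    if not 4 <= len(pin) <= max_len:
        problems.append(f"length must be 4 to {max_len} digits")
    # Rule: cannot match the user's mailbox number.
    if pin == mailbox:
        problems.append("matches mailbox number")
    # Rule: the new PIN cannot match the old PIN.
    if old_pin is not None and pin == old_pin:
        problems.append("matches old PIN")
    # Rule: cannot be a sequence such as 3, 4, 5, 6.
    # Assumption: the whole PIN is one ascending run; descending runs are
    # not mentioned in the rules and are not rejected here.
    if all(int(b) - int(a) == 1 for a, b in zip(pin, pin[1:])):
        problems.append("sequence of digits")
    # Rule: cannot be a set of digits repeated more than three times.
    # Assumption: the whole PIN is one block repeated four or more times
    # (1111, 12121212); 31111 is not, so it is accepted.
    for size in range(1, len(pin) // 4 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            problems.append("repeated digits")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample values: mailbox 2001, previous PIN 8052.
    for candidate in ["3456", "1111", "31111", "2001", "12*4", "8052", "902714"]:
        result = pin_violations(candidate, mailbox="2001", old_pin="8052")
        print(candidate, "->", result or "strong")
```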
All features except for the following are disabled for hot desk users who log in with a weak PIN:
MiNET IP telephones - When a hot desk user is idle, "PIN Restricted" appears on the display.
NOTE: The HTML branding application overwrites the "PIN Restricted" display message and so should not be provisioned on hot desk devices.
Hot desk users receive feature active dial tone.
Incoming calls - All line appearances continue to receive calls as usual (but with restricted service applied) and standard call processing information appears for incoming calls. Restrictions applied to incoming calls:
Hot desk users can answer the prime line (ringing or flashing) for any incoming call.
Hot desk users can hang up a call using the CANCEL key.
must go off-hook to answer calls and they cannot use the flashing line key to answer calls. To answer calls on non-prime, non-private lines, the Ringing Line Select Class Of Service (COS) option must be enabled.
Hot desk users can use only the prime line key to answer calls and they cannot use the flashing line key to answer non-prime line calls. Instead, they must answer calls (oldest to newest) by going off-hook.
Softkeys are presented but not operational except for the following idle display softkeys: HotDesk and Logout.
All Feature Access keys except Phone Lock, Hotdesk Group Presence, Personal Group Presence, and Hand-off are disabled.
Audible ringing is provided (if configured) for all calls to line appearances regardless of whether the hot desk user can answer the call.
Call destinations - All call destinations restricted except for the following destinations:
Emergency trunk routes
Emergency ring groups
Attendant consoles
Automated call to IVR number
Superkey - When a hot desk user presses the Superkey or Message hard key, a call is automatically placed to the MiCollab IVR for new PIN creation.
Settings Key - The Settings key is disabled on all IP Phones.
Hard Keys - All hard keys are disabled except for the following:
Prime line key
Hookswitch
Superkey
Message key
Dial pad keys
Left, right, up, down arrow and home keys
All Feature Access Codes (FAC) are disabled except for the following:
Hot desk login
Hot desk logout
Hot desk remote logout
Phone lock
Phone unlock
User PIN - Store
Message deactivation
Group Presence FACs
Personal Group Presence Join and Leave FACs
Hand-off
ACD Agent login and agent logout
When hot desk users in PIN Security restricted service dial a destination or FAC that is not allowed, their call is automatically routed to the Call Coverage Service IVR digits (MiCollab IVR system) to update their PIN.
Applies to hot desk users only on IP, EHDU, and SIP telephones.
Each hot desk user must have a voice mailbox on the MiCollab system.
The voice mail system must be hosted on MiCollab and MiCollab Single Point of Provisioning must be enabled.
PINs created by system administrators are considered weak.
PINs become out of sync when users perform the following actions:
MiCollab updates a MiVoice Business user's PIN from the user's primary IP Communications Platform (ICP) only. If the user is resilient, MiVoice Business shares the updated PIN with the user’s backup MiVoice Business system. If a user’s primary system is down or not reachable, MiCollab does not update the user’s backup system, nor does MiCollab re-try the update at a later time. This can cause hot desk user PINs to be out of sync between MiVoice Business and MiCollab.
Changing a user's PIN from MiVoice Business causes it to become out of sync with MiCollab.
Use tools that create weak PINs. System administrators must use MiCollab User Service Provisioning (USP) to define users, telephones, and voice mailboxes. This ensures synchronization.
MiVoice Business does not enforce PIN Security for hot desk users registered on their backup controller. They are treated as though their PINs are strong from a PIN security perspective. For hot desk users configured for PIN Security, MiVoice Business blocks updating their PIN from the TUI while the hot desk user is registered on their backup controller.
NOTE: In the future when MiCollab is able to update MiVoice Business backup controllers, the different backup controller handling will be removed.
System administrators must not use the MiCollab Nupoint UM "Add MiCollab VM Box" option to create an orphan mailbox. All orphan mailboxes must be assigned to users using the MiCollab USP application.
Hot Desk PIN Security is not supported over QSIG trunks.
These forms do not implement PIN strengthening rules:
User and Services Configuration
Multiline IP Sets
Wireless IP Sets
A hot desk user who logs in with a strong PIN, initiates a Superkey session, and navigates to the "Set User PIN" menu is automatically routed to the MiCollab IVR system for a PIN change.
A hot desk user who logs in with a strong PIN and dials the User PIN - Store Feature Access Code is automatically routed to the MiCollab IVR system for a PIN change.
A hot desk ACD agent in PIN Security restricted service has an operational idle display Logout soft prompt because pressing the Superkey launches a PIN Security Service call to the agent's Call Coverage IVR digits.
To apply PIN security to hot desk members of Personal Ring Groups (PRG) and/or Multi-Device User Groups (MDUG), the administrator must use MiCollab USP to configure a single user with multiple telephones; one telephone for each PRG or MDUG member. One MiCollab mailbox is required for one of the user’s telephones and the mailbox number must match the telephone’s directory number. On MiVoice Business, the MiCollab user’s telephone that is configured with a matching MiCollab mailbox must be configured as the PRG or MDUG prime member.
Hot Desk users should NOT change their PIN if hot desking on SIP-Dect handsets (612, 622, 632, 650). If the PIN is changed while the user is logged in to these devices, the system will force a log out. Subsequent log in attempts will fail because the device base station will NOT have the new PIN.
Choose the "Yes" option for PIN Security.
Enter the IVR number (0 to 26 digits) in the IVR Number field. The IVR Number is the MiCollab voice mail directory number (PIN service endpoint).