Overview and Scope

Overview

The Partner Managed Devices functionality is a Device Management (DM) option available to the Webex Cloud calling offers (Webex Calling and Webex Wholesale RTM) that allows Partners and Customers to support security compliant 3rd Party SIP Devices (Phones and Gateways) on Webex at Scale using a publicly exposed API solution, in conjunction with an external DM tool.

This functionality, along with the existing DM options, allows Webex customers and partners to have a flexible device management strategy where they can support Cisco devices with a fully managed Cisco-on-Cisco experience with deep Webex integration, as well as a self-managed DM option (Partner Managed Devices and Customer Managed Devices) for Non-Cisco Devices via Cisco Public API integration, enabling them to cater to new and already deployed SIP devices at scale.

Scope

The Partner Managed Devices solution covers all third party devices that comply to Cisco’s security and support requirements. All the existing supported third party devices can either be provisioned as Cisco Managed 3rd Party Devices per the existing functionality or they can be supported as Partner Managed Devices based on Partner/Customer’s DM and customization requirements. Note that all Cisco devices are excluded from the scope of this solution and can be supported as Cisco managed devices are they are today.

Cisco Security and Support Requirements

The Partner Managed Devices solution allows Webex Partners and Customers to support any non-Cisco SIP device (phones and gateways) on the Webex platform that complies with Cisco’s security and support requirements as listed below.

  • Support for TLS 1.2

  • Support for the IdenTrust Certification Authority

  • Basic failover capabilities (single primary/secondary)

  • Support Cisco’s minimum Password security requirements

  • Active support from Device Vendor

  • Webex Cloud Certification

  • PSTN capability (in case you want to test PSTN calling)

  • Security requirements for Webex Calling

Availability

The Partner Managed Devices solution is available for the below Webex Cloud Calling offers

  • Webex Calling

  • Wholesale Route to Market (RTM)

Partner Managed Devices can be provisioned and managed through

  • Webex Control Hub

  • Webex User Hub (in development)

  • Webex APIs

  • DM tool portal (if applicable)

Process Flow

Devices supported on Webex as Partner Managed Devices are managed by Partners/Customers using an external DM tool. This means that Partners/Customers own the DM, host config files, and firmware via the external DM tool and also own the initial support for the provisioned devices.

  • The external DM tool is a key part of this solution. The first step in implementing and using this solution is to integrate your DM tool with Webex and provide it with the necessary permissions to provision and manage the non-Cisco devices on Partner/customer’s behalf. More details on this in the upcoming sections of this document.

  • Once you have setup the DM tool integrations, you can provision a Partner Managed Device (Phone or Gateway) via CH or Cisco Public APIs or through your DM tool’s interface if it has that capability. The feature will also be enabled on User Hub in the coming months.

  • As you provision a Partner Managed Device, Webex generates a partial Device config file called as “Device info file” and stages that on our platform. Device Info Files contain the necessary information required for devices to successfully register and operate in the Webex Calling environment. The DM tool downloads this device information file, applies it to the templates that the partner/customer has defined, and build a full working configuration file.

  • The DM tool then presents those full configuration files to the device which consumes the configs and onboards to the Webex platform and register.

  • Once the device is successfully registered with the Webex platform, it is visible in Control Hub as a Partner Managed Device.

    Support flow for PDM

Capabilities

The solution enables two Generic Partner Managed Device Options in Webex.

  • Partner Managed Phone (20 lines max)

    • All Server side calling features are available by default.  DM Vendor builds Phone configuration which sets feature availability.
    • Uses the Configure lines feature to assign Primary and Shared Lines.
    • Supports multiple Primary line appearances.
    • Allows Monitoring List via Calling Advanced Features.
  • Partner Managed Gateway (100 lines max)
    • Uses the Configure Ports feature to assign lines to individual Ports.
    • Does not support multiple line appearances of the same line.

DM Tool Setup Process

There are two key steps in setting up your DM tool to be used with Webex to provision and manage the Partner Managed Devices.

  1. Setting up Webex API integrations

    Partners wishing to manage Webex services on behalf of their customers via Cisco Public APIs should create Webex API Integrations for help, see: Integrations and Authorization and request proper authorization.

  2. Setting up device configuration access

    For using Third-Party Device Management (DM) solutions, special access to device configuration information (Device Info File) created from user assignments and other options managed in Control Hub needs to be granted. This special access is granted via a managed integration called 'Service App' (SA). SA is created by DM partners and are authorized at the Partner or Customer level, providing access only to the required information those DMS partners need to manage individual device configurations.

Create and Authorize Service App

1

Create a user under your Partner org through Control Hub. Please note that this user is to be used only for creating the Service app (let’s call it 'SA user' for future reference). For help, see: Add users manually in Control Hub.

2

Activate the SA user’s Webex account by signing into Webex for the first time on desktop or mobile and verifying the SA user’s email address.

3

Using the SA user credentials, log in to the Developer Portal and create Service App with scope:  spark-admin:devices_config_read

4

Capture the Client ID and Client Secret for the Service App from the developer portal.

5

Request authorization of your service app by clicking 'Request Admin Authorization' from your service app page in developer portal.

6

Contact your Partner administrator to approve your Service App request.

7

Once the service app is approved, SA user can generate tokens through Developer Portal . Pass the token and client id to the third-party device management vendor or the DM tool to enable them to download the device info files while provisioning Partner Managed Devices

Steps for Partner Admin to Authorize the Service App

1

Login to Partner Hub using Partner Admin credentials ( https://admin.webex.com).

2

Cross launch into Control Hub of your org.

3

Find the Service App you want to authorize. Service Apps can be found under Management > Apps > Service Apps. If you cannot see the Service App in question, you need to ask the developer to have them submit for Admin Authorization or App Hub submission You can click the Service App and will see the service app’s description, developer info, and requested scopes.

4

When ready to authorize the Service App, click Authorize followed by Save. Your name is shown as the authorizing user in Control Hub. An entry in AdminAudit events is also created, documenting who authorized the Service App.

5

Optionally, you may also wish to inform the developer/SA user that you have authorized their Service App.

DM partners will have worked with Cisco on connectivity for retrieving Device Info Files, and on how to consume them and merge with other configuration capabilities they may directly support for configuring individual devices.

Security

Password Management

Webex doesn't set passwords for Partner Managed Devices. SIP passwords should be set by Customers or by Partners on their behalf, and must adhere to strong password practices, of which some basic guidelines are listed below. These passwords can be set individually via Control Hub, or using public APIs documented in the Webex Developer portal mentioned above.

Password practices that must be enforced by Partners

  • Each device must have its own individual SIP credentials (password)

  • SIP passwords should have a minimum of length of 8 characters

  • SIP password must have a combination of upper and lowercase letters, digits, and special characters

  • Password management API

Devices to be used as Partner Managed Devices need also to adhere to WxC Security requirements such as support for TLS 1.2 and IdenTrust Certificate Authority, support DNS SRV, provide User-Agents with Make and Model (not mandatory but essential to allow proper device identification in Control Hub), and have passed Tekvision Basic Device Certification.

Provisioning

Provision Partner Managed Devices via Control Hub or APIs

Enterprise administrators can add and manage third-party devices from Control Hub. You can cross-launch and select solution partners for configuring Webex Calling devices. For help see: Add your partner managed device.

Webex Developer APIs References

Support

As Partner Managed Devices are managed by the partner/customer, they are expected to provide Tier 1 support to the end users. If there are issues around device configuration, FW, provisioning, customizations etc., the Tier 2 support can be provided by the DM partner (if applicable) and or Device Vendor. If the issues are around the Webex server side/call control, Cisco TAC will provide the support.

Feature Enablement

The Partner Managed Devices solution will be enabled and available for all partners and customers. To enable the solution fully, few steps/considerations are as below.

  • The scope required to authorize the service app for Partner Managed Devices and be able to download the Device info files (spark-admin:devices_config_read) will not be enabled automatically. Partners and customers would need to contact Cisco to enable it for their Orgs.

  • Partners and Customers that wish to use their own DM tools to use the solution would require additional details/documentation around the Device info file, which can be obtained by contacting Cisco.

  • You can reach out to this email with your Partner/Customer Org details to enable the feature, webex-wholesale-pm@cisco.com

DM Partner Integration-Phonism

Webex partners and customers can leverage the Partner Managed Devices solution using a DM tool capable of supporting the solution requirements, provided the DM tool is cleared for integration by the Webex team and the partners have the technical capability to integrate the DM tool and support the devices.

The solution can be used to support non-Cisco devices using a DM tool; however, a level of technical expertise is required by partners/customers to set up an external DM tool and manage devices using the same.

For partners/customers that do not wish to do this themselves, we have integrated with an external DM partner “Phonism” who can be leveraged by the partners/customers to support and manage non-Cisco devices on their behalf. Phonism is a cloud-based Device Management SaaS platform that specializes in deploying, managing, securing, and migrating devices at scale.

Phonism is the only approved and tested DM tool available for the Partner Managed Devices solution at the moment. Any other DM tool will have to be approved and tested by Cisco. Partners/Customers can reach out to webex-wholesale-pm@cisco.com for the same. For more information, see: https://phonism.com/customers/cisco-webex

Commercials

  • There are no additional Webex licensing considerations to enable and use the Partner Managed Devices solution I.e. the solution is available for all applicable packages across the Flex and Wholesale offers.

  • Any commercial considerations with using an external DM tool will be between Partner/Customer and the DM vendor where Cisco will not be involved.

  • If Partners/Customers wish to use Phonism for this solution, they will need to agree commercials with Phonism directly.

Maintenance

  • The Partner Managed Devices solution and any updates/patching etc. will be supported by Webex and communicated as required.

  • Any Device Firmware/configuration templates/Feature updates/staging etc. will be handled and supported by the DM tool working with the Device vendors as necessary.

  • A Webex Cloud certification is necessary to support any Third-Party Device as Partner Managed. For more information, see: Device Cloud Certification Requirements

Device Cloud Certification Requirements

Webex Cloud Certification is mandatory to support any device on the Webex platform as a Partner Managed Device. This will ensure the devices have the correct configuration, can onboard successfully, function as desired and can be supported properly.

The Webex Cloud certification will be valid per Device model/Family similar to BroadWorks IVT certification. Webex has partnered up with TekVizion, a third-party solution testing provider to provide the Webex Cloud certification service.

There are three key components of the Webex Cloud certification:

  1. BroadWorks IVT Certification as Generic SIP: BroadWorks IVT as a Generic SIP device is the base certification required to support any SIP device as a Partner Managed Device. A device needs to be certified on BroadWorks version R24 or above as a generic SIP device (rather than with specific Device profile) which will simplify supporting devices within an external DM tool.
  2. Webex Validation: Once a device has been certified on BroadWorks R24 or above as generic SIP, it needs to be validated on Webex. This includes provisioning the device on the Webex platform as a generic SIP device and running a set of validation test cases to ensure the device works properly on the Webex platform using the Cisco SSE/MSE SBCs.
  3. DM tool support: Devices must be supported on the DM tool used by partners/customers to use the Partner Managed Devices functionality. Once the Device is BroadWorks IVT certified and Webex validated, it can be supported on an external DM tool using the Partner Configuration Guides and CPE kits created as an output of the earlier certifications. If Phonism is being used as a DM tool, this component will be taken care of by them

The BroadWorks IVT generic SIP certification and Webex Cloud validation is applicable per Device model/Family. Webex has partnered up with TekVizion, a third-party solution testing provider to provide the Webex Cloud certification service. Device vendor’s and partners/customer can request this Webex Cloud certification for Partner Managed Devices via the TekVizion website (link added below). For any additional information on the certification, you can reach out to TekVizion directly.

Monitoring and Reporting

  • Devices provisioned through this solution will be visible as Partner Managed Phone or Partner Managed Gateway, followed by the Device Make and Model (as available and extracted from the Device user agent) in the Devices section of Webex Control Hub.

  • Other information like Activation status, Device details and DM options will also be available via the Device page in Control Hub.

Engagement Flow for Partners and Customers

The Engagement flow steps for Partners and Customers that wish to use the Partner Managed Devices solution are summarized as below

Engagement flow for PDM

  1. Select DM Options: Partners/Customers should start with selecting the DM tool they wish to use for provisioning and managing the Partner Managed Devices.

  2. Commercials: Partners/Customers should agree any commercials directly with the external DM vendors. This includes any T&C around Device provisioning subscriptions, DM capabilities, ongoing support etc.

  3. Device Certification:

    • All devices need to go through a Webex cloud certification in order to be supported as Partner Managed Devices with Webex. Device Vendors can get this done via Cisco’s certification partner TekVizion. Any commercials for the certification efforts would be between TekVizion and the Device Vendor or Partner/Customers as applicable.
    • In addition to certification, the DM tool should also support the Device with the correct Firmware and configuration templates. This will be taken care of by the DM vendor.
  4. Enablement: The feature can be enabled as per the details in the Feature Enablement section of this document.
  5. Once all the steps are in place, Partners and Customers will be able to use the Partner Managed Devices solution to support all eligible SIP devices on Webex.