Hope you all are staying safe in this mess (COVID-19) around the globe.
Due to WFH policies I have allowed users to use softphones, but now I observe that users are using cracked phones or any softphone. So I want to restrict users to use only the softphone recommended by our Technical Team.
Is there any way that I can restrict users to use only one softphone, or, if I recommend Zoiper, so that they can only use Zoiper and no other softphone?
Not easily. You would only be able to deny calls but you couldn’t stop REGISTERs since there’s no method to parse those requests. At best you can look at the User Agent via the dialplan of the contact and decide if you want to deliver/allow calls to/from it.
You can’t, there is no method for it. You would have to implement a proxy like Kamailio or OpenSIPS to deal with that as they would let you parse/read/rewrite/etc the SIP requests before they hit the PBX.
Use any softphone that supports remote provisioning and does not permit the password to be viewed in the settings. Then, the end user won’t know the secret for his extension so won’t be able to use another client.
Perhaps you should look at providing a WebRTC (websocket / wss://) soft client service (perhaps FOP2 or UCP); they just need a supporting browser, Chromium being a good choice for phones and desktops.
If you are using SIP registration, it wouldn’t be hard to make a little bash script that would kick off every minute maybe, check the active peer registrations, grep out for the "Useragent " type and, if it isn’t matching the softphone model you want, could unregister the phone maybe?
Forcing an unregister is troublesome and arguably mostly useless.
The phone will just re-register in however many seconds it defaults to. Even unregistered it can probably still make calls, but won’t receive them. The user will likely be totally unaware the phone is not 100% operational until a caller complains calls to the user are going to VM.
IMO, the iptables solution is best if not using TLS, otherwise you will need some dialplan code/context to check the user agent and redirect calls from invalid agents to some sort of not authorized error message.
I’ll write some code up today and try it out for you.
As @jerrm indicated, sending an unregister command isn’t the best idea, although if done, and you had a firewall going, it would probably cause the phone to be blocked by the firewall automatically.
Anyway, couple of hours, I’ll #bash something together!
Registration is for Inbound Requests to the endpoint. You register with your provider or a phone to the PBX, you are telling them where to send requests to that endpoint. You need to auth to register.
Outbound calls do not require a registration as it’s outbound and not related to inbound. When you make the call the systems will challenge and auth you (like a register) and as long as that auth is correct the call can happen.
Being able to stop outbound calls if there are no registered contacts is something that can be handled in the device OR at a higher level but FreePBX/Asterisk has no logic for that baked in.
Basically this script will look at all active SIP extensions.
It pulls a list of all active extensions and then looks at what kind of device each one is.
It pulls the IPs of matching extensions and puts in a firewall ban.
When the script is run, it will take a look at the previous IPs it put in as a ban, then remove them if applicable.
It will wait a pre-determined amount of time (you can enter in the duration) after it has cleared everything to allow everyone to reconnect that might have been blocked.
It will then look at their devices and reban if necessary.
You could kick the script off every minute or whatever.
If any problems let me know.
The very bottom of the script. Put a comment on that “eval” command.
If you want to test, that is the command that puts in firewall bans. So commenting it, the script will just skip it.
#Comment out this next line if you want to test, but not apply any rules to the firewall
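
The ban-list logic described in the thread above, as an added sketch that is not the script the poster shared: it diffs the previous ban list against the current offenders instead of clearing and waiting, and it only prints the iptables commands (a dry run). The `extension|IP|User-Agent` input layout, the sample registrations and the `Zoiper` prefix are assumptions constructed for the example, not Asterisk CLI output.

```shell
#!/bin/sh
export LC_ALL=C   # keep sort and comm ordering consistent

# Assumption: the approved client identifies itself with this User-Agent prefix.
ALLOWED_UA_PREFIX="Zoiper"

# Constructed sample: one registration per line as "extension|source IP|User-Agent".
# This layout is made up for the example; it is not Asterisk CLI output.
sample_registrations() {
cat <<'EOF'
101|198.51.100.10|Zoiper v2.10.20.4
102|198.51.100.11|ExampleCrackedPhone 1.0
103|198.51.100.12|zoiper rv2.10
104|198.51.100.13|
105|198.51.100.11|ExampleCrackedPhone 1.0
EOF
}

# Print the unique source IPs whose User-Agent does not start with the allowed
# prefix (case-insensitive). A missing User-Agent counts as not allowed.
offending_ips() {
    awk -F'|' -v allow="$ALLOWED_UA_PREFIX" '
        NF >= 3 {
            ua = tolower($3); p = tolower(allow)
            if (substr(ua, 1, length(p)) != p) print $2
        }' | sort -u
}

# Compare the previous ban list with the current offenders and print the
# firewall commands instead of running them (dry run).
# $1 = file of previously banned IPs, $2 = file of current offenders (both sorted).
plan_firewall_changes() {
    # Banned last run but no longer offending: lift the ban.
    comm -23 "$1" "$2" | sed 's/^/iptables -D INPUT -s /; s/$/ -j DROP/'
    # Offending now but not yet banned: add the ban.
    comm -13 "$1" "$2" | sed 's/^/iptables -I INPUT -s /; s/$/ -j DROP/'
}

# Demo run against the constructed sample with an empty previous ban list.
prev=$(mktemp); cur=$(mktemp)
sample_registrations | offending_ips > "$cur"
plan_firewall_changes "$prev" "$cur"
rm -f "$prev" "$cur"
```

The User-Agent string is chosen by the client, so a match only shows what the client claims to be. Banning by source IP also affects every other phone behind the same NAT address.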