You'll need to use a 3:rd party tool for this as there is no native function in CM to build configuration based on some trigger, like user imported from LDAP. There are quite a few options available, the one I'm familiar with is ZPC, Ziro Provisioning for Cisco. It used to be named SMACS and is made by a company named Ziro. Another option is to build/code something yourself, the AXL api is pretty well documented, but not all that easy to use if you ask me, hence the many different 3:rd party options for provisioning.

CUCM does have the Self-Provisioning IVR, which allows administrators to pre-provision all of the settings necessary to deploy devices including Jabber. It's not simple, but once working is effective. It is not auto-provisioning like the 3rd-party tools that @Roger Kallberg cited, but is rather a pre-provisioning tool.

For the Self-Provisioning IVR, what categories of devices are provisioned for a user depends on the User Profile, which is a component of the Feature Group Template with the FGT being the thing that is associated with LDAP integration.

So I can think of two ways to have some users get Jabber set up for self-provisioning and others not. The key is having the correct User Profile associated with the user account.

First, you could pre-provision your users as local accounts, setting the User Profile as part of the account setup. At LDAP integration CUCM would 'find' the local account with the same userID and associate the LDAP account with it. The local setting for the User Profile should win out over the LDAP-Directory-associated FGT/Profile, but I'm not 100% sure on that.

Second - and better - would be to have two LDAP Directories (two synchronization agreements). One integration would capture the folks in that security group (and I'd schedule that integration to sync 'before' the second one). That LDAP Directory would need an LDAP Filter that identifies the folks in the security group. Then that LDAP Directory would have an FGT that is configured with a User Profile that includes a Jabber universal device template. The second LDAP Directory would capture everyone else and would be associated with an FGT that configured with a User Profile that does not have a Jabber universal device template.

Neither is simple and both have issues. CUCM was not designed with auto-provisioning in mind, which means the pre-provisioning tool it has was bolted on later. CUCM's pre-provisioning feature is a remnant of Cisco Prime Provisioning which was terrible software. The UDT/ULT/FGT components that Cisco ported over to CUCM were the only good thing about it.

Here is a link to the Self-Provisioning IVR setup for CUCM 15:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/15/systemConfig/cucm_b_system-configuration-guide-15/cucm_b_system-configuration-guide-14_chapter_0100010.html 

Let us know if you have questions.

Maren

As far as I know, self-provisioning works only for phones and not for Jabber. For Jabber, you need third-party provisioning tools like Kurmi.

Instead of Jabber, if you are using the Webex app with cloud-connected UC, there is a feature called Auto-Provisioning of Webex App for Calling in Webex (Unified CM).

This feature allows auto-provisioning of following devices types in Unified CM for the users when they sign into Webex App from various device platforms:

• Android Device (BOT)

• Chromebook/iPad Devices (TAB)

• Windows/MAC Devices (CSF)

• iPhone Device (TCT)

https://help.webex.com/en-us/article/ki34wo/Auto-Provisioning-of-Webex-App-for-Calling-in-Webex-(Unified-CM)