Restricting access by device category
An administrator can use IBM Traveler to deny access to devices that do not support device security, or to restrict devices by their user agent value.
The setting Prohibit devices incapable of security enablement can be enacted by device category (Windows Mobile, Nokia, or Apple) to prevent devices that do not support security enablement from syncing with IBM Traveler. Security enablement includes the ability of IBM® Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino IBM Traveler policy settings document (described in Creating an IBM Traveler policy settings document).
- Windows Mobile: Enabling Prohibit devices incapable of security enablement prevents Windows Mobile devices running an IBM Traveler client before IBM Traveler 8.5 from syncing with the IBM Traveler server. Clients before 8.5 do not support remote wipe or the IBM Traveler device security settings.
- Nokia: Enabling Prohibit devices incapable of security enablement prevents Nokia devices meeting the following criteria from syncing with the IBM Traveler server:
  - Nokia devices running an IBM Traveler client before IBM Traveler 8.5.1
  - Nokia devices that do not support the Nokia security application
  - Nokia devices that do support the Nokia security application but do not have it installed
- Apple: Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.
  Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
  Protocol level 12.0 does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
  For example, if you enable Require device password and Prohibit unencrypted devices, then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the IBM Traveler server.
- Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting the following criteria from syncing with the IBM Traveler server:
  - Devices with Android OS level less than 2.2
  - Devices where the user has not enabled the Device Administrator when prompted
When a device is unable to sync with the server due to Prohibit devices incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the LotusTraveler.nsf device security view and in the Access field of the device document.
- You can use simplified flags in the notes.ini for the various device types supported by IBM Traveler, to determine which ones can sync. Examples include:

Table 1.

| notes.ini value | Description |
| --- | --- |
| NTS_USER_AGENT_ALLOWED_ANDROID=true | IBM Verse for Android or IBM Notes Traveler for Android. |
| NTS_USER_AGENT_ALLOWED_APPLE=true | Apple iOS built in mail client. |
| NTS_USER_AGENT_ALLOWED_BB=true | BlackBerry 10 built in mail client. |
| NTS_USER_AGENT_ALLOWED_IBM_APPLE=true | IBM Verse for iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_ANDROID=true | MaaS360 Secure Mail client on Android. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_APPLE=true | MaaS360 Secure Mail client on Apple iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_WINPHONE=true | MaaS360 Secure Mail client on Microsoft Windows Phone. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_NOKIA=true | IBM Lotus Notes Traveler for Nokia. |
| NTS_USER_AGENT_ALLOWED_WM=true | IBM Lotus Notes Traveler for Windows Mobile. |
| NTS_USER_AGENT_ALLOWED_WINPHONE=true | Microsoft Windows Phone built in mail client, all OS levels. |
| NTS_USER_AGENT_ALLOWED_WINPHONE_10=true | Microsoft Windows Phone 10 built in mail client. Note: For Windows 10 Mobile devices, the first check will be run against NTS_USER_AGENT_ALLOWED_WINPHONE, as that applies to all Windows Phone devices (including Windows 10 Mobile). If that check passes, then NTS_USER_AGENT_ALLOWED_WINPHONE_10 is checked next. This means Windows 10 Mobile devices must pass both checks. |
| NTS_USER_AGENT_ALLOWED_WINPC=true | Microsoft Windows Pro Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_WINTABLET_RT=true | Microsoft Windows RT Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_REGEX=.* | Used for finer grained control based on user agents of connecting client agents. |

Note: IBM supported devices use their own specific notes.ini values, listed above. Everything else is governed by NTS_USER_AGENT_ALLOWED_REGEX. NTS_USER_AGENT_ALLOWED_REGEX is checked after the device types defined above, and is used only if the command doesn't correspond to one of the known device types. NTS_USER_AGENT_ALLOWED_REGEX is the regular expression for User-Agent HTTP headers that are allowed to sync data. The default is ".*", which allows all devices to sync.

NTS_USER_AGENT_ALLOWED_REGEX=.*
The following tables list user agents by device for 8.5.3, 8.5.2, and pre-8.5.2 IBM Traveler clients. Windows Mobile and Nokia user agents change with each new IBM Traveler release. Apple, however, updates their user agent values with each OS update. As a result, there are many more variations of Apple user agents than for Windows Mobile or Nokia.

Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the IBM Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log

Note: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.

Table 2. Android IBM Traveler user agents

| Release | User agent |
| --- | --- |
| IBM Traveler 9.0.0 | Lotus Traveler Android 9.0 |
| Lotus Notes® Traveler 8.5.3 | Lotus Traveler Android 8.5.3 |
| Lotus Notes Traveler 8.5.2 | Lotus Traveler Android 8.5.2.1 |

Table 3. Apple IBM Traveler user agents

| Device | User agent |
| --- | --- |
| IBM Verse for iPhone | Traveler-iOS-iPhone/9.1.2.20150514 |
| IBM Verse for iPad | Traveler-iOS-iPad/9.2.0.20150616 |
| Apple iPhone (OS 9) | Apple-iPhone7C2/1301.344 |
| Apple iPhone (OS 8) | Apple-iPhone7C2/1202.466 |
| Apple iPhone (OS 7.1) | Apple-iPhone6C2/1104.169 |
| Apple iPhone (OS 7) | Apple-iPhone4C1/1104.257 |
| Apple iPhone (OS 6) | Apple-iPhone5C2/1001.525 |
| Apple iPhone (OS 5) | Apple-iPhone3C3/902.206 |
| Apple iPhone (OS 4) | Apple-iPhone2C1/801.306 |
| Apple iPhone (OS 3.1.2) | Apple-iPhone/704.11 |
| Apple iPhone (OS 3.0) | Apple-iPhone/701.341 |
| Apple iPhone (OS 2) | Apple-iPhone/508.11 |
| Apple iPad (OS 9) | Apple-iPad4C2/1301.344 |
| Apple iPad (OS 8) | Apple-iPad4C2/1201.405 |
| Apple iPad (OS 7.1) | Apple-iPad4C1/1104.167 |
| Apple iPad (OS 7) | Apple-iPad4C1/1104.201 |
| Apple iPad (OS 6) | Apple-iPad3C1/1001.523 |
| Apple iPad (OS 3) | Apple-iPad/702.367 |
| Apple iPod (OS 2) | Apple-iPod/508.110001 |
| Traveler Companion | TravelerCompanion/2.0.2 CFNetwork/485.12.7 Darwin/10.4.0 |
| Traveler To Do | TravelerToDo/8.5.4.201210312104 CFNetwork/548.1.4 Darwin/11.0.0 |

Table 4. Nokia Series 60 and Symbian^3 IBM Traveler user agents

| Release | User agent |
| --- | --- |
| Lotus Notes Traveler 8.5.3 | Lotus Notes Traveler Nokia 8.5.3.0 |
| Lotus Notes Traveler 8.5.2 | Lotus Notes Traveler Nokia 8.5.2.0 |
| Lotus Notes Traveler pre-8.5.2 | SyncML HTTP Client |

Table 5. Windows Mobile IBM Traveler user agents

| Release | User agent |
| --- | --- |
| Lotus Notes Traveler 8.5.3 | Lotus Notes Traveler WM 8.5.3.0 |
| Lotus Notes Traveler 8.5.2 | Lotus Notes Traveler WM 8.5.2.0 |
| Lotus Notes Traveler pre-8.5.2 | IBM SyncML Client |

Table 6. Windows Phone IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Windows 10 Mobile | MSFT-WIN-4/10.0.10581 |
| Windows Phone 8.0 | MSFT-WP/8.0 |
| Windows Phone 7.8 | MSFT-WP/7.10.8853 |
| Windows Phone 7.5 | MSFT-WP/7.10.8773 |
| IBM Traveler Companion 1.1.0 | TravelerCompanion WP/1.1.0 |

Table 7. Windows RT IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Windows RT | WindowsMail/16.4.4406.1205 |

Table 8. BlackBerry 10 IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Z10 | RIM-Z10-STL100-1/10.0.10.261 |
| Blackberry 10.x | BLACKBERRY-Z10-STL100-1/10.0.10.261 |

Table 9. MaaS360 IBM Traveler user agents

| Device | User agent |
| --- | --- |
| MaaS360 on Android | Android/4.1-EAS-1.3 |
| MaaS360 on Apple. Note: This agent is very generic. As a result, if you choose to block this, you may also block other aspects of your system. | Apple-iPhone |

The following user agents are only supported by the IBM Mail Service for Microsoft Outlook (IMSMO) product. This solution is limited availability. Please contact your sales representative for more information.

Table 10. Microsoft Outlook user agents

| Device | User agent |
| --- | --- |
| MS Outlook 2013 | Outlook/15.0 (15.0.4505.1002; MSI; x64) |
| MS Outlook 2013 | IBMMailAddin/901.2013.828.122 |

The following table shows known user agents of devices not supported by IBM Traveler.

Note: These values are subject to change by the application provider at any time.

Table 11. Unsupported user agents

| Device | User agent |
| --- | --- |
| Touchdown application | Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD |
| Blackberry Work Connect | BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android/4.4.4 BLACKBERRY-WorkConnect/3.0 |
| OpenPeak | OP/4.2 |
| AT&T Toggle | Toggle/3.0 |
| Microsoft Outlook Web App (OWA) | Outlook-iOS-Android/1.0 |

There are many possible examples where different User-Agent portions are combined. Here are a few:
- Apple - all Apple devices are allowed to sync, but no other devices.
- (IBM SyncML Client)|(IBM Traveler WM) - All Windows Mobile devices (old and new) are allowed to sync, but no other devices.
- (Nokia SyncML HTTP Client)|(IBM Traveler Nokia) - All Nokia devices (old and new) are allowed to sync, but no other devices.
- Lotus Notes Traveler * 8.5.2 - Only 8.5.2 Windows Mobile and Nokia clients are allowed to sync, but not Apple devices.
- (Apple)|(Lotus Notes Traveler WM) - Only Apple and 8.5.2 Windows Mobile clients are allowed to sync, but not Nokia devices.
- Apple-iPhone/7 - only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile and Nokia devices are not allowed either).
- IBM Traveler Android - Only Android devices are allowed to sync.
- NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - This blocks Toggle and OWA, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.
- NTS_AS_PROTOCOL_VERSIONS - specifies the Exchange ActiveSync Protocol versions
that the server supports. The server supports 2.5, 12.0, and 12.1. Apple OS 2.x devices only support
AS 2.5, thus if you want those devices to be allowed you must include 2.5 in this list. If you would
like to block Apple OS 2.x devices, you may remove 2.5 from this list. Apple OS 3.x devices support
12.1, so you should always include that version in the list. Non-Apple devices may not support 12.1
while supporting 12.0, which is between 2.5 and 12.1. These values are comma-separated and must not
contain spaces. For example:
NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1
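
A candidate NTS_USER_AGENT_ALLOWED_REGEX value can be checked offline against known user agents before it goes into notes.ini. The following is an added example, not IBM code: it compares the default, the blocklist pattern and the "Apple" pattern from this page with a hypothetical anchored allowlist, and it assumes the pattern may match anywhere in the User-Agent header (as the "Apple" example implies) and that Python's `re` behaves like the server's regex engine for these patterns.

```python
import re

# User-Agent values copied from the tables on this page, plus one constructed
# value standing in for a client that appears in none of the tables.
SAMPLE_AGENTS = [
    "Apple-iPhone7C2/1301.344",
    "Apple-iPad4C2/1301.344",
    "Lotus Traveler Android 9.0",
    "Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD",
    "Toggle/3.0",
    "Outlook-iOS-Android/1.0",
    "OP/4.2",
    "ExampleMail/1.0 (constructed)",
]

CANDIDATES = {
    "default": r".*",
    "page_blocklist": r"^((?!((Toggle)|(Outlook-iOS-Android))).)*$",
    "page_apple": r"Apple",
    # Hypothetical allowlist, anchored at the start of the header so that
    # look-alike prefixes such as Apple-TouchDown do not match.
    "anchored_allowlist": r"^(Apple-iP(hone|ad|od)|Lotus Traveler Android )",
}


def allowed(pattern, user_agent):
    """Assumption: the pattern may match anywhere in the User-Agent header."""
    return re.search(pattern, user_agent) is not None


def evaluate(pattern, agents=SAMPLE_AGENTS):
    """Return the user agents that the pattern would let through."""
    return [ua for ua in agents if allowed(pattern, ua)]


def report():
    """Build an ALLOW/BLOCK listing for every candidate pattern."""
    lines = []
    for name, pattern in CANDIDATES.items():
        passed = evaluate(pattern)
        lines.append(f"{name}: {pattern}")
        for ua in SAMPLE_AGENTS:
            lines.append(f"  {'ALLOW' if ua in passed else 'BLOCK'}  {ua}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Under these assumptions the blocklist still admits the unlisted client and the unsupported Touchdown and OpenPeak agents, and the unanchored "Apple" pattern also admits Apple-TouchDown; only the anchored allowlist rejects everything that was not named explicitly.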