Restricting access by device category
An administrator can use IBM Traveler to restrict access for devices that do not support device security, or to restrict devices by their user agent value.
The setting Prohibit devices incapable of security enablement can be enacted by device category to prevent devices that do not support security enablement from syncing with IBM Traveler. Security enablement includes the ability of IBM® Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® IBM® Traveler policy settings document (described in Creating an IBM Traveler policy settings document).
- Apple Mail: Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.
  - Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
  - Protocol level 12.0 does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".

  For example, if you enable Require device password and Prohibit unencrypted devices then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the IBM® Traveler server.
- Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting the following criteria from syncing with the IBM Traveler server:
  - Devices with Android OS level less than 2.2
  - Devices where the user has not enabled the Device Administrator when prompted
When a device is unable to sync with the server due to Prohibit devices incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the administration application device security view and in the device document Access field.
Settings in the notes.ini file define which devices can be restricted from syncing with IBM Traveler by user agent value or Exchange ActiveSync protocol level:

- You can use simplified flags in the notes.ini for the various device types supported by IBM Traveler, to determine which ones can sync. Examples include:

Table 1.

| notes.ini value | Description |
| --- | --- |
| NTS_USER_AGENT_ALLOWED_ANDROID=true | IBM Verse for Android or IBM Notes Traveler for Android. |
| NTS_USER_AGENT_ALLOWED_APPLE=true | Apple iOS built in mail client. |
| NTS_USER_AGENT_ALLOWED_BB=true | BlackBerry 10 built in mail client. |
| NTS_USER_AGENT_ALLOWED_IBM_APPLE=true | IBM Verse for iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_ANDROID=true | MaaS360 Secure Mail client on Android. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_APPLE=true | MaaS360 Secure Mail client on Apple iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_WINPHONE=true | MaaS360 Secure Mail client on Microsoft Windows Phone. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_NOKIA=true | IBM Lotus Notes Traveler for Nokia. |
| NTS_USER_AGENT_ALLOWED_WM=true | IBM Lotus Notes Traveler for Windows Mobile. |
| NTS_USER_AGENT_ALLOWED_WINPHONE=true | Microsoft Windows Phone built in mail client, all OS levels. |
| NTS_USER_AGENT_ALLOWED_WINPHONE_10=true | Microsoft Windows Phone 10 built in mail client. Note: For Windows 10 Mobile devices, the first check will be run against NTS_USER_AGENT_ALLOWED_WINPHONE, as that applies to all Windows Phone devices (including Windows 10 Mobile). If that check passes, then NTS_USER_AGENT_ALLOWED_WINPHONE_10 is checked next. This means Windows 10 Mobile devices must pass both checks. |
| NTS_USER_AGENT_ALLOWED_WINPC=true | Microsoft Windows Pro Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_WINTABLET_RT=true | Microsoft Windows RT Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_REGEX=.* | Used for finer grained control based on user agents of connecting client agents. |

Note: IBM supported devices use their own specific notes.ini values, listed above. Everything else is governed by NTS_USER_AGENT_ALLOWED_REGEX.

NTS_USER_AGENT_ALLOWED_REGEX is checked after the device types defined above, and is used only if the command doesn't correspond to one of the known device types. NTS_USER_AGENT_ALLOWED_REGEX is the regular expression for User-Agent HTTP headers that are allowed to sync data. The default is ".*", which allows all devices to sync.

NTS_USER_AGENT_ALLOWED_REGEX=.*

The following tables list user agents for supported clients. The IBM Verse for Apple user agent changes based on the client build. The Apple Mail client user agent is based on the hardware plus the OS level.
Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the IBM Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log

Note: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.

Table 2. IBM Verse for Android user agents

| Release | User agent |
| --- | --- |
| IBM Verse for Android | Lotus Traveler Android 10.0 |

Table 3. Apple Mail, IBM Verse, IBM Traveler Companion and IBM Traveler To Do user agents

| Device | User agent |
| --- | --- |
| IBM Verse for iPhone | Traveler-iOS-iPhone/9.5.1.2018081415 |
| IBM Verse for iPad | Traveler-iOS-iPad/9.5.0.2018070911 |
| Apple iPhone (OS 9) | Apple-iPhone7C2/1301.344 |
| Apple iPhone (OS 8) | Apple-iPhone7C2/1202.466 |
| IBM Traveler Companion | TravelerCompanion/9.1.3.2017111715 CFNetwork/902.2 Darwin/17.7.0 |
| IBM Traveler To Do for iPad | TravelerToDo-iPad/9.1.2.2018081315 |
| IBM Traveler To Do for iPhone | TravelerToDo-iPhone/9.1.2.2018081315 |

Table 4. Windows™ Phone user agents

| Device | User agent |
| --- | --- |
| Windows™ 10 Mobile | MSFT-WIN-4/10.0.10581 |
| Windows™ Phone 8.0 | MSFT-WP/8.0 |
| Windows™ Phone 7.8 | MSFT-WP/7.10.8853 |
| Windows™ Phone 7.5 | MSFT-WP/7.10.8773 |
| IBM Traveler Companion 1.1.0 | TravelerCompanion WP/1.1.0 |

Table 5. Windows™ RT user agents

| Device | User agent |
| --- | --- |
| Windows™ RT | WindowsMail/16.4.4406.1205 |

IBM Traveler does not explicitly support the IBM MaaS360 clients. The following user agents are provided as a reference only.

Table 6. BlackBerry Traveler user agents

| Device | User agent |
| --- | --- |
| Z10 | RIM-Z10-STL100-1/10.0.10.261 |
| Blackberry 10.x | BLACKBERRY-Z10-STL100-1/10.0.10.261 |

Table 7. MaaS360 user agents

| Device | User agent |
| --- | --- |
| MaaS360 on Android | Android/4.1-EAS-1.3 |
| MaaS360 on Apple | Apple-iPhone. Note: This agent is very generic. As a result, if you choose to block this, you may also block other aspects of your system. |

The following user agents are only supported by the IBM Mail Service for Microsoft Outlook (IMSMO) product.

Table 8. IBM mail for Microsoft Outlook user agents

| Device | User agent |
| --- | --- |
| MS Outlook | IMSMO1.0.0 |

The following table shows known user agents of devices not supported by IBM Traveler. This list is not exhaustive.

Note: These values are subject to change by the application provider at any time.

Table 9. Unsupported user agents

| Device | User agent |
| --- | --- |
| Touchdown application | Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD |
| Blackberry Work Connect | BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android/4.4.4 BLACKBERRY-WorkConnect/3.0 |
| OpenPeak | OP/4.2 |
| AT&T Toggle | Toggle/3.0 |
| Microsoft Outlook Web App (OWA) | Outlook-iOS-Android/1.0 |

There are many possible examples where different User-Agent portions are combined. Here are a few:

- Apple - All Apple devices are allowed to sync, but no other devices.
- Apple-iPhone/7 - Only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).
- IBM Traveler Android - Only Android devices are allowed to sync.
- NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - This blocks Toggle and OWA, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.

- NTS_AS_PROTOCOL_VERSIONS - Specifies the Exchange ActiveSync Protocol versions that the server supports. The server supports 2.5, 12.0, and 12.1. Apple OS 2.x devices only support AS 2.5, thus if you want those devices to be allowed you must include 2.5 in this list. If you would like to block Apple OS 2.x devices, you may remove 2.5 from this list. Apple OS 3.x devices support 12.1, so you should always include that version in the list. Non-Apple devices may not support 12.1 while supporting 12.0, which is between 2.5 and 12.1. These values are comma-separated and must not contain spaces. For example:

  NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1
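
The following added example (not IBM code) checks a candidate NTS_USER_AGENT_ALLOWED_REGEX value against known user agents before it goes into notes.ini, comparing the denylist pattern shown above with an allowlist. It assumes the pattern is applied as a partial match on the User-Agent header, as the "Apple" example implies; the allowlist pattern, the ExampleMail agent and the function names are constructed for illustration, and which agents actually reach the regex check depends on the device-type flags.

```python
import re

# User agents copied from Table 8 and Table 9 of this page, plus one
# constructed value standing in for a client that appears after the rule
# was written.
SAMPLE_AGENTS = [
    "IMSMO1.0.0",
    "Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD",
    "Android/4.4.4 BLACKBERRY-WorkConnect/3.0",
    "OP/4.2",
    "Toggle/3.0",
    "Outlook-iOS-Android/1.0",
    "ExampleMail/1.0",  # constructed, not from the page
]

# Denylist pattern exactly as given on the page.
DENYLIST = r"^((?!((Toggle)|(Outlook-iOS-Android))).)*$"
# Constructed allowlist: admit only the IMSMO agent, anchored at the start.
ALLOWLIST = r"^IMSMO\d"


def allowed_agents(pattern, agents=SAMPLE_AGENTS):
    """Return the agents the pattern would let sync.

    Assumption: the pattern is applied as a search anywhere in the
    User-Agent header (the page's "Apple" example implies a partial match).
    """
    rx = re.compile(pattern)
    return [ua for ua in agents if rx.search(ua)]


def newly_blocked(old_pattern, new_pattern, agents=SAMPLE_AGENTS):
    """Agents that sync under old_pattern but not under new_pattern."""
    keep = set(allowed_agents(new_pattern, agents))
    return [ua for ua in allowed_agents(old_pattern, agents) if ua not in keep]


if __name__ == "__main__":
    for name, pat in (("denylist", DENYLIST), ("allowlist", ALLOWLIST)):
        print(name, "->", allowed_agents(pat))
    print("blocked by switching:", newly_blocked(DENYLIST, ALLOWLIST))
```

The denylist still admits every agent it does not name, including the constructed ExampleMail/1.0, while the allowlist admits only what it lists.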