Creating an HCL Traveler policy settings document

Use the HCL Traveler policy settings document to define device preferences and security settings for syncing Domino® user mail database data with their mobile devices.

About this task

To take advantage of the latest settings, the template of the Domino directory on the Domino administration server should be updated to the latest HCL Domino 9.0.1 or higher template. For the latest updates for Domino, go to the My HCLSoftware Portal.
Note: HCL Traveler policies are not applied to HTMO clients.

To create an HCL Traveler policy settings document, follow these steps:

Procedure

  1. Make sure that you have Editor access to the HCL Domino® directory and one of these roles:
    • PolicyCreator role to create a settings document
    • PolicyModifier role to modify a settings document
  2. From the Domino® Administrator client, click the People & Groups tab, and then open the Settings view.
  3. Click Add Settings, and choose HCL Traveler.
  4. On the Basic tab, assign a name to the policy settings document and add a description.
  5. Complete these fields on the Preferences > Sync tab:
    Important: The following settings do not apply to devices running an Exchange ActiveSync client such as the iOS Apple Mail client.
    Table 1. Sync preferences
    Field Action

    Synchronize

    Specify one or more PIM types to sync with the device: Email, calendar, to-do, or contacts.

  6. Complete these fields on the Preferences > Filter Settings tab:
    Important: The following settings do not apply to devices running an Exchange ActiveSync client such as the iOS Apple Mail client.
    Table 2. Filter Settings preferences
    Field Action

    Email Body Truncation

    Click to enable the email body truncation filter. When enabled, you can select the maximum number of email characters, in thousands of characters, to sync to the device. Specify how many characters from the body of the email are synced to the device before the email is truncated.

    Maximum email Attachment Size Allowed - Administrator

    Specify the maximum combined size of all attachments in a document, in KB, that can be synced to a device. Mobile client users cannot change this administrator setting, and this setting is always locked.
    Important: Setting this field to zero disables all email and calendar attachments including images for all devices, including iOS Apple Mail client.
    Important: Do not select the 'Don't set value' checkbox. Selecting this option will result in HCL Traveler ignoring this policy settings document.
    Note: A non-zero value only applies to the deprecated Windows Mobile and Symbian OS based Nokia devices. The HCL Traveler server no longer requires an artificial limit to be placed on attachment size for other devices.
    Note: Individual 'Prohibit download of attachments' settings exist under security settings for each device type as an alternative way to disable attachments.

    Email Attachments

    Enables automatic syncing of email embedded images up to the size configured in setting Email Attachment Size. This setting is not applicable to calendar events.

    Email and calendar inline email images automatically sync to HCL Verse Mobile clients. The automatic syncing of email/calendar attachments and calendar embedded images is controlled by the Attachment Download setting configured on HCL Verse Mobile clients. Embedded images and attachments not automatically downloaded can be downloaded on request from the client. This setting is not applicable to clients that use the Exchange ActiveSync protocol, such as the iOS Apple Mail app.

    To disable synchronization of email and calendar attachments including images to devices, you can enable the Prohibit download of attachments setting by device type under Default Preferences > Security Settings. Alternatively you can set Maximum email Attachment Size Allowed - Administrator to 0.

    Email Attachment Size

    Automatically download email embedded images smaller than this size when Email Attachments is enabled.

    Email Date Filter

    Click to enable the email date filter, and select the number of days to keep a mail message on the device. If the filter is not enabled, all messages are synced.

    Filter Limit

    Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their HCL Traveler client.

    Email Importance

    Click to enable syncing for mail messages of high importance only.

    Calendar Date Filter - Past Events/Future Events

    Specify the date ranges of calendar events to sync. A repeating event is included when any of its instances are within a date range. All dates from a repeating entry display on the device calendar. When all instances of a calendar event fall outside the past event date range, it is removed from the device. Specify a date range for past events and one for future events as described below.

    • Past Events -- click to enable the filter for past events. Select how far into the past calendar entries are to be synced. When the filter is not enabled, all past events sync.
    • Future Events -- click to enable the filter for future events. Select how far into the future calendar entries are to be synced. When the filter is not enabled, all future events sync.

    Filter Limit

    Administrative setting that enforces a maximum past/future event filter window for users that either disable the past/future event filter or select a value greater than this limit from their HCL Traveler client.

    Journal Date Filter

    Click to enable the journal date filter, and select the amount of time to keep a journal entry on the device. Entries are removed from the device when their modified date is older than the filter range.

    Filter Limit

    Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their HCL Traveler client.

    ToDo Status

    Select Incomplete Status Only to sync only to-dos that have a status of Incomplete.

  7. Complete these fields on the Preferences > Device Settings tab:
    Important: The following settings do not apply to devices running an Exchange ActiveSync mail client, such as the iOS Apple Mail client.
    Table 3. Device Settings preferences
    Field Action

    Device Logging

    Select On to enable device logging, or select Off to disable device logging.

    Maximum Device Log File Size

    Specify the maximum size, in KB, of the log file.

  8. From the Preferences > Security Settings tab, select the tab for your device and configure its settings:
    Note: If your Domino directory template is earlier than 9.0.1, you may be missing tabs for some of the device types. HCL Traveler is designed to pick up the security settings that have been defined for Apple Devices. Not all are applicable to all device types. It is recommended that the Domino directory template be at the latest 9.0.1 version. See Table 6 under the topic Default device preference and security setting values for a complete list of the device security policy capabilities. Ignore any tabs for device types no longer supported (Example: Windows Mobile and Nokia).
    Note: For Apple Mail security settings, the only possible Violation Action is Enforce.
    Table 4. Security Settings > Apple > Apple Mail
    Setting Description Default value

    Require device password

    Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered three or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Minimum number of complex characters

    Smallest number of non-alphanumeric characters required. Range is 0-4 characters.

    0

    Auto lock period (maximum)

    Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    Number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    3

    Wrong passwords before wiping device

    Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled

    Prohibit unencrypted devices

    When enabled, only devices that support onboard data encryption are allowed to sync with the HCL Traveler server.

    Disabled

    Prohibit camera

    Disables the camera on the device.

    Disabled

    Prohibit devices incapable of security enablement

    Prevents devices which cannot support remote wipe or security profiles from syncing with the HCL Traveler server. If left disabled, any devices without security support can sync data.

    An Apple device is considered secured or unsecured by the level of the Exchange ActiveSync protocol it uses, and whether any of the enabled security settings are not supported by that protocol level. Protocol 2.5 level does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".

    Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.

    Disabled

    Table 5. Security Settings > Apple > HCL Verse
    Setting Description Default value

    Require application password

    Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for: Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.
    Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication, SAML2 or TOTP, the Require application password feature cannot be enforced and is not supported by the HCL Verse Android application.

    Disabled

    Password type

    Sets the password type from the following options:
    • Numeric
    • Alphabetic
    • Alphanumeric
    • Complex
    • Server

    Disabled

    Minimum letters

    Smallest number of alphabetic characters allowed. Range is 0-64.

    0

    Minimum non-letters

    Smallest number of non-alphabetic characters allowed. Range is 0-64.

    0

    Minimum uppercase

    Smallest number of uppercase characters allowed. Range is 0-64.

    0

    Minimum lowercase

    Smallest number of lowercase characters allowed. Range is 0-64.

    0

    Minimum numeric

    Smallest number of numeric characters allowed. Range is 0-64.

    0

    Minimum symbols

    Smallest number of symbol characters allowed. Range is 0-64.

    0

    Minimum password length

    Smallest number of password characters allowed. Range is 4-64.

    4

    Auto lock period (maximum)

    Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    Number of days after which the device password must be changed. Range is 0-730 days.

    0 days

    Password history count

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping application data

    Enables device application to wipe the HCL Verse application configuration and data after the selected number of consecutive failed application password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit ascending, descending, and repeating sequences

    Select to prohibit the use of ascending, descending, and repeating sequences.

    Disabled

    Allow/Prohibit Touch ID

    When enabled, and if the iOS device supports fingerprint recognition, users can unlock the HCL Verse application using Touch ID without having to enter their HCL Verse application password.

    Prohibit Touch ID

    Prohibit export of contacts to OS

    Determines whether HCL Verse application can share its contacts with the device OS.

    Disabled

    Prohibit copy to clipboard

    Select to disable the ability to copy HCL Verse application data to the device clipboard.

    Disabled

    Prohibit export of attachments

    Select to disable the ability to export attachments from HCL Verse application.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download email and calendar attachments including images from the HCL Verse application when they sync with the HCL Traveler server.

    Disabled

    Require Mobile Application Management

    When enabled, devices must be managed by a Mobile Application Management (MAM) provider to be able to sync mail with the HCL Traveler Server. Enforcement requires HCL Verse for iOS 12.0.7 or later.

    Disabled

    Table 6. Security Settings > Android
    Setting Description Default value

    Require device password

    Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Password type, Minimum password length, Auto lock period, Password expiration period, Password history count, Wrong passwords before wiping device, and Prohibit unencrypted devices.

    Disabled

    Password type (OS 10+ only)

    Sets the password type for Android 10 and later versions from the following options:
    • Low
    • Medium
    • High
    Low password type allows:
    • Pattern
    • PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
    Medium password type allows:
    • PIN with no repeating or ordered sequences, length at least 4
    • alphabetic, length at least 4
    • alphanumeric, length at least 4
    High password type allows:
    • PIN with no repeating or ordered sequences, length at least 8
    • alphabetic, length at least 6
    • alphanumeric, length at least 6

    Disabled

    Password type (Pre-OS 10 only)

    Sets the password type from the following options:
    • Unrestricted
    • Numeric
    • Alphabetic
    • Alphanumeric
    • Complex (OS 3+ only)
    Note: HCL Traveler lists the order of password types (top-to-bottom) as weakest to strongest. Unrestricted is the weakest, and allows any type of password, including fingerprint and pattern. Note that if you select Unrestricted as the Password type, then the Password length setting is no longer applicable.

    Disabled

    Require alphanumeric value

    Require password to contain at least one alphabetic and one numeric character.
    Note: Obsolete.

    Disabled

    Minimum password length

    Minimum number of characters for the password.

    4

    Password expiration period (OS 3+ only)

    Number of days after which the device password must be changed. Range is 0-730 days.

    0 days

    Password history count (OS 5+ only)

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables wiping of the device after a specified number of incorrect passwords are entered.

    Disabled and 7 incorrect password attempts.

    Prohibit unencrypted devices (OS 5+ only)

    Select to only allow devices that are encrypted to sync with the HCL Traveler server.

    Disabled

    Require application password

    Select to require users to enter their HCL Verse password to access their HCL Verse client application and its data. This option must be selected to use any of these sub-settings: Wrong passwords before wiping application data, Auto lock period.
    Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication or SAML2, the Require application password feature cannot be enforced and is not supported by the HCL Verse Android application.

    Disabled

    Wrong passwords before wiping application data

    Enables the device application to wipe the HCL Verse client application configuration and data after the selected number of consecutive failed application password attempts occur.

    Disabled and 7 incorrect password attempts

    Auto lock period (maximum)

    Specifies the maximum setting for device inactivity time until the device locks due to inactivity.

    30 minutes

    Disable local password storage

    Selecting this option will prevent the HCL Traveler password from being saved in application storage. Enabling this option will require the user to enter their HCL Traveler password whenever the HCL Traveler application service restarts, including at phone startup. HCL Traveler will not synchronize data until the password is entered.
    Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication or SAML2, the Disable local password storage feature cannot be enforced and is not supported by the HCL Verse Android application.

    Disabled

    Prohibit copy to clipboard

    Select to disable the ability to copy HCL Traveler data to the device clipboard.

    Disabled

    Prohibit export of attachments to file system

    Select to disable the ability to export attachments from HCL Traveler mail to the device's file system.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.

    Disabled

    Allow only approved applications to access attachments

    Selecting this option enforces that attachments synced to the device can only be viewed by applications that are defined in the Approved Application list.

    Disabled

    Prohibit camera (OS 4+ only)

    Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above.

    Disabled

    Require external domain validation

    Enables a warning message when mail is sent from an HCL Traveler client (Android only) to a user who is not in a domain listed in the internal mail domains list. This option must be selected to use any of these sub-settings: Internal mail domains, Custom warning message, and Confirmation behavior.

    Disabled

    Internal mail domains

    List of domains that do not require a confirmation warning message on the device when sending a mail. An "*" can be used as a wildcard. Separate entries with a "," or a ":".

    (blank)

    Custom warning message

    By default, the HCL Traveler client will present the message "This mail contains external recipients." along with the external addresses to be confirmed. You can define a different message here; any message entered will not be translated and will be used regardless of the device's language.

    (blank)

    Confirmation behavior

    Select "Notify" to present the user with a list of mail addresses with domains not included in the "Internal mail domains" list. The user can either continue sending the mail to all addresses or cancel.

    Select "Confirm each external recipient" to present the user with a checkbox list of mail addresses with domains not included in the "Internal mail domains" list. The user can select the intended addresses and continue sending the mail to only the selected addresses or cancel.

    Confirm each external recipient

    Prohibit devices incapable of security enablement

    Prevents devices which cannot support remote wipe or security profiles from syncing with the HCL Traveler server.

    Disabled

    Require Mobile Application Management

    When enabled, the HCL Verse for Android client must be managed by a Mobile Application Management (MAM) provider to be able to sync with the HCL Traveler Server.

    Disabled

    Note: For Windows Phone device security settings, the only possible Violation Action is Enforce. Settings defined here may also apply to Windows RT and Tablet devices. See the Windows Tablet Limitations and Restrictions section for any exceptions for the security settings.
    Table 7. Default Preferences > Security Settings > Windows Phone
    Setting Description Default value

    Require device password

    Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum number of complex characters

    Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4.

    2

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Auto lock period (maximum)

    The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    The number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit unencrypted devices

    When enabled, only devices that support on-board data encryption are allowed to sync with the HCL Traveler server.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.

    Disabled

    Note: For BlackBerry device security settings, the only possible Violation Action is Enforce.
    Table 8. Security Settings > BlackBerry
    Setting Description Default value

    Require device password

    Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum number of complex characters

    Smallest number of non-alphanumeric characters required. Range is 1-4 characters.

    2

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Auto lock period (maximum)

    The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    The number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit unencrypted devices

    When enabled, only devices that support on-board data encryption are allowed to sync with the HCL Traveler server.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.

    Disabled

    Note: For the Verse mobile clients, some of the security settings have a violation action that must be configured. If the local device security setting does not match the security policy, the violation action runs on the device.
    Table 9. Violation action settings
    Setting Description

    Report

    If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the HCL Traveler server. The mobile device user is notified on the HCL Traveler status screen with a security lock icon and a message.

    Disable Synchronization

    If the setting is not compliant, the violation is reported to the HCL Traveler server and any further syncing or data exchange with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation.

    Enforce

    The HCL Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and to the mobile device user, and syncing is disabled until the violation is corrected.

    Table 10. Device Access
    Setting Description Default value

    Require approval for device access

    Selecting this setting will make all new devices able to register, but not sync data with HCL Traveler. The device will be in a locked state until approved by the Administrator.

    Deselected

    Number of devices to allow per user before approval is required

    This setting allows the Administrator to auto approve a given number of devices per user. The number refers to registered devices per user and is not time sensitive. For example, if set to 1, the first device to register for a user will not require approval, but any new devices will. Completely deleting a device from the database and security record removes it from being considered in this calculation.

    1

    Optional: Addresses to notify when approval action is pending

    This allows an Administrator to be notified when an approval action is required. The notification would include the User ID, Device ID, Device Type, and date of registration. The notification list can include users, groups and Mail-In DBs. The registering user will always receive a notification when a device registers and requires approval. The e-mail copy sent to the administrator includes a link to LotusTraveler.nsf.

    Blank, which means no addresses

  9. Click the Comments tab, and specify or modify comments regarding this policy settings document.
  10. Click the Administrator tab, and enter or select the owners and administrators of this document.
  11. Click Save and Close.
  12. Add the settings document to either an existing or new policy document. For more information about policies, see the Policies topic in the latest Domino® Administrator section of this information center.
    Note: The policy change is not pushed to affected user mail databases immediately. The admin process task performs this push operation periodically, every six hours by default. To update immediately, run the Domino® Console command tell adminp process traveler on the mail servers that are hosting users affected by the new policy.
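
The Require external domain validation settings in Table 6 can be checked offline before the policy is rolled out. The following is an added example, not HCL Traveler code: it models the Internal mail domains field (entries separated by "," or ":", "*" as wildcard) and the two Confirmation behavior options. Assumptions: matching is case-insensitive against the whole domain after the last "@", addresses without "@" are treated as external, and internal recipients are always kept; all function names and sample addresses are constructed.

```python
import re


def parse_internal_domains(raw):
    """Compile the 'Internal mail domains' field; entries split on ',' or ':'."""
    patterns = []
    for entry in re.split(r"[,:]", raw):
        entry = entry.strip().lower()
        if not entry:
            continue  # ignore blank entries left by trailing separators
        # Escape the entry, then restore '*' as "any run of characters".
        patterns.append(re.compile(re.escape(entry).replace(r"\*", ".*")))
    return patterns


def is_external(address, patterns):
    """True when the address domain matches no internal entry (assumed semantics)."""
    if "@" not in address:
        return True  # assumption: no domain part means "ask the user"
    domain = address.rpartition("@")[2].strip().lower()
    return not any(p.fullmatch(domain) for p in patterns)


def external_recipients(recipients, patterns):
    """Recipients that would trigger the warning, in their original order."""
    return [r for r in recipients if is_external(r, patterns)]


def resolve_send(recipients, patterns, behavior, confirmed=(), cancel=False):
    """Return the final recipient list, or None when the user cancels.

    behavior is "Notify" or "Confirm each external recipient" (Table 6).
    confirmed holds the external addresses the user ticked in the checkbox list.
    """
    external = external_recipients(recipients, patterns)
    if not external:
        return list(recipients)  # nothing external, so no warning is shown
    if cancel:
        return None
    if behavior == "Notify":
        return list(recipients)  # user continued: mail goes to all addresses
    if behavior == "Confirm each external recipient":
        keep = set(confirmed)
        return [r for r in recipients if r not in external or r in keep]
    raise ValueError(f"unknown confirmation behavior: {behavior!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    field = "example.com, *.example.com:corp.example.org"
    mail_to = [
        "alice@example.com",
        "bob@mail.example.com",
        "dave@example.net",
        "frank@example.com.partner.test",  # lookalike suffix, still external
    ]
    pats = parse_internal_domains(field)
    print("external:", external_recipients(mail_to, pats))

    # Under the assumed wildcard semantics, an entry without the leading dot
    # also treats unrelated domains that merely end in the same text as internal.
    loose = parse_internal_domains("*example.com")
    print("notexample.com external?", is_external("x@notexample.com", loose))
```

Under these assumptions, "*.example.com" plus a separate "example.com" entry is the narrower way to cover a domain and its subdomains than a single "*example.com" entry.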

Results

When a mobile device registers for the first time with the HCL Traveler server, the device settings match those from the administrator-defined policy. If no policy has been defined for the user, then the Default device preference and security setting values are used. After registration is complete, the mobile device settings are saved in the mail database of the user as a device profile. If the user later registers a new device, then its default settings come from the current effective policy, if any. Those settings are saved to unique device profiles in the mail database for the user.

Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked. If the policy administrator locks a setting or changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.

Note: Any settings not included in the Domino® policy (either because the Domino® policy template is downlevel or the Don't set value option has been selected for the How to apply setting in the Domino® Policy) get their value from those defined in the Default device preference and security setting values. For example, scheduled sync, filter limits, and new Android security settings.
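
The Apple Mail rule behind Prohibit devices incapable of security enablement (Table 4) can be modelled to see which devices a policy would lock out. The following is an added example, not HCL Traveler code: it combines the per-protocol-level lists from Table 4 with the rule that password sub-settings only count when Require device password is selected. Assumptions: a setting counts as enabled when its value is true or non-zero, Exchange ActiveSync levels other than 2.5 and 12.0 support every setting, and the policy dictionary, device IDs and function names are constructed.

```python
# Settings each Exchange ActiveSync protocol level cannot enforce (Table 4).
UNSUPPORTED_BY_LEVEL = {
    "2.5": {
        "Prohibit unencrypted devices",
        "Prohibit ascending, descending and repeating sequences",
        "Password expiration period",
        "Password history",
        "Prohibit camera",
        "Minimum number of complex characters",
    },
    "12.0": {
        "Prohibit unencrypted devices",
        "Prohibit camera",
        "Minimum number of complex characters",
    },
}

PARENT = "Require device password"
GATE = "Prohibit devices incapable of security enablement"

# Sub-settings that require "Require device password" to be selected (Table 4).
PASSWORD_SUBSETTINGS = frozenset({
    "Prohibit ascending, descending and repeating sequences",
    "Require alphanumeric value",
    "Minimum password length",
    "Minimum number of complex characters",
    "Auto lock period (maximum)",
    "Password expiration period",
    "Password history",
    "Wrong passwords before wiping device",
    "Prohibit unencrypted devices",
})


def active_settings(policy):
    """Names of settings in effect; sub-settings drop out when the parent is off."""
    parent_on = bool(policy.get(PARENT))
    active = set()
    for name, value in policy.items():
        if not value:
            continue  # assumption: False or 0 means the setting is not enabled
        if name in PASSWORD_SUBSETTINGS and not parent_on:
            continue
        active.add(name)
    return active


def unenforceable(policy, level):
    """Enabled settings the given protocol level cannot enforce, sorted by name."""
    # Assumption: levels not listed in Table 4 support every setting.
    return sorted(active_settings(policy) & UNSUPPORTED_BY_LEVEL.get(level, set()))


def device_may_sync(policy, level):
    """False when the gate setting is on and any enabled setting is unsupported."""
    return not (policy.get(GATE) and unenforceable(policy, level))


def audit(policy, devices):
    """Map device id -> result for an iterable of (device_id, protocol_level)."""
    return {
        dev: {"may_sync": device_may_sync(policy, lvl),
              "unenforceable": unenforceable(policy, lvl)}
        for dev, lvl in devices
    }


if __name__ == "__main__":
    # Constructed policy and device inventory for illustration.
    sample_policy = {
        PARENT: True,
        "Minimum password length": 6,
        "Minimum number of complex characters": 1,
        "Password expiration period": 90,
        "Password history": 3,
        "Prohibit unencrypted devices": True,
        "Prohibit camera": False,
        GATE: True,
    }
    inventory = [("device-a", "14.1"), ("device-b", "12.0"), ("device-c", "2.5")]
    for dev, result in audit(sample_policy, inventory).items():
        print(dev, result)
```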