Creating an HCL Traveler policy settings document
Use the HCL Traveler policy settings document to define device preferences and security settings for syncing Domino® user mail database data with their mobile devices.
About this task
To create an HCL Traveler policy settings document, follow these steps:
Procedure
- Make sure that you have Editor access to the HCL Domino® directory and one of these roles:
  - PolicyCreator role to create a settings document
  - PolicyModifier role to modify a settings document
- From the Domino® Administrator client, click the People & Groups tab, and then open the Settings view.
- Click Add Settings, and choose HCL Traveler.
- On the Basic tab, assign a name to the policy settings document and add a description.
- Complete these fields on the Preferences > Sync tab:
Important: The following settings do not apply to devices running an Exchange ActiveSync client such as the iOS Apple Mail client.
Table 1. Sync preferences (columns: Field, Action)
Synchronize
Specify one or more PIM types to sync with the device: Email, calendar, to-do, or contacts.
- Complete these fields on the Preferences > Filter Settings tab:
Important: The following settings do not apply to devices running an Exchange ActiveSync client such as the iOS Apple Mail client.
Table 2. Filter Settings preferences (columns: Field, Action)
Email Body Truncation
Click to enable the email body truncation filter. When enabled, you can select the maximum number of email characters, in thousands of characters, to sync to the device. Specify how many characters from the body of the email are synced to the device before the email is truncated.
Maximum email Attachment Size Allowed - Administrator
Specify the maximum combined size of all attachments in a document, in KB, that can be synced to a device. Mobile client users cannot change this administrator setting, and this setting is always locked.
Important: Setting this field to zero disables all email and calendar attachments including images for all devices, including iOS Apple Mail client.
Important: Do not select the 'Don't set value' checkbox. Selecting this option will result in HCL Traveler ignoring this policy settings document.
Note: A non-zero value only applies to the deprecated Windows Mobile and Symbian OS based Nokia devices. The HCL Traveler server no longer requires an artificial limit to be placed on attachment size for other devices.
Note: Individual 'Prohibit download of attachments' settings exist under security settings for each device type as an alternative way to disable attachments.
Email Attachments
Enables automatic syncing of email embedded images up to the size configured in setting Email Attachment Size. This setting is not applicable to calendar events.
Email and calendar inline email images automatically sync to HCL Verse Mobile clients. The automatic syncing of email/calendar attachments and calendar embedded images is controlled by the Attachment Download setting configured on HCL Verse Mobile clients. Embedded images and attachments not automatically downloaded can be downloaded on request from the client. This setting is not applicable to clients that use the Exchange ActiveSync protocol, such as the iOS Apple Mail app.
To disable synchronization of email and calendar attachments including images to devices, you can enable the Prohibit download of attachments setting by device type under . Alternatively you can set Maximum email Attachment Size Allowed - Administrator to 0.
Email Attachment Size
Automatically download email embedded images smaller than this size when Email Attachments is enabled.
Email Date Filter
Click to enable the email date filter, and select the number of days to keep a mail message on the device. If the filter is not enabled, all messages are synced.
Filter Limit
Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their HCL Traveler client.
Email Importance
Click to enable syncing for mail messages of high importance only.
Calendar Date Filter - Past Events/Future Events
Specify the date ranges of calendar events to sync. A repeating event is included when any of its instances are within a date range. All dates from a repeating entry display on the device calendar. When all instances of a calendar event fall outside the past event date range, it is removed from the device. Specify a date range for past events and one for future events as described below.
- Past Events -- click to enable the filter for past events. Select the length of time (how far into the past), calendar entries are to be synced. When the filter is not enabled, all past events sync.
- Future Events -- click to enable the filter for future events. Select the length of time (how far into the future), calendar entries are to be synced. When the filter is not enabled, all future events will sync.
Filter Limit
Administrative setting that enforces a maximum past/future event filter window for users that either disable the past/future event filter or select a value greater than this limit from their HCL Traveler client.
Journal Date Filter
Click to enable the journal date filter, and select the amount of time to keep a journal entry on the device. Entries are removed from the device when their modified date is older than the filter range.
Filter Limit
Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their HCL Traveler client.
ToDo Status
Select Incomplete Status Only to sync only to-dos that have a status of Incomplete.
- Complete these fields on the Preferences > Device Settings tab:
Important: The following settings do not apply to devices running an Exchange ActiveSync mail client, such as the iOS Apple Mail client.
Table 3. Device Settings preferences (columns: Field, Action)
Device Logging
Select On to enable device logging, or select Off to disable device logging.
Maximum Device Log File Size
Specify the maximum size, in KB, of the log file.
- From the Preferences > Security Settings tab, select the tab for your device and configure its settings:
Note: If your Domino directory template is earlier than 9.0.1, you may be missing tabs for some of the device types. HCL Traveler is designed to pick up the security settings that have been defined for Apple Devices. Not all are applicable to all device types. It is recommended that the Domino directory template be at the latest 9.0.1 version. See Table 6 under the topic Default device preference and security setting values for a complete list of the device security policy capabilities. Ignore any tabs for device types no longer supported (Example: Windows Mobile and Nokia).
Note: For Apple Mail security settings, the only possible Violation Action is Enforce.
Table 4. Security Settings > Apple > Apple Mail (columns: Setting, Description, Default value)
Require device password
Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered three or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Minimum number of complex characters
Smallest number of non-alphanumeric characters required. Range is 0-4 characters.
0
Auto lock period (maximum)
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
Number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
3
Wrong passwords before wiping device
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled
Prohibit unencrypted devices
When enabled, only devices that support onboard data encryption are allowed to sync with the HCL Traveler server.
Disabled
Prohibit camera
Disables the camera on the device.
Disabled
Prohibit devices incapable of security enablement
Prevents devices which cannot support remote wipe or security profiles from syncing with the HCL Traveler server. If left disabled, any devices without security support can sync data.
An Apple device is considered secured or unsecured by the level of the Exchange ActiveSync protocol it uses, and whether any of the enabled security settings are not supported by that protocol level. Protocol 2.5 level does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.
Disabled
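The dependency, range and protocol-level rules in Table 4, as an added Python example that is not HCL code: it checks a constructed policy dictionary against the documented ranges and lists which enabled settings an Exchange ActiveSync 2.5 or 12.0 device cannot honor. The dictionary layout, the function names, treating a setting as enabled when its value is truthy, and treating protocol levels the table does not list as fully capable are assumptions.

```python
# Added example: setting names, ranges and protocol gaps are copied from Table 4.
PARENT = "Require device password"
PROHIBIT_INCAPABLE = "Prohibit devices incapable of security enablement"

# Sub-settings that only take effect when PARENT is selected.
SUB_SETTINGS = {
    "Prohibit ascending, descending and repeating sequences",
    "Require alphanumeric value",
    "Minimum password length",
    "Minimum number of complex characters",
    "Auto lock period (maximum)",
    "Password expiration period",
    "Password history",
    "Wrong passwords before wiping device",
    "Prohibit unencrypted devices",
}

# Documented numeric ranges (inclusive).
RANGES = {
    "Minimum password length": (4, 16),
    "Minimum number of complex characters": (0, 4),
    "Auto lock period (maximum)": (1, 60),
    "Password expiration period": (0, 730),
    "Password history": (0, 50),
}

# Settings each Exchange ActiveSync protocol level does not support.
UNSUPPORTED = {
    "12.0": {
        "Prohibit unencrypted devices",
        "Prohibit camera",
        "Minimum number of complex characters",
    },
}
UNSUPPORTED["2.5"] = UNSUPPORTED["12.0"] | {
    "Prohibit ascending, descending and repeating sequences",
    "Password expiration period",
    "Password history",
}


def enabled(policy):
    """Assumption: a setting counts as enabled when its value is truthy."""
    return {name for name, value in policy.items() if value}


def lint(policy):
    """Return findings for orphaned sub-settings and out-of-range values."""
    findings = []
    on = enabled(policy)
    if PARENT not in on:
        for name in sorted(on & SUB_SETTINGS):
            findings.append(f"{name}: no effect unless '{PARENT}' is selected")
    for name, (lo, hi) in RANGES.items():
        value = policy.get(name)
        if value is None:
            continue
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not lo <= value <= hi:
            findings.append(f"{name}: {value!r} is outside the range {lo}-{hi}")
    return findings


def unsupported_settings(policy, protocol):
    """Enabled settings that the given protocol level cannot honor."""
    return sorted(enabled(policy) & UNSUPPORTED.get(protocol, set()))


def classify_device(policy, protocol):
    """Secured, blocked, or allowed to sync without the full policy."""
    if not unsupported_settings(policy, protocol):
        return "secured"
    if policy.get(PROHIBIT_INCAPABLE):
        return "blocked"
    return "unsecured, sync allowed"


# Constructed sample policy, not taken from a real server.
SAMPLE_POLICY = {
    PARENT: True,
    "Minimum password length": 8,
    "Minimum number of complex characters": 1,
    "Auto lock period (maximum)": 5,
    "Password expiration period": 90,
    "Password history": 3,
    "Prohibit unencrypted devices": True,
    PROHIBIT_INCAPABLE: True,
}

if __name__ == "__main__":
    print(lint(SAMPLE_POLICY))
    for level in ("2.5", "12.0"):
        print(level, classify_device(SAMPLE_POLICY, level),
              unsupported_settings(SAMPLE_POLICY, level))
```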
Table 5. Security Settings > Apple > HCL Verse (columns: Setting, Description, Default value)
Require application password
Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for: Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication, SAML2 or TOTP, the Require application password feature cannot be enforced and is not supported by the HCL Verse Android application.
Disabled
Password type
Sets the password type from the following options:
- Numeric
- Alphabetic
- Alphanumeric
- Complex
- Server
Disabled
Minimum letters
Smallest number of alphabetic characters allowed. Range is 0-64.
0
Minimum non-letters
Smallest number of non-alphabetic characters allowed. Range is 0-64.
0
Minimum uppercase
Smallest number of uppercase characters allowed. Range is 0-64.
0
Minimum lowercase
Smallest number of lowercase characters allowed. Range is 0-64.
0
Minimum numeric
Smallest number of numeric characters allowed. Range is 0-64.
0
Minimum symbols
Smallest number of symbol characters allowed. Range is 0-64.
0
Minimum password length
Smallest number of password characters allowed. Range is 4-64.
4
Auto lock period (maximum)
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
Number of days after which the device password must be changed. Range is 0-730 days.
0 days
Password history count
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping application data
Enables device application to wipe the HCL Verse application configuration and data after the selected number of consecutive failed application password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit ascending, descending, and repeating sequences
Select to prohibit the use of ascending, descending, and repeating sequences.
Disabled
Allow/Prohibit Touch ID
When enabled, and if the iOS device supports fingerprint recognition, users can unlock the HCL Verse application using Touch ID without having to enter their HCL Verse application password.
Prohibit Touch ID
Prohibit export of contacts to OS
Determines whether HCL Verse application can share its contacts with the device OS.
Disabled
Prohibit copy to clipboard
Select to disable the ability to copy HCL Verse application data to the device clipboard.
Disabled
Prohibit export of attachments
Select to disable the ability to export attachments from HCL Verse application.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download email and calendar attachments including images from the HCL Verse application when they sync with the HCL Traveler server.
Disabled
Require Mobile Application Management
When enabled, devices must be managed by a Mobile Application Management (MAM) provider to be able to sync mail with the HCL Traveler Server. Enforcement requires HCL Verse for iOS 12.0.7 or later.
Disabled
Table 6. Security Settings > Android (columns: Setting, Description, Default value)
Require device password
Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Password type, Minimum password length, Auto lock period, Password expiration period, Password history count, Wrong passwords before wiping device, and Prohibit unencrypted devices.
Disabled
Password type (OS 10+ only)
Sets the password type for Android 10 and later versions from the following options:
- Low
- Medium
- High
Low password type allows:
- Pattern
- PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
Medium password type allows:
- PIN with no repeating or ordered sequences, length at least 4
- alphabetic, length at least 4
- alphanumeric, length at least 4
High password type allows:
- PIN with no repeating or ordered sequences, length at least 8
- alphabetic, length at least 6
- alphanumeric, length at least 6
Disabled
Password type (Pre-OS 10 only)
Sets the password type from the following options:
- Unrestricted
- Numeric
- Alphabetic
- Alphanumeric
- Complex (OS 3+ only)
Note: HCL Traveler lists the order of password types (top-to-bottom) as weakest to strongest. Unrestricted is the weakest, and allows any type of password, including fingerprint and pattern. Note that if you select Unrestricted as the Password type, then the Password length setting is no longer applicable.
Disabled
Require alphanumeric value
Require password to contain at least one alphabetic and one numeric character.
Note: Obsolete.
Disabled
Minimum password length
Minimum number of characters for the password.
4
Password expiration period (OS 3+ only)
Number of days after which the device password must be changed. Range is 0-730 days.
0 days
Password history count (OS 5+ only)
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables wiping of the device after a specified number of incorrect passwords are entered.
Disabled and 7 incorrect password attempts.
Prohibit unencrypted devices (OS 5+ only)
Select to only allow devices that are encrypted to sync with the HCL Traveler server.
Disabled
Require application password
Select to require users to enter their HCL Verse password to access their HCL Verse client application and its data. This option must be selected to use any of these sub-settings: Wrong passwords before wiping application data, Auto lock period.
Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication or SAML2, the Require application password feature cannot be enforced and is not supported by the HCL Verse Android application.
Disabled
Wrong passwords before wiping application data
Enables the device application to wipe the HCL Verse client application configuration and data after the selected number of consecutive failed application password attempts occur.
Disabled and 7 incorrect password attempts
Auto lock period (maximum)
Specifies the maximum setting for device inactivity time until the device locks due to inactivity.
30 minutes
Disable local password storage
Selecting this option will prevent the HCL Traveler password from being saved in application storage. Enabling this option will require the user to enter their HCL Traveler password whenever the HCL Traveler application service restarts, including at phone startup. HCL Traveler will not synchronize data until the password is entered.
Note: When using authentication systems that do not require a password to be entered for HCL Verse, such as Certificate Based Authentication or SAML2, the Disable local password storage feature cannot be enforced and is not supported by the HCL Verse Android application.
Disabled
Prohibit copy to clipboard
Select to disable the ability to copy HCL Traveler data to the device clipboard.
Disabled
Prohibit export of attachments to file system
Select to disable the ability to export attachments from HCL Traveler mail to the device's file system.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.
Disabled
Allow only approved applications to access attachments
Selecting this option enforces that attachments synced to the device can only be viewed by applications that are defined in the Approved Application list.
Disabled
Prohibit camera (OS 4+ only)
Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above.
Disabled
Require external domain validation
Enables a warning message when sending mail to a user from a HCL Traveler client (Android only) not in a domain listed in the internal mail domains list. This option must be selected to use any of these sub-settings: Internal mail domains, Custom warning message, and Confirmation behavior.
Disabled
Internal mail domains
List of domains that do not require a confirmation warning message on the device when sending a mail. An "*" can be used as a wildcard. Separate entries with a "," or a ":"
(blank)
Custom warning message
By default, the HCL Traveler client will present the message "This mail contains external recipients." along with the external addresses to be confirmed. You can define a different message here; any message entered will not be translated and will be used regardless of the device's language.
(blank)
Confirmation behavior
Select "Notify" to present the user with a list of mail addresses with domains not included in the "Internal mail domains" list. The user can either continue sending the mail to all addresses or cancel.
Select "Confirm each external recipient" to present the user with a checkbox list of mail addresses with domains not included in the "Internal mail domains" list. The user can select the intended addresses and continue sending the mail to only the selected addresses or cancel.
Confirm each external recipient
Prohibit devices incapable of security enablement
Prevents devices which cannot support remote wipe or security profiles from syncing with the HCL Traveler server.
Disabled
Require Mobile Application Management
When enabled, the HCL Verse for Android client must be managed by a Mobile Application Management (MAM) provider to be able to sync with the HCL Traveler Server.
Disabled
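A way to pre-check an Internal mail domains value before enabling Require external domain validation, as an added Python example that is not HCL code: it splits the field on "," or ":", applies "*" as a wildcard, and shows which constructed recipients would be presented for confirmation under each Confirmation behavior. Case-insensitive matching against the whole domain, the function names and the way the user's choice is passed in are assumptions, not documented Traveler behavior.

```python
import re


def parse_internal_domains(field):
    """Split the field on ',' or ':' and drop blank entries."""
    return [d.strip().lower() for d in re.split(r"[,:]", field) if d.strip()]


def _domain_regex(pattern):
    # Only '*' is a wildcard; every other character is matched literally.
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def external_recipients(recipients, field):
    """Addresses whose domain matches no entry in the internal list."""
    regexes = [_domain_regex(p) for p in parse_internal_domains(field)]
    external = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].strip().lower()
        if not any(rx.fullmatch(domain) for rx in regexes):
            external.append(addr)
    return external


def resolve_send(recipients, field, behavior, user_choice):
    """Model the two Confirmation behavior options.

    "Notify": user_choice is True (continue to all) or False (cancel).
    "Confirm each external recipient": user_choice is the list of ticked
    external addresses, or None to cancel.
    Returns the addresses the mail would go to ([] when cancelled).
    """
    external = external_recipients(recipients, field)
    if not external:
        return list(recipients)  # nothing to confirm
    if behavior == "Notify":
        return list(recipients) if user_choice else []
    if behavior == "Confirm each external recipient":
        if user_choice is None:
            return []
        ticked = set(user_choice)
        return [r for r in recipients if r not in external or r in ticked]
    raise ValueError(f"unknown confirmation behavior: {behavior}")


# Constructed sample data (reserved example domains).
INTERNAL_FIELD = "example.com, *.example.com:partner.example.net"
RECIPIENTS = [
    "alice@example.com",
    "bob@mail.example.com",
    "carol@EXAMPLE.COM",
    "dave@example.org",
    "erin@sub.partner.example.net",  # no wildcard entry covers this subdomain
]

if __name__ == "__main__":
    print(parse_internal_domains(INTERNAL_FIELD))
    print(external_recipients(RECIPIENTS, INTERNAL_FIELD))
    print(resolve_send(RECIPIENTS, INTERNAL_FIELD,
                       "Confirm each external recipient", ["dave@example.org"]))
```

Under these assumptions, an entry without a wildcard covers only that exact domain, and a blank field makes every recipient external.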
Note: For Windows™ Phone device security settings, the only possible Violation Action is Enforce. Settings defined here may also apply to Windows RT and Tablet devices. See the Windows Tablet Limitations and Restrictions section for any exceptions for the security settings.
Table 7. Default Preferences > Security Settings > Windows™ Phone (columns: Setting, Description, Default value)
Require device password
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum number of complex characters
Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4.
2
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Auto lock period (maximum)
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
The number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit unencrypted devices
When enabled, only devices that support on-board data encryption are allowed to sync with the HCL Traveler server.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.
Disabled
Note: For BlackBerry device security settings, the only possible Violation Action is Enforce.
Table 8. Security Settings > BlackBerry (columns: Setting, Description, Default value)
Require device password
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum number of complex characters
Smallest number of non-alphanumeric characters required. Range is 1-4 characters.
2
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Auto lock period (maximum)
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
The number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit unencrypted devices
When enabled, only devices that support on-board data encryption are allowed to sync with the HCL Traveler server.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download email and calendar attachments including images from HCL Traveler applications when they sync with the HCL Traveler server.
Disabled
Note: For the Verse mobile clients, some of the security settings have a violation action that must be configured. If the local device security setting does not match the security policy, the violation action runs on the device.
Table 9. Violation action settings (columns: Setting, Description)
Report
If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the HCL Traveler server. The mobile device user is notified on the HCL Traveler status screen with a security lock icon and a message.
Disable Synchronization
If the setting is not compliant, the violation is reported to the HCL Traveler server and any further syncing or data exchange with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation.
Enforce
The HCL Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and to the mobile device user, and syncing is disabled until the violation is corrected.
Table 10. Device Access (columns: Setting, Description, Default value)
Require approval for device access
Selecting this setting will make all new devices able to register, but not sync data with HCL Traveler. The device will be in a locked state until approved by the Administrator.
Deselected
Number of devices to allow per user before approval is required
This setting allows the Administrator to auto approve a given number of devices per user. The number refers to registered devices per user and is not time sensitive. For example, if set to 1, the first device to register for a user will not require approval, but any new devices will. Completely deleting a device from the database and security record removes it from being considered in this calculation.
1
Optional: Addresses to notify when approval action is pending
This allows an Administrator to be notified when an approval action is required. The notification would include the User ID, Device ID, Device Type, and date of registration. The notification list can include users, groups and Mail-In DBs. The registering user will always receive a notification when a device registers and requires approval. The e-mail copy sent to the administrator includes a link to LotusTraveler.nsf.
Blank, which means no addresses
- Click the Comments tab, and specify or modify comments regarding this policy settings document.
- Click the Administrator tab, and enter or select the owners and administrators of this document.
- Click Save and Close.
- Add the settings document to either an existing or new policy document. For more information about policies, see the Policies topic in the latest Domino® Administrator section of this information center.
Note: The policy change is not pushed to affected user mail databases immediately. The admin process task performs this push operation periodically, every six hours by default. To update immediately, run the Domino® Console command tell adminp process traveler on the mail servers that are hosting users affected by the new policy.
Results
When a mobile device registers for the first time with the HCL Traveler server, the device settings match those from the administrator-defined policy. If no policy has been defined for the user, then the Default device preference and security setting values are used. After registration is complete, the mobile device settings are saved in the mail database of the user as a device profile. If the user later registers a new device, then its default settings come from the current effective policy, if any. Those settings are saved to unique device profiles in the mail database for the user.
Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked. If the policy administrator locks a setting or changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.