Creating an IBM Traveler policy settings document

Use the IBM Traveler policy settings document to define device preferences and security settings for syncing Domino® user mail database data with their mobile devices. IBM Traveler syncs mail, calendar, and address book data in real time, and on select devices such as Windows Mobile and Nokia, it also supports the synchronization of to-do and journal data.

About this task

Note: To take advantage of the latest settings, the template of the address book on the Domino Administration server should be updated to an updated IBM Domino 9 template. This version includes security settings for Windows Phone and Blackberry security settings. For information on the updated IBM Domino 9 template, see this document.

To create a IBM Traveler policy settings document, follow these steps:

Procedure

  1. Make sure that you have Editor access to the IBM® Domino® directory and one of these roles:
    • PolicyCreator role to create a settings document
    • PolicyModifier role to modify a settings document
  2. From the Domino® Administrator client, click the People & Groups tab, and then open the Settings view.
  3. Click Add Settings, and choose IBM® Traveler.
  4. On the Basic tab, assign a name to the policy settings document and add a description.
  5. Complete these fields on the Preferences > Sync tab:
    Important: The following settings do not apply to Apple devices.
    Table 1. Sync preferences
    Field Action

    Synchronize

    Specify one or more PIM types to sync with the device: Email, calendar, to-do, contacts, or journal.

    • For Windows Mobile devices, if either email or calendar are selected, both email and calendar sync.
    • For Nokia devices, if either calendar or to-do are selected, both calendar and to-do sync.
  6. Complete these fields on the Preferences > Filter Settings tab:
    Important: The following settings do not apply to Apple devices.
    Table 2. Filter Settings preferences
    Field Action

    Email Body Truncation

    Click to enable the email body truncation filter. When enabled, you can select the maximum number of email characters, in thousands of characters, to sync to the device. Specify how many characters from the body of the email are synced to the device before the email is truncated.

    Maximum email Attachment Size Allowed - Administrator

    Specify the maximum combined size of all attachments in a document, in KB, that can be synced to a device. This administrator setting is one that IBM® Notes® client users cannot change, and this setting is always locked.
    Note: This setting only applies to the deprecated Windows Mobile and Symbian OS based Nokia devices. The IBM Traveler server no longer requires an artificial limit to be placed on attachment size for other devices.

    Email Attachments

    Click to enable attachments to sync with the device.

    Email Attachment Size

    Select the total combined size of attachments in a document, in KB, allowed to sync with the device. The value you specify cannot exceed the value in the Maximum Email Attachment Size Allowed - Administrator field.

    Email Date Filter

    Click to enable the email data filter, and select the number of days to keep a mail message on the device. If the filter is not enabled, all messages are synced.

    Filter Limit

    Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their IBM Traveler client.

    Email Importance

    Click to enable syncing for mail messages of high importance only.

    Calendar Date Filter - Past Events/Future Events

    Specify the date ranges of calendar events to sync. A repeating event is included when any of its instances are within a date range. All dates from a repeating entry display on the device calendar. When all instances of a calendar event fall outside the past event date range, it is removed from the device. Specify a date range for past events and one for future events as described below.

    • Past Events -- click to enable the filter for past events. Select the length of time (how far into the past), calendar entries are to be synced. When the filter is not enabled, all past events sync.
    • Future Events -- click to enable the filter for future events. Select the length of time (how far into the future), calendar entries are to be synced. When the filter is not enabled, all future events will sync.

    Filter Limit

    Administrative setting that enforces a maximum past/future event filter window for users that either disable the past/future event filter or select a value greater than this limit from their IBM Traveler client.

    Journal Date Filter

    Click to enable the journal date filter, and select the amount of time to keep a journal entry on the device. Entries are removed from the device when their modified date is older than the filter range.

    Filter Limit

    Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their IBM Traveler client.

    ToDo Status

    Select Incomplete Status Only to sync only to-dos that have a status of Incomplete.

  7. Complete these fields on the Preferences - Device Settings tab:
    Important: The following settings do not apply to Apple devices.
    Table 3. Device Settings preferences
    Field Action

    Device Logging

    Select On to enable device logging, or select Off to disable device logging.

    Maximum Device Log File Size

    Specify the maximum size, in KB, of the log file.

  8. From the Preferences - Security Settings tab, select the tab for your device (Windows Mobile, Nokia, or Apple), and configure its settings:
    Note: If your Domino® directory template is version 8.5.2 or earlier, you will not see the tab used to define the security settings for Android devices. The user interface will be delivered in a future template version. However, for this situation, IBM Traveler is designed to pick up the security settings that have been defined for Apple devices in this Traveler Settings document and to apply those settings to Android devices. Note that Android devices only support a subset of the security policy features that Apple devices support. See Table 6 under the topic Default device preference and security setting values for a complete list of the Android device security policy capabilities.
    Note: For Apple device security settings, the only possible Violation Action is Enforce.
    Table 4. Apple Security Settings
    Setting Description Default value

    Require device password

    Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered three or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Minimum number of complex characters

    Smallest number of non-alphanumeric characters required. Range is 0-4 characters.

    0

    Auto lock period (maximum)

    Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    Number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    3

    Wrong passwords before wiping device

    Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled

    Prohibit unencrypted devices

    When enabled, only devices that support onboard data encryption are allowed to sync with the IBM Traveler server.

    Disabled

    Prohibit camera

    Disables the camera on the device.

    Disabled

    Prohibit devices incapable of security enablement

    Prevents devices which cannot support remote wipe or security profiles from syncing with the IBM Traveler server. If left disabled, any devices without security support can sync data.

    An Apple device is considered secured or unsecured by the level of the Exchange ActiveSync protocol it uses, and whether any of the enabled security settings are not supported by that protocol level. Protocol 2.5 level does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".

    Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

    Disabled

    Table 5. Default Preferences > Security Settings > IBM Verse
    Setting Description Default value

    Require application password

    Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for:  Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Password type

    Sets the password type from the following options:
    • Numeric
    • Alphabetic
    • Alphanumeric
    • Complex
    • Server

    Disabled

    Minimum letters

    Smallest number of alphabetic characters allowed. Range is 0-64.

    0

    Minimum non-letters

    Smallest number of non-alphabetic characters allowed. Range is 0-64.

    0

    Minimum uppercase

    Smallest number of uppercase characters allowed. Range is 0-64.

    0

    Minimum lowercase

    Smallest number of lowercase characters allowed. Range is 0-64.

    0

    Minimum numeric

    Smallest number of numeric characters allowed. Range is 0-64.

    0

    Minimum symbols

    Smallest number of symbol characters allowed. Range is 0-64.

    0

    Minimum password length

    Smallest number of password characters allowed. Range is 4-64.

    4

    Auto lock period (maximum)

    Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    Number of days after which the device password must be changed. Range is 0-730 days.

    0 days

    Password history count

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit ascending, descending, and repeating sequences

    Select to prohibit the use of  ascending, descending, and repeating sequences

    Disabled

    Allow Touch ID

    When enabled, and if the iOS device supports fingerprint recognition, users can unlock the IBM Verse application using Touch ID without having to enter their IBM Verse application password.

    Disabled

    Prohibit export of contacts to OS

    Determines whether IBM Verse application can share its contacts with the device OS.

    Disabled

    Prohibit copy to clipboard

    Select to disable the ability to copy IBM Verse application data to the device clipboard.

    Disabled

    Prohibit export of attachments

    Select to disable the ability to export attachments from IBM Verse application.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download attachments from the IBM Verse application when they sync with the IBM Traveler server.

    Disabled

    Table 6. Android Security Settings
    Setting Description Default value

    Require device password

    Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Require alphanumeric value, Minimum password length, Auto lock period, and Wrong passwords before wiping device.

    Disabled

    Password type

    Sets the password type from the following options:
    • Unrestricted
    • Numeric
    • Alphabetic
    • Alphanumeric
    • Complex (OS 3+ only)
    Note: IBM Traveler lists the order of password types (top-to-bottom) as weakest to strongest. Unrestricted is the weakest, and allows any type of password, including fingerprint and pattern. Note that if you select Unrestricted as the Password type, then the Password length setting is no longer applicable.

    Disabled

    Require alphanumeric value

    Require password to contain at least one alphabetic and one numeric character.

    Disabled

    Minimum password length

    Minimum number of characters for the password.

    4

    Auto lock period (maximum)

    Specifies the maximum setting for device inactivity time until the device locks due to inactivity.

    30 minutes

    Password history count (OS 3+ only)

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Prohibit unencrypted devices (OS 3+ only)

    Select to only allow devices that are encrypted to sync with the IBM Traveler server.

    Disabled

    Password expiration period (OS 3+ only)

    Number of days after which the device password must be changed. Range is 0-730 days.

    0 days

    Disable local password storage

    Selecting this option will prevent the IBM Traveler password from being saved in application storage. Enabling this option will require the user to enter their IBM Traveler password whenever the IBM Traveler application service restarts, including at phone startup. IBM Traveler will not synchronize data until the password is entered.

    Disabled

    Wrong passwords before wiping device

    Enables wiping of the device after a specified number of incorrect passwords are entered.

    Disabled and 7 incorrect password attempts

    Prohibit copy to clipboard

    Select to disable the ability to copy IBM Traveler data to the device clipboard.

    Disabled

    Prohibit export of attachments to file system

    Select to disable the ability to export attachments from IBM Traveler mail to the device's file system.

    Disabled

    Prohibit camera (OS 4+ only)

    Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above.

    Disabled

    Require external domain validation

    Enables a warning message when sending mail to a user from a IBM Traveler client (Android only) not in a domain listed in the internal mail domains list. This option must be selected to use any of these sub-settings: Internal mail domains, Custom warning message, and Confirmation behavior.

    Disabled

    Internal mail domains

    List of domains that do not require a confirmation warning message on the device when sending a mail. An "*" can be used as a wildcard. Separate entries with a "," or a ":"

    (blank)

    Custom warning message

    By default, the IBM Traveler client will present the message "This mail contains external recipients." along with the external addresses to be confirmed. You can define a different message here; any message entered will not be translated and will be used regardless of the device's language.

    (blank)

    Confirmation behavior

    Select "Notify" to present the user with a list of mail addresses with domains not included in the "Internal mail domains" list. The user can either continue sending the mail to all addresses or cancel.

    Select "Confirm each external recipient" to present the user with a checkbox list of mail addresses with domains not included in the "Internal mail domains" list. The user can select the intended addresses and continue sending the mail to only the selected addresses or cancel.

    Confirm each external recipient

    Prohibit download of attachments

    When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

    Disabled

    Prohibit devices incapable of security enablement

    Prevents devices which cannot support remote wipe or security profiles from syncing with the IBM Traveler server.

    Disabled

    Note: For Windows Phone device security settings, the only possible Violation Action is Enforce. Settings defined here may also apply to Windows RT devices. See the IBM Traveler product documentation for important details about behavior regarding security policies on Windows RT.
    Table 7. Default Preferences > Security Settings > Windows Phone
    Setting Description Default value

    Require device password

    Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum number of complex characters

    Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4.

    2

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Auto lock period (maximum)

    The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    The number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit unencrypted devices

    When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

    Disabled

    Note: For BlackBerry device security settings, the only possible Violation Action is Enforce.
    Table 8. Default Preferences > Security Settings > BlackBerry
    Setting Description Default value

    Require device password

    Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

    The Violation Action of Enforce applies to all sub-settings for this field.

    Disabled

    Prohibit ascending, descending and repeating sequences

    Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

    Disabled

    Require alphanumeric value

    When enabled, both alphabetic characters and numbers are required in the password.

    Disabled

    Minimum number of complex characters

    Smallest number of non-alphanumeric characters required. Range is 1-4 characters.

    2

    Minimum password length

    Smallest number of password characters allowed. Range is 4-16.

    4

    Auto lock period (maximum)

    The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

    30 minutes

    Password expiration period

    The number of days after which the device password must be changed. Range is 0-730 days.

    90 days

    Password history

    The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

    0

    Wrong passwords before wiping device

    Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

    Disabled and 7 incorrect password attempts

    Prohibit unencrypted devices

    When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.

    Disabled

    Prohibit download of attachments

    When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

    Disabled

    Note: Each of the security settings have a violation action that must be configured. If the local device security setting does not match the security policy, the violation action runs on the device.
    Table 9. Violation action settings
    Setting Description

    Report

    If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the IBM Traveler server. The mobile device user is notified on the IBM Traveler status screen with a security lock icon and a message.

    Disable Synchronization

    If the setting is not compliant, the violation is reported to the IBM Traveler server and any further syncing or data exchange with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation.

    Enforce

    The IBM Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and the mobile device user and syncing is disabled until the violation is corrected.

    Table 10. Device Access
    Setting Description Default value

    Require approval for device access

    Selecting this setting will make all new devices able to register, but not sync data with IBM Traveler. The device will be in a locked state until approved by the Administrator.

    Deselected

    Number of devices to allow per user before approval is required

    This setting allows the Administrator to auto approve a given number of devices per user. The number refers to registered devices per user and is not time sensitive. For example if set to 1, the first device to register for a user will not require approval, but any new devices will. Completely deleting a device from the database and security record removes it from being considered in this calculation.

    1

    Optional: Addresses to notify when approval action is pending

    This allows an Administrator to be notified when an approval action is required. The notification would include the User ID, Device ID, Device Type, and date of registration. The notification list can include users, groups and Mail-In DBs. The registering user will always receive a notification when a device registers and requires approval. The e-mail copy sent to the administrator includes a link to LotusTraveler.nsf.

    Blank, which means no addresses

  9. Click the Comments tab, and specify or modify comments regarding this policy settings document.
  10. Click the Administrator tab, and enter or select the owners and administrators of this document.
  11. Click Save and Close.
  12. Add the settings document to either an existing or new policy document. For more information about policies, see the Policies topic in the latest Domino® Administrator section of this information center.
    Note: The policy change is not pushed to affected user mail databases immediately. The admin process task performs this push operation periodically, every six hours by default. To update immediately, run the Domino® Console command tell adminp process traveler on the mail servers that are hosting users affected by the new policy.

Results

When a mobile device registers for the first time with the IBM Traveler server, the device settings match those from the administrator-defined policy. If no policy has been defined for the user, then the Default device preference and security setting values are used. After registration is complete, the mobile device settings are saved in the mail database of the user as a device profile. If the user later registers a new device, then its default settings come from the current effective policy, if any. Those settings are saved to unique device profiles in the mail database for the user.

Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked. If the policy administrator locks a setting or changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.

Note: Any settings not included in the Domino® policy (either because the Domino® policy template is downlevel or the Don't set value option has been selected for the How to apply setting in the Domino® Policy) get their value from those defined in the Default device preference and security setting values. For example, scheduled sync, filter limits, and new Android security settings.
Note: IBM Traveler defined device security settings apply to Apple devices. However, the device preference settings (Sync settings, filter settings, and device settings) do not apply to Apple devices.