Creating an IBM Traveler policy settings document
Use the IBM Traveler policy settings document to define device preferences and security settings for syncing Domino® user mail database data with their mobile devices. IBM Traveler syncs mail, calendar, and address book data in real time, and on select devices such as Windows™ Mobile and Nokia, it also supports the synchronization of to-do and journal data.
About this task
To create an IBM Traveler policy settings document, follow these steps:
Procedure
- Make sure that you have Editor access to the IBM® Domino® directory and one of these roles:
- PolicyCreator role to create a settings document
- PolicyModifier role to modify a settings document
- From the Domino® Administrator client, click the People & Groups tab, and then open the Settings view.
- Click Add Settings, and choose IBM® Traveler.
- On the Basic tab, assign a name to the policy settings document and add a description.
- Complete these fields on the Preferences > Sync tab:
Important: The following settings do not apply to Apple devices.
Table 1. Sync preferences
Field | Action
Synchronize
Specify one or more PIM types to sync with the device: Email, calendar, to-do, contacts, or journal.
- For Windows™ Mobile devices, if either email or calendar are selected, both email and calendar sync.
- For Nokia devices, if either calendar or to-do are selected, both calendar and to-do sync.
- Complete these fields on the Preferences > Filter Settings tab:
Important: The following settings do not apply to Apple devices.
Table 2. Filter Settings preferences
Field | Action
Email Body Truncation
Click to enable the email body truncation filter. When enabled, you can select the maximum number of email characters, in thousands of characters, to sync to the device. Specify how many characters from the body of the email are synced to the device before the email is truncated.
Maximum Email Attachment Size Allowed - Administrator
Specify the maximum combined size of all attachments in a document, in KB, that can be synced to a device. This administrator setting is one that IBM® Notes® client users cannot change, and this setting is always locked.
Note: This setting only applies to the deprecated Windows Mobile and Symbian OS based Nokia devices. The IBM Traveler server no longer requires an artificial limit to be placed on attachment size for other devices.
Email Attachments
Click to enable attachments to sync with the device.
Email Attachment Size
Select the total combined size of attachments in a document, in KB, allowed to sync with the device. The value you specify cannot exceed the value in the Maximum Email Attachment Size Allowed - Administrator field.
Email Date Filter
Click to enable the email date filter, and select the number of days to keep a mail message on the device. If the filter is not enabled, all messages are synced.
Filter Limit
Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their IBM Traveler client.
Email Importance
Click to enable syncing for mail messages of high importance only.
Calendar Date Filter - Past Events/Future Events
Specify the date ranges of calendar events to sync. A repeating event is included when any of its instances are within a date range. All dates from a repeating entry display on the device calendar. When all instances of a calendar event fall outside the past event date range, it is removed from the device. Specify a date range for past events and one for future events as described below.
- Past Events -- click to enable the filter for past events. Select the length of time (how far into the past), calendar entries are to be synced. When the filter is not enabled, all past events sync.
- Future Events -- click to enable the filter for future events. Select the length of time (how far into the future), calendar entries are to be synced. When the filter is not enabled, all future events will sync.
Filter Limit
Administrative setting that enforces a maximum past/future event filter window for users that either disable the past/future event filter or select a value greater than this limit from their IBM Traveler client.
Journal Date Filter
Click to enable the journal date filter, and select the amount of time to keep a journal entry on the device. Entries are removed from the device when their modified date is older than the filter range.
Filter Limit
Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their IBM Traveler client.
ToDo Status
Select Incomplete Status Only to sync only to-dos that have a status of Incomplete.
- Complete these fields on the Preferences - Device Settings tab:
Important: The following settings do not apply to Apple devices.
Table 3. Device Settings preferences
Field | Action
Device Logging
Select On to enable device logging, or select Off to disable device logging.
Maximum Device Log File Size
Specify the maximum size, in KB, of the log file.
- From the Preferences - Security Settings tab, select the tab for your device (Windows™ Mobile, Nokia, or Apple), and configure its settings:
Note: If your Domino® directory template is version 8.5.2 or earlier, you will not see the tab used to define the security settings for Android devices. The user interface will be delivered in a future template version. However, for this situation, IBM Traveler is designed to pick up the security settings that have been defined for Apple devices in this Traveler Settings document and to apply those settings to Android devices. Note that Android devices only support a subset of the security policy features that Apple devices support. See Table 6 under the topic Default device preference and security setting values for a complete list of the Android device security policy capabilities.
Note: For Apple device security settings, the only possible Violation Action is Enforce.
Table 4. Apple Security Settings
Setting | Description | Default value
Require device password
Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered three or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Minimum number of complex characters
Smallest number of non-alphanumeric characters required. Range is 0-4 characters.
0
Auto lock period (maximum)
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
Number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
3
Wrong passwords before wiping device
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled
Prohibit unencrypted devices
When enabled, only devices that support onboard data encryption are allowed to sync with the IBM Traveler server.
Disabled
Prohibit camera
Disables the camera on the device.
Disabled
Prohibit devices incapable of security enablement
Prevents devices which cannot support remote wipe or security profiles from syncing with the IBM Traveler server. If left disabled, any devices without security support can sync data.
An Apple device is considered secured or unsecured by the level of the Exchange ActiveSync protocol it uses, and whether any of the enabled security settings are not supported by that protocol level. Protocol 2.5 level does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.
Disabled
Table 5. Default Preferences > Security Settings > IBM Verse
Setting | Description | Default value
Require application password
Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for: Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Password type
Sets the password type from the following options:
- Numeric
- Alphabetic
- Alphanumeric
- Complex
- Server
Disabled
Minimum letters
Smallest number of alphabetic characters allowed. Range is 0-64.
0
Minimum non-letters
Smallest number of non-alphabetic characters allowed. Range is 0-64.
0
Minimum uppercase
Smallest number of uppercase characters allowed. Range is 0-64.
0
Minimum lowercase
Smallest number of lowercase characters allowed. Range is 0-64.
0
Minimum numeric
Smallest number of numeric characters allowed. Range is 0-64.
0
Minimum symbols
Smallest number of symbol characters allowed. Range is 0-64.
0
Minimum password length
Smallest number of password characters allowed. Range is 4-64.
4
Auto lock period (maximum)
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
Number of days after which the device password must be changed. Range is 0-730 days.
0 days
Password history count
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit ascending, descending, and repeating sequences
Select to prohibit the use of ascending, descending, and repeating sequences
Disabled
Allow Touch ID
When enabled, and if the iOS device supports fingerprint recognition, users can unlock the IBM Verse application using Touch ID without having to enter their IBM Verse application password.
Disabled
Prohibit export of contacts to OS
Determines whether IBM Verse application can share its contacts with the device OS.
Disabled
Prohibit copy to clipboard
Select to disable the ability to copy IBM Verse application data to the device clipboard.
Disabled
Prohibit export of attachments
Select to disable the ability to export attachments from IBM Verse application.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download attachments from the IBM Verse application when they sync with the IBM Traveler server.
Disabled
Table 6. Android Security Settings
Setting | Description | Default value
Require device password
Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Require alphanumeric value, Minimum password length, Auto lock period, and Wrong passwords before wiping device.
Disabled
Password type
Sets the password type from the following options:
- Unrestricted
- Numeric
- Alphabetic
- Alphanumeric
- Complex (OS 3+ only)
Note: IBM Traveler lists the order of password types (top-to-bottom) as weakest to strongest. Unrestricted is the weakest, and allows any type of password, including fingerprint and pattern. Note that if you select Unrestricted as the Password type, then the Password length setting is no longer applicable.
Disabled
Require alphanumeric value
Require password to contain at least one alphabetic and one numeric character.
Disabled
Minimum password length
Minimum number of characters for the password.
4
Auto lock period (maximum)
Specifies the maximum setting for device inactivity time until the device locks due to inactivity.
30 minutes
Password history count (OS 3+ only)
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Prohibit unencrypted devices (OS 3+ only)
Select to only allow devices that are encrypted to sync with the IBM Traveler server.
Disabled
Password expiration period (OS 3+ only)
Number of days after which the device password must be changed. Range is 0-730 days.
0 days
Disable local password storage
Selecting this option will prevent the IBM Traveler password from being saved in application storage. Enabling this option will require the user to enter their IBM Traveler password whenever the IBM Traveler application service restarts, including at phone startup. IBM Traveler will not synchronize data until the password is entered.
Disabled
Wrong passwords before wiping device
Enables wiping of the device after a specified number of incorrect passwords are entered.
Disabled and 7 incorrect password attempts
Prohibit copy to clipboard
Select to disable the ability to copy IBM Traveler data to the device clipboard.
Disabled
Prohibit export of attachments to file system
Select to disable the ability to export attachments from IBM Traveler mail to the device's file system.
Disabled
Prohibit camera (OS 4+ only)
Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above.
Disabled
Require external domain validation
Enables a warning message when mail is sent from an IBM Traveler client (Android only) to a user who is not in a domain listed in the internal mail domains list. This option must be selected to use any of these sub-settings: Internal mail domains, Custom warning message, and Confirmation behavior.
Disabled
Internal mail domains
List of domains that do not require a confirmation warning message on the device when sending a mail. An "*" can be used as a wildcard. Separate entries with a "," or a ":"
(blank)
Custom warning message
By default, the IBM Traveler client will present the message "This mail contains external recipients." along with the external addresses to be confirmed. You can define a different message here; any message entered will not be translated and will be used regardless of the device's language.
(blank)
Confirmation behavior
Select "Notify" to present the user with a list of mail addresses with domains not included in the "Internal mail domains" list. The user can either continue sending the mail to all addresses or cancel.
Select "Confirm each external recipient" to present the user with a checkbox list of mail addresses with domains not included in the "Internal mail domains" list. The user can select the intended addresses and continue sending the mail to only the selected addresses or cancel.
Confirm each external recipient
Prohibit download of attachments
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.
Disabled
Prohibit devices incapable of security enablement
Prevents devices which cannot support remote wipe or security profiles from syncing with the IBM Traveler server.
Disabled
Note: For Windows™ Phone device security settings, the only possible Violation Action is Enforce. Settings defined here may also apply to Windows™ RT devices. See the IBM Traveler product documentation for important details about behavior regarding security policies on Windows™ RT.
Table 7. Default Preferences > Security Settings > Windows™ Phone
Setting | Description | Default value
Require device password
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum number of complex characters
Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4.
2
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Auto lock period (maximum)
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
The number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit unencrypted devices
When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.
Disabled
Note: For BlackBerry device security settings, the only possible Violation Action is Enforce.
Table 8. Default Preferences > Security Settings > BlackBerry
Setting | Description | Default value
Require device password
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.
The Violation Action of Enforce applies to all sub-settings for this field.
Disabled
Prohibit ascending, descending and repeating sequences
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.
Disabled
Require alphanumeric value
When enabled, both alphabetic characters and numbers are required in the password.
Disabled
Minimum number of complex characters
Smallest number of non-alphanumeric characters required. Range is 1-4 characters.
2
Minimum password length
Smallest number of password characters allowed. Range is 4-16.
4
Auto lock period (maximum)
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.
30 minutes
Password expiration period
The number of days after which the device password must be changed. Range is 0-730 days.
90 days
Password history
The number of unique passwords required before reuse of a password is allowed. Range is 0-50.
0
Wrong passwords before wiping device
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.
Disabled and 7 incorrect password attempts
Prohibit unencrypted devices
When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.
Disabled
Prohibit download of attachments
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.
Disabled
Note: Each of the security settings has a violation action that must be configured. If the local device security setting does not match the security policy, the violation action runs on the device.
Table 9. Violation action settings
Setting | Description
Report
If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the IBM Traveler server. The mobile device user is notified on the IBM Traveler status screen with a security lock icon and a message.
Disable Synchronization
If the setting is not compliant, the violation is reported to the IBM Traveler server and any further syncing or data exchange with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation.
Enforce
The IBM Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and to the mobile device user, and syncing is disabled until the violation is corrected.
Table 10. Device Access
Setting | Description | Default value
Require approval for device access
Selecting this setting will make all new devices able to register, but not sync data with IBM Traveler. The device will be in a locked state until approved by the Administrator.
Deselected
Number of devices to allow per user before approval is required
This setting allows the Administrator to auto approve a given number of devices per user. The number refers to registered devices per user and is not time sensitive. For example, if set to 1, the first device to register for a user will not require approval, but any new devices will. Completely deleting a device from the database and security record removes it from being considered in this calculation.
1
Optional: Addresses to notify when approval action is pending
This allows an Administrator to be notified when an approval action is required. The notification would include the User ID, Device ID, Device Type, and date of registration. The notification list can include users, groups and Mail-In DBs. The registering user will always receive a notification when a device registers and requires approval. The e-mail copy sent to the administrator includes a link to LotusTraveler.nsf.
Blank, which means no addresses
- Click the Comments tab, and specify or modify comments regarding this policy settings document.
- Click the Administrator tab, and enter or select the owners and administrators of this document.
- Click Save and Close.
- Add the settings document to either an existing or new policy document. For more information about policies, see the Policies topic in the latest Domino® Administrator section of this information center.
Note: The policy change is not pushed to affected user mail databases immediately. The admin process task performs this push operation periodically, every six hours by default. To update immediately, run the Domino® Console command tell adminp process traveler on the mail servers that are hosting users affected by the new policy.
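Before attaching the settings document to a policy, the Apple values can be checked against the ranges, the Require device password dependency and the protocol-level notes in Table 4. The following is an added example, not IBM code: the dictionary layout for a policy is an assumption, and so is the rule that a checkbox counts as active when True and a numeric setting when above zero.

```python
# Added example, not IBM code. Setting names, ranges, defaults and protocol
# notes come from Table 4; the dict layout for a policy is an assumption.
NUMERIC = {  # name: (minimum, maximum, default)
    "Minimum password length": (4, 16, 4),
    "Minimum number of complex characters": (0, 4, 0),
    "Auto lock period (maximum)": (1, 60, 30),
    "Password expiration period": (0, 730, 90),
    "Password history": (0, 50, 3),
}
CHECKBOX_SUBSETTINGS = {
    "Prohibit ascending, descending and repeating sequences",
    "Require alphanumeric value",
    "Wrong passwords before wiping device",
    "Prohibit unencrypted devices",
}
PARENT = "Require device password"
BLOCK = "Prohibit devices incapable of security enablement"
# Settings each Exchange ActiveSync protocol level does not support.
LACKS_12_0 = {"Prohibit unencrypted devices", "Prohibit camera",
              "Minimum number of complex characters"}
UNSUPPORTED = {
    "12.0": LACKS_12_0,
    "2.5": LACKS_12_0 | {
        "Prohibit ascending, descending and repeating sequences",
        "Password expiration period",
        "Password history",
    },
}


def range_errors(policy):
    """Numeric values that fall outside the documented range."""
    return [
        f"{name}={policy[name]} is outside {low}-{high}"
        for name, (low, high, _) in NUMERIC.items()
        if name in policy and not low <= policy[name] <= high
    ]


def ignored_subsettings(policy):
    """Sub-settings changed from their default while the parent is off."""
    if policy.get(PARENT):
        return []
    changed = [n for n, (_, _, d) in NUMERIC.items() if policy.get(n, d) != d]
    changed += [n for n in CHECKBOX_SUBSETTINGS if policy.get(n)]
    return sorted(changed)


def active_settings(policy):
    """Assumption: a checkbox is active when True, a number when above zero."""
    subs = set(NUMERIC) | CHECKBOX_SUBSETTINGS
    return {
        name for name, value in policy.items()
        if value and not (name in subs and not policy.get(PARENT))
    }


def unsecured_levels(policy):
    """Protocol levels treated as unsecured, with the settings they lack."""
    active = active_settings(policy)
    gaps = {lvl: sorted(active & lacks) for lvl, lacks in UNSUPPORTED.items()}
    return {lvl: names for lvl, names in gaps.items() if names}


def blocked_levels(policy):
    """Levels that can no longer sync once BLOCK is selected."""
    return sorted(unsecured_levels(policy)) if policy.get(BLOCK) else []


# Constructed sample policy for illustration.
SAMPLE = {PARENT: True, "Minimum password length": 6, "Password history": 3,
          "Password expiration period": 90, BLOCK: True}
```

For the constructed sample, devices at protocol level 2.5 are the only ones reported, because password expiration and password history are active and that level supports neither.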
Results
When a mobile device registers for the first time with the IBM Traveler server, the device settings match those from the administrator-defined policy. If no policy has been defined for the user, then the Default device preference and security setting values are used. After registration is complete, the mobile device settings are saved in the mail database of the user as a device profile. If the user later registers a new device, then its default settings come from the current effective policy, if any. Those settings are saved to unique device profiles in the mail database for the user.
Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked. If the policy administrator locks a setting or changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.
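The Require external domain validation settings in Table 6 depend on how the Internal mail domains value is written. The following added example (not IBM code) lists the recipients that would appear in the warning for a given value. It assumes that "*" matches any run of characters, that matching is case-insensitive, and that an address without "@" counts as external.

```python
# Added example, not IBM code. The matching rules below are assumptions; the
# page only states that "*" is a wildcard and that "," or ":" separate entries.
import re


def parse_internal_domains(field):
    """Split the field on "," or ":" and drop empty entries."""
    return [entry.strip() for entry in re.split(r"[,:]", field) if entry.strip()]


def _matches(domain, pattern):
    # Only "*" is a wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, domain, re.IGNORECASE) is not None


def external_recipients(recipients, field):
    """Addresses that would be listed in the warning, in original order."""
    patterns = parse_internal_domains(field)
    flagged = []
    for address in recipients:
        _, at, domain = address.strip().rpartition("@")
        if not at or not any(_matches(domain, p) for p in patterns):
            flagged.append(address)
    return flagged


def loose_patterns(field):
    """Entries whose wildcard is not bounded by a dot, such as "*example.com".

    Under the assumed matching these also cover look-alike domains, so no
    warning would be shown for them.
    """
    loose = []
    for pattern in parse_internal_domains(field):
        bounded = pattern.replace("*.", "").replace(".*", "")
        if "*" in bounded:
            loose.append(pattern)
    return loose


# Constructed sample values.
FIELD = "example.com, *.example.com:*partner.example"
RECIPIENTS = [
    "alice@example.com",
    "bob@mail.EXAMPLE.com",
    "carol@example.org",
    "dave@notpartner.example",
]
```

With the default blank value every recipient is listed, and in the constructed sample the entry "*partner.example" lets "notpartner.example" pass without a warning, which is the kind of entry `loose_patterns` reports.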