Default device preference and security setting values
The default device settings for users come from the IBM Traveler administration database default device settings document. Users can change their device preference settings from their devices, but only an IBM Traveler administrator can change device security settings. A Domino® policy containing IBM Traveler settings (a IBM Traveler Domino® policy) can be used to override the default device settings for individual users, groups, or organizations.
For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.
Setting | Description | Default value |
---|---|---|
Synchronize |
Specifies the IBM® Notes® items that should be synced to the IBM Traveler client. This setting only applies to Exchange ActiveSync devices when the setting is locked either in the IBM Traveler default settings or a Domino® Policy. |
All of the following are selected by default: Email, Calendar, ToDo, Contacts, and Journal.
|
Schedule |
Define peak synchronization schedule and modes of synchronization to use for peak and off-peak hours. |
The following options are selected by default:
|
Disable sync when battery low |
Select to prevent the IBM Traveler client from making non-user requested connections to the server while the battery is low. |
Enabled by default. |
Connect when roaming |
Select to allow the IBM Traveler client to operate as normal, regardless of whether or not the device is on a roaming network. Otherwise the client will be prevented from making non-user requested connections to the server while the device is roaming. |
Disabled by default. |
For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.
Setting | Description | Default value |
---|---|---|
Email Body Truncation |
Enables email body truncation. Characters beyond the default character value in the email body are truncated from the email body. |
Enabled and 5000 characters |
Maximum email Attachment Size Allowed - Administrator |
Specify the maximum combined size of all attachments in a document that can be synced to a
device. This size is an administrator setting that Notes®
client users cannot change. Note: This setting only applies to the deprecated Windows Mobile and
Symbian OS based Nokia devices. The IBM Traveler server no longer requires an artificial limit to be
placed on attachment size for other devices. |
4000 KB |
Email Attachments |
Enables automatic syncing of file attachments to the mobile device. For Android devices, this setting also controls the automatic syncing of embedded email images. For Apple devices, this setting has no impact. In order to disable attachments on Apple devices, you must set the Email Attachment Size to '0' kb. |
Disabled |
Email Attachment Size |
Automatically download file attachments smaller than this size. For Android devices, this setting also applies to embedded email images. |
100 KB |
Email Date Filter |
Enables filtering email by the number of days specified. |
Enabled and 5 days |
Filter Limit |
Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices. |
Unlimited |
High Importance Only |
Select High Importance Only to synchronize only high importance emails. |
Disabled |
Calendar Date Filter Past Events |
Enables filtering of past calendar events by the length of time specified. |
Enabled and 1 week |
Filter Limit |
Administrative setting that enforces a maximum past event filter window for users that either disable the past event filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices. |
Unlimited |
Calendar Date Filter Future Events |
Enables filtering of future calendar events by the length of time specified. |
Enabled and 3 months |
Filter Limit |
Administrative setting that enforces a maximum future event filter window for users that either disable the past event filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices. |
Unlimited |
Journal Date Filter |
Enables filtering of journal dates by the length of time specified. |
Enabled and 1 week |
Filter Limit |
Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their IBM Traveler client. |
Unlimited |
ToDo Status |
Enables display of only to do items with a status of incomplete |
Enabled |
Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked either in the default device preferences or a IBM Traveler policy. If the administrator changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.
For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.
Setting | Description | Default value |
---|---|---|
Device logging |
Turns device client logging on or off. |
Off |
Device Log File Size Maximum |
Sets the maximum log file size. |
2000 KB |
Always bcc myself |
For Android based devices, select to automatically add responder's mail address to the bcc list. |
Disabled |
Setting | Description | Default value |
---|---|---|
Require device password |
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Require alphanumeric value, Minimum password length, Auto lock period (maximum), Wrong passwords before wiping The Violation Action you select for this option applies to all sub-settings (except for Wrong passwords before wiping device - if you enable Wrong passwords before wiping device, then the violation action for Require device password must be Enforce). The default violation action is Report. |
Disabled |
Password type |
Sets the password type from the following options:
Note: IBM Traveler lists the order of password types (top-to-bottom) as weakest to strongest.
Unrestricted is the weakest, and allows any type of password, including
fingerprint and pattern. Note that if you select Unrestricted as the
Password type, then the Password length setting is no
longer applicable. |
Disabled |
Minimum password length |
Smallest number of password characters allowed. Range is 4-64. |
4 |
Auto lock period (maximum) |
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes. |
30 minutes |
Allow only approved applications to access attachments |
Selecting this option enforces that attachments synced to the device can only be viewed by applications that are defined in the Approved Application list. |
Disabled |
Password expiration period (OS 3+ only) |
Number of days after which the device password must be changed. Range is 0-730 days. |
0 days |
Password history count (OS 3+ only) |
The number of unique passwords required before reuse of a password is allowed. Range is 0-50. |
0 |
Wrong passwords before wiping device |
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur. |
Disabled and 7 incorrect password attempts |
Prohibit unencrypted devices (OS 3+ only) |
Select to only allow devices that are encrypted to sync with the IBM Traveler server. |
Disabled |
Require application password |
Select to require users to enter their IBM Traveler password to access their IBM Traveler client application and its data. |
Disabled |
Disable local password storage |
Selecting this option will prevent the IBM Traveler password from being saved in application storage. Enabling this option will require the user to enter their IBM Traveler password whenever the IBM Traveler application service restarts, including at phone startup. IBM Traveler will not synchronize data until the password is entered. |
Disabled |
Prohibit copy to clipboard |
Select to disable the ability to copy IBM Traveler data to the device clipboard. |
Disabled |
Prohibit export of attachments to file system |
Select to disable the ability to export attachments from IBM Traveler mail to the device's file system. |
Disabled |
Prohibit camera (OS 4+ only) |
Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above. |
Disabled |
Require external mail domain validation |
Enables a warning message requiring users to confirm that external mail addresses are correct when mail composed on the device is addressed to a user in a domain that is not included in the "Internal mail domains" list. |
Disabled |
Prohibit export of calendar to OS |
Determines whether IBM Traveler can share its calendar information with the device OS. |
Enabled |
Prohibit export of contacts to OS |
Determines whether IBM Traveler can share its contacts with the device OS. |
Disabled |
Prohibit devices incapable of security enablement |
Prevents all devices which do not have the required security features from syncing with the IBM Traveler server. If set to disabled, all devices, with and without security features, can sync data. IBM Traveler uses the Device Administrator feature added in Android 2.2. In order to enable this feature, the end user must agree to enable the device administrator on the device. If this checkbox is checked, Android devices with an OS version less than 2.2 will not allowed. In addition, Android OS 2.2 devices where the end user has not enabled the device administrator profile for IBM® Traveler will not be allowed. |
Disabled |
Prohibit download of attachments |
When enabled, devices will not be able to download attachments from all IBM Traveler applications when they sync with the IBM Traveler server. |
Disabled |
Prohibit use of untrusted certificates |
When enabled, devices using untrusted certificates will not be able to sync with IBM Traveler. |
Disabled |
Setting | Description | Default value |
---|---|---|
Require device password |
Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices. The Violation Action of Enforce applies to all sub-settings for this field. |
Disabled |
Prohibit ascending, descending and repeating sequences |
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters. |
Disabled |
Require alphanumeric value |
When enabled, both alphabetic characters and numbers are required in the password. |
Disabled |
Minimum password length |
Smallest number of password characters allowed. Range is 4-16. |
4 |
Minimum number of complex characters |
Smallest number of non-alphanumeric characters required. Range is 0-4 characters. |
0 |
Allow only approved applications and built-in viewers to access attachments |
Selecting this option enforces that attachments synced to the device can only be viewed by built-in viewers using IBM Traveler Companion or the IBM Traveler To Do application. Additional mobile applications are allowed to open attachments synced by IBM Traveler only if they are defined in the Approved Application list. |
Disabled |
Auto lock period (maximum) |
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes. |
30 minutes |
Password expiration period |
Number of days after which the device password must be changed. Range is 0-730 days. |
90 days |
Password history |
The number of unique passwords required before reuse of a password is allowed. Range is 0-50. |
0 |
Wrong passwords before wiping device |
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur. |
Disabled and 7 incorrect password attempts |
Prohibit unencrypted devices |
When enabled, only devices that support onboard data encryption are allowed to sync with the IBM Traveler server. |
Disabled |
Prohibit camera |
Disables the camera on the device. |
Disabled |
Prohibit devices incapable of security enablement |
Prohibit devices incapable of security enablement. Prevents all devices which do not have the required security features from syncing with the IBM Traveler server. If set to "disabled", all devices, with and without security features, can sync data. However, as many of the security features as possible will still be enforced on every device. The security features that a device includes depends on the version of the Exchange ActiveSync protocol that the device has implemented. Apple OS 2 devices implement Exchange ActiveSync 2.5. Apple OS 3 and iOS4 devices implement Exchange ActiveSync 12.1. Other, non-supported Exchange ActiveSync devices may have implemented Exchange ActiveSync 12.0. Exchange ActiveSync 2.5 does not include "Prohibit unencrypted devices", "Prohibit camera", "Minimum number of complex characters", "Prohibit ascending, descending and repeating sequences", "Password expiration period", or "Password history count". Exchange ActiveSync 12.0 does not include "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters". Exchange ActiveSync 12.1 includes all of the settings available through IBM Traveler. A device is considered "unsecured" if any of the security features it does not include are enabled in the security policy. |
Disabled |
Prohibit download of attachments |
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server. |
Disabled |
Setting | Description | Default value |
---|---|---|
Require application password |
Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for: Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments. The Violation Action of Enforce applies to all sub-settings for this field. |
Disabled |
Password type |
Sets the password type from the following options:
|
Disabled |
Minimum letters |
Smallest number of alphabetic characters allowed. Range is 0-64. |
0 |
Minimum non-letters |
Smallest number of non-alphabetic characters allowed. Range is 0-64. |
0 |
Minimum uppercase |
Smallest number of uppercase characters allowed. Range is 0-64. |
0 |
Minimum lowercase |
Smallest number of lowercase characters allowed. Range is 0-64. |
0 |
Minimum numeric |
Smallest number of numeric characters allowed. Range is 0-64. |
0 |
Minimum symbols |
Smallest number of symbol characters allowed. Range is 0-64. |
0 |
Minimum password length |
Smallest number of password characters allowed. Range is 4-64. |
4 |
Auto lock period (maximum) |
Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes. |
30 minutes |
Password expiration period |
Number of days after which the device password must be changed. Range is 0-730 days. |
0 days |
Password history count |
The number of unique passwords required before reuse of a password is allowed. Range is 0-50. |
0 |
Wrong passwords before wiping device |
Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur. |
Disabled and 7 incorrect password attempts |
Prohibit ascending, descending, and repeating sequences |
Select to prohibit the use of ascending, descending, and repeating sequences |
Disabled |
Allow Touch ID |
When enabled, and if the iOS device supports fingerprint recognition, users can unlock the IBM Verse application using Touch ID without having to enter their IBM Verse application password. |
Disabled |
Prohibit export of contacts to OS |
Determines whether IBM Verse application can share its contacts with the device OS. |
Disabled |
Prohibit copy to clipboard |
Select to disable the ability to copy IBM Verse application data to the device clipboard. |
Disabled |
Prohibit export of attachments |
Select to disable the ability to export attachments from IBM Verse application. |
Disabled |
Prohibit download of attachments |
When enabled, devices will not be able to download attachments from the IBM Verse application when they sync with the IBM Traveler server. |
Disabled |
Setting | Description | Default value |
---|---|---|
Require device password |
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments. The Violation Action of Enforce applies to all sub-settings for this field. |
Disabled |
Prohibit ascending, descending and repeating sequences |
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters. |
Disabled |
Require alphanumeric value |
When enabled, both alphabetic characters and numbers are required in the password. |
Disabled |
Minimum number of complex characters |
Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4. |
2 |
Minimum password length |
Smallest number of password characters allowed. Range is 4-16. |
4 |
Auto lock period (maximum) |
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes. |
30 minutes |
Password expiration period |
The number of days after which the device password must be changed. Range is 0-730 days. |
90 days |
Password history |
The number of unique passwords required before reuse of a password is allowed. Range is 0-50. |
0 |
Wrong passwords before wiping device |
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur. |
Disabled and 7 incorrect password attempts |
Prohibit unencrypted devices |
When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server. |
Disabled |
Prohibit download of attachments |
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server. |
Disabled |
Setting | Description | Default value |
---|---|---|
Require device password |
Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments. The Violation Action of Enforce applies to all sub-settings for this field. |
Disabled |
Prohibit ascending, descending and repeating sequences |
Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters. |
Disabled |
Require alphanumeric value |
When enabled, both alphabetic characters and numbers are required in the password. |
Disabled |
Minimum number of complex characters |
Smallest number of non-alphanumeric characters required. Range is 1-4 characters. |
2 |
Minimum password length |
Smallest number of password characters allowed. Range is 4-16. |
4 |
Auto lock period (maximum) |
The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes. |
30 minutes |
Password expiration period |
The number of days after which the device password must be changed. Range is 0-730 days. |
90 days |
Password history |
The number of unique passwords required before reuse of a password is allowed. Range is 0-50. |
0 |
Wrong passwords before wiping device |
Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur. |
Disabled and 7 incorrect password attempts |
Prohibit unencrypted devices |
When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server. |
Disabled |
Prohibit download of attachments |
When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server. |
Disabled |
Setting | Description |
---|---|
Report |
If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the IBM Traveler server. The mobile device user is notified on the IBM Traveler status screen with a security lock icon and a message. |
Disable Synchronization |
If the setting is not compliant, the violation is reported to the IBM Traveler server and any further syncing with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation. |
Enforce |
The IBM Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and syncing is disabled on the mobile device until the violation is corrected. |
Setting | Description | Default value |
---|---|---|
Include users |
The names of users or groups to which the default device preference settings apply. |
Blank, which means all users. To specify all members of a branch of a hierarchical name tree, use an asterisk (*) followed by a forward slash and certifier name, for example, */Sales/Acme. |
Exclude users |
The names of users or groups to which the default device preference settings do not apply. |
Blank, which means no users. Use an asterisk (*) to indicate all users. To specify all members of a branch of a hierarchical name tree, use an asterisk followed by a forward slash and certifier name, for example, */Sales/Acme. |
Setting | Description | Default value |
---|---|---|
Require approval for device access |
Selecting this setting will make all new devices able to register, but not sync data with IBM Traveler. The device will be in a locked state until approved by the Administrator. |
Deselected |
Number of devices to allow per user before approval is required |
This setting allows the Administrator to
auto approve a given number of devices per user. The number refers
to registered devices per user and is not time sensitive. For example
if set to |
1 |
Optional: Addresses to notify when approval action is pending |
This allows an Administrator to be notified
when an approval action is required. The notification would include
the User ID, Device ID, Device Type, and date of registration. The
notification list can include users, groups and Mail-In DBs. The registering
user will always receive a notification when a device registers and
requires approval. The e-mail copy sent to the administrator includes
a link to |
Blank, which means no addresses |