Restricting access by device category

An administrator can restrict access to devices that do not support device security using IBM Traveler or devices by their user agent value.

The setting Prohibit devices incapable of security enablement can be enacted by device category (Windows™ Mobile, Nokia, or Apple) to prevent devices that do not support security enablement from syncing with IBM Traveler. Security enablement includes the ability of IBM® Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® IBM® Traveler policy settings document (described in Creating an IBM Traveler policy settings document).

The meaning of 'Prohibit devices....' differs by device category:

Window Mobile: Enabling Prohibit devices incapable of security enablement prevents Windows™ Mobile devices running a IBM Traveler client before IBM Traveler 8.5 from syncing with the IBM Traveler server. Clients before 8.5 do not support remote wipe or the IBM® Traveler device security settings.
Nokia: Enabling Prohibit devices incapable of security enablement prevents Nokia devices meeting the following criteria from syncing with the IBM® Traveler server:
- Nokia devices running a IBM Traveler client before IBM Traveler 8.5.1
- Nokia devices that do not support the Nokia security application
- Nokia devices that do support the Nokia security application but do not have it installed
Apple: Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.
Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
For example, if you enable Require device password and Prohibit unencrypted devices then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the IBM® Traveler server.
Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting the following criteria from syncing with the IBM Traveler server:
- Devices with Android OS level less that 2.2
- Devices where the user has not enabled the Device Administrator when prompted

When a device is unable to sync with the server due to Prohibit device incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the LotusTraveler.nsf device security view and device document Access field.

The following expressions in the IBM Traveler notes.ini file define which devices can be restricted from syncing with IBM Traveler by user agent value or Exchange ActiveSync protocol level:

You can use simplified flags in the notes.ini for the various device types supported by IBM Traveler, to determine which ones can sync. Examples include:

Table 1.
notes.ini value	Description
NTS_USER_AGENT_ALLOWED_ANDROID=true	IBM Verse for Android or IBM Notes Traveler for Android.
NTS_USER_AGENT_ALLOWED_APPLE=true	Apple iOS built in mail client.
NTS_USER_AGENT_ALLOWED_BB=true	BlackBerry 10 built in mail client.
NTS_USER_AGENT_ALLOWED_IBM_APPLE=true	IBM Verse for iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only.
NTS_USER_AGENT_ALLOWED_MAAS360_ANDROID=true	MaaS360 Secure Mail client on Android. Note: Applies to IBM Traveler 9.0.1.3 and later servers only.
NTS_USER_AGENT_ALLOWED_MAAS360_APPLE=true	MaaS360 Secure Mail client on Apple iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only.
NTS_USER_AGENT_ALLOWED_MAAS360_WINPHONE=true	MaaS360 Secure Mail client on Microsoft Windows Phone. Note: Applies to IBM Traveler 9.0.1.3 and later servers only.
NTS_USER_AGENT_ALLOWED_NOKIA=true	IBM Lotus Notes Traveler for Nokia.
NTS_USER_AGENT_ALLOWED_WM=true	IBM Lotus Notes Traveler for Windows Mobile.
NTS_USER_AGENT_ALLOWED_WINPHONE=true	Microsoft Windows Phone built in mail client, all OS levels.
NTS_USER_AGENT_ALLOWED_WINPHONE_10=true	Microsoft Windows Phone 10 built in mail client. Note: For Windows 10 Mobile devices, the first check will be run against `NTS_USER_AGENT_ALLOWED_WINPHONE`, as that applies to all Windows Phone devices (including Windows 10 Mobile). If that check passes, then `NTS_USER_AGENT_ALLOWED_WINPHONE_10` is checked next. This means Windows 10 Mobile devices must pass both checks.
NTS_USER_AGENT_ALLOWED_WINPC=true	Microsoft Windows Pro Tablet built in mail client.
NTS_USER_AGENT_ALLOWED_WINTABLET_RT=true	Microsoft Windows RT Tablet built in mail client.
NTS_USER_AGENT_ALLOWED_REGEX=.*	Used for finer grained control based on user agents of connecting client agents.

Note: IBM supported devices use on their own specific notes.ini values, listed above. Everything else is governed by NTS_USER_AGENT_ALLOWED_REGEX. NTS_USER_AGENT_ALLOWED_REGEX is checked after the device types defined above, and is used only if the command doesn't correspond to one of the known device types. NTS_USER_AGENT_ALLOWED_REGEX is the regular expression for

User-Agent
HTTP

headers that are allowed to sync data. The default is ".*", which allows all devices to sync.

NTS_USER_AGENT_ALLOWED_REGEX=.*

The following tables list user agents by device for 8.5.3, 8.5.2, and pre-8.5.2 IBM Traveler clients. Windows Mobile® and Nokia user agents change with each new IBM Traveler release. Apple, however, updates their user agent values with each OS update. As a result, there are many more variations of Apple user agents than for Windows Mobile® or Nokia.

Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the IBM Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log

Note: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.

Table 2. Android IBM Traveler user agents
Release	User agent
IBM Traveler 9.0.0	`Lotus Traveler Android 9.0`
Lotus Notes® Traveler 8.5.3	`Lotus Traveler Android 8.5.3`
Lotus Notes® Traveler 8.5.2	`Lotus Traveler Android 8.5.2.1`

Table 3. Apple IBM Traveler user agents
Device	User agent
IBM Verse for iPhone	`Traveler-iOS-iPhone/9.1.2.20150514`
IBM Verse for iPad	`Traveler-iOS-iPad/9.2.0.20150616`
Apple iPhone (OS 9)	`Apple-iPhone7C2/1301.344`
Apple iPhone (OS 8)	`Apple-iPhone7C2/1202.466`
Apple iPhone (OS 7.1)	`Apple-iPhone6C2/1104.169`
Apple iPhone (OS 7)	`Apple-iPhone4C1/1104.257`
Apple iPhone (OS 6)	`Apple-iPhone5C2/1001.525`
Apple iPhone (OS 5)	`Apple-iPhone3C3/902.206`
Apple iPhone (OS 4)	`Apple-iPhone2C1/801.306`
Apple iPhone (OS 3.1.2)	`Apple-iPhone/704.11`
Apple iPhone (OS 3.0)	`Apple-iPhone/701.341`
Apple iPhone (OS 2)	`Apple-iPhone/508.11`
Apple iPad (OS 9)	`Apple-iPad4C2/1301.344`
Apple iPad (OS 8)	`Apple-iPad4C2/1201.405`
Apple iPad (OS 7.1)	`Apple-iPad4C1/1104.167`
Apple iPad (OS 7)	`Apple-iPad4C1/1104.201`
Apple iPad (OS 6)	`Apple-iPad3C1/1001.523`
Apple iPad (OS 3)	`Apple-iPad/702.367`
Apple iPod (OS 2)	`Apple-iPod/508.110001`
Traveler Companion	`TravelerCompanion/2.0.2 CFNetwork/485.12.7 Darwin/10.4.0`
Traveler To Do	`TravelerToDo/8.5.4.201210312104 CFNetwork/548.1.4 Darwin/11.0.`0

Table 4. Nokia Series 60 and Symbian^3 IBM Traveler user agents
Release	User agent
Lotus Notes® Traveler 8.5.3	`Lotus Notes Traveler Nokia 8.5.3.0`
Lotus Notes® Traveler 8.5.2	`Lotus Notes Traveler Nokia 8.5.2.0`
Lotus Notes® Traveler pre-8.5.2	`SyncML HTTP Client`

Table 5. Windows™ Mobile IBM Traveler user agents
Release	User agent
Lotus Notes® Traveler 8.5.3	`Lotus Notes Traveler WM 8.5.3.0`
Lotus Notes® Traveler 8.5.2	`Lotus Notes Traveler WM 8.5.2.0`
Lotus Notes® Traveler pre-8.5.2	`IBM SyncML Client`

Table 6. Windows™ Phone IBM Traveler user agents
Device	User agent
Windows™ 10 Mobile	`MSFT-WIN-4/10.0.10581`
Windows™ Phone 8.0	`MSFT-WP/8.0`
Windows™ Phone 7.8	`MSFT-WP/7.10.8853`
Windows™ Phone 7.5	`MSFT-WP/7.10.8773`
IBM Traveler Companion 1.1.0	`TravelerCompanion WP/1.1.0`

Table 7. Windows™ RT IBM Traveler user agents
Device	User agent
Windows™ RT	`WindowsMail/16.4.4406.1205`

Table 8. BlackBerry 10 IBM Traveler user agents
Device	User agent
Z10	`RIM-Z10-STL100-1/10.0.10.261`
Blackberry 10.x	`BLACKBERRY-Z10-STL100-1/10.0.10.261`

Table 9. MaaS360 IBM Traveler user agents
Device	User agent
Android/4.1-EAS-1.3	`MaaS360 on Android`
Apple-iPhone	`MaaS360 on Apple` Note: This agent is very generic. As a result, if you choose to block this, you may also block other aspects of your system.

The following user agents are only supported by the IBM Mail Service for Microsoft Outlook (IMSMO) product. This solution is limited availability. Please contact your sales representative for more information.

Table 10. Microsoft Outlook user agents
Device	User agent
MS Outlook 2013	`Outlook/15.0 (15.0.4505.1002; MSI; x64)`
MS Outlook 2013	`IBMMailAddin/901.2013.828.122`

The following table shows known user agents of devices not supported by IBM Traveler.

Note: These values are subject to change by the application provider at any time.

Table 11. Unsupported user agents
Device	User agent
Touchdown application	`Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD`
Blackberry Work Connect	`BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0`
Blackberry Work Connect	`Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0`
Blackberry Work Connect	`Android/4.4.4 BLACKBERRY-WorkConnect/3.0`
OpenPeak	`OP/4.2`
AT&T Toggle	`Toggle/3.0`
Microsoft Outlook Web App (OWA)	`Outlook-iOS-Android/1.0`

There are many possible examples where different User-Agent portions are combined. Here are a few:

Apple - all Apple devices are allowed to sync, but no other devices.
(IBM SyncML Client)|(IBM Traveler WM) - All Windows Mobile devices (old and new) are allowed to sync, but no other devices.
(Nokia SyncML HTTP Client)|(IBM Traveler Nokia) - All Nokia devices (old and new) are allowed to sync, but no other devices.
Lotus Notes Traveler * 8.5.2 - Only 8.5.2 Windows Mobile® and Nokia clients are allowed to sync, but not Apple devices.
(Apple)|(Lotus Notes Traveler WM) - Only Apple and 8.5.2 Windows Mobile® clients are allowed to sync, but not Nokia devices.
Apple-iPhone/7 - only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).
IBM Traveler Android - Only Android devices are allowed to sync.
NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - This blocks Toggle and OWA, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.

NTS_AS_PROTOCOL_VERSIONS - specifies the Exchange ActiveSync Protocol versions that the server supports. The server supports 2.5, 12.0, and 12.1. Apple OS 2.x devices only support AS 2.5, thus if you want those devices to be allowed you must include 2.5 in this list. If you would like to block Apple OS 2.x devices, you may remove 2.5 from this list. Apple OS 3.x devices support 12.1, so you should always include that version in the list. Non-Apple devices may not support 12.1 while supporting 12.0, which is between 2.5 and 12.1. These values are comma-separated and must not contain spaces. For example:
```
NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1 
```