Default device preference and security setting values

The default device settings for users come from the IBM Traveler administration database default device settings document. Users can change their device preference settings from their devices, but only an IBM Traveler administrator can change device security settings. A Domino® policy containing IBM Traveler settings (a IBM Traveler Domino® policy) can be used to override the default device settings for individual users, groups, or organizations.

For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.

Note: Settings in tables 1, 2, and 3 do not apply to devices with applications utilizing the Exchange ActiveSync protocol, such as the native applications included on Apple, BlackBerry 10 and Windows Phone and Tablet devices, unless otherwise noted.
Table 1. Default Preferences > Sync settings
Setting Description Default value

Synchronize

Specifies the IBM® Notes® items that should be synced to the IBM Traveler client.

This setting only applies to Exchange ActiveSync devices when the setting is locked either in the IBM Traveler default settings or a Domino® Policy.

All of the following are selected by default: Email, Calendar, ToDo, Contacts, and Journal.

  • On IBM Verse for Android, if either mail or Calendar are selected, both mail and Calendar both sync.
  • IBM Verse for iOS always syncs Email, Calendar and Contacts.

Schedule

Define peak synchronization schedule and modes of synchronization to use for peak and off-peak hours.

The following options are selected by default:
  • Peak sync type: Always connected
  • Off-peak sync type: Always connected
  • Monday, Tuesday, Wednesday, Thursday, Friday
  • Peak start time: 8:00
  • Peak end time: 17:00

Disable sync when battery low

Select to prevent the IBM Traveler client from making non-user requested connections to the server while the battery is low.

Enabled by default.

Connect when roaming

Select to allow the IBM Traveler client to operate as normal, regardless of whether or not the device is on a roaming network. Otherwise the client will be prevented from making non-user requested connections to the server while the device is roaming.

Disabled by default.

For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.

Table 2. Default Preferences > Filter Settings
Setting Description Default value

Email Body Truncation

Enables email body truncation. Characters beyond the default character value in the email body are truncated from the email body.

Enabled and 5000 characters

Maximum email Attachment Size Allowed - Administrator
Deprecated Specify the maximum combined size of all attachments in a document that can be synced to a device. This size is an administrator setting that Notes® client users cannot change.
Note: This setting only applies to the deprecated Windows Mobile and Symbian OS based Nokia devices. The IBM Traveler server no longer requires an artificial limit to be placed on attachment size for other devices.

4000 KB

Email Attachments

Enables automatic syncing of file attachments to the mobile device. For Android devices, this setting also controls the automatic syncing of embedded email images. For Apple devices, this setting has no impact. In order to disable attachments on Apple devices, you must set the Email Attachment Size to '0' kb.

Disabled

Email Attachment Size

Automatically download file attachments smaller than this size. For Android devices, this setting also applies to embedded email images.

100 KB

Email Date Filter

Enables filtering email by the number of days specified.

Enabled and 5 days

Filter Limit

Administrative setting that enforces a maximum mail filter window for users that either disable the mail filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices.

Unlimited

High Importance Only

Select High Importance Only to synchronize only high importance emails.

Disabled

Calendar Date Filter Past Events

Enables filtering of past calendar events by the length of time specified.

Enabled and 1 week

Filter Limit

Administrative setting that enforces a maximum past event filter window for users that either disable the past event filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices.

Unlimited

Calendar Date Filter Future Events

Enables filtering of future calendar events by the length of time specified.

Enabled and 3 months

Filter Limit

Administrative setting that enforces a maximum future event filter window for users that either disable the past event filter or select a value greater than this limit from their IBM Traveler client. This setting applies to Exchange ActiveSync devices.

Unlimited

Journal Date Filter

Enables filtering of journal dates by the length of time specified. Note that no supported clients sync journal entries.

Enabled and 1 week

Filter Limit

Administrative setting that enforces a maximum journal filter window for users that either disable the journal filter or select a value greater than this limit from their IBM Traveler client.

Unlimited

ToDo Status

Enables display of only to do items with a status of incomplete

Enabled

Once a device has registered with the server and has received settings from the device profile, the device preferences cannot be changed by an administrator unless the settings are locked either in the default device preferences or a IBM Traveler policy. If the administrator changes the value of a locked setting, then this change is synced to the mobile device immediately. A mobile device user cannot change setting values from the device for settings that are locked by a policy. Unlike device preferences, any security setting changes made by the administrator are synced to the mobile device.

For the settings listed in the following table, select Lock value on device to prevent modification of the setting from a IBM Traveler client. Any settings without this option are always handled as locked.

Table 3. Default Preferences > Device Settings
Setting Description Default value

Device logging

Turns device client logging on or off.

Off

Device Log File Size Maximum

Sets the maximum log file size.

2000 KB

Always bcc myself

For Android based devices, select to automatically add responder's mail address to the bcc list.

Disabled
Table 4. Default Preferences > Security Settings > Android
Setting Description Default value

Require device password

Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Require alphanumeric value, Minimum password length, Auto lock period (maximum), Wrong passwords before wiping

The Violation Action you select for this option applies to all sub-settings (except for Wrong passwords before wiping device - if you enable Wrong passwords before wiping device, then the violation action for Require device password must be Enforce).

The default violation action is Report.

Disabled

Password type
Sets the password type from the following options:
  • Unrestricted
  • Numeric
  • Alphabetic
  • Alphanumeric
  • Complex (OS 3+ only)
Note: IBM Traveler lists the order of password types (top-to-bottom) as weakest to strongest. Unrestricted is the weakest, and allows any type of password, including fingerprint and pattern. Note that if you select Unrestricted as the Password type, then the Password length setting is no longer applicable.

Disabled

Minimum password length

Smallest number of password characters allowed. Range is 4-64.

4

Auto lock period (maximum)

Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

30 minutes

Password expiration period (OS 3+ only)

Number of days after which the device password must be changed. Range is 0-730 days.

0 days

Password history count (OS 3+ only)

The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

0

Wrong passwords before wiping device

Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

Disabled and 7 incorrect password attempts

Prohibit unencrypted devices (OS 3+ only)

Select to only allow devices that are encrypted to sync with the IBM Traveler server.

Disabled

Require application password

Select to require users to enter their IBM Verse password to access their IBM Verse client application and its data. This option must be selected to use any of these subsettings: Wrong passwords before wiping application data, Auto lock period|default

Disabled
Wrong passwords before wiping application data Enables the device application to wipe the HCL Verse client application configuration and data after the selected number of consecutive failed application password attempts occur. Disabled and 7 incorrect password attempts
Auto lock period (maximum) Number of minutes after which the HCL Verse application automatically locks when not in use. Range is 1-60 minutes 30 minutes

Disable local password storage

Selecting this option will prevent the IBM Traveler password from being saved in application storage. Enabling this option will require the user to enter their IBM Traveler password whenever the IBM Traveler application service restarts, including at phone startup. IBM Traveler will not synchronize data until the password is entered.

Disabled

Prohibit copy to clipboard

Select to disable the ability to copy IBM Traveler data to the device clipboard.

Disabled

Prohibit export of attachments to file system

Select to disable the ability to export attachments from IBM Traveler mail to the device's file system.

Disabled

Prohibit camera (OS 4+ only)

Select to disable any cameras on the device. This policy is only available on Android 4.0 devices and above.

Disabled

Require external mail domain validation

Enables a warning message requiring users to confirm that external mail addresses are correct when mail composed on the device is addressed to a user in a domain that is not included in the "Internal mail domains" list.

Disabled

Prohibit export of calendar to OS

Determines whether IBM Traveler can share its calendar information with the device OS.

Enabled
Prohibit export of contacts to OS

Determines whether IBM Traveler can share its contacts with the device OS.

Disabled

Prohibit devices incapable of security enablement

Prevents all devices which do not have the required security features from syncing with the IBM Traveler server. If set to disabled, all devices, with and without security features, can sync data.

IBM Traveler uses the Device Administrator feature added in Android 2.2. In order to enable this feature, the end user must agree to enable the device administrator on the device.

Android devices on which the end user has not enabled the device administrator profile for IBM Verse mobile client will not be allowed.

Disabled

Prohibit download of attachments

When enabled, devices will not be able to download attachments from all IBM Verse Mobile applications when they sync with the IBM Traveler server.

Disabled

Allow only approved applications to access attachments

Selecting this option enforces that attachments synced to the device can only be viewed by applications that are defined in the Approved Application list.

Disabled

Prohibit use of untrusted certificates

When enabled, devices using untrusted certificates will not be able to sync with IBM Traveler.

Disabled

Require Mobile Application Management

When enabled, the IBM Verse for Android client must be managed by a Mobile Application Management (MAM) provider to be able to sync with the IBM Traveler Server.

Disabled
Note: For Apple device security settings, the only possible Violation Action is Enforce.
Table 5. Default Preferences > Security Settings > Apple > Apple Mail
Setting Description Default value

Require device password

Enables requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum password length, Minimum number of complex characters, Auto lock period (maximum), Password expiration period, Password history, Wrong passwords before wiping device, Prohibit unencrypted devices.

The Violation Action of Enforce applies to all sub-settings for this field.

Disabled

Prohibit ascending, descending and repeating sequences

Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

Disabled

Require alphanumeric value

When enabled, both alphabetic characters and numbers are required in the password.

Disabled

Minimum password length

Smallest number of password characters allowed. Range is 4-16.

4

Minimum number of complex characters

Smallest number of non-alphanumeric characters required. Range is 0-4 characters.

0

Allow only approved applications and built-in viewers to access attachments

Selecting this option enforces that attachments synced to the device can only be viewed by built-in viewers using IBM Traveler Companion or the IBM Traveler To Do application. Additional mobile applications are allowed to open attachments synced by IBM Traveler only if they are defined in the Approved Application list.

Disabled

Auto lock period (maximum)

Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

30 minutes

Password expiration period

Number of days after which the device password must be changed. Range is 0-730 days.

90 days

Password history

The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

0

Wrong passwords before wiping device

Enables device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

Disabled and 7 incorrect password attempts

Prohibit unencrypted devices

When enabled, only devices that support onboard data encryption are allowed to sync with the IBM Traveler server.

Disabled

Prohibit camera

Disables the camera on the device.

Disabled

Prohibit devices incapable of security enablement

Prohibit devices incapable of security enablement.

Prevents all devices which do not have the required security features from syncing with the IBM Traveler server. If set to "disabled", all devices, with and without security features, can sync data. However, as many of the security features as possible will still be enforced on every device.

The security features that a device includes depends on the version of the Exchange ActiveSync protocol that the device has implemented. Supported Apple iOS devices support all the settings available through IBM Traveler.

A device is considered "unsecured" if any of the security features it does not include are enabled in the security policy.

Disabled

Prohibit download of attachments

When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

Disabled
Note: For IBM Verse for iOS device security settings, the only possible Violation Action is Enforce and it cannot be changed.
Table 6. Default Preferences > Security Settings > Apple > IBM Verse
Setting Description Default value

Require application password

Enables the requirement to have an application password. This option must be selected to use any of these sub-settings except for:  Prohibit export of contacts to OS, Prohibit copy to clipboard, Prohibit export of attachments to file system and Prohibit download of attachments.

The Violation Action of Enforce applies to all sub-settings for this field.

Disabled

Password type
Sets the password type from the following options:
  • Numeric
  • Alphabetic
  • Alphanumeric
  • Complex
  • Server

Disabled

Minimum letters

Smallest number of alphabetic characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum non-letters

Smallest number of non-alphabetic characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum uppercase

Smallest number of uppercase characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum lowercase

Smallest number of lowercase characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum numeric

Smallest number of numeric characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum symbols

Smallest number of symbol characters allowed. Range is 0-64. (For Complex password type only)

0

Minimum password length

Smallest number of password characters allowed. Range is 4-64.

4

Auto lock period (maximum)

Number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

30 minutes

Password expiration period

Number of days after which the device password must be changed. Range is 0-730 days.

0 days

Password history count

The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

0

Wrong passwords before wiping application data

Enables device application to wipe the Verse application configuration and data after the selected number of consecutive failed application password login attempts occur.

Disabled and 7 incorrect password attempts

Prohibit ascending, descending, and repeating sequences

Select to prohibit the use of  ascending, descending, and repeating sequences

Disabled

Allow Touch ID

When enabled, and if the iOS device supports fingerprint recognition, users can unlock the IBM Verse application using Touch ID without having to enter their IBM Verse application password.

Disabled

Prohibit export of contacts to OS

Determines whether IBM Verse application can share its contacts with the device OS.

Disabled

Prohibit copy to clipboard

Select to disable the ability to copy IBM Verse application data to the device clipboard.

Disabled

Prohibit export of attachments

Select to disable the ability to export attachments from IBM Verse application.

Disabled

Prohibit download of attachments

When enabled, devices will not be able to download attachments from the IBM Verse application when they sync with the IBM Traveler server.

Disabled

Require Mobile Application Management

When enabled, device must be managed by a Mobile Application Management (MAM) provider to be able to sync mail with the IBM Traveler Server.

Disabled
Note: For Windows Phone device security settings, the only possible Violation Action is Enforce. Settings defined here may also apply to Windows RT and Tablet devices. See Known limitations and restrictions section of the user documentation for more details about security policies with these devices.
Table 7. Default Preferences > Security Settings > Windows Phone
Setting Description Default value

Require device password

Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

The Violation Action of Enforce applies to all sub-settings for this field.

Disabled

Prohibit ascending, descending and repeating sequences

Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

Disabled

Require alphanumeric value

When enabled, both alphabetic characters and numbers are required in the password.

Disabled

Minimum number of complex characters

Specifies the required level of complexity of the device password. For the default value of 2, a password with both upper case and lower case alphabetical characters would be sufficient, as would a password with lower case alphabetical characters and numbers. For password enforcement with a combination of upper case alphabetical characters, lower case alphabetical characters, numbers and non-alpha numeric characters the required value should be set to 4. Range is 1-4.

2

Minimum password length

Smallest number of password characters allowed. Range is 4-16.

4

Auto lock period (maximum)

The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

30 minutes

Password expiration period

The number of days after which the device password must be changed. Range is 0-730 days.

90 days

Password history

The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

0

Wrong passwords before wiping device

Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

Disabled and 7 incorrect password attempts

Prohibit unencrypted devices

When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.

Disabled

Prohibit download of attachments

When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

Disabled
Note: For BlackBerry device security settings, the only possible Violation Action is Enforce.
Table 8. Default Preferences > Security Settings > BlackBerry
Setting Description Default value

Require device password

Enables the requirement that devices have screen lock passwords. This option must be selected to use any of these sub-settings: Prohibit ascending, descending and repeating sequences, Require alphanumeric value, Minimum number of complex characters, Minimum password length, Auto lock period (maximum), Password expiration period, Password history count, Wrong passwords before wiping device, Prohibit unencrypted devices and Prohibit download of attachments.

The Violation Action of Enforce applies to all sub-settings for this field.

Disabled

Prohibit ascending, descending and repeating sequences

Prohibits the use of ascending, descending and repeating sequences. A sequence is considered 3 or more consecutive numbers or characters.

Disabled

Require alphanumeric value

When enabled, both alphabetic characters and numbers are required in the password.

Disabled

Minimum number of complex characters

Smallest number of non-alphanumeric characters required. Range is 1-4 characters.

2

Minimum password length

Smallest number of password characters allowed. Range is 4-16.

4

Auto lock period (maximum)

The number of minutes before device automatically locks when it is not being used. Range is 1-60 minutes.

30 minutes

Password expiration period

The number of days after which the device password must be changed. Range is 0-730 days.

90 days

Password history

The number of unique passwords required before reuse of a password is allowed. Range is 0-50.

0

Wrong passwords before wiping device

Enables a device to hard reset itself after the selected number of consecutive failed device password login attempts occur.

Disabled and 7 incorrect password attempts

Prohibit unencrypted devices

When enabled, only devices that support on-board data encryption are allowed to sync with the IBM Traveler server.

Disabled

Prohibit download of attachments

When enabled, devices will not be able to download attachments from IBM Traveler applications when they sync with the IBM Traveler server.

Disabled
Note: Several of these settings have a violation action that must be configured. The violation action executes on the device if the local device security setting does not match the security policy. The default violation action is Report.
Table 9. Violation action settings
Setting Description

Report

If the setting is not compliant, the violation is reported to Domino® Domain Monitor (DDM) on the IBM Traveler server. The mobile device user is notified on the IBM Traveler status screen with a security lock icon and a message.

Disable Synchronization

If the setting is not compliant, the violation is reported to the IBM Traveler server and any further syncing with the server is disabled. Syncing can be re-enabled only by fixing the security policy violation.

Enforce

The IBM Traveler client forces the setting on the device to match the setting in the security policy. For settings such as the device password, the mobile device user is prompted to enter a password for the device. If at any time the settings are detected to be non-compliant, the violation is reported to DDM on the server and syncing is disabled on the mobile device until the violation is corrected.
Table 10. Default Assignment settings
Setting Description Default value

Include users

The names of users or groups to which the default device preference settings apply.

Blank, which means all users.

To specify all members of a branch of a hierarchical name tree, use an asterisk (*) followed by a forward slash and certifier name, for example, */Sales/Acme.

Exclude users

The names of users or groups to which the default device preference settings do not apply.

Blank, which means no users.

Use an asterisk (*) to indicate all users. To specify all members of a branch of a hierarchical name tree, use an asterisk followed by a forward slash and certifier name, for example, */Sales/Acme.
Table 11. Default Preferences > Device Access
Setting Description Default value

Require approval for device access

Selecting this setting will make all new devices able to register, but not sync data with IBM Traveler. The device will be in a locked state until approved by the Administrator.

Deselected

Number of devices to allow per user before approval is required

This setting allows the Administrator to auto approve a given number of devices per user. The number refers to registered devices per user and is not time sensitive. For example if set to 1, the first device to register for a user will not require approval, but any new devices will. Completely deleting a device from the database and security record removes it from being considered in this calculation.

1

Optional: Addresses to notify when approval action is pending

This allows an Administrator to be notified when an approval action is required. The notification would include the User ID, Device ID, Device Type, and date of registration. The notification list can include users, groups and Mail-In DBs. The registering user will always receive a notification when a device registers and requires approval. The e-mail copy sent to the administrator includes a link to LotusTraveler.nsf.

Blank, which means no addresses