Restricting access by device category

An administrator can restrict access for devices that do not support IBM Traveler device security, and can also restrict devices by their user agent value.

The setting Prohibit devices incapable of security enablement can be enacted by device category to prevent devices that do not support security enablement from syncing with IBM Traveler. Security enablement includes the ability of IBM® Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® IBM® Traveler policy settings document (described in Creating an IBM Traveler policy settings document).

The meaning of Prohibit devices incapable of security enablement differs by device category:
  • Apple Mail: Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.

    Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".

    Protocol level 12.0 does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".

    For example, if you enable Require device password and Prohibit unencrypted devices then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the IBM® Traveler server.

  • Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting either of the following criteria from syncing with the IBM Traveler server:
    • Devices with an Android OS level lower than 2.2
    • Devices where the user did not enable the Device Administrator when prompted

When a device is unable to sync with the server because of Prohibit devices incapable of security enablement, an HTTP status of 403 (Forbidden) is returned to the device. In addition, the value "Prohibit" appears in the administration application device security view and in the Access field of the device document.
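The decision the two device categories above describe, carried through as an added example. This is illustrative Python written for this page, not IBM Traveler code: the table of settings that each Exchange ActiveSync protocol level cannot enforce is taken from the text above, the device records are constructed, and treating an allowed device as HTTP 200 with no Access marker is an assumption made here.

```python
"""Decision model for 'Prohibit devices incapable of security enablement'.

Added example modelled on the rules described on this page; not IBM Traveler
code.  The HTTP 403 and the "Prohibit" Access value come from the page;
treating an allowed device as (200, None) is an assumption made here.
"""

# Enabled security settings that a given Exchange ActiveSync protocol level
# cannot enforce (from the page).  Level 12.1 and later enforce all of them,
# so they have no entry.
UNSUPPORTED_BY_PROTOCOL = {
    "2.5": {
        "Prohibit unencrypted devices",
        "Prohibit ascending, descending and repeating sequences",
        "Password expiration period",
        "Password history",
        "Prohibit camera",
        "Minimum number of complex characters",
    },
    "12.0": {
        "Prohibit unencrypted devices",
        "Prohibit camera",
        "Minimum number of complex characters",
    },
}


def unsupported_settings(protocol, enabled_settings):
    """Enabled settings that an Apple client at this protocol level cannot enforce."""
    return set(enabled_settings) & UNSUPPORTED_BY_PROTOCOL.get(protocol, set())


def apple_is_secured(protocol, enabled_settings):
    """An Apple Mail client is 'secured' only if every enabled setting is enforceable."""
    return not unsupported_settings(protocol, enabled_settings)


def android_is_secured(os_version, device_admin_enabled):
    """Android needs OS 2.2 or later AND the user must have accepted Device Administrator."""
    parts = [int(p) for p in os_version.split(".")[:2]]
    parts += [0] * (2 - len(parts))            # "2" is treated as 2.0
    return tuple(parts) >= (2, 2) and bool(device_admin_enabled)


def sync_decision(device, prohibit_incapable=True):
    """Return (http_status, access_field) for a constructed device record.

    Record shapes used here (an assumption, not a Traveler data structure):
      {"category": "apple", "protocol": "12.0", "enabled_settings": [...]}
      {"category": "android", "os": "4.4.3", "device_admin": True}
    """
    if device["category"] == "apple":
        secured = apple_is_secured(device["protocol"], device["enabled_settings"])
    elif device["category"] == "android":
        secured = android_is_secured(device["os"], device["device_admin"])
    else:
        raise ValueError("unknown device category: %r" % device["category"])
    if prohibit_incapable and not secured:
        return 403, "Prohibit"   # device receives 403 (Forbidden); admin view shows Prohibit
    return 200, None             # assumption: allowed devices carry no Prohibit marker


if __name__ == "__main__":
    # The page's worked case: Require device password plus Prohibit unencrypted
    # devices lets only Exchange ActiveSync 12.1 or later sync.
    policy = ["Require device password", "Prohibit unencrypted devices"]
    for proto in ("2.5", "12.0", "12.1"):
        dev = {"category": "apple", "protocol": proto, "enabled_settings": policy}
        print(proto, sync_decision(dev), sorted(unsupported_settings(proto, policy)))
```

Running the block reproduces the example in the Apple Mail bullet: with those two settings enabled, protocol levels 2.5 and 12.0 both return 403 with the Access field set to Prohibit, and only 12.1 is allowed.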

The following notes.ini settings define which devices can be restricted from syncing with IBM Traveler, either by user agent value or by Exchange ActiveSync protocol level:
  • Simplified flags in notes.ini, one for each device type that IBM Traveler supports, determine which device types can sync. Each value is shown with the client it governs:
    Table 1. notes.ini device type flags

    NTS_USER_AGENT_ALLOWED_ANDROID=true

    IBM Verse for Android or IBM Notes Traveler for Android.

    NTS_USER_AGENT_ALLOWED_APPLE=true

    Apple iOS built in mail client.

    NTS_USER_AGENT_ALLOWED_BB=true

    BlackBerry 10 built in mail client.

    NTS_USER_AGENT_ALLOWED_IBM_APPLE=true

    IBM Verse for iOS.

    Note: Applies to IBM Traveler 9.0.1.3 and later servers only.

    NTS_USER_AGENT_ALLOWED_MAAS360_ANDROID=true

    MaaS360 Secure Mail client on Android.

    Note: Applies to IBM Traveler 9.0.1.3 and later servers only.

    NTS_USER_AGENT_ALLOWED_MAAS360_APPLE=true

    MaaS360 Secure Mail client on Apple iOS.

    Note: Applies to IBM Traveler 9.0.1.3 and later servers only.

    NTS_USER_AGENT_ALLOWED_MAAS360_WINPHONE=true

    MaaS360 Secure Mail client on Microsoft Windows Phone.

    Note: Applies to IBM Traveler 9.0.1.3 and later servers only.

    NTS_USER_AGENT_ALLOWED_NOKIA=true

    IBM Lotus Notes Traveler for Nokia.

    NTS_USER_AGENT_ALLOWED_WM=true

    IBM Lotus Notes Traveler for Windows Mobile.

    NTS_USER_AGENT_ALLOWED_WINPHONE=true

    Microsoft Windows Phone built in mail client, all OS levels.

    NTS_USER_AGENT_ALLOWED_WINPHONE_10=true

    Microsoft Windows Phone 10 built in mail client.
    Note: For Windows 10 Mobile devices, the first check will be run against NTS_USER_AGENT_ALLOWED_WINPHONE, as that applies to all Windows Phone devices (including Windows 10 Mobile). If that check passes, then NTS_USER_AGENT_ALLOWED_WINPHONE_10 is checked next. This means Windows 10 Mobile devices must pass both checks.

    NTS_USER_AGENT_ALLOWED_WINPC=true

    Microsoft Windows Pro Tablet built in mail client.

    NTS_USER_AGENT_ALLOWED_WINTABLET_RT=true

    Microsoft Windows RT Tablet built in mail client.

    NTS_USER_AGENT_ALLOWED_REGEX=.*

    Used for finer-grained control based on the User-Agent header of connecting clients.

    Note: IBM supported devices use their own specific notes.ini values, listed above. Everything else is governed by NTS_USER_AGENT_ALLOWED_REGEX, which is checked after the device types defined above and applies only when the connecting client does not correspond to one of the known device types. NTS_USER_AGENT_ALLOWED_REGEX is the regular expression that the User-Agent HTTP header must match for the client to be allowed to sync data. The default is ".*", which allows all devices to sync.

    The following tables list user agents for supported clients. The IBM Verse for iOS user agent changes with the client build. The Apple Mail client user agent is derived from the hardware model plus the OS level.

    Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One way to determine the exact user agent that a device uses for synchronization is to review the IBM Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log
    Note: Some of the build numbers in the following tables are examples and may change over time as the software on the device is updated.

    Table 2. IBM Verse for Android user agents
    Release                          User agent
    IBM Verse for Android            Lotus Traveler Android 10.0

    Table 3. Apple Mail, IBM Verse, IBM Traveler Companion and IBM Traveler To Do user agents
    Device                           User agent
    IBM Verse for iPhone             Traveler-iOS-iPhone/9.5.1.2018081415
    IBM Verse for iPad               Traveler-iOS-iPad/9.5.0.2018070911
    Apple iPhone (OS 9)              Apple-iPhone7C2/1301.344
    Apple iPhone (OS 8)              Apple-iPhone7C2/1202.466
    IBM Traveler Companion           TravelerCompanion/9.1.3.2017111715 CFNetwork/902.2 Darwin/17.7.0
    IBM Traveler To Do for iPad      TravelerToDo-iPad/9.1.2.20180813150
    IBM Traveler To Do for iPhone    TravelerToDo-iPhone/9.1.2.2018081315

    Table 4. Windows Phone user agents
    Device                           User agent
    Windows 10 Mobile                MSFT-WIN-4/10.0.10581
    Windows Phone 8.0                MSFT-WP/8.0
    Windows Phone 7.8                MSFT-WP/7.10.8853
    Windows Phone 7.5                MSFT-WP/7.10.8773
    IBM Traveler Companion 1.1.0     TravelerCompanion WP/1.1.0

    Table 5. Windows RT user agents
    Device                           User agent
    Windows RT                       WindowsMail/16.4.4406.1205

    Table 6. BlackBerry Traveler user agents
    Device                           User agent
    Z10                              RIM-Z10-STL100-1/10.0.10.261
    BlackBerry 10.x                  BLACKBERRY-Z10-STL100-1/10.0.10.261

    IBM Traveler does not explicitly support the IBM MaaS360 clients. The following user agents are provided as a reference only.

    Table 7. MaaS360 user agents
    Device                           User agent
    MaaS360 on Android               Android/4.1-EAS-1.3
    MaaS360 on Apple                 Apple-iPhone
    Note: The Apple-iPhone agent is very generic; the Apple built-in mail client user agents in Table 3 begin with the same string. As a result, if you choose to block this, you may also block other parts of your deployment.

    The following user agent is only supported by the IBM Mail Service for Microsoft Outlook (IMSMO) product.

    Table 8. IBM mail for Microsoft Outlook user agents
    Device                           User agent
    MS Outlook                       IMSMO1.0.0

    The following table shows known user agents of devices not supported by IBM Traveler. This list is not exhaustive.
    Note: These values are subject to change by the application provider at any time.

    Table 9. Unsupported user agents
    Device                           User agent
    TouchDown application            Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD
    BlackBerry Work Connect          BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0
    BlackBerry Work Connect          Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0
    BlackBerry Work Connect          Android/4.4.4 BLACKBERRY-WorkConnect/3.0
    OpenPeak                         OP/4.2
    AT&T Toggle                      Toggle/3.0
    Microsoft Outlook Web App (OWA)  Outlook-iOS-Android/1.0
    NTS_USER_AGENT_ALLOWED_REGEX values can combine different portions of the User-Agent header. Because the device type flags above are checked first, the regex only governs clients that do not correspond to one of the known device types, and the expression must match the user agent string exactly as the client sends it (see the tables above). A few examples:
    • Apple - all Apple devices are allowed to sync, but no other devices.
    • Apple-iPhone/7 - only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).
    • IBM Traveler Android - only Android devices are allowed to sync.
    • NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - blocks Toggle and OWA and allows everything else. Note that this only blocks the named devices. A more secure setup is to allow only the explicit devices you want; that way you do not need to update this value each time you find a new device that should be blocked.
  • NTS_AS_PROTOCOL_VERSIONS - specifies the Exchange ActiveSync protocol versions that the server offers to clients. The server supports 2.5, 12.0 and 12.1 (the example below also lists 14.0 and 14.1). Apple OS 2.x devices only support AS 2.5, so if you want those devices to be allowed you must include 2.5 in this list; to block Apple OS 2.x devices, remove 2.5 from the list. Apple OS 3.x devices support 12.1, so you should always include that version. Some non-Apple devices support 12.0 but not 12.1, so removing 12.0 blocks those devices as well. The values are comma-separated and must not contain spaces. For example:
    NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1
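The evaluation order described for the user agent flags and NTS_USER_AGENT_ALLOWED_REGEX above, together with the NTS_AS_PROTOCOL_VERSIONS list, as an added example. This is illustrative Python written for this page, not IBM Traveler code. The notes.ini fragment is constructed (allow-list style, with the page's block-list regex kept alongside for comparison); the patterns that map a User-Agent header to a device type are assumptions derived from the user agent tables above, since the server's real classification is not published; an unset flag is assumed to default to true; and the regex is assumed to be applied anywhere in the header, which is why the page's own example anchors it with ^ and $.

```python
"""Model of the notes.ini user-agent gating and EAS protocol-version list.

Added example, not IBM Traveler code.  It follows the evaluation order on this
page: a recognised client is governed only by its NTS_USER_AGENT_ALLOWED_*
flag (Windows 10 Mobile must pass WINPHONE and then WINPHONE_10), and only an
unrecognised client falls through to NTS_USER_AGENT_ALLOWED_REGEX.
Assumptions: the classifier patterns are derived from the user agent tables on
this page, an unset flag defaults to true, and the regex is applied with
re.search (anywhere in the header).
"""
import re

# Constructed notes.ini fragment in allow-list style: unknown clients must
# match the regex explicitly instead of being blocked one at a time.
NOTES_INI = """\
NTS_USER_AGENT_ALLOWED_APPLE=true
NTS_USER_AGENT_ALLOWED_IBM_APPLE=true
NTS_USER_AGENT_ALLOWED_ANDROID=true
NTS_USER_AGENT_ALLOWED_WINPHONE=true
NTS_USER_AGENT_ALLOWED_WINPHONE_10=false
NTS_USER_AGENT_ALLOWED_BB=false
NTS_USER_AGENT_ALLOWED_REGEX=^IMSMO[0-9.]+$
NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1
"""

# The page's own block-list regex, kept for comparison: everything except
# Toggle and Outlook-iOS-Android is allowed.
BLOCK_LIST_REGEX = r"^((?!((Toggle)|(Outlook-iOS-Android))).)*$"

# Assumed classifier: maps a User-Agent prefix to the flag suffix.  First match wins.
DEVICE_TYPES = [
    ("IBM_APPLE", re.compile(r"^Traveler-iOS-")),          # IBM Verse for iOS
    ("APPLE",     re.compile(r"^Apple-i(Phone|Pad|Pod)")),  # Apple built-in mail
    ("ANDROID",   re.compile(r"^Lotus Traveler Android")),  # IBM Verse / Traveler for Android
    ("WINPHONE",  re.compile(r"^MSFT-(WP|WIN)")),           # all Windows Phone levels
    ("BB",        re.compile(r"^(RIM|BLACKBERRY)-Z")),      # BlackBerry 10 built-in mail
]
WIN10_MOBILE = re.compile(r"^MSFT-WIN")   # Windows 10 Mobile also needs WINPHONE_10


def parse_notes_ini(text):
    """Parse KEY=value lines into a dict; blank lines and lines without '=' are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def flag(cfg, name):
    """NTS_USER_AGENT_ALLOWED_<name>, assumed true when unset."""
    return cfg.get("NTS_USER_AGENT_ALLOWED_" + name, "true").lower() == "true"


def classify(user_agent):
    for name, pattern in DEVICE_TYPES:
        if pattern.search(user_agent):
            return name
    return None


def regex_allows(regex, user_agent):
    return re.search(regex, user_agent) is not None


def user_agent_allowed(cfg, user_agent):
    """True if the server would let this User-Agent sync."""
    device = classify(user_agent)
    if device is None:
        # Unknown client: only the regex applies; the default ".*" allows everything.
        return regex_allows(cfg.get("NTS_USER_AGENT_ALLOWED_REGEX", ".*"), user_agent)
    if not flag(cfg, device):
        return False
    if device == "WINPHONE" and WIN10_MOBILE.search(user_agent):
        return flag(cfg, "WINPHONE_10")   # Windows 10 Mobile must pass both checks
    return True


def server_protocol_versions(cfg):
    """NTS_AS_PROTOCOL_VERSIONS as a list; rejects the spaces the page forbids."""
    raw = cfg.get("NTS_AS_PROTOCOL_VERSIONS", "")
    versions = raw.split(",")
    if any(v == "" or v != v.strip() for v in versions):
        raise ValueError("NTS_AS_PROTOCOL_VERSIONS must be comma-separated with no spaces: %r" % raw)
    return versions


def negotiate_protocol(cfg, client_versions):
    """Highest EAS version both sides support, or None (the client cannot sync)."""
    common = set(server_protocol_versions(cfg)) & set(client_versions)
    if not common:
        return None
    return max(common, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    cfg = parse_notes_ini(NOTES_INI)
    for ua in ("Apple-iPhone7C2/1301.344", "MSFT-WIN-4/10.0.10581",
               "IMSMO1.0.0", "Toggle/3.0"):
        print("%-28s allowed=%s" % (ua, user_agent_allowed(cfg, ua)))
    print("Apple OS 2.x client negotiates:", negotiate_protocol(cfg, ["2.5"]))
```

With this configuration a Windows 10 Mobile client (MSFT-WIN-4/...) is refused even though NTS_USER_AGENT_ALLOWED_WINPHONE is true, because the second WINPHONE_10 check fails; an IMSMO client is admitted only because the allow-list regex names it, and Toggle and OWA are refused without having to be listed. Swapping in BLOCK_LIST_REGEX shows the weaker posture the page warns about: OpenPeak (OP/4.2) is accepted because nothing blocks it. Removing 2.5 from NTS_AS_PROTOCOL_VERSIONS makes negotiate_protocol return None for a client that only speaks 2.5, which is the mechanism the page describes for blocking Apple OS 2.x devices.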