Restricting access by device category

An administrator can restrict access to devices that do not support device security using HCL Traveler or devices by their device type or user agent values.

Device Security

The setting Prohibit devices incapable of security enablement can be enacted by device category to prevent devices that do not support security enablement from syncing with HCL Traveler. Security enablement includes the ability of HCL Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® HCL Traveler policy settings document (described in Creating an HCL Traveler policy settings document).

The meaning of 'Prohibit devices....' differs by device category:
  • Apple Mail Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.

    Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".

    Protocol 12.0 level does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".

    For example, if you enable Require device password and Prohibit unencrypted devices then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the HCL Traveler server.

  • Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting the following criteria from syncing with the HCL Traveler server:
    • Devices with Android OS level less than 2.2
    • Devices where the user has not enabled the Device Administrator when prompted

When a device is unable to sync with the server due to Prohibit device incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the administration application device security view and device document Access field.

HTTP User-Agent

The simplest way to restrict device access is using the NTS_USER_AGENT_ALLOWED notes.ini settings for each device type. There is a notes.ini for each known device type, NTS_USER_AGENT_ALLOWED_OTHER for all devices that don't fall into one of the known device types, and NTS_USER_AGENT_ALLOWED_REGEX as an additional check for additional granularity if needed (default is check that allows everything).

Here are some examples:
  • NTS_USER_AGENT_ALLOWED_ANDROID=true, NTS_USER_AGENT_ALLOWED_IBM_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the HCL Verse clients.
  • NTS_USER_AGENT_ALLOWED_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the built-in Apple clients.
  • NTS_USER_AGENT_ALLOWED_ANDROID=true, NTS_USER_AGENT_ALLOWED_IBM_APPLE=true, NTS_USER_AGENT_ALLOWED_APPLE=true, NTS_USER_AGENT_ALLOWED_REGEX=.* (all the default values) and all other NTS_USER_AGENT_ALLOWED_ notes.ini's changed to false, allows only the HCL Verse and built-in Apple clients.
  • NTS_USER_AGENT_ALLOWED_OTHER=false and all other NTS_USER_AGENT_ALLOWED_ notes.ini's left as their default values, allows only known client types.
However, if you need more granular control, you may use the NTS_USER_AGENT_ALLOWED_REGEX to control access based on the HTTP User-Agent header of the requests.
  • The following tables list user agents for supported clients. The HCL Verse for Apple user agent changes based on the client build. The Apple Mail client user agent is based on the hardware plus the OS level.
    Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the HCL Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log
    Note: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.
Table 1. HCL Verse for Android user agents
Release User agent
HCL Verse for Android Lotus Traveler Android 12.0.22
Note: Starting with HCL Verse for Android 12.0.0, the user agent string includes the matching client software level. Earlier versions supplied the same user agent string of "Lotus Traveler Android 9.0", regardless of the actual client software level.
Table 2. Apple Mail, HCL Verse, HCL Traveler Companion and HCL Traveler To Do user agents
Device User agent
HCL Verse for iPhone Traveler-iOS-iPhone/12.0.18.2023050420
HCL Verse for iPad Traveler-iOS-iPad/12.0.18.2023050420
Apple iPhone (OS 16) Apple-iPhone13C4/2006.66
Apple iPad (OS 15) Apple-iPad5C4/1908.349
HCL Traveler Companion TravelerCompanion/12.0.5.2023032109 CFNetwork/1408.0.4 Darwin/22.6.0
HCL Traveler To Do for iPad TravelerToDo-iPad/12.0.5.2023032109
HCL Traveler To Do for iPhone TravelerToDo-iPhone/12.0.5.2023032109
Table 3. Windows Phone user agents
Device User agent
Windows 10 Mobile MSFT-WIN-4/10.0.10581
Windows Phone 8.0 MSFT-WP/8.0
Windows Phone 7.8 MSFT-WP/7.10.8853
Windows Phone 7.5 MSFT-WP/7.10.8773
HCL Traveler Companion 1.1.0 TravelerCompanion WP/1.1.0
Table 4. Windows RT user agents
Device User agent
Windows RT WindowsMail/16.4.4406.1205
Table 5. BlackBerry Traveler user agents
Device User agent
Z10 RIM-Z10-STL100-1/10.0.10.261
Blackberry 10.x BLACKBERRY-Z10-STL100-1/10.0.10.261
The following user agents are only supported by the HCL Traveler for Microsoft Outlook (HTMO) product.
Table 6. HCL Traveler for Microsoft Outlook user agents
Device User agent
MS Outlook IMSMO1.0.0

HCL Traveler does not explicitly support the IBM Maas360 clients. The following user agents are provided as a reference only.

Table 7. MaaS360 user agents
Device User agent
Android/4.1-EAS-1.3 MaaS360 on Android
Apple-iPhone MaaS360 on Apple
Note: This agent is very generic. As a result, if you choose to block this, you may also block other aspects of your system.
HCL Traveler does not explicitly support the VMWare Workspace ONE Boxer clients. The following user agents are provided as a reference only.
Table 8. Boxer user agents
Device User agent
Apple-iPhone Apple-iPhone/1701.878/AirWatch BoxerManaged; (iOS 13.1.3) Version 5.12.0/4747
Android AirWatch Boxer (HTC Desire 10 lifestyle; Android 6.0.1) Version 5.10.0.1/1112
HCL Traveler does not explicitly support the Citrix Secure Mail (WorxMail) clients. The following user agents are provided as a reference only.
Table 9. WorxMail user agents
Device User agent
Lenovo Laptop Apple-iPhone WorxMail/19.5.5-29 (LENOVOLENOVOTBX704L; 7.1.1)
The following table shows known user agents of devices not supported by HCL Traveler. This list is not exhaustive.
Note: These values are subject to change by the application provider at any time.
Table 10. Unsupported user agents
Device User agent
Touchdown application Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD
Blackberry Work Connect BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0
Blackberry Work Connect Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0
Blackberry Work Connect Android/4.4.4 BLACKBERRY-WorkConnect/3.0
OpenPeak OP/4.2
AT&T Toggle Toggle/3.0
Microsoft Outlook Mobile (iOS and Android) Outlook-iOS-Android/1.0
There are many possible examples where different User-Agent portions are combined. Here are a few:
  • Apple - all Apple devices are allowed to sync, but no other devices.
  • Apple-iPhone/7 - only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).
  • Lotus Traveler Android - Only Android devices are allowed to sync.
  • NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - This blocks Toggle and Outlook Mobile, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.

Microsoft Exchange ActiveSync Protocol

If the devices are syncing using the Microsoft Exchange ActiveSync Protocol (not used by the Verse iOS, Verse Android or HCL Traveler for Microsoft Outlook clients), you may be able to restrict older devices by removing support for older protocol levels leaving only the newer protocol levels which the older devices do not support. The supported EAS protocol versions are controlled via the NTS_AS_PROTOCOL_VERSIONS notes.ini. The server supports 2.5, 12.0, 12.1, 14.0, 14.1, 16.0, and 16.1.

Apple OS 2.x devices only support AS 2.5, thus if you want those devices to be allowed you must include 2.5 in this list. If you would like to block Apple OS 2.x devices, you may remove 2.5 from this list. Apple OS 3.x devices support 12.1, so you should always include that version in the list. Non-Apple devices may not support 12.1 while supporting 12.0, which is between 2.5 and 12.1. These values are comma-separated and must not contain spaces. For example:
NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1,16.0,16.1