Restricting access by device category
Using IBM Traveler, an administrator can restrict access for devices that do not support device security, or restrict devices by their user agent value.
The setting Prohibit devices incapable of security enablement can be enacted by device category (Windows™ Mobile, Nokia, or Apple) to prevent devices that do not support security enablement from syncing with IBM Traveler. Security enablement includes the ability of IBM® Traveler to remotely wipe a device, as well as the ability to enforce usage of a device password. This setting is defined in both the Default device preference and security setting values and the Domino® IBM® Traveler policy settings document (described in Creating an IBM Traveler policy settings document).
- Windows Mobile: Enabling Prohibit devices incapable of security enablement prevents Windows™ Mobile devices running an IBM Traveler client before IBM Traveler 8.5 from syncing with the IBM Traveler server. Clients before 8.5 do not support remote wipe or the IBM® Traveler device security settings.
- Nokia: Enabling Prohibit devices incapable of security enablement prevents Nokia devices meeting the following criteria from syncing with the IBM® Traveler server:
  - Nokia devices running an IBM Traveler client before IBM Traveler 8.5.1
  - Nokia devices that do not support the Nokia security application
  - Nokia devices that do support the Nokia security application but do not have it installed
- Apple: Whether an Apple device is secured or unsecured is determined by the level of the Exchange ActiveSync protocol it uses and whether any of the enabled security settings are not supported by that protocol level.
  Protocol level 2.5 does not support "Prohibit unencrypted devices", "Prohibit ascending, descending and repeating sequences", "Password expiration period", "Password history", "Prohibit camera", or "Minimum number of complex characters".
  Protocol level 12.0 does not support "Prohibit unencrypted devices", "Prohibit camera", or "Minimum number of complex characters".
  For example, if you enable Require device password and Prohibit unencrypted devices, then only an Apple device using Exchange ActiveSync 12.1 or later would be able to sync with the IBM® Traveler server.
- Android: Enabling Prohibit devices incapable of security enablement prevents Android devices meeting the following criteria from syncing with the IBM Traveler server:
  - Devices with Android OS level less than 2.2
  - Devices where the user has not enabled the Device Administrator when prompted
When a device is unable to sync with the server due to Prohibit devices incapable of security enablement, a status of "403 (Forbidden)" is returned to the device. Also, the value "Prohibit" appears in the LotusTraveler.nsf device security view and device document Access field.
Settings in the notes.ini file define which devices can be restricted from syncing with IBM Traveler by user agent value or Exchange ActiveSync protocol level:
- You can use simplified flags in the notes.ini for the various device types supported by IBM Traveler, to determine which ones can sync. Examples include:

Table 1.

| notes.ini value | Description |
| --- | --- |
| NTS_USER_AGENT_ALLOWED_ANDROID=true | IBM Verse for Android or IBM Notes Traveler for Android. |
| NTS_USER_AGENT_ALLOWED_APPLE=true | Apple iOS built in mail client. |
| NTS_USER_AGENT_ALLOWED_BB=true | BlackBerry 10 built in mail client. |
| NTS_USER_AGENT_ALLOWED_IBM_APPLE=true | IBM Verse for iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_ANDROID=true | MaaS360 Secure Mail client on Android. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_APPLE=true | MaaS360 Secure Mail client on Apple iOS. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_MAAS360_WINPHONE=true | MaaS360 Secure Mail client on Microsoft Windows Phone. Note: Applies to IBM Traveler 9.0.1.3 and later servers only. |
| NTS_USER_AGENT_ALLOWED_NOKIA=true | IBM Lotus Notes Traveler for Nokia. |
| NTS_USER_AGENT_ALLOWED_WM=true | IBM Lotus Notes Traveler for Windows Mobile. |
| NTS_USER_AGENT_ALLOWED_WINPHONE=true | Microsoft Windows Phone built in mail client, all OS levels. |
| NTS_USER_AGENT_ALLOWED_WINPHONE_10=true | Microsoft Windows Phone 10 built in mail client. Note: For Windows 10 Mobile devices, the first check will be run against NTS_USER_AGENT_ALLOWED_WINPHONE, as that applies to all Windows Phone devices (including Windows 10 Mobile). If that check passes, then NTS_USER_AGENT_ALLOWED_WINPHONE_10 is checked next. This means Windows 10 Mobile devices must pass both checks. |
| NTS_USER_AGENT_ALLOWED_WINPC=true | Microsoft Windows Pro Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_WINTABLET_RT=true | Microsoft Windows RT Tablet built in mail client. |
| NTS_USER_AGENT_ALLOWED_REGEX=.* | Used for finer grained control based on user agents of connecting client agents. Note: IBM supported devices use their own specific notes.ini values, listed above. Everything else is governed by NTS_USER_AGENT_ALLOWED_REGEX. |

NTS_USER_AGENT_ALLOWED_REGEX is checked after the device types defined above, and is used only if the command doesn't correspond to one of the known device types. NTS_USER_AGENT_ALLOWED_REGEX is the regular expression for User-Agent HTTP headers that are allowed to sync data. The default is ".*", which allows all devices to sync.

NTS_USER_AGENT_ALLOWED_REGEX=.*
The following tables list user agents by device for 8.5.3, 8.5.2, and pre-8.5.2 IBM Traveler clients. Windows Mobile® and Nokia user agents change with each new IBM Traveler release. Apple, however, updates their user agent values with each OS update. As a result, there are many more variations of Apple user agents than for Windows Mobile® or Nokia.

Note: Some examples of known Apple user agents are presented in these tables, but this is not a comprehensive list. One method to determine the exact user agent that a device is using for synchronization is to review the IBM Traveler usage log file after a new device synchronizes with the server. The file can be found here: <Domino Data Directory>\IBM_TECHNICAL_SUPPORT\traveler\logs\NTSUsage_DATE_TIME.log

Note: Some of the build numbers in the following tables are examples and may change over time as software versions on the device are updated.

Table 2. Android IBM Traveler user agents

| Release | User agent |
| --- | --- |
| IBM Traveler 9.0.0 | Lotus Traveler Android 9.0 |
| Lotus Notes® Traveler 8.5.3 | Lotus Traveler Android 8.5.3 |
| Lotus Notes® Traveler 8.5.2 | Lotus Traveler Android 8.5.2.1 |

Table 3. Apple IBM Traveler user agents

| Device | User agent |
| --- | --- |
| IBM Verse for iPhone | Traveler-iOS-iPhone/9.1.2.20150514 |
| IBM Verse for iPad | Traveler-iOS-iPad/9.2.0.20150616 |
| Apple iPhone (OS 9) | Apple-iPhone7C2/1301.344 |
| Apple iPhone (OS 8) | Apple-iPhone7C2/1202.466 |
| Apple iPhone (OS 7.1) | Apple-iPhone6C2/1104.169 |
| Apple iPhone (OS 7) | Apple-iPhone4C1/1104.257 |
| Apple iPhone (OS 6) | Apple-iPhone5C2/1001.525 |
| Apple iPhone (OS 5) | Apple-iPhone3C3/902.206 |
| Apple iPhone (OS 4) | Apple-iPhone2C1/801.306 |
| Apple iPhone (OS 3.1.2) | Apple-iPhone/704.11 |
| Apple iPhone (OS 3.0) | Apple-iPhone/701.341 |
| Apple iPhone (OS 2) | Apple-iPhone/508.11 |
| Apple iPad (OS 9) | Apple-iPad4C2/1301.344 |
| Apple iPad (OS 8) | Apple-iPad4C2/1201.405 |
| Apple iPad (OS 7.1) | Apple-iPad4C1/1104.167 |
| Apple iPad (OS 7) | Apple-iPad4C1/1104.201 |
| Apple iPad (OS 6) | Apple-iPad3C1/1001.523 |
| Apple iPad (OS 3) | Apple-iPad/702.367 |
| Apple iPod (OS 2) | Apple-iPod/508.110001 |
| Traveler Companion | TravelerCompanion/2.0.2 CFNetwork/485.12.7 Darwin/10.4.0 |
| Traveler To Do | TravelerToDo/8.5.4.201210312104 CFNetwork/548.1.4 Darwin/11.0.0 |

Table 4. Nokia Series 60 and Symbian^3 IBM Traveler user agents

| Release | User agent |
| --- | --- |
| Lotus Notes® Traveler 8.5.3 | Lotus Notes Traveler Nokia 8.5.3.0 |
| Lotus Notes® Traveler 8.5.2 | Lotus Notes Traveler Nokia 8.5.2.0 |
| Lotus Notes® Traveler pre-8.5.2 | SyncML HTTP Client |

Table 5. Windows™ Mobile IBM Traveler user agents

| Release | User agent |
| --- | --- |
| Lotus Notes® Traveler 8.5.3 | Lotus Notes Traveler WM 8.5.3.0 |
| Lotus Notes® Traveler 8.5.2 | Lotus Notes Traveler WM 8.5.2.0 |
| Lotus Notes® Traveler pre-8.5.2 | IBM SyncML Client |

Table 6. Windows™ Phone IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Windows™ 10 Mobile | MSFT-WIN-4/10.0.10581 |
| Windows™ Phone 8.0 | MSFT-WP/8.0 |
| Windows™ Phone 7.8 | MSFT-WP/7.10.8853 |
| Windows™ Phone 7.5 | MSFT-WP/7.10.8773 |
| IBM Traveler Companion 1.1.0 | TravelerCompanion WP/1.1.0 |

Table 7. Windows™ RT IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Windows™ RT | WindowsMail/16.4.4406.1205 |

Table 8. BlackBerry 10 IBM Traveler user agents

| Device | User agent |
| --- | --- |
| Z10 | RIM-Z10-STL100-1/10.0.10.261 |
| Blackberry 10.x | BLACKBERRY-Z10-STL100-1/10.0.10.261 |

Table 9. MaaS360 IBM Traveler user agents

| User agent | Device |
| --- | --- |
| Android/4.1-EAS-1.3 | MaaS360 on Android |
| Apple-iPhone | MaaS360 on Apple. Note: This agent is very generic. As a result, if you choose to block this, you may also block other aspects of your system. |

The following user agents are only supported by the IBM Mail Service for Microsoft Outlook (IMSMO) product. This solution has limited availability. Please contact your sales representative for more information.

Table 10. Microsoft Outlook user agents

| Device | User agent |
| --- | --- |
| MS Outlook 2013 | Outlook/15.0 (15.0.4505.1002; MSI; x64) |
| MS Outlook 2013 | IBMMailAddin/901.2013.828.122 |

The following table shows known user agents of devices not supported by IBM Traveler.

Note: These values are subject to change by the application provider at any time.

Table 11. Unsupported user agents

| Device | User agent |
| --- | --- |
| Touchdown application | Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD |
| Blackberry Work Connect | BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android:Android/4.4.3 BLACKBERRY-WorkConnect/3.0 |
| Blackberry Work Connect | Android/4.4.4 BLACKBERRY-WorkConnect/3.0 |
| OpenPeak | OP/4.2 |
| AT&T Toggle | Toggle/3.0 |
| Microsoft Outlook Web App (OWA) | Outlook-iOS-Android/1.0 |

There are many possible examples where different User-Agent portions are combined. Here are a few:
- Apple - All Apple devices are allowed to sync, but no other devices.
- (IBM SyncML Client)|(IBM Traveler WM) - All Windows Mobile devices (old and new) are allowed to sync, but no other devices.
- (Nokia SyncML HTTP Client)|(IBM Traveler Nokia) - All Nokia devices (old and new) are allowed to sync, but no other devices.
- Lotus Notes Traveler * 8.5.2 - Only 8.5.2 Windows Mobile® and Nokia clients are allowed to sync, but not Apple devices.
- (Apple)|(Lotus Notes Traveler WM) - Only Apple and 8.5.2 Windows Mobile® clients are allowed to sync, but not Nokia devices.
- Apple-iPhone/7 - Only Apple iPhones (not iPods or iPads) using OS 3 are allowed to sync (Windows Mobile® and Nokia devices are not allowed either).
- IBM Traveler Android - Only Android devices are allowed to sync.
- NTS_USER_AGENT_ALLOWED_REGEX=^((?!((Toggle)|(Outlook-iOS-Android))).)*$ - This blocks Toggle and OWA, all others allowed. Note that this only blocks certain devices. A more secure setup would be to only allow the explicit devices you want to be allowed. This way, it is not necessary to update this portion each time you find a new device you want to block.
- NTS_AS_PROTOCOL_VERSIONS - specifies the Exchange ActiveSync Protocol versions that the server supports. The server supports 2.5, 12.0, and 12.1. Apple OS 2.x devices only support AS 2.5, thus if you want those devices to be allowed you must include 2.5 in this list. If you would like to block Apple OS 2.x devices, you may remove 2.5 from this list. Apple OS 3.x devices support 12.1, so you should always include that version in the list. Non-Apple devices may not support 12.1 while supporting 12.0, which is between 2.5 and 12.1. These values are comma-separated and must not contain spaces. For example:
  NTS_AS_PROTOCOL_VERSIONS=2.5,12.0,12.1,14.0,14.1
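
An added example (not part of the IBM documentation) for the deny-list versus allow-list advice on NTS_USER_AGENT_ALLOWED_REGEX above: it runs a candidate value against the user agents from the unsupported-devices table before the value goes into notes.ini. Assumptions: Python's re module stands in for the server's regex engine, a User-Agent passes when the pattern is found anywhere in it (as the page's "Apple" example implies), ExampleCorpMail is a hypothetical approved client, and the device-type flag checks that run first are not modelled.

```python
import re

# Pattern taken from the page: blocks Toggle and OWA, allows everything else.
DENY_LIST = r"^((?!((Toggle)|(Outlook-iOS-Android))).)*$"
# Constructed allow-list: only a hypothetical approved client may sync.
ALLOW_LIST = r"^ExampleCorpMail/\d"

# User agents from the page's "Unsupported user agents" table, plus one
# constructed value (ExampleCorpMail/2.1) standing in for an approved client.
SAMPLE_AGENTS = [
    "Apple-TouchDown(MSRPC)/8.4.00086/ENCRYPTDEVICE,ENCRYPTSD",
    "BLACKBERRY-WorkConnect:BLACKBERRY-WorkConnect/3.0",
    "Android/4.4.4 BLACKBERRY-WorkConnect/3.0",
    "OP/4.2",
    "Toggle/3.0",
    "Outlook-iOS-Android/1.0",
    "ExampleCorpMail/2.1",
]

def allowed(pattern, user_agent):
    """Assumed semantics: a User-Agent may sync if the pattern is found in it."""
    return re.search(pattern, user_agent) is not None

def audit(pattern, agents=SAMPLE_AGENTS):
    """Split agents into (allowed, blocked) lists for one candidate value."""
    ok = [ua for ua in agents if allowed(pattern, ua)]
    blocked = [ua for ua in agents if ua not in ok]
    return ok, blocked

def newly_exposed(old_pattern, new_pattern, agents=SAMPLE_AGENTS):
    """Agents that the new value would admit but the old value blocked."""
    old_ok, _ = audit(old_pattern, agents)
    new_ok, _ = audit(new_pattern, agents)
    return [ua for ua in new_ok if ua not in old_ok]

if __name__ == "__main__":
    for name, pattern in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        ok, blocked = audit(pattern)
        print(f"{name}: NTS_USER_AGENT_ALLOWED_REGEX={pattern}")
        for ua in ok:
            print(f"  ALLOW  {ua}")
        for ua in blocked:
            print(f"  BLOCK  {ua}")
```

Against this sample the page's deny-list value still admits the TouchDown, Work Connect and OpenPeak agents, while the allow-list admits only the approved client, which is the gap the page's "more secure setup" remark describes.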