Skip to main content link. Accesskey S
  • HCL Logo
  • HCL Notes and Domino wiki
  • THIS WIKI IS READ-ONLY. Individual names altered for privacy purposes.
  • HCL Forums and Blogs
  • Home
  • Product Documentation
  • Community Articles
  • Learning Center
  • API Documentation
Search
Community Articles > IBM Verse > Using MaaS360 with IBM Verse for Android devices
  • Share Show Menu▼
  • Subscribe Show Menu▼

Recent articles by this author

Best Practices for Maintaining IBM Traveler
A look at IBM Traveler at how it operates in the real world.

IBM Cloud - Simple Form authentication for mobile apps
IT administrators can use form based authentication for IBM Enterprise Social mobile applications with IBM Connections Cloud.

Using XenMobile with IBM Verse Citrix for iOS devices
IBM Verse Citrix on iOS devices has the ability to be managed by XenMobile Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.

Using MobileIron AppConnect with IBM Verse for iOS Devices
The IBM Verse app for iOS supports application management using MobileIron AppConnect Mobile Application Management features. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.

Using MaaS360 with IBM Verse for Android devices
The IBM Verse application for Android has the ability to be managed by MaaS360 Mobile Device Management. This article describes the MaaS360 application management capabilities available for enablement, and how to take advantage of them, when using the Verse for Android application in a MaaS360 ...
Community articleUsing MaaS360 with IBM Verse for Android devices
Added by ~Ted Dwoveluploplen | Edited by ~Ted Dwoveluploplen on May 1, 2017 | Version 5
  • Actions Show Menu▼
expanded Abstract
collapsed Abstract
No abstract provided.
Tags: Fiberlink, MaaS360, android
The IBM Verse application for Android has the ability to be managed by MaaS360 Mobile Device Management. This article describes the MaaS360 application management capabilities available for enablement, and how to take advantage of them, when using the Verse for Android application in a MaaS360 mobile application managed environment.

If your organization does not use MaaS360 Mobile Device Management, this article is not applicable to your deployment. IBM Verse for Android will continue to run normally, as a non-MaaS360 managed application.

Minimum requirements
The following components are required at the specified minimum levels.
  • MaaS360 MDM for Android v5.0 application, and/or MaaS360 MDM for Samsung v5.0 application
  • IBM Notes Traveler Server, version 8.5.3 Upgrade Pack 2
  • IBM Verse Android application version 9.0.1.2
Optionally, if your organization plans to leverage the MaaS360 File Viewer and/or the MaaS360 Browser with IBM Verse they will also need to be deployed to your Android devices as well. These are available in the Google Play Store.

Managed Application Management (MAM)
IBM Verse can operate in two different modes: managed, where MaaS360 Device Management is in use and manages application security, and unmanaged, where an organization does not use MaaS360 (or does not use it for managing applications). When an organization decides to deploy MaaS360, or remove it from their devices, applications must somehow discover this has occurred and switch to the new mode.

One typical case occurs when an organization has MaaS360 Device Management deployed and begins to use IBM Verse. The simplest approach for managing the Verse application is to first install the MaaS360 client on the managed device and set up the security policies and personas on the MaaS360 server. When IBM Verse starts, it will detect that MaaS360 is installed and configured, and will change its behavior accordingly.

If an organization deploys MaaS360 after IBM Verse is already in use, then the next time the application starts it will detect MaaS360 and change to managed mode. In either case, you can tell if IBM Verse is in managed by opening the "About" screen. If this screen contains a "Managing Agent" section, then IBM Verse is in managed mode. If there is not, then it is in unmanaged mode.

Administration
The Policies, Users, and Devices managed by MaaS360 server are administered online at http://portal.fiberlink.com See the MaaS360 MDM Admin Guide for more details on how to use this web-based console.

Key features of MaasS360 for IBM Verse on Android

The following MaaS360 application management security features can be enabled when running IBM Verse for Android in a MaaS360 application managed environment:
  • Authenticate users before accessing managed applications
  • App-level tunneling for secure access to corporate data without needing a device VPN
  • Set a timeout for single sign-on login across your managed applications
  • Enforce device compliance checks (for example, checks for jail broken devices)
  • Restrict copy and paste, as well as local and cloud data backups, for managed applications
  • Restrict open-in controls to a set of white-listed applications, including the MaaS360 File Viewer
  • Receive real-time alerts of compliance violations
  • Automatically deliver and update policies remotely to the application container based on user and device security posts

Current limitations
IBM Verse has not yet integrated MaaS360's application management support for:
  • File import restrictions
  • App-level tunneling for communications with the IBM Notes Traveler server
  • MaaS360 File Editor
  • Storing documents in the MaaS360 Secure Document Store

Behavioral differences when IBM Verse is in MaaS360 managed mode
When IBM Verse is in MaaS360 managed mode, the application will change from its default IBM Notes Traveler Server managed behavior in the following ways:
  • Will not check for application updates on the IBM Notes Traveler server
  • Will not register as an Android Device Administrator
  • Will not honor the application password setting from the IBM Notes Traveler server
  • Will not show the following menu entries:
    • Tools/uninstall
    • Tools/check for updates
    • Security
 
Data sharing controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to IBM Verse by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.

The Restrict File Export settings in the persona are similar to functions available in IBM Notes Traveler server administration. For example, IBM Notes Traveler 9.0.0.1 allows administrators to specify a list of apps that should be allowed to open attachments. The MaaS360 persona includes the same capability. When IBM Verse is in a managed mode in MaaS360 managed devices, they follow a simple rule when deciding which policy to follow -- the IBM Verse policy is ignored and the application behavior is dictated by the MaaS360 persona policy.


Data security
In a MaaS360 managed device, managed apps like IBM Verse are notified by MaaS360 when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this happens, IBM Verse, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse and all local data will be erased.

Server security policies
In general, most IBM Verse for Android security policies are now managed by MaaS360. In the cases where a security policy is still set at the IBM Notes Traveler server for Android devices, but the same policy can be managed by MaaS360, then the IBM Verse for Android application ignores the policy setting from the IBM Notes Traveler server.

The following table shows the Android security policies that can be set by the IBM Verse server, and whether they are honored by the IBM Verse for Android application or ignored. A few settings are honored by the IBM Verse for Android application, as MaaS360 does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.

Notes Traveler PolicyIBM Verse for Android Behavior
Require device passwordIgnored – managed by MaaS360
Device password - typeIgnored – managed by MaaS360
Device password - minimum lengthIgnored – managed by MaaS360
Device password - autolock timeoutIgnored – managed by MaaS360
Device password - expiration periodIgnored – managed by MaaS360
Device password - history countIgnored – managed by MaaS360
Device password - wrong passwords before wiping deviceIgnored – managed by MaaS360
Device password - prohibit unencrypted devicesIgnored – managed by MaaS360
Require application passwordIgnored – managed by MaaS360
Application password - wipe after X failed attemptsIgnored – managed by MaaS360
Application password - auto lock periodIgnored – managed by MaaS360
Disable local password storageIgnored – managed by MaaS360
Prohibit copy to clipboardIgnored – managed by MaaS360
Prohibit export of attachments to file systemIgnored – managed by MaaS360
Prohibit download of attachmentsHonored
Allow only approved applications to access attachmentsIgnored – managed by MaaS360
Prohibit cameraIgnored – managed by MaaS360
Require external domain validationHonored
Prohibit Devices incapable of security enablementHonored

Application specific configuration
Use the App-specific configuration parameters to automate the setup of IBM Verse for Android on managed devices.

The configuration parameters are specified as a series of keys and values, both of which are strings. The parameters are optional, but if they are not supplied, users need to setup IBM Verse for Android manually. Note that if these settings are modified after initial deployment, the updated settings are distributed to any client using these settings and IBM Verse for Android honors the updated values. The supported parameters are:

KeyValueDetails
com.ibm.mobile.mail.serverURLThe fully qualified URL used to access the IBM Notes Traveler server.This value must be a fully qualified URL that starts with either "http" (for a non-SSL connection) or "https" (for an SSL connection). The URL must end with "/traveler".

If this value is not a fully qualified URL, then the Server value will appear blank on the IBM Verse for Android connection screen.

In order to use Connections cloud, the URL must be a valid cloud URL containing "collab" and a region code. It is important to ensure that you use the correct region code that matches the IBM Connections Cloud data center that is hosting your company, otherwise unexpected results will occur. For example:

North America: https://traveler.notes.na.collabserv.com/traveler
Europe: https://traveler.notes.ce.collabserv.com/traveler
Asia/Pacific: https://traveler.notes.ap.collabserv.com/traveler
com.ibm.mobile.mail.userThe user ID used to access the IBM Notes Traveler server.Use the MaaS360 setting %user% to specify the MaaS360 user ID or %email% to use the MaaS360 email address.
com.ibm.mobile.mail.RejectUntrustedCertificates"false" (default) - allows the user to see and accept untrusted SSL certificates

"true" - blocks connections with untrusted SSL certificates
prohibitScreenOverlay"false" (default) - allows other applications to draw over Verse

"true" - prevents other applications from drawing over Verse		This setting can be used to prevent screen overlay applications from drawing over IBM Verse. If set to true, it disables all touch events for the Verse application when a screen overlay application is running on the device.

Note: When set to true, you can only disable this setting by changing the value to false. Removing it from the list of application configuration settings will not disable it.

Example MaaS360 Application Configuration file contents:

com.ibm.mobile.mail.user=%email%
com.ibm.mobile.mail.serverURL=https://yourserver.com/traveler

Please note that the MaaS360 server requires these entries to be included as a file with the "txt" extension and will not replace any variables if the file does not end in "txt".

IBM Fiberlink MaaS360 Cloud Extender Support

The IBM Fiberlink MaaS360 mobile device management product now includes support for monitoring, reporting and enforcing access restrictions to the IBM Traveler server for the IBM Verse application and other supported IBM Traveler clients. This support is provided for both on premises based IBM Traveler servers and devices and Verse mobile apps using the IBM SmartCloud Traveler service. The MaaS360 Cloud Extender component is now capable of connecting to IBM Traveler servers either on your company premises or within the IBM SmartCloud. The MaaS360 Cloud Extender is capable of discovering which Traveler devices are in use for a customer, automatically approving apps and devices that are allowed to sync with IBM Traveler and the ability to automatically block or wipe the data from those devices if they are compromised or are no longer compliant with a customer’s security policies. Note that for companies that are using IBM SmartCloud Traveler, this feature is currently limited to companies with 25,000 devices or less. Contact your IBM MaaS360 sales representative for more details on enabling this capability for your company.

  • Actions Show Menu▼


expanded Attachments (0)
collapsed Attachments (0)
Edit the article to add or modify attachments.
expanded Versions (1)
collapsed Versions (1)
Version Comparison     
VersionDateChanged by              Summary of changes
This version (5)May 1, 2017, 2:29:20 PM~Ted Dwoveluploplen  
expanded Comments (0)
collapsed Comments (0)
Copy and paste this wiki markup to link to this article from another article in this wiki.
Go ElsewhereStay ConnectedAbout
  • HCL Software
  • HCL Digital Solutions community
  • HCL Software support
  • BlogsDigital Solutions blog
  • Community LinkHCL Software forums and blogs
  • About HCL Software
  • Privacy
  • Accessibility