The IBM Verse app for iOS supports application management using Fiberlink MaaS360's Mobile Application Management features. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use Fiberlink's MaaS360 Mobile Device Management solution, then this article is not applicable to your deployment. IBM Verse for iOS will continue to run normally, as a non-managed application.
Minimum requirements
The following components are required at the specified minimum levels:
- Fiberlink MaaS360 app version 2.75 (or later)
- IBM Traveler Server, version 9.0.1.4 (or later - see IBM Traveler maintenance site for latest recommended Traveler server version)
- IBM Verse app for iOS version 9.1.1 (or later)
Mobile Application Management (MAM)
The IBM Verse app for iOS can operate in two different modes:
- Managed - MaaS360 Mobile Application Management is detected and persona policies are in effect that provide application management policies for the application.
- Unmanaged - MaaS360 is not installed or deployed as a device or application management profile, or it is installed but the IBM Verse application is not white listed as a managed application.
The IBM Verse app for iOS dynamically detects which environment is present and adjusts its security behavior based on these modes. If an organization deploys MaaS360 on a mobile device after IBM Verse is already in use, then the next time IBM Verse starts it will detect MaaS360 is present and switch to its managed mode.
Administration
All MaaS360 application and device security policies are configured and deployed using the MaaS360 administration portal. Please review MaaS360 Mobile Application Management for more information.
Key features of IBM Verse for iOS when managed by MaaS360
The following MaaS360 application management security features can be enabled when running IBM Verse for iOS in a MaaS360 managed application environment:
- Authenticate users before accessing managed applications
- App tunneling for secure access to corporate data when using IBM Mobile Connect's MaaS360 integration feature
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checks for jail broken devices)
- Restrict copy and paste for managed applications
- Restrict open-in controls to a set of white-listed applications and/or file extensions
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security posture
Current limitations
IBM Verse does not have support for the following MaaS360 capabilities:
- File import restrictions
- MaaS360 Enterprise Gateway
- MaaS360 File Editor
- Storing documents in the MaaS360 Secure Document Store
Data sharing controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to IBM Verse by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.
Data security
In a MaaS360 managed device, managed apps like IBM Verse are notified by MaaS360 when application data must be restricted or erased. This may occur for a variety of reasons, including:
- The device has been lost or stolen and either the user or administrator issues an application data wipe
- The device has a geo-fencing policy and it has moved outside of the fenced area
- The application passcode is entered incorrectly too many times
In these cases, IBM Verse, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) describing why the app is no longer available. Additionally, if required by the policy, all data local to the IBM Verse app will be erased.
Server security policies
IBM Traveler has a number of security policies that can be enforced by the IBM Verse for iOS app even when it is not managed by MaaS360. However, when IBM Verse is managed by MaaS360, most of the security policies that can be defined at the IBM Traveler server are ignored in favor of a similar policy that can be defined in the MaaS360 security policy. In the cases where a security policy is still set at the IBM Notes Traveler server for iOS devices, but the same policy can be managed by MaaS360, the IBM Verse app for iOS will ignore the policy setting from the IBM Traveler server.
The following table shows the IBM Verse app for iOS security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse application for iOS when managed by MaaS360 or ignored in favor of honoring the MaaS360 policy.
Notes Traveler Policy | IBM Verse Behavior |
Require application password | Ignored – managed by MaaS360 |
Application password - type | Ignored – managed by MaaS360 |
Application password - minimum length | Ignored – managed by MaaS360 |
Application password - auto lock period | Ignored – managed by MaaS360 |
Application password - expiration period | Ignored – managed by MaaS360 |
Application password - history count | Ignored – managed by MaaS360 |
Application password - wrong passwords before wiping device | Ignored – managed by MaaS360 |
Application password - prohibit ascending, descending and repeating sequences | Ignored – managed by MaaS360 |
Application password - allow touch ID | Ignored – managed by MaaS360 |
Prohibit copy to clipboard | Ignored – managed by MaaS360 |
Prohibit export of attachments | Ignored – managed by MaaS360 |
Prohibit download of attachments | Honored |
IBM Fiberlink MaaS360 Cloud Extender Support
The IBM Fiberlink MaaS360 mobile device management product now includes support for monitoring, reporting and enforcing access restrictions to the IBM Traveler server for the IBM Verse application and other supported IBM Traveler clients. This support is provided for both on premises based IBM Traveler servers and devices and Verse mobile apps using the IBM SmartCloud Traveler service. The MaaS360 Cloud Extender component is now capable of connecting to IBM Traveler servers either on your company premises or within the IBM SmartCloud. The MaaS360 Cloud Extender is capable of discovering which Traveler devices are in use for a customer, automatically approving apps and devices that are allowed to sync with IBM Traveler and the ability to automatically block or wipe the data from those devices if they are compromised or are no longer compliant with a customer’s security policies. Note that for companies that are using IBM SmartCloud Traveler, this feature is currently limited to companies with 25,000 devices or less. Contact your IBM MaaS360 sales representative for more details on enabling this capability for your company.
Using the MaaS360 Secure Browser from within IBM Verse
Email messages and calendar events contained within the IBM Verse mobile app will often contain http or https web links. Starting with IBM Verse for iOS version 9.2.4, pressing on one of these web links will automatically launch the MaaS360 Secure Browser rather than the native Safari Browser. The MaaS360 Secure browser provides a secure tunnel capability into your company intranet, allowing access of internal company web sites from mobile devices. It also provides a secure container which will honor the MaaS360 security policies, preventing data from company web sites from potentially leaking out to unauthorized systems. If the IBM Verse app is managed by MaaS360, and the MaaS360 Secure Browser is enabled by the MaaS360 administrator, then by default, pressing on one of the web links will automatically launch the MaaS360 Secure Browser. This behavior can be modified by providing additional browser policies to the IBM Verse app using custom configuration.
The following new configuration keys are now supported by IBM Verse for iOS:
Key | Value | Details |
com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MaaS360 Secure Browser. Set to true to use Secure Browser. |
com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, then Verse will compare the hostname of the web link that was pressed to this regular expression pattern. If the hostname matches this expression, then the Secure Browser will be used. If not, the native Safari browser is launched. See below for examples. |
Example scenarios:
1) I want to use the MaaS360 Secure Browser for all web URLs contained within Verse email messages.
Action: You must enable the MaaS360 Secure Browser within the MaaS360 security policy. If the browser is enabled and deployed to the device, then it will be used for all web links pressed within the Verse app. There is no additional Verse configuration that is required. Optionally, you could also set the configuration key com.ibm.mobile.mail.useSecureBrowser=true and deploy this configuration key to the Verse app. But this step is not required for this behavior.
2) I want to use the MaaS360 Secure Browser as a standalone app, and not use it to resolve any web links that I click from within Verse.
Action: You will need to set the configuration key com.ibm.mobile.mail.useSecureBrowser=false and deploy this configuration key to the Verse app.
3) I want to use the MaaS360 Secure Browser when using Verse to open any link with my company's domain name, "mycompany.com", but I want web sites from any other domain to use the native iOS browser.
Action: Set the following configuration keys within the Verse configuration profile and deploy this profile to the Verse app.
com.ibm.mobile.mail.useSecureBrowser=true
com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com
There are many variations possible by specifying a regular expression to determine which domains should be opened using MaaS360 Secure Browser.
Match anything using the mycompany.com or greenwell.com domain: com.ibm.mobile.mail.secureBrowserPattern=.*.(mycompany|greenwell).com
Match anything using the mycompany.com or greenwell.org domain: com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com|.*.greenwell.org
Match anything using the mycompany.com domain except for a couple of specific websites within this domain, site1.mycompany.com and site2.mycompany.com: com.ibm.mobile.mail.secureBrowserPattern=(?!site1.mycompany.com)(?!site2.mycompany.com)(.*.mycompany.com)
Note that the "match anything" or wildcard expression should be specified as ".*" and not simply '*'.
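The routing rule from the key table, applied to the scenario 3 pattern, as an added example (not IBM's code). It assumes whole-hostname, case-insensitive matching, uses Python's re module in place of the regex engine Verse uses, and checks the ".mail." key spelling first; the hostnames and the escaped pattern variant are constructed for illustration. It shows that the unescaped dots in ".*.mycompany.com" match any character, so "wiki-mycompany.com" matches while the bare "mycompany.com" does not.

```python
import re
from urllib.parse import urlsplit

# Both key spellings from the page's table; trying the ".mail." form first
# is an assumption of this sketch.
PREFIXES = ("com.ibm.mobile.mail.", "com.ibm.mobile.")

def parse_config(text):
    """Parse the key=value lines of a MaaS360 configuration file."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def setting(cfg, name, default=None):
    return next((cfg[p + name] for p in PREFIXES if p + name in cfg), default)

def browser_for(url, cfg):
    """'secure' or 'safari', following the rules in the key table above.
    Assumes Verse is managed and Secure Browser is enabled in the policy."""
    if setting(cfg, "useSecureBrowser", "true").lower() == "false":
        return "safari"
    pattern = setting(cfg, "secureBrowserPattern")
    if not pattern:
        return "secure"
    host = urlsplit(url).hostname or ""
    # Assumption: the pattern has to match the whole hostname.
    return "secure" if re.fullmatch(pattern, host, re.IGNORECASE) else "safari"

# Scenario 3 exactly as written on the page.
PAGE_CFG = parse_config(
    "com.ibm.mobile.mail.useSecureBrowser=true\n"
    "com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com\n")
# Variant with literal dots and an optional subdomain part; whether Verse
# accepts backslashes in the configuration file is not confirmed by the page.
ESCAPED_CFG = parse_config(
    "com.ibm.mobile.mail.useSecureBrowser=true\n"
    r"com.ibm.mobile.mail.secureBrowserPattern=(.*\.)?mycompany\.com")

# Constructed hostnames; the second is in a different registered domain.
URLS = ["https://wiki.mycompany.com/page", "https://wiki-mycompany.com/",
        "https://mycompany.com/"]

def compare():
    """Map each URL to (decision with page pattern, decision with escaped one)."""
    return {u: (browser_for(u, PAGE_CFG), browser_for(u, ESCAPED_CFG)) for u in URLS}

if __name__ == "__main__":
    for url, decisions in compare().items():
        print(url, decisions)
```

Running candidate patterns through a check like this against known internal and external hostnames, before the configuration key is deployed, shows which links would stay in the Secure Browser.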
Managed Configuration
You can provide configuration parameters to automate the setup of IBM Verse on managed devices. There are two methods that are supported for providing the configuration when using MaaS360.
1 - From the MaaS360 Persona Policy, under Workplace Apps and the Configurations tab, enable Configure Apps. This opens up the options to enter in the IBM Verse for iOS Application name and then provide a configuration file with the appropriate configuration values. Use a text editor to create this file using the configuration Key names listed below. Each line of the file would be in the format key=value. Make sure to save your configuration file with the ".txt" extension. The MaaS360 administration portal requires these entries to be saved into a file with the file extension ".txt". If the filename does not have this extension, then dynamic substitutions for variables such as %user% and %email% will not occur. Using this method will enforce that the configuration values are set regardless of how your application is installed (either from iTunes or from the MaaS360 Enterprise Application catalog).
2 - From the MaaS360 APPS view in the administration portal, after you have added IBM Verse for iOS to the app catalog, select IBM Verse from the list and then select View. Select More -> Edit App Configuration Parameters. You are presented with a dialog which allows you to add or remove configuration parameter names and values. Use the configuration parameters from the table below. These parameters are applied to the IBM Verse for iOS application when it is installed using the MaaS360 app catalog.
The configuration parameters are specified as a series of keys and values, all of which are strings. The parameters are optional, and if they are not provided, IBM Verse will choose the default value, or if a default value is not applicable, it will prompt the user for the value. Note that if these settings are modified after their initial deployment, the updated settings are distributed to any managed client and IBM Verse will honor the updated values. The supported parameters are:
Key | Value | Details |
com.ibm.mobile.mail.serverURL or com.ibm.mobile.serverURL | The connection URL used to access the IBM Traveler server. | |
com.ibm.mobile.mail.user or com.ibm.mobile.user | The user ID used to access the IBM Traveler server. | Use the MaaS360 substitution variable %user% to specify the MaaS360 user ID or %email% to use the MaaS360 mail address. |
com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MaaS360 Secure Browser. Set to true to use Secure Browser. |
com.ibm.mobile.mail.disableShareMenu or com.ibm.mobile.disableShareMenu | True or false | When set to true, the Verse app will not display the context menu that contains the Share option to prevent potential data leakage. In addition, attachment preview is also disabled to prevent use of the Share menu in that context. If this parm is not specified it will default to false and the Share options and attachment preview will remain available. This configuration parameter is supported with Verse version 9.3.3 and later. |
com.ibm.mobile.mail.allowLoadRemoteImages | True or false | When set to true, the Verse app will surface the Load Remote Images setting initially in the Off state and the user can set to their preference. When set to false, the setting will be hidden and remote images will never be loaded. If this parameter is not specified, it will default to true. This configuration parameter is supported with Verse version 9.3.5 and later. |
com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, then Verse will compare the hostname of the web link that was pressed to this regular expression pattern. If the hostname matches this expression, then the Secure Browser will be used. If not, the native Safari browser is launched. |
Example MaaS360 Application Configuration file contents:
Enforcing a device passcode
The Verse application takes advantage of the iOS data protection feature for its data encryption. Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with the device passcode. Therefore, in order to enable iOS data protection, the device must be secured with a passcode. Customers who deploy MaaS360 to manage mobile devices can enforce a password policy using an MDM profile. However, some customers use MaaS360 in SPS mode where select applications are managed, but not the device. Starting with Verse for iOS version 9.3.3, a new configuration parameter is available for SPS customers that will ensure a device passcode is set before allowing the user to login with the Verse application. The following new configuration key is now supported by IBM Verse for iOS:
Key | Value | Details |
com.ibm.mobile.mail.RequireDevicePasscode or com.ibm.mobile.RequireDevicePasscode | True or false. | When set to true, the Verse app will check to ensure a device passcode is set before a user is allowed to login and sync PIM data. If this parameter is not specified it will default to false and no check for a passcode will be performed. This configuration parameter is supported with Verse version 9.3.3 and later. |
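An added example (not IBM or MaaS360 tooling) that checks a configuration file against the keys, defaults and minimum Verse versions listed in the tables above before the file is uploaded. Exact, case-sensitive key matching and leaving the default in place for a key below its minimum version are assumptions; the sample file and its server URL are constructed.

```python
# Setting name -> (default per the page, minimum Verse version per the page).
# None means the page states no default or no minimum version for that key.
KNOWN = {
    "serverURL": (None, None),
    "user": (None, None),
    "useSecureBrowser": (None, None),
    "secureBrowserPattern": (None, None),
    "disableShareMenu": ("false", (9, 3, 3)),
    "allowLoadRemoteImages": ("true", (9, 3, 5)),
    "RequireDevicePasscode": ("false", (9, 3, 3)),
}
PREFIXES = ("com.ibm.mobile.mail.", "com.ibm.mobile.")
MAIL_ONLY = {"allowLoadRemoteImages"}  # the page lists only the ".mail." spelling

def audit(text, verse_version):
    """Return (effective settings, findings) for a key=value configuration file.
    Exact, case-sensitive key matching is an assumption of this sketch."""
    effective = {name: d for name, (d, _) in KNOWN.items() if d is not None}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.strip().partition("=")
        if not key and not sep:
            continue  # blank line
        prefix = next((p for p in PREFIXES if key.startswith(p)), "")
        name = key[len(prefix):]
        documented = prefix and name in KNOWN and not (
            name in MAIL_ONLY and prefix != PREFIXES[0])
        if not sep or not documented:
            findings.append(f"line {lineno}: not a documented key=value entry")
            continue
        min_version = KNOWN[name][1]
        if min_version and verse_version < min_version:
            needed = ".".join(map(str, min_version))
            findings.append(f"line {lineno}: {name} requires Verse {needed} or later")
            continue  # assumption: the documented default stays in effect
        effective[name] = value.strip()
    return effective, findings

# Constructed sample: placeholder server URL, a misspelled key on line 4 and
# a key spelling the page does not list on line 5.
SAMPLE = """\
com.ibm.mobile.mail.serverURL=https://traveler.example.com
com.ibm.mobile.mail.user=%email%
com.ibm.mobile.mail.RequireDevicePasscode=true
com.ibm.mobile.mail.disableSharemenu=true
com.ibm.mobile.allowLoadRemoteImages=false
"""
```

For the sample, the misspelled disableSharemenu line is reported and disableShareMenu stays at its documented default of false, so the file as written would not restrict the Share menu.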