The IBM Verse app for iOS supports application management using MobileIron AppConnect Mobile Application Management features. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use MobileIron AppConnect Mobile Device Management solution, then this article is not applicable to your deployment. IBM Verse for iOS will continue to run normally, as a non-managed application or managed by another solution.
Minimum requirements
The following components are required at the specified minimum levels.
- Mobile@Work for iOS version 6.3 (or later)
- MobileIron Standalone Sentry version 6.1 (or later)
- IBM Traveler Server, version 9.0.1.4 (or later - see IBM Traveler maintenance site for latest recommended Traveler server version)
- IBM Verse app for iOS version 9.2 (or later)
Mobile Application Management (MAM)
The IBM Verse app for iOS can operate in two different modes:
- Managed - MobileIron Mobile Application Management is detected and AppConnect global policies, AppConnect app policies and AppConnect config settings are in effect that provide application management policies for the application.
- Unmanaged - MobileIron Mobile@Work is not installed or deployed as a device or application management profile.
The IBM Verse app for iOS dynamically detects which environment is present and adjusts its security behavior based on these modes. If an organization deploys MobileIron Mobile@Work on a mobile device after the IBM Verse app is already in use, then the next time IBM Verse starts it will detect that Mobile@Work is present and switch to its managed mode. Note that the IBM Verse app for iOS is available from Apple iTunes at https://itunes.apple.com/us/app/ibm-verse/id949952976. This one app supports both MobileIron managed and unmanaged mode; there is no separate MobileIron-only version of IBM Verse.
MobileIron Features Available for IBM Verse for iOS
IBM Verse for iOS includes the MobileIron AppConnect SDK which allows it to take advantage of the security features offered by the AppConnect library in environments where MobileIron is deployed. These features include:
· Application provisioning: Automatically configure user accounts with the correct IBM Traveler server and user names, so that no manual client configuration is required, other than users supplying their IBM Verse password.
· Access through Sentry: Establish security rich, authorized connections to the IBM Traveler server using the MobileIron Sentry, which are then managed by the MobileIron Core. Connections between IBM Verse and the Sentry are secured using digital certificates that are unique for each mobile device. Using the MobileIron Sentry is optional for IBM Verse, but often desirable as this is used by the IBM Verse app to access the IBM Traveler servers located on company premises.
· Application security enforcement: MobileIron administrators can enforce application security policies within the IBM Verse for iOS application:
· On device secure application access: Enforce application level authentication using a common MobileIron passcode shared among all AppConnect enabled applications on the device, preventing access to IBM Verse data when the device is not compliant or when the user is no longer authorized, according to the policies in effect on the MobileIron server.
· Data sharing controls and security: Enforce that IBM Verse data, most notably file attachments, can only be shared with other AppConnect enabled applications. Restrict copy and paste operations with the app clipboard.
· Data sharing controls
Data leak prevention settings are specified in the AppConnect container policy. In this policy, you can specify whether your app is allowed to share documents with other apps and paste data from Verse outside the application.
· Data security
In a MobileIron managed device, managed apps like IBM Verse are notified by MobileIron Core when application data must be restricted or erased. This may occur for a variety of reasons, including:
· The device has been lost or stolen and either the user or administrator issues an application data wipe
· The device is no longer secure (for example, it has been jailbroken)
· The application passcode is entered incorrectly on multiple consecutive tries
In these cases, IBM Verse, like any other MobileIron managed application, will block the application user interface and present the user with a message (determined by the administrator or MobileIron policy) describing why the app is no longer available. Additionally, if required by the policy, all data local to the IBM Verse app will be erased.
Enabling MobileIron Features
The following sections describe how to enable MobileIron application management of the IBM Verse for iOS application in your MobileIron environment.
Administration
All AppConnect policies, users, and devices are managed using the MobileIron Admin Portal. When defining AppConnect Policy and Config profiles, use the bundle identifier com.ibm.lotus.traveler to correlate the policy or config with the IBM Verse for iOS app.
Secure Network Access
The MobileIron Core and Sentry provide secure, authorized access to the IBM Traveler server for Mail, Calendar and Contacts. MobileIron restricts unauthorized apps from accessing the IBM Traveler server using the MobileIron AppTunnel feature. All data sync and communication between the IBM Verse for iOS application and the IBM Traveler server is performed over this tunnel. These connections are only allowed by the MobileIron Sentry if the device, application and user meet the security compliance policies established by the MobileIron administrator for your business. Note that using the MobileIron Sentry is optional, and it is possible to use the AppConnect version of IBM Verse for iOS without the MobileIron Sentry. IBM Verse for iOS will only use the MobileIron Sentry AppTunnel connection if it is configured with the appropriate routing rules. However, if the MobileIron Sentry is used, then the MobileIron AppTunnel feature must be enabled in order for IBM Verse to connect through it. The IBM Verse for iOS application uses SyncML as its synchronization protocol, which requires AppTunnel enablement if the Sentry is used.
To set up the secure network tunneling capabilities provided by MobileIron, the administrator must first create an AppConnect App Configuration in the MobileIron administration console for the IBM Verse for iOS application. The administrator needs to supply the following information:
· The URL and port of the IBM Traveler server being managed by MobileIron
· The address of the MobileIron Sentry
When creating the App Configuration, enter a name and description for the configuration and select the IBM Verse application from the Application selector. Note that the IBM Verse application cannot be selected until it is uploaded and added to your enterprise app storefront. In the AppTunnel section of the configuration, use the IBM Traveler server address for the URL wildcard, omitting any path component such as /traveler or /servlet/traveler. You may use a wildcard, but it is unnecessary, as the IBM Verse for iOS application does not communicate with anything except the IBM Traveler server. For example, if you have an IBM Traveler server at https://traveler.acme.com/traveler, enter traveler.acme.com or *.acme.com. Note that this is the hostname of your IBM Traveler server on your internal network. This address is generally not accessible from outside your network, and an externally accessible address is not required. You must also supply the port in the designated column, as well as the MobileIron Sentry address in the Sentry column. If your Traveler server is using a secure port with SSL or TLS, the default port number of 443 should be used.
If IBM Mobile Connect (IMC) is used as part of your deployment infrastructure, ensure the IMC server(s) being used include IMC server APAR IV47940. This APAR is a prerequisite, as it resolves an issue with IMC failing to read and deliver certain transaction responses with IBM Verse (most notably that sending an email with an attachment with the Verse application halts syncing) in a MobileIron managed environment.
Server security policies
IBM Traveler has a number of security policies that can be enforced by the IBM Verse for iOS app even when it is not managed by MobileIron. However, when IBM Verse is managed by MobileIron, most of the security policies that can be defined at the IBM Traveler server are ignored in favor of a similar policy that can be defined in the security policy on the MobileIron Core. In the cases where a security policy is still set at the IBM Notes Traveler server for iOS devices, but the same policy can be managed by MobileIron, the IBM Verse app for iOS will ignore the policy setting from the IBM Traveler server.
The following table shows the IBM Verse app for iOS security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse application for iOS when managed by MobileIron or ignored in favor of honoring the MobileIron policy.
| Notes Traveler Policy | IBM Verse Behavior |
| --- | --- |
| Require application password | Ignored – managed by MobileIron |
| Application password - type | Ignored – managed by MobileIron |
| Application password - minimum length | Ignored – managed by MobileIron |
| Application password - auto lock period | Ignored – managed by MobileIron |
| Application password - expiration period | Ignored – managed by MobileIron |
| Application password - history count | Ignored – managed by MobileIron |
| Application password - wrong passwords before wiping device | Ignored – managed by MobileIron |
| Application password - prohibit ascending, descending and repeating sequences | Ignored – managed by MobileIron |
| Application password - allow touch ID | Ignored – managed by MobileIron |
| Prohibit copy to clipboard | Ignored – managed by MobileIron |
| Prohibit export of attachments | Ignored – managed by MobileIron |
| Prohibit download of attachments | Honored |
Using the MobileIron Web@Work Browser from within IBM Verse
Email messages and calendar events contained within the IBM Verse mobile app will often contain http or https web links. Starting with IBM Verse for iOS version 9.2.4, IBM Verse can be configured so that pressing one of these web links automatically launches the MobileIron Web@Work browser rather than the native Safari browser. The MobileIron Web@Work browser provides a secure tunnel into your company intranet, allowing access to internal company web sites from mobile devices. It also provides a secure container that honors the MobileIron security policies, preventing data from company web sites from leaking to unauthorized systems. The MobileIron administrator can enable this capability using IBM Verse configuration policies that are applied using custom configuration.
The following new configuration keys are now supported by IBM Verse for iOS:
| Key | Value | Details |
| --- | --- | --- |
| com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MobileIron Web@Work browser. Set to true to use the MobileIron browser. Default is false. |
| com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, then Verse will compare the hostname of the web link that was pressed to this regular expression pattern. If the hostname matches this expression, then the MobileIron Web@Work browser will be used. If not, the native Safari browser is launched. See below for examples. |
Example scenarios:
1) I want to use the MobileIron Web@Work browser for all web URLs contained within Verse email messages.
Action: You will need to set the configuration key com.ibm.mobile.mail.useSecureBrowser=true and deploy this configuration key to the Verse app.
2) I want to use the MobileIron Web@Work browser as a standalone app, and not use it to resolve any web links that I click from within Verse.
Action: No action needed, since by default Verse does not use the Web@Work browser; it must be explicitly enabled before Verse will open links in it. Optionally you could set the configuration key com.ibm.mobile.mail.useSecureBrowser=false and deploy this configuration key to the Verse app.
3) I want to use the MobileIron Web@Work browser when using Verse to open any link with my company's domain name, "mycompany.com", but I want web sites from any other domain to use the native iOS browser.
Action: Set the following configuration keys within the Verse configuration profile and deploy this profile to the Verse app.
com.ibm.mobile.mail.useSecureBrowser=true
com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com
There are many variations possible by specifying a regular expression to determine which domains should be opened using MobileIron Web@Work browser.
Match anything using the mycompany.com or greenwell.com domain: com.ibm.mobile.mail.secureBrowserPattern=.*.(mycompany|greenwell).com
Match anything using the mycompany.com or greenwell.org domain: com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com|.*.greenwell.org
Match anything using the mycompany.com domain except for a couple of specific websites within this domain, site1.mycompany.com and site2.mycompany.com: com.ibm.mobile.mail.secureBrowserPattern=(?!site1.mycompany.com)(?!site2.mycompany.com)(.*.mycompany.com)
Note that the "match anything" or wildcard expression should be specified as ".*" and not simply '*'.
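The link-routing rule and the example patterns above, worked through as an added Python example (not code from the page or from the Verse app). It assumes the configuration arrives as a dict of string keys and values, that the short com.ibm.mobile.* key is accepted as a fallback, and that the pattern is applied as a full, case-insensitive match against the hostname only.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the app-specific configuration delivered to Verse,
# modelled here as a plain dict of string keys and string values (the page
# describes the values; the dict form is this example's assumption).
SAMPLE_CONFIG = {
    "com.ibm.mobile.mail.useSecureBrowser": "true",
    "com.ibm.mobile.mail.secureBrowserPattern":
        "(?!site1.mycompany.com)(?!site2.mycompany.com)(.*.mycompany.com)",
}


def _setting(config, name):
    """Look up the long key first, then the short com.ibm.mobile.* form
    (treating the two spellings as equivalent is an assumption)."""
    return config.get("com.ibm.mobile.mail." + name,
                      config.get("com.ibm.mobile." + name))


def choose_browser(config, url):
    """Return 'webatwork' or 'safari' for a link pressed inside Verse.

    Assumed semantics (not spelled out on the page): the pattern is applied
    as a full, case-insensitive match against the URL's hostname only.
    """
    enabled = (_setting(config, "useSecureBrowser") or "false").strip().lower()
    if enabled != "true":
        return "safari"            # default is false: Web@Work never used
    pattern = _setting(config, "secureBrowserPattern")
    if not pattern:
        return "webatwork"         # enabled with no pattern: every link
    host = (urlsplit(url).hostname or "").lower()
    try:
        matched = re.fullmatch(pattern, host, re.IGNORECASE)
    except re.error as exc:
        raise ValueError(f"invalid secureBrowserPattern {pattern!r}: {exc}") from exc
    return "webatwork" if matched else "safari"


# Caveat worth checking before deployment: in the page's patterns the dots
# are unescaped, so '.' matches any character. '.*.mycompany.com' therefore
# matches 'notmycompany.com' (one extra char before 'mycompany') but not the
# apex 'mycompany.com' itself. Escaping the dots, '.*\.mycompany\.com',
# restricts it to real subdomains; add '|mycompany\.com' for the apex.
```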
Managed Configuration
You can provide configuration parameters to automate the setup of IBM Verse on managed devices. There are two methods that are supported for providing the configuration when using MobileIron.
1 - From the MobileIron administration portal, under the Policies and Configs section, configuration properties can be defined in the AppConnect->App Configuration profile for IBM Verse. Within the App Configuration profile, there is a section called App specific configuration that accepts key names and values for the app. This is the recommended method to use for applying configuration parameters.
2 - From the MobileIron administration portal, under Policies and Configs section, configuration properties can be defined in the iOS & OS X->Managed App Config profile.
The configuration parameters are specified as a series of keys and values, all of which are strings. The parameters are optional, and if they are not provided, IBM Verse will choose the default value, or if a default value is not applicable, it will prompt the user for the value. Note that if these settings are modified after their initial deployment, the updated settings are distributed to any managed client and IBM Verse will honor the updated values. The supported parameters are:
| Key | Value | Details |
| --- | --- | --- |
| com.ibm.mobile.mail.serverURL or com.ibm.mobile.serverURL | The connection URL used to access the IBM Traveler server. | This value must be a fully qualified URL, otherwise the parameter will be rejected. For example: https://traveler.mycompany.com/traveler. In order to use Connections cloud, the URL must be a valid cloud URL containing "collab" and a region code. |
| com.ibm.mobile.mail.user or com.ibm.mobile.user | The user ID used to access the IBM Traveler server. | Use the MobileIron substitution variable $USERID$ to specify the MobileIron user ID or $EMAIL$ to use the MobileIron mail address. |
| com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MobileIron Web@Work browser. Set to true to use the MobileIron Web@Work browser. |
| com.ibm.mobile.mail.RequireDevicePasscode or com.ibm.mobile.RequireDevicePasscode | true or false | When set to true, the Verse app checks that a device passcode is set before the user is allowed to log in and sync PIM data. If this parameter is not specified it defaults to false and no passcode check is performed. This configuration parameter is supported with Verse version 9.3.3 and later. |
| com.ibm.mobile.mail.disableShareMenu or com.ibm.mobile.disableShareMenu | true or false | When set to true, the Verse app does not display the context menu that contains the Share option, to prevent potential data leakage. Attachment preview is also disabled to prevent use of the Share menu in that context. If this parameter is not specified it defaults to false and the Share options and attachment preview remain available. This configuration parameter is supported with Verse version 9.3.3 and later. |
| com.ibm.mobile.mail.allowLoadRemoteImages | true or false | When set to true, the Verse app surfaces the Load Remote Images setting, initially in the Off state, and the user can set it to their preference. When set to false, the setting is hidden and remote images are never loaded. If this parameter is not specified, it defaults to true. This configuration parameter is supported with Verse version 9.3.5 and later. |
| com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, Verse compares the hostname of the web link that was pressed against this regular expression. If the hostname matches, the MobileIron Web@Work browser is used; if not, the native Safari browser is launched. |
Example MobileIron Application Configuration values:
Key: com.ibm.mobile.mail.user Value: $USERID$
Key: com.ibm.mobile.mail.serverURL Value: https://traveler.mycompany.com/traveler
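The default values and the rejection rule for serverURL from the table above, worked through as an added Python example (not code from the page or from the Verse app). The dict form of the configuration, the short com.ibm.mobile.* key fallback, and the handling of an unsubstituted $USERID$ as a missing value are this example's assumptions.

```python
from urllib.parse import urlsplit

# Defaults as given in the table above. serverURL and user have no default:
# when absent, Verse prompts the user for them.
BOOLEAN_DEFAULTS = {
    "useSecureBrowser": False,
    "RequireDevicePasscode": False,
    "disableShareMenu": False,
    "allowLoadRemoteImages": True,
}


def parse_managed_config(config):
    """Turn the delivered config (string keys, string values) into typed
    settings plus the keys to prompt for and the values that were rejected.

    Accepting the short com.ibm.mobile.* key as a fallback for every
    com.ibm.mobile.mail.* key is this example's assumption.
    """
    def get(name):
        return config.get("com.ibm.mobile.mail." + name,
                          config.get("com.ibm.mobile." + name))

    settings, prompt, rejected = {}, [], []
    for name, default in BOOLEAN_DEFAULTS.items():
        raw = get(name)
        value = (raw or "").strip().lower()
        if raw is None:
            settings[name] = default
        elif value in ("true", "false"):
            settings[name] = value == "true"
        else:                       # not a boolean string: keep the default
            rejected.append(name)
            settings[name] = default

    url = get("serverURL")
    if url is None:
        prompt.append("serverURL")
    elif urlsplit(url).scheme in ("http", "https") and urlsplit(url).hostname:
        settings["serverURL"] = url
    else:                           # not fully qualified: rejected, then prompted
        rejected.append("serverURL")
        prompt.append("serverURL")

    user = get("user")
    # A literal, unsubstituted MobileIron variable such as $USERID$ means the
    # substitution never happened; treating it as missing is an assumption.
    if not user or (user.startswith("$") and user.endswith("$")):
        prompt.append("user")
    else:
        settings["user"] = user
    return settings, prompt, rejected
```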