The Traveler Companion and ToDo apps on iOS have the ability to integrate into a MobileIron environment. This article describes the capabilities provided by this integration and how to take advantage of them in your deployment.
If your organization does not use MobileIron, you can skip this article. Companion and ToDo will continue to run normally in environments that are not managed by MobileIron.
Minimum Requirements
The following components are required at the specified minimum levels.
- MobileIron VSP, version 5.6.2
- MobileIron Sentry, version 4.6
- IBM Notes Traveler Server, version 8.5.3 Upgrade Pack 2
- Traveler Companion, version 9.0.0.1 (Available in the Apple iOS App Store)
- Traveler ToDo, version 9.0.0.1 (Available in the Apple iOS App Store)
Managed Application Management
As noted above, Companion and ToDo can operate in two different modes:
- managed, where MobileIron is in use and manages app security, and
- unmanaged, where an organization does not use MobileIron (or does not use it for managing apps).
When an organization decides to deploy MobileIron, or remove it from their environment, the apps must somehow discover and switch to the new mode.
One typical case occurs when an organization has MobileIron deployed and begins to use IBM Notes Traveler. Or perhaps IBM Notes Traveler is already deployed, but the Companion and ToDo apps are not in use. The simplest approach for managing the IBM Notes Traveler apps is to first install Mobile@Work on the managed devices and set up the App Configurations and Container Policies on the MobileIron server. (More on these below.) Then Companion and/or ToDo can be installed on the devices. When these applications are started up for the first time after installation, they will automatically detect that they are running in a MobileIron environment and will activate using managed mode.
If an organization deploys MobileIron after Traveler Companion or ToDo are already in use, then the apps will already be running in unmanaged mode. To force them to switch to managed mode, install Mobile@Work on the devices and set up the App Configurations and Container Policies, then reboot the devices. When Companion and ToDo are launched for the first time after reboot, they will detect the newly added Mobile@Work app and switch to managed mode.
Finally, if you should decide to remove MobileIron from your environment and switch Companion or ToDo from managed to unmanaged, you will need to delete the apps and reinstall them after removing the Mobile@Work app from the device. Simply removing the Mobile@Work app from the device will appear to the managed apps as a security violation and the user will be prevented from accessing the IBM Notes data in Companion and ToDo.
MobileIron Features in Companion and ToDo
In MobileIron deployments, the 9.0.0.1 versions of the Traveler Companion and ToDo apps add the ability to:
- Establish secure, authorized connections to the IBM Notes Traveler server through the MobileIron Sentry, under the management of the MobileIron VSP.
- Automatically configure user accounts so that no manual setup is required.
- Enforce printing and data-sharing controls specified by the MobileIron administrator.
- Prevent access to IBM Notes data when the device is not compliant or when the user is no longer authorized, according to the policies in effect on the MobileIron server.
These features and how to enable them are covered in the following sections.
Secure Network Access
The MobileIron VSP provides secure, authorized access to the IBM Notes Traveler server for Mail, Calendar and Contacts. For more detailed information on this support, consult the MobileIron VSP administration documentation, as this is beyond the scope of this document. However, it is worth noting that the MobileIron VSP restricts unauthorized apps from accessing the IBM Notes Traveler server, which, in the past, has effectively prevented users from using Companion and ToDo. The 9.0.0.1 versions of Companion and ToDo solve this problem by integrating with the Mobile@Work app provided by MobileIron. This integration allows Companion and ToDo to use a secure network tunnel provided by the MobileIron Sentry, ensuring the same authenticated access to the IBM Notes Traveler server used by the ActiveSync account on the device. This is accomplished using the MobileIron AppTunnel feature.
To set up Companion and/or ToDo to use the secure network tunneling capabilities provided by MobileIron, the administrator must first create an AppConnect App Configuration in the MobileIron administration console for each app; that is, one for Companion and one for ToDo. The administrator will need the following information:
- the application identifier for Companion (com.ibm.lotus.travelercompanion)
- the application identifier for ToDo (com.ibm.lotus.notes.todo)
- the URL and port of the IBM Notes Traveler server being managed by MobileIron
- the address of the MobileIron Sentry
When creating the App Configuration, enter a name and description for the config and add the appropriate application identifier. In the AppTunnel section, use the IBM Notes Traveler server address for the URL wildcard, omitting any path like /traveler or /servlet/traveler. You may use a wildcard here, but this isn't necessary since neither Companion nor ToDo will try to communicate with anything other than the IBM Notes Traveler server. For example, if you have an IBM Notes Traveler server at https://traveler.acme.com/traveler, enter traveler.acme.com or *.acme.com. You must also enter the port in the designated column and enter the MobileIron Sentry address in the Sentry column.
App-specific Configuration
Use the App-specific Configuration parameters to automate the setup of Companion and ToDo on managed devices. You may pre-populate one or two accounts on the device, depending on the device's ActiveSync configuration.
The configuration parameters are specified as a series of keys and values, both of which are strings. The parameters are optional, but if they are not supplied, users will have to set up Companion and ToDo manually. The parameters Companion and ToDo recognize are as follows:

| Key | Value | Details |
| --- | --- | --- |
| server | | required if user key is also provided. See note below about also setting the Notes Traveler External URL value at the Notes Traveler server. |
| user | IBM Notes Traveler user name, typically the mail address, which you can specify using $EMAIL$ | required if server key is also provided |
| email | Preferred mail address, typically $EMAIL$ | optional, and only used by Companion to populate the mail address setting, which may be different from the user name |
| user2 | User name of second IBM Notes Traveler user, if applicable. If a second ActiveSync account is set up on the device, the user name can be specified here using $USER_CUSTOM1$ | optional |
| email2 | The mail address of the second IBM Notes Traveler user, if applicable. Should also use $USER_CUSTOM1$ | optional, and only used by Companion to populate the mail address setting for the second user account |
| canAddAccount | 1 or 0, depending on whether the user should be allowed to add additional accounts manually. | optional -- if this key is not specified, the default behavior is to prevent the user from adding accounts manually |
The parameters do not necessarily have to be set before running the apps for the first time, although this is usually preferable. Companion and ToDo will check in with the Mobile@Work app periodically (at a time interval specified by the administrator), and when they detect the new parameters, will immediately update the account information they use to connect to the IBM Notes Traveler server.
If your organization manages both apps, then the app config parameters for both Companion and ToDo should match. This is because the accounts on the device are shared between both apps. If the configuration parameters do not match, then both apps will continually update the account list by undoing the changes made by the other app.
Note - It is recommended that the Notes Traveler external server URL setting match the value of the server key in the above table. Typically both of these values should point directly to the Notes Traveler server (in the standalone environment) or to the IP Sprayer host used in a Notes Traveler HA Pool. The Notes Traveler external server URL is set on the Notes Traveler server's Domino server document in the Notes Traveler tab. The field is called External Server URL. If these fields do not match, then each time a user opens a Domino encrypted mail link with Traveler Companion, they will be prompted to add a new Notes Traveler server configuration.
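The following is an added helper, not IBM's or MobileIron's code, that applies the rules from the AppTunnel and App-specific Configuration sections above: it derives the AppTunnel URL wildcard and port from a Traveler URL by dropping the path, checks one app's key/value parameters (server and user required together, canAddAccount defaulting to 0), confirms the Companion and ToDo configs match, and compares the server key against the Domino External Server URL. Bare host values are assumed to mean https, and all sample values are constructed.

```python
from urllib.parse import urlsplit

# Keys the article lists for the App-specific Configuration of Companion and ToDo.
KNOWN_KEYS = {"server", "user", "email", "user2", "email2", "canAddAccount"}


def host_and_port(value):
    """Reduce a Traveler server URL (or bare host) to (host, port).
    Assumption: a value without a scheme is treated as https."""
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.hostname is None:
        raise ValueError("no host in %r" % value)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname.lower(), parts.port or default


def apptunnel_entry(traveler_url, sentry):
    """Build the AppTunnel row: host without /traveler or /servlet/traveler, port, Sentry."""
    host, port = host_and_port(traveler_url)
    return {"url_wildcard": host, "port": str(port), "sentry": sentry}


def check_app_config(params):
    """Return the problems in one app's parameters, per the rules in the table above."""
    problems = ["unrecognized key: %s" % k for k in params if k not in KNOWN_KEYS]
    if bool(params.get("server")) != bool(params.get("user")):
        problems.append("server and user are required together")
    if params.get("canAddAccount", "0") not in ("0", "1"):
        problems.append("canAddAccount must be the string 1 or 0")
    return problems


def can_add_account(params):
    """An absent canAddAccount key means users cannot add accounts manually."""
    return params.get("canAddAccount", "0") == "1"


def configs_match(companion, todo):
    """Both apps share the device's accounts; mismatched configs make them undo each other."""
    return companion == todo


def server_matches_external_url(params, external_server_url):
    """The Domino External Server URL should name the same host and port as the server key."""
    return host_and_port(params["server"]) == host_and_port(external_server_url)


# Constructed sample values modelled on the article's acme.com example.
COMPANION_CFG = {"server": "traveler.acme.com", "user": "$EMAIL$", "email": "$EMAIL$"}
TODO_CFG = dict(COMPANION_CFG)
```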
Printing and Data Sharing Controls
The printing and data leak prevention settings are described in the MobileIron administration documentation. These policies can all be applied to Companion and ToDo by creating an AppConnect Container Policy for each app, or by setting global policies for all AppConnect apps. When specifying an app-specific policy, you must include the application signature, which is com.ibm.lotus.travelercompanion for Companion and com.ibm.lotus.notes.todo for ToDo. Please note that the Copy/Paste setting does not affect Companion because it already does not allow users to copy text from an encrypted mail and paste it to another application. Also, some options in the Container Policy do not apply to iOS apps, like prohibiting screen capture.
Some settings in the Container Policy (namely, Allow Print and Allow Open In) are similar to functions available in IBM Notes Traveler server administration. For example, IBM Notes Traveler 9.0.0.1 allows administrators to specify a list of apps that should be allowed to open attachments. The MobileIron Container Policy includes the same capability. When Companion and ToDo are run in managed mode in the MobileIron environment, they follow a simple rule when deciding which policy to follow -- the IBM Notes Traveler policy is ignored and the application behavior is dictated by the MobileIron policy.
Attachment Security Considerations
Mail attachments are a particularly interesting area for Mobile Application Management. In fact, MobileIron and IBM Notes Traveler 9.0.0.1 both offer administrative controls to help prevent the inadvertent leaking of secure attachments to uncontrolled and potentially unsecured locations. Depending on your needs, you may decide to use either the MobileIron or the IBM Notes Traveler controls exclusively, or allow them to work in conjunction with each other.
MobileIron accomplishes mail attachment security by routing all attachments to its Mobile@Work app. This is a feature known as MobileIron email attachment control and it uses the Docs@Work feature available in the Apple iOS version of the Mobile@Work app. When MobileIron is configured for this mode, the MobileIron Sentry encrypts all mail attachments in a way that can only be decrypted by the MobileIron app, where the attachment can be viewed, provided it is a common file type, like JPEG or PDF. See the MobileIron documentation for more information on this feature.
IBM Notes Traveler's solution is similar, in that mail attachments are routed to another app, namely Companion. However, the original message does not actually contain any attachment, encrypted or otherwise, but rather a link to the actual message containing the attachment(s). This link opens the message with its attachments in Companion, which can also preview certain common file types, but also uses the IBM Notes Traveler policy to determine which apps are approved to open attachments. For example, the administrator may allow the IBM Symphony viewer to open Open Office documents.
When Companion is managed in a MobileIron environment, you may decide to allow IBM Notes Traveler to route mail attachments through Companion. In this case, because the MobileIron App Container Policy is in effect, Companion retrieves the list of approved apps from the Allow Open In setting in the Container Policy, rather than the IBM Notes Traveler policy.
Data Security
In a MobileIron environment, AppConnect apps like Companion and ToDo are notified by Mobile@Work when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this happens, Companion and ToDo, like any other AppConnect app, will block the application UI and present the user with a message (determined by the administrator or Mobile@Work) explaining why the app is no longer available. Additionally, if required by the policy, the accounts used by Companion and ToDo and all local data will be erased.
For more information on MobileIron, refer to the documentation or the MobileIron website.