IBM Verse Citrix on iOS devices has the ability to be managed by XenMobile Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use XenMobile Device Management, you can skip this article and use the IBM Verse iOS app instead (https://itunes.apple.com/us/app/ibm-verse/id949952976).
Minimum requirements
The following components are required at the specified minimum levels.
- MDX wrapped IBM Verse Citrix iOS application, version 9.3.9 or later (available from Apple iTunes app store https://itunes.apple.com/us/app/ibm-verse-for-citrix/id981964830)
- MDX configuration file for IBM Verse Citrix iOS application (available from Citrix Ready site)
- IBM Traveler Server, version 9.0.1.4 (or later - see IBM Traveler maintenance site for latest recommended Traveler server version)
- Secure Hub iOS application, v10.4.10 (or later)
- XenMobile App Controller server, v10.0 (or later)
Managed Application Management (MAM)
IBM Verse Citrix can operate in two different modes: "managed", where XenMobile Device Management is in use and manages application security, and "unmanaged", where an organization does not use XenMobile (or does not use it for managing applications). When an organization decides to deploy XenMobile, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has XenMobile Device Management deployed and begins to use IBM Verse Citrix. The simplest approach for managing the IBM Verse Citrix application is to first install the Worx Home client on the managed device and set up the security policies on the XenMobile Device Manager and App Controller servers. When IBM Verse Citrix starts, it will detect that Worx Home is installed and configured, and will change its behavior accordingly.
If an organization deploys XenMobile after IBM Verse Citrix is already in use, then it will need to be reinstalled from the Worx Home application Store.
Administration
Mobile applications are administered online by the XenMobile App Controller. Users, groups, devices, files, and deployments are administered online by the XenMobile Device Manager. For more information on either console, refer to the Citrix Product eDocumentation regarding the XenMobile App Controller and the XenMobile Device Manager.
Key features of XenMobile for IBM Verse Citrix on iOS
When a third party application, such as IBM Verse Citrix, incorporates the XenMobile SDK libraries, the following security features can be enabled.
- Authenticate users before accessing managed applications
- App-level tunneling for secure access to corporate data without the need for a device VPN
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checking for jailbroken devices)
- Restrict copy and paste functionality
- Restrict open-in controls to a set of white-listed applications
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security postures
Data sharing controls
The data leak prevention settings are described in the XenMobile eDocumentation. These policies can be applied to IBM Verse Citrix by enabling Policies in the App Restrictions settings of the XenMobile App Controller.
The Document Exchange settings in the App Interaction policy are similar to IBM Traveler server administration functions. For example, IBM Traveler 9.0.1.4 allows administrators to specify a list of apps that should be allowed to open attachments. The XenMobile App Controller includes similar capabilities. When using IBM Verse Citrix in a XenMobile environment, the app follows a simple rule when deciding which policy to follow: the IBM Verse policy is ignored and the application behavior is dictated by the XenMobile policies.
Data security
In a XenMobile environment, managed apps like IBM Verse Citrix are notified by XenMobile when the application data needs to be restricted or erased.
This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this occurs, IBM Verse Citrix, like any other XenMobile managed application, will block the application UI and present the user with a message (determined by the administrator or XenMobile) explaining why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse Citrix and all local data will be erased.
Server security policies
Most IBM Verse Citrix iOS security policies are now managed by XenMobile. Where a security policy is still set at the IBM Traveler server for iOS devices but the same policy can be managed by XenMobile, the IBM Verse Citrix iOS application ignores the policy setting from the IBM Traveler server.
The following table shows the iOS security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse Citrix iOS application or ignored. A few settings are honored by the IBM Verse Citrix iOS application, as XenMobile does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
IBM Traveler policy | IBM Verse Citrix for iOS behavior |
Require device password | Ignored – managed by XenMobile |
Device password - type | Ignored – managed by XenMobile |
Device password - autolock timeout | Ignored – managed by XenMobile |
Device password - expiration period | Ignored – managed by XenMobile |
Device password - history count | Ignored – managed by XenMobile |
Device password - wrong passwords before wiping device | Ignored – managed by XenMobile |
Device password - prohibit unencrypted devices | Ignored – managed by XenMobile |
Replace application password | Ignored – managed by XenMobile |
Application Password - wipe after X failed attempts | Ignored – managed by XenMobile |
Application Password - auto lock period | Ignored – managed by XenMobile |
Disable Local password storage | Ignored – managed by XenMobile |
Prohibit Copy to clipboard | Ignored – managed by XenMobile |
Prohibit download of attachments | Honored |
Allow only approved applications to access attachments | Ignored – managed by XenMobile |
Prohibit Camera | Ignored – managed by XenMobile |
Require external domain validation | Honored |
Prohibit Devices incapable of security enablement | Honored |
IBM Verse for Citrix Configuration MDX Policies
When configuring IBM Verse for Citrix on the XenMobile App Controller, you will see an additional section titled "IBM Notes Traveler Settings" with the following two policies:
- IBM Notes Traveler server address - can be used to prepopulate the server information for users when they are initially configuring IBM Verse for Citrix on their iOS device. The format of the policy value is "https://example.com:8890/traveler". The default value of this policy is empty.
- Allow Load Remote Images - can be used to determine whether the user can modify the Load Remote Images setting in the iOS Verse client. The default value for this setting is true.
Additional Client configuration of a managed app can be defined and applied on the iOS device using a data dictionary. The dictionary can be defined in the Policy Information section under the Device Policies for the iOS platform in the Configure section of XenMobile. The Identifier for IBM Verse for Citrix should be com.ibm.lotus.travelerCitrix and the format of the dictionary content should be as follows:
<dict>
<key>com.ibm.mobile.mail.serverURL</key>
<string>https://example.com:8890/traveler</string>
<key>com.ibm.mobile.mail.user</key>
<string>username@domain</string>
</dict>
The following keys are supported by the IBM Verse for Citrix app:
Key | Value | Details |
com.ibm.mobile.mail.serverURL | The connection URL used to access the IBM Traveler server.
Note: If the IBM Traveler server address is specified in the IBM Traveler Settings section of the Configuration MDX policies mentioned above, this key will be ignored. | This value must be a fully qualified URL, otherwise the parameter will be rejected. For example:
https://traveler.mycompany.com/traveler
In order to use Connections cloud, the URL must be a valid cloud URL containing "collab" and a region code. It is important to ensure that you use the correct region code that matches the IBM Connections Cloud data center that is hosting your company, otherwise unexpected results will occur. For example:
North America: https://traveler.notes.na.collabserv.com/traveler
Europe: https://traveler.notes.ce.collabserv.com/traveler
Asia/Pacific: https://traveler.notes.ap.collabserv.com/traveler |
com.ibm.mobile.mail.user | The user ID used to access the IBM Traveler server. | XenMobile macros can be used in place of the user name so a single dictionary can be used for a large user base and have user-specific values appear for each targeted user. Please review Macros in XenMobile for more information. |
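The rules in the table above can be checked before a dictionary is deployed. The following Python sketch is an added example, not IBM or Citrix code: the names check_dictionary and sample are hypothetical, the cloud host pattern and region set are generalised from the three example URLs above, and "fully qualified" is assumed to mean an http(s) scheme plus a dotted host name.

```python
import plistlib
import re
from urllib.parse import urlsplit

URL_KEY = "com.ibm.mobile.mail.serverURL"
USER_KEY = "com.ibm.mobile.mail.user"
# Region codes taken from the three example cloud URLs on this page.
CLOUD_REGIONS = {"na", "ce", "ap"}
# Assumed host shape, generalised from those examples.
CLOUD_HOST = re.compile(r"^traveler\.notes\.([a-z]+)\.collabserv\.com$")
WRAPPER = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">%s</plist>'


def check_dictionary(fragment: str, mdx_server_address: str = "") -> list:
    """Return findings for a <dict> fragment; an empty list means none."""
    # plistlib expects a whole document, so wrap the bare <dict> first.
    config = plistlib.loads((WRAPPER % fragment).encode("utf-8"))
    findings = [f"unsupported key: {k}" for k in config
                if k not in (URL_KEY, USER_KEY)]
    url = config.get(URL_KEY)
    if url is None:
        return findings
    if mdx_server_address:
        findings.append("serverURL ignored: MDX policy sets the server address")
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Assumption: "fully qualified" means scheme plus dotted host name.
    if parts.scheme not in ("http", "https") or "." not in host:
        findings.append("serverURL is not a fully qualified URL")
    if "collab" in host:
        match = CLOUD_HOST.match(host)
        if not match or match.group(1) not in CLOUD_REGIONS:
            findings.append("cloud serverURL has no recognised region code")
    return findings


def sample(url: str, user: str = "username@domain") -> str:
    """Build a constructed sample dictionary in the page's format."""
    return (f"<dict><key>{URL_KEY}</key><string>{url}</string>"
            f"<key>{USER_KEY}</key><string>{user}</string></dict>")


if __name__ == "__main__":
    for url in ("https://traveler.notes.ce.collabserv.com/traveler",
                "traveler.mycompany.com/traveler",            # no scheme
                "https://traveler.notes.eu.collabserv.com/traveler"):
        print(url, "->", check_dictionary(sample(url)) or "ok")
```

Pass the value of the "IBM Notes Traveler server address" MDX policy as mdx_server_address to see when the dictionary key would be ignored.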
File Encryption Exclusions MDX Policies
To avoid issues with attachments and inline images on iOS Verse Citrix, please ensure that your "File encryption exclusions" MDX policy setting has the following exclusion for the attachments directory:
\/MPSAttachments\/.*
This exclusion is already included in the default MDX policy, which is publicly available in the Citrix Ready Marketplace. If you need to add the exclusion, then all impacted users must reinstall the Verse Citrix app through their WorxStore for the change to take effect.