If your organization does not use XenMobile Device Management, then you can skip this article. IBM Verse will continue to run normally in environments that are not managed by XenMobile.
Minimum requirements
The following components are required at the specified minimum levels.
- MDX wrapped IBM Verse Android application, version 9.0.1.4 (available upon request from IBM)
- IBM Traveler Server, version 8.5.3 Upgrade Pack 2 (see IBM Traveler maintenance site for latest recommended Traveler server version)
- Worx Home Android application, v10.0.3
- XenMobile Device Manager server, v10.0 (or patched v9.0)
- XenMobile App Controller server, v10.0 (or patched v9.0)
- Android 4.x and 5.x devices
- Verse widgets not supported
Managed Application Management (MAM)
IBM Verse can operate in two different modes: "managed", where XenMobile Device Management is in use and manages application security, and "unmanaged", where an organization does not use XenMobile (or does not use it for managing applications). When an organization decides to deploy XenMobile, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has XenMobile Device Management deployed and begins to use IBM Verse. The simplest approach for managing the IBM Verse application is to first install the Worx Home client on the managed device and set up the security policies on the XenMobile Device Manager and App Controller servers. When IBM Verse starts, it will detect that Worx Home is installed and configured, and will change its behavior accordingly.
If an organization deploys XenMobile after IBM Verse is already in use, then IBM Verse will need to be reinstalled from the Worx Home application Store. In either case, you can tell if IBM Verse is in managed mode by looking at the "About" screen. If there is a "Managing Agent" section, then IBM Verse is in managed mode. If there is not, then it is in unmanaged mode.
Administration
Mobile applications are administered online by the XenMobile App Controller. Users, groups, devices, files, and deployments are administered online by the XenMobile Device Manager. For more information on either console, refer to the Citrix Product eDocumentation regarding the XenMobile App Controller and the XenMobile Device Manager.
Key features of XenMobile for IBM Verse on Android
When a 3rd party application such as IBM Verse incorporates the XenMobile SDK libraries, the following security features can be enabled.
- Authenticate users before accessing managed applications
- App-level tunneling for secure access to corporate data without the need for a device VPN
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checking for jailbroken devices)
- Restrict copy and paste functionality
- Restrict open-in controls to a set of white-listed applications
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security postures
Current limitations
There are several limitations to consider when using XenMobile on IBM Verse for Android devices.
- Android 6.x (Marshmallow) devices are not currently supported.
- The App Controller's copy and paste restriction is applied to both managed and unmanaged applications.
- Cannot export files to a /storage/ directory on the device.
- XenMobile's Network Access for IBM Verse should be set to Unrestricted, as Full VPN tunnel and Secure browse modes are not supported.
Behavioral differences when IBM Verse is in managed mode
When IBM Verse is in managed mode, the application behaves differently in a few important ways.
- Does not check for application updates on the IBM Traveler server
- Does not register itself as a device administrator
- Does not honor the application password setting from the IBM Traveler server
- Does not show the following menu entries:
  - Tools > Uninstall
  - Tools > Check for updates
  - Security
Data sharing controls
The data leak prevention settings are described in the XenMobile eDocumentation. These policies can be applied to IBM Verse by enabling Policies in the App Restrictions settings of the XenMobile App Controller.
The Document Exchange settings in the App Interaction policy are similar to IBM Traveler server administration functions. For example, IBM Traveler 9.0.0.1 allows administrators to specify a list of apps that should be allowed to open attachments. The XenMobile App Controller includes similar capabilities. When IBM Verse is in managed mode in the XenMobile environment, it follows a simple rule when deciding which policy to follow: the IBM Verse policy is ignored and the application behavior is dictated by the XenMobile policies.
Data security
In a XenMobile environment, managed apps like IBM Verse are notified by XenMobile when the application data needs to be restricted or erased.
This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this occurs, IBM Verse, like any other XenMobile managed application, will block the application UI and present the user with a message (determined by the administrator or XenMobile) explaining why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse and all local data will be erased.
Server security policies
Most IBM Verse for Android security policies are now managed by XenMobile. In the cases where a security policy is still set at the IBM Traveler server for Android devices, but the same policy can be managed by XenMobile, then the IBM Verse for Android application ignores the policy setting from the IBM Traveler server.
The following table shows the Android security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse for Android application or ignored. A few settings are honored by the IBM Verse for Android application, as XenMobile does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
| IBM Traveler policy | IBM Verse for Android behavior |
| --- | --- |
| Require device password | Ignored – managed by XenMobile |
| Device password - type | Ignored – managed by XenMobile |
| Device password - minimum length | Ignored – managed by XenMobile |
| Device password - autolock timeout | Ignored – managed by XenMobile |
| Device password - expiration period | Ignored – managed by XenMobile |
| Device password - history count | Ignored – managed by XenMobile |
| Device password - wrong passwords before wiping device | Ignored – managed by XenMobile |
| Device password - prohibit unencrypted devices | Ignored – managed by XenMobile |
| Require Application password | Ignored – managed by XenMobile |
| Application Password - wipe after X failed attempts | Ignored – managed by XenMobile |
| Application Password - auto lock period | Ignored – managed by XenMobile |
| Disable Local password storage | Ignored – managed by XenMobile |
| Prohibit Copy to clipboard | Ignored – managed by XenMobile |
| Prohibit Export of attachments to File System | Honored |
| Prohibit download of attachments | Honored |
| Allow only approved applications to access attachments | Ignored – managed by XenMobile |
| Prohibit Camera | Ignored – managed by XenMobile |
| Require external domain validation | Honored |
| Prohibit Devices incapable of security enablement | Honored |
Configure the App Controller to allow Citrix managed Verse to join an IBM meeting
Add the following intents to Open-in exclusions (App Controller > Verse app > Policies > App interaction > Open-in exclusions):
{action=android.intent.action.VIEW pathPrefix=/stmeetings/room}
{action=android.intent.action.VIEW pathPrefix=/meetings/join}
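To review which links these two entries exempt from the Open-in restriction, the following added example (not part of the IBM or Citrix documentation) parses the entries and tests constructed intents against them. It assumes that an entry matches when the action is equal and the URL path starts with pathPrefix, as in an Android intent filter; the host names are placeholders.

```python
import re
from urllib.parse import urlsplit

# The two exclusion entries from this page, copied verbatim.
EXCLUSIONS = """
{action=android.intent.action.VIEW pathPrefix=/stmeetings/room}
{action=android.intent.action.VIEW pathPrefix=/meetings/join}
"""

def parse_exclusions(text):
    """Parse '{key=value key=value}' entries into a list of dicts."""
    rules = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        rules.append(dict(pair.split("=", 1) for pair in body.split()))
    return rules

def is_excluded(action, url, rules):
    """True if an intent (action + data URL) matches any exclusion entry.

    Assumption: every key present in an entry must match, and pathPrefix is
    a plain string-prefix test on the URL path (Android intent-filter style).
    """
    path = urlsplit(url).path
    for rule in rules:
        if rule.get("action", action) != action:
            continue
        if not path.startswith(rule.get("pathPrefix", "")):
            continue
        return True
    return False

RULES = parse_exclusions(EXCLUSIONS)
VIEW = "android.intent.action.VIEW"

# Constructed sample intents; meet.example.com is a placeholder host.
SAMPLES = [
    (VIEW, "https://meet.example.com/stmeetings/room/1234"),
    (VIEW, "https://meet.example.com/meetings/join?id=42"),
    (VIEW, "https://meet.example.com/meetings/joinother"),  # prefix still matches
    (VIEW, "https://meet.example.com/files/report.pdf"),
    ("android.intent.action.SEND", "https://meet.example.com/meetings/join"),
]

if __name__ == "__main__":
    for action, url in SAMPLES:
        print(is_excluded(action, url, RULES), action, url)
```

The entries constrain only the action and the path prefix, so under this matching model a VIEW link on any host whose path begins with one of the prefixes is exempt from the Open-in restriction.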
Traveler Server Configuration MDX Policies
When configuring IBM Verse for Citrix on the XenMobile App Controller, you will see an additional section titled "IBM Notes Traveler Settings" with one policy, "IBM Notes Traveler server address", that can be used to prepopulate the server information for users when they are initially configuring IBM Verse for Citrix on their Android device. The format of the policy value is "https://example.com:8890/traveler". The default value of this policy is empty.