: April 17, 2014 -- Scroll to the end for details.
This document highlights the new MobileIron® integration features that have been added to the IBM Notes® Traveler client for Android, and how to take advantage of them in your deployment.
Organizations using MobileIron to manage their mobile applications are now able to take advantage of MobileIron application management capabilities with the IBM Notes Traveler client for Android, including the ability to provision application configuration settings, manage access through MobileIron Sentry, and enforce MobileIron application specific security polices.
The following components are required at the specified minimum levels.
IBM Notes Traveler:
- Notes Traveler Server, version 8.5.3 Upgrade Pack 2 (or later)
- MobileIron AppConnect enabled version of IBM Notes Traveler for Android
MobileIron Features Available for IBM Notes Traveler for Android
- MobileIron VSP version 5.7 or later
- MobileIron Sentry version 4.7 or later
- MobileIron Mobile@Work client version 5.7.x or later for the Android device
- MobileIron Secure Apps 5.7 or later (Secure Apps Manager, ThinkFree Viewer, and FileManager)
MobileIron has developed a mobile device and mobile application management solution which allows third party applications to integrate with their security capabilities using a library called AppConnect. For Android devices, mobile applications that are wrapped with this AppConnect library can then be managed by MobileIron policies and security controls. IBM Notes Traveler is providing an AppConnect enabled version of IBM Notes Traveler for Android application. This application takes advantage of the security features offered by the AppConnect library in environments where MobileIron is deployed.
The MobileIron AppConnect version of IBM Notes Traveler for Android provides the following new capabilities:
- Application provisioning: Automatically configure user accounts with IBM Notes Traveler for Android server and and user names, so that no manual client configuration is required, other than users supplying their IBM Notes Traveler password.
- Access through Sentry: Establish security rich, authorized connections to the IBM Notes Traveler server using the MobileIron Sentry, and managed by the MobileIron VSP. Connections between IBM Notes Traveler and the Sentry are secured using digital certificates that are unique for each mobile device.
- Application security enforcement: MobileIron administrators can now enforce application security policies on the IBM Notes Traveler for Android application:
- On device secure application access: Enforce application level authentication using a common MobileIron passcode shared among all AppConnect enabled applications on the device, preventing access to IBM Notes Traveler data when the device is not compliant or when the user is no longer authorized, according to the policies in effect on the MobileIron server.
- Data sharing controls and security: Enforce that IBM Notes Traveler data, most notably file attachments, can only be shared with other AppConnect enabled applications.
- Screen capture: Enforce screen capture controls specified by the MobileIron administrator.
- Media Player and Photo Gallery: Prohibit or allow access to the Android Media Player and Photo Gallery from IBM Notes Traveler for Android.
IBM Notes Traveler widgets are not available for use. Widgets are not yet supported by the MobileIron AppConnect library.
Enabling MobileIron Features
The following sections describe how to enable MobileIron application management of the IBM Notes Traveler for Android application in your MobileIron environment.
Uploading IBM Notes Traveler for Android to the MobileIron enterprise app store
Before configuring any settings or policies for the IBM Notes Traveler for Android application, you must first add the AppConnect enabled version of IBM Notes Traveler to the MobileIron enterprise app storefront for your business. See the MobileIron administration guide for more information. Creating application settings and policies requires that this upload step be completed first. The latest AppConnect enabled version of IBM Notes Traveler for Android is available for download from MobileIron.
Secure Network Access
The MobileIron VSP and Sentry provide secure, authorized access to the IBM Notes Traveler server for Mail, Calendar, Contacts, and ToDo. MobileIron restricts unauthorized apps from accessing the IBM Notes Traveler server using the MobileIron AppTunnel feature. All data sync and communication between the IBM Notes Traveler for Android application and the IBM Notes Traveler server is performed over this tunnel. These connections are only allowed by the MobileIron Sentry if this device, application and user meet the security compliance policies established by the MobileIron administrator for your business.
To set up the secure network tunneling capabilities provided by MobileIron, the administrator must first create an AppConnect App Configuration in the MobileIron administration console for the IBM Notes Traveler for Android application. The administrator needs to supply the following information:
- The URL and port of the Notes Traveler server being managed by MobileIron
- The address of the MobileIron Sentry
When creating the App Configuration, enter a name and description for the configuration and select the IBM Notes Traveler application from the Application selector. Note that the IBM Notes Traveler application cannot be selected until it is uploaded and added to your enterprise app storefront. In the AppTunnel section of the configuration, use the IBM Notes Traveler server address for the URL wildcard, omitting, in any path, parts labeled /traveler
. You may use a wildcard, but it is unnecessary, as IBM Notes Traveler for Android application does not communicate to anything except the IBM Notes Traveler server. For example, if you have an IBM Notes Traveler server at https://traveler.acme.com/traveler
, enter traveler.acme.com
. You must also supply the port in the designated column as well as the MobileIron Sentry address in the Sentry column.
If IBM Mobile Connect (IMC) is used as part of your deployment infrastructure, ensure the IMC server(s) being used include IMC server APAR IV47940. This APAR is a prerequisite, as it resolves an issue with IMC failing to read and deliver certain transaction responses with IBM Notes Traveler (most notably that sending an email with an attachment with the Notes Traveler application halts syncing) in a MobileIron managed environment.
Use the App-specific configuration parameters to automate the setup of IBM Notes Traveler for Android on managed devices.
The configuration parameters are specified as a series of keys and values, both of which are strings. The parameters are optional, but if they are not supplied, users need to setup IBM Notes Traveler for Android manually. Note that if these settings are modified after initial deployment, the updated settings are distributed to any client using these settings and IBM Notes Traveler for Android honors the updated values. The supported parameters are:
Data Sharing Controls
|Server||The fully qualified URL used to access the Notes Traveler server. For example:|
|This value must be a fully qualified URL that starts with either "http" (for a non-SSL connection) or "https" (for an SSL connection). The URL must end with "/traveler".|
If this value is not a fully qualified URL, then the Server value will appear blank on the Notes Traveler for Android connection screen.
|Userid||The user ID used to access the Notes Traveler server. ||Use the MobileIron setting $USERID$to specify the MobileIron user ID, if your Notes Traveler userid is the same. |
|Password||The Notes Traveler password for the Userid.||This key is not commonly used. If set, then this would typically be $PASSWORD$. |
NOTE: This setting is not recommended, as it overwrites the device settings whenever the application is updated on the VSP and passwords are often changed by each user individually.
|AllowOverride||true or false||The default is false. When false, end users cannot change any setting supplied by the AppConnect settings. To allow users to modify these values, set this property to true.|
Data leak prevention settings are described in the MobileIron administration documentation. These policies can be applied to IBM Notes Traveler for Android by creating an AppConnect Container Policy for the application, or by setting global policies for all AppConnect apps.
Some settings in the Container Policy (namely, Allow Open In
) are similar to functions available in IBM Notes Traveler server administration. For example, IBM Notes Traveler 22.214.171.124 and later allows administrators to specify a list of apps that should be allowed to open attachments. The MobileIron Container Policy includes a similar capability and the MobileIron managed version of IBM Notes Traveler always honors the MobileIron policy instead of the policy configured at the IBM Notes Traveler server. For files, the only supported setting for sharing is to restrict file sharing to other AppConnect enabled applications. MobileIron provides distribution of an AppConnect enabled file data viewer, called ThinkFree Office, that can be used to view file attachments.
In a MobileIron environment, AppConnect enabled applications such as IBM Notes Traveler for Android are notified by MobileIron when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of security compliance, a forbidden app has been installed, or the user has left the company. When this happens, IBM Notes Traveler for Android blocks the application and displays a message (determined by the administrator or Mobile@Work) to the user to explain why they are blocked. Also, if the policy requires it, all local data owned by the application is erased.
Updating the AppConnect enabled version of IBM Notes Traveler for Android on mobile devices
As with all MobileIron AppConnect enabled applications, updates to the secure applications are controlled by the administrator and are made available to the mobile device via the Mobile@Work
application. Updates do not come from the Google Play store or from the IBM Notes Traveler server. When using MobileIron, only install the AppConnect enabled version, that is downloaded and installed using Mobile@Work
Behavioral differences when using the AppConnect enabled version of IBM Notes Traveler for Android
The AppConnect enabled version of the IBM Notes Traveler for Android application behaves differently in some areas when compared to the standard version. This allows IBM Notes Traveler to take full advantage of the security features made available by MobileIron and provides a better end user and administrator experience. The differences are summarized here:
Server Security policies
In general, most IBM Notes Traveler for Android security policies are now managed by MobileIron. In the cases where a security policy is still set at the IBM Notes Traveler server for Android devices but the same policy can be managed by MobileIron, then the IBM Notes Traveler for Android application ignores the policy setting from the IBM Notes Traveler server. The following table shows the Android security policies that can be set by the IBM Notes Traveler server, and whether they are honored by the IBM Notes Traveler for Android application or ignored. A few settings are honored by the IBM Notes Traveler for Android application, as MobileIron does not yet support these capabilities or the capabilities are specific to IBM Notes Traveler application behavior.
User interface changes
|Notes Traveler Policy||IBM Notes Traveler for Android Behavior |
|Require device password||Ignored – managed by MobileIron|
|Device password - type||ignored – managed by MobileIron|
|Device password - minimum length||ignored – managed by MobileIron|
|Device password - autolock timeout||ignored – managed by MobileIron|
|Device password - expiration period||ignored – managed by MobileIron|
|Device password - history count||ignored – managed by MobileIron|
|Device password - wrong passwords before wiping device||ignored – managed by MobileIron|
|Device password - prohibit unencrypted devices||ignored – managed by MobileIron|
|Require Application password||ignored – managed by MobileIron|
|Application Password - wipe after X failed attempts||ignored – managed by MobileIron|
|Application Password - auto lock period||ignored – managed by MobileIron|
|Disable Local password storage||ignored|
|Prohibit Copy to clipboard||honored|
|Prohibit Export of attachments to File System||honored|
|Prohibit download of attachments||honored|
|Allow only approved applications to access attachments ||ignored – managed by MobileIron, only supports sharing attachment data with other AppConnect enabled applications.|
|Prohibit Camera||ignored – managed by MobileIron|
|Require external domain validation||honored|
|Prohibit Devices incapable of security enablement||Ignored – all AppConnect enabled versions of the IBM Notes Traveler for Android application are considered capable of security enablement.|
There are several changes to the user interface for the AppConnect version of IBM Notes Traveler for Android:
Internal behavior changes
- The device identifier that is visible on the About screen contains the text “com.mobileIron”.
- The IBM Notes Traveler application requests configuration from MobileIron to use in the initial configuration wizard.
- The Android Device Administrator for IBM Notes Traveler is no longer required.
- Configuration settings that are provided by MobileIron are unavailable for update using the IBM Notes Traveler configuration wizard when App-Specific configuration is provided, and:
- it contains the “ServerUrl” parameter
- it does not contain the “AllowOverride” parameter, or the “AllowOverride” parameter is provided and set to “true”.
- When applicable, these settings are visible but grayed out. They include:
- The setting 'Application Updates > Ask before download' has been disabled. In this environment, Mobile@Work manages all application updates.
- The menu item 'Tools > Uninstall' has been removed. To uninstall IBM Notes Traveler, use the Android application manager accessed through Android Settings.
- The menu item 'Tools > Security' has been removed. All security compliance is managed by MobileIron in this environment. Review the Mobile@Work application to view any security compliance information.
- The menu item 'Tools > Check for Update' has been removed. In this environment, all application updates are performed by MobileIron. Review the Mobile@Workapplication to determine if there are updates available for the IBM Notes Traveler application.
There are internal changes to be aware of when running the AppConnect enabled version of IBM Notes Traveler for Android:
- The IBM Notes Traveler application does not doubly encrypt its data; all data stored or accessed by IBM Notes Traveler in this environment is encrypted by the MobileIron secure container.
- The IBM Notes Traveler application does not check the IBM Notes Traveler server for updates to itself. All program updates are managed by MobileIron and accessed using the Mobile@Work application on the device.
|Date:||Notes Traveler Changes||MobileIron Changes|
|April 17, 2014||Traveler build: 126.96.36.199 201404021602|
LO79465 -UNABLE TO VIEW PERSONAL FOLDERS ON TRAVELER ANDROID WITH OS 4.X
LO79714 -LED NOTIFICATION NOT WORKING FOR TRAVELER ON SOME 4.X ANDROID OS VERSIONS
LO79754 -UNCOMMON FILE EXTENSIONS DO NOT LAUNCH FROM TRAVELER
LO79747 -EMAIL ADDRESS IN INCORRECT WHEN USING REPLY ALL FROM ANDROID TRAVELER
LO79796 -OUT OF OFFICE BODY FIELD IS TOO SMALL ON ANDROID WHEN EDITING LARGE BODY MESSAGE
|Secure Application Manager: 188.8.131.52.8|
File Name: SecureAppsManager-184.108.40.206.9p.apk
- CE-1830 -Battery Draining Issue - V5.9 traveler
- CE-2147 -AppConnect wrapped version of Notes Traveler for Android as high CPU drain
- LP-3563 -LNT isn't syncing with server via tunneling after 30 mins
- LP-3421 -Negative file size exception seen by customers