If you have Apple users that were installed (especially iPads) on traveler 8.5.1 and you migrate to 8.5.2 take special care to not select any security policy until the devices security policies become fully compliant . There are problems with them running an older version of Active Synch that may cause the device to be banned from traveler.
Here is a discussion thread that may save time or prevent you from setting up new policy resrictions.
Thanks to Robert S Sielken for the response to my thread.
There have been a couple of PMRs on this same issue.
The issue is that the "Prohibit devices incapable of security enablement" has been checked. The existing devices are only using ActiveSync 2.5 and cannot support all of the security settings because many of them are only in ActiveSync 12.1. The devices get "banned" and cannot log into the system to switch to AS 12.1 and get the banned removed.
Allowing the existing devices that got banned back into the system can be done in at least 3 ways, but APAR LO55130 is definitely the easiest. To get the APAR, you will have to open a PMR and L2 can provide the APAR fix once it is available (it is still being internally tested).
Here are three different sets of steps for the Admin to use depending on how the Admin wants to allow banned devices back into Traveler:
A. Server with APAR LO55130 - Device power off and power on.
1. Tell the device users to reboot their device(s). Reboot means power completely off by holding the power button and sliding it off and then power on with the power button (not just turning the screen off and on) . Without powering off and back on, the device will continue to use the old security protocol instead of the new protocol which is needed. Traveler tells the device to switch to the new protocol, but the Apple device ignores that request and continues to use the old protocol until the device is rebooted.
B. Current server (no APAR LO55130) - Clean up and reinstall the device accounts (Apple profile or manual) as needed..
1. On the device, remove the account (Apple profile or manual).
2. On the server, "tell traveler delete ".
3. On the server, "tell traveler security delete ".
4. On the device, reinstall the account.
C. Current server (no APAR LO55130) - Turn off "Prohibit devices incapable of security enablement" until all the devices have upgraded.
1. Shutdown Traveler (tell traveler shutdown)
2. Open the Default Settings or Policy definition and uncheck "Prohibit devices incapable of security enablement".
3. Start Traveler (load traveler). When Traveler loads, it will prime sync each device and remove the banned flags allowing the devices to access the system.
4. Tell the device users to reboot their device(s). Reboot means power completely off by holding the power button and sliding it off and then power on with the power button (not just turning the screen off and on) .
5. After the device has rebooted and synced with the server, it needs to do another configuration with the server. To do this, issue "tell traveler push flagsadd serviceability configGet " for each device in the server console.
6. The device will do the configuration steps when it next syncs or connects to push.
7. Confirm the device is fully compliant by looking in LotusTraveler.nsf or running the show tell command (tell traveler show ). In LotusTraveler.nsf, you are looking for the value in the Security Policy column in the Device Security view. In the show tell command output, you are looking for the Security Policy Status value. If the value is "Compliant - limited", the device has not upgraded yet. If the value is "Compliant", then the device is upgraded.
8. Once all of the devices are upgraded (Compliant instead of Compliant - limited), turn "Prohibit devices incapable of security enablement" back on.
Note: any new devices will start with the full settings, so these steps are only necessary for existing devices.
Feedback response number RSSN89RNX9 created by Robert S Sielken on 09/29/2010