IBM Verse Citrix on iOS devices can be managed by XenMobile Device Management. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use XenMobile Device Management, you can skip this article and should use the IBM Verse iOS app instead (https://itunes.apple.com/us/app/ibm-verse/id949952976?mt=8).
The following components are required at the specified minimum levels.
Managed Application Management (MAM)
- MDX wrapped IBM Verse Citrix iOS application, version 9.2.0 (available from Apple Store)
- MDX configuration file for IBM Verse Citrix iOS application (available from Citrix Ready site)
- IBM Traveler Server, version 184.108.40.206 (see IBM Traveler maintenance site for latest recommended Traveler server version)
- Worx Home iOS application, v10.0.7
- XenMobile Device Manager server, v9.0
- XenMobile App Controller server, v9.0
- iOS 8.0 or greater
IBM Verse Citrix can operate in two different modes: "managed", where XenMobile Device Management is in use and manages application security, and "unmanaged", where an organization does not use XenMobile (or does not use it for managing applications). When an organization decides to deploy XenMobile, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has XenMobile Device Management deployed and begins to use IBM Verse Citrix. The simplest approach for managing the IBM Verse Citrix application is to first install the Worx Home client on the managed device and set up the security policies on the XenMobile Device Manager and App Controller servers. When IBM Verse Citrix starts, it will detect that Worx Home is installed and configured, and will change its behavior accordingly.
If an organization deploys XenMobile after IBM Verse Citrix is already in use, then IBM Verse Citrix will need to be reinstalled from the Worx Home application store.
Mobile applications are administered online by the XenMobile App Controller. Users, groups, devices, files, and deployments are administered online by the XenMobile Device Manager. For more information on either console, refer to the Citrix Product eDocumentation regarding the XenMobile App Controller and the XenMobile Device Manager.
Key features of XenMobile for IBM Verse Citrix on iOS
When a third party application, such as IBM Verse Citrix, incorporates the XenMobile SDK libraries, the following security features can be enabled.
- Authenticate users before accessing managed applications
- App-level tunneling for secure access to corporate data without the need for a device VPN
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checking for jailbroken devices)
- Restrict copy and paste functionality
- Restrict open-in controls to a set of white-listed applications
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security postures
Behavioral differences when IBM Verse is in managed mode
When IBM Verse is in managed mode, the application behaves differently in that it does not honor the application password setting from the IBM Traveler server.
Data sharing controls
The data leak prevention settings are described in the XenMobile eDocumentation. These policies can be applied to IBM Verse Citrix by enabling Policies in the App Restrictions settings of the XenMobile App Controller.
The Document Exchange settings in the App Interaction policy are similar to IBM Traveler server administration functions. For example, IBM Traveler 220.127.116.11 allows administrators to specify a list of apps that should be allowed to open attachments. The XenMobile App Controller includes similar capabilities. When using IBM Verse Citrix in a XenMobile environment, the app follows a simple rule when deciding which policy to follow: the IBM Verse policy is ignored and the application behavior is dictated by the XenMobile policies.
In a XenMobile environment, managed apps like IBM Verse Citrix are notified by XenMobile when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this occurs, IBM Verse Citrix, like any other XenMobile managed application, will block the application UI and present the user with a message (determined by the administrator or XenMobile) explaining why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse Citrix and all local data will be erased.
Server security policies
Most IBM Verse Citrix iOS security policies are now managed by XenMobile. In the cases where a security policy is still set at the IBM Traveler server for iOS devices, but the same policy can be managed by XenMobile, then the IBM Verse Citrix iOS application ignores the policy setting from the IBM Traveler server.
The following table shows the iOS security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse Citrix iOS application or ignored. A few settings are honored by the IBM Verse Citrix iOS application, as XenMobile does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
Traveler Server Configuration MDX Policies
| IBM Traveler policy | IBM Verse for Android behavior |
|---|---|
| Require device password | Ignored – managed by XenMobile |
| Device password - type | Ignored – managed by XenMobile |
| Device password - autolock timeout | Ignored – managed by XenMobile |
| Device password - expiration period | Ignored – managed by XenMobile |
| Device password - history count | Ignored – managed by XenMobile |
| Device password - wrong passwords before wiping device | Ignored – managed by XenMobile |
| Device password - prohibit unencrypted devices | Ignored – managed by XenMobile |
| Require Application password | Ignored – managed by XenMobile |
| Application Password - wipe after X failed attempts | Ignored – managed by XenMobile |
| Application Password - auto lock period | Ignored – managed by XenMobile |
| Disable Local password storage | Ignored – managed by XenMobile |
| Prohibit Copy to clipboard | Ignored – managed by XenMobile |
| Prohibit Export of attachments to File System | Honored |
| Prohibit download of attachments | Honored |
| Allow only approved applications to access attachments | Ignored – managed by XenMobile |
| Prohibit Camera | Ignored – managed by XenMobile |
| Require external domain validation | Honored |
| Prohibit Devices incapable of security enablement | Honored |
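Because the ignored Traveler settings stop applying once the app is managed, an administrator can use the table to find controls that need an equivalent XenMobile policy before the switch. The following sketch is an added example, not IBM or Citrix code: it classifies the policies enabled on the Traveler server using the dispositions in the table. The function name, the report keys, the sample input and the policy name "Prohibit screenshots" are constructed for illustration.

```python
# Dispositions copied from the table above (app managed by XenMobile).
IGNORED = {
    "Require device password", "Device password - type",
    "Device password - autolock timeout", "Device password - expiration period",
    "Device password - history count",
    "Device password - wrong passwords before wiping device",
    "Device password - prohibit unencrypted devices",
    "Require Application password",
    "Application Password - wipe after X failed attempts",
    "Application Password - auto lock period",
    "Disable Local password storage", "Prohibit Copy to clipboard",
    "Allow only approved applications to access attachments", "Prohibit Camera",
}
HONORED = {
    "Prohibit Export of attachments to File System",
    "Prohibit download of attachments",
    "Require external domain validation",
    "Prohibit Devices incapable of security enablement",
}


def audit_managed_mode(traveler_enabled, confirmed_in_xenmobile):
    """Classify each policy enabled on the Traveler server for a managed device.

    traveler_enabled: policy names switched on at the Traveler server.
    confirmed_in_xenmobile: Traveler policy names for which the administrator
        has verified an equivalent XenMobile policy (hypothetical input form).
    """
    report = {"gap": [], "covered": [], "traveler_enforced": [], "unknown": []}
    for name in sorted(traveler_enabled):
        if name in HONORED:
            report["traveler_enforced"].append(name)  # still applied by the app
        elif name not in IGNORED:
            report["unknown"].append(name)  # not in the table: check spelling
        elif name in confirmed_in_xenmobile:
            report["covered"].append(name)
        else:
            report["gap"].append(name)  # ignored by the app, no replacement yet
    return report


# Constructed sample input, not taken from a real deployment.
SAMPLE_TRAVELER = {"Require Application password", "Prohibit Copy to clipboard",
                   "Prohibit Camera", "Prohibit download of attachments",
                   "Prohibit screenshots"}  # last name is made up, not in the table
SAMPLE_CONFIRMED = {"Require Application password", "Prohibit Camera"}

if __name__ == "__main__":
    for bucket, names in audit_managed_mode(SAMPLE_TRAVELER, SAMPLE_CONFIRMED).items():
        print(f"{bucket}: {names}")
```

Any name reported under "gap" is a control that the Traveler server still lists as enabled but that the managed app no longer applies.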
When configuring IBM Verse for Citrix on the XenMobile App Controller, you will see an additional section titled "IBM Notes Traveler Settings" with one policy, "IBM Notes Traveler server address", that can be used to prepopulate the server information for users when they are initially configuring IBM Verse for Citrix on their iOS device. The format of the policy value is "https://example.com:8890/traveler". The default value of this policy is empty.