The IBM Verse app for iOS supports application management using Fiberlink MaaS360's Mobile Application Management features. This article describes the capabilities provided by this environment and how to take advantage of them in your deployment.
If your organization does not use Fiberlink's MaaS360 Mobile Device Management solution, then this article is not applicable to your deployment. IBM Verse for iOS will continue to run normally, as a non-managed application.
Minimum requirements
The following components are required at the specified minimum levels:
- Fiberlink MaaS360 app version 2.75 (or later)
- IBM Traveler Server, version 9.0.1.4 (or later)
- IBM Verse app for iOS version 9.1.1 (or later)
Mobile Application Management (MAM)
The IBM Verse app for iOS can operate in two different modes:
- Managed - MaaS360 Mobile Application Management is detected and persona policies are in effect that provide application management policies for the application.
- Unmanaged - MaaS360 is not installed or deployed as a device or application management profile, or it is installed but the IBM Verse application is not white listed as a managed application.
The IBM Verse app for iOS dynamically detects which environment is present and adjusts its security behavior based on these modes. If an organization deploys MaaS360 on a mobile device after IBM Verse is already in use, then the next time IBM Verse starts it will detect MaaS360 is present and switch to its managed mode.
Administration
All MaaS360 application and device security policies are configured and deployed using the MaaS360 administration portal. Please review MaaS360 Mobile Application Management for more information.
Key features of IBM Verse for iOS when managed by MaaS360
The following MaaS360 application management security features can be enabled when running IBM Verse for iOS in a MaaS360 managed application environment:
- Authenticate users before accessing managed applications
- App tunneling for secure access to corporate data when using IBM Mobile Connect's MaaS360 integration feature
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checks for jail broken devices)
- Restrict copy and paste for managed applications
- Restrict open-in controls to a set of white-listed applications and/or file extensions
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security posture
Current limitations
IBM Verse does not have support for the following MaaS360 capabilities:
- File import restrictions
- MaaS360 Enterprise Gateway
- MaaS360 File Editor
- Storing documents in the MaaS360 Secure Document Store
Data sharing controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to IBM Verse by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.
Data security
In a MaaS360 managed device, managed apps like IBM Verse are notified by MaaS360 when application data must be restricted or erased. This may occur for a variety of reasons, including:
- The device has been lost or stolen and either the user or administrator issues an application data wipe
- The device has a geo-fencing policy and it has moved outside of the fenced area
- The application passcode is entered incorrectly too many times
In these cases, IBM Verse, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) describing why the app is no longer available. Additionally, if required by the policy, all data local to the IBM Verse app will be erased.
Server security policies
IBM Traveler has a number of security policies that can be enforced by the IBM Verse for iOS app even when it is not managed by MaaS360. However, when IBM Verse is managed by MaaS360, most of the security policies that can be defined at the IBM Traveler server are ignored in favor of a similar policy that can be defined in the MaaS360 security policy. In the cases where a security policy is still set at the IBM Notes Traveler server for iOS devices, but the same policy can be managed by MaaS360, the IBM Verse app for iOS will ignore the policy setting from the IBM Traveler server.
The following table shows the IBM Verse app for iOS security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse application for iOS when managed by MaaS360 or ignored in favor of honoring the MaaS360 policy.
Notes Traveler Policy | IBM Verse Behavior |
Require application password | Ignored – managed by MaaS360 |
Application password - type | Ignored – managed by MaaS360 |
Application password - minimum length | Ignored – managed by MaaS360 |
Application password - auto lock period | Ignored – managed by MaaS360 |
Application password - expiration period | Ignored – managed by MaaS360 |
Application password - history count | Ignored – managed by MaaS360 |
Application password - wrong passwords before wiping device | Ignored – managed by MaaS360 |
Application password - prohibit ascending, descending and repeating sequences | Ignored – managed by MaaS360 |
Application password - allow touch ID | Ignored – managed by MaaS360 |
Prohibit copy to clipboard | Ignored – managed by MaaS360 |
Prohibit export of attachments | Ignored – managed by MaaS360 |
Prohibit download of attachments | Honored |
Using the MaaS360 Secure Browser from within IBM Verse
Email messages and calendar events contained within the IBM Verse mobile app will often contain http or https web links. Starting with IBM Verse for iOS version 9.2.4, pressing on one of these web links will automatically launch the MaaS360 Secure Browser rather than the native Safari Browser. The MaaS360 Secure Browser provides a secure tunnel capability into your company intranet, allowing access to internal company web sites from mobile devices. It also provides a secure container which will honor the MaaS360 security policies, preventing data from company web sites from potentially leaking out to unauthorized systems. If the IBM Verse app is managed by MaaS360, and the MaaS360 Secure Browser is enabled by the MaaS360 administrator, then by default, pressing on one of the web links will automatically launch the MaaS360 Secure Browser. This behavior can be modified by providing additional browser policies to the IBM Verse app using custom configuration.
The following new configuration keys are now supported by IBM Verse for iOS:
Key | Value | Details |
com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MaaS360 Secure Browser. Set to true to use Secure Browser. |
com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, then Verse will compare the hostname of the web link that was pressed to this regular expression pattern. If the hostname matches this expression, then the Secure Browser will be used. If not, the native Safari browser is launched. See below for examples. |
Example scenarios:
1) I want to use the MaaS360 Secure Browser for all web URLs contained within Verse email messages.
Action: You must enable the MaaS360 Secure Browser within the MaaS360 security policy. If the browser is enabled and deployed to the device, then it will be used for all web links pressed within the Verse app. There is no additional Verse configuration that is required. Optionally, you could also set the configuration key com.ibm.mobile.mail.useSecureBrowser=true and deploy this configuration key to the Verse app. But this step is not required for this behavior.
2) I want to use the MaaS360 Secure Browser as a standalone app, and not use it to resolve any web links that I click from within Verse.
Action: You will need to set the configuration key com.ibm.mobile.mail.useSecureBrowser=false and deploy this configuration key to the Verse app.
3) I want to use the MaaS360 Secure Browser when using Verse to open any link with my company's domain name, "mycompany.com", but I want web sites from any other domain to use the native iOS browser.
Action: Set the following configuration keys within the Verse configuration profile and deploy this profile to the Verse app.
com.ibm.mobile.mail.useSecureBrowser=true
com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com
There are many variations possible by specifying a regular expression to determine which domains should be opened using MaaS360 Secure Browser.
Match anything using the mycompany.com or greenwell.com domain: com.ibm.mobile.mail.secureBrowserPattern=.*.(mycompany|greenwell).com
Match anything using the mycompany.com or greenwell.org domain: com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com|.*.greenwell.org
Match anything using the mycompany.com domain except for a couple of specific websites within this domain, site1.mycompany.com and site2.mycompany.com: com.ibm.mobile.mail.secureBrowserPattern=(?!site1.mycompany.com)(?!site2.mycompany.com)(.*.mycompany.com)
Note that the "match anything" or wildcard expression should be specified as ".*" and not simply '*'.
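The routing rule from the key table, applied to scenario 3, as an added example (not IBM's code). It shows that with unescaped dots the page's pattern also sends a lookalike hostname to the Secure Browser and misses the bare domain. Python's `re`, whole-hostname matching, the key precedence, the escaped pattern and the test hostnames are assumptions made for this sketch.

```python
import re

# Both key spellings from the page; checking the ".mail." form first is an assumption.
PREFIXES = ("com.ibm.mobile.mail.", "com.ibm.mobile.")

def parse_config(text):
    """Parse key=value lines, the format the page uses for Verse configuration."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def setting(cfg, name):
    """Look up a setting under either documented key spelling."""
    for prefix in PREFIXES:
        if prefix + name in cfg:
            return cfg[prefix + name]
    return None

def browser_for(cfg, hostname):
    """Return 'secure' or 'safari' for a pressed link, following the key table.

    Assumes a managed device with Secure Browser enabled, and that the pattern
    must match the whole hostname (the page does not state the anchoring).
    """
    if (setting(cfg, "useSecureBrowser") or "true").lower() == "false":
        return "safari"
    pattern = setting(cfg, "secureBrowserPattern")
    if not pattern:
        return "secure"
    return "secure" if re.fullmatch(pattern, hostname, re.IGNORECASE) else "safari"

def audit(config_text, hostnames):
    """Map each hostname to the browser the configuration would select."""
    cfg = parse_config(config_text)
    return {h: browser_for(cfg, h) for h in hostnames}

# Scenario 3 exactly as written on the page.
PAGE_CONFIG = r"""
com.ibm.mobile.mail.useSecureBrowser=true
com.ibm.mobile.mail.secureBrowserPattern=.*.mycompany.com
"""
# Constructed variant: dots escaped, subdomain prefix optional.
ESCAPED_CONFIG = r"""
com.ibm.mobile.mail.useSecureBrowser=true
com.ibm.mobile.mail.secureBrowserPattern=(.*\.)?mycompany\.com
"""
# Constructed hostnames, including a lookalike that is not under mycompany.com.
HOSTS = ["wiki.mycompany.com", "mycompany.com", "notmycompany.com", "www.example.org"]
```

Whether backslash escapes survive the MaaS360 configuration file unchanged is not stated on the page, so confirm the deployed pattern on a test device before relying on it.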
Managed Configuration
You can provide configuration parameters to automate the setup of IBM Verse on managed devices. There are two methods that are supported for providing the configuration when using MaaS360.
1 - From the MaaS360 Persona Policy, under Workplace Apps and the Configurations tab, enable Configure Apps. This opens up the options to enter in the IBM Verse for iOS Application name and then provide a configuration file with the appropriate configuration values. Use a text editor to create this file using the configuration Key names listed below. Each line of the file would be in the format key=value. Make sure to save your configuration file with the ".txt" extension. The MaaS360 administration portal requires these entries to be saved into a file with the file extension ".txt". If the filename does not have this extension, then dynamic substitutions for variables such as %user% and %email% will not occur. Using this method will enforce that the configuration values are set regardless of how your application is installed (either from iTunes or from the MaaS360 Enterprise Application catalog).
2 - From the MaaS360 APPS view in the administration portal, after you have added IBM Verse for iOS to the app catalog, select IBM Verse from the list and then select View. Select More -> Edit App Configuration Parameters. You are presented with a dialog which allows you to add or remove configuration parameter names and values. Use the configuration parameters from the table below. These parameters are applied to the IBM Verse for iOS application when it is installed using the MaaS360 app catalog.
The configuration parameters are specified as a series of keys and values, all of which are strings. The parameters are optional, and if they are not provided, IBM Verse will choose the default value, or if a default value is not applicable, it will prompt the user for the value. Note that if these settings are modified after their initial deployment, the updated settings are distributed to any managed client and IBM Verse will honor the updated values. The supported parameters are:
Key | Value | Details |
com.ibm.mobile.mail.serverURL or com.ibm.mobile.serverURL | The connection URL used to access the IBM Traveler server. | |
com.ibm.mobile.mail.user or com.ibm.mobile.user | The user ID used to access the IBM Traveler server. | Use the MaaS360 substitution variable %user% to specify the MaaS360 user ID or %email% to use the MaaS360 mail address. |
com.ibm.mobile.mail.useSecureBrowser or com.ibm.mobile.useSecureBrowser | true or false | Set to false to completely disable the use of the MaaS360 Secure Browser. Set to true to use Secure Browser. |
com.ibm.mobile.mail.secureBrowserPattern or com.ibm.mobile.secureBrowserPattern | hostname regular expression pattern | If useSecureBrowser is true and this secureBrowserPattern expression is set, then Verse will compare the hostname of the web link that was pressed to this regular expression pattern. If the hostname matches this expression, then the Secure Browser will be used. If not, the native Safari browser is launched. |
Example MaaS360 Application Configuration file contents:
com.ibm.mobile.mail.user=%email%
com.ibm.mobile.mail.serverURL=https://traveler.mycompany.com/traveler