The IBM Verse application for Android has the ability to be managed by MaaS360 Mobile Device Management. This article describes the MaaS360 application management capabilities available for enablement, and how to take advantage of them, when using the Verse for Android application in a MaaS360 mobile application managed environment.
If your organization does not use MaaS360 Mobile Device Management, this article is not applicable to your deployment. IBM Verse for Android will continue to run normally, as a non-MaaS360 managed application.
The following components are required at the specified minimum levels.
- MaaS360 MDM for Android v5.0 application, and/or MaaS360 MDM for Samsung v5.0 application
- IBM Notes Traveler Server, version 8.5.3 Upgrade Pack 2
- IBM Verse Android application version 220.127.116.11
Optionally, if your organization plans to use the MaaS360 File Viewer and/or the MaaS360 Browser with IBM Verse, they also need to be deployed to your Android devices. These are available in the Google Play Store.
Managed Application Management (MAM)
IBM Verse can operate in two different modes: managed, where MaaS360 Device Management is in use and manages application security, and unmanaged, where an organization does not use MaaS360 (or does not use it for managing applications). When an organization decides to deploy MaaS360, or remove it from their devices, applications must somehow discover this has occurred and switch to the new mode.
One typical case occurs when an organization has MaaS360 Device Management deployed and begins to use IBM Verse. The simplest approach for managing the Verse application is to first install the MaaS360 client on the managed device and set up the security policies and personas on the MaaS360 server. When IBM Verse starts, it will detect that MaaS360 is installed and configured, and will change its behavior accordingly.
If an organization deploys MaaS360 after IBM Verse is already in use, then the next time the application starts it will detect MaaS360 and change to managed mode. In either case, you can tell whether IBM Verse is in managed mode by opening the "About" screen. If this screen contains a "Managing Agent" section, then IBM Verse is in managed mode. If it does not, then it is in unmanaged mode.
The Policies, Users, and Devices managed by MaaS360 server are administered online at http://portal.fiberlink.com. See the MaaS360 MDM Admin Guide for more details on how to use this web-based console.
Key features of MaaS360 for IBM Verse on Android
The following MaaS360 application management security features can be enabled when running IBM Verse for Android in a MaaS360 application managed environment:
- Authenticate users before accessing managed applications
- App-level tunneling for secure access to corporate data without needing a device VPN
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checks for jail broken devices)
- Restrict copy and paste, as well as local and cloud data backups, for managed applications
- Restrict open-in controls to a set of white-listed applications, including the MaaS360 File Viewer
- Receive real-time alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security posture
IBM Verse has not yet integrated MaaS360's application management support for:
- File import restrictions
- App-level tunneling for communications with the IBM Notes Traveler server
- MaaS360 File Editor
- Storing documents in the MaaS360 Secure Document Store
Behavioral differences when IBM Verse is in MaaS360 managed mode
When IBM Verse is in MaaS360 managed mode, the application will change from its default IBM Notes Traveler Server managed behavior in the following ways:
- Will not check for application updates on the IBM Notes Traveler server
- Will not register as an Android Device Administrator
- Will not honor the application password setting from the IBM Notes Traveler server
- Will not show the following menu entries:
  - Tools/check for updates
Data sharing controls
The data leak prevention settings are described in the MaaS360 administration documentation. These policies can all be applied to IBM Verse by enabling Data Protection Policies in the Security settings of the MaaS360 persona assigned to the device.
The Restrict File Export settings in the persona are similar to functions available in IBM Notes Traveler server administration. For example, IBM Notes Traveler 18.104.22.168 allows administrators to specify a list of apps that should be allowed to open attachments. The MaaS360 persona includes the same capability. When IBM Verse is in managed mode on a MaaS360 managed device, it follows a simple rule when deciding which policy to apply: the IBM Verse policy is ignored and the application behavior is dictated by the MaaS360 persona policy.
In a MaaS360 managed device, managed apps like IBM Verse are notified by MaaS360 when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this happens, IBM Verse, like any other MaaS360 managed application, will block the application UI and present the user with a message (determined by the administrator or MaaS360) explaining why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse and all local data will be erased.
Server security policies
In general, most IBM Verse for Android security policies are now managed by MaaS360. In the cases where a security policy is still set at the IBM Notes Traveler server for Android devices, but the same policy can be managed by MaaS360, then the IBM Verse for Android application ignores the policy setting from the IBM Notes Traveler server.
The following table shows the Android security policies that can be set by the IBM Verse server, and whether they are honored by the IBM Verse for Android application or ignored. A few settings are honored by the IBM Verse for Android application, as MaaS360 does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
| Notes Traveler Policy | IBM Verse for Android Behavior |
| --- | --- |
| Require device password | Ignored – managed by MaaS360 |
| Device password - type | Ignored – managed by MaaS360 |
| Device password - minimum length | Ignored – managed by MaaS360 |
| Device password - autolock timeout | Ignored – managed by MaaS360 |
| Device password - expiration period | Ignored – managed by MaaS360 |
| Device password - history count | Ignored – managed by MaaS360 |
| Device password - wrong passwords before wiping device | Ignored – managed by MaaS360 |
| Device password - prohibit unencrypted devices | Ignored – managed by MaaS360 |
| Require application password | Ignored – managed by MaaS360 |
| Application password - wipe after X failed attempts | Ignored – managed by MaaS360 |
| Application password - auto lock period | Ignored – managed by MaaS360 |
| Disable local password storage | Ignored – managed by MaaS360 |
| Prohibit copy to clipboard | Ignored – managed by MaaS360 |
| Prohibit export of attachments to file system | Ignored – managed by MaaS360 |
| Prohibit download of attachments | Honored |
| Allow only approved applications to access attachments | Ignored – managed by MaaS360 |
| Prohibit camera | Ignored – managed by MaaS360 |
| Require external domain validation | Honored |
| Prohibit Devices incapable of security enablement | Honored |
Application specific configuration
Use the App-specific configuration parameters to automate the setup of IBM Verse for Android on managed devices.
The configuration parameters are specified as a series of keys and values, both of which are strings. The parameters are optional, but if they are not supplied, users need to set up IBM Verse for Android manually. Note that if these settings are modified after initial deployment, the updated settings are distributed to any client using these settings and IBM Verse for Android honors the updated values. The supported parameters are:
- com.ibm.mobile.mail.serverURL: The fully qualified URL used to access the IBM Notes Traveler server.
  - This value must be a fully qualified URL that starts with either "http" (for a non-SSL connection) or "https" (for an SSL connection). The URL must end with "/traveler".
  - If this value is not a fully qualified URL, then the Server value will appear blank on the IBM Verse for Android connection screen.
  - In order to use Connections Cloud, the URL must be a valid cloud URL containing "collab" and a region code. It is important to ensure that you use the correct region code that matches the IBM Connections Cloud data center that is hosting your company, otherwise unexpected results will occur. For example, North America: https://traveler.notes.na.collabserv.com/traveler
- com.ibm.mobile.mail.user: The user ID used to access the IBM Notes Traveler server. Use the MaaS360 setting %user% to specify the MaaS360 user ID or %email% to use the MaaS360 email address.
- com.ibm.mobile.mail.RejectUntrustedCertificates:
  - false (default): allow the user to see and accept untrusted SSL certificates
  - true: block connections with untrusted SSL certificates
Example MaaS360 Application Configuration file contents:
Please note that the MaaS360 server requires these entries to be included as a file with the "txt" extension and will not replace any variables if the file does not end in "txt".
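A pre-deployment check for the three parameters described above, as an added example that is not part of the original article or of IBM's tooling. It assumes the configuration file holds one `key=value` pair per line; the function name `lint_verse_config`, the file names and the `traveler.example.com` host are hypothetical.

```python
from urllib.parse import urlsplit

PREFIX = "com.ibm.mobile.mail."

def lint_verse_config(filename, text):
    """Return findings for a Verse app-configuration file.

    Assumption: one key=value pair per line (layout not shown in the article).
    """
    findings = []
    if not filename.lower().endswith(".txt"):
        findings.append("file name must end in .txt or variables are not replaced")
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()

    url = params.get(PREFIX + "serverURL", "")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # The article notes the Server field shows blank in this case.
        findings.append("serverURL is not a fully qualified http(s) URL")
    else:
        if not url.endswith("/traveler"):
            findings.append('serverURL must end with "/traveler"')
        if parts.scheme == "http":
            findings.append("serverURL uses http: connection is not SSL-protected")

    if not params.get(PREFIX + "user"):
        findings.append("user is not set: users must enter it manually")

    reject = params.get(PREFIX + "RejectUntrustedCertificates", "false")
    if reject not in ("true", "false"):
        findings.append("RejectUntrustedCertificates must be true or false")
    elif reject == "false":
        # false is the documented default: users may accept untrusted certificates.
        findings.append("RejectUntrustedCertificates is false: untrusted certificates can be accepted")
    return findings

# Constructed sample inputs (hypothetical host names, not from the article).
WEAK = (PREFIX + "serverURL=http://traveler.example.com/traveler\n"
        + PREFIX + "user=%user%\n")
HARDENED = (PREFIX + "serverURL=https://traveler.example.com/traveler\n"
            + PREFIX + "user=%email%\n"
            + PREFIX + "RejectUntrustedCertificates=true\n")

if __name__ == "__main__":
    for name, text in (("verse-weak.cfg", WEAK), ("verse.txt", HARDENED)):
        print(name, lint_verse_config(name, text) or "OK")
```

The weak sample is flagged three times: wrong file extension, a non-SSL server URL, and the default certificate setting that lets users accept untrusted certificates.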
IBM Fiberlink MaaS360 Cloud Extender Support
The IBM Fiberlink MaaS360 mobile device management product now includes support for monitoring, reporting and enforcing access restrictions to the IBM Traveler server for the IBM Verse application and other supported IBM Traveler clients. This support is provided both for on-premises IBM Traveler servers and for devices and Verse mobile apps using the IBM SmartCloud Traveler service. The MaaS360 Cloud Extender component is now capable of connecting to IBM Traveler servers either on your company premises or within the IBM SmartCloud. The MaaS360 Cloud Extender can discover which Traveler devices are in use for a customer, automatically approve apps and devices that are allowed to sync with IBM Traveler, and automatically block or wipe the data from those devices if they are compromised or are no longer compliant with a customer's security policies. Note that for companies that are using IBM SmartCloud Traveler, this feature is currently limited to companies with 25,000 devices or less. Contact your IBM MaaS360 sales representative for more details on enabling this capability for your company.