This document highlights the MobileIron® integration features that have been added to the IBM Verse client for Android, and how to take advantage of them in your deployment.
Organizations using MobileIron to manage their mobile applications are now able to take advantage of MobileIron application management capabilities with the IBM Verse client for Android, including the ability to provision application configuration settings, manage access through the MobileIron Sentry, and enforce MobileIron application specific security polices.
The following components are required at the specified minimum levels.
- IBM Traveler Server, version 8.5.3 Upgrade Pack 2 (or later)
- MobileIron AppConnect enabled version of IBM Verse for Android
- Mobile device running Android 4.0 or later
IBM Verse and IBM Notes Traveler
- MobileIron Core version 5.7 or later
- MobileIron Sentry version 4.7 or later
- MobileIron Mobile@Work client version 5.7.x or later for the Android device
- MobileIron Secure Apps 5.7 or later (Secure Apps Manager, ThinkFree Viewer, and FileManager)
IBM Verse replaces the IBM Notes Traveler app for Android devices running Android 4.0 and higher. This app uses the same bundle identifier as the old IBM Notes Traveler app, so if a device already had IBM Notes Traveler installed and the device is running Android 4.0 or higher, an app upgrade will occur automatically. The old IBM Notes Traveler app will automatically be renamed to IBM Verse during the upgrade.
For older Android 2.x and 3.x devices, you must continue to use the older IBM Notes Traveler app. If you do not already have the older version of the app, it is called IBM Notes Traveler for Android and is available for download from MobileIron at https://support.mobileiron.com/mi/androidappconnect3rdpartyapps/current/
. If there are Android 2.x and Android 3.x devices in your existing deployment using IBM Notes Traveler, be careful to create separate MobileIron labels for the different OS levels and apply these labels to the existing devices. Then after uploading the Verse app to the MobileIron enterprise app store, assign Verse to the OS 4.x label that you created, so that this app will only be distributed to devices that are using the OS 4.x label.
The older IBM Notes Traveler application can continue to be used on any level of mobile devices, but any new fixes or updates will be made to the IBM Verse application. Customers are encouraged to upgrade to the latest IBM Verse client as soon as possible.
MobileIron Features Available for IBM Verse for Android
MobileIron has developed a mobile device and mobile application management solution which allows third party applications to integrate with their security capabilities using a library called AppConnect. For Android devices, mobile applications that are wrapped with this AppConnect library can then be managed by MobileIron policies and security controls. IBM has developed and an AppConnect enabled version of the IBM Verse for Android application. This application takes advantage of the security features offered by the AppConnect library in environments where MobileIron is deployed.
The MobileIron AppConnect version of IBM Verse for Android provides the following new capabilities:
- Application provisioning: Automatically configure user accounts with the correct IBM Traveler server and user names, so that no manual client configuration is required, other than users supplying their IBM Verse password.
- Access through Sentry: Establish security rich, authorized connections to the IBM Traveler server using the MobileIron Sentry, which are then managed by the MobileIron Core. Connections between IBM Verse and the Sentry are secured using digital certificates that are unique for each mobile device. Using the MobileIron Sentry is optional for IBM Verse, but often desirable as this is used by the IBM Verse app to access the IBM Traveler servers located on company premises.
- Application security enforcement: MobileIron administrators can enforce application security policies within the IBM Verse for Android application:
- On device secure application access: Enforce application level authentication using a common MobileIron passcode shared among all AppConnect enabled applications on the device, preventing access to IBM Verse data when the device is not compliant or when the user is no longer authorized, according to the policies in effect on the MobileIron server.
- Data sharing controls and security: Enforce that IBM Verse data, most notably file attachments, can only be shared with other AppConnect enabled applications.
- Screen capture: Enforce screen capture controls specified by the MobileIron administrator.
- Media Player and Photo Gallery: Prohibit or allow access to the Android Media Player and Photo Gallery from IBM Verse for Android.
IBM Verse widgets are not available for use. Widgets are not supported by the MobileIron AppConnect library.
Operations from the phone dialer (add contact, etc.) cannot select the IBM Verse app.
Enabling MobileIron Features
The following sections describe how to enable MobileIron application management of the IBM Verse for Android application in your MobileIron environment.
Uploading IBM Verse for Android to the MobileIron enterprise app store
Before configuring any settings or policies for the IBM Verse for Android application, you must first add the AppConnect enabled version of IBM Verse to the MobileIron enterprise app storefront for your business. See the MobileIron administration guide for more information. Creating application settings and policies requires that this upload step be completed first. The latest AppConnect enabled version of IBM Verse for Android is available for download from MobileIron.
Secure Network Access
The MobileIron Core and Sentry provide secure, authorized access to the IBM Traveler server for Mail, Calendar, Contacts, and To Do. MobileIron restricts unauthorized apps from accessing the IBM Traveler server using the MobileIron AppTunnel feature. All data sync and communication between the IBM Verse for Android application and the IBM Traveler server is performed over this tunnel. These connections are only allowed by the MobileIron Sentry if this device, application and user meet the security compliance policies established by the MobileIron administrator for your business. Note that using the MobileIron Sentry is optional and it is possible to use the AppConnect version of IBM Verse for Android without using the MobileIron Sentry. IBM Verse for Android will only use the MobileIron Sentry AppTunnel connection if it is configured with the appropriate routing rules. However, if the MobileIron Sentry is used, then the MobileIron AppTunnel feature must be enabled in order for IBM Verse to connect though it. The IBM Verse for Android application uses SyncML for its synchronization protocol, which requires AppTunnel enablement if the Sentry is used.
To set up the secure network tunneling capabilities provided by MobileIron, the administrator must first create an AppConnect App Configuration in the MobileIron administration console for the IBM Verse for Android application. The administrator needs to supply the following information:
- The URL and port of the IBM Traveler server being managed by MobileIron
- The address of the MobileIron Sentry
When creating the App Configuration, enter a name and description for the configuration and select the IBM Verse application from the Application selector. Note that the IBM Verse application cannot be selected until it is uploaded and added to your enterprise app storefront. In the AppTunnel section of the configuration, use the IBM Traveler server address for the URL wildcard, omitting, in any path, parts labeled /traveler
. You may use a wildcard, but it is unnecessary, as IBM Verse for Android application does not communicate to anything except the IBM Traveler server. For example, if you have deployed an IBM Traveler server at https://traveler.acme.com/traveler
, enter traveler.acme.com
. Note that this is the hostname or your IBM Traveler server on your internal network. This address is generally not accessible from outside of your network and an externally accessible address is not required. You must also supply the port in the designated column as well as the MobileIron Sentry address in the Sentry column. If your Traveler server is using a secure port with SSL or TLS, the default port number of 443 should be used.
If IBM Mobile Connect (IMC) is used as part of your deployment infrastructure, ensure the IMC server(s) being used include IMC server APAR IV47940. This APAR is a prerequisite, as it resolves an issue with IMC failing to read and deliver certain transaction responses with IBM Verse (most notably that sending an email with an attachment with the Verse application halts syncing) in a MobileIron managed environment.
Use the App-specific configuration parameters to automate the setup of IBM Verse for Android on managed devices.
The configuration parameters are specified as a series of keys and values, both of which are strings. These keys and values are optional but are recommended to ensure an error free deployment. If they are not provided, end users will be prompted to enter the missing information. Note that if these settings are modified after initial deployment, the updated settings are distributed to any client using these settings and IBM Verse for Android honors the updated values. The supported configuration parameters are:
Data Sharing Controls
|com.ibm.mobile.mail.Server||The fully qualified URL used to access the IBM Traveler server. For example:|
|This value must be a fully qualified URL that starts with either "http" (for a non-SSL connection) or "https" (for an SSL connection). The URL must end with "/traveler".|
If this value is not a fully qualified URL, then the Server value will appear blank on the Verse for Android connection screen.
Setting this value is recommended to make deployment easier.
|com.ibm.mobile.mail.Userid||The User ID used to access the IBM Traveler server. ||Use the MobileIron setting $USERID$to specify the MobileIron User ID, if your IBM Traveler User ID is the same. |
Setting this value is recommended to make deployment easier.
|com.ibm.mobile.mail.Password||The IBM Traveler password for the User ID.||This key is not commonly used. If set, then this would typically be $PASSWORD$. |
NOTE: This setting is not recommended, as it overwrites the device settings whenever the application is updated on the Core and passwords are often changed by each user individually.
|com.ibm.mobile.mail.AllowOverride||true or false||The default is false. When false, end users cannot change any setting supplied by the AppConnect settings. To allow users to modify these values, set this property to true.|
|com.ibm.mobile.mail.RejectUntrustedCertificates||false (default) allow the user to see and accept untrusted SSL certificates|
true block connections with untrusted SSL certificates
Data leak prevention settings are described in the MobileIron administration documentation. These policies can be applied to IBM Verse for Android by creating an AppConnect Container Policy for the application, or by setting global policies for all AppConnect apps.
Some settings in the Container Policy (namely, Allow Open In
) are similar to functions available in IBM Traveler server administration. For example, IBM Notes Traveler 126.96.36.199 and later allows administrators to specify a list of apps that should be allowed to open attachments. The MobileIron Container Policy includes a similar capability and the MobileIron managed version of IBM Verse always honors the MobileIron policy instead of the policy configured at the IBM Traveler server. For files, the only supported setting for sharing is to restrict file sharing to other AppConnect enabled applications. MobileIron provides distribution of an AppConnect enabled file data viewer, called ThinkFree Office, which can be used to view file attachments.
In a MobileIron environment, AppConnect enabled applications such as IBM Verse for Android are notified by MobileIron when the application data needs to be restricted or erased. This may happen because the device has been lost, has gone out of security compliance, a forbidden app has been installed, or the user has left the company. When this happens, IBM Verse for Android blocks the application and displays a message (determined by the administrator or Mobile@Work) to the user to explain why they are blocked. Also, if the policy requires it, all local data owned by the application is erased.
Updating the AppConnect enabled version of IBM Verse for Android on mobile devices
As with all MobileIron AppConnect enabled applications, updates to the secure applications are controlled by the administrator and are made available to the mobile device via the Mobile@Work
application. Updates do not come from the Google Play store or from the IBM Traveler server. When using MobileIron, only install the AppConnect enabled version, that is downloaded and installed using Mobile@Work
Behavioral differences when using the AppConnect enabled version of IBM Verse for Android
The AppConnect enabled version of the IBM Verse for Android application behaves differently in some areas when compared to the standard version. This allows IBM Verse to take full advantage of the security features made available by MobileIron and provides a better end user and administrator experience. The differences are summarized here:
Server Security policies
In general, most IBM Verse for Android security policies are now managed by MobileIron. In the cases where a security policy is still set at the IBM Traveler server for Android devices but the same policy can be managed by MobileIron, then the IBM Verse for Android application ignores the policy setting from the IBM Traveler server. The following table shows the Android security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse for Android application or ignored. A few settings are honored by the IBM Verse for Android application, as MobileIron does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
User interface changes
|IBM Traveler Policy||IBM Verse for Android Behavior |
|Require device password||Ignored – managed by MobileIron|
|Device password - type||ignored – managed by MobileIron|
|Device password - minimum length||ignored – managed by MobileIron|
|Device password - autolock timeout||ignored – managed by MobileIron|
|Device password - expiration period||ignored – managed by MobileIron|
|Device password - history count||ignored – managed by MobileIron|
|Device password - wrong passwords before wiping device||ignored – managed by MobileIron|
|Device password - prohibit unencrypted devices||ignored – managed by MobileIron|
|Require Application password||ignored – managed by MobileIron|
|Application Password - wipe after X failed attempts||ignored – managed by MobileIron|
|Application Password - auto lock period||ignored – managed by MobileIron|
|Disable Local password storage||ignored|
|Prohibit Copy to clipboard||honored|
|Prohibit Export of attachments to File System||honored|
|Prohibit download of attachments||honored|
|Allow only approved applications to access attachments ||ignored – managed by MobileIron, only supports sharing attachment data with other AppConnect enabled applications.|
|Prohibit Camera||ignored – managed by MobileIron|
|Require external domain validation||honored|
|Prohibit Devices incapable of security enablement||Ignored – all AppConnect enabled versions of the IBM Verse for Android application are considered capable of security enablement.|
There are several changes to the user interface for the AppConnect version of IBM Verse for Android:
Internal behavior changes
- The device identifier that is visible on the About screen contains the text “com.mobileIron”.
- The IBM Verse application requests configuration from MobileIron to use in the initial configuration wizard.
- The Android Device Administrator for IBM Verse is no longer required.
- Configuration settings that are provided by MobileIron are unavailable for update using the IBM Verse configuration wizard when App-Specific configuration is provided, and:
- Contains the “ServerUrl” parameter
- Does not contain the “AllowOverride” parameter, or the “AllowOverride” parameter is provided and set to “true”.
- When applicable, these settings are visible but grayed out. They include:
- The setting 'Application Updates > Ask before download' has been disabled. In this environment, Mobile@Work manages all application updates.
- The menu item 'Tools > Uninstall' has been removed. To uninstall IBM Verse, use the Android application manager accessed through Android Settings.
- The menu item 'Tools > Security' has been removed. All security compliance is managed by MobileIron in this environment. Review the Mobile@Work application to view any security compliance information.
- The menu item 'Tools > Check for Update' has been removed. In this environment, all application updates are performed by MobileIron. Review the Mobile@Workapplication to determine if there are updates available for the IBM Verse application.
There are internal changes to be aware of when running the AppConnect enabled version of IBM Verse for Android:
- The IBM Verse application does not doubly encrypt its data; all data stored or accessed by IBM Verse in this environment is encrypted by the MobileIron secure container.
- The IBM Verse application does not check the IBM Traveler server for updates to itself. All program updates are managed by MobileIron and accessed using the Mobile@Work application on the device.
|Date:||Notes Traveler Changes||MobileIron Changes|
|October 6, 2015||IBM Verse 188.8.131.52 build |
File name: IBMVerse_184.108.40.206_201509301310_Ace220.127.116.11.apk
Major Release content update to version 18.104.22.168
-See IBM Verse for Android Fixes by Release for a list of fixes included in this release.
|August 28, 2015||IBM Verse 22.214.171.124 build 201508191619|
File name: IBMVerse_126.96.36.199_201508191619_Ace188.8.131.52.apk
Minor fix release. See IBM Verse for Android Fixes by Release for a list of fixes included in this release.
|June 18, 2015||IBM Verse 184.108.40.206 build 201506151926|
File name: IBMVerse_220.127.116.11_201506151926_Ace18.104.22.168.apk
Major Release content update to version 22.214.171.124
- IBM Traveler has been renamed to IBM Verse
- Supports Android 4.0 and higher devices
- Support for Needs Action
- Material Design interface changes
|November 25,2014||IBM Traveler build 126.96.36.199 201411210833|
File name: IBMNotesTraveler_188.8.131.52_201411210833-184.108.40.206.52-27.p.apk
Major Release content update to version 220.127.116.11
- SmartCloud choice before login
- Fixes and performance improvements
** Note: This version will be the last version available for Android 2.x and 3.x devices.
|October 17,2014||IBM Traveler build 18.104.22.168 201410101259|
File name: NotesTraveler_9012_20141010-1259_mobileiron.aligned.p.apk
Major Release content update to version 22.214.171.124
- Create contact from dialer
- Reply without history/attachments
- Performance improvements in contacts app
|August 7, 2014||IBM Traveler build: 126.96.36.199 201408041714|
File name: IBMNotesTraveler-ACe_188.8.131.52_201408041714-184.108.40.206.43-101.p.apk
Major release content update to version 220.127.116.11
- New gesture driven interface, including: action bar, navigation drawer, persona pictures, revised multi-select, right to left swipe on individual e-mails in inbox, mail response indicator
- New IBM Notes Traveler Contacts app, including: ability to export Traveler contacts (setting), show local device contacts (setting)
- View other calendars (color coded) within the Traveler calendar views (Show Local Calendar setting)
- Create Calendar events from e-mail (auto populates subject, description, attendees)
- Edit e-mail history when replying (Respond Inline)
- Improved experience for phone users, with no hard menu button (action bar)
- Improved Status screen with icons to launch Mail, Calendar, Contacts, and ToDo
|April 17, 2014||Traveler build: 18.104.22.168 201404021602|
LO79465 -UNABLE TO VIEW PERSONAL FOLDERS ON TRAVELER ANDROID WITH OS 4.X
LO79714 -LED NOTIFICATION NOT WORKING FOR TRAVELER ON SOME 4.X ANDROID OS VERSIONS
LO79754 -UNCOMMON FILE EXTENSIONS DO NOT LAUNCH FROM TRAVELER
LO79747 -EMAIL ADDRESS IN INCORRECT WHEN USING REPLY ALL FROM ANDROID TRAVELER
LO79796 -OUT OF OFFICE BODY FIELD IS TOO SMALL ON ANDROID WHEN EDITING LARGE BODY MESSAGE
|Secure Application Manager: 22.214.171.124.8|
File Name: SecureAppsManager-126.96.36.199.9p.apk
- CE-1830 -Battery Draining Issue - V5.9 traveler
- CE-2147 -AppConnect wrapped version of Notes Traveler for Android as high CPU drain
- LP-3563 -LNT isn't syncing with server via tunneling after 30 mins
- LP-3421 -Negative file size exception seen by customers