If your organization does not use XenMobile Device Management, then you can skip this article. IBM Verse will continue to run normally in environments that are not managed by XenMobile.
The following components are required at the specified minimum levels.
Managed Application Management (MAM)
- MDX wrapped IBM Verse Android application, version 184.108.40.206 (available upon request from IBM)
- IBM Traveler Server, version 8.5.3 Upgrade Pack 2 (see IBM Traveler maintenance site for latest recommended Traveler server version)
- Worx Home Android application, v10.0.3
- XenMobile Device Manager server, v10.0 (or patched v9.0)
- XenMobile App Controller server, v10.0 (or patched v9.0)
- Android 4.x and 5.x devices
- Verse widgets not supported
IBM Verse can operate in two different modes: "managed", where XenMobile Device Management is in use and manages application security, and "unmanaged", where an organization does not use XenMobile (or does not use it for managing applications). When an organization decides to deploy XenMobile, or remove it from their environment, applications must somehow discover and switch to the new mode.
One typical case occurs when an organization has XenMobile Device Management deployed and begins to use IBM Verse. The simplest approach for managing the IBM Verse application is to first install the Worx Home client on the managed device and set up the security policies on the XenMobile Device Manager and App Controller servers. When IBM Verse starts, it will detect that Worx Home is installed and configured, and will change its behavior accordingly.
If an organization deploys XenMobile after IBM Verse is already in use, then it will need to be reinstalled from the Worx Home application Store. In either case, you can tell if IBM Verse is in managed mode by looking the "About" screen. If there is a "Managing Agent" section, then IBM Verse is in managed mode. If there is not, then it is in unmanaged mode.
Mobile applications are administered online by the XenMobile App Controller. Users, groups, devices, files,and deployments are administered online by the XenMobile Device Manager. For more information on either console, refer to the Citrix Product eDocumenation regarding the XenMobile App Controller and the XenMobile Device Manager.
Key features of XenMobile for IBM Verse on Android
When a 3rd party application such as IBM Verse incorporates the XenMobile SDK libraries, the following security features can be enabled.
- Authenticate users before accessing managed applications
- App-level tunneling for secure access to corporate data without the need for a device VPN
- Set a timeout for single sign-on login across your managed applications
- Enforce device compliance checks (for example, checking for jail broken devices)
- Restrict copy and paste functionality
- Restrict open-in controls to a set of white-listed applications
- Receive alerts of compliance violations
- Automatically deliver and update policies remotely to the application container based on user and device security postures
There are several limitations to consider when using XenMobile on IBM Verse for Android devices.
Behavioral differences when IBM Verse is in managed mode
- Android 6.x (Marshmallow) devices are not currently supported.
- The App Controller's copy and paste restriction is applied to both managed and unmanaged applications.
- Cannot export files to a /storage/ directory on the device.
- XenMobile's Network Access for IBM Verse should be set to Unrestricted, as Full VPN tunnel and Secure browse modes are not supported.
When IBM Verse is in managed mode, the application behaves differently in a few important ways.
Data sharing controls
- Does not check for application updates on the IBM Traveler server
- Does not register itself as a device administrator
- Does not honor the application password setting from the IBM Traveler server
- Does not show the following menu entries:
- Tools > Uninstall
- Tools > Check for updates
The data leak prevention settings are described in the XenMobile eDocumentation. These policies can be applied to IBM Verse by enabling Policies in the App Restrictions settings of the XenMobile App Controller.
The Document Exchange settings in the App Interaction policy are similar to IBM Traveler server administration functions. For example, IBM Traveler 220.127.116.11 allows administrators to specify a list of apps that should be allowed to open attachments. The XenMobile App Controler includes similar capabilities. When IBM Verse is in a managed mode in the XenMobile environment, they follow a simple rule when deciding which policy to follow: the IBM Verse policy is ignored and the application behavior is dictated by the XenMobile policies.
In a XenMobile environment, managed apps like IBM Verse are notified by XenMobile when the application data needs to be restricted or erased.
This may happen because the device has been lost, has gone out of compliance by resetting the passcode or installing a forbidden app, or the user has left the company. When this occurs, IBM Verse, like any other XenMobile managed application, will block the application UI and present the user with a message (determined by the administrator or XenMobile) why the app is no longer available. Additionally, if required by the policy, the accounts used by IBM Verse and all local data will be erased.
Server security policies
Most IBM Verse for Android security policies are now managed by XenMobile. In the cases where a security policy is still set at the IBM Traveler server for Android devices, but the same policy can be managed by XenMobile, then the IBM Verse for Android application ignores the policy setting from the IBM Traveler server.
The following table shows the Android security policies that can be set by the IBM Traveler server, and whether they are honored by the IBM Verse for Android application or ignored. A few settings are honored by the IBM Verse for Android application, as XenMobile does not yet support these capabilities or the capabilities are specific to IBM Verse application behavior.
Configure the App Controller to allow Citrix managed Verse to join an IBM meeting
|IBM Traveler policy||IBM Verse for Android behavior|
|Require device password ||Ignored – managed by XenMobile |
|Device password - type ||Ignored – managed by XenMobile |
|Device password - minimum length ||Ignored – managed by XenMobile |
|Device password - autolock timeout ||Ignored – managed by XenMobile |
|Device password - expiration period ||Ignored – managed by XenMobile |
|Device password - history count ||Ignored – managed by XenMobile |
|Device password - wrong passwords before wiping device ||Ignored – managed by XenMobile |
|Device password - prohibit unencrypted devices ||Ignored – managed by XenMobile |
|Require Application password ||Ignored – managed by XenMobile |
|Application Password - wipe after X failed attempts ||Ignored – managed by XenMobile |
|Application Password - auto lock period ||Ignored – managed by XenMobile |
|Disable Local password storage ||Ignored – managed by XenMobile |
|Prohibit Copy to clipboard ||Ignored – managed by XenMobile |
|Prohibit Export of attachments to File System ||Honored |
|Prohibit download of attachments ||Honored |
|Allow only approved applications to access attachments ||Ignored – managed by XenMobile |
|Prohibit Camera ||Ignored – managed by XenMobile |
|Require external domain validation ||Honored |
|Prohibit Devices incapable of security enablement ||Honored |
Add the following intents to Open-in exclusions (App Controller > Verse app > Policies > App interaction > Open-in exclusions):
Traveler Server Configuration MDX Policies
When configuring IBM Verse for Citrix on the Xenmobile App Controller you will see an additional section titled "IBM Notes Travler Settings" with one policy "IBM Notes Traveler server address" that can be used to prepopulate the server information for users when they are initially configuring IBM Verse for Citrix on their Android device. The format of the policy value is "https://example.com:8890/traveler
". The default value of this policy is empty.