IBM Traveler and Verse: Device Security and Administration Overview
Devin S. Olson - IBM Champion
Red Pill Now – 07 November 2016
Introduction
There currently seems to be a great deal of confusion about IBM Traveler and Verse with regard to
device security and administration. The necessary overview information is available from IBM, but it is
rather dispersed and somewhat difficult to track down in a single concise location. This document will
attempt to answer some of the most common points of confusion and concern for those considering a
Traveler deployment in their Domino environment without necessarily having IBM Connect or Cloud
solutions in place.
Terminology
IBM Traveler
This is the name of the Domino server add-in that provides non-browser mail services to mobile client
devices (cell phones, tablets, etc.). It is also the old name of the client app used on these client devices.
IBM Verse
This is the name of the IBM product solution which provides access to the suite of IBM Mail, Calendar,
Contacts, and Connections information. It is also the new name of the client app used to access both
the Verse suite stuff and IBM Traveler information. IBM Verse currently requires an IBM Cloud
implementation in order to provide access to the suite information.
IBM VOP (Verse On-Premises)
This is the current term (and likely product name) for the IBM product solution which will provide access
to the same suite of IBM Mail, Calendar, Contacts, and Connections information while allowing the
customer to keep all of their information on premises, within their own network or data center. IBM
has discovered that many of their current and future customers do not want to move their data to the
IBM Cloud, which has prompted the push for this product solution to become a reality as soon as
possible.
The important distinction here is that for the rest of this document if I mention IBM Verse I am referring
to the client app which interacts with the IBM Traveler server; not the Verse Cloud or VOP solution.
Security and Administration
Supported Devices
The following devices are supported by IBM Traveler:
Apple iOS devices
Android devices
BlackBerry 10
Windows Phone
Windows Surface RT and Pro
Nokia Series 60 w/ Symbian
Windows Mobile
Encryption
Data in Transit
Encryption of data while in transit (to or from the device via HTTPS) is supported for all supported
devices.
SHA-2 / TLS 1.2 and Apple iOS devices
With the release of iOS 9, Apple has defaulted to using TLS 1.2 ciphers for secure connections.
This means that the Traveler server or any network component in front of Traveler that will receive such
incoming connections from iOS 9 (or later) devices must be able to support TLS 1.2 ciphers in order for
the device to make a successful connection.
In order to support Apple devices running iOS 9 or later, IBM Traveler version 9.0.1.7 (or later) must be
installed, along with Domino server 9.0.1 Fix Pack 3 Interim Fix 2 (or later). In addition, SHA-2
certificates must be installed on the server.
While other devices will still be able to connect to Traveler versions that do not support TLS 1.2 and that
use SHA-1 certificates, the security of those connections cannot be ensured, and this configuration
should be avoided.
It is strongly recommended that all Traveler and public facing Domino environments be upgraded to
support TLS 1.2 with SHA-2 certificates.
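A quick way to verify the two requirements above from the outside (the endpoint negotiates TLS 1.2 and presents a SHA-2 signed certificate) is shown below. This is an added example, not code from IBM or from the original slides; the hostname is assumed to be whatever Traveler or proxy endpoint the iOS devices connect to, and `constructed_cert` builds synthetic certificate-shaped bytes purely so the parser can be exercised offline.

```python
import socket
import ssl

# Signature-algorithm OIDs (DER content bytes) -> (name, is SHA-2 family).
# SHA-1 signed certificates are the legacy case the text says to retire.
SIGNATURE_OIDS = {
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", False),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d01010c"): ("sha384WithRSAEncryption", True),
    bytes.fromhex("2a8648ce3d040302"): ("ecdsa-with-SHA256", True),
}

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certificate_signature_algorithm(der):
    """Return (name, is_sha2) for the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, pos)                # tbsCertificate: skipped whole
    tag, alg_start, _ = _tlv(der, tbs_end)        # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIGNATURE_OIDS.get(der[oid_start:oid_end], ("unknown", False))

def check_traveler_endpoint(host, port=443):
    """Connect requiring TLS 1.2 or newer, as iOS 9+ does; report protocol and cert signature."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, sha2 = certificate_signature_algorithm(tls.getpeercert(binary_form=True))
            return tls.version(), name, sha2

def constructed_cert(oid_hex):
    """Constructed Certificate-shaped DER (not a real certificate) for offline testing."""
    oid = bytes.fromhex(oid_hex)
    tbs = bytes.fromhex("3003020102")             # SEQUENCE { INTEGER 2 } stands in for tbsCertificate
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"  # SEQUENCE { OID, NULL }
    body = tbs + alg + b"\x03\x02\x00\xff"        # BIT STRING placeholder for signatureValue
    return bytes([0x30, len(body)]) + body
```

If the handshake fails with the TLS 1.2 floor in place, or the returned signature name is a SHA-1 variant, the server (or the proxy in front of it) still needs the upgrade described above.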
Data at Rest
Encryption of the data at rest (on the device itself) is supported with the following caveats:
Apple iOS: Supported with Domino policies or IBM Traveler device preferences and security
settings. Whole-device encryption can be enabled and enforced with the security policies
in IBM Traveler. iPhones that do not support hardware encryption can be blocked. iPhone 3GS,
iPhone 4 and above, and the iPad support hardware encryption. First-generation iPhone and
iPhone 3G do not.
Android Devices: The mail body and all attachments are encrypted using AES 256-bit encryption,
whether they are stored on an SD card or in internal phone storage. The rest of the data is stored
unencrypted in phone storage. This is implemented based on the Android application security
model.
Windows Phone: Supported with Windows Phone 8 or higher versions.
BlackBerry 10, Windows Surface RT, Windows Surface Pro: Supported
Nokia Series 60: Only supported on Symbian^3 devices. Enforceable using Domino policies or
IBM Traveler device preferences and security settings. Storage cards can be encrypted.
Windows Mobile: Storage cards can be encrypted. Data in native PIM and mail applications is
not encrypted, except for Domino encrypted mail.
Domino Encrypted Mail
Domino Encrypted Mail, where the mail message is itself encrypted, is supported for all devices except
the Windows Surface RT and Windows Surface Pro, with the following caveats:
Viewing mail and attachments, sending, forwarding, and replying to encrypted mail are all
supported. Encrypted calendar invitations are not supported. Copy / Paste options for
encrypted mail are disabled and not allowed. Encrypted attachments can only be opened in
(detached to) other client applications which have been pre-approved by the Traveler
administrator.
Apple iOS devices require the IBM Traveler Companion application (available on the iTunes store) to
manage the user's Notes ID encryption keys.
BlackBerry 10 devices require a BES (BlackBerry Enterprise Server) to send encrypted mail from
the device.
Remote Wipe
Should the device become lost or stolen, the ability for an administrator to remotely wipe the IBM
Traveler data store is supported for all devices. The ability for an administrator to remotely wipe the
entire device is also supported, with the following caveats:
Android device wipe requires Android 2.2 or higher.
BlackBerry 10 devices managed by a BES can have the entire device wiped or only the work
perimeter.
Administration Settings
IBM Traveler provides a set of default device preferences and security settings. These settings should be
reviewed by the Administrator prior to rolling out a Traveler instance for their environment.
Traveler Administration Database
The IBM Traveler administration database contains a default device setting document that is initialized
with the default settings. This document contains a variety of system-wide settings which can be
configured by the Administrator. Additionally, it contains several subsets of device-specific settings for
individual device types.
Once this is set up, when an authorized user connects to the Traveler server using an authorized
device, a device-specific settings document is created. It is from this document that the Administrator
can take any necessary security actions for the specific device, such as denying access, wiping, or
changing approval.
Domino Policies
For IBM Domino / Traveler releases prior to 8.5.1, these settings had to be implemented using
Traveler-specific Policy Settings document(s). This is still supported, though no longer required.
Domino policies provide additional flexibility and functionality but are more difficult to use than the
default device settings document in some environments. The advantage of using Domino policies is the
ability to assign different device preferences and security settings by user, group, or organization. The
default settings document does include a mechanism to include or exclude users, groups, and
organizations, but it is much more limited than Domino policies. Users to which the default settings
document does not apply receive the IBM Traveler built-in defaults if they do not have a Domino policy.
These hard-coded defaults are the same as the default settings document. With Domino policies, you
can define different settings for every user. The limited include/exclude support of the default settings
document allows you to have two sets of defaults: those defined in the default settings document, and
the built-in IBM Traveler defaults.
NOTE: If settings and security policies are defined for a user in both a Domino policy and in the IBM
Traveler default settings document, the Domino policy settings are used.
Summary
IBM Traveler is very well versed, is fairly easy to configure and deploy, and provides adequate features,
security, and administration capabilities for most environments. Advanced security settings are not
difficult to configure, although the IBM documentation can make it seem more daunting than it really is.
Links / Suggested Reading:
IBM
Using Verse Mobile:
http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/UsingVerseMobile.html
Server Synchronized Settings:
https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/Server_synchronized_settings.html
Verse Offline FAQ:
http://www-01.ibm.com/support/docview.wss?uid=swg21978542
IBM Verse Apple Devices:
http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/iOSVerseNeedtoKNow.html
Planning for Security:
http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/planningforsecurity.html
Assigning Preference and Security Settings:
http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/Pushing_configuration_to_a_device.html
Apple devices with iOS 9 connectivity Technote:
http://www-01.ibm.com/support/docview.wss?uid=swg21967350
Non-IBM Industry Experts
Darren Duke (Simplified Technology Solutions) - Using IBM Traveler with a proxy:
https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/using-ibm-lotus-traveler-with-a-proxy....food-for-thought-before-you-do-this.htm
Gabriella Davis (The Turtle Partnership) – Traveler Management, Security and Performance:
www.slideshare.net/gabturtle/ibm-traveler-management-security-and-performance
About Devin S. Olson
Who Am I?
Christian
Husband
Father
Biker, Brewer, Friend
What do I do?
Senior Consultant at Red Pill Now
IBM Champion
Notes / Domino consultant since 1995
MCP
PCLP SA/AD R4.6, R5, R6, R7
Beer Snob (Anheuser-Busch Certified Beer Master)
www.redpillnow.com
www.LearningXPages.com
Contact:
devin@redpilldevelopment.com
devin.olson@azlighthouse.com
twitter, skype: @spanky762
facebook: default.xsp