In this tip, session speakers Bill Wimer and Paul miller detail the out-of-the-box security features for IBM Notes Traveler around connecting devices, restricting access, remote data wipes, device security policies (iOS, Android, Windows Phone, BlackBerry 10, etc.), and attachment security for iOS and Android.

1. © 2014 IBM Corporation
ID611: Mobile Security Roundup
Bill Wimer, IBM Senior Technical Staff
Paul Miller, IBM Notes Traveler & IMC Development Manager

2. 22
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole
discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied
on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver
any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole
discretion
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The
actual throughput or performance that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve
results similar to those stated here.
Please Note

3. 66
Out of the box security features

4. 7
Notes Traveler – Connecting Devices
 Data in motion is encrypted
− All device clients support SSL
connections
− Notes Traveler server can enforce that
and SSL connection is required
 Administrator can block devices of a
specific type or class (
https://ibm.biz/BdRZSi )
 Administrator can require that devices must
be pre-approved before they can sync
data

5. 8
Notes Traveler – Restricting Access
 Only users that are authorized to use this server can
connect devices to the server

6. 9
Notes Traveler – Restricting Access
 Require devices to connect
from a specific IP address or
range of addresses

7. 10
Notes Traveler – Restricting Access
 Administrator can explicitly deny access to specific
devices

8. 11
Notes Traveler – Remote data wipe
 Performed by administrator
(admin console) or device owner
(self service user page)
 Option to erase just Notes
Traveler data or reset the
device to factory settings
 Once wiped, administrator (or
user) must clear wipe command

9. 12
Notes Traveler - Device security policies
 Notes Traveler Administrator can define basic device security policies using the Notes
Traveler administration console (https://traveler_host/LotusTraveler.nsf)
− If policies change, they are pushed to the devices
− Device enforces policies, locks out the application if device is not compliant
 Security capabilities vary slightly by device type

10. 13
Notes Traveler – Apple iOS security policies
 Most settings
enforced using
Apple EAS account
 Settings apply to
entire device, not
just PIM account

11. 14
Notes Traveler – Windows Phone/RT/Pro security policies
 Most settings
enforced using EAS
account
 Settings apply to
entire device, not
just PIM account

12. 15
Notes Traveler – BB10 security policies
 Most settings enforced
using EAS account
 Settings only apply if
device is not managed
via BES 10
 Use BES 10 policies to
separate work and
personal data

13. 16
Notes Traveler – Android security policies
 Notes Traveler client
installs Android Device
Administrator account
 Supports both device
wide policies and Notes
Traveler application only
policies

14. 17
Notes Traveler – Attachment security policies
 Problem
− Attachment file data can be “opened in” untrusted or unapproved 3rd party
applications
− Business no longer able to control access to the file data
− Could be uploaded to Dropbox or other cloud based service
− Shared with editors that allow “save as” to the SD Card
 Solution
− Notes Traveler Attachment Security Policies
− IBM Notes Traveler Clients and Administration updated for 9.0.0.1
− Policy is administered via Notes Traveler web based administration
− Clients Supported
 Apple iOS using Traveler Companion
 Notes Traveler for Android (9.0.0.1+ version)

15. 18
Notes Traveler – Attachment security policies
 Administrator defines attachment handling policies
− View only option for files where the platform supports embedded viewing (iOS)
− Define which applications are allowed to consume attachments (Approved
Applications)
 Notes Traveler clients modified to recognize attachment policies and limit attachment
sharing
 Advantages
− Can be used out of the box with a small amount of definition needed by the
administrator
− No additional software or hardware requirements (no separate MDM solution needed)
− No application wrapping, app vendor integration or testing of wrapped applications
required
− Able to leverage built-in viewer technology on iOS

16. 19
 Traveler administrator enables a policy to only
allow built-in viewers or approved applications to
access attachments
Notes Traveler – Attachment security policies
Android
Apple iOS

17. 20
 Notes Traveler clients
enforce that attachments
can only be shared with
applications in this list
 Changes to Approved
Application list are
pushed to clients
 Notes Traveler administrator defines list of Approved Applications for attachment handling
 If no applications are defined, only built-in viewers are allowed (where supported)
Notes Traveler – Attachment security policies

18. 21
 User clicks on attachment in email. If Approved Applications are installed, user selects
which application to use to view the file.
 Only viewers defined by the administrator as an Approved Application are considered for file
handling.
 Allows for disconnected viewing/handling of attachments
 3rd party viewer unless open document format (Lotus Symphony)
Notes Traveler – Attachment security for Android

19. 22
 No file attachments are present in the Apple
iOS mailbox
 Built-in viewing scenario
 File data never leaves Companion
Traveler Companion AppApple iOS Email App
Supported document types
 Microsoft Office documents
 Rich Text Format (RTF)
documents
 PDF files
 Images
Attachment security for iOS  iWork documents
 Text files
 Comma-separated
value (csv) files

20. 23
 Traveler Companion using Approved Applications
− Open In menu will display all possible apps, as there is no way to suppress
individual apps from the list
− If user selects an app that is not approved, Open In operation fails with message
− Apps defined using Approved Applications use Open In normally
Long
Press
Attachment security for iOS

21. 6161
© Copyright IBM Corporation 2014. All rights reserved.
 U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 IBM, the IBM logo, ibm.com, Domino and Notes are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If
these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law
trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
MobileIron is a trademark of MobileIron, LLC.
Airwatch is a trademark of Skysocket, LLC.
Fiberlink is a trademark of Fiberlink Communications Corporation.
Other company, product, or service names may be trademarks or service marks of others.
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.
Acknowledgements and Disclaimers