fighting for truth, justice, and a kick-butt lotus notes experience.

Prohibit Outlook for iOS and Android to use Traveler

February 1 2015 12:47:25 PM
Last week Microsoft released an Outlook app for iOS and Android. The app itself is beautiful, and we can see some good ideas that IBM will ship with IBM Verse, too.

But from an enterprise security perspective, the Microsoft Outlook app is a total nightmare. Microsoft stores the user credentials on its own servers and caches all transferred mail on its servers. A Microsoft server reads, caches and monitors your mail file and transfers the data to the device. I think this is a no go! Details can be found here: Warning – Microsofts Outlook App for iOS breaks your company security

As an administrator, you may not want your users to use the Outlook app against your enterprise IBM Notes Traveler system.

So how can you block the Outlook App?

Traveler lets you control which client types can access your Traveler server. This is based on the HTTP User Agent and the transferred OS type, which the client application sends with every HTTP request.

The User Agent of the MS Outlook app, or rather of the Microsoft server monitoring your mail file, is: Outlook-iOS-Android

You can control the allowed User Agents via notes.ini. If you are using IBM Notes Traveler 9.0.1, these User Agents are allowed by default:

NTS_USER_AGENT_ALLOWED_ANDROID = true
NTS_USER_AGENT_ALLOWED_APPLE = true
NTS_USER_AGENT_ALLOWED_BB = true
NTS_USER_AGENT_ALLOWED_NOKIA = true
NTS_USER_AGENT_ALLOWED_OUTLOOK = true
NTS_USER_AGENT_ALLOWED_WINPC = true
NTS_USER_AGENT_ALLOWED_WINPHONE = true
NTS_USER_AGENT_ALLOWED_WINTABLET_RT = true
NTS_USER_AGENT_ALLOWED_WM = true  
NTS_USER_AGENT_ALLOWED_REGEX = .*

If you don’t find these entries in your notes.ini, then you are using the default settings.
You can check your current settings with the console command tell traveler config

The easiest solution would be to set


NTS_USER_AGENT_ALLOWED_REGEX =^((?!Outlook-iOS-Android).)*$


This blocks devices, or rather apps, that use the Outlook-iOS-Android User Agent, but allows all the others.

After adding or changing your notes.ini entries you will have to restart your Traveler server.

That's it!

For your information:
Setting NTS_USER_AGENT_ALLOWED_OUTLOOK to "false" will not work in this case, because the User-Agent "Outlook-iOS-Android" contains "Android", so Traveler handles it as an Android device and not as an Outlook device.
So the only way is to define a matching regex via NTS_USER_AGENT_ALLOWED_REGEX and block the User Agent there.

But you should keep one thing in mind. Using the NTS_USER_AGENT settings will block the non-matching devices, and no data will be transferred to the device. But you may still find a Device Document in your LotusTraveler.nsf, which will look like the entry for my Test 2 Account:


[Image: Prohibit Outlook for iOS and Android to use Traveler]

If you query the user status via Domino Console: tell traveler user Test 2 Account
You may see a device like this one:

[Image: Prohibit Outlook for iOS and Android to use Traveler]

If you are running a Reverse Proxy or HTTP Gateway in front of your Traveler system, you can and should try to block the User Agent already there, too.

Or use our product midpoints traveler.rules which accomplishes the same (and more).
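The allow-list regex from this post can be checked offline before the Traveler restart, and the same check run over an HTTP access log shows which accounts are still sending the blocked User Agent. This is an added example, not code from the original post or from IBM; the combined log format, the request path, the user names and the full User-Agent strings are constructed assumptions.

```python
import re
from collections import Counter

# Value of NTS_USER_AGENT_ALLOWED_REGEX from the post.
ALLOWED = re.compile(r"^((?!Outlook-iOS-Android).)*$")

# Assumed combined log format: ip - user [time] "req" status bytes "ref" "ua"
LOG_LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_allowed(user_agent):
    """True if the allow-list regex accepts the User-Agent.

    Assumption: the regex is applied to the complete User-Agent string.
    The negative lookahead is tested at every position, so the token is
    rejected wherever it appears, not only at the start.
    """
    return ALLOWED.fullmatch(user_agent) is not None

def blocked_clients(log_lines):
    """Count requests per authenticated user that the regex rejects."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and not is_allowed(m.group("ua")):
            hits[m.group("user")] += 1
    return hits

# Constructed sample data (addresses, users and User-Agent strings invented).
REQ = '"POST /traveler HTTP/1.1" 200 512 "-"'
SAMPLE_LOG = [
    f'192.0.2.10 - alice [01/Feb/2015:12:00:01 +0100] {REQ} "Apple-iPhone6C1/1202.466"',
    f'198.51.100.7 - bob [01/Feb/2015:12:00:05 +0100] {REQ} "Outlook-iOS-Android/1.0"',
    f'198.51.100.7 - bob [01/Feb/2015:12:00:09 +0100] {REQ} "Outlook-iOS-Android/1.0"',
    f'192.0.2.22 - carol [01/Feb/2015:12:00:12 +0100] {REQ} "Android-SAMSUNG/101.403"',
]

if __name__ == "__main__":
    for ua in ("Apple-iPhone6C1/1202.466", "Outlook-iOS-Android/1.0"):
        print(ua, "allowed" if is_allowed(ua) else "blocked")
    print(dict(blocked_clients(SAMPLE_LOG)))
```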

Updated version of this post - 03.02.2015: Correcting NTS_USER_AGENT settings. Thanks to Robert S. Sielken from IBM for pointing me to an error in the first version of this post.

 
