
Prohibit Outlook for iOS and Android to use Traveler

 February 1 2015 12:47:25 PM
Last week Microsoft released an Outlook app for iOS and Android. The App itself is beautiful and we can see some good ideas IBM will ship with IBM Verse, too.

But from an enterprise security perspective the Microsoft Outlook app is a total nightmare. Microsoft is storing the user credentials on their own servers and is caching all transferred mails on their servers. A Microsoft server reads, caches and monitors your mail file and transfers the data to the device. I think this is a no go! Details can be found here: Warning – Microsofts Outlook App for iOS breaks your company security

As an administrator, you may not want your users to use the Outlook app against your enterprise IBM Notes Traveler system.

So how can you block the Outlook App?

Traveler lets you control which client types can access your Traveler server. This is based on the HTTP User Agent and the transferred OS type, which the client application sends with every HTTP request.

The User Agent of the MS Outlook app, or rather of the Microsoft server monitoring your mail file, is: Outlook-iOS-Android

You can control the allowed User Agents via notes.ini. If you are using IBM Notes Traveler 9.0.1, these User Agents are allowed by default:

NTS_USER_AGENT_ALLOWED_ANDROID = true
NTS_USER_AGENT_ALLOWED_APPLE = true
NTS_USER_AGENT_ALLOWED_BB = true
NTS_USER_AGENT_ALLOWED_NOKIA = true
NTS_USER_AGENT_ALLOWED_OUTLOOK = true
NTS_USER_AGENT_ALLOWED_WINPC = true
NTS_USER_AGENT_ALLOWED_WINPHONE = true
NTS_USER_AGENT_ALLOWED_WINTABLET_RT = true
NTS_USER_AGENT_ALLOWED_WM = true  
NTS_USER_AGENT_ALLOWED_REGEX = .*

If you don’t find these entries in your notes.ini, then you are using the default settings.
You can check your current settings with the console command tell traveler config

The easiest solution would be to set


NTS_USER_AGENT_ALLOWED_REGEX =^((?!Outlook-iOS-Android).)*$


This blocks devices, or rather apps, that use the Outlook-iOS-Android User Agent, but allows all the others.

After adding or changing your notes.ini entries you will have to restart your Traveler server.

That's it!

For your information:
Setting NTS_USER_AGENT_ALLOWED_OUTLOOK to "false" will not work in this case, because the User-Agent "Outlook-iOS-Android" contains "Android", so Traveler will handle it as an Android device and not as an Outlook device.
So the only way is to define a matching regex via NTS_USER_AGENT_ALLOWED_REGEX and block the User Agent there.
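An added example, not part of the original post: a small check to run on a candidate NTS_USER_AGENT_ALLOWED_REGEX value before it goes into notes.ini. It assumes Traveler matches the pattern against the whole User-Agent string and uses Python's re module as a stand-in for Traveler's regex engine; the User-Agent samples and the helper names (read_setting, is_allowed, check) are constructed for illustration.

```python
import re

# Constructed notes.ini fragment; the regex line is the one from the post.
NOTES_INI = """\
NTS_USER_AGENT_ALLOWED_ANDROID = true
NTS_USER_AGENT_ALLOWED_OUTLOOK = true
NTS_USER_AGENT_ALLOWED_REGEX =^((?!Outlook-iOS-Android).)*$
"""

# Constructed User-Agent samples (illustrative, not captured traffic).
MUST_ALLOW = ["Apple-iPhone6C1/1202.466", "Android/4.4.2-EAS-1.3"]
MUST_BLOCK = ["Outlook-iOS-Android/1.0", "proxy-prefix Outlook-iOS-Android/1.0"]


def read_setting(ini_text, name):
    """Return the value of `name` from notes.ini-style text, or None."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == name.upper():
            return value.strip()
    return None


def is_allowed(pattern, user_agent):
    """Assumption: the whole User-Agent string must match the pattern."""
    return re.fullmatch(pattern, user_agent) is not None


def check(pattern):
    """Return the samples the pattern classifies wrongly (empty list = OK)."""
    wrong = [ua for ua in MUST_ALLOW if not is_allowed(pattern, ua)]
    wrong += [ua for ua in MUST_BLOCK if is_allowed(pattern, ua)]
    return wrong


if __name__ == "__main__":
    posted = read_setting(NOTES_INI, "NTS_USER_AGENT_ALLOWED_REGEX")
    print("regex from the post, misclassified:", check(posted))
    # A lookahead placed only at the start misses the token later in the string.
    print("prefix-only lookahead, misclassified:",
          check(r"^(?!Outlook-iOS-Android).*$"))
    # The 9.0.1 default allows everything, including the Outlook app.
    print("default .*, misclassified:", check(".*"))
```

The per-character lookahead in the post's pattern rejects the token wherever it appears in the string, which is why it is preferable to a lookahead at the start only.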

But you should keep one thing in mind. Using the NTS_USER_AGENT settings will block the non-matching devices and no data will be transferred to the device. But you may still find a Device Document in your LotusTraveler.nsf, which will look like the entry for my Test 2 Account:


Image:Prohibit Outlook for iOS and Android to use Traveler

If you query the user status via Domino Console: tell traveler user Test 2 Account
You may see a device like this one:

Image:Prohibit Outlook for iOS and Android to use Traveler

If you are running a Reverse Proxy or HTTP Gateway in front of your Traveler system, you can and should try to block the User Agent already there, too.

Or use our product midpoints traveler.rules which accomplishes the same (and more).

Updated version of this post - 03.02.2015: Correcting NTS_USER_AGENT settings. Thanks to Robert S. Sielken from IBM for pointing me to an error in the first version of this post.

 

Comments

1Thorsten  03/08/2015 12:29:34 AM  Prohibit Outlook for iOS and Android to use Traveler

It seems you know quite a lot about Notes Traveler and Outlook. For a project I have to connect to a Domino Server to work with my customer's email. This works fine with iNotes, but this is inconvenient. It also works fine from my iOS devices with the traveler servlet and native Mail, Calendar etc.

On my notebook I am using Outlook 2013. All I get is a POP3 download of my mails. I can't sync, send, or use the Domino calendar.

If iOS works, why does Outlook not? Any ideas?

Thanks

Thos

2Detlev Poettgen  03/08/2015 10:13:16 AM  Prohibit Outlook for iOS and Android to use Traveler

The current Traveler version 9.0.1 supports access via desktop Outlook on an experimental basis. This has to be explicitly enabled by the Domino / Traveler administrator.

IBM plans official support for this towards the end of 2015.

3Andreas  08/17/2015 11:26:27 AM  Prohibit Outlook for iOS and Android to use Traveler

Hello Detlev,

can you please tell me which settings have to be made in Domino/Traveler?

Many thanks!

4Fredrik Norling  12/03/2015 10:06:06 AM  Prohibit Outlook for iOS and Android to use Traveler

Hi,

I've used the Mail client in Win 10 and that one works to sync with Traveler, but if I try Outlook I get an error about user agent. Have you tried this?

/Fredrik

5Detlev Poettgen  12/03/2015 7:22:19 PM  Prohibit Outlook for iOS and Android to use Traveler

Hi Fredrik,

never tested Traveler against Outlook for desktop, because it is not supported. As you may know there will be Hawthorn for this use case.

Kind Regards

Detlev
