Android for Work and IBM Verse for Android Devices
This article highlights the Android for Work (AFW) integration features included with the IBM Verse for Android app, and how to take advantage of them in your deployment.
Organizations using Android for Work to manage their mobile applications are now able to deploy Android for Work application management capabilities with IBM Verse for Android, including the ability to provision application configuration settings, and enforce Android for Work security policies. This Android for Work capability is built directly into the base version of IBM Verse for Android that is delivered to mobile devices using Google Play and can be activated by following the instructions in this article.
The following components are required at the specified minimum levels.
- IBM Connections Cloud or IBM Traveler server 22.214.171.124 (or later). To take advantage of the MAM Required policy, enforcing access to an on-premises Traveler Server only through an MDM managed application, IBM Traveler server 126.96.36.199 is required.
- An Enterprise Mobility Manager (EMM) capable of managing Android for Work profiles (for example, Google, MaaS360, MobileIron, Citrix or AirWatch).
- The Device Policy Controller (DPC) of the Android for Work provider installed on the mobile device.
- An Android for Work capable device, which is any device running Android 5.1 (Lollipop) or higher. Some Android 5.0 devices are Android for Work capable, but not all are.
Check with your EMM provider for any minimum requirements they impose on the components needed to support Android for Work.
Binding Android for Work to an EMM
Your EMM must be configured to enable Android for Work and recognize Android for Work users. The following URL provides an overview for configuring a third party EMM provider for Android for Work: https://support.google.com/work/android/answer/6174046.
Some of the steps for enabling an EMM administrator console for Android for Work vary from provider to provider and we recommend that you consult your EMM documentation on exactly how the EMM manages AFW devices.
Making Apps available for Android for Work
Once an EMM is bound to Android for Work for a domain, the Google administrator for the domain can navigate to Google Play for Work and approve the apps to be used by users. Once the apps are approved in Google Play, they must be added to the EMM administration console.
Managing IBM Verse for Android using Android for Work
The following sections describe how to enable Android for Work application management of the IBM Verse for Android application in your environment.
Use App-specific configuration settings to automate the setup of IBM Verse for Android on managed devices.
The configuration settings are specified by updating the custom settings of the IBM Verse for Android app in the EMM administration console.
There are two types of custom Verse app settings that are configured using Android for Work: enforced or locked settings, and preferences.
Settings that have a corresponding "Lock" option are preferences. If you enable the lock option for a preference, its value is enforced. If you do not enable the lock option, the value is applied as the default, but the mobile app user can adjust it in the Verse app. A setting that has no corresponding lock option is enforced as soon as you provide a value for it, and the user cannot change it.
For example, the setting called Server URL lets an administrator provide the exact hostname or connection URL that the managed Verse app uses to connect to its IBM Traveler server. If a value is provided for Server URL, it is locked and cannot be changed in the Verse app by a mobile user. The setting called Mail: Remove Mail older than is a preference that can be provided as a default value. You can change it to any value suggested in the list, and when a mobile user installs the app for the first time on a new device they receive the value you set as the default. If you want to enforce that value AND prevent the user from changing it, enable the setting called Lock Remove Mail older than.
Note: An unlocked setting is applied only if the app does not already have a value stored for it. Once a value is stored, the app assumes either that the initial configuration has already been applied or that the user deliberately changed the value, and it does not override it. A locked setting is always enforced.
Note: Settings can also be configured at the Traveler server. The EMM setting takes precedence unless the server setting is locked. A locked server setting takes precedence over the EMM setting, which is ignored, and the user cannot modify the setting. It is recommended that all Android for Work settings be managed through the EMM rather than through the Traveler server.
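The lock, preference and server-precedence rules above combine in a way that is easy to get wrong when debugging why a device shows a particular value. The following is an added illustration, not code from IBM Verse or from any EMM: it models the rules as a small resolver. The setting keys, the shape of the inputs and the fallback order used when the EMM provides no value at all are assumptions made for the example.

```python
"""Effective-setting resolution for IBM Verse for Android under Android for Work.

Added illustration modelling the lock/preference and server-precedence rules
described in the article; it is not code from IBM Verse or any EMM. Setting keys,
the shape of the inputs and the fallback order when the EMM provides no value are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict

# Settings with no corresponding "Lock" option (Server URL and User ID are the
# article's examples): any EMM-provided value is enforced.
ALWAYS_ENFORCED = {"server_url", "user_id"}


@dataclass
class Inputs:
    emm: Dict[str, Any] = field(default_factory=dict)            # EMM app configuration values
    emm_locks: Dict[str, bool] = field(default_factory=dict)     # "Lock <setting>" options
    server: Dict[str, Any] = field(default_factory=dict)         # Traveler server settings
    server_locks: Dict[str, bool] = field(default_factory=dict)  # server-side lock flags
    stored: Dict[str, Any] = field(default_factory=dict)         # values already in the app


@dataclass
class Resolved:
    value: Any
    enforced: bool   # True: the user cannot change it in the Verse app
    source: str      # "server", "emm", "stored" or "default"


def resolve(name: str, inp: Inputs, default: Any = None) -> Resolved:
    """Apply the precedence rules for one setting."""
    # 1. A locked Traveler server setting wins over everything, including a
    #    locked EMM value, and cannot be changed by the user.
    if inp.server_locks.get(name) and name in inp.server:
        return Resolved(inp.server[name], True, "server")

    # 2. Otherwise an EMM value takes precedence over the server.
    if name in inp.emm:
        locked = name in ALWAYS_ENFORCED or inp.emm_locks.get(name, False)
        if locked:
            return Resolved(inp.emm[name], True, "emm")
        # Unlocked preference: seeds the value only if nothing is stored yet;
        # a stored value (initial config already applied, or user's choice) stays.
        if name in inp.stored:
            return Resolved(inp.stored[name], False, "stored")
        return Resolved(inp.emm[name], False, "emm")

    # 3. No EMM value (assumption for this example): keep what the app stores,
    #    else take the unlocked server value, else the app default; user may change.
    if name in inp.stored:
        return Resolved(inp.stored[name], False, "stored")
    if name in inp.server:
        return Resolved(inp.server[name], False, "server")
    return Resolved(default, False, "default")


def effective_config(inp: Inputs, defaults: Dict[str, Any]) -> Dict[str, Resolved]:
    """Resolve every setting known from any source."""
    names = set(defaults) | set(inp.emm) | set(inp.server) | set(inp.stored)
    return {n: resolve(n, inp, defaults.get(n)) for n in sorted(names)}


# Constructed sample inputs for one managed device (not real data).
DEFAULTS = {"remove_mail_older_than": "5 Days", "truncate_mail_to": "2K",
            "show_past_events": "1 Day"}
SAMPLE = Inputs(
    emm={"server_url": "https://traveler.example.com/traveler",   # assumed hostname
         "remove_mail_older_than": "3 Days", "truncate_mail_to": "10K"},
    emm_locks={"truncate_mail_to": True},
    server={"truncate_mail_to": "2K", "show_past_events": "2 Days"},
    server_locks={"truncate_mail_to": True},
    stored={"remove_mail_older_than": "30 Days"},
)

if __name__ == "__main__":
    for name, r in effective_config(SAMPLE, DEFAULTS).items():
        lock = "locked" if r.enforced else "user may change"
        print(f"{name:24} = {str(r.value):40} ({r.source}, {lock})")
```

In the sample, the EMM's locked 10K truncation loses to the server's locked 2K, the unlocked 3 Days retention does not override the 30 Days the user already stored, and the Server URL is enforced even though it has no lock option.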
Some of the settings that can be configured are listed below, with their default values:

| Setting | Default | Description |
|---|---|---|
| Configuration: Server Type | My Company's Traveler Server | Choose "My Company's Traveler Server" when connecting to an on-premises server; otherwise select IBM Connections Cloud. |
| Configuration: Server URL | none | Hostname or fully qualified URL of your company's Traveler server. Provide this value only when the server type is My Company's Traveler Server. |
| Configuration: Traveler User ID | none | The user ID used to access the IBM Traveler server. |
| Configuration: Password | none | The IBM Traveler password for the user ID. |
| Configuration: Authentication Domain (Cloud) | none | An alternate domain for authenticating with the IBM Cloud. |
| Logging: Enable logging | off | Set to on to enable more verbose app diagnostic logging. |
| Logging: Log size (in K) | 2000 | Maximum log size in KB before the logs wrap. |
| Logging: Problem Report Auto report | true | Whether problems that occur on the device are automatically reported to the server. |
| Configuration: Applications to sync | Mail, Calendar and People | Which applications are synced with data from the server. |
| Mail: Truncate mail to | 2K | Download each email up to the specified truncation size. |
| Mail: Auto download inline images up to | 0 | Automatically download images within email up to the specified size. |
| Mail: Auto download attachments up to | 0 | Automatically download email attachments up to the specified size. |
| Mail: Remove mail older than | 5 Days | Remove mail from the app when it is older than the specified duration. |
| Calendar: Show past events | 1 Day | Show past calendar events for the specified time. |
| Calendar: Show upcoming events | 1 Week | Show future calendar events up to the specified duration. |
| People: Export Verse Contacts | Enabled | Whether Verse contacts are added to the device contacts list (if not blocked by Android for Work policies). |
| Todo: Sync incomplete only | false | Whether only incomplete to-dos are synced to the device from the server. |
| Sync: Peak sync type | Real-time | How often data is synced to the device during peak times. |
| Sync: Off-peak sync type | Real-time | How often data is synced to the device during off-peak times. |
| Sync: Peak days | Monday, Tuesday, Wednesday, Thursday, Friday | Which days of the week include peak sync time periods. |
| Sync: Peak start time | 480 | Minutes past midnight at which peak time starts (480 = 08:00). |
| Sync: Peak end time | 1020 | Minutes past midnight at which peak time ends (1020 = 17:00). |
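Because these values are typed into an EMM console and then pushed to every device receiving the configuration, a few consistency checks before pushing save a round of broken enrolments. The following is an added example written for this article, not IBM or EMM code: the dictionary keys mirror the settings table but are an assumed naming, and the checks (https scheme, Server Type versus Server URL consistency, peak-window arithmetic, value ranges, a warning when a Password is distributed) are this editor's suggestions rather than an IBM-published schema.

```python
"""Sanity checks for an IBM Verse for Android app configuration before it is
pushed from the EMM console.

Added example, not IBM or EMM code. The dict keys mirror the settings table in
the article but are an assumed naming; the checks are the editor's suggestions,
not an IBM-published schema.
"""
from typing import Any, Dict, List
from urllib.parse import urlparse

ON_PREM = "My Company's Traveler Server"
CLOUD = "IBM Connections Cloud"
WEEKDAYS = {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}


def minutes_to_hhmm(minutes: int) -> str:
    """Peak start/end are minutes past midnight (480 -> 08:00, 1020 -> 17:00)."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def _minute_of_day(val: Any) -> bool:
    return isinstance(val, int) and 0 <= val <= 1439


def validate(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the configuration passed."""
    problems: List[str] = []

    server_type = cfg.get("server_type", ON_PREM)
    url = cfg.get("server_url")
    if server_type not in (ON_PREM, CLOUD):
        problems.append(f"unknown Server Type {server_type!r}")
    if url:
        # The table allows a bare hostname; treat it as https before parsing.
        parsed = urlparse(url if "://" in url else f"https://{url}")
        if parsed.scheme != "https":
            problems.append(f"Server URL {url!r} is not https: credentials and mail "
                            "would cross the network in the clear")
        elif not parsed.hostname:
            problems.append(f"Server URL {url!r} has no hostname")
    if server_type == ON_PREM and not url:
        problems.append("Server URL is required when Server Type is the company Traveler server")
    if server_type == CLOUD and url:
        problems.append("Server URL should be empty when Server Type is IBM Connections Cloud")

    if cfg.get("password"):
        problems.append("Password is set: every device receiving this configuration gets "
                        "the same credential; confirm this is intended")

    # Peak window: minutes past midnight, must end after it starts, weekday names only.
    start = cfg.get("peak_start_time", 480)
    end = cfg.get("peak_end_time", 1020)
    for label, val in (("Peak start time", start), ("Peak end time", end)):
        if not _minute_of_day(val):
            problems.append(f"{label} {val!r} is not a minute of the day (0-1439)")
    if _minute_of_day(start) and _minute_of_day(end) and start >= end:
        problems.append(f"Peak window {minutes_to_hhmm(start)}-{minutes_to_hhmm(end)} "
                        "must end after it starts")
    bad_days = set(cfg.get("peak_days", [])) - WEEKDAYS
    if bad_days:
        problems.append(f"unknown peak day(s): {sorted(bad_days)}")

    log_size = cfg.get("log_size_kb", 2000)
    if not isinstance(log_size, int) or log_size <= 0:
        problems.append(f"Log size {log_size!r} must be a positive number of KB")
    for key, label in (("auto_download_images_kb", "Auto download inline images up to"),
                       ("auto_download_attachments_kb", "Auto download attachments up to")):
        val = cfg.get(key, 0)
        if not isinstance(val, int) or val < 0:
            problems.append(f"{label} {val!r} must be a non-negative size")
    return problems


# Constructed sample: an on-premises configuration as an administrator might enter it.
ON_PREM_CONFIG = {
    "server_type": ON_PREM,
    "server_url": "https://traveler.example.com/traveler",   # assumed hostname
    "peak_days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
    "peak_start_time": 480,
    "peak_end_time": 1020,
    "log_size_kb": 2000,
}

# Constructed sample containing the mistakes the checks are meant to catch.
BROKEN_CONFIG = {
    "server_type": CLOUD,
    "server_url": "http://traveler.example.com/traveler",
    "password": "shared-secret",
    "peak_start_time": 1020,
    "peak_end_time": 480,
    "peak_days": ["Monday", "Funday"],
    "log_size_kb": 0,
}

if __name__ == "__main__":
    for name, cfg in (("on-prem", ON_PREM_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, "->", validate(cfg) or "OK")
```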
Data at Rest Security
When devices are configured for Android for Work, device encryption is required: a work profile cannot be created until encryption is enabled. Data at rest that is managed by applications in the work profile is therefore stored encrypted.
Remote App and Data Wipe
In an Android for Work environment there are situations in which the enterprise data associated with the Verse app must be wiped from a device: the device has been lost, it is no longer compliant with your security policies, or the user has left the company and should no longer have access to the data. In any of these cases the Android for Work administrator can choose to wipe just the Android for Work apps and data. This removes the work profile, every Android for Work app and all data associated with those apps; apps installed in the personal profile remain. The wipe of the work profile is performed from the EMM administration console used to manage your Android for Work environment.
Note: Even when the device is managed by Android for Work, the IBM Traveler server retains the ability to wipe Traveler data.
To grant IBM Verse access to a Traveler server deployed within a company intranet, the IBM Verse application must either be configured with the server URL of an edge proxy, such as IBM Mobile Connect, or use a per-app VPN. When a per-app VPN is used, the VPN application must be an approved Android for Work application and must be deployed within the work profile.
Preventing Data Leaks
Within the work profile, data can be copied and pasted between applications, since they have all been approved by the company's Android for Work administrator; copying data out of the work profile into personal applications is governed by the EMM's Android for Work restrictions. Similarly, screen capture is controlled through the EMM administration console for all applications managed within the work profile. Attachments and files can be shared with other applications within the work profile, because those applications are also approved and managed.
Starting with Android 7, app passcodes can be configured for the work profile so when an Android for Work application is launched, the passcode must be entered. This capability is dependent on your specific EMM provider support.
Updating the Android for Work enabled version of IBM Verse for Android on mobile devices
As with all Android for Work enabled applications, updates to the secure applications are managed through the Google Play for Work app store. If there are permission changes, the administrator (Google account binding the EMM to Android for Work) must review and accept the permissions for the upgrade to take place through the EMM.
Behavioral differences when using the Android for Work managed version of IBM Verse for Android
The Android for Work enabled version of the IBM Verse for Android application behaves differently in some areas when compared to the standard version. The differences are summarized here:
Server Security policies
In general, most IBM Verse for Android security policies are now managed through the Configuration settings of the app in the EMM administration console. Where a security policy is still set at the IBM Traveler server for Android devices but the same policy can be managed by Android for Work restrictions, the IBM Verse for Android application ignores the Traveler server setting unless the Traveler server has locked it; a locked server setting takes precedence and is enforced by the IBM Verse application. When Android for Work is used to manage IBM Verse, apply all configuration settings through the EMM administration console rather than through the Traveler server.
User interface changes
There are several changes to the user interface for this version of IBM Verse for Android:
- The managing agent identifier that is visible on the About screen will have the Android for Work badge (briefcase) applied.
- The IBM Verse application requests configuration from EMM to use in the initial configuration wizard.
- The Android Device Administrator for IBM Verse is no longer required.
- The user will be prevented from modifying the following configuration settings in the Verse configuration wizard when they are provided by the EMM app specific configuration:
- Server URL
- User ID
- The menu item 'Tools > Uninstall' has been removed. To uninstall IBM Verse, use the Android application manager accessed through Android Settings.
- The menu item 'Tools > Security' has been removed. All security compliance is managed by the EMM in this environment.