fighting for truth, justice, and a kick-butt lotus notes experience.

New iOS 12 MDM feature to control access to contacts by third-party apps

 14 August 2018 14:53:29
Starting with iOS 11.3 in the spring of this year Apple already created the possibility to control which third party apps (keyword: WhatsApp) can access the managed company contacts of the ActiveSync account via MDM restrictions.
This was done via the Managed OpenIn restrictions. These can be used to control whether an unmanaged app can access the content of a managed app or account.

See also my blog post: ios-11.3-update-regarding-contact-containisation.htm

Apple released an updated Configuration Profiles documentation yesterday, which contains two new restrictions, among other iOS 12 extensions, that allows additional control to access contacts, when Managed OpenIn restrictions are being set to false.


Optional. If set to true, managed apps can write contacts to unmanaged contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
A payload that sets this to true must be installed via MDM
Availability: Available only in iOS 12.0 and later.



Optional. Supervised only. If set to true, unmanaged apps can read from managed contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
A payload that sets this to true must be installed via MDM.
Availability: Available only in iOS 12.0 and later.


16. OpenUserGroup-Westfalen Stammtisch am 29.08.18 in Bielefeld

 7 August 2018 15:41:41
Bitte schon einmal Vormerken:

Image:16. OpenUserGroup-Westfalen Stammtisch am 29.08.18 in Bielefeld

Der 16. OpenUserGroup | Westfalen Stammtisch findet am Mittwoch, den 29.08.18 in Bielefeld statt.

Neben dem "networken" und der Diskussion aktueller Themen in gemütlicher Runde bei einem guten Essen und Kaltengetränken wird ein kurzer Impulsvortrag rund um die IBM und HCL Collaboration & Social Produktfamilie gehalten.

Start ist um 18:00 Uhr:

Aktuelle News aus der IBM und HCL Welt:

- Notes Domino v10 – New Features
- Domino Apps on iPad – HCL Nomad
- HCL Factory Tour und DNUG Review
- Gemeinsame Diskussion  

Weiter Details zum Stammtisch, der Lokation und der Agenda findet ihr hier: OpenUserGroup | Westfalen

Neue Mitglieder sind gerne Willkommen. Bitte einfach bei mir melden oder kurz das Kontaktformular ausfüllen: OpenUserGroup | Westfalen - Kontakt

PS: Wie immer:  Die Veranstaltung selbst ist Kostenfrei - Die verzehrten Speisen und Getränke zahlt jeder Teilnehmer aber selbst.

midpoints LE4D 2.0 – some hints

 30 März 2018 12:31:29
On March, 28th, we released Let's Encrypt 4 Domino aka LE4D . If you are running LE4D v1.x, you must update to v2.0.

Certificate renewal will no longer work with v1.x because of some changes Let's Encrypt made on their Let’s Encrypt API endpoint.

If you are new to Let's Encrypt 4 Domino  you can get it here:

Here are some additional hints to get v2.0 working:

Settings documents are disabled after design update to v2.0

In v2.0, we added a new feature to toggle the status of setings documents.

Image:midpoints LE4D 2.0 – some hints

All new settings are disabled by default. You have to enable them prior to run the agent.

Error: No trusted certificates found

You might see the following error message on the Domino console:
29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: No trusted certificate found

29.03.2018 08:21:39   Agent Manager: Agent  error:         at

This happens most likely after you have applied a Domino FP or HF. In all cases we have seen, the cacerts is replaced with the default cacerts during FP/ HF install.

To fix this problem, you have to import the needed certificates again.

The certificates can be found here

You should import the ISRG Root X1 CA and the two Intermediate certs:

ISRG Root X1 (self-signed)

    ◦        Let’s Encrypt Authority X3 (IdenTrust cross-signed)

    ◦        Let’s Encrypt Authority X3 (Signed by ISRG Root X1)

An “HowTo” about importing the certs can be found here:

Error: Order’s status (“invalid”) was not pending

You might see the following error message on the Domino console:
28/03/2018 22:51:58   Agent Manager: Agent  error:         at Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending

28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal.
To do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 enabled or forward port 80 to 443, then the challenge will fail and you will see the error message.

Just for clarification. Port 80 is only needed for the first time challenge validation after the upgrade to LE4D v2.0. It is also needed, when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.

Announcing - Lets Encrypt for Domino v2.0 - Just Do SSL

 28 März 2018 18:07:34
We are pleased to announce today the new version 2.0 of Let's Encrypt 4 Domino aka LE4D

Image:Announcing - Lets Encrypt for Domino v2.0 - Just Do SSL


If you are already using LE4D, be sure to update to the new version 2.0.  
Starting March, 16th, the renewal of certificates generated with version 1.0 is longer possible due to a changes Let's Encrypt made to their CA-API-infrastructure.

What is new in LE4D 2.0

LE4D 2.0 uses the ACME v2 protocol, based on Java 8, and is supported on Domino 9.0.1 FP8 + on Windows & Linux.
The complete code is now contained in a single Java agent.  
The internal communication between the agent and the XPage in LE4D 1.0, which controlled the certificate generation and renewal, is therefore eliminated.

The support for wildcard certificates is not included in this version, but will be available in the next few weeks.  

How to upgrade to LE4D 2.0

Already existing LE4D users should already received an email from me with the new version.

To upgrade an existing installation simply replace the design of your LE4D application with the new template.
You can delete the data in the LE4D workdir. The data does no longer work with the new ACME v2 protocol.

LE4D has been tested on Domino 9.0.1 FP8, FP9 and FP10 on both, Windows and Linux. There are no known issues.

For further information on how to do a first time setup refer to the documentation. The documentation is part of the zip package.

I made an additional blog post regarding possible issues and how to solve them: midpoints LE4D 2.0 Some Hints

If you have any feedback or suggestion, pls. let us know.

Let' Encrypt !

Saying Goodby to Facebook

 20 März 2018 14:27:27
Facebook is using us.
It is actively giving away our information. It is creating an echo chamber in the name of connection. It surfaces the divisive and destroys the real reason we began using social media in the first place – human connection.

It is a cancer.


I have had a Facebook account since 2009, but I never used it much. I never used WhatsApp.
I have always been sceptical about the company Facebook and did not want to let a company like Facebook participate in my business and especially my private life.
Facebook (Facebook, Messenger, Instagram and WhatsApp) lives off the data and sells the data that I and my "friends" feed it with.

Facebook probably knows more about each user than any other service, agency or organization. Probably more about the user himself than close real persons.  
Facebook knows your habits, where you live, your social environment, with whom you communicate how often, what you like, which websites you visit,...

If you still think after the current events, what is Facebook supposed to do with my last holiday selfie, is naive. Facebook actively uses the data and passes it on to third parties. What can be done with this data is being drastically demonstrated to us.

Today I made the long overdue decision for myself to delete the content as much as I can, clean up my profile and put the account into sleep mode.
You can still find me there, but I will no longer actively "play" there.

If you want to connect with me, you can find me here:

Twitter, Xing, LinkedIn and IBM Watson Workspace

Or just by phone or mail.

New IBM Notes Client Slipstream for macOS High Sierra

 15 März 2018 20:52:13
This week IBM released a new install package of the IBM Notes Client for macOS 10.10.13 aka High Sierra.

Notes 9.0.1 64-bit was released in 2015 and then revised on 9 March 2018 to address an OS X 10.13 install issue.

You can download the client via IBM Passport Advantage. Just search for the Part Number:
Passport Advantage 
Part Number
IBM NOTES 9.0.1 MAC 64 BIT English CNQY7EN  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Simplified Chinese and Traditional Chinese CNQY8ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Japanese and Korean  CNQY9ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT French, Brazilian Portuguese and Spanish CNQZ0ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Italian and German CNQZ1ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Danish and Dutch CNQZ2ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Finnish, Norwegian and Swedish CNQZ3ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Polish and Russian CNQZ4ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Portuguese and Turkish CNQZ5ML  Revised 3/9/2018

After installing the new client you should install the latest Interims Fix( IF14 or greater ) on top.

Let’s Encrypt now supports Wildcard Certificates and LE4D will support it too

 13 März 2018 18:32:57
 Today Let's Encrypt starts to issue official wildcard certificates for free.

Image:Let’s Encrypt now supports Wildcard Certificates and LE4D will support it too

We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.

Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.

Wildcard certificates are only available via ACMEv2. In order to use ACMEv2 for wildcard or non-wildcard certificates you’ll need a client that has been updated to support ACMEv2. It is our intent to transition all clients and subscribers to ACMEv2, though we have not set an end-of-life date for our ACMEv1 API yet.
Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

via Let's Encrypt Community announcement

We already extended our existing midpoints Let's Encrypt 4 Domino (LE4D) client to support the ACMEv2 API.

The plan is to release midpoints Let's Encrypt 4 Domino v2 in the next few weeks, after we will have finished some final tests.

So yes - LE4D v2 will support wildcard certificates!

But you should have one already in mind. To use wildcard certificates - ACMEv2 will do the validation using a DNS-01 challenge. That will require to add a DNS TXT record to your public DNS zone.
A fully automatic solution will not work with all used DNS servers.

But we will explain this in more detail, when we will release LE4D v2. Stay tuned

IBM Traveler available

 7 März 2018 22:53:07
Today IBM released a new Traveler version called (Build: 201803022309_20).

Image:IBM Traveler available

IBM Traveler is a maintenance release that provides APAR fixes for the IBM Traveler server.

IBM Traveler includes a database schema update for MS SQL Server deployments.
It is only necessary to run verifyIndexes.sql to update the schema to latest level. Otherwise no action is required unless upgrading from a version prior to If you use auto schema updates (default behavior) there is no action required.

APAR # Abstract
LO93281 Modify an encrypted event from mobile device may corrupt event body.
LO93380 Support 32 bit Domino 9.0.1 Server.
LO93412 One index may cause performance problems on MS SQL Server.
LO93440 Incorrect default ACL for R6MemoMap.nsf
LO93455 Incorrect error code used for network error.
LO93466 Set $RFSaveInfo field on Reply/Forward from mobile device.
LO93491 Name used for time zone on mobile device does not match value used by Notes Client.
LO93522 Improve handling of very small in-line mime images.
LO93529 Web Administrator interface may show Verse for iOS device as not supporting data wipe.
LO93547 Not authorized message logged during network outage.
LO93596 Device may be missing e-mail if user has another device with a smaller filter window.
LO93599 Handle unexpected list format in notes.ini file.
LO93645 Event may not show on user's device when user was removed then re-invited to the event.
LO93660 Yellow status message displayed for Replicas table missing a Primary Key.
LO93663 Mail in sent folder may be missing content when configured to save with no attachments.
LO93706 Add NTS_JAVA_PARMS_EXT notes.ini parameter to allow for values larger than 256 characters.
LO93709 Attachment with DBCS characters in the file name may not display on mobile device.
LO93720 Update APNS Certificates, new expiration data March 30,2019.

You can download the update as usual on IBM FixCentral.

An IBM Traveler full installation package will be available by March 16, 2018 on Passport Advantage.

iOS 11.3 Contact Containerization - It simply works

 5 März 2018 17:54:11
Last month I published a blog post regarding the new iOS 11.3 Enterprise features. I received a few questions regarding the Contact Containerization:

Second new feature: Contact Containerization

Prevent contacts in managed accounts, like your IBM Traveler mail account, from being used in unmanaged apps like WhatsApp or other accounts.
Contacts now obey existing managed data restrictions.

That will be a huge improvement. Contacts will then finally be part of the managed / unmanaged definition and handling on the device.
You can use the native Apple Mail, Calendar and Contacts app and the unmanaged WhatsApp App for example will not be able to get access to your synced contacts via your managed ActiveSync (Traveler or Exchange) account.

There is no new iOS 11.3 restriction for Contacts in the Configuration Documentation from Apple mentioned. But starting with iOS 11.3 the Contacts will be part of the already existing Managed-Open-In restriction.
As a result you should already be able to test it by your own by using your existing MDM solution and a device already upgraded to iOS 11.3 Beta.

Image:iOS 11.3 Contact Containerization - It simply works

I made same tests this week with the current iOS 11.3 BETA and it works great. I did the tests with our own MDM solution mobile.profiler v7.0, which we released in October 2017.

I installed a managed ActiveSync mail account via MDM. The mail account had only 2 contact entries.

I used the myContacts Backup third party app for testing. When starting the app for the first time, it asks for permissions to access the contacts stored in the Apple native Contacts app.

During the test I installed the app first manually and opened the app. Without any restrictions enforced by the MDM the third party app can access my two contact entries from my ActiveSync account:

Image:iOS 11.3 Contact Containerization - It simply works

Then I pushed a set of restrictions via MDM to the device and enabled the Managed-Open-In control of iOS:

Image:iOS 11.3 Contact Containerization - It simply works

As a result the third party app no longer could access the contacts of my managed ActiveSync account.

After that I deleted the app on the device and pushed & installed the app via MDM as managed.

Image:iOS 11.3 Contact Containerization - It simply works
As a result the now managed third party app can access the contacts of my ActiveSync account.

To sum it up briefly:

With iOS 11.3, Apple finally offers the possibility to control access to contacts of company mail accounts using the native Apple Mail App via Managed Open-In restrictions.

In this way, the native iOS MDM interface can be used, for example, to prevent WhatsApp from accessing the company contacts of the managed ActiveSync account.

Apple Watch durchgespielt #dontbreakthechain

 2 Februar 2018 22:21:01
1.000 Move Goal done!!!

Image:Apple Watch durchgespielt #dontbreakthechain

Sieht so aus als hätte ich die Apple Watch durchgespielt ;-)

Image:Apple Watch durchgespielt #dontbreakthechain


Vielen Dank an vowe für's motivieren!