BlackBerryForums.com : Your Number One BlackBerry Community      

  (#1 (permalink)) Old
lizzievan Offline
New Member
 
Posts: 1
Join Date: Jul 2008
Model: 8700
PIN: N/A
Carrier: att
Default BES has still access on Outlook accounts despite PW changes - 07-23-2008, 06:28 AM

Hi, I am not a BES expert.
Basically I have to deal with an ordinary BES architecture (BES talks to MS Exchange Server).

Now I did some tests and I am a bit confused about the results.

Basically there are 10 people with Blackberry devices, each one has an Exchange/Outlook Mail account.
Everything works fine - the Blackberry Push service delivers all emails instantly to the Blackberry device.

Now, every Outlook account is of course password-protected. I assume BES needs this password to access the Exchange account. OK?
Something really strange is happening now. The password was changed by Exchange Server admin. The admin did not change anything in the BES settings, so BES basically should not know about the new password.

However, BES still sends new emails to the Blackberry device, even though the Exchange Server account password was changed. BES should actually not be able to access the Exchange account.

Have you heard about this phenomenon?
Or am I just not well-informed? If so, why?
I have just read that Outlook/Exchange automatically redirects all incoming mails to BES? So this mechanism probably has to be deactivated? Yes, No?

Our Mobile Carrier is Vodafone DE. Yes, we are talking about Enterprise Blackberrys (not the Prosumer version).

Last edited by lizzievan : 07-23-2008 at 06:42 AM.
   

  (#2 (permalink)) Old
jkupski Offline
New Member
 
Posts: 3
Join Date: Nov 2007
Model: 8830
PIN: N/A
Carrier: VZW
Default 07-23-2008, 06:45 AM

The password has nothing to do with it... the BESAdmin account has rights to the user's mailbox.
   
  (#3 (permalink)) Old
gibson_hg Offline
CrackBerry Addict
 
Posts: 790
Join Date: Dec 2007
Model: NA
PIN: 80081ES
Carrier: NA
Default 07-23-2008, 07:44 AM

Welcome to the forums lizzievan!

Here is an overview of how message flow works:

1. Email arrives on Exchange
2. Exchange sends a UDP packet to the BES to notify of new mail
3. BES uses MAPI and permissions to access the Exchange Server and that user's mailbox
4. BES checks Global and Client side rules/filters
5. Message encrypted and compressed and sent to the RIM network
6. RIM network checks where the PIN of the BB was last active and the message is sent to that area/cell tower
7. Message is delivered to the BB where it is decompressed and decrypted

At no point will a user's password affect the BESAdmin's access to a user's mailbox, it's all based off of permissions.

Hope that clarifies things for you a little more.
   
  (#4 (permalink)) Old
Spydertech Offline
Knows Where the Search Button Is
 
Posts: 42
Join Date: Nov 2006
Model: 8310
Carrier: AT&T
Default 07-23-2008, 02:43 PM

Just as has been told.
The issue with this is that you can disable and change the password on a user account in Active Directory, and they can still use the Blackberry to send and receive email.

You need to be sure to go into the BES when you terminate a user account and perform at least one of the following:

Wipe Handheld - watch status to be sure it is sent and received before performing the rest.
Disable Redirection.
Delete the account.

You MUST wipe the handheld if you are a publicly traded company. (SOX Compliance)

Otherwise any one of the above will prevent them from accessing the email account.

There are many ways to accomplish the same goal, but gone are the days when you can just change a user's Active Directory password and think they can no longer gain access.

Spydertech
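
One way to audit for the gap described in this thread, as an added example that is not part of the original posts: cross-check an export of Active Directory account status against an export of BES users, and flag anyone who is disabled or missing in AD but still has redirection on (or, optionally, no acknowledged wipe). The CSV layouts, column names and sample rows are constructed assumptions, not a real AD or BES export format.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions for this example.
AD_EXPORT = """email,enabled
asmith@example.com,True
bjones@example.com,False
cdoe@example.com,False
fhall@example.com,False
"""

BES_EXPORT = """email,redirection_enabled,wipe_acknowledged
asmith@example.com,True,False
bjones@example.com,True,False
cdoe@example.com,False,True
egray@example.com,True,False
fhall@example.com,False,False
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _flag(value):
    return value.strip().lower() == "true"

def find_stale_bes_access(ad_csv, bes_csv, require_wipe=False):
    """Return (email, reason) for BES users whose AD account is disabled or gone."""
    ad_enabled = {r["email"].lower(): _flag(r["enabled"]) for r in _rows(ad_csv)}
    findings = []
    for row in _rows(bes_csv):
        email = row["email"].lower()
        if ad_enabled.get(email) is True:
            continue  # active employee, BES access is expected
        state = "AD account disabled" if email in ad_enabled else "no matching AD account"
        if _flag(row["redirection_enabled"]):
            # A password change or AD disable does not stop BES pushing mail.
            findings.append((email, f"{state}: redirection still on"))
        elif require_wipe and not _flag(row["wipe_acknowledged"]):
            # For organisations that must wipe, redirection off is not enough.
            findings.append((email, f"{state}: wipe not acknowledged"))
    return findings

if __name__ == "__main__":
    for email, reason in find_stale_bes_access(AD_EXPORT, BES_EXPORT, require_wipe=True):
        print(f"{email}: {reason}")
```
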
   