BlackBerry Forums Support Community               

Closed Thread
 
Old 05-14-2009, 01:48 PM   #1 (permalink)
Thumbs Must Hurt
 
RJeffDay's Avatar
 
Join Date: May 2009
Model: 8330
PIN: N/A
Carrier: Verizon - United States
Posts: 73
Post Thanks: 0
Thanked 0 Times in 0 Posts
Question User Terminations


RUNNING: BES Version 4.1.4 (Bundle 24) working with Lotus Notes.

SUBJECT: User Terminations

When it comes time for an employee with a BB Device to separate from the company, it is standard procedure to place them in the Active Directory ‘Deny Access’ users group. This denies them access to all system resources such as their email and databases. (I know... It's pretty much SOP for all companies)

We have noticed however, that the user can still receive email via their BB device from our Lotus Notes server even though their user ID is in the ‘Deny Access’ folder.

Does anyone know how to resolve this issue or tell me why it happens?

Thank you.
Offline  
Old 05-14-2009, 02:03 PM   #2 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

You don't wipe the user's handheld when they're terminated?
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 05-14-2009, 02:38 PM   #3 (permalink)
Thumbs Must Hurt
 
RJeffDay's Avatar
 
Join Date: May 2009
Model: 8330
PIN: N/A
Carrier: Verizon - United States
Posts: 73
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by penguin3107 View Post
You don't wipe the user's handheld when they're terminated?
We are still in the process of developing our procedure because many of these users are using personal devices on our corporate network.

Our consideration is that we do not want to perform a 'wipe and disable' if an individual has a personal device while driving/flying back from a business trip. We're not quite sure what the legal ramifications might be.

That brings up another question: What does a 'Wipe and Disable' actually do to the device? I know it wipes the data, but does it then render the phone useless?

What is the procedure at your company?
Offline  
Old 05-14-2009, 02:44 PM   #4 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by RJeffDay View Post
What is the procedure at your company?
We don't allow personal devices to be activated on our BES. No exceptions.

User gets terminated... device gets security wiped.
Once wipe is completed, service on that wireless number is suspended at the carrier level.

Erase & Disable Handheld deletes all user data from the handheld and essentially breaks the connection to BES. It doesn't actually "disable" the device in any way. You're disabling the BES activation.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 05-14-2009, 02:47 PM   #5 (permalink)
New Member
 
jsconyers's Avatar
 
Join Date: Jul 2007
Location: In a van down by the river.
Model: NOTE2
OS: 4.1
PIN: <- Where do I find this?
Carrier: Sprint
Posts: 15,069
Post Thanks: 138
Thanked 139 Times in 120 Posts
Default

There are a couple of good threads about allowing personal devices on your BES

Allow employees to purchase their own BlackBerries?

Company vs User Owned Devices
__________________
The difference between stupidity and genius is that genius has its limits.
When you take things for granted, the things you are granted, get taken.
Even a mosquito doesn't get a pat on the back until it starts to work.
Too many people miss the silver lining because they're expecting gold.
[BES 5.0.3 / GroupWise 2012 HP2]
Online  
Old 05-14-2009, 06:54 PM   #6 (permalink)
CrackBerry Addict
 
Join Date: Jan 2008
Model: 9700
PIN: N/A
Carrier: Rogers
Posts: 709
Post Thanks: 0
Thanked 8 Times in 8 Posts
Default

Damn, getting canned in mid-air would suck.
Offline  
Old 05-15-2009, 08:06 AM   #7 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2009
Model: 8330
PIN: N/A
Carrier: VZW
Posts: 122
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Push an empty IT Policy, then Erase Data and Disable Handheld.
Offline  
Old 05-15-2009, 09:13 AM   #8 (permalink)
Talking BlackBerry Encyclopedia
 
DavidAdams's Avatar
 
Join Date: Sep 2007
Location: Belfast
Model: NotYe
PIN: N/A
Carrier: O2
Posts: 470
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default

If you just want to stop the device being used until it returns to base why not just set a new password?
__________________
BES, 4.1.7, was SBE now full BES
Domino v7.0.2
Windows Server 2003, standalone
Offline  
Old 05-15-2009, 09:21 AM   #9 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by DavidAdams View Post
If you just want to stop the device being used until it returns to base why not just set a new password?
Because it's probably not being returned. It's a personally owned device as per the OP.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 05-15-2009, 09:57 AM   #10 (permalink)
Talking BlackBerry Encyclopedia
 
DavidAdams's Avatar
 
Join Date: Sep 2007
Location: Belfast
Model: NotYe
PIN: N/A
Carrier: O2
Posts: 470
Post Thanks: 2
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by penguin3107 View Post
Because it's probably not being returned. It's a personally owned device as per the OP.
I was thinking this would stop its use until the owner gets back and can discuss wiping/removing personal stuff first.
__________________
BES, 4.1.7, was SBE now full BES
Domino v7.0.2
Windows Server 2003, standalone
Offline  
Old 05-15-2009, 10:00 AM   #11 (permalink)
Knows Where the Search Button Is
 
Join Date: Sep 2005
Location: Sacramento, Ca
Model: 8700
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Wouldn't removing the user from the BES work as a solution? They keep their handheld but get nothing from the BES?
Offline  
Old 05-15-2009, 10:02 AM   #12 (permalink)
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default

Quote:
Originally Posted by swinter View Post
Wouldn't removing the user from the BES work as a solution? They keep their handheld but get nothing from the BES?
But then they also keep the associated IT Policy and whatever company data is already on the device.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 05-15-2009, 10:59 AM   #13 (permalink)
Thumbs Must Hurt
 
Pinjo's Avatar
 
Join Date: Feb 2008
Location: Ohio
Model: 8330
OS: OSX
Carrier: Verizon
Posts: 149
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

While you are flexible by allowing them access to your service, you need to review the stipulations of providing them such access. Remember, it is not their right to connect to your company BES. It's a balance of allowing them to be productive on their own "time and dime" (I'm thinking of trademarking this), but protecting the company. You really should look at changing your policy to make users aware of your rights and their rights when connecting to a company BES.

Our policy states that it is their responsibility to backup and maintain their personal data on their device (apps, pictures, email, etc.). We also make them aware of the process if they are to be separated from the company. They sign and understand this policy as a stipulation of connecting to our BES.
Offline  
Old 05-15-2009, 01:10 PM   #14 (permalink)
BBF War Game Mod
 
Jadey's Avatar
 
Join Date: Oct 2006
Location: Denver CO
Model: Z10
OS: 10010614
PIN: SEEKRIT innit
Carrier: AT&T
Posts: 4,294
Post Thanks: 9
Thanked 29 Times in 23 Posts
Default

Quote:
Originally Posted by RJeffDay View Post
it is standard procedure to place them in the Active Directory ‘Deny Access’ users group. This denies them access to all system resources such as their email and databases. (I know... It's pretty much SOP for all companies)

We have noticed however, that the user can still receive email via their BB device from our Lotus Notes server even though their user ID is in the ‘Deny Access’ folder.

Does anyone know how to resolve this issue or tell me why it happens?

Thank you.
Slightly confused. Access lockout in Domino is in the Domino Directory deny access group section. Do you have your Domino Directory integrated with Active Directory? That might explain why you mention AD for a Domino lockout.

Either way, that is not so important. The reason it doesn't stop mail to BB is because BES does not retrieve user mail using the user's Domino ID. It uses the Server ID of the Domino Server hosting that user's BES. As you are not locking out the server ID (BAD IDEA, do not lock out server ID, will stop BES working for all users on that Domino BES instance) it will continue to run.

All that locking out an individual user notes ID will do is stop THAT particular ID accessing the domino servers. It will not stop a different ID (Domino server) with access to the user mailfile from accessing that mailfile. Thus the BES server will just keep on going.
__________________
Jadey : Groupware Infrastructure Architect, Denver CO
If I'm not here, I'm playing World's End on FaceBook. Mob/Mafia Wars are SOO last year

Last edited by Jadey : 05-15-2009 at 01:21 PM.
Offline  
Old 05-15-2009, 01:12 PM   #15 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

I so wish I was notified of terminations. I usually find out a couple of weeks after the person has left the company. *sigh*
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 05-15-2009, 01:19 PM   #16 (permalink)
BBF War Game Mod
 
Jadey's Avatar
 
Join Date: Oct 2006
Location: Denver CO
Model: Z10
OS: 10010614
PIN: SEEKRIT innit
Carrier: AT&T
Posts: 4,294
Post Thanks: 9
Thanked 29 Times in 23 Posts
Default

Quote:
Originally Posted by RJeffDay View Post

Does anyone know how to resolve this issue

Okey dokey. I am assuming that we CAN'T take the following options:

a) Set password and lock device = would stop user being able to use BB AT ALL until they come back to you. Probably not acceptable if personal device on your BES.

b) Erase data and disable handheld - you have ruled this out

c) Deleting user from BES - personally I see no issue with this. It would stop the corporate email updating etc. When the user is back, backup handheld (delete all BES service books first and/or disable wireless rec to allow proper backup), wipe it preferably with factory reset to shift off policy, restore personal user data.

If you still can't do any of those and need to leave the user on the BES server but not active, then just disable wireless PIM synch of company data (address book, memos, etc) and in user account on BES set redirection > message forwarding > redirect to blackberry device to FALSE for that user and set filters > forward messages to blackberry device to FALSE.

I *think* in that case the user might be able to send corp email from BB, but not receive. You'd still have the task of clearing corp data off of BB when you get it, but in the interim it would stop any NEW corp data ending up on BB.
__________________
Jadey : Groupware Infrastructure Architect, Denver CO
If I'm not here, I'm playing World's End on FaceBook. Mob/Mafia Wars are SOO last year
Offline  
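
Added example, not part of any post in this thread: an offboarding audit that cross-checks deny-group membership against per-device BES state, reporting the exposures discussed above that a deny-access entry alone leaves open (mail still redirected because BES reads the mail file under the server ID, PIM sync, and data left on an unwiped handheld). The record fields and sample data are constructed and hypothetical; they are not a BES or Domino export format.

```python
# Added example: constructed records with hypothetical field names
# (not a BES or Domino export format).
from dataclasses import dataclass

@dataclass
class Device:
    user: str
    on_bes: bool               # account still present on the BES
    redirect_to_device: bool   # "redirect to blackberry device" setting
    forward_filter: bool       # "forward messages to blackberry device" filter
    wireless_pim_sync: bool    # wireless PIM sync of address book, memos, etc.
    wiped: bool                # Erase Data and Disable Handheld completed

def audit(deny_access, devices):
    """Map each deny-listed user to the exposures the deny group did not close."""
    report = {}
    for d in devices:
        if d.user not in deny_access or d.wiped:
            continue  # still employed, or nothing corporate left on the handheld
        findings = []
        if d.on_bes and (d.redirect_to_device or d.forward_filter):
            findings.append("NEW_MAIL")    # BES reads the mail file under the server ID
        if d.on_bes and d.wireless_pim_sync:
            findings.append("PIM_SYNC")
        findings.append("RESIDUAL_DATA")   # IT policy and existing data stay until wiped
        report[d.user] = findings
    return report

DENY_ACCESS = {"alice", "bob", "carol", "dave"}  # constructed group membership
DEVICES = [
    Device("alice", True,  True,  True,  True,  False),  # only deny-listed
    Device("bob",   True,  False, False, False, False),  # redirection and PIM sync off
    Device("carol", False, False, False, False, False),  # deleted from BES, not wiped
    Device("dave",  False, False, False, False, True),   # wiped
    Device("erin",  True,  True,  True,  True,  False),  # active employee
]

if __name__ == "__main__":
    for user, findings in audit(DENY_ACCESS, DEVICES).items():
        print(f"{user}: {', '.join(findings)}")
```
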
Old 05-15-2009, 01:21 PM   #17 (permalink)
CrackBerry Addict
 
Join Date: Jan 2008
Model: 9700
PIN: N/A
Carrier: Rogers
Posts: 709
Post Thanks: 0
Thanked 8 Times in 8 Posts
Default

Quote:
Originally Posted by juwaack68 View Post
I so wish I was notified of terminations. I usually find out a couple of weeks after the person has left the company. *sigh*
Can I take a guess at when you find out about new employees too?
Offline  
Old 05-16-2009, 10:01 AM   #18 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

Wirelessly posted (My blond BlackBerry)

Quote:
Originally Posted by TargetIT
Quote:
Originally Posted by juwaack68 View Post
I so wish I was notified of terminations. I usually find out a couple of weeks after the person has left the company. *sigh*
Can I take a guess at when you find out about new employees too?
Rarely since the Helpdesk does all the new BlackBerry user deployments.
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 05-16-2009, 10:34 AM   #19 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts
Default

Quote:
Originally Posted by Jadey View Post

a) Set password and lock device = would stop user being able to use BB AT ALL until they come back to you. Probably not acceptable if personal device on your BES.
This option doesn't work too well. If the device is locked it will prompt the user to accept the new password. I haven't found a policy to not prompt the user to accept.
__________________
Exchange 2007/BES 5.0.2 MR2
Offline  
Old 05-16-2009, 10:37 AM   #20 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts
Default

Quote:
Originally Posted by RJeffDay View Post
We have noticed however, that the user can still receive email via their BB device from our Lotus Notes server even though their user ID is in the ‘Deny Access’ folder.
This is because BES has access to the mail file. Best is to either remove the user from BES or disable redirection.
__________________
Exchange 2007/BES 5.0.2 MR2
Offline  
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.