BlackBerry Forums Support Community               

Closed Thread
 
Old 08-06-2010, 11:11 AM   #1 (permalink)
New Member
 
Join Date: Aug 2010
Location: Los Angeles
Model: 9850
PIN: N/A
Carrier: Sprint
Posts: 6
Post Thanks: 0
Thanked 0 Times in 0 Posts
Question default IT policy best practices


Hi, I am a new BES admin who has inherited a system, and I would like to change some info in our default policy (like password requirements and attempts before the device will wipe itself, etc.). I do know how to do this and have created a test policy that works exactly how I want it to, but have come across a dilemma.
Everyone says it is best practice not to make any changes to the default IT policy and to apply a policy to a group. What I would like to know is why? If I am only planning on having limited changes that I would like to be default for all devices on our network, it seems to me that it would be best to use the default, as I want to ensure these policy settings are applied to all devices that connect to our servers. If I were to change the default, I would also make a backup of it first.
I’ve been searching around the web trying to find an explanation to this question but have had a hard time finding it. Typical answers are “it's best practice to”, but there never seems to be a why.

Sorry, a little long-winded.

Any info would be greatly appreciated.
Offline  
Old 08-06-2010, 11:39 AM   #2 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2009
Location: Ft. Bragg
Model: 9000
OS: 4.6.0.304
PIN: N/A
Carrier: ATT
Posts: 67
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

My opinion on it -

At this point in time it is "Your" server, and you can do what you please, set it up how you want, configure it the way that helps you. HOWEVER, think if the admin before you changed everything in the default policy. That wouldn't be that hard to go back and change, but it is time-consuming and annoying, when it takes little to no effort to just copy the default one and then make your changes.

What BES version are you running? Groups changed a lot between 4.1 and 5.0, and they also added child groups and Roles. I imagine the responses you will get about groups will vary depending on your version.
Offline  
Old 08-06-2010, 12:09 PM   #3 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

Moved to BES Admin forum.

Different BES Admins have different thoughts on this, and after discussing with some I made a copy of the Default policy and called it 'Blank'. I then made the Default Policy very restrictive and have it populate the Owner field with "Your device has the wrong IT Policy - please contact the Helpdesk to have it changed to the correct policy".

Why? Because we have a Helpdesk of 18 different people who add/remove users and assign policies. They forget to change the policy from the Default when setting up new users, and that used to mean that people 'got away with' not having any security on their devices. Therefore they now get an even more restrictive policy, and call to get the less restrictive one.

I'd rather someone have too much security than not enough.
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 08-06-2010, 12:28 PM   #4 (permalink)
New Member
 
Join Date: Aug 2010
Location: Los Angeles
Model: 9850
PIN: N/A
Carrier: Sprint
Posts: 6
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks for the move (I must have missed the Admin Forum).
To add, I am running 5.01 MR3 currently but will probably update to 5.02 in production within the next few months (currently running on a test environment).
I would like to use grouping to do this, as looking down the road from a manageability standpoint it makes sense, but it also makes sense to ensure ALL users attached get the policy (it is just a slightly altered basic password policy). My boss posed the question of why not just edit the default policy, and the problem I have is both sides make sense.

We have about 2000 users and there are about 10-15 help desk people with rights to add/remove and a few other basic options. I do have some concern about making sure all users are in groups, as people may be busy and miss adding them, but it is easy enough to pull info regularly (say on a weekly basis) of people not on the right policy, or assign someone to do so and then properly group them.
Offline  
Old 09-03-2010, 06:54 AM   #5 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2009
Location: Ft. Bragg
Model: 9000
OS: 4.6.0.304
PIN: N/A
Carrier: ATT
Posts: 67
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I like that idea of restricting the default policy. I have that problem sometimes that I will find a few users still in the default policy with no group... I just shake my head wondering "What is so hard about just adding the user to a group".
Offline  
Old 09-03-2010, 08:03 AM   #6 (permalink)
Talking BlackBerry Encyclopedia
 
cyclmpc's Avatar
 
Join Date: Nov 2008
Location: DC
Model: 9800
OS: 6.0.0.141
PIN: N/A
Carrier: ATT
Posts: 217
Post Thanks: 2
Thanked 2 Times in 2 Posts
Default

Skeptik

It will depend on your environment. As you say, it isn't too hard to go through your users to list and see who has the correct policy applied to them. It seems in your case, having a user with the incorrect policy is not too big a deal. You just change them.

In my case, I'm not prepared to put my tail on the line because a Help Desk person did not live up to their duties. I can not go to my management and say, "sorry, the user got the wrong policy because the Help Desk did not do their job". It is just an excuse. I do not worry about things that I cannot control, but for the things I can control, I sure get upset when I do not do the things in my power to prevent it from happening.

It's just a way to look at things. As juwaack68 said, I also prefer to sit on the side of too much vs. not enough.
__________________
I'm actually lost...
Offline  
Old 09-03-2010, 08:05 AM   #7 (permalink)
Thumbs Must Hurt
 
Join Date: Dec 2005
Model: 9330
Carrier: Verizon
Posts: 75
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

OK - going to chime in on this one...
So, we enforce a password policy at my firm. And, there were instances where BES admins were forgetting to apply the password policy when activating users..
Finally I was like, forget this... and I applied the password policy to the default.
Now, I know this isn't BEST PRACTICES... but now, it can't be forgotten..
I sleep better, and all is right in the world...
__________________
BES: 5.0.2, SQL 2005 (remote)/ WIN2K8,R2 / EXCHANGE 2010, RTM+RU4
Offline  
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.