BlackBerry Forums Support Community               

Old 04-01-2011, 09:42 AM   #1 (permalink)
New Member
 
Join Date: Apr 2011
Model: N/A
PIN: N/A
Carrier: Several
Posts: 4
Post Thanks: 0
Thanked 1 Time in 1 Post
Question Former employee can still access corporate mail via BlackBerry?

Blackberry and BES noob here… I hope you can help.

Am I correct in saying that (deep breath): If “Joe” keeps his (BES-activated) BlackBerry when he leaves the organization and neither his BES account nor Exchange mailbox are suspended/removed, he retains access to corporate mail, even if his Active Directory account is disabled and the corporate SIM is replaced with a personal SIM (with BlackBerry data plan)?

If so,
  • Where can I find this documented (by BlackBerry or a highly-credible source) in plain, non-technical terms (so that I can convince management to spend money to close the gap), and
  • How does your organization manage this risk?

Assume for the sake of discussion that:
  • Joe owns his BlackBerry so we can’t force him to give it back
  • We won’t prevent employees from using personal handsets to access corporate mail while they’re employed

It seems we need to improve our BES account management processes, preferably by integrating the BES with our corporate identity management system. However, if there are any simple solutions out there (e.g. force BES to check if Active Directory account is enabled before allowing access), please let me know. We manage AD account suspension fairly well – it’s just the BES accounts that fall through the gap.

Many thanks for your help.

Lunk
Old 04-01-2011, 10:16 AM   #2 (permalink)
New Member
 
Join Date: Jul 2007
Location: In a van down by the river.
Model: NOTE2
OS: 4.1
PIN: <- Where do I find this?
Carrier: Sprint
Posts: 15,071
Post Thanks: 139
Thanked 140 Times in 121 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Why don't you delete the user from the BES? At that point he will no longer receive anything on the device.

There are plenty of threads around that discuss personal devices on a corporate server. Many times, the company has the user sign a waiver of sorts stating that upon resignation/termination the company has the right to wipe the device. In BES 5.0.3 (when released) it will only wipe the corporate data, not the personal.

Also, if the personal SIM is only provisioned for BIS access and not BES, the user wouldn't get email from the BES.
__________________
The difference between stupidity and genius is that genius has its limits.
When you take things for granted, the things you are granted, get taken.
Even a mosquito doesn't get a pat on the back until it starts to work.
Too many people miss the silver lining because they're expecting gold.
[BES 5.0.3 / GroupWise 2012 HP2]
Old 04-01-2011, 10:27 AM   #3 (permalink)
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Good grief man... why don't you just disable the handheld and erase all data; wait 10 minutes and then remove him from the BES? There's no cost involved to delete users.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 04-01-2011, 10:28 AM   #4 (permalink)
BlackBerry Elite
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,754
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

If they sign the waiver, also put an IT timer policy on it so the device self-wipes after X days of no contact.

This will ensure it gets wiped if they remove the SIM or change data plans.
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Old 04-01-2011, 11:03 AM   #5 (permalink)
New Member
 
Join Date: Apr 2011
Model: N/A
PIN: N/A
Carrier: Several
Posts: 4
Post Thanks: 0
Thanked 1 Time in 1 Post
Default Re: Former employee can still access corporate mail via BlackBerry?

Thanks for the replies.

jsconyers: I agree that deletion of the BES account is the best approach. However, before asking for money to improve and automate processes, I would like to confirm that this is a real risk and that there are no simpler (cheaper) options.

Darth: We have 100,000 users in 350 sites worldwide. Our problem is that the BES administrator in London has no idea when Joe in Scotland leaves the organization, let alone an employee in Pakistan. Currently, we rely on Joe's line manager to raise a helpdesk ticket to request BES account deletion. Often, Joe's manager doesn't even know that Joe had a BlackBerry with corporate access, let alone that he must raise a helpdesk ticket. There are things we can do to the corporate identity management system to either automatically delete the account when Joe's employment status changes, or at least notify the BES administrator by email to take action. Unfortunately, changes to the identity management system take weeks of development, testing, change control etc - and expensive resources.

Knotty: Thanks - I'll look into this.

Any other ideas? I'd also appreciate any reference to BB documentation that articulates this particular risk.

Thanks again.
Lunk
Old 04-01-2011, 11:16 AM   #6 (permalink)
BlackBerry Elite
 
Join Date: Jan 2008
Location: Massachusetts
Model: Passp
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,754
Post Thanks: 274
Thanked 296 Times in 280 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Run a report of last contact time, report it to HR and remove the users from BES after 14 days unless HR says on vacation etc
__________________
irony : many old timer posters have de-evolved into the trolls they once fought
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10
Old 04-01-2011, 01:08 PM   #7 (permalink)
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
Originally Posted by knottyrope View Post
Run a report of last contact time, report it to HR and remove the users from BES after 14 days unless HR says on vacation etc
I believe the problem is that the former employee is still accessing corporate data on a regular basis when they should not be.

@BBLunk - This is an HR problem, not a BES Admin problem. HR needs to be more diligent in notifying IT when a staff member is separated from the company. Then ALL access can be discontinued.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 04-01-2011, 01:13 PM   #8 (permalink)
Grumpy Moderator
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: iPh6
Carrier: AT&T
Posts: 27,813
Post Thanks: 33
Thanked 442 Times in 382 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

THANK YOU! Solving HR problems with technology will never solve the underlying problem. If you have 100,000 employees and no termination process that is uniformly followed, you have a much bigger problem than BES administration.

Last edited by NJBlackBerry : 04-01-2011 at 01:15 PM.
Old 04-01-2011, 01:14 PM   #9 (permalink)
New Member
 
Join Date: Jul 2007
Location: In a van down by the river.
Model: NOTE2
OS: 4.1
PIN: <- Where do I find this?
Carrier: Sprint
Posts: 15,071
Post Thanks: 139
Thanked 140 Times in 121 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
Originally Posted by DarthBBerry View Post
@BBLunk - This is an HR problem, not a BES Admin problem. HR needs to be more diligent in notifying IT when a staff member is separated from the company. Then ALL access can be discontinued.
I agree with this. The easiest way to fix this would be to include this step in your company's current termination procedure. At my organization, we have a procedure we follow when a user leaves, and in that procedure, there is a section about mobile devices, company owned or personal, what server are they on? Were they removed from the server? etc.

If this is implemented, then your IT staff should be made aware that the user left almost immediately.
__________________
The difference between stupidity and genius is that genius has its limits.
When you take things for granted, the things you are granted, get taken.
Even a mosquito doesn't get a pat on the back until it starts to work.
Too many people miss the silver lining because they're expecting gold.
[BES 5.0.3 / GroupWise 2012 HP2]
Old 04-01-2011, 01:33 PM   #10 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2007
Location: Courbevoie, France
Model: SGS3
OS: CM 10.2
Carrier: SFR
Posts: 59
Post Thanks: 5
Thanked 0 Times in 0 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

I know nothing about Exchange (let alone BES for Exchange), but I'm quite surprised to hear that a deleted account can still access enterprise resources!
Definitely looks like a huge security breach to me.

Now I need to check how BES for Domino does with this situation...

I guess the safest/cheapest way to deal with this would be to run a script that matches your BB users list against the AD, and removes extra BES accounts.
There's a BES User Admin Tool in the resource kit that should come handy here.

But really, I think you should report this to RIM.
__________________
400 BB users | BES 4.1.7 | Traveler 9.0 | Domino 8.5
Old 04-01-2011, 01:36 PM   #11 (permalink)
Grumpy Moderator
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: iPh6
Carrier: AT&T
Posts: 27,813
Post Thanks: 33
Thanked 442 Times in 382 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

No one has actually stated that you still get e-mail once the AD account is disabled.
Old 04-01-2011, 01:37 PM   #12 (permalink)
BlackBerry God
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Post Thanks: 1
Thanked 237 Times in 219 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
Originally Posted by Nico57 View Post
I know nothing about Exchange (let alone BES for Exchange), but I'm quite surprised to hear that a deleted account can still access enterprise resources!
Where did you hear this?
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Old 04-01-2011, 01:42 PM   #13 (permalink)
Grumpy Moderator
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: iPh6
Carrier: AT&T
Posts: 27,813
Post Thanks: 33
Thanked 442 Times in 382 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Read the first thread. Assumptions and guessing. Wrapped around a lack of institutional controls.
Old 04-01-2011, 01:55 PM   #14 (permalink)
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
Originally Posted by Nico57 View Post
Now I need to check how BES for Domino does with this situation...

I guess the safest/cheapest way to deal with this would be to run a script that matches your BB users list against the AD, and removes extra BES accounts.
There's a BES User Admin Tool in the resource kit that should come handy here.

But really, I think you should report this to RIM.
You're still using technology to cover for the lack of communication from HR. You bet your @ss that HR notifies payroll to stop their paycheck. Why not the account access as well?

And what will reporting this to RIM do? They aren't going to do anything. Any ol' JSanders can call up RIM and say, "Hi RIM, can you please block the services on Juwaack's BlackBerry? She's too blonde and dingy to have one."
C'mon man....

Yes, that was a triple dig in one post. It's good to be the king...
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0

Last edited by DarthBBerry : 04-01-2011 at 01:56 PM.
Old 04-01-2011, 02:35 PM   #15 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2007
Location: Courbevoie, France
Model: SGS3
OS: CM 10.2
Carrier: SFR
Posts: 59
Post Thanks: 5
Thanked 0 Times in 0 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

OK, let's not digress, please.
This is not about what HR is supposed to do or not; this is about how different pieces of your IT infrastructure interact.

To put it simply, whenever I want to add a new user on my BES, he needs to have a Domino account first.
There's no way I can enable a BB device on my BES without a Domino account.
I'd say that user authentication in BES builds on Domino's.

Now when I delete the underlying Domino account, I'd expect any access rights granted through it to be revoked as well !
BES simply does away with this, and still allows access to internal resources: global address book, network access through the BlackBerry router, and probably more.
That's definitely NOT how the standard administrator would expect it to behave.

BTW, yes, BES for Domino is indeed affected by the same problem.
__________________
400 BB users | BES 4.1.7 | Traveler 9.0 | Domino 8.5
Old 04-01-2011, 03:01 PM   #16 (permalink)
Wireless Sith Lord
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

When you remove a person from Domino, their access to BES gets removed even if their entry is not removed from the server. Even though they are still added into BES, their e-mail address cannot be authenticated any longer.

Quote:
Originally Posted by Nico57 View Post
OK, let's not digress, please.
This is not about what HR is supposed to do or not; this is about how different pieces of your IT infrastructure interact.

To put it simply, whenever I want to add a new user on my BES, he needs to have a Domino account first.
There's no way I can enable a BB device on my BES without a Domino account.
I'd say that user authentication in BES builds on Domino's.

Now when I delete the underlying Domino account, I'd expect any access rights granted through it to be revoked as well !
BES simply does away with this, and still allows access to internal resources: global address book, network access through the BlackBerry router, and probably more.
That's definitely NOT how the standard administrator would expect it to behave.

BTW, yes, BES for Domino is indeed affected by the same problem.
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 04-01-2011, 07:19 PM   #17 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2007
Location: Courbevoie, France
Model: SGS3
OS: CM 10.2
Carrier: SFR
Posts: 59
Post Thanks: 5
Thanked 0 Times in 0 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
Originally Posted by DarthBBerry View Post
When you remove a person from Domino, their access to BES gets removed even if their entry is not removed from the server. Even though they are still added into BES, their e-mail address cannot be authenticated any longer.
Again, I can testify that's NOT what is happening here (tested on both BES 4.1.7 MR3 on Domino 7.0.4 FP2 and BES Express 5.0.2 on Domino 8.5.2 FP2).

On a BlackBerry 9000 device, activated with a Domino account which has since been deleted (from every address book replica), I can still:
  • look up names
  • look up people's availability, and send them a meeting request
  • send e-mail, both inside and outside the company
  • access intranet web servers

I can do pretty much anything a regular BES user can do !... except receive e-mail, of course.

Whenever the Domino account of a BES user is terminated, the only clue about it in BlackBerry Manager (v4) seems to be that user's "last forward time" skipping away.
Since I happen to also be the main Domino administrator (and thus know about deleted accounts), and I routinely check the last forward times in BB Manager, and not that many BB users left our company over the last years, I think I managed to track every such case within a few days after Domino user deletion.
But it never occurred to me that BES was so light on checking user access!

Now that we're moving to BES Express 5.0 and want to delegate user management to regional administrators, if no one is taking special care, we may end up with deleted but still active BB users rotting for months...
__________________
400 BB users | BES 4.1.7 | Traveler 9.0 | Domino 8.5
Old 04-04-2011, 05:27 AM   #18 (permalink)
New Member
 
Join Date: Apr 2011
Model: N/A
PIN: N/A
Carrier: Several
Posts: 4
Post Thanks: 0
Thanked 1 Time in 1 Post
Default Re: Former employee can still access corporate mail via BlackBerry?

Thanks again for all the input! Nothing like a good debate for a Monday morning.

Although there are differing views here, I think they're all valid...

First, I agree that HR should play a role here; and in our organization, they do. HR triggers are sent to the identity management system (IMS) and drive automated provisioning and deprovisioning workflows. But the IMS is only integrated with a subset of our apps/services and BES isn't one of them. Asking HR to contact the BES team or raise helpdesk tickets is a non-starter. If HR is to be a trigger for BES account removal, then linking BES account administration to the IMS workflows is the answer. Unfortunately, this costs money as per my first post. The money will only be spent if the risk can be validated - hence this thread.

I also agree with Nico's argument that BES security in this regard could be better. In our environment, if disabling an Active Directory user account prevents access to email via PC, Outlook Web Access, iPhone, Android, Windows Phone etc, why doesn't disabling the AD account also prevent access via BB? Why can't the BES check the status of the AD account before allowing mail synchronization? (I'm assuming here that it can't - please tell me if it can!)

The general consensus appears to be that if BES accounts are not appropriately managed, an individual will retain access to corporate mail as long as they retain their BB phone - even if the AD account is disabled and the user changes SIM. Is there any official documentation to support this, or has anyone confirmed this in an AD/Exchange environment?

One thing that's still unclear to me is this... Our BES architect tells me that BBs authenticate to the BES using a BB PIN and an encrypted key. He wasn't sure if both the BB PIN and the key are tied to the device, or if swapping the SIM changes the BB PIN (and thus requires re-activation of the device to gain access to corporate mail). Any ideas?

Assuming that a user can retain access to corporate mail even if the SIM is changed, it seems that improved BES account management is the only solution. I think we have 3 options for this:

1. Have the IMS automatically disable BES accounts based on HR triggers (expensive)
2. Have the IMS email the BES administrator based on HR triggers (cheaper)
3. Create a daily/weekly script (cheapest) to either:
   a. Disable/enable BES accounts based on the status of AD user accounts, or
   b. Set/remove deny permissions on mailboxes to prevent BES mailbox access based on the status of AD user accounts.

There were suggestions to remove access based on inactivity. Although we already do that, I don't think it addresses the risk of someone actively (and frequently) abusing their access to corporate mail after they've left the organization.

Regards,
Lunk
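One way to implement option 3 above (and the "match your BB users list against the AD" script Nico57 suggested in post #10), as an added example that is not part of this thread and not a RIM/BlackBerry tool: a PowerShell script that checks every user in an exported BES user list against Active Directory, writes a report of BES users whose AD account is disabled or gone, and can optionally place a Deny on those mailboxes for the BES service account (option 3b) until the BES account is deleted. It assumes the BES user list was exported to a CSV with an EmailAddress column, that the ActiveDirectory module (and, for -DenyBesAccess, the Exchange cmdlets) are loaded, and uses a placeholder service account name; the column name and account name are assumptions.

```powershell
<#
  Added example (not a RIM/BlackBerry tool): reconcile BES users with AD.
  Assumptions: $BesUserCsv is a CSV exported from the BES admin tooling with
  at least an EmailAddress column (column name assumed); the ActiveDirectory
  module is available; for -DenyBesAccess the Exchange cmdlets are loaded and
  $BesServiceAccount is the BES service account (placeholder name).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $BesUserCsv,
    [string] $ReportPath = '.\bes-orphans.csv',
    [switch] $DenyBesAccess,
    [string] $BesServiceAccount = 'DOMAIN\BESAdmin'   # placeholder, assumed
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = foreach ($row in Import-Csv -Path $BesUserCsv) {
    $mail = "$($row.EmailAddress)".Trim()
    if (-not $mail) { continue }

    # Match on the primary SMTP address. The value goes into the -Filter
    # string, so escape single quotes to keep the filter well-formed.
    $safeMail = $mail -replace "'", "''"
    $adUser = Get-ADUser -Filter "mail -eq '$safeMail'" -Properties Enabled, mail

    $status = if (-not $adUser)             { 'NoADAccount' }  # owner deleted from AD
              elseif (-not $adUser.Enabled) { 'ADDisabled' }   # leaver, account kept but disabled
              else                          { 'OK' }

    New-Object PSObject -Property @{
        EmailAddress   = $mail
        SamAccountName = if ($adUser) { $adUser.SamAccountName } else { '' }
        Status         = $status
    }
}

# Everything that is not OK still has a live BES account and needs action.
$orphans = @($findings | Where-Object { $_.Status -ne 'OK' })
$orphans | Select-Object EmailAddress, SamAccountName, Status |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} BES users checked, {1} need action (see {2})" -f
    @($findings).Count, $orphans.Count, $ReportPath)

# Option 3b: stop the BES service account reading these mailboxes until the
# BES account itself is removed. Runs only when asked for and honours -WhatIf.
if ($DenyBesAccess) {
    foreach ($o in $orphans) {
        if ($PSCmdlet.ShouldProcess($o.EmailAddress, "Deny FullAccess for $BesServiceAccount")) {
            Add-MailboxPermission -Identity $o.EmailAddress -User $BesServiceAccount `
                -AccessRights FullAccess -Deny -ErrorAction Continue
        }
    }
}
```

The mailbox Deny is only a stopgap: the BES account still has to be deleted (as in post #2), and the report is the list to hand to whoever does that.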
Old 04-04-2011, 05:32 AM   #19 (permalink)
Grumpy Moderator
 
Join Date: Aug 2004
Location: Somewhere in the swamps of Jersey
Model: iPh6
Carrier: AT&T
Posts: 27,813
Post Thanks: 33
Thanked 442 Times in 382 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

Quote:
The general consensus appears to be that if BES accounts are not appropriately managed, an individual will retain access to corporate mail as long as they retain their BB phone - even if the AD account is disabled and the user changes SIM. Is there any official documentation to support this, or has anyone confirmed this in an AD/Exchange environment?
I don't agree with that "consensus" (and didn't see it posted anywhere). I believe if the account is disabled in AD, the e-mail to the BB is also disabled.

Quote:
Our BES architect tells me that BB's authenticate to the BES using a BB pin and encrypted key. He wasn't sure if both the BB pin and the key are tied to the device, or if swapping the SIM changes the BB pin (and thus require re-activation of the device to gain access to corporate mail). Any ideas?
The PIN is unique to the BlackBerry and can't be modified, changed or copied to another device. The SIM doesn't really matter.
Old 04-04-2011, 05:54 AM   #20 (permalink)
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: 9780
PIN: N/A
Carrier: Swisscom
Posts: 1,579
Post Thanks: 5
Thanked 119 Times in 116 Posts
Default Re: Former employee can still access corporate mail via BlackBerry?

For all the e-mail/calendar and PIM sync, BES is using MAPI calls. So if it sends out a request for a user that is disabled or deleted on Exchange it should not get a valid answer back, otherwise there is a bug in Exchange.

Our experience is, if a user is disabled or deleted in AD/Exchange, you will see a lot of error messages in the BES log, but the user will not get any e-mails anymore. I don't know about address lookups, never tried that.

It would be cool if BES could at least notify administrators when a user has been deleted in AD, so they could check and delete the user on BES as well.
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.