Hi,
I'm the Exchange administrator for a company. Until recently, management has turned a blind eye to mobile devices. If they pretend it doesn't exist, then it can't be a problem, right?
Riiiiight. So we have users with Blackberries, Treos, etc., etc. You name it, one of our users out there probably has one. Although most of these devices were purchased by the company, no one at the company has any idea who has a mobile and what it is. (Purchasing "assumed" the end user would contact the IT department whenever they requested a mobile phone so they didn't bother to track what was purchased, when and by whom.) Our PC Techs have a vague idea because they were often called upon to help users set up their phones. But we do have some users who are techie enough that they didn't need help setting up their phone. Plus, the PC Techs were also asked to set up phones which were (unknown to the PC Tech) not owned by the company. So we have no idea how many, what brand, who has one and which ones are company owned or user owned. (Arrgh...)
Out of the blue, management has suddenly decided that all those unknown "rogue" mobile devices out there pose a security risk. (Gasp! No! Really? A security risk? With saved passwords and all that? What a surprise.) After much begging by the IT department, management has decided to allow us to standardize on one mobile solution. We chose Blackberries. So I need to find a way to stop ALL mobile devices from accessing email except Blackberries that are set up to use Enterprise Activation. If possible, we would also like to continue to allow Web Outlook. (Note: Web Outlook is set up to only allow HTTPS connections. So, by itself, it's not a security risk. But if we have to kill it to block rogue mobiles or to block users who were dumb enough to allow IE to automatically save their password, then that's what we'll do.)
Now, here are my questions:
1 - Looking at my Exchange server's web logs, I can tell that a number of our users have Blackberries out there because the IP address of the host that's used to view the user's mailbox resolves to Blackberry.com. As a test, I disabled Webmail for just my account. When I try to log on to Outlook through the web from a regular web browser, the server says No-way, webmail for my account has been disabled by the system administrator. However, if I have a Blackberry and it's configured with my email settings but not with Enterprise Activation, it has no trouble whatsoever receiving messages. I can tell not only because the messages are on my Blackberry but I can also see my user name in the Exchange server's web logs with a result code of "200" (i.e., webpage displayed successfully). Does anyone have any suggestions on how I can stop rogue Blackberries from successfully retrieving messages using webmail yet still allow webmail?
2 - If I have to completely disable Web Outlook in order to stop the rogue mobiles from accessing messages using Web Outlook, what effect will that have on Blackberries that are set up to use Enterprise Activation?
Here is what we have:
- Exchange 2007 with Service Pack 1 and Post Service Pack 1 Rollup 2. I don't know if it matters but POP3 is disabled.
- Blackberry Enterprise Server 4.1 with Service Pack 6 and Maintenance Release 1
Unfortunately, I cannot tell you what model Blackberries our users have (from this point forward, new requests will be filled by Blackberry Curves). I don't know if the model makes much of a difference.
PS: My apologies if this is posted multiple times. My company's junkware web filtering server gave me an error message when I tried to post this message the first time. I checked the forums and didn't see the message so I'm trying to post it again.
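
The log review described in question 1, as an added example that is not part of the original post: a Python script that reads an IIS W3C extended log and lists which accounts had successful (status 200) requests from a given set of client address ranges. The log lines, account names and `HOSTED_RANGES` are constructed placeholders; the real ranges would come from the reverse lookups the post describes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in IIS W3C extended format; users and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2008-06-02 13:01:10 GET /owa/ CORP\\alice 192.0.2.15 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-06-02 13:02:44 GET /owa/ CORP\\bob 198.51.100.7 - 200
2008-06-02 13:03:02 GET /owa/ CORP\\bob 198.51.100.7 - 200
2008-06-02 13:05:31 GET /owa/ CORP\\carol 198.51.100.9 - 401
2008-06-02 13:06:00 GET /owa/ - 203.0.113.4 Mozilla/4.0 401
"""
# Placeholder (documentation range): replace with ranges whose reverse DNS
# points at the hosted mail service seen in your own logs.
HOSTED_RANGES = ["198.51.100.0/24"]

def inventory(log_text, hosted_ranges):
    """Return {username: {client_ip: hits}} for status-200 requests whose
    client IP falls inside one of hosted_ranges."""
    nets = [ipaddress.ip_network(r) for r in hosted_ranges]
    fields, found = [], defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # truncated or malformed row
        row = dict(zip(fields, parts))
        if row.get("cs-username", "-") == "-" or row.get("sc-status") != "200":
            continue                    # anonymous or unsuccessful request
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue
        if any(ip in n for n in nets):
            found[row["cs-username"].lower()][str(ip)] += 1
    return {u: dict(ips) for u, ips in found.items()}

if __name__ == "__main__":
    for user, ips in sorted(inventory(SAMPLE_LOG, HOSTED_RANGES).items()):
        print(user, ips)
```

The output is a per-account list that can be reconciled against what Purchasing and the PC Techs know about issued devices.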