"Provisioning" personal Blackberry's on BES?
 

Hello again,

Potentially simple question. For all the people that use Blackberry's with a personal data\voice plan, what do I and what do they need to do if they want to be connected to a corporate BES?

It is almost certain that my company will only want to control the Email side of things and leave the individuals to maintain their own Internet connections etc.

What I want to do is be able to activate their Blackberry's wirelessly without having to touch the device manually (if we have to manually "play" with devices it will be very complicated).

I will need to create a BES account for these users and associate it wth their corporate Email, and I also assume would need to associate this BES account with their actual Blackberry? (Serial number, phone number etc?). I have read through the activation process and I understand it, but will this process work from a practical perspective irrespective of whether we own\manage the Blackberry's or whether they do? If it comes to "us" having to rebuild\wipe devices it's not something we have as yet considered.

Effectively, we want to just provide the Blackberry Email service and potentially Sharepoint access, we dont want to have to manage Blackberry devices.

Any thoughts?
Tom

That's what you consider a "potentially simple question"? ;-)

I read through that a few times and I'm still not entirely clear what you're trying to do, or what YOUR role is in the process.
Are you the BES administrator, or just an end user?

Are the end-users going to be responsible for getting a BES capable data plan for their devices? Do they understand this will be a higher monthly cost that what they're accustomed to paying?

Do the end-users understand their devices will have an IT Policy installed which can be used to control every aspect of the device?

Do the end-users understand their web browsing, text messages, pin messages and phone call logs are now able to be logged by the BES administrator without their knowing?

My point is that allowing personally owned devices to be activated on a corporate BES is far from simple. It's quite complex actually. There's privacy and security concerns that make this very involved.

In my opinion, the simplest (and my recommended) solution for you would be to disallow the use of personally owned BlackBerry devices on a corporate BES.

If the users have the ability to access their email via OWA, then just instruct them to integrate their OWA account into their BlackBerry using BIS. SInce you seem to be concerned mostly with email, then BES might not be what you need anyway. BIS should do just fine.

There seems to be a mixed bag on this subject out there. Some companies allow it, some say no personal devices on the BES.

As for you actually doing it, it's pretty straightforward. As long as the person has called their carrier and changed their BB data plan to a BES plan, then you can activate them on the BES.

Before you do this, however, I strongly recommend you come up with a policy/form/whatever you want to call it about how you will or won't support these devices. Thing like:

• Are you going to force these devices to have the same IT Policy as the other devices, including an enforced password?
• Will you support their device if they need to upgrade the OS?
• Will you support their device if they download a 3rd party application that causes issues with it?
• When they leave the company, will you issue a 'wipe' command from from the BES to remove all company data?

You should really nail this down and make people sign it before you go this direction. Just my 2 cents.

Also give this a read - might be something else to share with your users:

What does BES see; what can be tracked/logged? - Port3101.org : Your BES Connection

Dang you, Penguin...you type faster then me ;-)

Many thanks for the replies lads

My involvement will be purely technical in that I am the Exchange\VM\SQL\ISA guys along with another 2 and we have designed and installed this large environment (50000 users +) over the past 8 months (Since I started). The powers that be want a BES service as added incentive to get all users from all currently seperate Email environments to migrate onto our central service (We are effectively an outsourced Email and collaboration service, but not really outsourced ;-)

Effectively I am being tasked with designing a BES solution and implementing it but I want to know more about the pitfalls that I may come across considering our environment, before I start to discuss the options with management.

Security and Privacy are massive concerns amongst our userbase so i am preparing myself for the questions I may get asked.

We want the Email functionality that BES allows over BIS from a security point of view (I.E shared credentials are frowned upon ala BIS I believe). It may be in my discussions that we will touch on the issues that having a personal BB on BES brings, and I want to be able to influence any policies we employ hence the questions.

I actually did think it would be complicated but I fear that the management will allow personal BES's to be connected :-(

So, if we do go with BES and allow personal BB's to connect, I take it their could well be substantial admin overhead to contend with, unless we catgorically state we wont support handheld? In the latter case then, is it actually a practical solution to say we only provide a service, but not any handheld support?

Hopefully I'm not confusing things here, I'm kinda starting to confuse myself while reading up on this. The technical stuff isn't the issue, it's what service to offer that I find difficult because we have to be accomodating to get people onto our environment.

Personal BES's huh... LOL Surely you meant personal BB's.

You are!!! Interesting how you and 2 other guys built a 50000+ environment... and are JUST now thinking about mobile email. You have a LOT of reading, server buying, design layout ahead of you but in the end you will have the happiest most effective, secure and productive workforce possible.

as far as i know, in order to use the BES, your voice/data plan must be in the Corporate group. those users with voice/data with blackberry plan that is not associated with the corporate group will not be able to activated using BES. as a BES admin, ive tested out on a few of my users. it seems like telco restrict the individual blackberry users from using BES without their consent..

so what i did was, i called up our telco account manager, and ask him to add that particular users to the Corporate group. and the provision went smoothly.. but of course, i told my account manager it was for testing purposes :)

Hey BESAdmin

I already have a mockup design in place and my VM environment will provide everything I need for this BES implementation. I have confirmed this morning that most things will be personal BB's on the environment. I asked why the powers that be are using BES in that case and they have suggested it is because they "promised" it some time ago and it provides secure access to email with synchronisation. They are very particular about having the most "secure" systems.

We already have people connecting via IMAP, POP, OWA you name it on their various mobile devices. But everything is in place to build a BES environment for BB users, all I am trying to get my head around is how we are expected to support a system where all we are doing is providing a BES Email service, but for no corporate Blackberry's

Weird. I'll figure it out eventually.