[BlueBerry2007]

Quote:

Originally Posted by Aroc

3. It gets wiped, that's what the device does by default! If I can activate it wirelessly, great. We'll try that. We're a Lotus shop and we do all of the PIM data (mail/calendar/contacts/tasks/memos) and handheld settings wirelessly in BES.
--
I'm actually glad to be rid of Desktop Manager. Nearly 85-90% of my BB headaches (and these are few and far between) are due to Desktop Manager. Doing everything OTA (even with increased traffic due to the Synchronizer service and Messaging Agents).

So when a Blackberry is remotely wiped and activated, do you then tell the user go into your Notes client to Synchronize Address book? This is not always possible. They may not have a laptop or internet access. And what is one of the questions they always ask when we replace a Blackberry? "My contacts we all be there and intact right?"

[BlueBerry2007]

Quote:

Originally Posted by penguin3107

That's only one way to do it.

You could always replicate the user's personal address book on a schedule to the Domino server, and point the user's BES profile to use the server copy of the address book.
Then there is absolutely no end-user intervention or action required at all.
Very simple.

Interesting I'll have to take a look at this. My mind is stuck on replicating from server to local cause that's how we mainly use it--and not local to server.

[penguin3107]

Quote:

Originally Posted by BlueBerry2007

So when a Blackberry is remotely wiped and activated, do you then tell the user go into your Notes client to Synchronize Address book?

NO... you don't need to do that.
As I mentioned earlier... with Notes, you have a replica of the user's personal address book on the Domino server.
The BES profile for the user can point to the server replica, and it will wirelessly sync with that.
The user doesn't need to do anything at all.
They DON'T need to choose 'Actions / Sync Address Book' in the Lotus Notes client.

Additionally, if you don't delete the user's BES profile, then the wireless backup will handle ALL PIM data repopulation when the new device is reactivated. Again, the end-user doesn't need to do anything other than start the EA on the new handheld.

[BlueBerry2007]

Quote:

Originally Posted by penguin3107

I wholeheartedly disagree with this.
Security is the responsibility of the IT department, and should never be put in the hands of the end-user.
Especially when you're talking about a BlackBerry device on a corporate BES.

An unprotected BlackBerry device on a BES has access to the INTERNAL corporate network through MDS.
As a result of a lost BlackBerry, you're not just losing the data on the device itself... you're also opening a door to your network. That's a risk that many are not willing to take. Please keep that in mind when making your decisions about enabling password policies.

If only in a dreamworld we can put more of the responsibility on the user.

That's a very good point! I hadn't even make that connection yet ... and I was just helping a user yesterday get her Blackberry Browser working by enabling MDS Connection and Collaboration Service for her account in Blackberry Manager--so she could access internal information from her Blackberry. In that regards, it's quite scary the corporate data an unauthorized user could have access to.

[ladydi]

Quote:

Originally Posted by Jadey

Ahem. With all due respect - when Domino is configured properly and as per best practices, then everything syncs OTA without hassle.

The Domino vs. Exchange battle could go on for ever, but in terms of BlackBerry, Domino works as well as anything else with BES if you set it up right.

No offense taken I was being snarky considering I only know Exchange. From the threads that I have read, it does seem that Exchange is quite a bit simpler to manage and perhaps it isn't as robust as Domino for that simplicity.

[Jadey]

Quote:

Originally Posted by BlueBerry2007

In order for the personal address book (residing locally on the computer) to replicate to the user's home mail server, in Notes client the user has to select the Inbox > go to the Actions menu > and select Synchronize Address Book.

The same thing also has to be done if they make changes to contacts on the handheld and want that synch'ed up with their personal address book.

This is what I meant by not having them trained to do wireless synch.

Sorry but that is just not accurate. What version of notes are you running?

Just edit their "office" location document so that whenever notes is connected to the LAN it replicates on a schedule. Then going forward, use setup profiles to ensure that replication is enabled on the Office location for all new installations. I set my users to replicate every day of the week, every five minutes. The 5 mins timing can be adjusted as per network load.
Reference the server copy of the PAB on BES.
Do the same for the journal DB (replicate to home server, reference in BES, include on replication page in notes client).

That way, any changes made to the PAB/Journal/mail/calendar/to do on BES push back to the server copy, and as soon as the laptop is on the LAN, the replication schedule kicks in and pulls down the changes. And vice versa.
No manual user intervention required, and everything stays in-line.

Also, when wireless sych is properly setup on BES, even if a user does a synch in Desktop Manager it tells them that wireless synch is enabled and so DTop Manager will not attempt to synch these DBs. Hurrah. No further need for DTop Manager.

[Jadey]

Quote:

Originally Posted by penguin3107

I wholeheartedly disagree with this.
Security is the responsibility of the IT department, and should never be put in the hands of the end-user.
Especially when you're talking about a BlackBerry device on a corporate BES.

Agreed 100%

Fundamentally most end users don't understand IT Security. My CEO was moaning about the password policy, and said something like "there is only limited info in my emails"

I pointed out a theoretical situation whereby someone targets him and deliberately steals his BB. They then send a message to his PA (not hard to work out her name from the many emails on the BB about flights being rearranged etc) saying "an analyst needs the unreleased Q3 results, can you fax them to +1 303 xxx xxxx"
The PA would almost definitely do it ASAP, it's a request from the CEO right?
Wrong. Identity fraud is becoming big business in IT. I would love all my users to read "The Art of Deception" by Kevin Mitnick to understand how easy and widespread this is, but they won't take the time to read it. So it's down to IT to understand all risks, and protect end users from themselves.

At the end of the day, if financial or patent or important information is leaked, Execs will not hold their hands up and say "yeah that was my bad, should have learned more about IT Security" - they will blame us for leaving them "unprotected"

It is annoying, but that's the way it is.

[Aroc]

Quote:

Originally Posted by BlueBerry2007

So when a Blackberry is remotely wiped and activated, do you then tell the user go into your Notes client to Synchronize Address book? This is not always possible. They may not have a laptop or internet access.

We replicate local address book (name.nsf) to their home/mail server at mail\(username)_ab.nsf. It is automatically replicated on schedule every 60 minutes for some BB users and every 10 minutes for a couple (ditto for email). Most other databases I replicate locally every 360 minutes. The user is aware of this happening for the most part. We train our users to understand the replication model (especially those who may still need to utilize 56k analog lines from time to time).

I don't quite understand what you mean by "may not have a laptop." Do you mean a "laptop with them" or "a laptop at all?" all of my BB users are mobile users who have notebook computers. most should have them in the field. For me SOP for a BB wipe, would be "I'll address this when you get to the office" or "you need to get ahold of some local IT support." We can certainly try to do OTA EA from another continent, and it may work. Then again, it may not. It's sort of a risk when traveling. I can't load a ghost/sysprep image on a notebook that is on the road. (at least not without local IT support to cooperate with me over the phone). It's sort of a similar case.

To get back to the point, if the user has a wiped BB, and doesn't have a notebook computer with them (I'm assuming with Desktop manager and some PIM data, like Notes address book) or PIM data and settings aren't being replicated/stored/backed up server-side to do a OTA EA -- then yes, they are probably SOL in the field until they return to the office.

We are getting better at making the technology more accessible, but there are limitations. I'm just hoping that we are picking all of the "low hanging fruit."

Quote:

And what is one of the questions they always ask when we replace a Blackberry? "My contacts we all be there and intact right?"

The last few I've done on BES 4.1 have pull over all settings wirelessly OTA when doing an EA. For the one case where I needed to purge the user's BES profile and state DB, I cheated by using Desktop Manager. I performed a full backup, factory wiped the device, restored the backup (minus messages and service books), then performed EA wirelessly. Granted I have a little more testing to verify I can support this, but I seems like I can restore everything when a user switches devices (and use DM as an ace-in-the-hole when I need to punt).

[tduffy]

Quote:

Originally Posted by BlueBerry2007

What I mean by security?

• Known procedures or steps taken when a Blackberry is reported misplaced or stolen (i.e., misplaced = Blackberry is recoverable, stolen = Blackberry is not recoverable).
  
• BES policy that enforces use of a password on Blackberries.
  
  Or, do you not use a BES policy, but instead use a corporate policy (i.e., you leave it up to the user to set a password on their device and they are the ones responsible for the data on it).
  
• What do you do when a user decides to incorrectly type in their password 10 times (for whatever reason), wiping their handheld, and they are at a remote location?
  
  I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).
  
• What about a user who forgot their password and they are in a remote location with NO wireless coverage? What do you do you here? Do you pretty much inform that they are SOL? You can't really do that with execs, officers, or higher ups.
  
  Or, do you inform from the get go, if you are in a non-coverage location and forget your password, we can not reset your password.
  
• Speaking of reseting Blackberry passwords, how do you confirm that who's calling in to reset their password, is who they say they are?

Just want to hear how others implement security in their environment.

I am a network admin in the financial services industry. Security and content protection are a requirment and is enforce regardless of whatever disadvantages exist due to it being enabled.

To answer your questions:

1. procedure for lost/stolen berries is to do a remote wipe of the device and call verizon to suspend service but we rest assured that no data has been compromised due to passwords and content protection.

2. password policy is enforced by our IT policy. it requires 8 characters and to be changed every 90 days.

3 and 4. if a user enters their password wrong too many times and the device wipes itself, I instruct them through a wireless activation. if they are in a location with no service, they are told to that they need to get to one before i can help them regardless if they are execs or higher ups.

5. I have a small deployment of berries(20 users currently). I personally know all of them. I verify it is them by recognizing their voice.

[Snyder81]

We are very close to the same, forcing both content protection and passwords. We disable MDS for all but a few users but once we get SecurID two-factor authentication working, we will allow MDS access from the handheld. There is far too much corporate data at risk to allow access to the internal network through the handheld without some additional authentication mechanism. I can't believe it when I hear some companies don't require passwords on handhelds AND allow internal network access through MDS. These things are equivalent to little desktops and carry many of the same risks. Security is not an option, it's a requirement.

Edit: To answer the question about user verification, our Help Desk is required to either dial the individual back at a listed phone number (company directory). If user is remote or on a cell phone, we require a known third party to verify the person's voice via conference call. It only takes a couple minutes to find someone the person works with and is a very effective way to establish positive ID.

Quote:

Originally Posted by tduffy

I am a network admin in the financial services industry. Security and content protection are a requirment and is enforce regardless of whatever disadvantages exist due to it being enabled.

To answer your questions:

1. procedure for lost/stolen berries is to do a remote wipe of the device and call verizon to suspend service but we rest assured that no data has been compromised due to passwords and content protection.

2. password policy is enforced by our IT policy. it requires 8 characters and to be changed every 90 days.

3 and 4. if a user enters their password wrong too many times and the device wipes itself, I instruct them through a wireless activation. if they are in a location with no service, they are told to that they need to get to one before i can help them regardless if they are execs or higher ups.

5. I have a small deployment of berries(20 users currently). I personally know all of them. I verify it is them by recognizing their voice.

[storm]

Quote:

Originally Posted by MarkF

Slightly off topic from what I've read but after enforcing encryption (content protection), you can no longer reset passwords.

Anyone here enforcing content protection? Any gotchyas? Other than losing the password reset capability, I've noticed entering in the device unlock password on the model 7290 must be done at a much slower pace or the device starts clocking.

tks
Mark

We've had content encryption enabled for a couple of years now due to an audit finding. Not being able to reset passwords was a bit of a painpoint for users at the beginning, but after a couple of months, it was no longer an issue - users either got better at remembering their passwords or stopped complaining about the 'iron fist' of technology forcing them to be compliant. Either way, tickets dropped off significantly.

Wiping the device does take much longer (an hour +, depending on the memory of the device) because the wipe clears and overwrites the memory a number of times to ensure all data is cleared. Time consuming, but very secure.

The place where we got the most complaints is the inability for users to see who is calling them when a device is locked. When content encryption is NOT enabled but a device is locked and the user receives a call from someone in his/her address book, the name of the caller is displayed on the Blackberry (cell-phone style caller ID). However, when content encryption IS enabled and the device is locked, the Blackberry displays the phone number but NOT the name of the caller (regardless of whether the caller is in the Blackberry's address book). This is because the address book is encrypted and can't be read by the phone application when a call is ringing through to the locked Blackberry. When the BB is unlocked, the name of the caller will appear because the address book is not encrypted when the device is unlocked. You can get around this issue in later versions of the handheld code and setting appropriate BES IT Policies by allowing the user to content protect all of the data on the Blackberry EXCEPT the address book. In those cases, a locked BB would display the name of the caller if the caller is in the BB's address book. This creates a security issue, particularly if a device is set to allow calls when locked:

If the BB is set to allow calls when locked and the address book is not encrypted, an individual can place a call from a locked device and then have full access to the address book. Depending on the data your user's keep in the address book, the nefarious user may end up with a significant amount of contact information and/or customer info. With California's Senate Bill 1386 (there may now be similar laws in other states), companies that lose customer data must contact affected customers. If you can't identify the affected customers, all customers must be contacted. That's a PR nightmare. Not to mention any sensitive corp info or personal info people might keep in the address book (exec home addresses and phone numbers, for example). (If the BB is set to allow calls when locked but the address book is encrypted, the 'finder' of the device can eat away at cell minutes and rack up hefty charges until the line is cancelled, but that's much less of a headache than potentially leaking private corporate and customer data to the public.

Our user's don't really love for the content encryption, but most do accept it and understand the need for it. With the audit finding, we're able to hold strong to keeping it in place (from the techno-geek standpoint, it is a security necessity), and once we explaing the need for it, *most* of the *****ing subsides. Users that have received devices since encryption was enabled don't know the difference, so we don't get many complaints from them.

[BlueBerry2007]

Quote:

Originally Posted by Snyder81

Edit: To answer the question about user verification, our Help Desk is required to either dial the individual back at a listed phone number (company directory). If user is remote or on a cell phone, we require a known third party to verify the person's voice via conference call. It only takes a couple minutes to find someone the person works with and is a very effective way to establish positive ID.

Interesting methods! What if it's an internal user who has a BB that is not theirs but they pass the verification step where Help Desk is required to dial the individual back?

[BlueBerry2007]

Quote:

Originally Posted by storm

We've had content encryption enabled for a couple of years now due to an audit finding.

You must have some good auditors. What led them to propose that you should encrypt your BB's data?

Quote:

Depending on the data your user's keep in the address book, the nefarious user may end up with a significant amount of contact information and/or customer info. With California's Senate Bill 1386 (there may now be similar laws in other states), companies that lose customer data must contact affected customers. If you can't identify the affected customers, all customers must be contacted. That's a PR nightmare. Not to mention any sensitive corp info or personal info people might keep in the address book (exec home addresses and phone numbers, for example).

What type of company are you? I google'd the California law and it mentions unauthorized access to first/last name of customers AND another of their data like social security #, credit/debit card account #, etc. I can't think of too many reasons why our employees should have our customer's personal information--not to say that the potential couldn't be there. But, since you have your BB's encrypted I guess you're off the hook.

Quote:

Our user's don't really love for the content encryption, but most do accept it and understand the need for it. With the audit finding, we're able to hold strong to keeping it in place (from the techno-geek standpoint, it is a security necessity), and once we explaing the need for it, *most* of the *****ing subsides. Users that have received devices since encryption was enabled don't know the difference, so we don't get many complaints from them.

This is what I think too. Since security is currently not in place there's going to be complaints if it does get implemented. "Change" it can be a bit difficult to deal with I suppose. But then you think if someone who's never had the BB before don't know the difference and probably wouldn't complain, why can't these others just go with it.

[storm]

Quote:

Originally Posted by BlueBerry2007

You must have some good auditors. What led them to propose that you should encrypt your BB's data?

What type of company are you? I google'd the California law and it mentions unauthorized access to first/last name of customers AND another of their data like social security #, credit/debit card account #, etc. I can't think of too many reasons why our employees should have our customer's personal information--not to say that the potential couldn't be there. But, since you have your BB's encrypted I guess you're off the hook.

I work for a financial company. Due to the nature of the business, many of the external-facing employees have authorized regular access to customer personal data (brokerage account info, loan applications, etc.).

For this particular audit finding, auditors were federal, not internal. We were working toward implementing data encryption on all laptops a few years back when the auditors started looking at our mobile/handheld device envrionment. Since handhelds are more easily and more often lost/misplaced than laptops, they felt the need to require the same encryption on the handheld devices. It required an excelerated move to 4.0 (the worst part was getting all of the handhelds upgraded to the 4.0 software), but from a security standpoint, well worth the work.

BB users shouldn't have customer data on their devices, but that doesn't mean they don't. They're explicitly told (on a regular basis as a BB user, an annual basis via training, and via written policy) not to keep any sensitive customer data on their blackberries (delete any emails from customers that might contain sensitive data, no sensitive customer info in contacts/tasks/memo, etc.). However, there's no way to stop users from actually keeping that data on the devices. Since we can't control the data, we've implemented a number of the security features to ensure all data (customer and company) is secure on the device. I can't afford to rely on the users following the written policies - we all know that doesn't happen.

[tduffy]

Just a side note, i would hope that any auditor that is auditing IT in the financial services industry would be good enough to find and verify that institutions in this industry are encrypting their mobile devices! It's kinda their job!

[BlueBerry2007]

Quote:

Originally Posted by tduffy

Just a side note, i would hope that any auditor that is auditing IT in the financial services industry would be good enough to find and verify that institutions in this industry are encrypting their mobile devices! It's kinda their job!

Perhaps even the financial department of any company if the dept. uses mobile devices.

[thunderck]

Quote:

Originally Posted by Jadey

Ahem. With all due respect - when Domino is configured properly and as per best practices, then everything syncs OTA without hassle.

The Domino vs. Exchange battle could go on for ever, but in terms of BlackBerry, Domino works as well as anything else with BES if you set it up right.

RIM is now working closer with Domino than Exchange. Refer to a recent webcast.

My companies BB user env has no desktop software. Everything is OTA with no gotchas. I say that not to dich Exchange but to say that Domino can be a clean env as well.

Big fan of Security policies. We also use application policies with ota delivery.

[thunderck]

Quote:

Originally Posted by BlueBerry2007

What I mean by security?

I guess you'd re-activate the Blackberry wirelessly ... but just wondering, cause we use Lotus Notes, and a user's address book is local on their PC, we currently have them trained to synch. up their address book by using desktop manager and usb cable. (I know it can be done wirelessly but most haven't been trained to do so).

If you use Domino 6.5.4 with an iNotes mail template users can sync their locale address book to their iNotes template from the Notes client. (Not using Blackberry Desktop Software)

(While looking at mailbox click Actions --> Synchronize Address Book. Once this is done the address are now on the mail server and BES can sync them up to the BB ota!) You have to have the user log into iNotes once and sync once before Ent Activation for the setting to be auto updated in the BES database. You can do it manually by double clicking the user in BB manager and selecting PIM. At the very bottom is the address book settings.

Not using BB Desktop Software has saved us lots of support calls!

[silver_2000]

Quote:

Originally Posted by Jadey

Sorry but that is just not accurate. What version of notes are you running?

Just edit their "office" location document so that whenever notes is connected to the LAN it replicates on a schedule. Then going forward, use setup profiles to ensure that replication is enabled on the Office location for all new installations. I set my users to replicate every day of the week, every five minutes. The 5 mins timing can be adjusted as per network load.
Reference the server copy of the PAB on BES.
Do the same for the journal DB (replicate to home server, reference in BES, include on replication page in notes client).

That way, any changes made to the PAB/Journal/mail/calendar/to do on BES push back to the server copy, and as soon as the laptop is on the LAN, the replication schedule kicks in and pulls down the changes. And vice versa.
No manual user intervention required, and everything stays in-line.

Also, when wireless sych is properly setup on BES, even if a user does a synch in Desktop Manager it tells them that wireless synch is enabled and so DTop Manager will not attempt to synch these DBs. Hurrah. No further need for DTop Manager.

Im confused as to why you are promoting a hack that puts a copy of the local address book on the server - ( which is RIFE with potential problems ) vs the supported way of simply following the posters suggestion of syncing the local names into a hidden view in the mail file for inotes access.

When the replacement BB is activated the addresses in that hidden view will be automatically sent to the BB

Since most people dont update their address book daily this supported method works well

My $0.02

Doug

[penguin3107]

Quote:

Originally Posted by silver_2000

Im confused as to why you are promoting a hack that puts a copy of the local address book on the server - ( which is RIFE with potential problems ) vs the supported way of simply following the posters suggestion of syncing the local names into a hidden view in the mail file for inotes access.

When the replacement BB is activated the addresses in that hidden view will be automatically sent to the BB

Since most people dont update their address book daily this supported method works well

My $0.02

Doug

A hack!?
It's far from a hack. Ever hear of Domino Roaming profiles?

Your $0.02 says that you haven't had much experience in Domino administration.

While your preferred method is valid and supported by RIM, it's certainly not the only support method.