[ekrengel]

Is there anyway I can block a user from upgrading the OS on their device? Or will they always be able to do it through their desktop software?

Thanks.

[Thatzmister2u]

Quote:

Originally Posted by ekrengel

Is there anyway I can block a user from upgrading the OS on their device? Or will they always be able to do it through their desktop software?

Thanks.

Sure! Start refusing to send a new EA after they blow their old one away! lol! I will wait for a BES Admin to respond with some real advice.

[ekrengel]

I wish it were that easy...

[zero7404]

staple their fingers to the desk ? that'll keep them from updating their phone

[ekrengel]

Like maybe there is a option to only allow a user to sync with my BES if they have a .416 OS and below...

[Frank Castle]

Unsure why you would want users on the old OS.

Depending on what options you have at your disposal you can enforce no desktop manager on your desktops.

You can enforce the enterprise policy on BES but it doesn't allow you to restrict OS. You could prevent devices with newer OS but with 4.5 out for almost all current models it doesn't help.

Looking through the policies you could enabled - Show Application Loader to FALSE so they can't use DM. It's under Desktop Only items. This would still leave the BlackBerry - Update your Device Software and if they have admin rights they could load the web control. So unsure if you can lock down users that way or restrict USB ports.

[CO_BBTechie]

As was alluded to... you can prevent desktop manager use all together, or just the loader app. If you disable DM use, this would require wireless enterprise activation whenever an OS upgrade was done. As the BES admin, you can choose to deny an activation unless you approve of their OS level. You as the admin must set an activation password and communicate that password to the end user. No password = no BES activation.

[ekrengel]

Thanks for the replies.

It's not that I want them on the old OS, I just want to prevent them from loading an OS that I do not approve of/not supported by the carrier, that is know to be buggy. Also, there is no reason to update the OS if there is nothing wrong with the current one! Unless there are some new features....

I know I can just not give him an activation password...but that is not feasible at the moment. I have to comply.

What we need is a written policy set in place that will underline these points...that way I can enforce it.

I set the application loader to false...we'll see how that goes.

Thanks.

[jsconyers]

I am lucky enough that most of my users don't care enough to upgrade their OS. If they're interested in doing so, they generally ask me before anything. Disabling App Loader should help. However, they don't need desktop manager to load the OS any longer. They can use the loader.exe file that comes with the OS. I am not sure if setting that to false will disable that as well.

[ekrengel]

I think setting the BES application loader to false, and using Group Policy "hash rules" should do the trick

For the hash rules, I'm blocking:

loader.exe
application_loader.dll
BBWebSLLauncher.dll
ApploaderWebSL-Upgrade.msi
DesktopMgr.exe

There is no way around it now, even if you take yourself off the BES or try to use the web upgrade

They would have to take themselves off the domain, or hack the local admin password, which isn't going to happen.

[CO_BBTechie]

Quote:

Originally Posted by ekrengel

I think setting the BES application loader to false, and using Group Policy "hash rules" should do the trick

For the hash rules, I'm blocking:

loader.exe
application_loader.dll
BBWebSLLauncher.dll
ApploaderWebSL-Upgrade.msi
DesktopMgr.exe

There is no way around it now, even if you take yourself off the BES or try to use the web upgrade

They would have to take themselves off the domain, or hack the local admin password, which isn't going to happen.

... or they could remove the IT policy from the device, and then perform the upgrade....

Of course then they would need to re-enterprise activate.

[ekrengel]

Even if they removed the IT policy from the device, I still don't think it would work. The hash rules would block any of the .exe/msi's from running.

[CO_BBTechie]

Quote:

Originally Posted by ekrengel

Even if they removed the IT policy from the device, I still don't think it would work. The hash rules would block any of the .exe/msi's from running.

On their work system yes... but on an unrestricted desktop at home?

[ekrengel]

Yeah...that's where they would get you.

[Frank Castle]

You could always run inventory and send a note to those users that they are on an OS you don't support. Considering the amount of new devices coming out at some poiunt you will have devices with OS 4.5+ so you might want to revisit how often you validate OS versions.