[Sith_Apprentice]

And suspending service doesnt mean crap on a GSM device. All they have to do is unlock it, pop a new SIM in and they can use it all they want.

[John Clark]

In the end, all that is lost is the device if there was a password on it. Just depends on how sensitive the data is.

[AlanM]

Darth, you can bank on the fact that enabling passwords on your devices will increase your BB calls. (if I had a dollar for every password reset request we got a day....) It's a worthwhile price to pay for a little security. We get some complaints, but hey, that's security for you. Our policy is to allow 5 attempts not the default 10 and the device locks every 15 minutes whether you are using it or not. (can't even count the number of times I get a user that can't enter their password correctly, only to find that the BB is requesting them to type "blackberry" first). I wish we got notified as soon as 12 hours after someone losing their BB. Sometimes a user will wait a week to let us know. By that time the BBs battery may have run down. (contemplating suggesting that we add wipe on battery drain option).

All in all the password is your friend on the BB. (as is JL_CMDR).

[Jadey]

Quote:

Originally Posted by DarthBBerry

Not wanting to put them down... but most of my users arent smart enough to figure that out. If it's not in the box, then it doesnt exist for them.

Never underestimate users. They sometimes know more than they let on!

[Jadey]

It's not just data on BBs that need consideration for protection. If you are running enterprise collaboration services (sametime, office messenger or whatever it is called) and/or MDS then the person who stole/found the BB has 2 routes into your network. Last thing you need is someone playing with what data they can get in/out via the BB.

The other major problem for me is identity theft - if someone steals the CEOs BB, the last thing I need is them sending an email to his PA saying "could you fax the next quarter results network to an analyst at +1 303 xxx" etc - in 12 hours you can lose shed loads of data, and it doesn't have to be on the BB - how many people/PAs/other managers would actually query an email from the CEO?

So I lock after a period of inactivity. I also lock after a period of continuous use - if someone deliberately steals the CEOs BB, last thing I need is them keeping it alive for ages by key presses. I can't trust my users to IMMEDIATELY notice someone lifting their device from them in an airport - also, minus the BB, how do they call me if there is no phone nearby? It's all just too risky.

[CanuckBB]

Quote:

Originally Posted by penguin3107

You should really consider enforcing password use on your devices, and set the timeout to a short duration.
It's your responsibility as a BES Administrator.

Actually, it's my responsibility to implement/enforce corporate policy. I can suggest the need for passwords, but if the idea is rejected by those in a higher pay grade, there's nothing I can do.

[wunderbar]

Quote:

Originally Posted by CanuckBB

Actually, it's my responsibility to implement/enforce corporate policy. I can suggest the need for passwords, but if the idea is rejected by those in a higher pay grade, there's nothing I can do.

This.

While I am the administrator, I cannot go above corporate policy, and I cannot just on a whim put a policy in that would affect users without approval. When I first got put into the BB admin role, we did not enforce passwords on our BB's. It took 7 months, but between myself and my IT manager we were able to convince the management team that we need a policy in place to protect the data on the the blackberries. We even had to make some compromises, there is no lock after constant use, but it does lock after 10 minutes of non use.

[juwaack68]

Sounds like I got lucky. When we first started rolling them out and only had 20, I told my manager we needed to have an IT Policy with a password. He said ok, and off I went. At that time, it was all executive management that had the devices (including the company owner) and not once did they complain about the passwords.

I now use that to my advantage when people complain - if the owner of the company doesn't complain, why should they?

[John Clark]

having the device lock while I'm using it would be quite annoying, though.

[wunderbar]

Quote:

Originally Posted by juwaack68

Sounds like I got lucky. When we first started rolling them out and only had 20, I told my manager we needed to have an IT Policy with a password. He said ok, and off I went. At that time, it was all executive management that had the devices (including the company owner) and not once did they complain about the passwords.

I now use that to my advantage when people complain - if the owner of the company doesn't complain, why should they?

Ya, I use that argument now myself. Our company president, after about a day of the policy going in place, decided that that policy was a really good idea, and couldn't' believe that they said no before. It really wasn't as obtrusive as he thought it would be, and he decided it was probably the best idea I could have come up with.

I now tell anyone who complains about it to go talk to the president about it if they don't like it

[Gray_Berry]

When the device is entered incorrect password more than 10x, it will be wiped out. All data on the device will be lost and the user will have to enter a new device password after the wipe process is complete.

Can a BES Admin recover the device password to avoid the wipe out? Yes. with BES 4.1.5, you can issue a new device password and the user won't be prompted to enter the old password (which he/she already forgot). This will work even the Content Protection is enabled in the IT policy.

Hope this helps.

[TreeDude]

Hmm... You guys are making me think I should bring this up to my manager. We currently have no password policy. But then again, up until just a few months ago we were on BES 2.2. I am not even sure that was doable on that. Since I replaced the guy who was admin of the last BES (he did not set it up though, so he didn't know much) I got the great task of upgrading and managing it (with no experience mind you).

But things are great now and I am learning more and more. I set a basic policy on my own berry. Seems ok. Considering 17 of my users are executives, I think maybe passwords are a good idea.

[Jadey]

Quote:

Originally Posted by Gray_Berry

When the device is entered incorrect password more than 10x, it will be wiped out.

Small point, but this number is not always 10. It is whatever is in the policy - and half that value if duress notifications are enabled.

[kerry6]

Quote:

Originally Posted by wunderbar

This.

While I am the administrator, I cannot go above corporate policy, and I cannot just on a whim put a policy in that would affect users without approval. When I first got put into the BB admin role, we did not enforce passwords on our BB's. It took 7 months, but between myself and my IT manager we were able to convince the management team that we need a policy in place to protect the data on the the blackberries. We even had to make some compromises, there is no lock after constant use, but it does lock after 10 minutes of non use.

We have a password policy that matches our IS Security Policy. But set to wipe after 7 incorrect attempts. this works good for me, but you will allways have those NEW users, that will question the password policy when they first receive their devices, and try to make a stink. when you send them to corporate security to justify their wanted change they mostly have second thoughts. better to work the policy out when planning the environment, before deploying your first device.