A closer look at BlackBerry Secure Work Space

By Simon Sage on 8 Aug 2013 03:08 pm EDT

BlackBerry’s app sandbox for BES-connected iPhone and Android devices just went live this summer, and as a follow-up to Talk Mobile Security week, we thought it would be worth getting our hands on the solution and trying it out.

For those unfamiliar, Secure Work Spaces provides a container so that iOS and Android users can securely access corporate calendar, contacts, notes, tasks, intranet browser, documents, and e-mail. It manages to access this content behind the firewall without having to set up a VPN. Much like Balance on a BB10 device, you can’t copy enterprise data out of that container and into personal accounts.  IT administrators can remotely manage this space through the same BES console that’s used to handle BlackBerry devices - this includes deploying other apps that have been tweaked with the secure wrapper.

BlackBerry Secure Workspace for Android

Android and iOS versions of the Secure Work Space are a little different, namely in that the Android version offers quite a few more functions. On both versions, you install apps directly from Google Play or App Store respectively, punch in server address, username, and password information sent from your administrator, and you're just about good to go. Once everything’s installed and set up, Android users map their home button to Secure Work Spaces, which takes them to a new launcher. From there, they can switch back to the personal side either through a stickied toggle in the notification tray, or through one of two home screen widgets. You’ll find all the important apps you need, and if your administrator has pushed any more out, you’ll get a notification to snag those as well. 

One of the core apps you pick up on the personal side will show which apps are required as a part of your company's device policy, as well as other details about you can and can't do on your phone. You'll also be able to get shorcuts to secure mail, messages, and calls on the personal side. Work Space notifications can show up in Android even when the space is closed, which is pretty important for time-sensitive messages. You can get to work content even faster with a dedicated home screen and related widgets. Administrators can lock out plug-ins from being installed in the Work Space browser, which may be a necessity for the security-conscious.

BlackBerry Secure Workspace

IT administrators can access all of the usual stuff from the web console. They can reset passwords, lock devices, register new ones, roll out apps, and tweak policies. Multiple devices show up as separate tabs for each user, along with visible alerts for any policy breaches. In terms of the end-user, there are a few hiccups. For one, the prominently-featured Messaging app indeed lets you send out text messages, but any incoming messages go to the personal side. This makes two-way texting exclusively through Secure Work Spaces pretty much impossible. You’ll occasionally have your tasks interrupted with error messages that you can’t connect to the server. The secure media app has a heck of a time recognizing audio files (despite playing video and images just fine). There are some neat tricks, though. Android blocks you from taking screenshots, for example. On iOS, it will detect if your device is jailbroken and and can block activation. 

That's about it. If you need more information about Secure Work Spaces, hit up BlackBerry's data sheet. Any BES admins using Secure Work Spaces yet? Are there a lot of Android and iOS users at your work who should be BES-managed?

Big ups to our buddy Craig Johnston for hooking us up with a BES testing area.

Reader comments

A closer look at BlackBerry Secure Work Space


Too bad it is inaccessible to the average user. This really annoys me, and I could definitely benefit from the work personal separation, especially if I could set it on a schedule

Tested this and this increases BlackBerry value manifold with its security offerings as compared to Mobile Iron, Good etc., We Rock the Enterprise world!!!

Posted via CB10

Hi Simon,

Thanks for the video! Super interested in this and trying to get our IT to adopt it.

When using SWS, does it feel like the native OS it's on, or do you get more of a "BlackBerry 10" feel? Also, does it exactly emulate Work Space in Balance, or is it missing any functionality?


It feels exactly like Android - I'm sure they used some source code to make it that way, though it might be a bit older. As for Balance, I know you can't copy and paste data from one side to the other. I have a sneaking suspicion that admins can have a bit more access to the Android personal side in terms of remote wipe, but I might be wrong. 


A comparison with other MDM providers would be really interesting and helpful. It is my view that SWS is key to BlackBerry's future. Handset profits will remain skinny into the future and so BES installs are key as BES will be the source of ongoing high margin service revenue. In a heterogeneous handset world, BES will only get installed if it can manage iOS and Android and manage them better than the competition. I know it is early days with SWS, but this product should be superior to the competition because they can lever the NOCs.

This is all theory on my part. Some real world answer would be most helpful. Thanks for your review here. -Sam.

This is awesome work by bbrry... making rapid progress onto bringing out new apps and bes10 software to other platforms... I'm still waiting for BBM yo go live on other platforms....

Sent by Bbry Z10

Strictly bb at our work. Still os7 but they will be changed in the near future!

Love my Z10! ( sorry just felt like saying that )

Posted via CB10

There are so many legacy BlackBerry phones still in corporate use today. Few companies have upgraded as it is a major cost and companies, especially larger ones will adventually. We just had 2 service personal from xerox in the office recently. They all sport the legacy devices. They hope they get upgraded to the new bb10 soon. It will take time but this platform will succeed!

Where's my FULL BRIDGE Mr. Heins? Please return it!

BES didn't work with iOS or Android...ever until now.

Companies had to have two parallel solutions: BES and MDM/Container (like AirWatch or MobileIron)

As a consumer - no BlackBerry(s) at work apart from the odd legacy device floating around - I wish things like balance could be transitioned over for consumer use.

I would love being able to have profiles for the phone, and secure sections that could be locked off.

These advancements are fantastic - but the financial institutions, that consult me, are apathetic to BlackBerry and not a one is interested - these features should be attractive... I don't know what it is. probably ignorance or simply getting a better deal (or free) devices and infrastructure elsewhere.

That said, good on BlackBerry for moving forward. Some good news stories today!

Posted via CB10 on my BlackBerry Q10

The company I work at was exclusively BlackBerry, but went BYOD a while ago. However we are implementing BES10. It's been unfortunately slow, so while I do have a Z10, it's just a WiFi device as I refuse to pay for two data plans. I am told it will be "soon"...

Posted via CB10

Does anyone know if this provides a similar functionality for Android/iOS that comes with "Blackberry Work Drives" for the BB10? In other words, is there a "Work Drives" app that can be installed on Android/iOS once a device is activated on the BES10 server?

Simon ... EXCELLENT JOURNALISM as always! A shinning light to CrackBerry staff. Keep up the good work.

Craig ... big shouts to the web BES10 administration setup.

Is that a Z30 in the picture? I know it's a long shot, but it sort of looks like it given the position of the camera and the speaker.

Posted via CB10

BES10 looks like the only solution for company's, major corp's, government etc. BES10 paired with BlackBerry 10 devices is not only awesome, its the best hands down.
"November 8, 2012"
"Pacific Crest Securities analyst reckons RIM’s BlackBerry 10 will be dead on arrival" REALLY??? LOL

We've had BES 10 in for a while now and I was asked to do a BYOD proof of concept in July.

So, I duly updated to 10.1.1 and tested the BES 10 BYOD offering alongside Good and DME.

On the IOS it works pretty well and ticks all the boxes except work drives. The Android experience (which supports work drives) was a bit of a nightmare to be honest.

However, even though I love BlackBerry and have been using it for years we won't be using BlackBerry BYOD. The main reason... it needs a very invasive MDM profile to loaded onto a device. our users don't want ANY type of MDM profile on their personal device...so Good is probably going to prevail this time.

However I'm expecting BES 10 to mature and now they are offering free licenses with every V10 device purchased we will have a chance to continue playing & developing it as we continue to expand the v10 estate.

So...watch this space!!

Posted via CB10

although I have to agree with the SWS being intrusive but you absolutely do not need the SWS to manage IOS and Android. The non SWS portion for non BB device are usually suffice for a lot of companies. I haven't tried the latest version of GOOD since we dumped it in 2007. How is it now?

@ Trippin: >> but you absolutely do not need the SWS to manage IOS and Android

How does one manage iOS and Android via a BES10 w/o SWS? Confused....

in the UDS part of bes 10.x you can manage certain things via policy with out SWS. that why bbry offeres 2 type of licenses for UDS android/ios devices. the regular client and the sws. . of course the sws cost more.

Apologies for the ignorance, but what does SWS give you that UDS does not?

Also, and I asked this elsewhere but I think it gets to the point: a mate of mine is offering iOS and BB10 to employees. iOS will be secured by Good. BB10 is straight ActiveSync to the server. Two questions: what does this say about the "iissues" with BES10? And what does this say about the deficiencies of iOS? The former because apparently it was not worth the hassle/cost of installing BES10 and the latter question because iOS is not sufficiently secure to connect straight to the server and requires Good (at $200/yr) to complete the solution?

Thanks for your feedback here

the BES10.1 UDS w/o sws still offers security and policies. depending on the compliance you configure, if your ios or android device is not up to compliance, it's detected and the admin can take action. it'll also detect rooted android or jail broken IOS devices. the big difference between is that sws acts as blackberry balance. SWS is basically an option for UDS. IMO it is still cheaper than good to have bes10 with the cheaper cals vs. good. at least the last time I did a comparison. also, at least with bes10 you can manage both devices.

Trippin' -- Thanks much. I am not quite sure how UDS can secure email without a containerized email app. I understand how you can manage an iOS/Android app with UDS. But how does one get secure email? Or is that done straight via ActiveSync encryption?

I appreciate all your guys feedback. Thanks & Best --Sam.

So... your users want to use their own devices but basically want no restrictions? Ideally yea but... either get a BB10 phone or deal with the fact that to be secure it has to be restrictive.

Posted via CB10

So you allow users to have all sensitive data on their phones without any restrictions or protection? Wow, I wouldn't like to be a customer of that company.

Posted via CB10

Why was SWS on Android a "bit of a nightmare"?

Could you clarify the differences between Good and BES when it comes to "invasive MDM profiles"?

I am sure work drives will be rolled out on iOS sometime soon.

'Preciate your feedback. Thanks - Sam.

We are all in on BES10 as the Secure Work Space for iOS was a difference maker in our final MDM decision, and 3 year road map.

Posted via CB on a Q10

@martindub -- How do you find performance w/ iOS? How is battery life? How laggy is email delivery? Have you used competing container apps? If so, how do they compare? Thanks -Sam.

I just started my first business, this will definitely be the Enterprise Server I use, will I need to pay for it, I plan to manage it myself in the beginning .... how much will it set me back?

App Store not App World :p

I'm guessing more functions on Android due it being more open to what developers are allowed to do on the OS?

Posted via CB10

I'm dome watching these videos on Crackberry, the people talk to fast and it's too hard to follow all the swiping motions. It's the same way on Youtube, and if they make a mistake they go back and reswipe something else and so right now it's a confusing muddled mess in my head. Like an ice cream headache with out the ice cream.
So, here's a suggestion: Eliminate the people talking and just show us the functions as in those leaked tutorial videos the other day, it simply showed a green arrow and was easy to follow. Keep It Simple Stupid as they say.

I didn't say that we won't have security on the mobile device. I said they didn't want an intrusive MDM profile loading and there is NO WAY to deploy the app without the MDM, I got that information from BlackBerry themselves when testing.

Good deploys a secure APP without the requirement of any MDM profiles (as does DME). They both use a sandbox approach to secure mobile email. The company has control over the data in the APP and nothing else.

The Blackberry solution when tested was lethargic compared to both the others as well as needing the heavy MDM profile
In short it didn't compare well against the other two being tested.

To answer question about Good, it has grown up in the last 12 months and is a decent product now... but I'm hoping that as BlackBerry matures that we will be using BES10 in the future.

In my opinion deploying MDM profiles with the ability to wipe a device or take personal data off the device is a law suit just waiting to happen.

Posted via CB10

Thanks for your reply.

First, what is wrong from a u/x perspective, with a "MDM profile" on your phone? I have never had one so I wouldn't know. But how does this cramp your style, so to speak.

You say Good is pretty good. The reviews belie this. See here: https://play.google.com/store/apps/details?id=com.good.android.gfe&hl=en iOS reviews not that much better. Example: "My blackberry was better It could only do what this app does but it did it reliably. The sync is quite often off and this app takes no advantage of any feature my hardware has to offer. Come on Good skip the Bad and hook on to the nextgen app quality." Are these people just griping? Others have told me first hand that they can't stand good. Logs you out all the time. Notifications laggy. Big battery suck. Yes, no?

I understand SWS is early stages and rough at edges, but I would think that the potential here is substantial if only because BB does not require a VPN and the NOCs handle IP allocation, etc. Shouldn't this, at least theoretically, be better for battery usage and crisper email delivery?

Maybe I am groping, but any light shed most appreciated. Thanks very much. -Sam


An MDM profile from a company has the 'potential ' to allow the company to delete personal data from a users phone. In addition to this it could 'potentially ' allow the company to snoop on their employees by pulling off GPS logs, browsing history, phone records, etc.

Good also uses a NOC which handles the connections to the mobile devices almost identical to BlackBerry... in fact it only uses a single server like the BES.

We had the latest version if Good and it performed perfectly. BlackBerry didn't.


Posted via CB10


Thanks for this.

BB has told me that they can't touch the personal side. Are they lying?

And not to pick an argument, but rather to reconcile the disparate views I am hearing, Good's NOCs do not have the same functionality as BB's NOCs do. As I understand it (expert at table 4, please!!??), BB's NOCs handle IP address allocation issues whereas Good's NOCs use the mobile provider IP stack. This means a handset on Good must be constantly negotiating with the NOCs while BB can maintain an "always on" state and go to sleep until a message comes in. This, in turn means Good logs you out to preserve battery life and when email comes in, you don't get a notification. I have heard this from two different people in two different orgs. Yes? No?

I have no doubt that Good has a more polished product -- they've been at it more a lot longer. I am more interested in the potential. We've seen how far BB10 has come since 10.0 to 10.2. Apply this trajectory to SWS and where are they?

Again, look at the user feedback. No one seems happy with **any** of the MDM solutions. I would like to think this is BB market to lose.

Thanks again --Sam.

Anyone notice that BlackBerry has removed it from the Google Play marketplace? the only "Blackberry" apps available there now are fake BBM apps.

Hi everybody!
I'm new here at CrackBerry. First of all I wanna congrat CB for this great platform an the up to date BlackBerry news we all get everyday here and on other social networks.

We use BlackBerry since the beginning in our company. I've implemented bes10 one month ago and are still testing out the new amazing Z10. God, I love this phone!!! But we want also to integrate iOS and Android devices with the secure work space. Does anybody know when Lotus Domino will be supported? I've heard it will be anytime in November this year.

Greatings from austria.