Everything you need to know about BlackBerry Enterprise Server 10

By Craig Johnston on 27 Sep 2013 11:21 am EDT

BlackBerry Enterprise Server (BES) 10.1.1 is the latest version of BlackBerry's (formerly Research In Motion's) enterprise software, a single solution for managing and securing BlackBerry PlayBook, BlackBerry 10, iOS, and Android devices.

If you still have older BlackBerry devices running BlackBerry OS 7 or earlier, you will still need to keep and maintain a separate BES5 infrastructure, because BES10 manages only the devices listed above.

BES 10.1.1 is not perfect, and it is more complicated to set up than it should be, but it does appear to do what it says it will. Let's take a look.

Architecture

BES 10.1.1 (or as we'll call it from now on, BES10) is actually three servers in one package, designed to be installed together on one physical (or virtual) server, or split across separate servers if desired.

There is the BlackBerry Device Service (BDS), which only supports BlackBerry PlayBook and BB10 devices; the Universal Device Service (UDS), which only supports iOS and Android devices; and the BlackBerry Management Studio, which provides a limited unified management console over both services. In addition to the Management Studio there are separate web consoles for the BDS and the UDS, so there are really three management consoles: two IT consoles and one "helpdesk" console.

Through some intense port juggling, BlackBerry has managed to let all of these services coexist, so if you want to, you can run BES10 on a single server.

In the old BES5 days, all BES5 servers connected to a single SQL database that provided a central storage repository for users, servers, and configurations.  This is known as the BES5 Domain. In fact if you want to learn more about BES5 and how it works, see my previous article on CrackBerry titled “BlackBerry Enterprise Server – What Is It?”.

BES5 also used a proprietary protocol and methodology to synchronize email, contacts, and calendar between your mail server and your BlackBerry.

BES10 does not share that BES5 configuration database and therefore cannot be in the same BlackBerry Domain as BES5 servers. When installing BES10, two new databases are created to support the BDS and UDS services. While you can use the same physical SQL server, these are new and separate databases.

BES10 does not use a proprietary protocol to synchronize email, contacts, and calendar. Instead it acts as a proxy for the Exchange ActiveSync (EAS) protocol that is built into Microsoft Exchange and is provided by gateways like Lotus Traveler if you are using Lotus Domino/Notes. ActiveSync is designed for mobile device synchronization and is not the burden on Exchange that the old BES5 synchronization process was.
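Because BES10 sits in the ActiveSync path rather than replacing it, the one thing an EAS-aware proxy can add that Exchange alone does not is a gate on which devices reach the mailbox at all. The following is an added example, not BlackBerry's code, of that gating logic: it parses the query string that every EAS request carries (Cmd, User, DeviceId, DeviceType, per the plain-text form of the protocol) and forwards only requests from devices that appear in an enrolment table. The enrolment table and request lines are constructed for the example; the base64-encoded query form that newer EAS clients can use is not handled here.

```python
"""Device gating as an ActiveSync-aware proxy would perform it.

Added example, not BlackBerry code. It inspects the query string that every
Exchange ActiveSync (EAS) request carries and forwards a request only when the
DeviceId is on the enrolment list and was activated for the user presenting it.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed enrolment table (not real data): device ID -> user it was activated for.
ENROLLED = {
    "ANDROIDC1A2B3": "jsmith",
    "APPLF4E5D6C7": "mchen",
}


def parse_eas_request(request_line: str) -> dict:
    """Split an HTTP request line into method, path and the EAS identity fields.

    A typical EAS request line looks like:
      POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jsmith&DeviceId=ANDROIDC1A2B3&DeviceType=Android HTTP/1.1
    Parameter names are normalised to lower case because clients vary in casing.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "method": method,
        "path": parts.path,
        "cmd": params.get("cmd"),
        "user": params.get("user"),
        "device_id": params.get("deviceid"),
        "device_type": params.get("devicetype"),
    }


def normalise_user(raw: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare account name, lower-cased."""
    return raw.split("\\")[-1].split("@")[0].lower()


def decide(request_line: str, enrolled: dict = ENROLLED) -> str:
    """Return 'forward' or 'block' for one request line."""
    req = parse_eas_request(request_line)
    if req["path"].lower() != "/microsoft-server-activesync":
        return "block"            # the proxy exposes the EAS endpoint and nothing else
    if req["method"] == "OPTIONS":
        return "forward"          # capability probe: carries no DeviceId, reveals no mail data
    device = req["device_id"]
    if device is None or device not in enrolled:
        return "block"            # unknown or unenrolled device
    if enrolled[device] != normalise_user(req["user"] or ""):
        return "block"            # enrolled device, but presenting another user's credentials
    return "forward"


if __name__ == "__main__":
    # Constructed sample traffic; only the first and fourth lines should pass.
    for line in [
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jsmith&DeviceId=ANDROIDC1A2B3&DeviceType=Android HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jsmith&DeviceId=UNKNOWN123&DeviceType=iPhone HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=corp%5Cjsmith&DeviceId=APPLF4E5D6C7&DeviceType=iPhone HTTP/1.1",
        "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1",
        "GET /owa/ HTTP/1.1",
    ]:
        print(decide(line), line)
```

The check that the DeviceId was activated for the user presenting it is the part that matters: a leaked DeviceId is useless to an attacker who only has a different user's password, and a stolen password is useless without an enrolled device, which is exactly the property the BES activation step is meant to provide.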

BES10 offers two methods of connecting to and managing iOS and Android devices. The first uses the "classic" Mobile Device Management (MDM) approach, which gives IT control over the whole device, much as BES5 did. How much of an IT Policy actually takes effect, however, is limited by the platform it is applied to: iOS is far more enterprise friendly, exposing many ways of controlling, restricting, and configuring iPhones and iPads through an MDM solution (like BES10), while stock Android offers extremely limited control, as can be seen in the chart below.

The second uses a secure container on the device to apply IT Policies uniformly across iOS and Android, and to give work data extra protection if the device itself is compromised. This model is also known as Dual Persona because the device has two personalities, one personal and one for work. In essence the container is a single app that runs on the device and presents what appear to be separate apps for mail, contacts, and calendar, but which are really "mini-apps" inside the main app. Because the app owns its own data store it can secure and control that store itself, which is how it provides a secure container for work data.

For BlackBerry PlayBook and BB10 devices managed via the BDS, a hybrid of full device control and a container is implemented as BlackBerry Balance.

BlackBerry Balance keeps work and personal data separate on the device, but it does so at the file system level rather than in a separate app, so the user continues to use the same built-in apps for both personal and work data.

BES 10 Setup on iOS and Android Mobile Devices

To set up BES10 on your iOS or Android device you must first install the BES10 Client app, which you can find in the iTunes App Store or the Google Play Store.

If you are using Android, you must also install the TouchDown app by NitroDesk (I used TouchDown HD because I was testing on a Google Nexus 10 tablet). You need TouchDown because stock Android provides no way to remotely pre-configure an Exchange account and ships no email client that an MDM can secure; TouchDown provides both, and BES10 supports it.

When you launch the client you start by entering a secure URL on bbsecure.com plus your BES10's SRP ID. The hostname is region specific; since I'm in the US I used us.bbsecure.com.


iOS / Android screenshots

Next you are prompted to accept the certificate that will secure communications between your device and BES10. This is the moment to check that the certificate (subject name and thumbprint) is the one your administrator published: accepting an unexpected certificate here would hand the rest of the enrolment, including the directory credentials you type next, to whoever presented it.


iOS / Android screenshots

Next you are asked to provide your Active Directory user name and password.


iOS / Android screenshots

The next steps are slightly different between iOS and Android.

On iOS you are asked to install an MDM Profile, a mechanism designed by Apple to ensure that your iOS device is controlled only by a verified MDM vendor and that it really is your company that wants to manage your device. (Please ignore the "Not Verified" notation in this screenshot; it was taken in a lab environment. In the real world you would not want to accept an unverified profile.)


iOS MDM Profile Acceptance

On Android you are asked to allow the BES10 client to become a Device Administrator, which is what lets your company exercise control over the device.


Android Device Administrator Detail screen

Next, the BES10 client pre-configures the device to connect to your company's email system. On Android it launches and pre-configures the TouchDown app and asks you to type in your network password; on iOS it creates a new Exchange account on the device and asks for the same password.


iOS / Android screenshots

Once this setup is complete, your iOS or Android device is under your company's control via the BES10 client, and you have access to your company email, contacts, and calendar.

Company Apps

Once your iOS or Android device is under the control of BES10, your administrator can require that you install apps. Today, unlike BES5 with BBOS7 and earlier, your administrator cannot silently install apps on your device (although iOS 7 does provide an API to do just that, so hopefully BES10 will be updated to support it). Instead you are asked to install the app, and if you don't comply your administrator can block your device or take other actions to force the issue.

The apps can be publicly available apps in the iTunes App Store or Google Play, but they can also be apps created by your company to access company data or interact with company systems.

Your administrator can also simply make apps available for you to install at will and you will find those apps on your device under the Work Apps tab in the BES10 client.


iOS / Android screenshots

If an app is required you will be notified on your device.


iOS / Android screenshots

BES 10 Secure Work Space Setup on the Mobile Devices

Secure Work Space works differently from the regular BES10 MDM client: it provides a secure container, or second persona, that holds all of your work email, contacts, and calendar. Using Secure Work Space means that your IT department controls only what is inside the container, not the device itself. Companies that adopt a BYOD policy may find this approach friendlier to users.

The setup of Secure Work Space follows the same steps outlined earlier, but instead of the BES10 client applying IT Policies to your device and setting up an Exchange email account, you are asked to install a few extra apps:

  • BES10 MGR (Android only)
  • Work Connect
  • DocsToGo

On Android, BES10 MGR manages the transition between the personal and work personas. Work Connect is the actual secure container, while DocsToGo is a special build of Documents To Go designed to work with Work Connect so that email attachments stay inside the container when opened on your device. As of this writing, the special DocsToGo for iOS was not yet available in the iTunes App Store, so it would not install.

BES 10 Setup on PlayBook and BB10 Devices

Setting up BES10 on a BlackBerry PlayBook and/or BB10 device (such as a Z10) is less a setup than simply using the built-in BlackBerry OS functionality to activate the device against the BES.

In the Accounts screen you start by adding a new Work Account. Notice that you are able to add a standard Microsoft ActiveSync account too, which would allow you to activate your PlayBook or BB10 device against a standard Exchange server running ActiveSync in an environment with no BlackBerry servers installed at all.

That approach, however, would not give you the extra security that BES10 provides.

Next you type in your email address as your user ID, your Active Directory password, and the SRP ID of your BES10 server.

This activation information will be provided by your BlackBerry administrator or automatically emailed to you when you are added to the BES.  As you can see it is identical to the old BES5/BBOS7 activation process.

If the activation is successful, your device will be configured as per the IT Policy and Software Configurations that have been applied to you.

Setting Up And Configuring BES10

The initial setup of BES10 seems overly complicated and hiccups were common, but I can say that BlackBerry support was outstanding in helping me resolve the setup issues. Once BES10 is up it is relatively easy to manage and configure, bearing in mind that you are really setting up two services, BDS and UDS, rather than one unified BES as in the BES5 days.

Setting up BlackBerry Device Service (BDS)

BDS is the service that manages BlackBerry PlayBook and BB10 devices.  BDS cannot manage older BlackBerry devices.

Let's look at some of the key settings.

Connections To Directory And Email

BES10 can integrate with Microsoft Exchange and with Lotus Domino (as long as it runs the Traveler gateway). In my lab I'm using Microsoft Exchange, so I first had to set up a connection to Active Directory.



You can provide just the basics (the domain, a user name and a password), or you can refine the connection by providing an LDAP search filter if you want the BES to look only at a certain part of your directory tree, and by changing the object and attribute mappings between your company directory and the objects BES10 uses if you don't use the default schema. The account you give it should be a dedicated service account with no more than read access to the directory; there is no reason to use a domain administrator here.

Next you need to set up a connection to the mail server or gateway. In my case, since I'm using Exchange, I set up an Exchange profile.
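The search filter is also where you decide which accounts can be activated against the BES at all. The following added example (not BlackBerry's code; the group DN is made up) builds the kind of filter an admin would paste into the directory connection: it restricts the user set to one AD group, excludes computer accounts (which AD also stores as objectClass=user) and disabled accounts, and escapes the DN per RFC 4515 so that a group name containing "(" or "*" cannot change what the filter matches. The bare `(objectClass=user)` that most people start with is the permissive setting it improves on.

```python
"""Scoped LDAP search filter for a directory-connected MDM such as BES10.

Added example, not BlackBerry's code. The group DN passed in is an assumption;
substitute your own. The two constants are Active Directory's bitwise-AND
matching rule OID and the ACCOUNTDISABLE bit of userAccountControl.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                         # userAccountControl flag for a disabled account


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\":
            out.append("\\%02x" % ord(ch))     # e.g. '(' -> '\28'
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def permissive_user_filter() -> str:
    """The default most installs start with: every user object, including computers and disabled users."""
    return "(objectClass=user)"


def scoped_user_filter(group_dn: str, exclude_disabled: bool = True) -> str:
    """Users who are people, members of group_dn and (optionally) not disabled."""
    clauses = [
        "(objectClass=user)",
        "(objectCategory=person)",            # computer accounts are objectClass=user too; this drops them
        "(memberOf=%s)" % escape_filter_value(group_dn),
    ]
    if exclude_disabled:
        # bitwise AND of userAccountControl with ACCOUNTDISABLE, negated
        clauses.append("(!(userAccountControl:%s:=%d))" % (BIT_AND_RULE, ACCOUNTDISABLE))
    return "(&%s)" % "".join(clauses)


if __name__ == "__main__":
    # Assumed group; not a real directory.
    print(scoped_user_filter("CN=BES10 Users,OU=Groups,DC=example,DC=com"))
```

Note that `memberOf` only sees direct membership; nested groups need the chain-matching rule (`memberOf:1.2.840.113556.1.4.1941:=...`) in place of the plain attribute, at some cost in directory query time.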


Exchange Email Profile

Notice that you can specify settings such as whether to allow synchronization of certain data types and whether to allow S/MIME email.

IT Policy

Once you have your connectivity setup to your environment, you can move on to managing your IT Policies.

Similar to BES5 with BBOS7 and earlier, BES10 allows very granular control over BB10 and PlayBook devices. This includes control over NFC, Wi-Fi, camera, HDMI, Bluetooth and its parameters, password enforcement and complexity, forced logging of BBM, call logs, and SMS messages, and other hardware and software settings.

Work Apps

Once a PlayBook or BB10 device is activated on a BES10, the administrator can provide BlackBerry World apps and/or internally built apps to the user.

Those familiar with BES5 will feel right at home here. As with BES5, you provide a network share where the BES stores the apps, and then you create Software Configurations to group the apps together.

Those Software Configurations can be assigned to individual users or groups (more common).  Your Software Configurations can include in-house apps built by your company and apps already available in the BlackBerry World app store.

Those assigned apps will show up in the Work tab of BlackBerry World on the PlayBook and BB10 devices.

Setting up Universal Device Service (UDS)

UDS is the service that manages iOS (iPhone, iPod Touch, iPad) and Android devices.

Let's look at some of the key settings.

Connections To Directory And Email

BES10 can integrate with Microsoft Exchange and with Lotus Domino (as long as it runs the Traveler gateway). In my lab I'm using Microsoft Exchange, so I first had to set up a connection to Active Directory.

You can choose to use Windows single sign-on, which grants console access without entering your AD login and password on the sign-on screen.

Next you need to set up a connection to the mail server or gateway. In my case, since I'm using Exchange, I set up an Exchange profile.

Notice that you can use Exchange Web Services if you have iOS devices using Secure Work Space.

Apple Push Notification Service (APNS) Setup

To manage iOS devices and push commands to them, Apple provides a free push notification network, APNS. Before an MDM service (like BES10) can use APNS to manage devices, it must register with Apple and obtain an MDM push certificate. Once that certificate is installed, you can enroll and manage iOS devices.

The BES10 admin console walks you through all of the steps except the final (and most important) one: importing that certificate into Windows. You'll have to dig around on forums to figure that out, which is disappointing, but once it is done you are ready. Two things worth knowing before you start: the certificate Apple returns is only usable together with the private key that generated the certificate request, so keep them paired when you import; and the certificate expires after a year, and must be renewed under the same Apple ID, otherwise the push topic changes and every enrolled iOS device has to be re-enrolled.

Once you have your connectivity setup to your environment, you can move on to managing your IT Policies.

IT Policy

There are two types of IT Policy. One is for iOS and Android devices enrolled as regular MDM-controlled devices; the second is specifically for iOS and Android devices that enroll to use Secure Work Space.

Let's start with the regular MDM IT Policy. As mentioned before, IT Policies are only as effective as the mobile OS they are applied to. BES10 does not support Samsung's enterprise extensions to Android (Samsung SAFE), which add iOS-like management features; BES10 supports only stock Android.

As you create your IT Policy, you can see which mobile OS (iOS and/or Android) will honour each setting, and which version of iOS or Android is needed to support it.

The Work Space IT Policy controls not only how a user gains access to the Secure Work Space, but also whether data can be shared between the container and the rest of the device.

On Android devices you can also decide whether personal apps may access data stored in the Work Space, and prevent the user from installing browser plug-ins in the Work Space web browser.

Work Apps

Once an iOS or Android device is activated on a BES10, the administrator can provide iTunes App Store or Google Play apps and/or internally built apps to the user.

You can also place Secure Apps into a Software Configuration. A Secure App is one that has been "wrapped" by the BES server so that its data is protected and it only works inside the Secure Work Space.

Compliance Profile

A Compliance Profile is a set of rules that check for compliance issues, such as whether a required app is installed or whether the device is jailbroken or rooted, and that take an action when a rule is broken.

For example, you may set a rule that if an iOS device is found to be jailbroken, the BES10 client immediately wipes the entire device, or just the work data, depending on how aggressive your IT administrator wants to be.
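To make the rule-plus-action idea concrete, here is an added example (not BlackBerry's implementation; the device records, rule names and action names are all constructed for it) of how a compliance profile is evaluated. Each rule inspects the inventory a device reports at check-in and names an action; when several rules fire the harshest action wins, and a rule can carry a grace period so that a missing app only warns for a few days while a jailbroken or rooted device is acted on at once. Two profiles are shown, because the wipe-the-device versus wipe-the-work-data choice the paragraph describes is really the difference between a corporate-owned and a BYOD profile.

```python
"""Evaluation of an MDM compliance profile against a device inventory record.

Added example, not BlackBerry's code. Device records, rule names and action
names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Actions in increasing severity; the index is used to pick the harshest.
ACTIONS = ["notify", "block_work_access", "wipe_work_data", "wipe_device"]


@dataclass
class Device:
    os: str                          # "ios" or "android"
    os_version: tuple                # e.g. (6, 1, 3); tuples compare element-wise
    jailbroken_or_rooted: bool       # as detected and reported by the MDM client
    installed_apps: set
    days_out_of_compliance: int = 0  # tracked server-side across check-ins


@dataclass
class Rule:
    name: str
    violated: Callable[[Device], bool]
    action: str
    grace_days: int = 0              # the action applies only after this many days


def severity(action: str) -> int:
    return ACTIONS.index(action)


def evaluate(device: Device, rules: List[Rule]) -> Optional[str]:
    """Return the single action to take, or None when the device is compliant."""
    chosen = None
    for rule in rules:
        if not rule.violated(device):
            continue
        action = rule.action
        if device.days_out_of_compliance < rule.grace_days:
            action = "notify"        # still inside the grace period: warn only
        if chosen is None or severity(action) > severity(chosen):
            chosen = action
    return chosen


def byod_rules(required_apps: set, min_ios: tuple) -> List[Rule]:
    """BYOD profile: protect work data, never wipe the user's personal device."""
    return [
        Rule("jailbroken or rooted", lambda d: d.jailbroken_or_rooted, "wipe_work_data"),
        Rule("required app missing",
             lambda d: not required_apps <= d.installed_apps, "block_work_access", grace_days=3),
        Rule("iOS below minimum",
             lambda d: d.os == "ios" and d.os_version < min_ios, "block_work_access"),
    ]


def corporate_rules(required_apps: set, min_ios: tuple) -> List[Rule]:
    """Same checks for a company-owned device, where a compromised device is wiped in full."""
    rules = byod_rules(required_apps, min_ios)
    rules[0] = Rule("jailbroken or rooted", lambda d: d.jailbroken_or_rooted, "wipe_device")
    return rules


if __name__ == "__main__":
    # Constructed check-in: a jailbroken iPhone with the container app installed.
    phone = Device("ios", (6, 1, 3), True, {"Work Connect"})
    print("BYOD:", evaluate(phone, byod_rules({"Work Connect"}, (6, 0))))
    print("corporate:", evaluate(phone, corporate_rules({"Work Connect"}, (6, 0))))
```

The grace period is worth the extra field: a wipe rule with no delay is what turns a client-side false positive (a jailbreak detector tripping on an unusual but legitimate build) into a user-visible incident, whereas the jailbreak rule here deliberately has none because the data exposure is immediate.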


 

Managing BES10

BES10 provides several management consoles, appropriate for the help desk and for different levels of IT staff.

The Management Studio is a console that provides access to simple management functions for a help desk. Its Dashboard is also well designed and, as CrackBerry forum user Xayinn puts it, perfect for copy/pasting pie charts for management.

This console also lets you manage your licensing.

One noticeable thing is that all of the consoles show pixel-perfect images of BlackBerry devices, but as soon as you click through to a non-BlackBerry device you see only a vague grey representation of a Galaxy Nexus. The device database also cannot seem to recognise many device types, and you see "Unknown Device" many times, as noted by CrackBerry forum user Xayinn.

I know this doesn't affect functionality, but it suggests the product was rushed to market; some may also see it as BlackBerry almost begrudgingly providing this support and visually showing which platform matters more to them.

How Does BES10 Compare To Other Solutions

BlackBerry BES10 contains functionality to support BlackBerry PlayBook and BB10 devices using the BDS, as well as Android and iOS devices using the UDS.

If your company has decided to support and/or migrate to BlackBerry PlayBook and BB10 then BES10 is the only game in town. BES10 is required if you need to support these devices.

If you plan to migrate to iOS and/or Android devices then you could opt for BES10, since it supports those two mobile operating systems, or you have a choice of many other MDM solutions on the market that are much more mature than BES10, including MobileIron, AirWatch, MaaS360, Good Technology, Enterproid, etc.

Many of these other MDM solutions support a much broader set of devices including Windows Phone, Windows Mobile, Symbian, BlackBerry (including BB10), and even Apple Macintosh (Mac) computers as more companies embrace BYOD and allow Apple Mac desktops and laptops.

Many MDM vendors support Samsung’s security model (S.A.F.E) that emulates Apple’s model by providing many extra APIs to control and configure certain Samsung models.

Some of these solutions provide a way to actually manage BlackBerry PlayBook and BB10 devices by interfacing to your BES10 using APIs.

Current BES5 CALs are apparently transferable to BES10 until December 2013 if you are a current BlackBerry customer, which is a good move by BlackBerry, but only if you are migrating the user from an older BlackBerry to a new BB10 device. If the user is migrating from an old BlackBerry to an iOS or Android device then a new license must be purchased.

Read more about the trade up program here.

Recently BlackBerry reduced the price of the EMM Corporate license (regular MDM-type management of PlayBook, BB10, iOS, and Android) to $19 per device per year. The EMM Secure Work Space license (the secure container on iOS and Android) is $99 per device per year.

The problem here is that most other MDM/Dual Persona vendors charge around $5 per user per month (about $60 per user per year). All of them offer fully cloud-hosted solutions, so no on-premise servers are needed, which reduces the cost even further. Notice too that the non-BlackBerry vendors use a per-user pricing model, so a user with more than one device pays the same.

BlackBerry is apparently conducting trials of BES10 in the cloud but so far it is not an official product.

Dual Persona/Containerization

BES10's support for iOS and Android includes an optional Dual Persona (aka containerization) approach to accessing company assets, which BlackBerry calls Secure Work Space. Your email, contacts, and calendar are available only inside the secure container, while company apps are wrapped so that IT can secure them.


BlackBerry Dual Persona on iOS – Work Connect

BlackBerry Dual Persona on Android – Work Connect

Divide Dual Persona on iOS

Divide Dual Persona on Android
 

The company that has been doing this longest is Good Technology. They started out as a “BlackBerry clone” with their own Good G100 “BlackBerry look-alike” device but later moved into building a Dual Persona approach with the Good client being available for many different mobile devices.

Like BlackBerry's, the Good secure container routes data via the vendor's NOC and requires company servers to be installed on-premise, but Good also uses a proprietary protocol to synchronize data.

Other vendors, like Enterproid with its Divide container, use out-of-the-box ActiveSync and offer a 100% cloud approach.

BlackBerry's secure container is a good first stab and compares favourably with products like Divide. BlackBerry relies on plain ActiveSync, but still routes the data via the BlackBerry (RIM) NOC.

Conclusion

BES 10.1 is not a top-of-the-line solution; it has some issues and shows evidence of being rushed to market, but it is OK. RIM/BlackBerry acquired Ubitexx (which became Mobile Fusion and then BES10) back in 2011, so it is odd that it has taken this long to bring BES 10.1 out, which is why I'm being a little harsh about an incomplete solution.

If you plan to support Windows Phone, Symbian, or Apple Macs then BES10 doesn't look as attractive, mainly because it doesn't support those device types.
You could go with a hybrid approach: buy BES10 and licenses for your BB10 and PlayBook users, and a second MDM solution like MobileIron or AirWatch to manage all of the other devices and front-end the BES10 console.

If you plan to use Secure Work Space on iOS and Android, then other, more mature Dual Persona solutions are already out there, are cloud-based, and cost $5 per user per month, or $60 per user per year.

I think at the end of the day, BlackBerry has provided a decent on-premise MDM/Dual Persona solution for those clients who are migrating from BES5/BBOS7 to an environment where their users will have BB10, PlayBook, iOS, and Android devices.

The pricing is a little out of whack, though: while regular MDM-type management costs $19 per device per year, once you start using Secure Work Space it will set you back $99 per device per year.

I encourage you to comment on this post and let me know if you need any clarification on any aspect of the information, or need more information on a specific area.

Reader comments

117 Comments

Nice write up!! We were all set up with UDS, we tested a few iPhones and Androids but in the end, it's too complicated, users do not understand all this work vs personal stuff and they don't care. Also, you need $$ additional licenses and Touchdown is not free either.

We tried Meraki, which is free for our iPhones, and so far so good.

We've tested it alongside AirWatch, MaaS360, Sophos, and MobileIron. So far MobileIron seems to be the best solution which offers the VPN-like features that BES offers. We've since removed BES10 from our network and replaced all BB10 devices with Windows Phones. We still have 65% of our user base using the Bold 9900 and BES5.

I was looking forward to locking down A/S from the outside and having all my devices, BB10, iOS, and Android, use the secure work space connection for email. However, they lost me at $99 per device per year.
I was told by our reseller the $99 work space license was also in addition to the regular CAL needed. This may or may not be true.

Good question:
$99 is a suggested retail price as I understand it and you may be able to get better pricing if you find another seller, and you don't need a regular CAL plus this one.

Nice article. Too bad my company chose SAP Afaria over BES, they were worried about email going out of the country and being stored on a temporary server.

Great write-up. Might be worth mentioning some great additions that can make BES10 really stand out. The two of note are Work Drives - This allows the user access to network shares using the BES10 as a proxy. This works really well. The second is Enterprise IM - This extends your Microsoft Lync deployment onto the BB10 device, again using the BES10 server as a proxy. So if you have a Microsoft Lync server as well this is a great addition, especially as it meant I didn't need to install an edge server for my Lync deployment.

It is but the functionality is just the same as 10.1.1, I think it's just a change to the installer with 10.1.2 ?.

10.1.2 was released to address some bad installation and upgrade bugs, it doesn't have new features. The install and upgrade bugs were so many, varied and destructive that they had to focus on improving the situation before releasing new features.

Posted via CB10

If you have a good vendor you can do a lot better than $99/year/device (for Secure WorkSpace licensing). I'm paying about $79/year/device and that was for a 5 device CAL. I'm sure if you are buying more licenses you can do even better.

Great write up. Nice to see informative articles like these to help consumers understand the enterprise side of things.

Well.

You should be using the work space features of BES10. Then you don't have to worry about installing Touchdown on your Android devices.

Not only do you have the ability to remove all work related content on the work space app but you also have remote access to internal company websites without the need for VPN creation for the mobile users.

In all honesty, if I can install BES10 and have it exist alongside BESX then most people can.

My only issue is that the gui for the uds page is totally different from the bds gui.

Posted via CB10

That was an awesome read. I work for a major university medical center in IT. I'm not a server guy, but this was a very thorough and easy to understand explanation of what BlackBerry offers. Here you still see a few older BBOS phones, but more often iPhones and iPads. It sounds like BlackBerry and Apple are much more compatible and have a similar perspective on how the devices should be able to be managed by IT.

I would like to see a column for Windows Phone in the IT Policy iOS/Android comparison.

Nice work indeed. I'm a server admin in a small enterprise with about 300 BB users, about 60 of whom we've migrated to BB10. Appreciate the breakdown of the various server components.

Our organization is in the midst of installing BES10 to upgrade our 4K+ devices to BB10 devices. Also, we will be extending this to use UDS for a possible BYOD implementation. UDS will be tested against another MDM application and our solution will be determined at that point.

Thanks for the detailed description and your take on BES10. Keep that information coming!!!!

Cheers from my Z10!! - 00

I wanted to make sure I thanked Richard Cermele, James Richardson, and Simon Sage who all helped in creating this post. They were my test users. As Simon is such a rebel, he used his Jail Broken iPhone on my BES10. I almost wiped his device but gave him a break ;-)

NTT DATA also helped greatly by providing the sandbox for this environment.

So from the write up it sounds as though what BlackBerry is best at doing, they're no longer the best at doing? I mean BES10 in this description doesn't sound like something many companies would want. Which sucks.

Posted via CB10

After an extensive investigation of eight MDM solutions, my company chose BES10 to be our MDM partner for the foreseeable future to manage our growing fleet of 4000+ BBOS, BB10 and iOS devices. We found that all the MDMs were comparable in terms of functionality but at the end of the day, BlackBerry truly understood our needs, which is a credit to their decade of experience.

With all due respect to the other vendors (US based) who we interviewed and trialed, their intent seemed to indicate that they wanted us to remove all BlackBerry devices and BES from our portfolio, then replace them with iOS or Android and their solution. Why? Likely because they can't manage BBOS/BB10 devices, and considering that BlackBerry makes up 70% of our fleet, this was not an option for us.

With that said and based on our requirements, BlackBerry was the only provider who could say "One MDM to rule them all".

Not to question your choice but it is disappointing to hear that your impression was that the other guys wanted you to remove BlackBerrys. Many of the top MDM vendors actually support BlackBerrys via the BES10 APIs. While that is limited, they have made sure that they support them.

Would be good to see a write up on the Enterprise Messaging Client (Lync equivalent), that we cannot seem to get working as yet.

There is limited to no documentation about it.

Two points of clarification:
"You could go with a hybrid approach by purchasing BES10 and licenses for your BB10 and PlayBook users" - BES10 is free, you only have to pay for the device licenses.

It is incorrect to say "iOS 4+" or any iOS version with a + sign because BES 10.1.2 does not support iOS 7. This will be coming in BES 10.2.

Otherwise excellent write up!

You can do basic MDM for iOS 7. Secure Work Space etc. will be released with BES 10.1.3 and an updated BES 10 client.

I cant see any reference to data compression.
I travel a lot and I have seen my roaming charges triple since swapping my 9900 on the corporate BES (my BB10 uses active sync until we decide whether or not to deploy BES in an increasingly BYOD company).
I assume this is because of the lack of BES Compression. So how does this compare across the mdm platforms?

Posted via CB10

No - BES 10 does not compress. The tunnel is encrypted using AES-256, but there is no compression as BES 5 did. The huge savings with BES 5 were because emails were opened and converted into a proprietary format, compressed, and only the first 2K of data was transmitted initially.

BB10 uses plain ActiveSync and is comparable to any other handheld.

The AES-256 adds some extra data to the transmission (not to talk about the huge latency of going through the BlackBerry Relay servers).

I beg to differ, from this document: http://ca.blackberry.com/content/dam/blackBerry/pdf/BlackBerry_Enterpris...

Is data on BlackBerry 10 devices compressed?

When managed by BlackBerry Enterprise Service 10, BlackBerry 10 devices feature BlackBerry Balance. This is technology that will automatically and contextually identify & separate work and personal content. Content classified as Enterprise data on BlackBerry 10 devices (i.e. work email, attachments, work contacts, calendar and notes, work browser, and enterprise applications) will pass through BlackBerry Enterprise Service 10 and will be compressed. Data that is not classified as work (i.e. personal browser, personal email and applications) will not pass through BlackBerry Enterprise Service 10 and will not be compressed. It is anticipated that the majority of personal data consumption will not benefit from additional compression due to the nature of the content (i.e. video streaming, embedded flash content, music and video downloads, video conferencing, application and game downloads).

Hi,

That is correct.
But since EAS traffic is by default compressed (by IIS) and encrypted (also by IIS), the BES10 tunnel just adds an extra layer of AES-256 encryption on top of the EAS content.

There will be little to nothing to compress.

If you are working with file transfers (work drives) or accessing any non-compressed content you will see some compression.

But on average most traffic in the work partition is EAS and there is no practical compression advantage of going through the BES10.
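The point made in the two comments above (that an encrypted EAS stream leaves "little to nothing to compress" for an outer tunnel, while compressing before encrypting still works) can be shown directly. The following is an added illustration, not code from the article or from BlackBerry: it uses a SHA-256 counter-mode keystream as a stand-in for the tunnel cipher (the real product uses AES-256, which the compressor sees the same way), zlib as a stand-in for IIS compression, and a constructed, repetitive ActiveSync-style payload as input.

```python
import hashlib
import zlib

# Constructed sample payload: repetitive ActiveSync-style XML, the kind of
# content that compresses very well before it is encrypted.
SAMPLE = (
    "<Sync><Collections><Collection><Class>Email</Class>"
    "<Subject>Weekly status report</Subject>"
    "<Body>Nothing new to report this week.</Body>"
    "</Collection></Collections></Sync>\n"
) * 20
KEY = b"constructed-demo-key-not-for-real-use"  # hypothetical demo key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the tunnel cipher (hypothetical, not BES's AES-256).

    A SHA-256 counter-mode keystream is XORed into the data. Like any good
    cipher output it is indistinguishable from random bytes to a compressor.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size (1.0 means no gain)."""
    return len(zlib.compress(data, 9)) / len(data)


def compare(plaintext: bytes, key: bytes = KEY) -> dict:
    """Measure three orderings of compress/encrypt on the same payload."""
    # 1. Plain payload compressed on its own (what IIS does to EAS traffic).
    plain_ratio = compression_ratio(plaintext)

    # 2. Encrypt first, then try to compress: the outer-tunnel situation.
    ciphertext = keystream_xor(key, plaintext)
    encrypt_then_compress = compression_ratio(ciphertext)

    # 3. Compress first, then encrypt: the on-the-wire size equals the
    #    compressed size, so the encryption layer costs nothing in bytes.
    inner = zlib.compress(plaintext, 9)
    compress_then_encrypt = len(keystream_xor(key, inner)) / len(plaintext)

    return {
        "plain_ratio": plain_ratio,
        "encrypt_then_compress_ratio": encrypt_then_compress,
        "compress_then_encrypt_ratio": compress_then_encrypt,
    }


if __name__ == "__main__":
    for name, ratio in compare(SAMPLE.encode()).items():
        print(f"{name:30s} {ratio:.3f}")
```

The encrypt-then-compress ratio comes out at or slightly above 1.0 (zlib adds a small header to incompressible input), while compressing first gives the same small ratio as compressing the plaintext. That is the whole argument: whatever compression BES10 applies to the work partition can only act on content that has not already been encrypted upstream.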

Article mentions that this is rushed because of lack of images of non-BlackBerry devices. Has anyone considered legal implications and requirements if they did? And I know for a fact that you can upload custom images for those they don't ship with. That seems like work done, not rushed.

Posted via CB10

I think this represents a fair use scenario; I doubt there's a legal issue. And not using the actual device images does serve to make BlackBerry look a little spiteful. I'm sure that wasn't intentional :-)

I would not be so sure about legality. This is not a publication or "free speech" but would be embedded in the product. I had to deal with (stay away from) these issues in my past life. By using custom images feature you can put whatever images you want. That looks like working around problems, not "spite".

Posted via CB10

If BES10 gets accepted by many enterprises, is there any hope that they could do end-to-end secure email transport? My understanding is BES10 only protects your internal work emails from leaving the organization, so it's not going to get pried on.

But what about between companies and customers, or companies and vendors? If both parties have BES10 servers, could they develop something where emails are transported securely? Getting into a new 'standard' would be dynamite.

BES 10 only protects transmissions between the BB10 devices and the BES10 server, by means of an extra layer of encryption. Furthermore you don't need to publish your Exchange server for the EAS connection.

Between organisations you would look into a VPN connection and possibly a trust.
No need to involve BlackBerry for this.

Right, I'm saying what if a new service was available to not require VPN's between each, I'm saying each of those 25,000 BES10 servers can send to one another without much additional setup.

I'm irked by the fact that emails go out over the internet, and would very much like a standard or service that makes it 'just work', and not have to deal with PGP keys per email box, etc.

I'm just thinking out loud how BlackBerry could do this and make sweet money at the same time.

Well... if all 25,000 servers could communicate "trusted" this would just be interconnected BES 10 servers with "transparent" VPN connections.

How would you decide which BES 10 server was responsible for which mail domains?

(I could easily create blackberry.com on my LAN and thereby trick my BES10 into believing it was responsible for all mail traffic to BlackBerry and "announce" this to the BlackBerry Infrastructure.)

There is no easy way to establish trusts between multiple parties.

Hence, a new BlackBerry service :)

My understanding is that gmail has trusted services with a number of big companies so that in my mailbox, I can see an icon that tells me its legit and really from them. So maybe this service already exists, just being setup one by one. And that is probably just authenticating the server, not encrypting the emails in transport, but I don't know.

I don't know how Google works, but Sender Protection Framework (SPF) could be one technique. It is based on DNS and basically is a way of publishing "which mail servers can send on behalf of this domain".

I think we have other and bigger issues. In general the SMTP protocol has lots of issues. One example is related to what you are suggesting: sender validation. This could effectively stop SPAM once and for all (simply by blocking the sender - e.g. by revoking this certificate). It's ridiculous that we still have to spend money on anti-spam solutions.
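The comment above describes SPF as "a way of publishing which mail servers can send on behalf of this domain" in DNS. As an added illustration (not the commenter's code, and not a full RFC 7208 implementation), here is a minimal evaluator for the record syntax: it reads a domain's `v=spf1` TXT record, walks the `ip4:`, `ip6:`, `include:` and `all` mechanisms with their `+`/`-`/`~`/`?` qualifiers, and returns the verdict a receiving mail server would use. DNS is replaced by a constructed in-memory table with hypothetical domains and documentation-range addresses so it runs offline; mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) are skipped.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Domains and addresses are
# hypothetical (RFC 5737 / RFC 3849 documentation ranges).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, txt: dict = FAKE_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip: str, domain: str, txt: dict = FAKE_TXT, depth: int = 0) -> str:
    """Evaluate whether sender_ip may send mail on behalf of domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; guard against include loops
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"

    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # a mechanism with no explicit qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]

        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == network.version and ip in network
        elif term.startswith("include:"):
            # include matches only when the referenced domain yields "pass"
            matched = check_spf(sender_ip, term[len("include:"):], txt, depth + 1) == "pass"
        else:
            continue  # a, mx, ptr, exists and modifiers need live DNS; skipped here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for ip_addr in ("192.0.2.5", "198.51.100.10", "203.0.113.7"):
        print(ip_addr, "->", check_spf(ip_addr, "example.com"))
```

The `-all` at the end of the constructed `example.com` record is what turns an unlisted sender into a hard `fail`; the provider's own `~all` only produces `softfail` when it is queried directly, which is why the include is treated as a match solely on `pass`.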

Exactly man. There is a large problem waiting to be solved, and anyone who can effectively establish a better way to do things will make it rain. I want BB to figure out the solution and turn things around.

With all the NSA attention in the media, there must be lots of start ups in the making trying to solve this.

Not all android devices require Touchdown. Motorola and others have opened their API to allow BES10 to automatically configure email accounts. Samsung has not.

And Touchdown isn't required for Android at all any more, if you're using the Secure Workspace piece.

Fantastic breakdown, thank you.

I'm not an admin guy - I employ people for that ;-) - um, BES10 encrypts mail between devices, I understand, but outside the network: no. Can one use pgp or something? Or is that a separate issue altogether?

Posted via CB10 on my BlackBerry Q10

BES 10 encrypts traffic between the BlackBerry 10 device and the local network where the BES 10 is located. Furthermore the ActiveSync traffic is typically encrypted using SSL which is terminated by the CAS (Exchange) or a SSL offloader.

BES 10 does not encrypt anything between devices.

Nice article, and a correct assessment of BES10 (so far)!

I do hope that BlackBerry decides to support Windows Phone. Due to the lack of security on Android, and the high TCO of an iPhone fleet, WP8 is becoming an interesting option for enterprises.

And like I've read a few times in the comments: a writeup about Enterprise IM would be nice. We also have Lync server in our company, but I haven't done the Enterprise IM implementation (yet) because I'm not sure it's worth the effort. Maybe it's easier to just wait for the official Lync 2013 client for BB10, which is supposedly coming.

Anyway, it's nice to see an enterprise-focused article on CrackBerry once more!

Nice comprehensive write up, good work.

One thing I noticed though was your comment:
"If you still have older BlackBerry devices running BlackBerry OS seven (7) or older, you will still need to keep and maintain a separate infrastructure of servers as the new BES 10 is only for the devices mentioned above."

I don't think this is technically correct, although not necessarily a bad idea anyways. But for the record, as of BES 10.1, you can actually install the BES 10 components on the same server as BES 5.

Posted via CB10

Yes you can install BES10 on the same physical hardware (or VM) as BES5 for sure (if you have a server that can handle it) but they are still completely different environments from a management standpoint. They have separate BB domains.

You can however integrate the BES 5 in the BMS console. This will provide access to the daily tasks from a single console.

I'd like to see additional write ups in regards to other MDM solutions and the setup and installs. Maybe note on the complexity of those installs, the additional proxy servers you need to install, additional ports, back end access to the mail platform, added permissions for those outside vendor accounts, and don't forget if you want a VPN, additional cost of that.

Posted via CB10

I've been using BES 10 for about 3 months now, managing a small user base of about 50 Z10s and a handful of IOS/Android devices. While I was pleased BES now supports these platforms, I absolutely agree that it appears as a whole BES10 was rushed out the door. As a long time Blackberry shop, the number of policies available in BES10 is without question a fraction of what was available in BES5. One such example is the ability to create custom policy rules. Our organization used this specifically in BES5 to define various attributes for apps. We recently attempted to roll out the HP ePrint enterprise app for mobile printing, however the lack of custom policy rules in BES10 makes this app incompatible at present.

100% agree!

Custom policies should be taken one step further. I participated in a focus group at BlackBerry Live 2012 where I proposed this design:

Custom policies:
1) The development tool (IDE) should support easy implementation of custom policies.
2) The IDE should create an XML file which is included in the BAR file.
3) Upon deployment from the BES, the XML file should be automatically imported and a wizard should guide the BES admin through the policies.
4) Custom policy settings should be able to migrate between version upgrades of the same app if not changed.

We also spent some time talking deployment and security (as nobody understood it with BES 5):
1) Implement all security settings in an XML file (metadata) in the installer (BAR) file.
2) The development tool (IDE) should scan the APIs used in the project and create the metadata automatically.
3) The developer should explain the usage of each permission (e.g. access to contacts, email, ...).
4) When a BES admin wants to deploy a BB app, he should see the metadata and the developer's description and easily accept/decline.

Hi Craig, it's actually not 3 servers, it's 2 servers in one install, BDS and UDS - as the Management Studio is not a server, it's just a web service. Also, the 2 servers must be installed together, they cannot be separated. Only the consoles can be separated from the server. Each server has its own console, so there are 2, as well as the Management Studio which is geared toward a helpdesk to manage users and devices from all servers (including BES 5).

The advantage of using the Secure Work Space over competitor solutions is the secure connection through the BlackBerry infrastructure. This allows companies to provide a secure AES-encrypted end-to-end connection from the user's device to the server - without having to use a VPN with certificate authentication.

It is 2 servers you're right but many may argue that the BlackBerry management console is a hefty service in itself so could be thought of as its own server.

The advantage as you mention it may not be seen as an advantage by everyone. The NOC is a single point of failure that is out of your control. Some see this as a problem: if the NOC goes down, so does your whole company's connectivity to its employees.

Also, it's not unique really. Good Technology does the exact same thing and has its own NOC too.

End-to-end security may not be AES but it is secure. VPNs aren't hard these days. In years past yes, but not anymore.

Craig,

My understanding is that VPNs are not nearly as elegant a solution as compared with connecting via the NOCs. With VPNs you need a heartbeat signal, and you are not "always on". The NOC approach allows for better performance and better power management. This is how I understand it. What are your views?

Apple has apparently a lot of problems supporting VPNs, apparently. They always get dropped when you go into lockscreen.

As for Good's NOCs, my understanding is that they are not nearly as comprehensive as BB's NOCs. I would like to know more about the differences however.

I would also like to know more about the user experience. Good apparently "sucks". Lots of complaints. Go to Google Play and see the reviews. SWS, while early days, is getting good reviews for everything but the browser. Again, this is only how I understand it. Your thoughts?

Posted via CB10

Android seriously needs a complete overhaul!

Screw all these stupid UI updates to the UI we see and use, along with specific Google apps. I think it's still based on Java and if so no wonder the quality of the apps looks like crap, not to mention this loophole Java Google is using is beginning to show its age! NitroDesk must be making a pure killing just to have ActiveSync accounts secured: there are over 30 MDM solutions on the market rated at various levels by Gartner and all of them require NitroDesk for Android - except that long overdue and still pending solution by Samsung which works only on their devices!!

Sad times and still a hole in the solution offered by BlackBerry, I was hoping they didn't require this for their solution for Android.

Posted via CB10

BlackBerry BES10's Secure Work Space is a dual persona solution, and like all the other solutions on the market (Good, Divide, etc.) NitroDesk is not required because everything is happening inside their secure container.

If you don't want to use a dual persona solution then you have to rely on standard device MDM, which BES10 also provides along with MobileIron, AirWatch, MaaS360, etc. This is when NitroDesk is needed.

Do all these other solutions provide mobile devices secure access behind a company firewall? With BES5 and BES10 mobile users can access intranet, applications and file servers behind the firewall and you can control internet access and usage via a proxy server.

Posted via CB10

Many solutions provide behind-the-firewall access. Good provides this since it uses a proprietary connectivity model. Other solutions provide this either via their MDM proxy, or by pre-setting up VPNs on the devices. Some solutions even take it a step further by providing things like access to your network shares and SharePoint.
In iOS 7, Apple provides per-app VPN capabilities (see my article on iMore about iOS 7 in the enterprise) which means that now an admin can choose to only allow certain apps to get behind the firewall, and not all apps.

Great article Craig. Does BES10.1.x provide integration with Office 365, and if it does can it function in a hybrid mode? For example supporting an MS Exchange 2013 hybrid solution. I must say the documentation for BES10 is ambiguous and disjointed as usual. There is a KB article that talks about migrating from on premise to Office 365 but it is lacking in detail (http://www.blackberry.com/btsc/KB34889).

We currently use the hybrid approach BES10 / MobileIron for iPhones; no Android phones allowed in our environment.

The Management Studio still needs a bit of work. In its current version there are still items missing that are present in BES 5.

And oddly enough we have been having more issues with the Q10 than the Z10. Emails stop working; seems to be some kind of ActiveSync issue.

We have 100+ BB10 devices currently active plus all the older berries on BES 5.

And there are fewer issues with the older berries. I'm hoping they continue to update and offer more functionality in BES 10 so it's on par with the older version.

Posted via CB10

Hi, I'm new to all this and have tried to install but had problems. Gone through the step by step guide but still found issues. I'm on Windows 8 x64; any advice would be appreciated. Is there somewhere that does a package to download all the programs needed for a smooth install? Thanks

Posted via CB10

Dear Blackberry,

Why not offer this free? Meraki is free. BES Express was free. Where is the free, or one-time cost, option for small businesses?

This is all made worse since BB10 devices support ActiveSync, and don't need a BES server.

The pricing is a retrograde step, and will not help their cause for companies considering whether they should still deploy BlackBerry phones.

Hi,
Thank you for the summary. We're also using BES10 as our MDM to control and manage our 52 devices (17x iOS, 10x BB10 and 35x BES5) for 2 months now. It's working quite well so far for our needs:
- devices out of contact
- deployment of email settings
- deployment of VPN settings
- deployment of WiFi settings
- mobile device inventory
and compared to other MDM solutions the pricing isn't so bad --- 13,50€/device/year (BB10 and iOS)

Unfortunately there are a few bugs/missing functions which BlackBerry needs to fix shortly:
- enable legacy mode in BB10 (should come with BES 10.2)
- disable roaming for iOS permanently (right now the user can enable it again)
- no automatic messages for the admin (jailbreak, deletion of MDM app, etc.)
- iOS 7 is shown as 6.2
- list of all apps which are installed on the devices

Simon, I'm fairly certain Apple doesn't expose a way to permanently disable roaming. They only allow a way for it to be turned off. I think this is a decent way to handle this. The last thing I would want is for one of our employees to be traveling abroad and get stuck in an emergency situation and not be able to make a call due to the roaming policy. At least the user having to turn it back on each time the server turns it off is a good reminder to be careful with the expense. IMHO.

Some of the details here are wrong, especially the pricing. It starts at $99/device for a perpetual CAL, not per year. Check this link for confirmation, and click on "Buy Now" under "BlackBerry Enterprise Server 10 Client Access License":
https://enterprise.ecomm.webapps.blackberry.com/direct/on-premise-softwa...
If you want to go the annual option, I found info here:
http://ca.blackberry.com/business/software/bes-10.how-to-get-it.html
It states, "To learn more about how to manage iOS, Android & BlackBerry 10 devices for only $19 a year*** please call 1-877-255-2377 or contact your preferred carrier or reseller partner"
So, a much better deal than you described.

Appreciate your feedback but I spoke to BlackBerry about the pricing before I wrote it in the post to make sure it was correct. It is $19 per device per year for regular MDM of BlackBerry, iOS, and Android devices. It is $99 per device per year for Dual Persona on iOS and Android. BlackBerry calls it Secure Workspace.
Of course bulk purchases always get discounts but these prices are correct as provided to me by BlackBerry.

Craig,

Did you see my question above? You did not really compare user experience on the various client solutions. For example, as I understand it, one of main advantages of BES and SWS is that it is always on and requires no periodic re-login as is the case with VPN-based solutions and Good. I do know Apple has problems with VPNs -- they cut out when the lock screen cuts in. Also, power management remains an issue. Any thoughts here?

I apologize, you are correct. It's possible to get a perpetual CAL for BlackBerry and for regular MDM management of an iOS or Android device, but it looks like there is no perpetual CAL for the Secure Work Space option. It starts at $99/device per year for a single CAL, and goes down for bulk purchases.

So Craig, am I correct to say that the CALs for BB10 devices are $19/year and have a free upgrade (to BB10) for existing BB OS 7 device users till December 31? If so, I'm not sure how the pricing would be a problem unless you've already gone to majority non-BB devices and aren't interested in saving money by switching back. I think that's the whole idea... given that many vendors of MDM solutions out there have been marketing the 'BB-free enterprise' (whether or not their solutions will work with BES 10), I think this is fair game. They've now written off all the Z10 inventory and will start dumping devices at very reasonable prices. So it's only fair to point out that, by implementing BES 10 (and only BES 10), enterprises will likely be able to find significant cost savings by negotiating bulk BB10 device purchase orders and migrating users onto these devices at $19/yr vs. $60/yr for other solutions/devices. Balance comes free with the devices. Please correct me if I'm wrong (I'm not an IT guy). Thanks.

My company is currently testing Android & iOS devices on our BES10 server.
Originally I thought the only option for these devices was to use the secure containerized work space. However after reading this article it appears I can use BES10 without the Secure Work Space.

I am having problems getting a Samsung Galaxy S4 to work properly. I have the BES10 client and TouchDown app installed.
I activate my device on the BES10 client. Once complete the TD app opens and asks for my PW.
When I enter my PW it thinks for a few seconds then closes the TD app.
I don't get any errors, but as far as I can tell it doesn't work. If I reboot the device it asks again for my PW for the TD app.
Is there some setting on the BES I need to enable to allow the TD app to work properly?

I should add that we had the device working yesterday with the secure work space. Trying to get it to work without the container.

One important thing to add... I was unable to connect to BES10 while testing the BYOD deployment at my work. After two hours of mucking around I came to find out that ActiveSync only allowed me to connect 10 devices.... Had I looked at my Outlook a little more often I would have seen it, and I had to use webmail to delete some of the older devices. Just for those of us who go through phones like cupcakes ;-)

Anyone can help me with this question? Is there any restriction to use Z30 on BES10 server while the Z10 and Q10 devices can be used on the BES10 server?

This is a great write-up - with a lot of details. I'm still reading it. I'm hoping someone can point me in the right direction.
I have a requirement to be able to control my BlackBerry users' address book and to restrict incoming and outgoing calls to only numbers contained in the address book.
We are in the process of upgrading from BES5 to BES10, and I am wondering if this will be possible.

Thank you in advance.