What is BlackBerry Enterprise Server 10 (BES10)?

Mobile Enterprise 101

By Craig Johnston on 17 Feb 2014 09:14 am EST

Those of you familiar with BlackBerry from its early days will be familiar with the BlackBerry Enterprise Server (BES). The BES was (and still is) made up of multiple services that interact with a company’s email system (Microsoft Exchange, Lotus Domino, or Novell GroupWise), provide secure IP tunneling, and allow administrators complete control over the company-deployed BlackBerrys, including pushing out apps.

BES10 is similar, but in many ways very different. BES10 started out life as BlackBerry Mobile Fusion, which was a service that allowed an administrator to manage the new BB10 devices and the BlackBerry PlayBook, but it also allowed for the management of iOS (iPhone/iPad/iPod Touch) and Android devices.

Components of BES10

BES10 has three main components. One component provides the ability to enroll and manage BB10 and BlackBerry PlayBook devices. Another allows for the enrollment and management of iOS and Android devices, while the third component is a web service that provides a single-view management console for managing BB10/PlayBook, iOS/Android, and classic BlackBerry devices (BBOS 7 and earlier).

iOS and Android

BES10 allows for the classic Mobile Device Management (MDM) of iOS and Android devices, like its industry competitors (MobileIron, AirWatch, etc.), but it also provides something called Secure Work Space. Secure Work Space provides a secure container on the iOS and Android device where all of the corporate data resides. This is similar to other products on the market like Good Technology and Divide. It is also referred to as Containerization or Dual Persona.

In both scenarios, BES10 provides the administrator with the ability to deploy apps, provide a corporate app store, and manage the devices, including remotely wiping them, and enforcing security policies.

Under the covers, this service is called Universal Device Service (UDS).


BB10 and PlayBook

BES10 provides full administration of BB10 and PlayBook devices, including deploying apps, enforcing security policies, remote wiping, and enforcing BlackBerry Balance.

Under the covers this service is called BlackBerry Device Service (BDS).

Classic BlackBerry (BBOS 7 and earlier)

The BES10 unified management web console also interfaces to classic BESs using Application Programming Interfaces (APIs). This allows day-to-day management and troubleshooting of classic BlackBerrys, although you must still keep the classic BES (or multiple BESs as is normally the case) running.

The BES10 unified management console actually interfaces with the classic BlackBerry Administration Service (BAS).

For a more in-depth look at BES10, see my previous article here and for a video walkthrough of Secure Work Space see Simon Sage’s post here.

Reader comments



That has been going on for a while now, but the company must apply. Life time too.

But they must apply. And they must do it soon as the window of opportunity IS closing.

There was an opportunity to upgrade the licenses for free, you still need to install the BES10 server software though. In my country (Belgium), the license upgrade offer ended on the 31st of December 2013.

Offer ended Dec 31st 2013. It covered perpetual CAL's for BB10.
Company had 1000 CAL for BES 5.
Company installed free (no server license anymore) BES 10 and did an upgrade of 1000 CALs.
BlackBerry issued 1000 temporary CALs and company installed it on BES 10.
On Dec 31st. company had activated 560 BB10 devices.

Company was entitled to 560 perpetual licenses only.

The problem is many companies are afraid to invest in anything BlackBerry. Our IT say they won't be around for that long and are pushing everyone out of BlackBerry; they want to go with the Mobile Iron solution. I wish I could find a good argument for them to look at BES 10.

More and more are on board. Major banks here in Canada are on BES10. We don't move fast, and risk managers analyze things to death. I'm not worried.

Posted via CB10 - Z30STA100-5/

CIBC (CIBC Mellon testing BB10/BES10 with full intention to migrate, also manage iOS devices using BES10).
BMO - already on BES10 I believe.
TDBank - testing or with BES10 for iOS Secure, and BB10
Royal Bank ... unsure (would be funny if they use BES10 exclusively internationally yet pushing Samsung's KNOX as a service to their clients lol; they do do the latter btw).

Barclays - supports Good Technologies on iOS & BES5 for BBOS, with limited implementation for BES10 for BB10 devices on a BYOD approval basis.

Other industries vary.

Those companies' IT departments need to check which solution the US government and president are going with.

This is where our Govt must provide a back stop to support eg. Bombardier, Potash and what happens in other countries. Wake up Canada we need to become leaders not just managers / employers !

Posted via CB10

Companies afraid to invest in BES10, thinking BlackBerry won't be around much longer, need to answer two questions:

1) Why do they have more enterprise customers than any other competitor and are still growing? We're not just talking by a small margin either.

2) Why would the U.S. and other governments in the world invest in a company that is in danger of going out of business in the near future?

If anyone has LOGICAL answers backed with supporting statements, facts, etc, then I want to hear them.

Posted via CB10

Question 0:
Stop having idiotic, junk news susceptible paranoia in their CIOs who cannot make a decision without fully swallowing Gartner reports without triple checking.

Gartner didn't believe BB would be around for 2yrs back in late 2012, it's 2014 and WE STILL HERE! Guess they're eating their words on a dirty horse stall worn & unclean 12mth old boot!

"2) Why would the U.S. and other governments in the world invest in a company that is in danger of going out of business in the near future?"

Well because with Knox or iOS, their government would be in great danger?

I wouldn't feel safe by going with Mobile Iron at all. They're one of the last major independent MDM vendors out there, facing Airwatch (VMWare), Afaria (SAP), XenMobile (Citrix) and BlackBerry in the arena, which will have two possible outcomes:
1) They'll get blown out of the water by these juggernauts.
2) Some other big company comes in and takes them over, and investing in a company that's being integrated into a bigger one is always risky business.

In addition, IBM with Fiberlink (MaaS360).
MobileIron isn't going to make it alone.

Posted via CB10

That's odd because Mobile Iron is the leader with iOS support (at least originally out of the gate).

I've trialed Maas360 - what a joke, those guys back in early 2013 had no clue how to properly use their services ... didn't even know what a heartbeat was (I didn't either but I'm not the director nor manager of infrastructure who knew, nor the CIO). Took them a full week to get back to us stating a) "yes we know what that is" and b) "sorry with Maas360 you cannot configure this per client" .... they were done, meetings adjourned, not on our list. AirWatch was selected (not the best choice, but alas ... nothing but headaches yikes).

Air-Watch is leader in iOS support by MDM. MobileIron reminds me of Microsoft SMS v1. A bunch of bad scripts moving data around with a very nice pimped GUI.

Posted via CB10

I'm not saying that their product is bad, I'm sure it isn't. It's just that they're positioned badly business-wise. If I were the owner of Mobile Iron, I'd start looking for a buyer asap.

Think twice about MobileIron, it is not secure. High TCO, very highly active hacker community (Xcon) for hacking and fooling the MobileIron client. And it's a complete DMZ implementation with, for example, the MySQL user and config DB sitting there, something you don't do from a security and architecture point of view. If they really don't want to use BlackBerry BES10 then have a look at Citrix XenMobile or VMware AirWatch.

Posted via CB10

True, most companies are afraid to invest that much money in BlackBerry devices. I think once the US government takes the lead on this, we'll see a strong surge of some companies taking advantage of BES10. Remember BlackBerry devices are the safest in terms of mobile phone security. BlackBerry should and must capitalize on this.

Posted via CB10

The Government of Germany going BB10 should have been a good nudge in the right direction, but eh... Let's see what happens!

Unfortunately for those companies that don't require gold standard security, the majority of their users are on iPhones and Android Samsungs so they don't need to spend money on upgrading to BES10. The competition is probably cheaper. BlackBerry will be lucky if they can retain a fraction of a fraction of what they once dominated. The competition has such a lead and keeps on leading, they'll never ever come close to catching up.

Posted via CB10

BES10 software is free, there is no more software license costs like in BES5.

CAL licenses for iOS and Android are cheaper than with other vendors.

Posted via CB10

We the community NEED a more qualitative and in-depth review to factualize such a statement (not a real word but you KNOW what I mean).

Then CrackBerry to publish an Article on this.

Hey Kevin, chop chop ... book a meeting with Mr. Chen and his top boy in Enterprise Management and relationships ... get the full skinny on this and publish it pronto!

Video please and documentation. Even how Mr. Chen plans to regain corporate deals, corporate opinion of BlackBerry beyond the oh we're making qwerty devices our prime focus jazz.

Thanks Craig, glad you're back, great article. I think there is a problem with the video link at the end of the article?

I flick all my words from my amazing BlackBerry Z10

If BES10 is to become a true MDM solution, they need to really improve on the UDS features so that they're on par if not better than the other competitors such as Airwatch and Good technology...their current offerings are better with regards to iOS and Android device management. I read a while back that WP8 support is on the way but nothing since, anyone heard any updates?

Posted via CB10

Nothing has been officially announced yet.
But I do not disagree with your statement :-)

Now we're talking ... full tier and competitive suite support.

Now BES10 will fully highlight what makes BB10 a truly better solution. Can't wait for it!

Great overview Craig.
What advantages does BES10 with its MDM and SWS have over the rest ? Is it security, especially if they use BlackBerry mobile end to end ?

Your previous article if I am not mistaken said the competitors provided secure work space at a cheaper price ! But is the security at the same level ?

Posted via CB10

BES10 has the lowest TCO and install costs compared to all other MDM vendors if you also take the sizing, security and functionality in perspective.
BB10 and PlayBook CAL = €15 per year per device
Android and iOS MDM control CAL = €15 per year per device
Secure Work Space Android and iOS CAL = €55 per year per device.

MobileIron is the most unsecure and expensive (a lot of extra cost for additional functionality which BES10 provides by default with SWS) MDM solution. Entire solution is placed and managed in DMZ, while EMM vendors like BlackBerry BES10 and Citrix XenMobile have it done right with a BB Router or a TCP proxy in the DMZ. From architecture and security point of view the only correct way to do it.

Posted via CB10

Hi QuickSoft,

I would like to challenge you on the BES router part in the DMZ.

The only explanation I have ever found is "for installations that does not allow direct connections between LAN and WAN".

If you look at the BES solution, the connection made through the router arrives from the dispatcher and is a single outbound-initiated, bi-directional connection (why write that - all TCP connections are bi-directional!), to one or two IP addresses at RIM. The router only works as a ... router! A router simply forwards packages so there is nothing gained from a security point of view.

IMHO the router in DMZ only satisfies a political design decision.

For the MDM solution (not SWS) for iOS/Android the situation is different.

Hi, you're right, the router in the DMZ is bidirectional, but it's still an encrypted tunnel where also your SRP is checked with server-specific characteristics like MAC address, for example. Also you only have one port number opened to let both the BDS and UDS connect to the BlackBerry NOC. Other vendors like MobileIron have at least 5 to 7 ports opened on the DMZ firewalls. Even with BES10 you don't ever have to open up your Exchange or Lync infrastructure to be publicly published on the Internet.

Posted via CB10

I don't think the router does any checking at all. Only the SRP header is visible to the router; other than knowing the SRP number of the dispatcher instances in use, there is really not much to check.

I have never heard anybody talk about security checks in the router component. If you have any links I would love to see them.

The dispatcher does all the encryption/compressing and decryption/decompressing and this component is always on the LAN.

I have had numerous discussions about placing the router in the DMZ and I have *never* gotten one reasonable reason to do it (other than "it is a political decision"). Just consider this: Replace the BlackBerry *router* with any other (package) *router* and place it in the DMZ. For a single instance BES10 installation this is technically the exact thing happening and a router in basic definition is *not* a security device.

The router has nothing to do with *not* publishing things to the Internet. The Dispatcher is making the connection (and the BlackBerry router is not even installed by default on a BES 10 installation).

IMHO the DMZ requirement is made by people not understanding the BlackBerry solution and still thinking "making the server public on the internet".

UDS only connects to the BBI for SWS (unless they changed something recently).
I am not even sure UDS can use a BlackBerry router component.

For basic MDM the iOS/Android clients have to connect to the communications module which typically is placed in a DMZ as it is a published service.

As an addition, BlackBerry Router in DMZ is part of the network segmentation security architecture. This model is used mostly by banking, government and other higher level over network security designs.

Posted via CB10

From a security point of view it still makes no sense because it's still just a router. Adding an extra router does not make a network more secure - just more complicated.

Even for larger installations where several BES 10 servers can share the router, it still does not make anything simpler, as you have to make firewall rules for each BES 10 instance to the DMZ and one rule from DMZ to BBI IPs.

Well 'written' I think you'll find.

Oh the irony. Thankfully Craig 'wrotes' better than you 'does'. on O2 UK - Activated on BES10.2.1

Sorry to have struck a nerve. I was sitting in a waiting room to have a physical so I suppose my mind was, somewhere else, perhaps?

Great piece Craig. I was going to write about BES for Kevin and CrackBerry but your astute writings make that moot.

A good read for everyone. This is a great piece of the BlackBerry reality that has been often overlooked.

We all appreciate your renewed contributions!!

Posted via CB10

First let us know what you want to use it for.
I don't really see any use case for a private person for using BES.

If you have the server setup ready, the license cost is $19/year for 1 CAL (not Secure Work Space for iOS/Android).

Instead I hope BlackBerry will add multiple identity on BB10 (first step in replacing a desktop PC) and add cloud synchronization for docs, settings, apps etc.

When are the Z10 and Z30 going to be supported on BES 10 for Microsoft online services?
I can't believe that BlackBerry cloud services with Microsoft online just support OS 7 or down.

Posted via CB10

I'm mostly interested in pricing and revenue potential. The one year of free licenses is now expiring, no?

Posted via CB10

No - the converted licenses are perpetual and can be used forever with BES 10.

The CALs are for BES 10, so I assume they are valid as long as the product is called BES 10. The question is if it will continue to be named BES 10, version 11.x, 12.x or it will change name to BES 11 and thereby invalidating the CALs at some point.

Yes, BES10 adds an extra layer of encryption, and the traffic is routed over the BlackBerry NOC.


The primary reason is that your mail server (Exchange ActiveSync) is not published against the public Internet, because the BlackBerry Dispatcher creates an outbound connection to the BlackBerry Infrastructure, which works as a router between devices and BES 10 servers. The protocol used is called SRP (Service Relay Protocol).

Secondary reason is an additional layer of Encryption is added to the connection and the key is specific between the device and the BES 10.

Technically you could hack the SRP protocol and try to target a BES 10 server (only requires you to know SRP ID of the BES) in order to start "communicating" with it. The BES 10 should however reject all packages if
1) The PIN number of the client used/simulated is not activated on the BES
2) The encryption key is not valid.

So unless you can find an exploit in the Dispatcher component, there is not much chance to compromise anything.

PS: Many companies do publish their Exchange anyway to allow Outlook Web Access connections. This invalidates any security gained by BES 10...

BlackBerry NOC will, if I am correct, already drop/reject the connection of a simulated device PIN that tries to target a BES SRP when it cannot be verified as active. Also the device is registered on the BlackBerry network with more than the PIN only (see the BlackBerry logo next to carrier). Theoretically a simulated PIN therefore cannot target a BES.

Posted via CB10

It is all about hacking the protocol and using the environment.
You might be right and it might be impossible.

The main message is: It makes it a lot harder or even impossible to get to your Exchange IIS if it is accessed through a BES.

I am deeply shocked and amazed that Crackered could get the name of BlackBerry's biggest product in market wrong, guys it's BlackBerry Enterprise Service 10, not Server.

As an official BlackBerry UK installation partner, I have to have this info correct on all our company documentation.

Posted via CB10

Heh I had to scroll all the way to the top to check, but indeed you're right! It's "Service"!

BES10 has 4 default components. The end users' Self Service Portal was forgotten in your blog. Also an additional free component, the BlackBerry Collaboration Service, is available that makes Enterprise IM (MS Lync) available in your BlackBerry Balance Work partition.

Posted via CB10

Thanks for moving this info more into the public eye on CrackBerry.

iPhone for me? Scr... ahem Q that! (posted from the latter)

Isn't there some way to try the experience of work account and balance without having an actual server to install BES on?

Posted via CB10

Not at the moment.

I have not looked into their cloud offering. The solution seems to be renamed BlackBerry Unite.
This would probably be the easiest way to test when it is available.

Chen needs to have a discussion with Gartner Research...these guys recommended to CIOs to move away from BES10 within 6 months late last year. Chen should convince them otherwise.

Good point!
I hope he tries to make a very solid foundation before sending the message.

This is a good breakdown of BES10, thanks for posting. I've dealt with touchdown (nitrodesk) and was not a big fan at all! I'm currently using activesync on a Q10 but would prefer BES 10.

Today my IT admin told me that the BES10 server is running smooth. I am upgrading 110 BlackBerry Bold to 110 BlackBerry Z10 now.

Keep rockin BlackBerry!!!

Posted with my Z10 or Q10! ..or on my Z30. ..while I wait for a BB slider.

BES 10 is much more stable than BES 5 for one reason: It's a lot simpler.

The whole PIM sync and conversion part has been removed, so all BES 10 is now is a VPN concentrator and MDM solution (OK - simplified).

But it is very stable and so far it seems that there are fewer issues with BB10 devices running EAS than the legacy devices and BES5.

So go ahead and enjoy BB10. Remember to go for OS :-)
Download and use the autoloader in the thread by Darcy - then upgrades are done in a few mins per device.

BES10 means BlackBerry Enterprise Service, not Server. In BES 5 it is for Server ;)

Posted via CB10

No matter how great BES 10 is, many places will not want it. Speaking from experience, there are many Apple and Android fanboys. In my IT department I am the rebel, they say laughing, because I proudly own a BlackBerry Z10. BlackBerry needs to get their sales team hitting the pavement harder; this is a great product.

We just installed BES10 fresh and currently have 20 users (waiting on hardware to complete rollout). I must say it's brilliant, the simplicity and flexibility is great. Bit disappointed in lack of policies, and pushing out drive maps to the work drives is awful, but other than that this is a game changer for us.

Posted via CB10