Everything you need to know about BlackBerry Enterprise Server 10

BlackBerry Enterprise Server (BES) 10.1.1 is Research In Motion’s BlackBerry’s latest version of their enterprise software that provides a single solution for managing and securing BlackBerry PlayBook, BlackBerry 10, iOS, and Android mobile devices.

If you still have older BlackBerry devices running BlackBerry OS seven (7) or older, you will still need to keep and maintain a separate infrastructure of servers as the new BES 10 is only for the devices mentioned above.

BES 10.1.1 is not perfect, and it seems to be a little more complicated to setup than it should be, but it does appear to do what it says it will.  Lets take a look.

Architecture

BES 10.1.1 (or as we’ll call it from now onwards, BES10) is actually three servers in one package, designed to all be installed on one physical (or virtual) server, or setup on separate servers if desired.

There is the BlackBerry Device Service (BDS) that only supports BlackBerry PlayBook and BB10 devices, the Universal Device Service that only supports iOS and Android devices, and the BlackBerry Management Studio, which provides a limited unified management console to both services. In fact in addition to the BlackBerry Management Studio, there are also separate web consoles for the BDS and UDS which means that there are actually three management consoles, or two IT console, and one “helpdesk” console.

Through intense port juggling, BlackBerry has managed to allow all of these services to run on one server so if you want to, you can run BES10 on one server.

In the old BES5 days, all BES5 servers connected to a single SQL database that provided a central storage repository for users, servers, and configurations.  This is known as the BES5 Domain. In fact if you want to learn more about BES5 and how it works, see my previous article on CrackBerry titled “BlackBerry Enterprise Server – What Is It?”.

BES5 also used a proprietary protocol and methodology to synchronize email, contacts, and calendar between your mail server and your BlackBerry.

BES10 does not share that BES5 configuration database and therefore cannot be in the same BlackBerry Domain as BES5 servers. When installing BES10, two new databases are created to support the BDS and UDS services. While you can use the same physical SQL server, these are new and separate databases.

BES10 does not use a proprietary protocol to synchronize email, contacts, and calendar, but rather it acts as a Proxy for the ActiveSync protocol that is built into Microsoft Exchange, and provided by gateways like Lotus Traveler if you are using Lotus Domino/Notes. ActiveSync is designed for mobile device synchronization and is not a burden on Exchange like the old BES5 synchronization process was.

BES10 offers two methods of connecting and managing iOS and Android devices.  The first uses the “classic” Mobile Device Management (MDM) approach that provides IT with complete control over the mobile device, much like BES5 did in the past. The application of IT Policies however is limited to the platform they are being applied to.  iOS is far more enterprise friendly as it allows many ways of controlling, restricting, and configuring iPhones and iPads via an MDM solution (like BES10), while Android provides extremely limited control as can be see in the chart below.

The second uses a secure container on the mobile device to provide a unified application of IT Policies across iOS and Android, plus the extra protection of work data in the event of a hacked device. This type of device security is also known as Dual Persona because the device has two personalities, one for personal and one for work.  In essence a container is an app that runs on the mobile device and provides what appear to be separate apps for mail, contacts, and calendar, but are really “mini-apps” that are part of the main app.  The app can secure its own data store of course, which is how it provides a secure container for work data.

For BlackBerry PlayBook and BB10 devices managed via the BDS, a hybrid between full device control and a container are implemented to create BlackBerry Balance.

BlackBerry Balance keeps work and personal data separate on the device, however it does so at the file system level. This means that the user continues to use the same apps for both personal and work data.

BES 10 Setup on iOS and Android Mobile Devices

To setup BES 10 on your iOS or Android device you must first install the BES10 Client app that you can find in the iTunes App Store or the Google Play Store.

If you are using Android, you must also install the Touchdown app by NitroDesk. I used Touchdown HD because I was using a Google Nexus 10 tablet. You need Touchdown because Android does not provide a way to remotely pre-configure Exchange email, nor does it provide a secure email client.  Touchdown provides both of these and BES10 supports it.

When you launch the client you start by entering a secure URL to bbsecure.com plus your BES 10’s SRP ID. Depending on where in the world you live, you will use a geographic specific URL.  Since I’m in the US I used us.bbsecure.com.

Next you are prompted to accept the certificate that will secure the communications between your device and BES 10.

Next you are asked to provide your Active Directory user name and password.

The next steps are slightly different between iOS and Android.

On iOS you are asked to install an MDM Profile which is a mechanism designed by Apple to ensure that your iOS device is controlled only by verified MDM vendors and it is indeed your company that wants to control your device (please ignore the “Not Verified” notation in this screen shot as it was taken in a lab environment. In the real world you would not want to accept an unverified profile).

On Android you are asked to allow the BES 10 client to be the Device Administrator which will let your company have control over your device.

Next, the BES10 client pre-sets up the device to connect to your companies email system. On Android it launches and pre-configures the TouchDown app and you are asked to type in your network password. On iOS it creates a new Exchange profile on your device and asks you to type in your network password.

Once this setup is complete, your iOS or Android device will be setup to be controlled by your company via the BES10 client installed on your device, and you will have access to your company email, contacts, and calendar.

Company Apps

Once your iOS or Android device is under the control of BES10, your administrator can require that you install apps. Today, unlike BES5 and BB0S7 and earlier, your administrator cannot silently install apps to your device (although in iOS7, Apple does provide an API to do just that so hopefully BES10 will be updated to support this), so as a user you are asked to install the app and if you don’t comply, your administrator can block your device or take other actions to force you to install the app.

The apps can be publically available apps in the iTunes App Store or Google Play, but they can also be apps created by your company to access company data or interact with company systems.

Your administrator can also simply make apps available for you to install at will and you will find those apps on your device under the Work Apps tab in the BES10 client.

If an app is required you will be notified on your device.

BES 10 Secure Workspace Setup on The Mobile Devices

Secure Workspace works differently from the regular BES10 MDM client because it provides a secure container, or second personality that has all of your email, contacts, and calendar in it.  Using the Secure Workspace means that your IT department has no control over your device, only what is in the secure container. Companies that adopt a BYOD policy may find this approach friendlier to users.

The setup of Secure Workspace follows the same steps as outlined earlier, but instead of the BES10 client applying IT policies to your device and setting up an Exchange email connection, you are asked to install a few extra apps:

• BES10 MGR (Android only)
• Work Connect
• DocsToGo

On Android, BES10 MGR manages the transition between personal and work personas. Work Connect is the actual secure container while DocsToGo is a special version of DocumentsToGo that is designed to work with Work Connect to ensure that email attachments remain secure and private when opened on your device. As of the writing of this post, the special DocsToGo for iOS was not yet available in the iTunes App Store so it wouldn’t install.

BES 10 Setup on PlayBook and BB10 Devices

To setup BES 10 on your BlackBerry PlayBook and/or BB10 device (like a Z10), it is less like a setup and more like simply using the built-in BlackBerry OS functionality to activate your device against the BES.

In the Accounts screen you start by adding a new Work Account. Notice that you are able to add a standard Microsoft ActiveSync account too, which would allow you to activate your PlayBook or BB10 device against a standard Exchange server running ActiveSync in an environment with no BlackBerry servers installed at all.

That approach however would not provide all of the extra security that is provided by a BES10.

Next you type in your email address as your User ID, your Active Directory password, and the SRP ID of your BES10 server.

This activation information will be provided by your BlackBerry administrator or automatically emailed to you when you are added to the BES.  As you can see it is identical to the old BES5/BBOS7 activation process.

If the activation is successful, your device will be configured as per the IT Policy and Software Configurations that have been applied to you.

Setting Up And Configuring BES10

The initial setup of BES10 seems to be overly complicated and hiccups were common, but I can say that BlackBerry support was outstanding when it came to helping me resolve issues with setup. Once BES10 is setup however it is relatively easy to manage and configure, bearing in mind that you are actually setting up two services, BDS and UDS, not just one unified BES like the BES5 days.

Setting up BlackBerry Device Service (BDS)

BDS is the service that manages BlackBerry PlayBook and BB10 devices.  BDS cannot manage older BlackBerry devices.

Lets look at some of the key settings.

Connections To Directory And Email

BES10 can integrate with Microsoft Exchange and Lotus Domino (as long as it is running the Traveler Gateway). In my lab I’m using Microsoft Exchange so I had to first setup a connection to Active Directory.

You can choose to provide the basic information like the Domain, user name and password, or you can further configure the connection by providing an LDAP search filter if you want the BES to only look at a certain part of your directory tree, change the Object mappings and attributes between your company directory and objects used by BES10 if you don’t use default objects.

Next you need to setup a connection to the mail server or gateway.  In my case since I’m using Exchange I setup an Exchange profile.

Notice that you can specify settings like whether to allow synchronization of certain data, and whether to allow S/MIME email.

IT Policy

Once you have your connectivity setup to your environment, you can move on to managing your IT Policies.

Similar to BES5 and BBOS7 and earlier, BES10 allows very granular control over the BB10 and PlayBook devices. This includes control over NFC, Wi-Fi, camera, HDMI, Bluetooth and Bluetooth parameters, password control and password complexity, forced logging of BBM, call logs, and SMS messages, and other hardware and software settings.

Work Apps

Once a PlayBook or BB10 device is activated on a BES10, the administrator can provide BlackBerry World apps and/or internally built apps to the user.

Those familiar with BES5 will feel right at home with this process.  Like BES5, you will provide a network share where the BES stores the apps, and then you create Software Configurations to group the apps together.

Those Software Configurations can be assigned to individual users or groups (more common).  Your Software Configurations can include in-house apps built by your company and apps already available in the BlackBerry World app store.

Those assigned apps will show up in the Work tab of BlackBerry World on the PlayBook and BB10 devices.

Setting up Universal Device Service (UDS)

UDS is the service that manages iOS (iPhone, iPod Touch, iPad) and Android devices.

Lets look at some of the key settings.

Connections To Directory And Email

BES10 can integrate with Microsoft Exchange and Lotus Domino (as long as it is running the Traveler Gateway). In my lab I’m using Microsoft Exchange so I had to first setup a connection to Active Directory.

You can choose to use Windows Single Sign-on that allows console access without having to provide your AD login and password in the sign-on screen.

Next you need to setup a connection to the mail server or gateway.  In my case since I’m using Exchange I setup an Exchange profile.

Notice that you can use Exchange Web Services if you have iOS devices using Secure Work Space.

Apple Push Notification Service (APNS) Setup

To manage iOS devices and push alerts to them, Apple provides a free push notification network. Before an MDM service (like BES10) can use the APNS to manage devices, it must first register and obtain a certificate from Apple.  Once that certificate has been installed, you can successfully enroll and manage iOS devices.

The BES10 admin console walks you through all of the steps with the exception of the final (but most important) step of importing that certificate into Windows.  You’ll have to dig around on forums to figure it out which is a bit disappointing, but nevertheless, once it is all done, you’ll be ready.

Once you have your connectivity setup to your environment, you can move on to managing your IT Policies.

IT Policy

There are two types of IT Policies.  The one is for iOS and Android devices that are enrolled as regular MDM controlled devices.  The second IT Policy is specifically for iOS and Android devices that enroll to use the Secure Workspace.

Lets start with the regular MDM IT Policy. As mentioned before, IT Policies are only as affective as the mobile OS they are being applied to.  BES10 does not support the special version of Android that Samsung created (Samsung S.A.F.E) which has similar features to iOS that allows it to be very enterprise friendly.  BES10 just supports regular Android.

As you create your IT Policy, you can see which mobile OS (iOS and/or Android) that the policy will be honored and supported by, and which version of iOS and Android is needed to support that policy.

The Work Space IT Policy controls not only how a user gains access to the Secure Work Space, but if data can be shared between the Secure Work Space container and the regular device.

On Android devices you can also allow personal apps the ability to access data stored in the Work Space, and prevent the user from installing browser plug-ins when using the Work Space web browser.

Work Apps

Once an iOS or Android device is activated on a BES10, the administrator can provide iTunes App Store or Google Play apps and/or internally built apps to the user.

You can also place Secure Apps into a Software Configuration.  A Secure app is one that has been “wrapped” by the BES server so that it is secure and can only work with the Secure Work Space.

Compliance Profile

A Compliance Profile is a set of rules that check for certain compliance issues like is a required app installed, or is the device Jail Broken or Rooted, and depending on the situation, take action.

For example you may set a rule where if an iOS device is found to be Jail Broken, the BES10 client can immediately wipe the entire device, or maybe just the work data depending on how aggressive your IT administrator wants to be.

Managing BES10

BES10 provides a few management consoles that are appropriate for Help desk, and varying levels of IT.

The Management Studio is a console that provides you access to simple management functions for a Helpdesk.  The Dashboard is also well designed and as CrackBerry Forum Xayinn user puts it, perfect for copy/pasting pie charts for management.

This console also lets you manage your licensing.

One noticeable thing is how all of the consoles show pixel perfect images of BlackBerry devices, but as soon as you click to a non-BlackBerry device, you just see what looks like a vague grey representation of a Galaxy Nexus. The device database also cannot seem to recognize many device types and you seen Unknown Device many times as noted by CrackBerry forum user Xayinn.

I know that this doesn’t affect functionality but it seems to show the product was rushed to market, but some may also see this as BlackBerry almost begrudgingly providing this support and visually showing which is more important to them.

How Does BES10 Compare To Other Solutions

BlackBerry BES10 contains functionality to support BlackBerry PlayBook and BB10 devices using the BDS, as well as Android and iOS devices using the UDS.

If your company has decided to support and/or migrate to BlackBerry PlayBook and BB10 then BES10 is the only game in town. BES10 is required if you need to support these devices.

If you plan to migrate to iOS and/or Android devices then you could opt for BES10 since it supports these two mobile operating systems, or you have a choice of many other MDM solutions on the market that are much more mature than BES10 including MobileIron, Air-Watch, MaaS360, Good Technology, Enterproid, etc.

Many of these other MDM solutions support a much broader set of devices including Windows Phone, Windows Mobile, Symbian, BlackBerry (including BB10), and even Apple Macintosh (Mac) computers as more companies embrace BYOD and allow Apple Mac desktops and laptops.

Many MDM vendors support Samsung’s security model (S.A.F.E) that emulates Apple’s model by providing many extra APIs to control and configure certain Samsung models.

Some of these solutions provide a way to actually manage BlackBerry PlayBook and BB10 devices by interfacing to your BES10 using APIs.

Current BES5 CALs are transferable to BES10 apparently until December 2013 if you are a current BlackBerry customer, which is a good move by BlackBerry but this is only if you are migrating the user from and older BlackBerry to a new BB10.  If the user is migrating from an old BlackBerry to an iOS or Android device then a new license must be purchased.

Read more about the trade up program here.

Recently BlackBerry reduced the price of the EMM Corporate license (this is for regular MDM-type management of PlayBook, BB10, iOS, and Android) to $19 per device per year.  The EMM Secure Workspace is $99 per device per year (this is for the secure container on iOS and Android).

The problem here is that most other MDM/Dual Persona vendors are going on $5 per user per month (or around $60 per year per user). All of them provide full in-the-cloud solutions so no on-premise servers are needed.  This reduces the cost even further. Notice that the non-BlackBerry vendors use a per-user pricing model so if a user has more than one device, the price is the same.

BlackBerry is apparently conducting trials of BES10 in the cloud but so far it is not an official product.

Dual Persona/Containerization

BES10 support of iOS and Android provides an optional Dual Person (aka Containerizaton) approach to accessing company assets.  BlackBerry calls it Secure Workspace. Your email, contacts, and calendar are only available in the secure container, while company apps are wrapped in a security blanket so they can be secured by IT.

The company that has been doing this longest is Good Technology. They started out as a “BlackBerry clone” with their own Good G100 “BlackBerry look-alike” device but later moved into building a Dual Persona approach with the Good client being available for many different mobile devices.

Like BlackBerry, the Good secure container routes data via its NOC, requires company servers to be installed on-premise, but Good also uses a proprietary protocol to synchronize data.

Other vendors like Enterproid that makes the Divide container, use out-of-the-box ActiveSync, and provide a full 100% Cloud approach.

BlackBerry’s secure container approach is good for a first stab and it compares favorably with products like Divide.  In the case of BlackBerry, while they are relying on pure ActiveSync, they do route the data via the RIM NOC.

Conclusion

BES10.1 is not a top-of-the-line solution, it has some issues and evidence of being rushed to market, but it is OK. RIM/BlackBerry did acquire Ubitexx (which became MobileFusoin and then BES10) back in 2011 so it is odd that it has taken so long to bring BES10.1 out which is why I’m being a little harsh about the incomplete solution.

If you plan to support Windows Phone, Symbian, or Apple Macs then BES10 doesn’t look as attractive, mainly because it doesn’t support those device types.
You could go with a hybrid approach by purchasing BES10 and licenses for your BB10 and PlayBook users, and purchasing a second MDM solution like MobileIron, or Air-Watch to manage all of the other devices, and front-end the BES10 console.

If you plan to use Secure Workspace on iOS and Android then other, more mature Dual Persona solutions are already out there, are cloud-based, and $5 per user per month or $60 per user per year.

I think at the end of the day, BlackBerry has provided a decent on-premise MDM/Dual Persona solution for those clients who are migrating from BES5/BBOS7 to an environment where their users will have BB10, PlayBook, iOS, and Android devices.

The pricing is a little out of whack though and while you can get regular MDM-type management for $19 per year per device, if you start using Secure Workspace, that will set you back $99 per device per year.

I encourage you to comment on this post and let me know if you need any clarification on any aspect of the information, or need more information on a specific area.