BES Admins vs Personal Blackberry's and BIS
I'm not sure if your company is against it or not, but we have been seeing more and more employees (non-approved Blackberry users) purchase a personal Blackberry and get it configured over their wireless carrier's BIS to receive company-related email.
Apparently T-Mobile and others offer a free BIS service with their Blackberry Plan or other plans. A user goes to their online billing account and is prompted for the company email address that they would like to set up on the Blackberry and the registered password. I believe it uses OWA and somehow determines the company's OWA address based off your email address. Users can then send/receive email from their company email address on their personal Blackberry.
We discovered these a while back after attaching the <confirm> command in the subject line of messages that are sent out to all users before planned network maintenance. I then look at all the kickbacks and compare them to the approved users on our BES. Today, I found 3 improperly using these. Currently we are just telling them to cease all traffic immediately, but we really had no way to stop this without completely turning off OWA.
I did contact Blackberry T-Support and after some research, they pointed me to KB Article # 11036. This shows you what ports need to be open to allow communication from BIS to the messaging environment.
Hopefully blocking these ports will stop this from happening in the future. I figured I would post it here in case some of you were unaware of how easily a device can be set up. Having data on unapproved and unmanaged equipment is a huge security risk!
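One way to automate the kickback comparison described in this post, as an added example that is not from the thread: it parses the <confirm> delivery confirmations, normalises the sender addresses and reports any that are not on the BES approved list. The messages, addresses and approved-user set below are constructed placeholders; a real run would read the confirmation mailbox and a BES user export instead.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample kickbacks received after a maintenance notice went out
# with <confirm> in the subject. Addresses and hosts are placeholders.
KICKBACKS = [
    "From: Alice Example <alice@example.com>\n"
    "Subject: Delivered: <confirm> Network maintenance Saturday\n\n"
    "Delivered to handheld.\n",
    "From: Bob Example <BOB@Example.com>\n"
    "Subject: Delivered: <CONFIRM> Network maintenance Saturday\n\n"
    "Delivered to handheld.\n",
    "From: Dave Example <dave@example.com>\n"
    "Subject: Out of office: Network maintenance Saturday\n\n"
    "I am away this week.\n",
    "From: Carol Example <carol@example.com>\n"
    "Subject: Delivered: <confirm> Network maintenance Saturday\n\n"
    "Delivered to handheld.\n",
]

# Constructed stand-in for the list of users activated on the BES.
APPROVED_BES_USERS = {"alice@example.com", "carol@example.com"}


def confirmation_senders(raw_messages):
    """Return lowercase sender addresses of messages that are <confirm>
    kickbacks; unrelated auto-replies (no <confirm> tag) are ignored."""
    senders = set()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = msg.get("Subject", "") or ""
        if "<confirm>" not in subject.lower():
            continue
        _, addr = parseaddr(msg.get("From", "") or "")
        if addr:
            senders.add(addr.lower())
    return senders


def unapproved_devices(raw_messages, approved):
    """Senders that confirmed handheld delivery but are not BES users,
    i.e. mailboxes being pulled onto unmanaged devices (likely via BIS)."""
    approved_norm = {a.lower() for a in approved}
    return sorted(confirmation_senders(raw_messages) - approved_norm)


if __name__ == "__main__":
    for addr in unapproved_devices(KICKBACKS, APPROVED_BES_USERS):
        print("unapproved handheld delivery for", addr)
```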
I take it you have a tight IT policy structure! That's great!
I had a user do that, and then we bought a BES. I activated the BB and he was getting duplicates! I couldn't figure out why, and then I checked his BIS email accounts and he had taken the liberty to set it up himself, which caused the duplicates... not exactly your problem per se, but I see the security risk and understand why this is a big deal. Glad to hear RIM gave you the BIS ports to block, gotta love those guys!
~via BB (wap.pinstack.com)~
Originally Posted by inertiatic
I can definitely understand your wish to quell this type of issue. We maintain a high level of security with all data on all devices, whether they're laptops or BBs, and try to keep as much data as possible OFF of the devices and on our servers. For example, we have what we call an "Autodestroy" policy which is applied to lost/stolen devices; it applies a maze of contradictory and restrictive settings to the device, rendering it useless even as a simple phone to a layperson, for as we all know it can be quite difficult to remove a stubborn policy unless you know what you're doing.
A security best practice is to change your SMTP port on your front-end Exchange server if you can (we use Appriver Securetide; our MX records point to them, they filter out all the spam and viruses and then direct the mail to us on a port other than 25 which we chose... I recommend a service like this, it cuts our server/message load by nearly 90%), and be sure that POP and IMAP are disabled (they are by default, but if you didn't set up the environment yourself, you might want to double-check). If these services are required for some reason, be sure to use a different port.
You might also consider using s/mime, which takes some setting up and tinkering with in your security policy on the BES and clients, but it's quickly being implemented by more and more organizations every day.
So did RIM's KB get you all squared away? Dunno if you've tried it out in a test environment yet... interested to hear though. I think we were already locked down due to our firewalls and settings, but your question made me double-check.
So many policies, so little time :-D
Los Angeles, CA
BES Admin 4.1.5