
  1. #1
    inertiatic is offline Stack level 2
    Join Date
    Mar 2007
    Posts
    21

    BES Admins vs Personal Blackberrys and BIS

    Guys,
    I'm not sure if your company is against it or not, but we have been seeing more and more employees (non-approved Blackberry users) purchase a personal Blackberry and get it configured over their wireless carrier's BIS to receive company-related email.

    Apparently T-Mobile and others offer a free BIS service with their Blackberry Plan or other plans. A user goes to their online billing account and is prompted for the company email address that they would like to set up on the Blackberry and the registered password. I believe it uses OWA and somehow determines the company's OWA address based off your email address. Users can then send/receive email from their company email address on their personal Blackberry.

    We discovered these a while back after attaching the <confirm> command in the subject line of messages that are sent out to all users before planned network maintenance. I then look at all the kickbacks and compare them to the approved users on our BES. Today, I found 3 improperly using these. Currently we are just telling them to cease all traffic immediately but really had no way to stop this without completely turning off OWA.

    I did contact Blackberry T-Support and after some research, they pointed me to KB Article # 11036. This shows you what ports need to be open to allow communication from BIS to the messaging environment.

    Hopefully blocking these ports will stop this from happening in the future. I figured I would post it here in case some of you were unaware of how easily a device can be set up. Having data on unapproved and unmanaged equipment is a huge security risk!
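
Added example, not part of the original post: one way to automate the reconciliation described in post #1, comparing the senders of confirmation kickbacks against the approved BES user list. The `Confirmed:` subject prefix, the addresses and the sample messages are assumptions constructed for illustration; adjust the prefix to what your kickbacks actually look like.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: confirmation kickbacks echo the original subject behind this prefix.
CONFIRM_PREFIX = "confirmed:"


def unapproved_devices(raw_messages, approved_bes_users):
    """Return sorted mailbox addresses that sent a confirmation but are not on the BES list."""
    approved = {addr.strip().lower() for addr in approved_bes_users}
    confirmed = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = (msg.get("Subject") or "").strip().lower()
        if not subject.startswith(CONFIRM_PREFIX):
            continue  # skip out-of-office replies, bounces and other noise
        # parseaddr strips the display name; lower-case so "Alice@" matches "alice@"
        _, addr = parseaddr(msg.get("From", ""))
        if addr:
            confirmed.add(addr.lower())
    return sorted(confirmed - approved)


# Constructed sample kickbacks (not real traffic).
SAMPLE_KICKBACKS = [
    "From: Alice Example <Alice@corp.example>\n"
    "Subject: Confirmed: Planned network maintenance\n\n",
    "From: bob@corp.example\n"
    "Subject: Confirmed: Planned network maintenance\n\n",
    "From: Carol Example <carol@corp.example>\n"
    "Subject: Confirmed: Planned network maintenance\n\n",
    "From: Carol Example <carol@corp.example>\n"
    "Subject: Confirmed: Planned network maintenance\n\n",  # duplicate kickback
    "From: dave@corp.example\n"
    "Subject: Out of Office: Planned network maintenance\n\n",  # not a confirmation
]

# Constructed list standing in for an export of approved BES users.
APPROVED_BES_USERS = ["alice@corp.example", "erin@corp.example"]

if __name__ == "__main__":
    for address in unapproved_devices(SAMPLE_KICKBACKS, APPROVED_BES_USERS):
        print("confirmation from non-BES mailbox:", address)
```
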

  2. #2
    chatster18 is offline Stack level 5
    Join Date
    Nov 2006
    PIN/ID
    ASK
    Posts
    1,121
    I take it you have a tight IT policy structure! That's great!

    I had a user do that, and then we bought a BES, I activated the BB and he was getting duplicates! I couldn't figure out why, and then I checked his BIS email accounts and he had taken the liberty to set it up himself, which caused the duplicates... not exactly your problem per se, but I see the security risk and understand why this is a big deal. Glad to hear RIM gave you the BIS ports to block, gotta love those guys!

    ~via BB (wap.pinstack.com)~

  3. #3
    PwDiamond is offline Stack level 3
    Join Date
    Jul 2007
    PIN/ID
    249df67d
    Posts
    102
    Hi Inertiatic,

    I can definitely understand your wish to quell this type of issue. We maintain a high level of security with all data on all devices, whether they're laptops or BBs, and try to keep as much data as possible OFF of the devices and on our servers. For example, we have what we call an "Autodestroy" policy which is applied to lost/stolen devices, which applies a maze of contradictory and restrictive settings to the device, rendering it useless even as a simple phone to a layperson, for as we all know it can be quite difficult to remove a stubborn policy unless you know what you're doing.

    A security best practice is to change your SMTP port on your front-end Exchange server if you can (we use Appriver Securetide--our MX records point to them, they filter out all the spam and viruses and then direct the mail to us on a port other than 25 which we chose... I recommend a service like this, it cuts our server/message load by nearly 90%), and be sure that POP and IMAP are disabled (they are by default, but if you didn't set up the environment yourself, you might want to double-check). If these services are required for some reason, be sure to use a different port.

    You might also consider using S/MIME, which takes some setting up and tinkering with in your security policy on the BES and clients, but it's quickly being implemented by more and more organizations every day.

    So did RIM's KB get you all squared away? Dunno if you've tried it out in a test environment yet... interested to hear though. I think we were already locked down due to our firewalls and settings, but your question made me double-check.

    _____________________________________________
    So many policies, so little time :-D
    Los Angeles, CA
    BES Admin 4.1.5
