- 08-02-2007, 12:00 AM
Thread Author #1
Block a Device from BES
My company has decided that they want to block certain models of the BlackBerry (e.g. 8100, 8800) for internal reasons.
My question is: how easy is this to do? Or will somebody have to manually search for the "unwanted" devices and block them from the BES server? Is there an automated way to do this?
When we set up a new device sometimes it is over the phone so we can't physically see what device the user has purchased.
Thanks
- 08-02-2007, 05:26 AM #2
This would have to be done by an IT Policy. But, it would not be till they try to add the device that they'd know if it was an unwanted device. Are they trying to block devices with cameras?
BBM Channel: C000B75E8
- 08-02-2007, 06:11 AM
Thread Author #3
Actually no.. The intent is to keep the number of different models in use low so that troubleshooting issues doesn't become a problem due to lack of knowledge from the Helpdesk. I don't see the issue as most BB devices are pretty much the same but we have close to 6,000 users with devices.
So if a user calls into the support center, gets his activation password (claiming to have one type of device) and applies it to the device themselves thus activating the BB there would be no way to know if they had a Pearl 8100 vs a Curve 8300 without seeing it physically and logging into that user's account to disable it?
I think that is happening fairly often. I am not an administrator for BES but I do have some responsibility for enforcing company policy.
- 08-02-2007, 06:29 AM #4
Part 1:
I totally disagree! I work in Technical Support, I ALONE support 45 BlackBerrys, ranging from old to new, but mainly new. It's having the different carriers that's the problem, trust me...
Part 2:
I've double checked BES, and the I.T Policy and don't see anything that tells me what devices people have (albeit, I have a list elsewhere). The problem for them would be when they DO call the Helpdesk and they say, "I have an 8100, and need some assistance". The support person then says, "Oh, sorry we don't support that device"... (better still offer training on other models, no?)
Bottom line is, in the company policy manual, there should be an entry saying, "We (whatever the name of the company is) only support X BlackBerry model devices. If you connect your device to our server, you have to abide by this rule" - or something like that, and since the employee signs that 'book' you as the HR / company policy enforcer are covered...
BBM Channel: C000B75E8
- 08-02-2007, 07:02 AM
Thread Author #5
Ok sorry about Part 1.. I guess from a User-only perspective they all seem pretty close to the same for me. I will admit a total lack of knowledge on that end. But we are restricted to two carriers in order to get your data package reimbursed.
And yes we have the written policies in place and we do not offer support to users who have purchased their own (out of policy) devices and been able to get them attached to the server when they have issues. We also don't reimburse the cost of non-supported devices "by policy" but I know that gets through as well, people are sneaky.
I was being pushed by management to see if we could just get them all kicked off the server to end the political crap that happens when Bob sees Bill with a Pearl at training and comes to IT wanting on...
Thanks for your input.. Sounds like in our situation where we are forced by geography to activate BBs over the phone many times that we will never be able to enforce this other than with just "policy" and hoping people play by the rules.
- 08-02-2007, 07:29 AM #6
Maybe you should have a database of devices bought by the company for users. And, ONLY support devices bought by the company...
Unless, of course you find an I.T Policy for BES that can tell you what devices are on the server.
You know what, send a message to audit01, he might have a solution. I wonder, there might be a report / log that could tell what devices are on BES...
BBM Channel: C000B75E8
- 08-02-2007, 07:33 AM #7
Simple, click on each user and it will tell you the model, software version, phone number, etc. I've been known to completely wipe and disable devices that were put on the BES without my OK or knowledge.
audit
------------------------------------------------
No Longer RETIRED Forums Moderator
- 08-02-2007, 08:22 AM #8
Audit01, can we be specific here? I've checked, and either I'm missing it, or just don't know where to look. I see device type, but that just lists GPRS / CDMA, etc, etc...
Last edited by navilyn; 08-02-2007 at 08:24 AM. Reason: ...typo.
BBM Channel: C000B75E8
- 08-02-2007, 08:45 AM #9
As soon as I'm feeling better this morning/afternoon then I'll VPN into my network at the office and login to the BES server and get more specifics for you.
audit
------------------------------------------------
No Longer RETIRED Forums Moderator
- 08-02-2007, 09:28 AM #10
No rush, but thanks as always...
BBM Channel: C000B75E8
- 08-02-2007, 09:29 AM
Thread Author #11
Ok but it sounds like we would have to go into each user's profile individually... with as many users as we have I think we will avoid undertaking that right now and try to enforce this harder from the policy side right now. I actually just inquired and we have 8,965 BB's in use right now so it was higher than I thought.
Thank you both for your input on this.
- 08-28-2007, 02:32 PM #12
Blocking Blackberry Devices?
I'm new to the BES world, but I don't understand how an unsupported device could get onto the server. Would they do this by swapping SIM cards from a supported device? My understanding was that this would not allow the unsupported device to connect to the BES due to the use of a PIN. Or perhaps the PIN just enables the BES to "know" what device is connecting to it (therefore you would be able to tell what device they were using).
Sorry, I'm not helping, but I am trying to figure all this out because I'm an IT Risk Consultant. By the way, what is the risk of having "unsupported" devices connected to the BES, other than the users not being able to get support?
Thanks in advance for any help.
- 08-28-2007, 02:56 PM #13
Yes they would need to do an Enterprise Activation on each device they try to put on the BES and that involves setting them up with a new password each time they try it so in reality, they can't put a new device on the network unless the BES Admin gives them a new EA Password.
As far as having "unsupported" devices connected to the BES, you answered your own question more or less. Because of the cameras, memory cards, etc, the company needs to cover their own *** more or less due to the obvious security risks that just those 2 things have associated with them.
What firm do you work for if you don't mind me asking? As an IT Risk Consultant, you should really study up on these devices and what risks they pose. This is coming from one security guy to another, although I may be higher up in the chain than you.
audit
------------------------------------------------
No Longer RETIRED Forums Moderator
- 08-28-2007, 03:18 PM #14
Thanks for your help Audit01... I work for a company called Protiviti, we do all sorts of risk consulting (including IT). To date, most of my work has focused on risks to corporate applications (e.g. PeopleSoft, SAP, etc.) and the underlying databases than on things like Blackberry devices. However, with more and more concern about things like electronic discovery (i.e. litigation) and protection of intellectual property I'm trying to learn more about how Berries and the BES work.
From what you wrote, it sounds like an unsupported device couldn't receive corporate e-mail as long as the BES administrators are doing their job. Which leads me to ask... How are unsupported devices getting on moixca's corporate BES in the first place?
Also, any good references for learning about this stuff (other than here)?
Thanks again!
- 08-28-2007, 09:24 PM #15
Wait, hold the phone!
I tested this a long while back, if a user has a laptop / desktop connected directly to the domain, and has Desktop Manager installed, connects a BlackBerry. It WILL try to connect to the server (BES). The most it would ask them for is to verify encryption, i.e. they have to move the mouse around for about 30-45 seconds...
Now, the only thing I don't recall was if I did this for users that were NEVER on BES, or for existing users...
BBM Channel: C000B75E8
- 08-29-2007, 09:24 AM #16
It would be for users that were on the BES before. I do remember that now between my meds kicking my head in.
audit
------------------------------------------------
No Longer RETIRED Forums Moderator
- 09-13-2007, 11:18 PM #17
What about Enterprise Service Policy? I have 4.1.4 and don't know if it's available on your version but this setting allows me to control what devices can connect to the BES by PIN, PIN range, manufacturer, and BB model. I am able to allow/deny connections based on BB model here.
It's found at BlackBerry Domain > Properties > Enterprise Service Policy.
Nick
Posted from my CrackBerry at wapforums.crackberry.com
- 11-15-2007, 02:51 PM #18
Hi Nick,
Just a quick one. I plan to activate this feature shortly but I only want to restrict the model types so that we have to approve new models before people add. If I only activate the model whitelist and leave the PIN lists empty, will that just activate based on model?
Thanks!