A little Advice would be appreciated...

[storm6610]

I work for a government agency that has approximately 60 different departments...

Our IT department has about 145 people on the BES. However, in my particular department we only have about 3-4 people on the BES.

After reading a lot of articles on how intrusive the BES admin can be I have been tasked with the project of trying to find an alternative to the BES.

So my question is this..if we have a BES on an exchange server, if we wanted to pull off the BES and use something else is there anything else??

I have been reading about BPS, but don't fully understand how it works...

We have one guy who uses the redirector software that runs on his PC which he keeps up all the time, but that doesn't seem a good option...for many reasons...

The problem is some of the text messages we send, messenger messages etc that are sent are sent because prying eyes should not be able to see, as it can cause a safety risk (I don't really want to go into a lot of detail)...

Just looking not to get flamed (GET A PRIVATE PHONE etc.), but more or less ideas since I guarantee there is someone out there that is in a similar situation that has made it work..

Appreciate the time...and advice..

[Threefive]

Well I can say this when on a BES server the device is more secure than off of it. Also on the BES it is not like real time they have to send the logs off to be read and then they get sent back to them. Besides most BES admin don't sit there and go through everything, the only time they find something really is if you report a problem and they have to go digging. Be careful of how you proceed with this it could cost you your job.

[Rh1noo]

If you use BES 5.0 you can make use of the role based administration that gives users the rights to administer the BES without being able to do anything to anybodys mailbox.

The admin roles in BES 5.0 can be adjusted so you only give the required user the minimum rights they need.

You can then restrict the number of users that knows the besadmin password.

[storm6610]

I never knew that they had to send out the logs for them to be read and get them back before reading them??

I thought a BES admin could simply browse through "file folders" of some type or another and see what the user base is doing.

Appreciate the responses.

[CanuckBB]

SMS are not logged real-time. They are looged in .CSV files on the BES server. From there it is a matter of who has rights to those folders. If your department has different security requirements, you could always get your own BES and remove rights to the log folder. Be aware that removing rights from users like Enterprise Admin can really mess up your system.

It does come down to the concept that admins that have access to user IDs giving them unfeterred access to data need to be trusted. You are trying to solve a people problem with technology.

[storm6610]

Well put CanuckBB...The thing is if we already have one BES running, then even though I know it is possible to have two BES's running on one network, I know it is not generally a good thing. Right??

That is why I asked about another viable alternative..that we could run internally within our department.

Email forwarding isn't a viable alternative for several reasons. I am just surprised there isn't another alternative out there..

[CanuckBB]

There is nothing wrong with running multiple BES, other that 1) the expense of the hardware and software, and b) the myriad of issues you will have trying to own a server on the AD domain in a government agency.

You also do realize that SMS is horribly insecure don't you?

If you need to send confidential information via a BB, use email. encrypted end-to-end and secure in the mail box.