[kthhrrsn]

I upgraded to a Z10 in April & I received an email from our network folks yesterday asking why I haven't used my BlackBerry for a while. I explained that I'm now using the new Z10 & can access email, calender, etc. via ActiveSync. They removed me from the old BES server and advised that they do have a new BES server for the Z10. They told me that they could have me added, if I wanted them to...

My question to you is, what are the advantages of being added to the BES server? What would I be giving up? I do know that with my previous BlackBerry devices, they were able to restrict certain functionality, such as disabling my ability to sync Facebook calendar and contacts with my device. That's not a huge deal, but I do enjoy having complete control of a device that I purchased with my own money!

I think the workspace concept sounds cool, but I don't find it necessary.

Any help is greatly appreciated!

Thanks in advance.

Keith. Posted by CB10.

[howarmat]

Its more for your employer's benefit than yours. Without knowing the complete details of what policies your employer uses its hard to say what will change if you go on BES.

[kthhrrsn]

Its more for your employer's benefit than yours. Without knowing the complete details of what policies your employer uses its hard to say what will change if you go on BES.

Thanks Howarmat! I don't know all of the policies either. I do miss being able to browse the corporate network drives from my BlackBerry. No way to do that without being on BES, is there?

I'm leaning towards staying off of BES10...

Keith. Posted by CB10.

[howarmat]

Thanks Howarmat! I don't know all of the policies either. I do miss being able to browse the corporate network drives from my BlackBerry. No way to do that without being on BES, is there?

I'm leaning towards staying off of BES10...

Keith. Posted by CB10.

you would need BES or a VPN atleast to so that

[S180]

They will not be able to restrict you too much as long as they activate you in the Balance mode, and not in work-space only mode. With the balance mode, they cannot touch the personal side of your device. You will continue to have complete control over the personal side. They will not able to restrict, for e.g., BBM, or Facebook like you mentioned. That concept of complete control of the device from BBOS 7 and BES 5 does not apply to BB10 and BES 10 as long as you get activated into balance mode. You get the ability to view your corporate websites and corporate network drives via BES10, and admins are happy that they can control the work side of device much better. I'd say you cannot go wrong with activating to BES10 - again, for the main reason, if they activate your device in the Balance mode, they cannot touch the personal side of the device.

[kthhrrsn]

They will not be able to restrict you too much as long as they activate you in the Balance mode, and not in work-space only mode. With the balance mode, they cannot touch the personal side of your device. You will continue to have complete control over the personal side. They will not able to restrict, for e.g., BBM, or Facebook like you mentioned. That concept of complete control of the device from BBOS 7 and BES 5 does not apply to BB10 and BES 10 as long as you get activated into balance mode. You get the ability to view your corporate websites and corporate network drives via BES10, and admins are happy that they can control the work side of device much better. I'd say you cannot go wrong with activating to BES10 - again, for the main reason, if they activate your device in the Balance mode, they cannot touch the personal side of the device.

That's really good to know! I'll ask them to activate me in Balance mode. Seems like a win-win to me! Thanks for the reply.

[S180]

Now, I should've mentioned this, but from what I understand, one thing they can block you from doing even in balance mode is side loading and using the device in development mode. This would be a non matter if they haven't applied the policy to block it. But that is the only thing I know of that they can stop you from doing.

[smoothrunnings]

You have to understand your company email on your Z10 right now isn't your email, it's the companies emails. BES 10 gives the the control to police your device and their data however they seem fit to do so securing their data. One of the biggest problems in our world today is the amount of data that leaks from within a company through smartphone devices. In hind sight IT heads need to ask themselves how much is the data worth to their competitors, and if they lost a big chunk of it could the company still operated without any loss?

This is why having BES is so important.

[anon(153966)]

...smoothrunnings is spot on! I say count yourself lucky that you're not on BES, and thus not restricted at all.

PS: I hope you have BlackBerry Protect on

[kthhrrsn]

Now, I should've mentioned this, but from what I understand, one thing they can block you from doing even in balance mode is side loading and using the device in development mode. This would be a non matter if they haven't applied the policy to block it. But that is the only thing I know of that they can stop you from doing.

Thanks S180. I do have a few apps side loaded. Hopefully they won't restrict that. I don't thin there's anything that I absolutely can't live without, so if they do then I won't be overly concerned. I appreciate the insight.

[kthhrrsn]

You have to understand your company email on your Z10 right now isn't your email, it's the companies emails. BES 10 gives the the control to police your device and their data however they seem fit to do so securing their data. One of the biggest problems in our world today is the amount of data that leaks from within a company through smartphone devices. In hind sight IT heads need to ask themselves how much is the data worth to their competitors, and if they lost a big chunk of it could the company still operated without any loss?

This is why having BES is so important.

smoothrunnings - I do understand that I'm accessing the company's email right now. We do now have a BYOD policy, so I've decided to purchase a Z10. As you know, it doesn't require BES activation in order to get corporate email, as legacy BB OS's have long required. I understand that there's a monthly fee for me to be on the BES server, which the company could now save since I've purchased the Z10. I'm now simply accessing email the way that iPhone & Android users have for several years now. I was really looking to ensure that I wouldn't be giving up anything major by being added to the BES server. Additionally, I'm looking for justification, from my perspective, for doing so since it's no longer required. My LAN group did give me the option to be added to the server. They have, afterall, enabled ActiveSync for all users so that using a BlackBerry is no longer required.

[kthhrrsn]

...smoothrunnings is spot on! I say count yourself lucky that you're not on BES, and thus not restricted at all.

PS: I hope you have BlackBerry Protect on

I do indeed have BlackBerry Protect on. I do protect my company's data. And yes, I do feel liberated by not being on BES.

[singleturbog35]

There are many reason why you want to use BES besides what has been mentioned on this thread.. One reason to use BES is that BES encrypt and compress your data so that will save you some data consume on your plan. Also you're lucky that your Exchange/Email Admin allow users to activate activesync by themselves which can be a security concern especially without any MDM solution to control devices when the device is compromise or jailbroken, not to mentioned there is a license for ActiveSync so what if a person decides to activate 10 devices? The Exchange HubCAS server will have a field day...The other advantage is that what if your main internet connection goes down in your office and your company has a backup route? what happen is your activesync will fail because the public DNS/IP you are pointing too is down. With BES, it dont matter because the BES server will use any route it finds to get back to the RIM infrastructure and your device connect to the RIM infrastructure to get to your BES...

[Cesare21]

I'm on Exchange active sync and I feel the BlackBerry Balance feature is amazing.. right now, my IT admin can wipe my phone including the personal side. With balance enabled, your personal data is secure..

sexy as hell Z10 via CB10

[TheScionicMan]

It would be interesting to see just what an EAS remote wipe command would do to a non-BES10 device.

[Romdeau]

With a BB10 Balance activation on BES10 i'm not 100% sure but i think it does wipe your profiles and data on first activation? It's been a while since the execs had their phones upgraded to Z10's.

The advantages of doing this are more down to what your BES/Exchange admin team have activated, secure work space documents (or whatever the document pushing feature is called) and device printing can be very handy features to have to enabled working on the go above and beyond email.

There are many reason why you want to use BES besides what has been mentioned on this thread.. One reason to use BES is that BES encrypt and compress your data so that will save you some data consume on your plan. Also you're lucky that your Exchange/Email Admin allow users to activate activesync by themselves which can be a security concern especially without any MDM solution to control devices when the device is compromise or jailbroken, not to mentioned there is a license for ActiveSync so what if a person decides to activate 10 devices? The Exchange HubCAS server will have a field day...The other advantage is that what if your main internet connection goes down in your office and your company has a backup route? what happen is your activesync will fail because the public DNS/IP you are pointing too is down. With BES, it dont matter because the BES server will use any route it finds to get back to the RIM infrastructure and your device connect to the RIM infrastructure to get to your BES...

All of these "reasons" are either actually only on BES 5.x or down to whether the feature was setup:
BES10 no longer compresses your email, as BES 10 is really just an MDM now, email is still activesync its just passed through BES10 as a gateway. Most people find that after switching to a BB10 device their data usage volume rises significantly compared to legacy BB devices.
Licensing wise Exchange CAL's (standard or enterprise) are licensed per user, so there's no licensing issue there.
And activesync (or more specifically autodiscover) is as resilient as you set it up to be, it fails over just fine in a link failure situation provided it was setup.

You are however correct that end users being able to activate their own activesync partnerships can potentially be a security issue.

It would be interesting to see just what an EAS remote wipe command would do to a non-BES10 device.

It triggers a device wipe, I'm not sure what you were expecting? Some of the really old activesync device won't work, but any modern smartphone wipes fine.

[jonty12]

If your company uses Microsoft Lync for internal instant messaging, you have to use BES to have a BB10 client it doesn't work without BES.

Same for BlackBerry office drives or whatever the office file access app is called.

Posted via CB10

[singleturbog35]

All of these "reasons" are either actually only on BES 5.x or down to whether the feature was setup:
BES10 no longer compresses your email, as BES 10 is really just an MDM now, email is still activesync its just passed through BES10 as a gateway. Most people find that after switching to a BB10 device their data usage volume rises significantly compared to legacy BB devices.
Licensing wise Exchange CAL's (standard or enterprise) are licensed per user, so there's no licensing issue there.
And activesync (or more specifically autodiscover) is as resilient as you set it up to be, it fails over just fine in a link failure situation provided it was setup.

You are however correct that end users being able to activate their own activesync partnerships can potentially be a security issue.



It triggers a device wipe, I'm not sure what you were expecting? Some of the really old activesync device won't work, but any modern smartphone wipes fine.

Can you provide a whitepaper that BES 10 doesnt encrypt and compress data before it goes to the device? I have spoken with RIM support and have RIM engineer onsite and all said to us that it does. Our company also have an NDA with RIM so I dont thing they will lie to us. Also even with the MS Enterprise License Agreement, do you really want all your users to be able to activate any device they want? I'm pretty sure you already know that the Hub CAS server do have their limitation and your server may not be spec to handle that much simultaneous connection...

Let me be clear on the ActiveSync connection I mentioned. When I said backup route, I meant your traffic gets re-routed to let say a different office. I know it's not the norm but we have offices around the world and sometimes there are situation that traffic has to be re-routed to go to a different office and that means your gateway changes hence the ActiveSync is not 100% dynamic enough compare to ActiveSync manage by BES.



EDIT:

Here I found it on the BDS Technical Overview..


Encrypting data that the BlackBerry Device
Service and devices send to each other over
the BlackBerry Infrastructure


To encrypt data that is in transit between the BlackBerry Device Service and devices in your organization, the BlackBerry
Device Service and devices use BlackBerry transport layer encryption. BlackBerry transport layer encryption is designed to
encrypt data in transit over the BlackBerry Infrastructure.
Before the BlackBerry Device Service and devices send data to each other, they compress the data, encrypt the data using
message keys, and encrypt the message keys using the device transport key. When the BlackBerry Device Service and
devices receive data from each other, they decrypt the message keys using the device transport key, decrypt the data, and
then decompress the data.
The BlackBerry Device Service and devices use AES-256 in CBC mode as the symmetric algorithm for BlackBerry transport

[Romdeau]

Can you provide a whitepaper that BES 10 doesnt encrypt and compress data before it goes to the device? I have spoken with RIM support and have RIM engineer onsite and all said to us that it does. Our company also have an NDA with RIM so I dont thing they will lie to us. Also even with the MS Enterprise License Agreement, do you really want all your users to be able to activate any device they want? I'm pretty sure you already know that the Hub CAS server do have their limitation and your server may not be spec to handle that much simultaneous connection...

Let me be clear on the ActiveSync connection I mentioned. When I said backup route, I meant your traffic gets re-routed to let say a different office. I know it's not the norm but we have offices around the world and sometimes there are situation that traffic has to be re-routed to go to a different office and that means your gateway changes hence the ActiveSync is not 100% dynamic enough compare to ActiveSync manage by BES.
*SNIP for brevity*

I never said anything about encryption. If they do compress the data as stated its at a level no where near BES5, as my BB10 users have comparable data volumes to people running iOS/Android. A quick google search shows a lot of people complaining about the volume of data BB10 devices are using. As such the compression is at a level where its not a compelling argument for using BES based off of my experience, and seemingly that of many others. YMMV.

Activesync doesn't allow users to activate any device they want provided your exchange admin has setup activesync correctly. Depending on whether you're worried about the kind of devices being registered (can be managed with ABQ as of Exchange 2010) or just end user enrollment in general this can all be disabled from standard exchange. If you're serious about using BYOD in an enterprise configuration you're going to be using an MDM anyway.

As far as too many exchange connections goes; if your Exchange Server can't handle the volume of devices you're attaching having a BES in between isn't going to change the issue that your Exchange is overloaded, it may even make it worse.

For your strange failover scenario i can't see what you're describing. On Exchange, assuming that DAG or some other HA email scenario is in place provided my device can find a valid SCP to an Edge Transport device i will have access to my email from any site office. Given how you're describing your scenario (traffic being routed out of a different endpoint, perhaps on an MPLS?) the edge transport service should be contactable from that endpoint anyway. If i'm not understanding your scenario please feel free to clarify.

Essentially this thread comes down to "Do i need a BES to use my BB10 in business" and the answer is no, probably not for what i would hazard a guess is the vast majority of BB10 users. If the company the OP worked for had serious data sensitivity concerns then he wouldn't have been able to enroll his device himself in the first place.

[johnnyuk]

BES10 no longer compresses your email, as BES 10 is really just an MDM now, email is still activesync its just passed through BES10 as a gateway.

Incorrect. BES10 is the ONLY way to have the same compression and encryption in transit that you used to get on BES5, but it's only for the data transmitted/received by the Work Space of the activation on the phone as that goes through the NOC. Personal Space data transmitted/received does NOT benefit from the compression, encryption and transit through the NOC.

Most people find that after switching to a BB10 device their data usage volume rises significantly compared to legacy BB devices.

That's because the data being transmitted/received by the Personal Space is not compressed.

Licensing wise Exchange CAL's (standard or enterprise) are licensed per user, so there's no licensing issue there.

Exchange CALs can be per user OR per device. It depends entirely on the company's/organisation's licensing agreement with Microsoft. In my organisation work owned devices are licensed for Exchange per decvice while personally owned BYOD devices are licensed per user.


Posted via CB10

[SamFromDowntown]

BES10 no longer compresses your email, ...

Are you sure this is correct?

[tk-093]

I'm on Exchange active sync and I feel the BlackBerry Balance feature is amazing.. right now, my IT admin can wipe my phone including the personal side. With balance enabled, your personal data is secure..

Actually as a BES10 Admin I still have the option to wipe your entire device if I so desire.

[Cesare21]

Actually as a BES10 Admin I still have the option to wipe your entire device if I so desire.

Thanks for the tip. Good to know. But generally and logically speaking, will you as a BES10 admin wipe my personal side when all my work related data is on the work side of things?