1. drbgt3
    I set up RSA on our BES and everything is working fine. I can authenticate with RSA on the BlackBerry. The question I have is why is it that I can still send and receive email without being authenticated with RSA? From what I have read it sounds like you only need to be authenticated when you are using an internal app. Is there a way to configure the BlackBerry to need the RSA authentication in order to process email?
    03-19-09 09:28 AM
  2. necr0tic
    you're trying to set it up so that in order to send/receive messages, you have to enter the token code? you want them to enter the token code for every message or on a session by session basis? I admin both BES 4.1 and RSA SecurID 6.1 so I'm very curious about what you're trying to do.
    03-19-09 09:32 AM
  3. drbgt3
    Well, I don't really want to do this, but my company wants to have dual authentication set up. They want to have users unlock their BB and then have to authenticate with RSA to send and receive email. I am guessing this would be on a per-session basis with a timeout.
    03-19-09 09:46 AM
  4. necr0tic
    I don't see how a session w/ timeout would work for email unless you force the user to use web mail? which ultimately would defeat the purpose of the BlackBerry. BlackBerry push mail isn't a "session" that can time you out. it just doesn't work that way. RSA SecurID has software tokens for BlackBerry, though. have you gone through their admin guide? would that satisfy the company's requirements? feel free to IM me on AIM, if you want.
    03-19-09 10:12 AM
  5. drbgt3
    Yeah, I didn't think it would work like that. So, you don't think it is possible to get RSA authentication to work on email? So, by turning on RSA in the MDS connection what exactly does that put RSA on?
    03-19-09 11:38 AM
  6. rrrebo
    Oh my, they want their employees to have to stop what they are doing no matter where they are to whip out their BlackBerries and enter a tokencode every time an e-mail comes in? That completely and utterly defeats the purpose of having BES! Give them iPhones or Treos and be done with it. BES push is supposed to be close to realtime, and ongoing. BB uses triple-DES encryption that's good enough for the US government.

    Is there a client app on the handheld itself that could compute the tokencode on the fly? We used to deploy soft-tokens like that on company PCs.

    No offense, and maybe I'm not up on RSA's technology curve, but this seems like a fairly ludicrous request.
    03-19-09 11:46 AM
  7. necr0tic
    > Yeah, I didn't think it would work like that. So, you don't think it is possible to get RSA authentication to work on email? So, by turning on RSA in the MDS connection what exactly does that put RSA on?

    that would apply RSA to applications, I think. if, for instance, you've made internal apps available via MDS you can require a token code for that. you might want to call RSA directly, assuming you have a valid support contract.

    I think the purpose of RSA software tokens is also to allow use of the BlackBerry itself to generate token codes as well as provide access to VPN resources. if that makes sense?

    try to impress upon whoever came up w/ this idea that A) it's not technically feasible and B) it serves no real purpose. keep me updated, please. I'm very curious about this.
    03-19-09 12:05 PM
  8. drbgt3
    Yeah, this was not my idea at all! I think BES works fine just the way it is. Unfortunately, the upper management of my company is obsessed with security. So much that it is beginning to affect production. Thanks for all your help.
    03-19-09 12:54 PM
  9. necr0tic
    I have the same problem here.
    03-19-09 01:13 PM