- Hi
We have a new BES 10.2 installation & are looking to set up relevant policies before adding real users. I would like to know if anyone has developed policy template docs we could look at.
I have searched around & I know there are the BES10_v10.2_BDS_Policy_and_Profile_Reference_Guide_en.pdf & BES10_v10.2_UDS_Advanced_Admin_Guide_en.pdf that explain the individual options. Rather than re-invent policies from scratch, I would like to know what others have set, especially for scenarios like:
- BlackBerry Balance BYOD
- Regulated BlackBerry Balance
- Secure Work Space iOS
- Secure Work Space Android -can prob work that one out
- Restricted Bluetooth on corporate side, but allowing handsfree in car etc. ideally with access to corporate contacts
Not looking to lock them down so much that it becomes a waste to buy a BB10 handset, but need to reasonably secure work side.
Thanks - John
12-16-13 11:11 AM
- Sith_Apprentice, Mod Team Emeritus
I can write something up for you, but it really depends on WHAT you want to secure and your specific environment. There will be little I can suggest other than some basic things to enforce some security. Can you detail what exactly you are trying to do in different scenarios (a paragraph or a few sentences on each would help) to make sure I have the same understanding you do? Generic templates, or even specific ones from other companies or agencies won't necessarily help you.
12-17-13 06:46 AM
-
In fact... I will do you one better and provide you with the exact text I sent to my management which they agreed to:
----
The following is my attempt to recap our conversation as to where the email team is currently headed, which is to leverage our new BlackBerry Enterprise Service 10 infrastructure that provides services for our BlackBerry 10 (and later) devices, to also provide MDM capabilities to iOS and Android devices. As a reminder the current directive from management is that only iOS devices will initially be considered for GFE, but that iOS and Android devices could be supported for POE (BYOD).
-History-
The email team initially looked at managing the GFE and POE using two different sets of standards, so that GFE equipment could be completely "locked down" as per the old way of managing BlackBerries, but also so that POE could be used for personal use while also accessing permitted government resources in a secure manner. The more we looked at this model and how it could be potentially deployed consistently across the 3 platforms (BlackBerry, iOS, and Android), the more we ran into implementation road blocks. Essentially we were trying to create 2 standards for all 3 device types, for a potential of 6 different configuration scenarios, but that became a moot point when we discovered the non-BlackBerry devices did not provide the same level of control through any MDM solution today. For example BlackBerry 10 devices can be fully locked down (in a "Regulated" mode) similar to how the old BlackBerries were, but iOS and Android devices being first and foremost consumer devices are not currently built to support a complete device lockdown.
Being left with a scenario where we could not completely lock down the iOS or Android devices, we started to ask ourselves why would we then try to completely lock down a BlackBerry device, and the only reason we could come up with is because that's just what we have done in the past. That historical model of a complete device lockdown, which renders a device all but useless from a personal perspective, is also what causes (it is still happening today with the old BES system) users to "throw the device in a drawer" and forget about it which is something we would very much like to avoid both from a resource waste but it also impacts the infrastructure having email queued up indefinitely. Tangentially Government regulations have changed over time to allow users to use GFE for personal use as long as there is little to no cost to the agency and the user follows rules of behavior, so some of the concerns for locking government equipment down do not apply today. So without a substantial reason to completely lock down the BlackBerry devices going forward, and the inability to do so on the iOS and Android devices, we decided to change our approach to a single shared personal and work device model which could be applied across all 3 device types, and prevent the perception of "punishing" just GFE BlackBerry users with a locked down environment.
We re-approached the BlackBerry MDM capabilities with this new shared personal and work device model, and quickly determined that BlackBerry 10 devices supported this "out of the box" very nicely with what is called "BlackBerry Balance" (which is their "Corporate" mode). BlackBerry Balance completely separates personal and work spaces on the BlackBerry 10 devices, and all of the work data and applications are protected on the segregated and secured work side. More on Balance here:
BlackBerry Balance and BlackBerry World for Work on BlackBerry 10 | Inside BlackBerry
Believing that the secured work side of the BlackBerry 10 devices would most likely address the security requirements for connecting devices to our email system and also storing corporate data and applications on the device, we then looked to mirroring this type of approach for iOS and Android devices. BlackBerry's solution for those device types is called the "secure workspace" which essentially containerizes all of the corporate data into a self-contained FIPS 140-2 solution, and we believe this will also most likely address the security requirements for hooking these devices up to our infrastructure.
The only caveat that we are aware of so far to the secure work space for non-BlackBerry devices is that because all of the government data is in a secure container, including the email and other associated functions, the access to this data is also isolated through the secure container. This means if we rolled this technology out tomorrow, the customers would not be able to read their work email from their native device email clients that operate outside of the secure container, primarily because those clients don't support APIs to hook into an alternate email storage and retrieval mechanism (something BlackBerry is looking into with Apple and Google). While we want to provide our customers the most seamless experience possible on their non-BlackBerry GFE & POE, the email team currently believes that does not outweigh the stated advantages and others such a secure workspace provides such as providing a web browser that works through the BlackBerry server to connect users securely to the inside websites just like on a BlackBerry device.
-Summarizing-
All of this led us to present to you the approach of a true "balanced" (a play on the BlackBerry Balance phrasing) style shared personal and work space across all mobile devices, whether they are GFE or POE. This should greatly reduce customer confusion that was sure to come with different management models for different platforms including the variable of who bought the device. As a result of our discussion, you all tentatively agreed with this balanced approach as our initial starting point for mobile device management testing once BlackBerry provides us with the updated code to utilize secure workspaces on the non-BlackBerry devices.
It is my perception that the BlackBerry devices in particular will continue to provide a superior level of security, with an added attention to data segregation, due to their long history of mobile device security. However I think we should be able to adequately support and protect data on non-BlackBerry platforms using this approach as well.
With your concurrence we will present this unified direction to our management and update our documentation to reflect this 1.0 approach.
------
Since then we have moved forward with the BES 10 roll out and are going to announce production support for iOS devices (in addition to the existing support for BB 10 devices) in the next month.
I hope this helps you.
Last edited by HotFix; 12-26-13 at 12:53 PM.
12-26-13 12:17 PM
- Sorry... after re-reading your OP, I see that you are looking for configurations of the actual policies, and not the approach we took.
My apologies for the unnecessary information above. I am going to leave it in hopes that it helps you or someone else make the case to cut down on the number of different policies implemented in the BES. In the end we want our systems to be secure but also user friendly.
Unfortunately I don't feel comfortable sharing my organization's actual policy settings, but we did use the spreadsheet BlackBerry provided and reviewed them as a team with a "common sense" approach.
Again my apologies for missing your original question.
Posted via CB10
12-26-13 03:42 PM