1. Xayinn
    Hi,

    At the moment, I have a BES5 in my organisation, but we're looking at the possibility to upgrade to BES10 / BB10.
    We're also using Microsoft Exchange and Active Directory. The IT department has set a policy that users must change their password every month.
    For our existing Blackberries, this is not a problem, because (if what I've read is true) it's the BES5 Service Account that accesses the user's mailbox, so a password change of the user account is not relevant, and their Blackberry just keeps working, without the need to enter the new password or anything.
    We also have some iOS devices here and there, but they're a real nightmare, because they're locking out user accounts every single month, due to saved passwords on the device!

    Now I was wondering, since BB10 also uses the ActiveSync protocol, how do those devices react to password changes?
    I suppose that, if they aren't connected to the BDS, they can also cause account lockouts, but what if they are?
    Is the BDS accessing the mailboxes with the Service Account, like BES5, or does it simply provide the information (username, domain, etc.) to setup an ActiveSync session directly to Exchange (thus completely bypassing the BDS)?

    Much appreciated if anyone can clear this up!
    02-23-13 04:44 PM
  2. anon(2523636)
    The BDS does not access the mailbox. Your device is talking direct via Activesync (via a BDS tunnel).
    Like any Activesync device you should get prompted to enter the new one as the existing one is now 'incorrect'. It can be problematical though, mainly because if the password expires and the user is only on the Activesync device the user does not know the password is expired (only 'incorrect') and will just re-enter their existing password (often repeatedly until lockout). You cannot change the password via Activesync.
    02-24-13 04:06 AM
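The failure mode described in the post above (a device replaying a stale password until the account locks out) normally has to be traced to a specific device before the help desk can do anything about it. The example below is added here and is not part of this thread; it does that triage from the Exchange Client Access server's IIS log. It reads the W3C `#Fields:` header, keeps only 401 responses to `/Microsoft-Server-ActiveSync`, and groups them by the `User` and `DeviceId` query parameters that every ActiveSync request carries. The log lines, account names, device IDs and the lockout threshold of 5 are constructed for illustration; the Win32 status 2148074252 in the sample is 0x8009030C (SEC_E_LOGON_DENIED), which IIS commonly records when the supplied password is rejected.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample of an Exchange Client Access server IIS log (W3C format,
# default field set). Five 401s from one iPhone for jblow, one 401 followed by
# a successful sync for asmith. Not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-03-14 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=CORP%5Cjblow&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone5C1/1001.525 401 1 2148074252 15
2013-03-14 08:00:31 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=CORP%5Cjblow&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone5C1/1001.525 401 1 2148074252 14
2013-03-14 08:01:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=CORP%5Cjblow&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone5C1/1001.525 401 1 2148074252 16
2013-03-14 08:01:31 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=CORP%5Cjblow&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone5C1/1001.525 401 1 2148074252 15
2013-03-14 08:02:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=CORP%5Cjblow&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.7 Apple-iPhone5C1/1001.525 401 1 2148074252 15
2013-03-14 08:02:10 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=CORP%5Casmith&DeviceId=DEF456&DeviceType=SmartPhone 443 - 198.51.100.9 RIM-Z10 401 1 2148074252 12
2013-03-14 08:02:40 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=CORP%5Casmith&DeviceId=DEF456&DeviceType=SmartPhone 443 CORP\\asmith 198.51.100.9 RIM-Z10 200 0 0 120
"""

EAS_PATH = "/microsoft-server-activesync"


def parse_iis_log(text):
    """Turn a W3C-format IIS log into a list of dicts keyed by the #Fields names.

    The field list is taken from the header rather than hard-coded, because
    administrators add and remove columns; lines whose column count does not
    match the header are skipped instead of being guessed at.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_lockout_candidates(records, threshold=5):
    """Group ActiveSync 401s by (user, device, device type, client IP) and return
    the groups with at least `threshold` failures, most failures first.

    `threshold` should be set to the domain's account lockout threshold; a
    device that hits it on its own is the one to go and fix.
    """
    failures = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"].lower() != EAS_PATH or r["sc-status"] != "401":
            continue
        q = parse_qs(r["cs-uri-query"])
        # ActiveSync sends DOMAIN\user URL-encoded; keep only the sAMAccountName.
        user = q.get("User", ["?"])[0].split("\\")[-1].lower()
        device_id = q.get("DeviceId", ["?"])[0]
        device_type = q.get("DeviceType", ["?"])[0]
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        failures[(user, device_id, device_type, r["c-ip"])].append(ts)

    candidates = []
    for (user, device_id, device_type, ip), times in failures.items():
        if len(times) < threshold:
            continue
        times.sort()
        candidates.append({
            "user": user, "device_id": device_id, "device_type": device_type,
            "client_ip": ip, "failures": len(times),
            "first": times[0], "last": times[-1],
        })
    candidates.sort(key=lambda c: c["failures"], reverse=True)
    return candidates


if __name__ == "__main__":
    for c in find_lockout_candidates(parse_iis_log(SAMPLE_LOG), threshold=5):
        print(f"{c['user']}: {c['failures']} failed ActiveSync auths from "
              f"{c['device_type']} {c['device_id']} at {c['client_ip']} "
              f"between {c['first']:%H:%M:%S} and {c['last']:%H:%M:%S}")
```

Run it against the real log directory (`C:\inetpub\logs\LogFiles\W3SVC1\` by default on the CAS) after a Windows event 4740 names the Exchange server as the caller computer; the device ID and type it prints are what the help desk needs to tell a user "it is the iPhone, not the desktop".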
  3. aragone79
    You can change the password by accessing the OWA website through the browser on the Z10. Your case is the same as mine.
    02-24-13 04:35 AM
  4. VariisNetworks
    Ah, that's going to be a pain for support staff. The password dilemma continues for help desks around the world... lol
    02-25-13 12:48 PM
  5. Xayinn
    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
    02-25-13 02:08 PM
  6. smoothrunnings
    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
    Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.
    02-28-13 07:25 PM
  7. aragone79
    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
    I think your IT and mine need to be updated. Using domain credentials is a traditional way. Better for IT to use EAP-SIM for the mobile handset or use MAC address for both mobile and workstation.

    That sounds better.
    03-01-13 01:18 PM
  8. Xayinn
    Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.
    I've used an HTC Desire X for a month. The browser (Chrome) was great; definitely a great improvement over my BB 9360. The large amount of apps was also nice (though I'm not really an app addict). But other than that, I wasn't very enthusiastic about it. The standard ActiveSync client is rubbish; you can't even push a profile from BES10. And I missed some key EAS features, like my memopad. Of course you can install TouchDown mail, which does support EAS profiles and memopad, but that's another $10-20.... Also, the shady "multitasking" frustrated me: I want to close an app when I'm not planning to use it again any time soon. But Android doesn't offer that option. All apps just seem to run in the background, somehow...
    After that month, I kinda had enough of Android and took my 9360 off the shelf. According to my experience, I wouldn't advise anyone to use Android as a company phone OS.

    I don't have that much experience with iPhone, but it definitely is more CxO-proof than Android (more user-friendly, less chance that they mess something up). But it's insanely expensive (the newest one at least), and Apple isn't quite the innovator anymore (since Jobs passed away...).

    But as far as the password problem is concerned, there's no reason why I would pick iOS/Android over BlackBerry as a company phone. It's just that BlackBerry lost a reason why I should pick them.


    I think your IT and mine need to be updated. Using domain credentials is a traditional way. Better for IT to use EAP-SIM for the mobile handset or use MAC address for both mobile and workstation.

    That sounds better.
    I've never heard of EAP-SIM before. I'm gonna look into that.
    We do use MAC address authentication on a network level: when someone plugs an unknown PC in the switch, it gets rejected until the MAC address is entered in the switch by an administrator.
    The downside of MAC address authentication is that you will regularly (depending on the size of your company) get requests to add/delete MAC addresses when a new PC is installed.
    Also, MAC spoofing isn't all that hard, so it raises some security concerns as well.
    03-01-13 02:14 PM
  9. smilloy519
    You can change the password by accessing the OWA website through the browser on the Z10. Your case is the same as mine.
    What do you mean by owa website?

    This problem is starting to give me headaches.

    Our IT policy forces PW changes every month like the other poster above.
    I currently only have 10 Z10s on the BES and I've gotten the question from 8 out of the 10 users as to why their devices "stopped working".

    It turns out they changed their PW on their Desktop, and the BB never prompted them to enter the up to date one, thus leaving the work portion of the device "dead".

    My problem is two fold.
    1. Why is it not prompting some users? (When I changed my PW it took 4h for the device to realize it was out of date, and then it prompted for the PW. During those 4h emails still worked.)
    Meanwhile just today I had this problem with 2 users. One had to reboot the device to get the prompt (and be allowed to change the PW), the other simply got no prompt.

    2. How do I manage users who either (A) don't use any form of work desktop, or (B) are away from their work desktop for extended periods (i.e. vacation)?
    A is fairly easy, I can just set it for the PW not to expire.
    B is going to cause issues down the line. What am I supposed to tell the owner, when he goes on vacation for a few weeks, and his PW expires while he is away? He now has no way of communicating with me other than BBM/Text/Phone etc. I would then have to change his network PW for him, then send it to him, then have him change it.
    (And that's assuming he even notices the PW expired, since it doesn't seem to give prompts sometimes.)


    Little things but seem to cause the biggest headaches.
    03-14-13 12:20 PM
  10. AquaGoat
    aragone79 was referring to the Outlook Web Application. If you set this up on your exchange, if one of your users is away from the office when the expiry hits he can log on to the OWA with his old credentials, which will prompt him to create a new password.

    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
    03-14-13 01:55 PM
  11. smilloy519
    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
    Or the sticky note on the monitor with their PW, since the requirements for a unique PW are so outrageous the user simply can't remember it.
    03-15-13 07:31 AM
  12. AquaGoat
    Or the sticky note on the monitor with their PW, since the requirements for a unique PW are so outrageous the user simply can't remember it.
    On the monitor...too easy. I'll be really clever and hide it under my keyboard. No one will look there.
    03-15-13 08:15 AM
  13. smoothrunnings
    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
    This is why you enforce complexity on passwords, so that ones like daughtername13 are rejected by AD. Failing to enforce complexity on passwords is a management problem, not a user one. So if Joe Blow's account is compromised, management should take the fall for not properly setting up password security in their own organization.
    04-04-13 11:59 AM
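The two posts above pull in opposite directions: one says an incremented password is trivial to guess, the other says the complexity policy catches it. The example below is added here and is not from this thread. It implements the Windows "Password must meet complexity requirements" rule as Microsoft documents it (six or more characters, three of the five character categories, and neither the samAccountName nor any displayName token of three or more characters present in the password) so the reader can check for themselves what that rule accepts, and then adds a separate similarity check against the previous password. That second check is an assumption about extra policy a self-service password-change page could apply, since a change request carries both the old and the new password; Active Directory's built-in complexity check does not compare against the previous password. The account names and passwords are constructed for illustration.

```python
import re

# Delimiters the documented Windows complexity check uses to split displayName
# into tokens: comma, period, dash, underscore, space, pound sign, tab.
DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]")


def meets_ad_complexity(password, sam_account_name="", display_name=""):
    """Windows 'Password must meet complexity requirements', as documented.

    Returns True when the password is at least six characters, does not contain
    the samAccountName (checked only if it is 3+ characters), does not contain
    any 3+ character token of the displayName, and uses at least three of the
    five categories: upper, lower, digit, non-alphanumeric, other alphabetic.
    All substring checks are case-insensitive, as in Windows.
    """
    if len(password) < 6:
        return False
    pw = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return False
    for token in DISPLAY_NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in pw:
            return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(categories) >= 3


def levenshtein(a, b):
    """Edit distance between two strings using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Trailing digits and the symbols people append to satisfy a complexity rule.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*]+$")


def looks_incremented(old, new, max_edits=2):
    """Assumed extra policy (not part of AD): flag a new password that is the
    old one with its trailing digits/symbols bumped, or that is within
    `max_edits` single-character edits of it."""
    old_stem = TRAILING_JUNK.sub("", old.lower())
    new_stem = TRAILING_JUNK.sub("", new.lower())
    if old_stem and old_stem == new_stem:
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def evaluate_change(old, new, sam_account_name, display_name):
    """Decision a password-change endpoint could return: (accepted, reason)."""
    if not meets_ad_complexity(new, sam_account_name, display_name):
        return False, "does not meet complexity"
    if looks_incremented(old, new):
        return False, "too similar to previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed cases for the 'Joe Blow' account used in the thread.
    for old, new in [("daughtername12", "daughtername13"),
                     ("Daughtername12!", "Daughtername13!"),
                     ("Daughtername12!", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new, 'jblow', 'Joe Blow')}")
```

Note what the complexity rule alone accepts: `daughtername13` is refused (only two categories), but `Daughtername13!` passes with four, and so does `Daughtername14!` the month after. Only the similarity check, which needs the old password at change time, refuses the rotation.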
  14. Sith_Apprentice
    You can try the DoD route and not use AD username/pw and instead use smart card logon (or force it better yet), then you cannot use BB10 yet. :-p
    04-06-13 07:54 PM
  15. BarrySaunders
    Hi there

    No real answer to your original query but I have the same issue.
    Our workforce has a large number of users that don't have a desktop at all and our support is a nightmare.

    We have deployed BES 10.1 and are supporting both Apple and BES 10 devices.

    There is good and bad news:
    Both act in a similar fashion to password changes.
    Bearing in mind that all now happens via Activesync we observed the following:
    "When changing the active directory password at a desktop, the mobile device continued to work unaffected with no prompt. We tested each hour and still no prompt - till the next day when we were prompted which confused the end-user as the two events were seemingly unrelated/unconnected. We suspect that BES went off around midnight and refreshed from the Global catalogue, found a change and caused the prompt"
    "Next time we repeated the above, we got prompted after 15 mins (device remained connected during this time) which we think is the default for Active Directory or ActiveSync ?"
    "Why the difference ? We suspect that the device lost connection in the 1st instance but can't be sure"
    "We then tried switching the device off over the weekend, changed the password and returned to be prompted on Monday morning"

    Now the good news is that this worked for the Apple (via UDS) in the same way as the BB10 device. Previously the Apple simply locked out....
    The challenge is understanding what is taking place as opposed to guessing.

    Is there anyone out there that can actually comment on how it should work (in theory) that can help me get a better understanding ?

    Thanks in advance....
    06-21-13 09:26 AM
  16. Sith_Apprentice
    Both situations you listed above would be AD related, not BES related. If the AD password changes, the BlackBerry should stop communicating (because of ActiveSync) relatively quickly (15 minutes is about right). The fact that it took an entire day the first time means any changes likely didn't propagate through your network until that point. The BES doesn't have anything to do with this aspect of it, so for a root cause I would check your DCs. Perhaps point the BES to the primary DC instead of a child?
    06-21-13 09:57 AM
  17. smoothrunnings
    You can change the password by accessing the OWA website through the browser on the Z10. Your case is the same as mine.
    Please note this feature you are talking about must be enabled by the IT Administrator on the server otherwise it doesn't work.
    06-21-13 11:18 AM
  18. chasdrury
    Use certificate authentication. Then you don't need a password.

    Posted via CB10
    06-21-13 04:19 PM
  19. jj482
    Use certificate authentication. Then you don't need a password.

    Posted via CB10
    That's what I'm thinking. We were going to let our BES infrastructure die but I'm going to push for a POC

    My understanding is the BES can help with client certificate enrollment or at least assignment


    Posted via CB10 on my sweet Z10
    06-21-13 04:44 PM
  20. BarrySaunders
    Yup, I figure this has to do with AD or ActiveSync rather than BES.

    Did some further testing.
    Set up BES 10 UDS library ActiveSync Profile:

    1. On the menu bar, click Library.
    2. In the Microsoft ActiveSync pane, click the + icon.
    3. In the Profile name field, type the profile name.
    4. In the Credentials drop-down list, perform one of the following actions:
    • Select None for basic authentication (for example, using a username and password).
    • For iOS devices, if you select Certificate as the authentication type and Single reference as the type of certificate
    linking, in the Certificate identifier drop-down list, select a certificate.
    • For iOS devices, if you select Certificate as the authentication type and Variable injection as the type of
    certificate linking, type the profile name of the certificate profile. For SCEP, type scep-<SCEP_profile_name>-
    %UserName% where <SCEP_profile_name> is the name of the SCEP profile. If the Microsoft ActiveSync profile is
    for one user, type the username instead of %UserName%.
    5. Type the domain name of the Microsoft ActiveSync server.
    6. In the Email address field, perform one of the following actions:
    • If the profile is for one user, type the email address of the user.
    • If the profile is for multiple users, type %UserEmailAddress%.
    7. Type the host name or IP address for the Microsoft ActiveSync server.

    Now at this point we entered the ActiveSync Server Address.
    We then forced the password change at the AD level.
    This take around 10 minutes to fully replicate in the environment.
    Using Wi-Fi the device almost immediately prompts for a password authentication - proving the AD reset has taken place.

    However, via the GSM network, it can take between 15min-24hours.....
    As a further test while waiting :
    1. Switched the device off for 15 min
    - result was that the old password continued to work until eventually prompted (up to 24 hours)

    2. Switched to Aeroplane Mode
    - Waited at least 10 min
    - Switched back and was prompted immediately for the new password

    3. No matter what, it always prompted the next day.....

    Okay, we think ActiveSync is the delay, although we can't find where, but logically:
    AD change --> ActiveSync --> IIS (?) ---> UDS ---> Device

    Now I think that the iOS devices can't talk to AD directly ? only ActiveSync ?
    So if we could point the UDS at AD rather than ActiveSync we would avoid the delay and have a role for UDS....

    AD <----------> UDS <---------------ActiveSync------> iOS device

    Not sure of the above but it would need us to use an Active Directory server address rather than an ActiveSync Server Address in the profile definition.
    Is this what you are suggesting with the DC above ?

    Am I making any sense here ?

    Seems MobileIron, Airwatch, Maas360 etc all claim AD capability in their features...... Is this a differentiator in the scenarios above ?

    Any new ideas ?
    07-01-13 01:39 PM
  21. tk-093
    I know this doesn't really help your issues now, but changing your password every 30 days seems a little much, IMO. I think the Microsoft best practices guide for accounts suggests 42 days for a Medium and a High security company. We are actually doing 90 days.

    Now that BES10 has gone ActiveSync, I think Good Mobile Messaging might be the only MDM left that does the account impersonation that BES5.x did.
    07-02-13 01:16 PM
  22. bawoodvine
    Sorry, no new ideas, but will add that we are seeing this as well. On both devices through MDM and BES10 servers, so it's definitely related to ActiveSync. I've found some articles referencing delays, but nothing recent or definitive.

    We use an MDM for iOS and Android, and I can tell you that any AD integration they offer is unrelated to the email traffic or the Exchange account authentication. That is still reliant on ActiveSync, so the issue has to be somewhere in the AD to ActiveSync communications. One thing to check is replication between AD sites if you have a user connected to one and changing their password, but their device using a different site for authentication. This isn't the issue for us though.

    Anyone?
    07-18-13 03:32 PM
  23. smoothrunnings
    Call Microsoft PSS and ask them!
    07-27-13 08:18 AM