1. Roveer's Avatar
    Soon I'll be coming from an old BB 7 BES 4.1.4 environment to BES 12. I need to have an understanding about network security if I wanted to support Android (Priv) or IOS devices.

    In my old BES 4.1.4 world I didn't have to open any inbound ports to make it work. It was what I called an outbound only solution. I liked that because I'm not an IT administrator, we are a very small company. I really didn't have ANY inbound ports open to my MS server and therefore could feel a little more comfortable that I wasn't getting attacked from the outside at least.

    Fast forward to today and I'm working on BES 12 in my test environment. Right now I've got 2 BB 10 devices that I've been playing with and again, still don't have to open any inbound ports. Loving it.

    BUT...

    Looking at the Priv I'm guessing that it will be treated like an android device which would require activesync ports to be open in order to make it work? Throw IOS on top and it's a must. Now I'm horrified. I don't have any time in my world to defend a MS Server against outside attacks because I've opened ports.

    Can anyone shed any light on this? Does supporting Android and IOS really raise the security threat as I am thinking or am I overthinking this? I've been comfortable with the thought that all my ports were closed tight as a drum before and it really terrifies me to think about opening anything but I would hate to have to pass on Priv because of it.

    Roveer
    10-19-15 03:50 PM
  2. BB-JAM215's Avatar
    I'm interested in this, but can't offer you much advice, except that you should get more informed input from this forum than from your other post in the Priv forum.
    10-19-15 04:02 PM
  3. chasdrury's Avatar
    If you use a gold activation on iOS and Android with secure workspace you still only need outbound 3101 and internal only activesync. MDM only controls need external facing activesync.

    Posted via CB10
    10-20-15 04:45 AM
  4. Roveer's Avatar
    What what!!! I totally missed that in the literature. That's pretty huge in my book. I was under the impression that anything other than a BB10 device required activesync inbound ports. I'm going to confirm this with my BB contact. Thanks for providing this information. It changes a lot for me and opens up lots of possibilities.

    I plan on using Gold because I want to LOG SMS logs and found that I was going to need gold in order to do that.

    Roveer
    10-21-15 06:38 PM
  5. chasdrury's Avatar
    What what!!! I totally missed that in the literature. That's pretty huge in my book. I was under the impression that anything other than a BB10 device required activesync inbound ports. I'm going to confirm this with my BB contact. Thanks for providing this information. It changes a lot for me and opens up lots of possibilities.

    I plan on using Gold because I want to LOG SMS logs and found that I was going to need gold in order to do that.

    Roveer
    Ok, you really don't need to 'check it with your BlackBerry contact'. Check the literature. It's in there. I am responsible for a BES12 environment with thousands of devices. It works.

    Posted via CB10
    10-22-15 01:26 AM
  6. chasdrury's Avatar
    For BlackBerry devices you need port 3101 open to xx.srp.blackberry.com and for iOS / android you need xx.bbsecure.com

    There is another name for secure connect plus I think it's xx.turnb.bbsecure.com but need to check.

    Xx = your country.

    Posted via CB10
    10-22-15 01:28 AM
  7. chasdrury's Avatar
    10-22-15 01:30 AM
  8. deiop's Avatar
    You do not need SWS on android. You can use android for work with BlackBerry Secure Connect Plus. BSCP is 3101 connection.

    Posted via CB10
    10-22-15 10:26 AM
  9. chasdrury's Avatar
    You do not need SWS on android. You can use android for work with BlackBerry Secure Connect Plus. BSCP is 3101 connection.

    Posted via CB10
    Same principle though. And you need a Gold flex license for AfW. The point I was making was that you can't have only port 3101 and Silver.

    You could use KNOX with gold flex too and 3101 only

    Posted via CB10
    10-22-15 01:01 PM
  10. zephyr613's Avatar
    10-22-15 02:07 PM
  11. Roveer's Avatar
    Let me clarify. This seems to have stumped the BB sales tech support (either that or they are just slow to respond). They are asking lots of questions and have not provided a definitive response other than to say MDM only does not require, but what about email?

    So my particulars:

    On Site Exchange NOT exposed to the internet, POP3 connector on SBS 2011, Prem BES 12, Gold License.

    Right now I have a test environment with a Q10 and Classic activated. No inbound ports open at all. Working just fine.

    So in this configuration I can activate Android and IOS devices the same way under gold license, not requiring any inbound ports for Activesync?

    My main motivation would be for Priv. The company owner is pretty picky about hardware and I don't know that most Android or IOS would ever suit his needs. Pretty adamant about keeping physical keyboard. Current plan is Classic, but man that thing is heavy. That is coming from Torch.
    10-23-15 11:06 AM
  12. chasdrury's Avatar
    Let me clarify. This seems to have stumped the BB sales tech support (either that or they are just slow to respond). They are asking lots of questions and have not provided a definitive response other than to say MDM only does not require, but what about email?

    So my particulars:

    On Site Exchange NOT exposed to the internet, POP3 connector on SBS 2011, Prem BES 12, Gold License.

    Right now I have a test environment with a Q10 and Classic activated. No inbound ports open at all. Working just fine.

    So in this configuration I can activate Android and IOS devices the same way under gold license, not requiring any inbound ports for Activesync?

    My main motivation would be for Priv. The company owner is pretty picky about hardware and I don't know that most Android or IOS would ever suit his needs. Pretty adamant about keeping physical keyboard. Current plan is Classic, but man that thing is heavy. That is coming from Torch.
    Yes. Gold licenses. No need for anything else apart from xx.bbsecure.com needed on port 3101 as well as xx.srp.blackberry.com. If you want to use android for work also open xx.turnb.bbsecure.com on port 3101

    Posted via CB10
    10-23-15 11:12 AM
  13. Roveer's Avatar
    Just checking. The 3101's are all outbound as far as I can see from looking at the documentation correct? I'm getting ready to blast the BB sales technical support. I gave them the same information (over 2 days ago) that I gave you guys and you've given me far more information than they have. I guess I've confused them.

    What can I say. Thank you for the information that BB has yet to provide.

    Roveer
    Last edited by Roveer; 10-23-15 at 12:44 PM.
    10-23-15 11:27 AM
  14. chasdrury's Avatar
    Outbound initiated, bidirectional as per for regular bb10 devices.

    Posted via CB10
    10-23-15 12:56 PM
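
The policy this thread arrives at (no inbound allow rules, outbound 3101 only to the BlackBerry host names mentioned above) can be checked mechanically against a firewall rule export. The following is an added example, not part of any poster's reply and not BlackBerry code; the `Rule` layout and the sample rules are constructed, and the host suffixes are taken as stated in the thread, unverified.

```python
from dataclasses import dataclass

# Host suffixes as named in the thread; the "xx" country prefix is any label.
ALLOWED_SUFFIXES = ("srp.blackberry.com", "bbsecure.com")
BES_PORT = 3101

@dataclass(frozen=True)
class Rule:              # hypothetical export format, one row per firewall rule
    direction: str       # "in" or "out"
    action: str          # "allow" or "deny"
    port: int
    remote: str          # remote host name, or "any"

def host_allowed(host: str) -> bool:
    """True only for subdomains of an allowed suffix (match on a dot boundary)."""
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit(rules):
    """Return (rule, reason) pairs that break the outbound-only policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "in":
            findings.append((r, "inbound allow rule exposes the server"))
        elif r.port == BES_PORT and not host_allowed(r.remote):
            findings.append((r, "outbound 3101 to a host outside the BlackBerry names"))
    return findings

# Constructed sample rule set (not from the thread).
SAMPLE_RULES = [
    Rule("out", "allow", 3101, "xx.srp.blackberry.com"),
    Rule("out", "allow", 3101, "xx.bbsecure.com"),
    Rule("out", "allow", 3101, "xx.turnb.bbsecure.com"),
    Rule("out", "allow", 3101, "any"),                          # too broad
    Rule("out", "allow", 3101, "xx.bbsecure.com.example.net"),  # look-alike name
    Rule("in", "allow", 443, "any"),                            # published ActiveSync
    Rule("in", "deny", 3389, "any"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.direction:3} {rule.port:5} {rule.remote:30} {reason}")
```

The suffix check matches on a dot boundary, so a name that merely contains or ends with the text `bbsecure.com` without being a subdomain of it is reported rather than allowed.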
