[Bluenoser63]

Wouldn't it be more than 100% then?

Anyways, by a dumbphone you mean any other smartphone on the market such as droids or iphones, right?
Is my understanding correct that when NOC is down, you would still be able to operate personal email accounts, browse internet and connect to enterprise servers if VPN is installed from the personal side of the balance?
I hope VPN doesn't need BES or NOC, it should be direct communication like IMAP, POP3 protocols, no?

'['

That is correct. The NOC is needed for activation, after that, emails, policies and app distribution is not dependent on the NOC. And if it was a military or government implementation, there might also be something else that can be done to activate the device. Since we are talking about the Australian DOD, it isn't the same as what we see in our implementations.

[m1a1mg]

The NOC provides the secure container. So yeah, if you want unsecure, go ahead.

[m1a1mg]

BlackBerry offers another significant benefit to companies: All traffic from BlackBerry devices goes encrypted to the BlackBerry NOCs (Network Operations Centers) from where it goes to a company's (or ISP's) BES. This arrangement also provides for emails, contacts, task entries, memopad entries and calendar entries to be pushed actively out to the user rather than to wait for the user's device to initiate a synch operation.

EDIT: From here: BlackBerry Can Set EMM Standard With BES 10 - InformationWeek

[Its Spade]

Actually, it's the Brits who aren't using the correct spellings.

English came to America in the 16th and 17th Centuries, and was essentially identical to what was spoken in England. The reign of Louis XIV of France during the late 17th Century was hugely influential in Europe, and during the late 1680s, England was essentially governed by Louis XIV, with the British king being virtually appointed by him and in great debt to him. So powerful, successful, rich, and influential was Louis that all things French became extremely fashionable in England (London especially), and during this period, even the written language was altered to be "more French". This is where all of those extra letters come from.

Americans didn't take anything out; destitute England added them in, wanting to be more like the wealthy, powerful French of the day.

Ya learn something new everyday

Squircle device powered by 10.2.1.1055

[vrud]

BlackBerry offers another significant benefit to companies: All traffic from BlackBerry devices goes encrypted to the BlackBerry NOCs (Network Operations Centers) from where it goes to a company's (or ISP's) BES. This arrangement also provides for emails, contacts, task entries, memopad entries and calendar entries to be pushed actively out to the user rather than to wait for the user's device to initiate a synch operation.

EDIT: From here: BlackBerry Can Set EMM Standard With BES 10 - InformationWeek

Yeah, I'm aware of the push technology and experienced faster gmail delivery compared to android (which likely used pull).

I'm still not clear on the issue that if NOC goes down then every BB device becomes unusable.
My impression is that BB10 'personal' traffic goes directly (wifi or cellular) while 'enterprise' traffic would go through something else (either NOC or VPN).

And it's also unclear on what type of extra security NOC provides.
Some day I used VPN at home from my desktop computer. In my mind the data was encrypted on my side and decrypted on the enterprise side.
Wouldn't BB10 with personal side only achieve the same level of protection by activating VPN in settings?

This is so complicated for me but I hope my Z10 won't let me down when NOC or something else goes down.

[BigBadWulf]

If I understand how things work correctly, mist services (non BBID), would continue to function, up until you're required to sign in again. Typically that would be after OS upgrade, or any variety of phone failure.

Once you're BES though, I would defer to the expert, who really does know what he's talking about.

Edit - maybe the BL team could work on provisioning the OS, so it didn't require BBID sign in.

[bigglybobblyboo]

Ya learn something new everyday

Squircle device powered by 10.2.1.1055

Ya learn something new that's incorrect every day...

Feel It, Swipe It, Love It. BlackBerry Z10

[Sith_Apprentice]

Even on VPN BES NEEDS NOC. That is why you MUST have those ports open and a valid Srp, valid licenses etc. You would get email but literally nothing else. No data browsing, no apps, no policies, no password resets, no MDM of any kind. And if you use SCEP you would lose your email too. Actually, the more I think about it, the more you need BES for email too. That is where your email profile is held so the device gets even that from BES, which requires NOC.

So even VPN and internal WiFi configurations very much need the NOC.



Posted via CB10

[Bluenoser63]

Even on VPN BES NEEDS NOC. That is why you MUST have those ports open and a valid Srp, valid licenses etc. You would get email but literally nothing else. No data browsing, no apps, no policies, no password resets, no MDM of any kind. And if you use SCEP you would lose your email too. Actually, the more I think about it, the more you need BES for email too. That is where your email profile is held so the device gets even that from BES, which requires NOC.

So even VPN and internal WiFi configurations very much need the NOC.

Posted via CB10

Nope. Check the data flow again. You need SRP for activation, after that, the NOC can be used, but it not needed for policies, app provisioning and email.

[Bluenoser63]

On page 16 about activating a device. Here is the quote.

Note This data path is used only if communication over the BlackBerry Infrastructure is not allowed. In this scenario, the device requires a direct connection to the organization using a work Wi-Fi or VPN connection.

This means that a device can be activated without the NOC.

On page 18 again here is the documentation about email.

When users send and receive email and organizer data on a BlackBerry device, there are two communication paths that
can be used:
•Connectivity through the BlackBerry Infrastructure to the mail server that is running Microsoft ActiveSync to provide security for devices that are not connected to the organization's internal network or do not have a VPN connection
•Direct connection from the device to the mail server that is running Microsoft ActiveSync, through the VPN or over the work Wi-Fi network

No where in the documentation does it state where VPN or WiFi requires the NOC for email, activation, app distribution or policy push. If you don't agree with the documentation, don't come to me, talk to Blackberry. I am only reading the documentation that Blackberry has provided for BES 10.2. If you don't agree with the docs (they are pretty clear on how it works), I'm not to blame.

Now iOS and Android devices require the NOC for activation and most functions, but BB10 devices don't.

[Sith_Apprentice]

On page 16 about activating a device. Here is the quote.


This means that a device can be activated without the NOC.

On page 18 again here is the documentation about email.



No where in the documentation does it state where VPN or WiFi requires the NOC for email, activation, app distribution or policy push. If you don't agree with the documentation, don't come to me, talk to Blackberry. I am only reading the documentation that Blackberry has provided for BES 10.2. If you don't agree with the docs (they are pretty clear on how it works), I'm not to blame.

You are missing that the BES Needs the NOC for all that. It also specifically states you need the ports open to the infrastructure for even internal WiFi. The documentation has always been rubbish (heck it doesn't even show in the diagrams that you need the infrastructure for the BES itself)

The BES requires the NOC, period. Without access to the NOC it will fail. Perhaps they need to be more clear in the documents, but I can tell you it certainly needs the NOC.

Posted via CB10

[Sith_Apprentice]

Just for example

Service Name: BlackBerry Infrastructure
Start Date/Time: 16-Nov-2013 03:38:00 GMT
Duration: Ongoing
Region of Impact: EMEA
State of Service: Degraded
% of Subscribers Affected (estimated): 10
Service Impact: BlackBerry OS 10: Impacted users will be unable to use BES email and BBM.

Posted via CB10

[Bluenoser63]

You are missing that the BES Needs the NOC for all that. It also specifically states you need the ports open to the infrastructure for even internal WiFi. The documentation has always been rubbish (heck it doesn't even show in the diagrams that you need the infrastructure for the BES itself)

The BES requires the NOC, period. Without access to the NOC it will fail. Perhaps they need to be more clear in the documents, but I can tell you it certainly needs the NOC.

Posted via CB10

If you disagree with the documentation, that is fine. But I can tell you with my testing, that NOC isn't needed. The 10.2 docs are clear.

Note This data path is used only if communication over the BlackBerry Infrastructure is not allowed. In this scenario, the device requires a direct connection to the organization using a work Wi-Fi or VPN connection.

The only port that is NOC is 3101. The other ports don't have anything to do with NOC, but are needed to get around the use of the NOC. It is a pretty simple test. Block port 3101 (the NOC) and connect via WiFi or VPN and try to send a policy, app, or activate a BB10 device. It will work.

[bigglybobblyboo]

Actually, it's the Brits who aren't using the correct spellings.

English came to America in the 16th and 17th Centuries, and was essentially identical to what was spoken in England. The reign of Louis XIV of France during the late 17th Century was hugely influential in Europe, and during the late 1680s, England was essentially governed by Louis XIV, with the British king being virtually appointed by him and in great debt to him. So powerful, successful, rich, and influential was Louis that all things French became extremely fashionable in England (London especially), and during this period, even the written language was altered to be "more French". This is where all of those extra letters come from.

Americans didn't take anything out; destitute England added them in, wanting to be more like the wealthy, powerful French of the day.

Riiiiggghhhttt.

So since England was essentially governed by Louis XIV by the late 1680's The Glorious Revolution never happened and everyone wore berets....

Feel It, Swipe It, Love It. BlackBerry Z10

[Bluenoser63]

Just for example

Service Name: BlackBerry Infrastructure
Start Date/Time: 16-Nov-2013 03:38:00 GMT
Duration: Ongoing
Region of Impact: EMEA
State of Service: Degraded
% of Subscribers Affected (estimated): 10
Service Impact: BlackBerry OS 10: Impacted users will be unable to use BES email and BBM.

Posted via CB10

BBM is a NOC service and will not work without it.

BES email is dependent on how the are connecting. Does it state that if you connect via WiFi or VPN that BES email won't work? No. You are making assumptions.

Just do like I did and setup a test environment of a 10.2 server and block 3101 traffic after you have setup the server and running with NOC, then see what you lose. I think it will surprise you.

Just follow the documentation.

[Sith_Apprentice]

BBM is a NOC service and will not work without it.

BES email is dependent on how the are connecting. Does it state that if you connect via WiFi or VPN that BES email won't work? No. You are making assumptions.

Just do like I did and setup a test environment of a 10.2 server and block 3101 traffic after you have setup the server and running with NOC, then see what you lose. I think it will surprise you.

Just follow the documentation.

Ok, lets try this again...

Page 13-15 of the Security Technical Overview..

How the BlackBerry Device Service and the BlackBerry Infrastructure authenticate with each other

The BlackBerry Infrastructure and BlackBerry Device Service must authenticate with each other before they can transfer data. The BlackBerry Device Service uses SRP to authenticate with and connect to the BlackBerry Infrastructure.

SRP is a point-to-point protocol that runs over TCP/IP. The BlackBerry Device Service uses SRP to contact the BlackBerry Infrastructure and open a connection. When the BlackBerry Device Service and BlackBerry Infrastructure open a connection, they can perform the following actions:

1.Authenticate with each other
2.Exchange configuration information
3.Send and receive data

The BlackBerry Device Service and BlackBerry Infrastructure use the SRP authentication key when they authenticate with each other. The SRP authentication key is a 20-byte encryption key that the BlackBerry Device Service and BlackBerry Infrastructure share.What happens when the BlackBerry Device Service and the BlackBerry Infrastructure open an initial connection

After the BlackBerry Device Service and the BlackBerry Infrastructure open an initial connection over the Internet, the BlackBerry Device Service sends a basic information packet to the BlackBerry Infrastructure immediately. A basic information packet includes the BlackBerry Device Service version information, SRP identifiers, and other information that is required to open an SRP connection. Both the BlackBerry Device Service and BlackBerry Infrastructure can recognize the basic information packet. The BlackBerry Device Service and BlackBerry Infrastructure can use the basic information packet to configure the parameters of the SRP implementation.

Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure

1.The BlackBerry Device Service sends a data packet that contains its unique SRP identifier to the BlackBerry Infrastructure to claim the SRP identifier.
2.The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Device Service.
3.The BlackBerry Device Service sends a challenge string to the BlackBerry Infrastructure.
4.The BlackBerry Infrastructure hashes the challenge string it received from the BlackBerry Device Service with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Device Service as a challenge response.
5.The BlackBerry Device Service hashes the challenge string it received from the BlackBerry Infrastructure with the SRP authentication key, and sends the result as a challenge response to the BlackBerry Infrastructure.
6.The BlackBerry Infrastructure performs one of the following actions:
•Accepts the challenge response and sends a confirmation to the BlackBerry Device Service to complete the authentication process and configure an authenticated SRP connection
•Rejects the challenge response

If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Device Service close the SRP connection.

If the BlackBerry Device Service uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent an attacker from using the SRP identifier to create conditions for a DoS attack.

How the BlackBerry Device Service protects a TCP/IP connection to the BlackBerry Infrastructure

After the BlackBerry Device Service and the BlackBerry Infrastructure open an SRP connection, the BlackBerry Device Service uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure.

The TCP/IP connection between the BlackBerry Device Service and BlackBerry Infrastructure is secure because the BlackBerry Device Service and device encrypt the data that they send to each other. No intermediate point decrypts and encrypts the data again.

After the activation process begins, no data traffic of any kind can occur between the BlackBerry Device Service and an activated device unless the BlackBerry Device Service can decrypt the data using a valid device transport key. Only the BlackBerry Device Service and the device have the correct device transport key.

You must configure your organization’s firewall or proxy server to permit the BlackBerry Device Service to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port 3101.



You seem to be missing the forest for the trees here. Yes, devices can connect directly to BDS without the use of the NOC. However, the BES MUST maintain connection to the BlackBerry Infrastructure in order to function properly (and in many cases at all).

[Bluenoser63]

Ok, lets try this again...

Page 13-15 of the Security Technical Overview..

How the BlackBerry Device Service and the BlackBerry Infrastructure authenticate with each other

The BlackBerry Infrastructure and BlackBerry Device Service must authenticate with each other before they can transfer data. The BlackBerry Device Service uses SRP to authenticate with and connect to the BlackBerry Infrastructure.

SRP is a point-to-point protocol that runs over TCP/IP. The BlackBerry Device Service uses SRP to contact the BlackBerry Infrastructure and open a connection. When the BlackBerry Device Service and BlackBerry Infrastructure open a connection, they can perform the following actions:

1.Authenticate with each other
2.Exchange configuration information
3.Send and receive data

The BlackBerry Device Service and BlackBerry Infrastructure use the SRP authentication key when they authenticate with each other. The SRP authentication key is a 20-byte encryption key that the BlackBerry Device Service and BlackBerry Infrastructure share.What happens when the BlackBerry Device Service and the BlackBerry Infrastructure open an initial connection

After the BlackBerry Device Service and the BlackBerry Infrastructure open an initial connection over the Internet, the BlackBerry Device Service sends a basic information packet to the BlackBerry Infrastructure immediately. A basic information packet includes the BlackBerry Device Service version information, SRP identifiers, and other information that is required to open an SRP connection. Both the BlackBerry Device Service and BlackBerry Infrastructure can recognize the basic information packet. The BlackBerry Device Service and BlackBerry Infrastructure can use the basic information packet to configure the parameters of the SRP implementation.

Data flow: Authenticating the BlackBerry Device Service with the BlackBerry Infrastructure

1.The BlackBerry Device Service sends a data packet that contains its unique SRP identifier to the BlackBerry Infrastructure to claim the SRP identifier.
2.The BlackBerry Infrastructure sends a random challenge string to the BlackBerry Device Service.
3.The BlackBerry Device Service sends a challenge string to the BlackBerry Infrastructure.
4.The BlackBerry Infrastructure hashes the challenge string it received from the BlackBerry Device Service with the SRP authentication key using HMAC with the SHA-1 algorithm. The BlackBerry Infrastructure sends the resulting 20-byte value to the BlackBerry Device Service as a challenge response.
5.The BlackBerry Device Service hashes the challenge string it received from the BlackBerry Infrastructure with the SRP authentication key, and sends the result as a challenge response to the BlackBerry Infrastructure.
6.The BlackBerry Infrastructure performs one of the following actions:
•Accepts the challenge response and sends a confirmation to the BlackBerry Device Service to complete the authentication process and configure an authenticated SRP connection
•Rejects the challenge response

If the BlackBerry Infrastructure rejects the challenge response, the authentication process is not successful. The BlackBerry Infrastructure and BlackBerry Device Service close the SRP connection.

If the BlackBerry Device Service uses the same SRP authentication key and SRP identifier to connect to (and then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure deactivates the SRP identifier to help prevent an attacker from using the SRP identifier to create conditions for a DoS attack.

How the BlackBerry Device Service protects a TCP/IP connection to the BlackBerry Infrastructure

After the BlackBerry Device Service and the BlackBerry Infrastructure open an SRP connection, the BlackBerry Device Service uses a persistent TCP/IP connection to send data to the BlackBerry Infrastructure.

The TCP/IP connection between the BlackBerry Device Service and BlackBerry Infrastructure is secure because the BlackBerry Device Service and device encrypt the data that they send to each other. No intermediate point decrypts and encrypts the data again.

After the activation process begins, no data traffic of any kind can occur between the BlackBerry Device Service and an activated device unless the BlackBerry Device Service can decrypt the data using a valid device transport key. Only the BlackBerry Device Service and the device have the correct device transport key.

You must configure your organization’s firewall or proxy server to permit the BlackBerry Device Service to start and maintain an outgoing connection to the BlackBerry Infrastructure over TCP port 3101.



You seem to be missing the forest for the trees here. Yes, devices can connect directly to BDS without the use of the NOC. However, the BES MUST maintain connection to the BlackBerry Infrastructure in order to function properly (and in many cases at all).

I take it you will be telling Blackberry that they are wrong with the data flow documentation. I guess you also didn't actually try disabling port 3101 and connecting via WiFi or VPN to see if they will still function. Try it.

You also seem to be focused on BDS. You do know that BDS doesn't handle email transport.

[Sith_Apprentice]

I take it you will be telling Blackberry that they are wrong with the data flow documentation. I guess you also didn't actually try disabling port 3101 and connecting via WiFi or VPN to see if they will still function. Try it.

You also seem to be focused on BDS. You do know that BDS doesn't handle email transport.

Read up, I DID say that you can get Email (and to include PIM) without the infrastructure. It is literally everything else. I am also curious what will happen to your email profiles once BES goes kaput. They may continue to function but any changes/new profiles wont be pushed. SRP connection is absolutely necessary.


(and yes, they have corrected documentation many times prior to release based on my suggestions lol) The data flow only shows device to BDS, doesnt show BDS to Infrastructure

[bradu1]

Ya learn something new that's incorrect every day...

Feel It, Swipe It, Love It. BlackBerry Z10

Yup, I read a nice correction to the lesson up there on a channel I subscribe to. :-)

#IchooseBlackberry10 (BBM#25)

[Bluenoser63]

Read up, I DID say that you can get Email (and to include PIM) without the infrastructure.

At least we are making progress.

[mapsonburt]

Actually, it's the Brits who aren't using the correct spellings.

English came to America in the 16th and 17th Centuries, and was essentially identical to what was spoken in England. The reign of Louis XIV of France during the late 17th Century was hugely influential in Europe, and during the late 1680s, England was essentially governed by Louis XIV, with the British king being virtually appointed by him and in great debt to him. So powerful, successful, rich, and influential was Louis that all things French became extremely fashionable in England (London especially), and during this period, even the written language was altered to be "more French". This is where all of those extra letters come from.

Americans didn't take anything out; destitute England added them in, wanting to be more like the wealthy, powerful French of the day.

As with most things on the internet, that's only partially correct... there are certainly some words that the English changed from the old Canadian/American way of spelling to the French way (Program->Programme, Maneuver->Maneuvere, etc.) but most of the differences were introduced by Noah Webster when he created the Webster's Dictionary in 1928. He was TRYING to prove that American English had "evolved" and changed many of the words to make them simpler... This is where most of the differences between Canada and the US crop up... We still say "centre" while the US says "center"... we say "colour", they say "color" (although we have shifted to Tire instead of Tyre). He also put the "ize" on many words while we still go with "ise" (e.g. "prioritize" vs "prioritise"). Another key difference is that American (and Canadian) English tend to use nouns as verbs - e.g. I'm going to "interview" someone... or I'm going "backpacking". Most Canadians are ambidextorous these days and can do either in the right context. If I was writing to an American, I'd use their spelling but if I'm talking to an international audience... I'll stick with Canadian eh! :-)

[rohetaku]

English is always evolving. You can't say it's wrong today and correct tomorrow


Sent from my BlackBerry - remember me!

[moosbb]

Oh yes! You can thanx frenchies for "programme"

Actually, it's the Brits who aren't using the correct spellings.

English came to America in the 16th and 17th Centuries, and was essentially identical to what was spoken in England. The reign of Louis XIV of France during the late 17th Century was hugely influential in Europe, and during the late 1680s, England was essentially governed by Louis XIV, with the British king being virtually appointed by him and in great debt to him. So powerful, successful, rich, and influential was Louis that all things French became extremely fashionable in England (London especially), and during this period, even the written language was altered to be "more French". This is where all of those extra letters come from.

Americans didn't take anything out; destitute England added them in, wanting to be more like the wealthy, powerful French of the day.

Q10 ? OS 10.2.1.176