07-18-2012 06:59 PM
We have an MS Exchange 2010 Server, which can be accessed externally (via an MS TMG). We would like to use the "Blackberry Universal Device Service" now, but I couldn't understand from the installation manual at which point the device (or the server) will connect to ActiveSync.
So must I open the internal firewall so that the "Blackberry Universal Device Service" can reach our internal Exchange CAS server? Or is that only a plugin on the device which allows me to manage the device, and the "real" ActiveSync traffic is still going via the MS TMG the old way?
07-19-2012 10:42 AM
The Blackberry Universal Device Service does not connect to the mail platform, so you won't have to open any internal ports for that. The main purpose of UDS is to manage / secure iOS/Android devices.
UDS also allows you to create profiles and push them to the device so end users won't have to manually enter the details (i.e. Wi-Fi, ActiveSync, VPN).
If you push out an ActiveSync profile to the device via UDS, the device will connect to your Exchange CAS the same way it would if you were to manually enter the ActiveSync profile on a device.
Hope that helps.
07-19-2012 11:07 AM
Thanks for the fast reply. How could we then ensure that the user doesn't use the "normal" ActiveSync way or manually configure ActiveSync without using the Blackberry Universal Device Service?
07-19-2012 11:23 AM
No problem. Looking at the Feature Guide (page 6), you can enable certificate-based authentication.
Here is a quick summary.
You can use the Universal Device Service to send certificates to devices using certificate profiles or SCEP profiles. The Universal Device Service helps to restrict access to Microsoft ActiveSync, Wi-Fi connections, or VPN connections to devices that use certificate-based authentication. Also, this feature helps you to control Microsoft ActiveSync, Wi-Fi connections, or VPN connections on devices because the Universal Device Service is designed to automatically remove profiles and certificates when a device violates one of the predefined compliance policies, for example, compliance policies for jailbroken devices or rooted devices. Certificate-based authentication does not require a proxy server between the device and your organization's messaging server.
With this enabled, it looks like profiles sent to the device will be used and anything else would be considered non-compliant and removed.
Hope this helps.