06-04-2009 03:03 PM
I have read books that deal with security and BlackBerry. The topics discuss device security and server security and range from conservative to liberal in terms of security. One view was to split up the services offered by the BES into different servers. This would allow you to put services that needed to touch the outside world into your DMZ and keep the rest within your corporate LAN. We are going to opt to put the entire server in the DMZ to avoid the headache of splitting the BES server apart.
Device security, on the other hand, we are not so sure about. There is a list of things we need to make a decision on. Ultimately I just need to go through the list and choose; however, I am not sure what the best practices are that seem to make both the end user and the sys admin happy.
How do you administer your company's IT policy to your end users? Do you even use an IT policy? Do you push all BlackBerry traffic through your BES or do you let it go straight out to the internet? Passwords? Third-party apps? Bluetooth? And the list goes on...
Lastly, is there a resource that I can go to to view best practices for IT policy on BlackBerry handhelds?
06-08-2009 10:31 PM
06-09-2009 11:25 AM
NO NO NO NO NO.... Don't put the whole BES in the DMZ!!! Not Supported.
The BES initiates an outbound bidirectional connection to the relay / BlackBerry infrastructure on port 3101. Therefore the box is never exposed externally to the outside world, as the connection is initiated from inside the firewall to the outside. If need be you can put the BlackBerry Router component on a separate box in the DMZ. Don't put the whole BES in the DMZ!!
Re your devices - The way I would approach this is to say 'What would you do with a laptop?'. Align your BB IT policy to your corporate laptop IT policy. Effectively the BES acts as a proxy into your corporate network, so those devices are sitting on your network in effect.
Create a default IT policy that is as locked down as it can be / is necessary. Possibly a little overkill if you can so everything is limited! Then if an admin forgets to assign an IT policy you can sleep safe knowing that the device has an IT policy.
You will no doubt get requests to have users with different IT policies so think up a good naming convention.
Create an Excel spreadsheet as a living IT policy document detailing each setting for individual policies as your reference. You can use the BES Resource Kit tools to make this process a lot easier. When I started doing it we didn't have such tools and it was a nightmare!! It is a bit easier now!
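
Added example, not part of the thread: a small audit of a firewall rule export against the connection model described in the reply above (the BES initiates the session outbound on port 3101, so nothing externally initiated should reach it). The `Rule` format, the function name, the IP address and the sample rule sets are constructed assumptions, not any vendor's export format.

```python
from dataclasses import dataclass
from typing import Union

BES_RELAY_PORT = 3101  # outbound port named in the reply above

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified rule record
    direction: str          # "in" = initiated from outside, "out" = initiated from inside
    src: str                # IP address or "any"
    dst: str                # IP address or "any"
    port: Union[int, str]   # port number or "any"
    action: str             # "allow" or "deny"

def audit_bes_rules(rules, bes_ip):
    """Return findings for allow rules that contradict an outbound-only BES."""
    findings = []
    allows = [r for r in rules if r.action == "allow"]
    # The BES dials out, so no externally initiated session should reach it.
    for r in allows:
        if r.direction == "in" and r.dst in (bes_ip, "any"):
            findings.append(f"inbound exposure: {r.src} -> {r.dst}:{r.port}")
    outbound = [r for r in allows
                if r.direction == "out" and r.src in (bes_ip, "any")]
    # Without an outbound allow on 3101 the relay connection cannot be made.
    if not any(r.port in (BES_RELAY_PORT, "any") for r in outbound):
        findings.append(f"no outbound allow for port {BES_RELAY_PORT}")
    # An "any port" rule for the BES is broader than the connection needs.
    for r in outbound:
        if r.src == bes_ip and r.port == "any":
            findings.append("outbound from BES not restricted to a port")
    return findings

# Constructed sample data (addresses and rules are made up for the example).
BES_IP = "10.0.5.20"
GOOD = [Rule("out", BES_IP, "any", 3101, "allow"),
        Rule("in", "any", "any", "any", "deny")]
BAD = [Rule("in", "any", BES_IP, 443, "allow"),
       Rule("out", BES_IP, "any", "any", "allow")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_bes_rules(rules, BES_IP))
```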