21 11/07
8:14 pm

IT Policies and Access Rules for BlackBerry Enterprise Servers (BES)


Working at Openface has challenged my thinking with regard to network and system security. I’m always focused on maintaining the highest level of security on the systems I operate, but in an ISP it’s a whole other ball game. When it came time to install our own BlackBerry Enterprise Server (BES), many questions were raised about the level of security that should be applied.

If you simply drop a BES into your network without applying the proper IT policies and access rules, you are handing anyone who gets hold of a device a way to exploit it. Now don’t worry: out of the box, the server itself is very secure. The problem lies with the devices, because through the Mobile Data Service every activated device becomes a gateway into your internal network.

Luckily, Research in Motion (RIM) has provided us with tools and features to apply security settings on our BlackBerry devices.

On with the show!

To start, it’s important to enable Pull Authorization. Once it is on, the Mobile Data Service (MDS, or MDAT as its log files are named) denies any request from an activated BlackBerry device application unless an access rule explicitly permits it, so device applications can no longer reach internal resources by default. By internal resources I mean specific hosts on specific ports using specific protocols (e.g. an intranet server on port 80 over HTTP, or a shell server on port 22 over TCP).

(Screenshot: BlackBerry MDAT)

Once that’s done, you will need to create Access Rules and apply them to specific groups or users. The mechanics are documented in the BES Administration Guide. What’s not well documented is the pattern syntax for the rules. Here’s the proper syntax to enable exactly the two examples above (the trailing /* in the HTTP rule matches every path on that host and port, so tighten it to a sub-path if the device only needs part of the site):

intranet.yourdomain.com:80/* and select the HTTP service
shellserver.yourdomain.com:22 and select the TCP service

If a rule is not doing what you expect, check the MDAT logs on the server: requests that are denied show up there as error messages, which is the quickest way to see whether a pattern is being matched at all.
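To make the default-deny behaviour concrete, here is a small Python model of what Pull Authorization plus those two Access Rules amounts to on the MDS side. This is an added example, not code from the original post or from RIM; the rule syntax follows the patterns above, and the hostnames, ports and sample requests are constructed for illustration. It lets you check a rule set offline, before devices start hitting it, and shows why an HTTP rule never opens a raw TCP port and why a rule on port 80 says nothing about port 443.

```python
# Added example (not BES code): a model of Pull Authorization with Access Rules.
# HTTP rules are "host:port/path-wildcard", TCP rules are "host:port", as in the post.
# Hostnames, ports and request samples are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    service: str   # "HTTP" or "TCP": the service selected when the rule is created
    pattern: str   # HTTP: "host:port/path-glob"; TCP: "host:port"


@dataclass(frozen=True)
class Request:
    service: str   # what the device application is trying to use
    host: str
    port: int
    path: str = "/"   # only meaningful for HTTP


def _host_port(spec, default_port=None):
    """Split "host:port" (port optional) into (lowercased host, int port)."""
    host, _, port = spec.partition(":")
    return host.lower(), (int(port) if port else default_port)


def rule_matches(rule, req):
    """True if this single access rule permits the request."""
    if rule.service != req.service:          # an HTTP rule never opens a raw TCP port
        return False
    if rule.service == "TCP":
        host, port = _host_port(rule.pattern)
        return (host, port) == (req.host.lower(), req.port)
    # HTTP: "host:port/path-glob"; no path part means every path on that host:port
    hostport, slash, path_glob = rule.pattern.partition("/")
    host, port = _host_port(hostport, default_port=80)
    path_glob = ("/" + path_glob) if slash else "/*"
    return (host, port) == (req.host.lower(), req.port) and fnmatchcase(req.path, path_glob)


def authorize(req, rules, pull_authorization=True):
    """Return (allowed, reason). With pull authorization off nothing is checked,
    which is the state the post warns about."""
    if not pull_authorization:
        return True, "pull authorization disabled: request not checked"
    for rule in rules:
        if rule_matches(rule, req):
            return True, f"allowed by {rule.service} rule {rule.pattern}"
    return False, "denied: no matching access rule (default deny)"


def http_request(url):
    """Build an HTTP Request from a URL a device application would fetch through MDS."""
    u = urlsplit(url)
    default = 443 if u.scheme == "https" else 80
    return Request("HTTP", u.hostname, u.port or default, u.path or "/")


# The two rules from the post, in the pattern syntax given there.
RULES = [
    Rule("HTTP", "intranet.yourdomain.com:80/*"),
    Rule("TCP", "shellserver.yourdomain.com:22"),
]

if __name__ == "__main__":
    samples = [
        http_request("http://intranet.yourdomain.com/wiki/Welcome"),
        http_request("https://intranet.yourdomain.com/"),       # port 443 is not in the rule
        Request("TCP", "shellserver.yourdomain.com", 22),
        Request("HTTP", "shellserver.yourdomain.com", 22),      # wrong service for that rule
        Request("TCP", "payroll.yourdomain.com", 1433),         # no rule at all
    ]
    for req in samples:
        allowed, why = authorize(req, RULES)
        target = f"{req.host}:{req.port}" + (req.path if req.service == "HTTP" else "")
        print(f"{req.service:4} {target} -> {why}")
```

Run it with pull_authorization=False in the `authorize` call to see every request pass, which is exactly the exposure the section above describes. Replacing the `/*` rule with `intranet.yourdomain.com:80/wiki/*` shows how a path-scoped rule keeps the rest of the intranet off limits.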

Next, you will need to apply IT policies to specific groups or users (preferably to all of them).

I strongly believe a set of default policy settings should be created and enabled for every device as soon as it is activated; that way, even devices not yet added to a group inherit the default IT policy.

IT Policies on the BES are extremely important for protecting the data on a BlackBerry device, and the information it can access, in the event the device is lost or stolen. There is a large number of settings that can be applied to each device (for example, requiring a device password, enforcing content protection for data stored on the device, and controlling which applications may be installed or may use network connections), giving administrators full control over how it is used.

As for Openface, with the various services we offer, I wouldn’t be surprised if we start offering BES services for our customers too.

For more information on BlackBerry and BES security, you can read the white papers and articles found here.

As usual, feel free to post your questions or comments below.
