epaschal
asked on
Block Personal Blackberry Access to Corporate Email
Hello,
Our company has a BES server and many BlackBerry users. Some of our employees, however, are connecting their personal BlackBerrys to our corporate email, using BlackBerry Internet Service (BIS).
We only want company-owned devices connected to the BES to be allowed to sync email. Is there any way to block the personal BlackBerrys, since they are essentially emulating a user logging into Outlook Web Access to sync email?
Turn off OWA or set it to use HTTPS with a certificate.
You obviously cannot block them setting it up, since they are the owners of the BlackBerry device, but you can block the messages. Check out:
On BES go to Firewall Block Incoming Messages under the Security Policy Group.
http://na.blackberry.com/eng/deliverables/4222/Firewall_Block_Incoming_Messages_204212_11.jsp
Also check out:
https://www.experts-exchange.com/questions/23065210/How-do-you-block-Blackberry-Internet-Service-from-accessing-OWA.html
ASKER
SysExpert,
Turning off OWA isn't an option in our case, neither is requiring users to install a security certificate.
An ideal solution would be to find a way to block traffic coming from the BIS servers since anything coming from those would be for syncing personal devices.
We are in a healthcare environment, so messages stored on personal devices are not appropriate since we can't enforce security on those devices like we can on our own BlackBerrys.
ASKER
jdera,
Making changes to BES (your first link) would not impact those using their personal BlackBerrys, since they are not connected to our BES.
The second link refers to having our OWA users install certificates, which is unfortunately not practical for us.
ASKER
jdera,
Very good points. I think the hangup is that with webmail, even though someone can still save the emails locally, it would take more of a continuous effort. With a personal BlackBerry, everything is always syncing, so a lost, unsecured device poses more of a risk. I really like your idea about putting OWA behind VPN, and long term that's the way we will go. Thank you.
fest45,
Thanks for the article with the IP information. This will get us by in the interim.
Eric
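
An added example, not part of the thread: before blocking BIS source addresses at the firewall as discussed above, the OWA server's IIS logs can show which accounts are already syncing from those addresses. The ranges below are documentation placeholders (not real BIS addresses), and the W3C log layout, the `/exchange` and `/owa` path prefixes, and the function name `bis_owa_users` are assumptions.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation blocks), NOT real BIS addresses.
# Replace with the ranges from the published IP information you rely on.
BIS_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample in IIS W3C extended log format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-03-02 08:01:11 192.0.2.17 CORP\\asmith GET /exchange/asmith/Inbox 200
2009-03-02 08:01:40 10.1.4.22 CORP\\bjones GET /exchange/bjones/Inbox 200
2009-03-02 08:02:05 198.51.100.9 CORP\\asmith PROPFIND /exchange/asmith/Inbox 207
2009-03-02 08:02:30 198.51.100.200 CORP\\cwu GET /exchange/cwu/Inbox 200
2009-03-02 08:03:00 192.0.2.44 - GET /exchange/ 401
2009-03-02 08:03:10 192.0.2.44 CORP\\dlee GET /iisstart.htm 200
"""

def bis_owa_users(log_text, ranges=BIS_RANGES, prefixes=("/exchange", "/owa")):
    """Return {username: hit_count} for authenticated OWA requests from `ranges`."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        user = row.get("cs-username", "-")
        uri = row.get("cs-uri-stem", "").lower()
        if user == "-" or not uri.startswith(prefixes):
            continue                        # anonymous or non-OWA request
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                        # malformed address field
        if any(ip in net for net in ranges):
            hits[user.lower()] = hits.get(user.lower(), 0) + 1
    return hits

if __name__ == "__main__":
    for user, count in sorted(bis_owa_users(SAMPLE_LOG).items()):
        print(f"{user}\t{count}")
```

The resulting account list identifies who will lose sync once the block is in place, so those users can be moved to BES-managed devices first.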