Block Personal Blackberry Access to Corporate Email

Posted on 2009-02-22
Medium Priority
Last Modified: 2012-05-06

Our company has a BES server and many BlackBerry users. Some of our employees, however, are connecting their personal BlackBerrys to our corporate email, using BlackBerry Internet Service (BIS).

We only want company owned devices connected to the BES to be allowed to sync email. Is there any way to block the personal BlackBerrys, since they are essentially emulating a user logging into Outlook Web Access to sync email?

Question by:epaschal
LVL 63

Expert Comment

ID: 23707782
Turn off OWA or set it to use HTTPS with a certificate.

LVL 20

Expert Comment

ID: 23707833
You obviously cannot block them setting it up since they are the owners of the blackberry device but you can block the messages.  Check out:

On BES go to Firewall Block Incoming Messages under the Security Policy Group.


Also check out:



Author Comment

ID: 23707972

Turning off OWA isn't an option in our case, neither is requiring users to install a security certificate.

An ideal solution would be to find a way to block traffic coming from the BIS servers since anything coming from those would be for syncing personal devices.

We are in a healthcare environment, so messages stored on personal devices are not appropriate since we can't enforce security on those devices like we can on our own BlackBerrys.
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Author Comment

ID: 23707996

Making changes to BES (your first link) would not impact those using their personal blackberrys, since they are not connected to our BES.

The second link refers to having our OWA users install certificats, which is unfortunately not practical for us.
LVL 20

Accepted Solution

jdera earned 1000 total points
ID: 23708539
I know it can be difficult (been in various industries same issues and by the way I agree 100% with your idea), but realize since you have OWA available and that allows access to your email outside of your network you only have so many options.  You can shut down OWA and have a cisco VPN available to users to access their Outlook email, this would allow only access to outside email and essentially shutdown the personal bb users, outside of that and the certificate idea, not going to find anything.  Your problem is common, but people are starting to accept the fact, unfortunately, that private company and personal information mixing are ok for some reason.  

You probably will not like this idea, but since you are not going to find an acceptable technology solution, your best bet is to set with a company policy, if the information is of a crucial nature, that personal blackberrys are not to be use for corporate work or you are gone.  But that one is basically a scare tactic and is going to be hard to enforce, but if you don't have the policy it is a start and if the user is dumb enough to leave "Sent from my Blackberry" signature then you have them and get HR to take it from there.  If the information is needed to be that secure this is an educational and policy situation and something you have to have drilled in their head.  One other thing is you can stop is was referenced in my first link is to stop the BES users that actually have corp approved bbs to not accept BIS emails. (sorry should have been a little clearer with the explanation).  This way the personal users will get frustrated that they cannot send to their corp bb users.  Also from an executive standpoint, you need the "hammer" in your corporate environment and drives this policy especially when you are cutting the BIS messages from getting thru, or this is just going to be talk.  Also if you are talking about someone high up enough in the organization who is using the personal bb via OWA, then this is all going to be talk any way, since they are going to go to someone else higher and get the "technology" solution you are referred to changed anyway.

The contradictory policy of allowing OWA to be used but not allowing a bb user to use their device to access OWA is a problem.  They can easily access OWA on their "personal storage device" i.e. a laptop and save whatever emails and attachments they want and their is going to be very little you can do about it.

The only other suggestion I can provide is to contact RIM, but I know they are going to tell you their is very little you can do.

Assisted Solution

fest45 earned 1000 total points
ID: 23712531
I really agree Jdera.

But if you really want to block only BlackBerrys using BIS, just make a rule on your firewall to block BIS polling servers : http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=63832630&stateId=1%200%2063826436

Be very careful, just block RIM BIS polling servers, don't block RIM SRP Servers.

Author Comment

ID: 23719276

Very good points. I think the hangup is that with webmail, even though someone can still save the emails locally, it would take more of a continuous effort. With a personall blackberry, everything is always syncing, so a lost, unsecured device poses more of a risk. I really like your idea about putting OWA behind VPN, and long term that's the way we will go. Thank you.


Thanks for the article with the IP information. This will get us by in the interim.



Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Having now spent 3 months on the iPhone, I am at a loss as to how anyone would choose this device for business use. After many years using Blackberry phones (several 7xxx models and, until recently, an 8100 Pearl) I have reluctantly had to switch to…
This is a basic guide on setting up email accounts on BlackBerry mobile devices using the BlackBerry Internet Service (BIS). If you just want access to your email with the option to send email using this same account then this guide should be helpfu…
Loops Section Overview
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question