Block Personal Blackberry Access to Corporate Email

Posted on 2009-02-22
Last Modified: 2012-05-06

Our company has a BES server and many BlackBerry users. Some of our employees, however, are connecting their personal BlackBerrys to our corporate email, using BlackBerry Internet Service (BIS).

We only want company owned devices connected to the BES to be allowed to sync email. Is there any way to block the personal BlackBerrys, since they are essentially emulating a user logging into Outlook Web Access to sync email?

Question by:epaschal
    LVL 63

    Expert Comment

    Turn off OWA or set it to use HTTPS with a certificate.

    LVL 20

    Expert Comment

    You obviously cannot block them setting it up since they are the owners of the blackberry device but you can block the messages.  Check out:

    On BES go to Firewall Block Incoming Messages under the Security Policy Group.

    Also check out:


    Author Comment


    Turning off OWA isn't an option in our case, neither is requiring users to install a security certificate.

    An ideal solution would be to find a way to block traffic coming from the BIS servers since anything coming from those would be for syncing personal devices.

    We are in a healthcare environment, so messages stored on personal devices are not appropriate since we can't enforce security on those devices like we can on our own BlackBerrys.

    Author Comment


    Making changes to BES (your first link) would not impact those using their personal BlackBerrys, since they are not connected to our BES.

    The second link refers to having our OWA users install certificates, which is unfortunately not practical for us.
    LVL 20

    Accepted Solution

    I know it can be difficult (been in various industries, same issues, and by the way I agree 100% with your idea), but realize since you have OWA available and that allows access to your email outside of your network you only have so many options.  You can shut down OWA and have a Cisco VPN available to users to access their Outlook email, this would allow only access to outside email and essentially shut down the personal BB users; outside of that and the certificate idea, not going to find anything.  Your problem is common, but people are starting to accept the fact, unfortunately, that private company and personal information mixing are ok for some reason.

    You probably will not like this idea, but since you are not going to find an acceptable technology solution, your best bet is to set a company policy, if the information is of a crucial nature, that personal BlackBerrys are not to be used for corporate work or you are gone.  But that one is basically a scare tactic and is going to be hard to enforce, but if you don't have the policy it is a start, and if the user is dumb enough to leave the "Sent from my Blackberry" signature then you have them and get HR to take it from there.  If the information needs to be that secure, this is an educational and policy situation and something you have to have drilled in their head.  One other thing you can do, as was referenced in my first link, is to stop the BES users that actually have corp-approved BBs from accepting BIS emails (sorry, should have been a little clearer with the explanation).  This way the personal users will get frustrated that they cannot send to their corp BB users.  Also, from an executive standpoint, you need the "hammer" in your corporate environment that drives this policy, especially when you are cutting the BIS messages from getting through, or this is just going to be talk.  Also, if you are talking about someone high up enough in the organization who is using the personal BB via OWA, then this is all going to be talk anyway, since they are going to go to someone else higher and get the "technology" solution you are referring to changed anyway.

    The contradictory policy of allowing OWA to be used but not allowing a BB user to use their device to access OWA is a problem.  They can easily access OWA on their "personal storage device", i.e. a laptop, and save whatever emails and attachments they want, and there is going to be very little you can do about it.

    The only other suggestion I can provide is to contact RIM, but I know they are going to tell you there is very little you can do.
    LVL 2

    Assisted Solution

    I really agree Jdera.

    But if you really want to block only BlackBerrys using BIS, just make a rule on your firewall to block BIS polling servers:

    Be very careful, just block RIM BIS polling servers, don't block RIM SRP Servers.
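
An added example (not part of the original thread): before such a firewall rule goes in, this check confirms the block list does not overlap the SRP ranges the poster warns against blocking, and lists which mailboxes are being reached through OWA from the BIS ranges. The address ranges are RFC 5737 placeholders, not RIM's real ones; the IIS log lines are constructed; the `/exchange` and `/owa` path prefixes and all function names are assumptions.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation networks), NOT real RIM addresses.
# Replace with the BIS polling and SRP ranges published by the vendor.
BIS_POLLING = [ipaddress.ip_network("192.0.2.0/24")]
SRP_SERVERS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed IIS W3C log sample for an OWA front end.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-02-20 08:01:12 GET /exchange/jsmith/Inbox CORP\\jsmith 192.0.2.17 200
2009-02-20 08:03:40 GET /exchange/mlee/Inbox CORP\\mlee 10.1.4.22 200
2009-02-20 08:16:12 GET /exchange/jsmith/Inbox CORP\\jsmith 192.0.2.18 200
2009-02-20 08:20:05 GET /exchange/akhan/Inbox CORP\\akhan 192.0.2.40 401
2009-02-20 08:21:00 GET /iisstart.htm - 192.0.2.40 200
"""

def check_blocklist(block, keep):
    """Return (block_net, keep_net) pairs that overlap; must be empty before deploying."""
    return [(b, k) for b in block for k in keep if b.overlaps(k)]

def bis_owa_users(log_text, bis_nets, prefixes=("/exchange", "/owa")):
    """Count successful, authenticated OWA requests per user from the BIS ranges."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            src = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                    # skip rows without a parsable client IP
        stem = row.get("cs-uri-stem", "").lower()
        user = row.get("cs-username", "-")
        if (row.get("sc-status") == "200" and user != "-"
                and stem.startswith(prefixes)
                and any(src in net for net in bis_nets)):
            hits[user] = hits.get(user, 0) + 1
    return hits

if __name__ == "__main__":
    assert not check_blocklist(BIS_POLLING, SRP_SERVERS), "block list overlaps SRP"
    for user, count in sorted(bis_owa_users(SAMPLE_LOG, BIS_POLLING).items()):
        print(user, count)
```

The per-user counts give a list of accounts to notify before the rule takes effect, and the same query run afterwards should return nothing.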

    Author Comment


    Very good points. I think the hangup is that with webmail, even though someone can still save the emails locally, it would take more of a continuous effort. With a personal BlackBerry, everything is always syncing, so a lost, unsecured device poses more of a risk. I really like your idea about putting OWA behind VPN, and long term that's the way we will go. Thank you.


    Thanks for the article with the IP information. This will get us by in the interim.


