Rather than giving the end user the ability to make a decision, I see those that are truly security conscious make the decision to go to with some form two-factor authentication . and those that need to meet requirements / regulations simply don't allow access; period.
From: [email protected] [mailto:[email protected]] On Behalf Of Josh Armour Sent: Tuesday, July 20, 2010 2:07 PM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins] Prevent personal Blackberriesfrom accessing company email So that takes care of the actual mail delivery issue but there is a lurking issue with BIS access. That issue is users giving (or being comfortable with giving) their credentials to another company. Maybe we are just a little too paranoid over here? That is what I think most institutions are getting at when they decide to block BIS access. Don't get me wrong, its important to block new data from getting out onto a phone with no device management or policy enforcement. But the user is also a problem in those cases.. ------------------------------------------ Josh Armour MobileOps - Sysadmin [email protected] (541) 205-4262 ------------------------------------------ On Tue, Jul 20, 2010 at 11:08 AM, Jonathan Evenden <[email protected]> wrote: BES is outbound - just don't block outbound and you're fine. You're blocking inbound for OWA/BIS, which is what he said in an earlier post. -- Jonathan Evenden Director of IT Consulting MCP - Microsoft Certified Professional TNTMAX, LLC. Technology Solutions by Design 010101000100111001010100011011010110000101111000 (201) 891-8686 Main (201) 891-4672 Fax [email protected] 253 Madison Ave, Wyckoff, NJ 07481 http://www.tntmax.com __________________________________________________________________ NOTICE OF CONFIDENTIALITY The information contained in this transmission is confidential and may be privileged and/or contain confidential information that is legally protected by state and federal law. This information is intended only for the use of the individual or organization to whom it is addressed. If it is not meant for you please notify the sender immediately by telephone so arrangements may be made to return the documents or destroy them. Use, disclosure, distribution or copying of documents transmitted to you in error is strictly prohibited. Thank you. From: [email protected] [mailto:[email protected]] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010 1:43 PM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins] Prevent personal Blackberriesfrom accessing company email HDawg, Your post shows these addresses as the BIS servers: BIS IP Range 206.51.26.0/24 193.109.81.0/24 204.187.87.0/24 206.53.144.0/20 216.9.240.0/20 67.233.64.0/19 93.186.16.0/20 68.171.224.0/19 Another post on your site http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.ht ml shows the same IP range for BES: BES IP Range 206.51.26.0 /24 193.109.81.0/24 204.187.87.0/24 216.9.240.0/20 206.53.144.0/20 67.223.64.0/19 93.186.16.0/20 68.171.224.0/19 Which means that I can't block those IP's or BES stops working as well. Back to the drawing board. Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | <http://www.papamurphys.com> www.papamurphys.com From: [email protected] [mailto:[email protected]] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010 10:28 AM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company email HDawg, This looks to be the most promising solution. Is there another list that shows the BES IP's? I'd want to make sure that they were allowed, the ranges provided for BIS are pretty large and I wouldn't be surprised if they overlap to some degree. Thanks! Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | <http://www.papamurphys.com> www.papamurphys.com From: [email protected] [mailto:[email protected]] On Behalf Of hdawg Sent: Tuesday, July 20, 2010 10:13 AM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company email BIS can also use OWA. See: http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.htm l for a list of what IP's BIS connections are coming from. Block these inbound connections at the firewall and you've blocked BIS. From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Barker Sent: Tuesday, July 20, 2010 1:09 PM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins] Prevent personal Blackberries from accessing company email BIS uses IMAP and POP3. Are you sure it's turned off? Other options include offline sync using Desktop manager or a 3rd-party EAS bridge like AstraSync. From: [email protected] [mailto:[email protected]] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010 9:55 AM To: '[email protected]' Subject: [Bes-admins] Prevent personal Blackberries from accessing company email I just found out that we have people with personal Blackberries accessing their company email, they are definitely not set up on my BES, so I'm guessing they must be using BIS. How can I prevent them from accessing their company email on their personal devices? I know it's not via IMAP or POP3, we have that turned off at the Exchange level. Thanks! Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | <http://www.papamurphys.com> www.papamurphys.com ------------------------------------------------------------------------------------ Consumer-voted "Best Pizza Chain in America" 2003-2009 ------------------------------------------------------------------------------------ Consumer-voted "Best Pizza Chain in America" 2003-2009 ------------------------------------------------------------------------------------ Consumer-voted "Best Pizza Chain in America" 2003-2009 _______________________________________________ Bes-Admins mailing list [email protected] http://www.dataoutages.com/mailman/listinfo/bes-admins http://www.dataoutages.com http://www.dataoutagenews.com RSS Feed: http://feeds.feedburner.com/Bes-admins --------------------------------- Bes-Admins mailing list is sponsored by Dataoutagenews.com. http://www.dataoutagenews.com
_______________________________________________ Bes-Admins mailing list [email protected] http://www.dataoutages.com/mailman/listinfo/bes-admins http://www.dataoutages.com http://www.dataoutagenews.com RSS Feed: http://feeds.feedburner.com/Bes-admins --------------------------------- Bes-Admins mailing list is sponsored by Dataoutagenews.com. http://www.dataoutagenews.com
