RE: NANOG:RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Vinny_Abello
Exchange administration is not my primary job, but in my past experience on 
Exchange and the iPhone, if I enforced a security policy that the phone could 
not meet, then the user would not be able to sync with the server and set up 
their account. I remember having to tone back the security policy to a point 
where the iPhone would actually sync. So effectively they are enforced. You can 
also simply limit what ActiveSync devices are allowed. If you don't like 
iPhones but Android is ok, you can do that... at least in Exchange 2010 I can.

-Vinny

-Original Message-
From: Scott Howard [mailto:sc...@doc.net.au] 
Sent: Thursday, October 13, 2011 5:42 PM
To: McCall, Gabriel
Cc: NANOG
Subject: Re: NANOG:RE: [outages] News item: Blackberry services down worldwide

On Thu, Oct 13, 2011 at 12:21 PM, McCall, Gabriel <
gabriel.mcc...@thyssenkrupp.com> wrote:

> ActiveSync on Android allows corporate to force compliance with security
> policy and allow remote wipe. User cannot complete the Exchange account
> setup without permitting the controls. If the user doesn't agree, their sync
> isn't enabled. Moreover, if corporate requirements change, sync is disabled
> until you approve again. That seems like it covers all the bases to me.
>

There are two key differences between ActiveSync and BES.

The first is that ActiveSync implementations vary widely between different
manufacturers/implementations/versions/etc.  There is a core set of features
that all manufacturers must implement, but it's a very small percentage of
the full feature set of controls that ActiveSync supports.  Things like
enforcing a PIN code fit into this category, but other options like
disabling the camera and (from memory) device encryption or even remote wipe
are NOT in this category.  As a result, even if you enable these features on
your Exchange/ActiveSync server, you can't be sure that they are actually
being enforced as you can't readily control which devices are being used
with ActiveSync, and (realistically) you can't stop a user from changing
devices so that even if you gave them a handset that supported all the
features you wanted, they could simply move over to a new device that
didn't.

The second key difference is inbound vs. outbound.  ActiveSync requires you
to allow connections into your network from outside, where BES doesn't.  In
today's world that's not really an issue - especially as most people will
have their email servers accessible from the Internet in some way or other -
but in BB's heyday this alone was one of the key differentiators for
Blackberry vs. anything else (be that ActiveSync, POP/IMAP/etc, or any other
protocols).

With so many companies today working on the entire concept of Mobile Device
Management (MDM), Blackberry will fade into insignificance in the not too
distant future if they don't come out with something better than the
competition - but even today they still allow far better control over
handsets than ActiveSync alone does.

  Scott.
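The two controls discussed in this message and the quoted reply (a policy the handset must actually apply, and a whitelist of which device types may sync), as an added example that is not from the thread: Exchange 2010 Management Shell commands for a strict ActiveSync mailbox policy, device access rules by device type, and a report of which partnerships applied the policy in full. The policy name, the admin notification address and the user mailbox are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell.
# "Corp-Strict", easadmin@example.com and user@example.com are placeholders.

# 1. Mailbox policy: require a PIN and device encryption, disable the camera,
#    and refuse any device that cannot apply the whole policy. This is the
#    behaviour described above (a handset that cannot meet the policy is not
#    allowed to sync) and the check the quoted caveat calls for: without
#    -AllowNonProvisionableDevices $false a device that silently ignores the
#    encryption or camera setting still syncs and the server cannot tell.
New-ActiveSyncMailboxPolicy -Name "Corp-Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (placeholder user).
Set-CASMailbox -Identity "user@example.com" -ActiveSyncMailboxPolicy "Corp-Strict"

# 2. Organization-wide access: quarantine unknown device types by default and
#    allow only the ones you have tested, matching on the DeviceType string
#    the handset reports (the "Android is ok, iPhone is not" case above).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmin@example.com"
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceType -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -QueryString "iPhone"  -Characteristic DeviceType -AccessLevel Block

# 3. Verify what was actually enforced, per device partnership: anything other
#    than AppliedInFull means the handset did not honour the complete policy.
Get-CASMailbox -ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $true} |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object Identity, DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Note that a user who swaps to an untested handset lands in quarantine rather than silently syncing, which is the gap the quoted reply describes; the access rules are matched against whatever DeviceType string the client sends, so step 3 remains the only evidence of what a given device really applied.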

Re: NANOG:RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread McCall, Gabriel
ActiveSync on Android allows corporate to force compliance with security policy 
and allow remote wipe. User cannot complete the Exchange account setup without 
permitting the controls. If the user doesn't agree, their sync isn't enabled. 
Moreover, if corporate requirements change, sync is disabled until you approve 
again. That seems like it covers all the bases to me.

Sent from my Verizon Wireless Phone


-Original message-
From: Andrea Gozzi 
To: Jamie Bowden , Christopher Morrow 
, Jay Ashworth 
Cc: NANOG 
Sent: Thu, Oct 13, 2011 17:02:53 GMT+00:00
Subject: Re: NANOG:RE: [outages] News item: Blackberry services down worldwide

Can't but agree with Jamie.
The ability to centralize management for all Blackberry users and _force_
them to comply with company policy (it's an investment bank) saved us a lot
of hassle when, and it happens regularly, people lose their handsets.
Otherwise, it would be all unencrypted, unmonitored and unprotected access
points to customer's private data.
Some of our representatives recently switched to iPhones, but nobody from
management will ever be allowed anything other than a Blackberry.

Andrea


On 10/13/11 5:55 PM, "Jamie Bowden" wrote:

>
>
>> -Original Message-
>> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
>> Sent: Thursday, October 13, 2011 11:36 AM
>> To: Jay Ashworth
>> Cc: NANOG
>> Subject: Re: [outages] News item: Blackberry services down worldwide
>>
>> On Thu, Oct 13, 2011 at 11:13 AM, Jay Ashworth
>wrote:
>> > - Original Message -
>> >> From: "Jamie Bowden"
>> >
>> >> Someday either Google or Apple will get
>> >> off their rear ends and roll out an end to end encrypted service
>> that
>> >> plugs into corporate email/calendar/workgroup services and we can
>> all
>> >> gladly toss these horrid little devices in the recycle bins where
>> they
>> >> belong.
>> >
>> > I'm fairly sure K-9 does GPG, at least for the email
>>
>> plus normal mail + k9 will do TLS on SMTP and IMAP... or they both do
>> with my mail server just fine. (idevices seem to also do this well
>> enough)
>>
>> It's possible that the 'encryption' comment from Jamie is really about
>> encrypting the actual device... which I believe Android[0] will do, I
>> don't know if idevices do though.
>
>As of 2.3[.x?] (can't remember if it's a sub release that intro'd this),
>Android devices can be wholly encrypted, though I don't know if they are
>by default. All these kludges are great on a small scale, but the BES
>does end to end encryption for transmission, plugs into Exchange, Lotus,
>Sametime, proxies internal http[s], and lets us manage policies and push
>out software updates from a central management point. When it works,
>it's also scalable, which matters when you have thousands of devices to
>manage.
>
>Jamie
>
>
>
