Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Cool idea http://www.msexchange.org/articles-tutorials/exchange-server-2007/mobility-client-access/implementing-captcha-validation-owa-2007-authentication.html Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | www.papamurphys.com -Orig

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Benoit Perreault
How do you install captcha? Thanks. Benoit Perreault Directeur des opérations Groupe Névé / Névé Réfrigération Inc 1290 Labadie, Longueuil, Québec, J4N 1C7 T : (450) 677-9936 poste : 208 F : (450) 677-8005 -Original Message- From: bes-admins-boun...@dataoutages.com [mailto:bes-ad

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Michael Wells
To defeat OWA... We discussed this recently. Our Internet-facing OWA now has a captcha. :) That stops BB, Droid, iPhone, etc. from "scraping" a copy of the data down as a sync. The user can still go to OWA via the web browser, which wouldn't leave a copy lying around on an uncontrolled device.

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Chris Burwell
There is, but in this case we are talking about Blackberries that are not connected to the company BES. - Chris On Tue, Jul 20, 2010 at 3:43 PM, steveaschett...@yahoo.com < steveaschett...@yahoo.com> wrote: > There is no IT Policy to simply disable BIS? > > -- > *Fr

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
There is a great way to find out: http://docs.blackberry.com/en/admin/deliverables/16679/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-1063796-0616124539-001-5.0.2-US.pdf or, yes, there is a way to do this via IT Policy. From: bes-admins-boun...@dataoutages.com [mailto:bes-a

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread steveaschett...@yahoo.com
There is no IT Policy to simply disable BIS? From: Darhl Thomason To: "A list for BES Admin's to discuss issues, etc." Sent: Tue, July 20, 2010 2:03:18 PM Subject: Re: [Bes-admins] Prevent personal Blackberriesfrom accessing company email I saw that.  I ha

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread wrbdecker
Exactly my point. If you open OWA you run a huge risk regardless. Anyone can go to any pc with an internet connection and log in. Anyone can get credentials. Sent via BlackBerry by AT&T -Original Message- From: Don Andrews Date: Tue, 20 Jul 2010 11:48:53 To: ; A list for BES Admin's to

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Don Andrews
nothing - we use 2 factor auth to a reverse proxy - no public OWA without. - Original Message From: "wrbdec...@gmail.com" To: "A list for BES Admin's to discuss issues, etc." Sent: Tue, July 20, 2010 11:11:19 AM Subject: Re: [Bes-admins] Prevent personal Blackberriesfrom accessingcom

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Don Andrews
I think you are just paranoid enough. From: Josh Armour To: "A list for BES Admin's to discuss issues, etc." Sent: Tue, July 20, 2010 11:06:53 AM Subject: Re: [Bes-admins] Prevent personal Blackberriesfrom accessing company email So that takes care of the a

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Yes, I got it, sorry. I had sent this before your other message hit my inbox. I was just too quick on the reply. d Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | www.papamurphys.com From: bes-admins-boun...

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
I saw that. I had already sent this one before his reply hit my inbox. That's what I'm configuring now. Thanks everyone for the thoughts, ideas, and solutions. d Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | www.papamurphys.com

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
Rather than giving the end user the ability to make a decision, I see those that are truly security conscious make the decision to go with some form of two-factor authentication ... and those that need to meet requirements / regulations simply don't allow access; period. From: bes-admins-bou

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread wrbdecker
What stops them from using any public PC for OWA access? Sent via BlackBerry by AT&T -Original Message- From: Josh Armour Sender: bes-admins-boun...@dataoutages.com Date: Tue, 20 Jul 2010 11:06:53 To: A list for BES Admin's to discuss issues,etc. Reply-To: "A list for BES Admin's to disc

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
The documentation that RIM puts out is pretty good. Problem being ... most people don't take the time to read through it. It gives you recommendations on ways to meet your security requirements; just need to put in the effort. From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun.

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Josh Armour
So that takes care of the actual mail delivery issue but there is a lurking issue with BIS access. That issue is users giving (or being comfortable with giving) their credentials to another company. Maybe we are just a little too paranoid over here? That is what I think most institutions are get

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Jim Clouse
I wish there was a consolidated resource that accounted for the various iterations/possibilities that need to be considered/configured to prevent unauthorized third party access to BES (be it device, application or service). Is there such a beast? Food for thought... Displaced and/or rogue

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Just saw that, didn't realize that BES was outbound initiated, but good to know that I can block the inbound 80/443 from that IP range to block the BIS. Thanks! Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | www.papamurphys.com

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
Sigh. You don't need to outright block all inbound access to those IP addresses; just port 80 and 443 ... or whatever ports you have IIS serving OWA running on. That said, you could also block all inbound/outbound traffic to those IPs with the exception of TCP port 3101 outbound initiated. Re

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Jonathan Evenden
BES is outbound - just don't block outbound and you're fine. You're blocking inbound for OWA/BIS, which is what he said in an earlier post. -- Jonathan Evenden Director of IT Consulting MCP - Microsoft Certified Professional TNTMAX, LLC. Technology Solutions by Design 010101000100111001010100

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
HDawg, Your post shows these addresses as the BIS servers: BIS IP Range 206.51.26.0/24 193.109.81.0/24 204.187.87.0/24 206.53.144.0/20 216.9.240.0/20 67.233.64.0/19 93.186.16.0/20 68.171.224.0/19 Another post on your site http://www.port3101.org/featured-blackberry-kb-articles/793-kb037

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Josh Armour
There is a difference though between the user providing their credential to the OWA service themselves and giving their credentials to RIM or the Carrier to check the email for them. -- Josh Armour MobileOps - Sysadmin jarm...@google.com (541) 205-4262 -

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Eggan, Mark
The ONLY way is by users' hardcoding username/password combos on BBs. This is a complete security meltdown. My CIO is melting in his chair now while hearing the words in this thread. It basically comes down to policy. Not only is it a security issue for corporate data and such, you also can

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
It's policy that no personal handheld devices can access email. In principle I agree with you on why not BB OWA if PC OWA is OK, but I still get to enforce the policy. Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 360-449-4044 | c 360-607-5617 | www.papamurphys.com

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
Yes: http://www.port3101.org/featured-blackberry-kb-articles/793-kb03735-firewall-connection-requirements-blackberry-enterprise-server.html. Keep in mind that all you have to do is explicitly deny port 80/443 to these IP addresses to block access to OWA. Also, keep in mind that with BES you'

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
+1 I'll at least give you a piece of chocolate for your password. From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Josh Armour Sent: Tuesday, July 20, 2010 1:36 PM To: A list for BES Admin's to discuss issues, etc. Subject: Re: [Bes-admins]

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Josh Armour
If the user uses OWA, no issue, but if they choose to tell the carrier or RIM their work username and password then they have chosen to share their password with another party. No matter how reputable the company, users should simply not be sharing their user and password.

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
HDawg, This looks to be the most promising solution. Is there another list that shows the BES IP's? I'd want to make sure that they were allowed, the ranges provided for BIS are pretty large and I wouldn't be surprised if they overlap to some degree. Thanks! Darhl Thomason | SysAdmin | Busi

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Jonathan Barker
If they have OWA access then what is the harm in OWA access on their personal blackberry? From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010 10:09 AM To: bes-admins@dataoutages.com Subject: Re: [Bes-admins

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
Ugh! Is there any way to prevent BIS from accessing corporate email? I set up a test account and it looks like it is accessing via OWA, but I cannot turn off OWA as that is the main method our stores use to get email. Darhl Thomason | SysAdmin | Business Technology Papa Murphy's Int'l. | d 3

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Josh Armour
Yes, it's usually IMAP/POP3 for BIS access. I have considered identifying RIM's BIS IP range and blocking at the firewall level. If those IP's are only used for BIS email access and I don't want that. What about IT Policy that blocks the service book? I think that this would only block the sendin

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread hdawg
BIS can also use OWA. See: http://www.port3101.org/featured-blackberry-kb-articles/792-kb11036-firewall-connection-requirements-blackberry-internet-service.html for a list of what IP's BIS connections are coming from. Block these inbound connections at the firewall and you've blocked BIS. Fr

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Eads, Tim
They're using Outlook Web Access to sync. Not sure you can prevent that but if possible I would look in IIS without disabling OWA entirely. From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun...@dataoutages.com] On Behalf Of DOWER, BRIAN Sent: Tues

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Jonathan Barker
BIS uses IMAP and POP3. Are you sure it's turned off? Other options include offline sync using Desktop manager or a 3rd-party EAS bridge like AstraSync. From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Eggan, Mark
You are correct, it would be BIS - configured at the store they purchased the phone from. I was at Verizon the other day and this is the conversation that I heard... TECH: Sure, you don't need the $45 dollar (data) plan, just get the $30 buck one and I'll show you how to access your com

Re: [Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread DOWER, BRIAN
We allow people to do that here, they configure it as a webmail account like a Yahoo or gmail From: bes-admins-boun...@dataoutages.com [mailto:bes-admins-boun...@dataoutages.com] On Behalf Of Darhl Thomason Sent: Tuesday, July 20, 2010 12:55 PM To: 'bes-admins@dataoutages.com' Subject: [Bes-

[Bes-admins] Prevent personal Blackberries from accessing company email

2010-07-20 Thread Darhl Thomason
I just found out that we have people with personal Blackberries accessing their company email, they are definitely not set up on my BES, so I'm guessing they must be using BIS. How can I prevent them from accessing their company email on their personal devices? I know it's not via IMAP or POP3

[Bes-admins] Custom report from the database

2010-07-20 Thread Amos Aesoph
Is there an easy way to pull a custom report from the BES database? Or do I need to go directly to the tables and figure out what tables/columns everything is in? Is there a reference for where that data is located in the tables? I need a report that shows: User Name Model ESN PIN Carrier OS Ver