Not a security risk, but there was a huge, extended outage of RIM's server just a few weeks ago. It made the world news, and there were a lot of annoyed executives. And they're the ones who make purchasing decisions. It has nothing to do with Canada, so don't go looking for things to be offended about.

Also, last time I checked, RIM did not encrypt the subject lines of messages being transmitted via BES. This was something that Goodlink pointed out as being a real flaw in RIM's system. This was a while ago, hopefully RIM has corrected it. Plenty of people, especially those darn executives, use subject lines for communication.

Subject lines are also encrypted via BES, even corporate MDS apps, and Goodlink couldn't significantly prove that statement.
 
The Blackberry is already disappearing from the corporate world. Every day I see more and more iPhones appearing in the workplace. People are buying them on their own and then handing in their Blackberries. RIMM will be deader than Palm in two years. I wouldn't be surprised if Verizon buys them.


Yeah right! Sure Joe Blow you and others buy their own PERSONAL device. But I have yet to see a REAL corporate IT Department order iPhones as a means of corporate intranet, and email and ticketing or db system access remotely.

WHY do so many ppl NOT experienced or trained using a BES in a large corporate environment spread such saggin bull?

Can you use the iPhone to access corporate Remedy Ticketing system, sales force implementation, or even update or lookup calendaring appointment information? NO!

* Maybe with the upcoming MSMDS implementation but NOTHING in this SDK or licensing states that Microsoft's Mobile Data System Server will support the iPhone. IF it did THEN we'd be talking.

Let's see how the average corporate user can type a FULL email after 3mths daily usage on a BB vs an iPhone! Also on the BB I can run applications SIMULTANEOUSLY ... you cannot do this on the iPhone which makes this limitation BUNK at best - I'm saying the iPhone CANNOT do multi-tasking but it's been limited a POOR move by Jobs & Co.

Lose your iPhone and have some punk set it up on the network. Sure your data will be wiped with the Kill signal sent from your IT department - but PUNK can STILL use it as his own. All providers that support the BB can track the PIN and also specify the device to be a PUCK/Paper weight and disable message collaboration services.

There is SOO much ppl don't know about the RIM infrastructure!
Remember your government relies on RIM ... and their NOC setup is SEPARATE from ALL other corporate & consumers email ... so when a nationwide outage occurs the US Gov is NOT affected.

(my statements are made with emotion but based on direct hands-on experience, fact & training in the Blackberry/BES/BIS field, and years of cellular experience.)
 
If you are referring to the voice conversation you are correct and in some cases web browsing.

But if you are referring to the emails, the answer is they are encrypted from your company to the device and back. However if you cc someone that is not in your company, the message is still going to go to your company exchange server via an encrypted channel and a message to the cc recipient is going to go in the clear to that individual because the company cannot encrypt it as the individual does not have a relationship with the company and a Blackberry.

Depends on what you do with your device.

You can set the Blackberry to use your company web proxy and connect via a secured channel back to the company. The web-proxy will take all your requests, send them to the net, (maybe make a log entry), get back the results (make a log entry), and send them back to your Blackberry in the encrypted channel. That way your company gets to keep tabs on what you are doing over the web. Yes your device can be locked to work this way so you cannot browse without the company having a record.

I did a major risk assessment on the Blackberry so I have an idea how secured it is and where the weaknesses are.

Then you should know that the Proxy is the least secure method to obtain corporate intranet information then, hmm?!
 
You're kidding, right?
If not, then it appears you're the only person spreading FUD here.
He was merely referring to the NOC (part of the equation) as the security risk, not Canadians. :rolleyes:

I'm not sure I followed this part of the conversation. I think the other Canuck was referring to the large media following with NTP vs RIM case back in 2006. But he/she should've stated so.

Has anyone YET proven a security hack to the RIM infrastructure at ALL, ever?? Not that I've seen or googled and not with proof backing it. ;)

Good move Apple but I'd like to see support for MSDMS implemented with ActiveSync. MSDMS uses ActiveDirectory for provisioning along with MobileVPN.
 
For what it does, Blackberry is an excellent device. It is quite secure and functional with BES. The major drawback to Blackberries is that it is all rather drab and limited. I don't think RIM has it in them to innovate/update to maximize what a portable push device can do. :apple: using Exchange server is pretty clever given that all BES are built upon an existing Exchange server so the changeover would be pretty painless.

What do you mean by rather drab & limited? HOW ... clarify, qualify, or quantify this statement pls?

Can you integrate your iPhone with a corporate PBX system? I'm still waiting for that solution. Can you look up Remedy tickets securely? Can you access your Oracle 8i, 9i DB's? Can you restrict a group of ppl from accessing certain outside sites vs others who get ALL internet on their BB's? Corporate IM (not GoogleTalk or AIM/MSN) - SameTime, etc.

Again there is soOOOooo much more to a Blackberry than meets the eye, folks. I'm GLAD that Apple is going for the corporate market ... I just wanted to see MORE. For those of you that are old enough to remember ... the NEWTON offered so much as well and really had no competition. I personally see the iPhone as a next-gen Newton with SOOO much more potential but Apple is limiting it for some reason that I cannot understand (Bluetooth for example).

Maybe there is more to this "ActiveSync" agreement that'll show its head later this quarter.

PS: RIM has been working on changing the BES flow of corporate data/email to match with the competition; not available yet - 3rd party implementations handle this.
 
I guess you're not in the government IT field, huh?

No I'm not. I was talking about the corporate world. I do not include government in the corporate world. They have their own set of rules. With that said, all Apple needs to do is remove the camera in the iPhone and they have a government phone.
 
Hands up anyone that thinks Apple will remove the camera and upset their core* iPhone buyers! :p


*Core iPhone buyer: Consumer that likes all-in-one devices (Music player, mail client, phone, camera – and bog-standard earphones).

Duh, that's not what he meant. Apple will sell a special version of the iPhone with a camera for those who do not allow cameras on their sites.
 
Apple is using the latest (and as of Exchange 2007, the only) supported new method which is the DirectPush variant.

Basically, the client device makes a secure (HTTPS) connection to the server. If there is any new event (calendar/contact/mail) then data is sent across the wire. If no data has been sent for the heartbeat interval (typically 30 minutes), then a simple ping message goes across to keep it alive. Otherwise the connection lies dormant, which on most devices means it isn't sucking battery life etc unless it is in the midst of exchanging data.

This DirectPush method does not use any SMS messages and should not be involved with the other patent issue you brought up. Of course, should they decide to sue Microsoft, Microsoft would go to bat to make sure DirectPush stays alive (as it is used by all their current Windows Mobile devices as well)

I had thought that SMS was no longer used. Thanks for the clarification; I learned something new today. I don't like 30min heartbeat interval part though. What if my WMPro device has a data connection with my provider and I go underground in the subway? (typically from West end of Toronto to North end takes around 40mins - with only a brief 2min outside window of network connection - not fast enough to fully establish an HSDPA/UMTS connection; GPRS/EDGE maybe but will it be long enough for MSExchange PUSH to establish another connection?)

I find this hard to believe. Just so you know if exchange is not working then you won't get mail. BB still works as a phone but if exchange is down then BB will not give you e-mail because guess what?? The exchange box is not there to give mail to the BES for delivery. You obviously do not understand that Active Sync depends on exchange as much as BB does.

To the contrary in the BB world there are more points of failure compared to Active Sync.

What point of failure are you mentioning? The data network (ie AT&T, TMobile USA/Germany/UK) is one such failure ... one that has been at fault (APN) lately except for the 2 RIM NOC outages in 2007 - 1 in 2008 thus far. IF the NOC goes down, ppl can STILL use BBMessenger or direct PIN to their colleagues to send messages or attachments (if BES allowed).
 
That doesn't change the consumer part, methinks. Some places don't allow it, and I truly think that Apple introduced it, only to sell to broader segment. The same reason they tried ditching the FW800-port: "It's not broadly used feature".

Edit: You could use the same argument for a camera phone. It'll be useful for some – for instance to take a quick picture of something and mail it back to HQ. Or for video conferencing (assuming a two-camera product). It just doesn't change the basics: It's a liability, and to most "pros" (I use this term loosely here) it's useless.
Anyway, just a tad off-topic :)

This is VERY RELEVANT!

Some businesses like LE LePage or other RealEstate corporations use the Camera on their BB's or WMPro devices to take pictures of houses, rooms, lawns etc to help sell the property. Your Government will disable this feature OUTRIGHT. Remember when we're talking about using a smartphone as a corporate tool then anything that the IT department would like/want to administer is full game in this conversation/rebuttal.

Many ppl thought the same way with BB before the 8100 Pearl was introduced with BES Admins the ability to fully disable it or the MicroSD card.
 
I think you can use Certificate based authentication to help mitigate most of that risk or you could force your users to connect to a VPN prior to connecting to the exchange server, then you wouldn't have to open any extra ports.

I guess the VPN thing could work, provided your users don't mind the extra step, and assuming that there is a supported IPSec client available for the iPhone. Not everyone uses Cisco. In my case we have an F5 SSL VPN, which supports ActiveSync connections by proxying the request to the Exchange server, unfortunately direct push didn't work in this manner. And although we can support network access like a regular IPSec VPN, there is no F5 client available for the iPhone (or the Blackberry for that matter). So the VPN is out, the Firewall is out, that leaves only BES, or some other middleware solution like Visto.
 
Well, let me see. BB has a single point of failure. Plus you have to pay a monthly charge to use the BB service. Currently the company I work for uses BB; it cost us 5000 $ US to buy the BES server software. This was only 25 licenses. I have to purchase a 100 dollar license every time I add a new person to the BES. And on top of the normal voice plan I have to pay 40 dollars for the BB data plan.

It cost a lot of money to implement BB. This does not include upgrade fees whenever a new version of the BES comes out. Also it does not account for device purchase.


So you don't have to pay a voice plan to use phone calls on your Windows Mobile device or regular phone? You don't have to pay a data plan to use internet or email connections either on your smartphone or regular phone? Please, mentioning those costs is irrelevant. Stating BES charges from a prior installation is not relevant for current plans. Also I'm sure with that BES license if your BES Admin cannot resolve a problem he can call into Waterloo, or Texas, or Nova Scotia, or Vancouver for support to get things resolved, right?
 
This is VERY RELEVANT!

Some businesses like LE LePage or other RealEstate corporations use the Camera on their BB's or WMPro devices to take pictures of houses, rooms, lawns etc to help sell the property. Your Government will disable this feature OUTRIGHT. Remember when we're talking about using a smartphone as a corporate tool then anything that the IT department would like/want to administer is full game in this conversation/rebuttal.
What do you mean "your [my] government"? I'm a Dane, living in Copenhagen, Denmark, Europe, outside the US :p

Anyway, thanks for thinking it wasn't off-topic. I somewhat see your point: Since the iPhone is the challenger, the way the hardware functions (or not) could be relevant.


Many ppl thought the same way with BB before the 8100 Pearl was introduced with BES Admins the ability to fully disable it or the MicroSD card.

It's weird. Even as a journalist, audio recorder in hand, on my way to do an interview with someone up high in the hierarchy, I sometimes get my camera taken while doing the interview. I don't mind, as I'm not a photographer (I work with radio and write), but some places, they're very wary of camera phones/pocket cameras.
 
This is VERY RELEVANT!

Some businesses like LE LePage or other RealEstate corporations use the Camera on their BB's or WMPro devices to take pictures of houses, rooms, lawns etc to help sell the property. Your Government will disable this feature OUTRIGHT. Remember when we're talking about using a smartphone as a corporate tool then anything that the IT department would like/want to administer is full game in this conversation/rebuttal.

Many ppl thought the same way with BB before the 8100 Pearl was introduced with BES Admins the ability to fully disable it or the MicroSD card.

I can tell you now the FBI doesn't care if you can disable the camera, if it is on the phone you can't bring it in to the facility. Period. To be honest I know there are lots of DoD places that are the same way (basically anywhere that processes classified info). Yes that doesn't matter to the Real Estate person, but you would have to figure who spends more money on licenses, the government or a small mom and pop shop?
 
Wow even for interviews, the camera/camera phone is off-limits ?! Wow didn't think of that.

I think it might be because I could "nip to the toilet" and get me some pictures, whereas a huge-arse camera (for the photographer) or my audio recorder can't do much inconspicuously on the way to the toilet. I don't know, though, it's just my guess.
 
Yeah right! Sure Joe Blow you and others buy their own PERSONAL device. But I have yet to see a REAL corporate IT Department order iPhones as a means of corporate intranet, and email and ticketing or db system access remotely.

WHY do so many ppl NOT experienced or trained using a BES in a large corporate environment spread such saggin bull?

Can you use the iPhone to access corporate Remedy Ticketing system, sales force implementation, or even update or lookup calendaring appointment information? NO!

* Maybe with the upcoming MSMDS implementation but NOTHING in this SDK or licensing states that Microsoft's Mobile Data System Server will support the iPhone. IF it did THEN we'd be talking.

Let's see how the average corporate user can type a FULL email after 3mths daily usage on a BB vs an iPhone! Also on the BB I can run applications SIMULTANEOUSLY ... you cannot do this on the iPhone which makes this limitation BUNK at best - I'm saying the iPhone CANNOT do multi-tasking but it's been limited a POOR move by Jobs & Co.

Lose your iPhone and have some punk set it up on the network. Sure your data will be wiped with the Kill signal sent from your IT department - but PUNK can STILL use it as his own. All providers that support the BB can track the PIN and also specify the device to be a PUCK/Paper weight and disable message collaboration services.

There is SOO much ppl don't know about the RIM infrastructure!
Remember your government relies on RIM ... and their NOC setup is SEPARATE from ALL other corporate & consumers email ... so when a nationwide outage occurs the US Gov is NOT affected.

(my statements are made with emotion but based on direct hands-on experience, fact & training in the Blackberry/BES/BIS field, and years of cellular experience.)
You should have placed your disclaimer before your comments.

With that said, perhaps it's time that you hedge your bets and stop thinking like a typical "know it all IT person" and open up to other technologies.

RIM and Blackberries had a nice run and it may continue, but if it doesn't you shouldn't be so closed minded to newer technology.

I've seen this a million times. Sure yesterday's technology may have some cool features and may be technically better, but if that's not what the enduser wants to use then....

What I'm seeing more and more are people, mostly sales people either carrying both a Blackberry and an iPhone around (with the iPhone being their preferred device) during work hours and then when it comes time to just carry one device they choose the iPhone.

I've also seen many small to medium businesses buy into the Blackberry and then when it doesn't work they go to their Exchange Administrator who tells them that their server is up, it must be something in the black cloud which is RIM. Just recently RIM customers had to suffer through a 3 - hour service outage because RIM had problems upgrading an internal data routing system. Alright I'm a sales person on the road and I want to connect to my e-mail and I can't because of this. I call my IT department and they tell me that they're up, but RIM is down.
 
I had thought that SMS was no longer used. Thanks for the clarification; I learned something new today. I don't like 30min heartbeat interval part though. What if my WMPro device has a data connection with my provider and I go underground in the subway? (typically from West end of Toronto to North end takes around 40mins - with only a brief 2min outside window of network connection - not fast enough to fully establish an HSDPA/UMTS connection; GPRS/EDGE maybe but will it be long enough for MSExchange PUSH to establish another connection?)

Nothing wrong in that scenario, it happens all the time. That heartbeat is just used to keep the connection alive. If the connection is dropped, the client just re-establishes it the next time it has connectivity and resets the interval again.

It works quite well on the latest Windows Mobile devices (even going in and out of coverage as you mention), it is just a pain to get going. I think Apple has a great opportunity to do this right...
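
The heartbeat and reconnect behaviour described in the posts above, as an added example that is not part of any post in this thread: a simplified minute-by-minute Python model of a long-held push request (not the ActiveSync wire protocol). The function name and the `setup` parameter (minutes of continuous coverage needed to re-establish the request) and `fw_idle` parameter (a firewall that silently drops connections idle that long) are assumptions made for illustration.

```python
"""Toy model of a DirectPush-style long-held HTTPS request (added example)."""


def simulate(duration, heartbeat, gaps=(), mail_at=(), fw_idle=None, setup=1):
    """Simulate `duration` minutes of a client holding one push request open.

    heartbeat: minutes of silence after which the client sends a keep-alive
    gaps:      (start, end) minute ranges with no coverage, end exclusive
    mail_at:   minutes at which new mail arrives on the server
    fw_idle:   assumed firewall idle timeout in minutes (None = never drops)
    setup:     assumed minutes of continuous coverage needed to reconnect
    Returns connects, pings and {arrival minute: delivery minute}.
    """
    up = stale = False            # up: client holds a request; stale: path is dead
    idle = covered_run = connects = pings = 0
    pending, delivered = [], {}

    for t in range(duration):
        if t in mail_at:
            pending.append(t)     # mail waits on the server until it can be pushed

        if any(start <= t < end for start, end in gaps):
            up = stale = False    # out of coverage: the connection is gone
            covered_run = 0
            continue
        covered_run += 1

        if not up:
            if covered_run < setup:
                continue          # coverage window too short so far
            up, stale, idle = True, False, 0
            connects += 1

        # The firewall forgets an idle flow; the client cannot see this happen.
        if fw_idle is not None and idle >= fw_idle:
            stale = True

        if stale:
            if idle < heartbeat:
                idle += 1         # server pushes are lost on the dead path
                continue
            # The keep-alive fails, so the client opens a fresh connection.
            stale, idle = False, 0
            connects += 1

        if pending:
            for arrived in pending:
                delivered[arrived] = t
            pending.clear()
            idle = 0              # traffic resets the heartbeat interval
        elif idle >= heartbeat:
            pings += 1
            idle = 0
        else:
            idle += 1

    return {"connects": connects, "pings": pings, "delivered": delivered}


if __name__ == "__main__":
    # Constructed scenario: 40 minutes underground with a 2-minute window.
    subway = [(10, 29), (31, 50)]
    print("fast reconnect:", simulate(120, 30, subway, [15]))
    print("slow reconnect:", simulate(120, 30, subway, [15], setup=3))
    # Constructed scenario: firewall drops idle flows after 15 minutes.
    print("heartbeat 30:", simulate(60, 30, mail_at=[20], fw_idle=15))
    print("heartbeat 10:", simulate(60, 10, mail_at=[20], fw_idle=15))
```

In this model a heartbeat longer than the firewall's idle timeout delays mail until the next keep-alive fails and the client reconnects, while a shorter heartbeat keeps the path alive at the cost of more pings.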
 
The one point that always seems conspicuously absent is that in order for ActiveSync to work, you must punch an inbound hole in your firewall, directly to your Exchange server on port 80 or 443. Exposing your Exchange server directly to the Internet in this manner, is something that should set off alarm bells in the minds of any Network Administrator. I would say this is the reason, along with the fact that some firewalls don't even support the long HTTP connections required for direct push to work, that ActiveSync has failed to make any significant dent in the dominance of Blackberry.

The outbound connection required for BES to work, plus data encryption at the source, is much more secure than the direct access model employed by ActiveSync, even if data is held on a third party server.

Apple would have had better luck in the enterprise if they had licensed Blackberry Connect software. As much as I crave the iPhone, I think I'll have to stick with Blackberry.

LOL. There's no port 80 involved, it's all SSL (port 443). Which is already open on any exchange setup that is offering OWA (which is most). Anyone serious is filtering that traffic through a hardware firewall appliance or software firewall such as ISA. And it's encrypted end to end - you don't seem to know too much about exchange. Enjoy your crackberry now because the sun is setting =)

As for the earlier question about exchange 2007 - I know a number of administrators who have pushed it out. It will get another big push with the advent of Small Business Server 2008 and the mid-sized business equivalent microsoft is releasing soon. 2007 offers far greater control and scalability, and has some much-needed enhancements to activesync and device management that 2003 doesn't offer. ex2003 service pack 2 is extremely solid, however, and will continue to be run for a loooong time due to ex2007 requiring 64 bit hardware.
 
Hi all,

this is a real interesting thread and I have learned A LOT. Thanks for those comments. Now I do have one question for you. I would appreciate if you could enlighten me here..

My gf got a Blackberry Pearl a few months ago for personal usage. She took the special "Blackberry" option with the cellphone provider.
She had to go to the cell provider's website and to open an account to set up her Gmail account in order to receive her GMail messages as push.

What happened there? How can Gmail suddenly offer push? Does the cell provider run a BBExchange server that communicates in some way with Gmail to push it to the phone?

I mean what is this account that she created?

And could it be possible for Apple to offer such a server to provide push mail to everyone?

Thank you
 
Newton

Palm has been circling the drain for years. They self-destructed long ago with no help from Apple, so let's not get carried away giving credit where it isn't due.

Well.. you might be missing a point: Palm did kill the Newton, an early iPhone incarnation (without the telephone and multimedia bit)
 
Hi all,

this is a real interesting thread and I have learned A LOT. Thanks for those comments. Now I do have one question for you. I would appreciate if you could enlighten me here..

My gf got a Blackberry Pearl a few months ago for personal usage. She took the special "Blackberry" option with the cellphone provider.
She had to go to the cell provider's website and to open an account to set up her Gmail account in order to receive her GMail messages as push.

What happened there? How can Gmail suddenly offer push? Does the cell provider run a BBExchange server that communicates in some way with Gmail to push it to the phone?

I mean what is this account that she created?

And could it be possible for Apple to offer such a server to provide push mail to everyone?

Thank you

She is probably using BIS (blackberry internet services) which is kind of a BES "lite" that cell providers use to provide basic email services for standalone crackberries. It doesn't do contacts/calendar like Exchange/BES does.
 
Paranoid Canadian

FUD, FUD, FUD.

I hate that he portrays us Canadians as a huge security risk to you Americans. Yeah, play on the fears of the ignorant American who thinks anyone on foreign soil must be the bad guy.

Just one more paranoid Canadian, I don't recall that Steve Jobs said that Canadians are a huge security risk just RIM's system. You obviously live in the east!
 
I think you can use Certificate based authentication to help mitigate most of that risk or you could force your users to connect to a VPN prior to connecting to the exchange server, then you wouldn't have to open any extra ports.
+1
Firewalls can be configured to temporarily authenticate a device IP to pass through the firewall using either a certificate or token+pin and domain credentials. No permanent open ports are necessary.
 
LOL. There's no port 80 involved, it's all SSL (port 443). Which is already open on any exchange setup that is offering OWA (which is most). Anyone serious is filtering that traffic through a hardware firewall appliance or software firewall such as ISA. And it's encrypted end to end - you don't seem to know too much about exchange. Enjoy your crackberry now because the sun is setting =)

True, I'm not an Exchange expert, although I'm not sure how you've determined that from my post. I have a working knowledge, which includes the configuration of Exchange for ActiveSync and OWA, and while both support SSL, neither requires it. My implementations of both of these have used run-of-the-mill HTTP, but neither were exposed directly to the Internet, both required a VPN connection.

My issue was not so much about encryption, SSL is easy enough to set up. My concern is about exposing the Exchange server directly to the Internet. Regardless of whether I expose it on port 80 or 443, there's inherent risk that has nothing to do with encryption.

While I'm not an Exchange expert, I am an expert on our Firewall and VPN. I know that there are complicated DMZ arrangements which mitigate some of my concerns. VPN is also an option, as long as iPhone has a client that supports it, and your users don't mind the extra step. But why go through these contortions to solve a problem that Blackberry has already solved?

Don't get me wrong. I have no love of the Blackberry. It has been the bane of my existence from the first day it appeared on my network. I have stubbornly resisted the tide and stuck with my Palm Pilots and iPaqs, using Visto or ActiveSync for e-mail. Neither Visto nor ActiveSync matched what was available on the Blackberry, but I didn't care. I was more concerned with other functions. Blackberry has always been strong on e-mail, but weak on applications, WiFi, and VPN support. So while I, as an individual, could live with the shortcomings of Visto or ActiveSync, neither of these proved to be viable for the enterprise as a whole, where access to e-mail was the driving factor.

Blackberry, however, has come a long way in supporting my individual requirements, plus the Exchange integration that has always been there. Visto on the iPhone doesn't support Calendar, and ActiveSync didn't work properly through our SSL VPN. So I think Blackberry wins out in our case, much to my chagrin.
 
True, I'm not an Exchange expert, although I'm not sure how you've determined that from my post. I have a working knowledge, which includes the configuration of Exchange for ActiveSync and OWA, and while both support SSL, neither requires it. My implementations of both of these have used run-of-the-mill HTTP, but neither were exposed directly to the Internet, both required a VPN connection.

My issue was not so much about encryption, SSL is easy enough to set up. My concern is about exposing the Exchange server directly to the Internet. Regardless of whether I expose it on port 80 or 443, there's inherent risk that has nothing to do with encryption.

While I'm not an Exchange expert, I am an expert on our Firewall and VPN. I know that there are complicated DMZ arrangements which mitigate some of my concerns. VPN is also an option, as long as iPhone has a client that supports it, and your users don't mind the extra step. But why go through these contortions to solve a problem that Blackberry has already solved?

Don't get me wrong. I have no love of the Blackberry. It has been the bane of my existence from the first day it appeared on my network. I have stubbornly resisted the tide and stuck with my Palm Pilots and iPaqs, using Visto or ActiveSync for e-mail. Neither Visto nor ActiveSync matched what was available on the Blackberry, but I didn't care. I was more concerned with other functions. Blackberry has always been strong on e-mail, but weak on applications, WiFi, and VPN support. So while I, as an individual, could live with the shortcomings of Visto or ActiveSync, neither of these proved to be viable for the enterprise as a whole, where access to e-mail was the driving factor.

Blackberry, however, has come a long way in supporting my individual requirements, plus the Exchange integration that has always been there. Visto on the iPhone doesn't support Calendar, and ActiveSync didn't work properly through our SSL VPN. So I think Blackberry wins out in our case, much to my chagrin.

As I mentioned, Outlook Web Access requires port 443 for SSL connections from web browsers already. And very few large shops would be passing traffic directly to the exchange server - again most run this traffic through a hardware firewall appliance and/or ISA 2006 firewall (which is designed specifically to work with exchange 2007). If you know how to set it up properly (which it sounds like you probably have the know-how to handle) then it is no less secure than RIM's solutions at their NOC. In fact it is perhaps a bit MORE secure due to the obscurity of not having your traffic all flowing to a very well-known and probably highly-targeted NOC!

I understand your concerns but you have to allow some traffic (smtp for example) otherwise nothing works =) Nothing gets in or out of my infrastructure but SMTP and SSL, with the exception of a single box that serves up a few websites on port 80 from my DMZ. SMTP is also locked down to a particular IP range since our email is pre-screened by MXLogic (similar to postini).
 