Port3101.org : Your BES Connection



Best Practices: Security and Blackberry Devices
 
#1 (permalink)
Old 06-08-2009, 09:36 AM
BES Activated
 
Join Date: Jun 2009
Location: Boston
Posts: 1

I have read books that deal with security and BlackBerry. The topics discuss device security and server security and range from conservative to liberal in terms of security. One view was to split up the services offered by the BES into different servers. This would allow you to put services that needed to touch the outside world into your DMZ and keep the rest within your corporate LAN. We are going to opt to put the entire server in the DMZ to avoid the headache of splitting the BES server apart.

Device security and IT Policy is currently stock on our system. There is a list of things we need to make a decision on. Ultimately I just need to go through the list and choose, however, I am not sure what the best practices are that seem to make both the end user and the sys admin happy.

How do you administer your company's IT policy to your end users? Do you even use an IT policy? Do you push all BlackBerry traffic through your BES or do you let it go straight out to the internet? Passwords? Third-party apps? Bluetooth? And the list goes on...

Lastly, is there a resource that I can go to to view best practices for IT policy on BlackBerry handhelds?
  #2 (permalink)  
Old 06-08-2009, 03:11 PM
hdawg's Avatar
Proprietor
 
Join Date: Nov 2008
Posts: 2,238
Blog Entries: 147

Quote:
Originally Posted by jleaman View Post
I have read books that deal with security and BlackBerry. The topics discuss device security and server security and range from conservative to liberal in terms of security. One view was to split up the services offered by the BES into different servers. This would allow you to put services that needed to touch the outside world into your DMZ and keep the rest within your corporate LAN. We are going to opt to put the entire server in the DMZ to avoid the headache of splitting the BES server apart.
First off, welcome! Glad to have you here. Are you using Domino or Exchange for your mail platform? That said, regardless I'd recommend against doing this ... putting your BES in the DMZ isn't supported by RIM and if you really really really want to protect, check out this post on firewall / connection requirements for BES.

Quote:
Device security and IT Policy is currently stock on our system. There is a list of things we need to make a decision on. Ultimately I just need to go through the list and choose, however, I am not sure what the best practices are that seem to make both the end user and the sys admin happy.
Generally I recommend taking the path of least resistance. What policies do you have in place for Desktops / Laptops? Find a happy way to integrate BlackBerry into that policy that protects the data from those that shouldn't have it, but is still convenient enough for those that use it.

At a minimum I would use a password policy and an idle lock time out. You should think about how you want to manage applications also ...

Quote:
How do you administer your company's IT policy to your end users?
I recommend every IT Administrator have a security policy in place that they are able to participate and provide input on creating ... that they then implement ... but make sure it is signed off on by a CIO / CTO / CSO. Nothing is worse than an Administrator making policy decisions.

Quote:
Do you even use an IT policy?
Every BlackBerry handheld on a BES has an IT Policy ... some people choose to leave the default ... which I never find to be a good move.

Quote:
Do you push all BlackBerry traffic through your BES or do you let it go straight out to the internet?
Another good one. Do you want everything tracked on the device and logged? Do you want people to be able to access sites that might be blocked on your corporate network? It all depends on how much you want (need) to control the device and what it does.

Quote:
Passwords?
Always.

Quote:
Third-party apps?
Depends ... if you don't manage apps effectively it can become a real mess ... but if you're a small environment it isn't that big of a deal.

Quote:
Bluetooth?
I never block it unless there is a compelling reason to do so. ... no one has actually ever posed one to me.

Quote:
Lastly, is there a resource that I can go to to view best practices for IT policy on BlackBerry handhelds?
... you just gave me a great idea for a blog post. Everyone has their own flavor ... I'll come up with some sample ones.
Attached Files
File Type: pdf Policy_Reference_Guide.pdf (1.01 MB, 548 views)
__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.
  #3 (permalink)  
Old 06-08-2009, 04:29 PM
Otto's Avatar
Proprietor
 
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,032
Blog Entries: 14

I was talking with someone the other day regarding DMZ placement of the BES and/or BlackBerry Router. My first question would be - do you allow internet access from your servers on the internal network (do your mail servers have access to Google, for example)? If so, then I would not even think about installing a distributed component in the DMZ, much less the entire server.

Secondly, as hdawg mentioned, the placement of the entire BES in the DMZ is NOT supported by RIM. In fact, I would argue that there may be only a handful of companies in the world who have this sort of configuration, if that many. The firewall configuration for opening ports for the entire BES in the DMZ connecting back to your internal network would be far more complicated than opening a single port (or two) for the distributed Router component.

The most important IT Policy configurations for the device are centered around the password. Regardless, any policy you implement should be well documented and align with corporate desktop security policies (if not a tad more flexible, depending on your organization). There are a lot of options to choose from, most of which you'll never need and some that are no longer even applicable. Be sure to make note of which ones you want to implement and their corresponding device software versions. I'll list my policy here shortly.
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.
  #4 (permalink)  
Old 06-09-2009, 11:58 AM
Pinjo's Avatar
Supreme Commander
 
Join Date: Jan 2009
Posts: 114
Blog Entries: 2

Jumping in on the Best Practices part, I'm not sure one can really come up with one. I think the prime example was talking to people at WES and hearing of the vast differences in company security requirements for BlackBerry devices. Maybe that is something that "should" be standardized across the board to some extent, but I really do not see that happening.

To use as an example, I've seen enough Desktop Computer Best Practices sheets to know that a majority of them apply to any computer (personal or business) on any network at any time (firewall, disabling certain services, automatic updates, antivirus, strong passwords, etc.). Full disk encryption might be a recommendation for certain businesses, but it's typically not considered a best practice for everyone.

With BlackBerry devices (or smartphones in general), outside of password protection, I really do not see too many best practices that can apply to the masses. Anything centered around the password "could" be (length, lockout, etc.), but things such as Content Protection, Disabling Bluetooth, 3rd party apps, etc. wouldn't be included. One size does not fit all with a BES environment. Whatever is important to your organization, your users, and your data integrity are what should be considered your best practices.
  #5 (permalink)  
Old 06-09-2009, 12:14 PM
Cheese Sammich's Avatar
Super Moderator
 
Join Date: Dec 2008
Location: Long Island
Posts: 232

^^^ I'm with Pinjo.