After reading through several forum posts/threads and the BTSC articles I am still curious about a few things in regards to creating groups, software configurations application control policies.

Here's my setup:

I have two 4.1.6 MR2 BES servers that combined serve about 1200 users on Exchange. They are within the same Blackberry domain with SQL locally installed on one of the BES servers.

Admins before created an IT policy which disables Bluetooth and requires a device password with complexity requirements. It also 'disallows third party applications'. This policy is assigned it to all users

Their is only one software configuration and it applies to all users (for the DST patch).
Their are no groups currently created.

I've already created 3 app control policies (Required, Disallow and Optional).

Where I'm stuck is group and software configuration.

I know how to create both, but I want to create my groups and software configs in a way that will be easiest to manage....

For example: If I wanted to install Google Maps for a user (myself) who is not currenty part of a group, has the default IT policy with the disabled BT, password and no 3rd party apps selected, I would create a software configuration, click google maps, set the delivery to wireless and choose the required app control policy.

This is where I get stuck..

From here, should I create a group for this user and assign the app to the group?
If so, what do I call that group? Google Maps?
If I call the group Google Maps, and a user (myself) later wants to add another application to my device like pacman... What do I do then?

Do I create a new application control policy called google maps and pacman, set both to required, then create a new group for those two and assign the new software configuration to the new group?

See where I'm heading? (I'm not too concearned right now with being able to index the different applications, that I have working).

Thanks!
N B A

BES 5 is what you need. Groups and Software configs are much more granular.

Just recommending someone to upgrade to BES 5 is not a satisfactory answer.
That is a big move for some companies, and BES 5 has its own issues right now that they are dealing with as well.

to OP, it sounds like you are going to have to create multiple software configurations. Keep in mind though, a software configuration can have more then one application. So in your example, it sounds like you would need one software configuration with both applications on it with one control policy.

__________________
MCSA 2003 +M MCITP | EMA
Who cares, RIM will just change how they do Cert's again

N B A -

This gives me a headache every time I think about this, but I’ve had the same thoughts as you and wondered the same thing. Standardization is what I think will be the end goal for those of us with a robust environment. My set up is similar to yours, though I’m going to move to BES 5.0 with some changes in the set up beginning this weekend.

IMHO, creating a group or application control policy for each application you use is going to be a nightmare to manage. Of course, if you can juggle them, more power to you. I’m definitely not that gifted.

To expand what bbhorrigan said. In my environment, I have tried my best to standardize what applications will be needed by my user base. For example, I may set up a group called ‘required applications’. In this grouping, I have also created a software configuration that contains the applications each of my users will most likely use, regardless of position/title. That might be Office Communicator, RSA, Google Maps, and Bloomberg. The application control policy is set to either optional or required. And the push is initiated.

For applications that may or may not be needed on the same scale, like your pacman example, I would create a separate software configuration containing this as well as any other applications, assuming you can also group the optional items. If not, then you have to go the route of a separate software configuration for each additional optional application, though if you find yourself making so many optional software configurations for these optional applications, I would consider you putting them all together like the required applications and again, try to simplify it. The application control policy would be set to optional and push out.

A couple of things to note. You may need to create an additional IT Policy for your groups. This would be dependent on any specific settings your OTA applications would require. Also, I don’t think you would need to create individual application control policies as you can just change the option on the attached control policy. Of course, if you just wanted to be able to affect an individual unit, a separate one would need to be made, but I don’t think it would need to be labeled as that specific application. You can easily just make generic disallow ACP to use on individual users.

The last thing that bothers me is that in your current BES set up, there was no real easy way to see who had what applications associated with them. You could export the information and sort on them or in my case, I have a 3rd party application that works with BES to show me who has what. Hope that helps.

I created Groups based on the Application Control Policy disposition. That is, one named Required, Optional, Disallowed. I created software configurations based on this e.g. All required apps get added to the one Software Configuration with the "Required" application control policy. That software configuration then gets assigned to the "Required" group. I then assign users to the groups.

...but then again, if this is for a single user or two, is there really a need for the group configuration? There's not much benefit. If Groups are standard within your environment and you're wanting to do it for the sake of standardization, then by all means... but if its just a single user or two...

__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

What I do is create an App-Configuration and at the very top level apply disallow policy.

For each allowed application, set them to anything but disallow (Optional/Required). Make sure you set the install as "Wireless" so it will push OTA. This will allow you to remove the Disallow 3rd Party Application Installs and it will effectively wipe any 3rd party app that is not "Allowed".
You can add all of the standard apps to all app configurations this way and then layer on additional apps for additional users but they must have one of these configurations assigned or they'll have freedom to install anything/everything.

Groups? They stink on 4.1 and 5.0 as they aren't layered, they're simply prioritized and the best priority wins.

I am using 5.0 and I miss the old 4.1 interface terribly. I'm using Boxtone as well and at least that is helping with the transition to 5.0.

We were in a similar situation where no apps where allowed but we had to open up for some. I went through the same steps of one policy for all, one software config for all. The one thing we did differently was to set all the applications as required/wired (not wireless). Then we posted the jad files to a website and let the users install the applications they wanted from our "whitelist". Its a bit of a pain because the hash values from the BES have to match the hash values in the jad/cod, but it works great....and we don't have to worry about clobbering the BES during an application deployement.

Let me know if you want to pursue this route.