OK. I know this has been beaten to death way too many times elsewhere, but I like beatings.

For those of you who do allow personal BlackBerry handhelds on your BES, I have some questions pertaining to security, licensing, support, and policy. If you prefer to PM me instead, please do.

Some companies are much more locked down than others, so I hope to get a wide range of responses. I have a genuine interest in educating myself and others on the many different courses people take in supporting personal BlackBerry devices. If you want to provide more than what I am requesting, please feel free.

If you want to provide your industry and number of BES users, you may do so, but that's not what my goal is. My questions are:

1. Do your personal devices have different IT Policies than corporate owned (if applicable)?

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.)

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number)

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices)

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question?

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)?

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure?

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"?

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver?

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device?

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data?

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies?



Sorry for the large number of questions and I thank you ahead of time for those willing to respond.

Aswers in bold


1. Do you personal devices different IT Policies than corporate owned (if applicable)? NO

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) NO

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) No pass here

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices)
none
5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? support it and even upgrade the OS.

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)? on their own and we allow apps

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure? absorb it and make them pay for data plans unless in sales

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"? buy as needed at 5 ata atime
9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver? depends on person, salesmen get a wipe though

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device? I do it all. see 9

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data? secure is not needed here, default wipe on active sync devices suffice for us

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies? will have to see if we get it

__________________
------------------------------------------------------

Torch 9800 on BES 4.1.6 MR7, Exchange 2003, SQL 2005.
WES 2009-2010 Survivor

1. Do you personal devices different IT Policies than corporate owned (if applicable)?
Not currently but looking it it.

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.).
Yes, they are grouped but that is all. Group will leveraged if different policies are implementated.

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number).
No. Password is required. Min 4 characters w/o complexity requirements.

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices)
No.

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question?
OS upgrades are performed on a break/fix basis. Support is for provided for anything short of how to/instructional. Customer is directed to the user manual or other training materials for questions of device usage.

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)?
No decisions made yet. Applications are not allowed to be installed. Just about to push our first major application soon.

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure?
Yes, one time license fee + monthly usage fee.

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"?
Enterprise license. True up once a year.

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver?
All company owned devices are supposed to be recovered. But I don't know specifics.

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device?
Kill pill is sent anytime an account is removed from BES server.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data?
Only BlackBerry devices are allowed.

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies?
Probably, but have not explored anything yet.

I believe that it may be helpful in knowing whether or not someone allows personal devices on their BES environment. So with that said, we don't allow them.

__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

I might as well provide my own answers:

1. Do your personal devices have different IT Policies than corporate owned (if applicable)? No

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) No, but considering separate groups for identification only. It might help during troubleshooting in events that data plan or hardware issues arise.

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) No, it is slightly shorter (6) and we are not requiring a BB reset after x days and do not require a password different fro mthe last x.

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices) Not yet. This is in the planning stages and will be done. I want to talk to people at WES about their experiences. I have concerns about enabling this while a password policy is in place, which might confuse users, how a device password change effects the CP password (whether by user or by BB Manager), and most importantly, support. If we encrypt media cards on personal devices, how do we (if possible) handle recovery? Device switches?

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? Right now, local desktop support is trained on how to backup and upgrade a device's OS. We are trying to proactively update non-4.5 OS's so everyone can benefit from those features. Looking into the distant future, we will likely leave much of this up to the user. We will support the BES integration functionality of the device and diagnose issues. Actual fixes and upgrades (personal app and data backup) will be the responsibility of the device owner.

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)?

None. They are allowed. Backing up and purchased applications from App World or other vendors are the responsibility of the device owner.

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure?

Currently, their sponsored department is charged back a monthly fee. We will be changing this model in the summer, bringing all costs of the BES into general Infrastructure costs. The feeling is that we have driven some users who want the BES service away because of the monthly fee. Some departments are not willing to sponsor someone, others will not spend the time with user to setup a payment plan to reimburse the monthly fee, and some users are not willing to pay their department back for yet another cost. It's bad enough that so many balk at the requirement of a more expensive Enterprise Data plan.

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"?

We try to always have a 10 license cushion.

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver?

We don't. We can issue the kill command, but if the device can't receive it, they still have the data. I posed this question to see whether or not anyone has had this happen. It is theoretical. Since a device would not be turned in and they walk out the door, if a wipe fails, I assume almost everyone's corporate policy covers data that walks out the door on someone's personal device.

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device?

I maintain several systems, so I am notified someone separates from the company. We wipe the device, wait for the acknowledgment, then remove from BES. If it fails, we alert the local support personnel to take it from there to work on obtaining the device and wiping it.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data?

Sadly, we do not. Because of this, we are looking at bringing up MDM as well.

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies?

I really do not have an answer other than the full utilization of the Web Admin interface and roles, so more people can utilize some of the features and many levels - setting Activation Passwords, issuing kill commands, resetting device passwords etc.

No, it's not helpful, because you are the ones who have it easy. Personal devices are hell.

I have some environments I work with that don't allow personal devices, but I picked one I work with everyday.

1. Do your personal devices have different IT Policies than corporate owned (if applicable)? No

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) No

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) Yes

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices)

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? We deal with BES issues, any email related issues, we do not deal with device issues

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)? None as of yet, we'll see though

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure? This enviroment charge, but I've seen it go either way.

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"? This is really hard to answer, I work for a company that hosts the BES, so we know well ahead if someone will need CAL.

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver? None, stupid huh? we've had many cases where a user has walked away, kept the data plan on the device, and we have wiped the device even though they were no longer with the company. Some companies have private agreements with users, I have no seen them only heard of them though.

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device? We wipe the device and confirm that it has been wiped, if we are unable to wipe we notify the company.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data? BES only, but I agree I often wonder this.

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies? Hmm... none really, I've been using BES 5 for about 6 months now, and I can't see how it would change policies, but I just do the BES hosting piece

__________________
MCSA 2003 +M MCITP | EMA
Who cares, RIM will just change how they do Cert's again

We do not allow them. That being said I will answer as we have discussed at my work:

1. Do your personal devices have different IT Policies than corporate owned (if applicable)? NO, they still access our network

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) They would be in their own group and monitored more than non-personal devices

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) Yes the policy is the same. 6 characters+, complex with a recommendation of 15+

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices) Yes content protection is enabled. All devices are upgraded to 4.5+ to allow for resetting of passwords from BES 4.1.6. Broken devices would be the responsibility of the owner, even if broken during work hours

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? Upgrades are done by IT to keep the devices in line with other corporate devices

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)? Blocked, no exceptions

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure? Users would not pay for licenses as they would be kept by the command if the user transfers/leaves for any reason

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"? We keep an extra set of licenses equal to the number of active CALs on a second active server for failover if necessary. This may change with BES 5.0

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver? No user would do this, it would be a Federal Offense and the issue would be taken very seriously

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device? The device will be wiped by IT. Personal data is included in the wipe.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data? We do not support devices other than BlackBerrys

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies? NO

__________________

I'm simple,

Yes we allow them, No I don't support them.

Policy is based on what rank you are in the company.

I do as I want with the BES and policies so depending on where the person ranks, (EX: CEO, President, etc) is what policy they get before my head get's ripped off.

I kill them before they know they are being let go from the company 99% of the time and since they all love me, (stop laughing) I just tell them I need to install a patch and then I do a backup of their device including the SD card before I turn them into bricks, which normally happens right before they are called into the meeting with HR so they don't have a problem with me having their BB during that time, it's after they are let go and see their device is wiped clean that they have a problem but by then they are out the door.

__________________
audit

1. Do your personal devices have different IT Policies than corporate owned (if applicable)? We did when we first implemented BES, but we don't anymore. There are still a few people that are 'grandfathered' in as users

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) Nope. They all get the same policy, even the one that blocks text messages. Mainly because they all expense their devices/bills so technically it's company 'owned' anyway

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) Ours is different. Corp. PC pwd policy is 8 character min with 2 of 3: 1 alpha, 1 uppercase, and/or 1 special character. BB pwd is 6 character min, with 1 alpha & 1 letter

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices) No

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? Yes, if I like them . I usually don't draw the line and will help everyone if I can. If there is something that their carrier has to fix, I will explain it to them so they understand why I cannot help.

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)? Haven't done anything for AppWorld yet. Mainly because it requires Paypal to buy stuff, which to me means the app cost won't wind up on the corporate invoice

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure? We did not, and now don't have to worry about it.

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"? See previous answer

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver? None, other than sending a 'kill' command to the device.

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device? I wish we had something like this. I usually am not notified of 'separations' until someone is gone for a day or more.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data? We are just starting a pilot (sort of) for iPhones - and I am the lucky IT person responsible for them. I am clueless so far.....

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies? I guess it will depend on what type of policy changes 5.0 includes. Sometimes it's just fun to mess with users

__________________
You may know me as Juwaack68

Financial Services F100 company

1. Do your personal devices have different IT Policies than corporate owned (if applicable)? Presently we do not allow personal liable devices. We continue to look at it.

2. Do you manage them differently in any other way (identify by group membership, assign different policies, etc.) I do have a group setup in the event we ever have to allow these devices and likely would have a seperate IT policy that allows application download, appworld.

3. Is your password policy in line with corporate policy for devices? (ex. Corporate systems - minimum 8 characters with a letter and a number, plus upper and lowercase for corporate vs. BB Policy that requires 6 characters and at least one letter and one number) We mirror the time out policy (30 mins) but are not mirroring the every 3 month required change.

4. Do you enable Content Protection over the device? Over media cards too?
How do you combat content protection issues, especially on a personal device? (This could include out of sync/forgotten passwords and/or broken devices) Device level - no. Encryption on media card set to match password. Personal liable will be a challenge as we already get people asking about moving photos taken with camera capable devices.

5. Do you provide IT Support for OS upgrades if they have issues or force them to go to their provider? Where do you draw the line of support for them for any type of support question? Depends on how busy we are but am hoping this gets more streamlined as it's very hands on right not. BlackBerry - Update your Device Software, BES OS push are a good start to get a total management solution around this.

6. App World - What policy changes have you decided to make (if any) on allowing them access? How about supporting the apps on the device? (not from answering questions, but from a wiping a device standpoint, backup, transferring to a new device)? Appworld is presently blocked on corporate owned devices. Users that install 3rd party apps and report issues we usually wipe the device clean and reactivate when troubleshooting.

7. Do you make the personal device users pay for licenses they consume (charge one time or monthly fee) or absorb it into your infrastructure? Major sticking point in allowing personal liable. Thoughts are a one time fee to cover CAL and maintenance.

8. If the costs are absorbed, how do you plan for the "unknown", such as how many licenses do you need vs. having a cushion "just in case"? We are now in Enterprice CAL so we only true up what is used. Easier to manage but painful to pay.

9. What protections do you have in place in the event someone with a personal device just walks out one day with the company data on it and your opportunity to wipe the device is lost (maybe they are smart enough to cancel service or kill the antenna)? A liability waiver? Other then erase handhelp this would be a matter for your security department.

10. If a user separates from your company, do you have policies within HR or IT Security to wipe the device or are there desktop support guys on foot who also have a shared responsibility to be notified and can personally remove the data from the device? Device would be collected and eventually find it's way to me if company liable. Now this brings the question on termination on how to proof to security / HR who own the device or not. My guess is they would keep the device until determined as there is likely discovery occuring over abrupt termination.

11. If you also support other mobile devices like iPhones or Windows Mobile (Exchange environments), but use the built in Active Sync tools instead of MDM, how do you handle those devices differently without the management capabilities? Do you have users sign a waiver that they are knowingly using a less secure platform to handle company data? Major pain but across iPhone / WM we have remote wipe capabilities.

12. Looking ahead to BES 5.0, what do you foresee having to change in your policies? Not much. Excited to be able to make a custom role so users can have access to things and I can lock down other things as the present profiles have features I'd rather not let people have.

__________________

We do not allow personal BlackBerrys on our network.
We do allow personal iPhones on our network.

seems kind of backwards....

__________________

Consumers go out and buy iPhones. Many more than the number that buy BlackBerrys for personal use. We lock down the iPhone; people can use them to get their mail, and most of them get bored with the iPhone and return it anyway and ask for their BB back.

I see. Our infosec department wont allow them just not secure enough

__________________