View Single Post
  #27 (permalink)  
Old 03-05-2013, 11:16 AM
rcastle2 rcastle2 is offline
BES Activated
Join Date: Mar 2013
Location: Florida
Posts: 1

Originally Posted by Joolie View Post
You've seen or heard the question [probably] countless times:

"What can my BES administrator see on my personal device if I connect it to the BES?"

Since this question gets asked frequently, by both end users and administrators, I thought it would be good to include a comprehensive list of what the BES does/can log and what can actually be seen by a BES/Email administrator.

The BES can 'see' most things, although to be fair most of the data isn't actually stored on the BES, it's actually on the mail servers. That is, if I want/need to see someone's actual corporate email, that would be accessed from the mail server, not the BES.

What syncs/is stored/is accessed by the BES includes:
  • Corporate email
  • Corporate calendar
  • Corporate PIM data: Address book, memo pad, tasks
  • Browser bookmarks
  • Browser site history: Via the BlackBerry Browser
  • Password Keeper data: Although this cannot be accessed in any way, even when restored to another device, without the PK password
  • PIN messaging data: Including the actual message sent/received; logging turned off by default
  • Phone call data: Date/time of call, number called/received, length of call; logging turned on by default
  • Text message data: Including the actual verbage of the text message; logging turned off by default
  • MMS message text: Can view the actual verbage included, but not any photos sent
  • Blackberry Messenger data: Prior to BES 5.0 SP1, this one is extremely klunky to get and I don't know a single BES Admin that turns this one on. With the release of SP1 for BES 5.0, logging BBM data is done the same as PIN, phone call, and text message logging, so I expect more companies will be using this feature.
  • All applications installed on the device: Games, stock apps, etc.
  • OS version installed on the device: So we'll know if you upgraded to a beta OS!)
In addition anything that is a part of automatic wireless backup could *technically* be viewed by performing a restore to a new device.

What a BES Admin can't see:
  • BIS email messages (I *might* be able to see what service books you have, but cannot read the messages)
  • Browser site history (via internet/WAP Browser)
  • 3rd party IM messages (Yahoo!, MSN, etc), although I can see which of these applications you have installed.
  • BlackBerry Messenger contact names/PINs
What else should you consider?
If you are thinking about connecting your personal device to a corporate BES, you should also find out what sort of security policies your device will be subjected to. Every device on a BES has an IT Policy assigned to it (even if it's the 'Default' policy) which can allow/restrict certain functions. You'll want to find out things like:
  • Will a password be enforced?
  • If there will be a password, what is the maximum timeout and password criteria (length, strength, etc)
  • How often do you have to change the password and can you re-use old passwords?
  • Will the device lock upon holstering?
  • Will you be allowed to download 3rd party applications?
  • Will SMS/MMS messages be allowed or blocked?
  • Will your memory card be encrypted? If so, how?
  • Will the camera be allowed or blocked?
  • Will personal (BIS) email be restricted (i.e., you may be able to receive your BIS email, but you cannot send as the BIS account from the device)
There are quite a few other features that can be controlled, but the ones above are the most common. Best to find out what you're getting yourself into BEFORE you find out you suddenly can't do something you wanted to do.

Note: This post was written with 4.1.6 in mind (which is what I'm currently running), but hdawg confirmed that it also applies to 5.0 (so far anyway). This sticky will be updated as needed when any of these logging functionalites are updated on the BES.
I was under the impression that Blackberry PIN messages were encrypted and cant be read. I also thought PIN messages bypassed Enterprise servers and were sent direct device to device. Can anyone confirm this?
Reply With Quote