Review: RIM’s BlackBerry Enterprise Server Express
Enterprises can use BESX to help bring the entire mobile device fleet into compliance with regulations that affect the business
Familiar Architecture and Management
Anyone who has experience with BES 5.0 will be instantly familiar with both the architecture and the day-to-day management of BESX. For management, BESX employs a carbon copy of BES 5.0’s web-based BAS (BlackBerry Administration Service). BESX also includes the BlackBerry Attachment Service (which converts supported attachments for viewing on devices), the BlackBerry MDS Connection Service (which facilitates access to online content and applications) and the BlackBerry Router. I installed each of these units on a single server, but the components can be split out to multiple servers for additional performance.
BESX does lack BES 5.0’s high-availability clustering capabilities, and it doesn’t integrate with the BlackBerry Mobile Voice System or Microsoft Office Communicator. And, by my count, BESX offers only 38 IT control policies (along with 26 application control policies) to govern attached devices, compared with the more than 450 policies available through BES.
Using BESX, I was able to easily create an IT policy that required a device password with an enforced complexity policy, disabled MMS (Multimedia Messaging Service) while keeping SMS (Short Message Service) enabled, disabled the device video camera while permitting still photos and required on-device encryption. As with BES 5.0, with BESX I could set up a Wi-Fi policy that specifies network name, wireless security type and a preshared key (or certificates if needed), but those are set up and enforced via a separate policy.
A full list of BESX control policies can be found online in the Policy Reference Guide.
Shared applications
BESX also can be used to deploy and configure Java applications for BlackBerry devices in the field. Administrators can publish applications to a share on a protected network and add them to the BAS application repository, then create an application control policy to dictate the network connections, device features and APIs to which an application has access on the device. Administrators can also centrally permit or deny users the ability to add untrusted applications on their own and can define a policy to govern application control for those applications in bulk.
IT and application control policies (and application distribution policies) can be applied directly to individual user accounts or to groups of users defined within BESX. This allows an administrator to craft different policies depending on the user’s role within the company or other factors. As with BES 5.0, BESX pings the Windows Active Directory daily to automatically pull a list of users that can be added by an administrator to the BlackBerry domain, but BlackBerry groups must be created within BAS (not using existing Active Directory structures).
Again like BES 5.0, BESX comes with predefined administrative groups with differing levels of access, oversight and control over the BESX system. In tests, this allowed me to easily grant a different level of control to front-line help desk workers than I would to data centre engineers. And I could either use existing Active Directory credentials to log on to BAS, or I could create distinct administrative accounts local to the BESX system.
When used with BlackBerrys running 5.x versions of the mobile operating system, BESX can also parse connections to protected file shares, allowing users to remotely access their data while on the road without needing a separate VPN. BESX also provides a much more usable interaction with Exchange than would otherwise be possible when provisioned for BIS through the mobile operator—wirelessly synchronising Outlook and Exchange contact and calendar data in addition to email. Plus, 5.0 OS clients can also manipulate Exchange folder structures from the device.
In tests, security features such as device lock, password reset and remote wipe worked as expected, with the events triggering correctly on powered-on, network-connected devices within a minute after the command was issued from within BAS.