[a_kayaker]

We are currently discussing the benefits and drawbacks of allowing employees to purchase their own BlackBerries. The BB's would be allowed to connect to our BES just like our current units do.

We currently implement strict security. Our units are password protected and have a timeout configured. They also lock when holstered and have 3rd party apps disabled. Our BlackBerries are used for phone, email and internet. We are just starting to branch out into installing 3rd party apps, Google maps etc.

I also want to ask what kind of support do you offer the clients? We offer the platinum BB support here. Complete with hand holding and caressing. We are taking steps to phase that kind of support out and move to a internally hosted collection of training videos. We would like for our clients to become more self sufficient when it comes to training and support.

So, what do you do and how do you do it. What are some of the benefits and what are some of the drawbacks? What kind of security do you implement? How do your clients get their personal devices on the BES. Is it a bad idea?

Paint me a picture of your environment.

Thanks!

[knottyrope]

Been talked about before.

http://www.blackberryforums.com/bes-...d-devices.html

[a_kayaker]

Quote:

Originally Posted by knottyrope

Been talked about before.

http://www.blackberryforums.com/bes-...d-devices.html

Very nice. Thank you very much!

[Dubdub]

Personally, I wouldn't put my own device on a company BES. Too many things can be locked out and nothing is personal on a device connected to BES.

Just my opinion.

[CanuckBB]

You will thread into murky legal territory.

How do you ensure that corporate info and data is completely wipped from the device without wipping out the user's personal device? After all, it's his device.

Best not go down that road.

The best compromise I would come up with would be that I'll buy the device and the user can pay for the service. That way, it's my device.

[penguin3107]

Quote:

Originally Posted by Dubdub

and nothing is personal on a device connected to BES.

I really dislike blanket statements like this, especially when they're incorrect.

[El Josh]

well we allow it, under the assumption that you pay for the service, as our corporate accounts only gets used by VIPs...

[Dubdub]

Quote:

Originally Posted by penguin3107

I really dislike blanket statements like this, especially when they're incorrect.

One must assume that there is nothing personal on a device connected to BES.

Every BES Admin that I have talked with has a different opinion on what can and cannot be seen. Some say only corporate stuff and phone logs. Others say IMs, SMS, all email, etc. etc. And others say something in between. So it is really tough to get a straight answer as to what is and what isn't visible if the company wants to see it. Very few can agree on what is and isn't viewable or trackable.

Therefore, that is why I say what I did. If you intend for the info, email SMS, IMs, etc. to be private, then keep them off of BES. That way you are safe.

[knottyrope]

this makes for a good read
http://www.blackberryforums.com/bes-...ed-logged.html

[penguin3107]

Quote:

Originally Posted by Dubdub

One must assume that there is nothing personal on a device connected to BES.

If one does assume that, then they are making an incorrect assumption.

Quote:

Originally Posted by Dubdub

Every BES Admin that I have talked with has a different opinion on what can and cannot be seen. Some say only corporate stuff and phone logs. Others say IMs, SMS, all email, etc. etc. And others say something in between. So it is really tough to get a straight answer as to what is and what isn't visible if the company wants to see it. Very few can agree on what is and isn't viewable or trackable.

The perhaps you shouldn't make any statements at all, since you are merely perpetuating misinformation.
This isn't an opinion-based issue. It's a simple matter of some BES admins who know what they're talking about, and other BES admins who don't.
The ones who say "nothing is private when your device is on a BES" or "BES admins can see everything on your device" are the ones who simply don't know what they're talking about.

From the BES side, there's things that can be logged, and there's things that can't.
If you're going to make blanket statements about privacy, then that's the one you should be making.

[Jadey]

I have to agree with Penguin here. The problem is that people ask very broad questions, to which the answers are very subjective.

For example, what version of BES is being referred to? There are substantial changes between functionality between a 3.x and a 4.1.x BES.

Secondly, what is the BES config? There are certain things that CAN'T be logged. So... many BES Admins will block them. As such, they can say (correctly) that everything on THEIR BES is logged. This does not mean that a BES is capable of logging everything on a BB if the admin wants it to.

There are known limitations with logging of BlackBerry components, for example BlackBerry Messenger http://www.blackberryforums.com/bes-...ersations.html. Then we can make things more complicated - when someone says "Can BES log IM?" do you mean the half-baked solution in the link posted above? Or are people referring to their corporate IM application (for me, my SameTime server logs chats. Nothing to do with "BES" per se, I have yet to find an option in my BES to log SameTime. So yes I log SameTime chats held via BES, but I don't log them via BES. The end result is the same for the user, I log your chats, but the method is technically very different, it is native sametime logging and not BES logging). Or are people referring to IM meaning GoogleTalk, or AIM or something else?

Basically, when someone asks "can my BES Admin see this?" the only real answer is "send me a copy of your BES config and I will let you know" - apart from that, it is guestimation using the information available.


However, as the OP did not ASK about BES logging or what it is capable of, this thread is skewering off direction.
So I would refer the OP back to the original link posted by Knotty, and throw my 2p in:

I prefer NOT to allow personal devices. This is because personally, I find that users who have had an "unrestricted" BB who suddenly get EA'd and inherit my policies are not happy. This leads to endless circular conversations along the lines of:

User "My BB won't do half the stuff it used to"
Me "No, well, your BB is restricted by IT Policy now"
User "But it is MY BB"
Me "And it is on a corporate BES with a corporate security policy"
User "Can you change the policy?"
Me "No"
User "But it is MY blackberry. I want to be able to use Google Mail"
Me "No"
etc

It is also a pain to remove corporate IT policy from device, and/or clear corporate data when the user leaves, or not to have control over the account the device is on (BES data plan necessary, users will just turn this off and wonder why the BB "stopped working") etc.

I have a gazillion reasons to disallow personal devices. Almost all of them come down to expected levels of support, unrealistic user expectations of what the IT policy means in reality, and an unrealistic meeting of corporate and personal ideas of security.

I am lucky that I work for a company who believe that if a user needs a BB, we will spend the money and get one. Owned by company. Managed by company. Controlled by company. It really is a LOT easier.
I appreciate that not all BES Admins have this luxury.

[aglenn]

We dont allow personal bbs to be used.. if it's not my device i have no legal right to wipe it if someone decides to walk away.

[penguin3107]

Quote:

Originally Posted by aglenn

if it's not my device i have no legal right to wipe it if someone decides to walk away.

Actually, that's not true at all.
Your company owns the data on that device, and you have every right to protect your company assets.
This is one reason why the 'Erase Data & Disable Handheld' feature exists.

[djm2]

Quote:

Originally Posted by Jadey

I have to agree with Penguin here. The problem is that people ask very broad questions, to which the answers are very subjective.

For example, what version of BES is being referred to? There are substantial changes between functionality between a 3.x and a 4.1.x BES.

Secondly, what is the BES config? There are certain things that CAN'T be logged. So... many BES Admins will block them. As such, they can say (correctly) that everything on THEIR BES is logged. This does not mean that a BES is capable of logging everything on a BB if the admin wants it to.

There are known limitations with logging of BlackBerry components, for example BlackBerry Messenger http://www.blackberryforums.com/bes-...ersations.html. Then we can make things more complicated - when someone says "Can BES log IM?" do you mean the half-baked solution in the link posted above? Or are people referring to their corporate IM application (for me, my SameTime server logs chats. Nothing to do with "BES" per se, I have yet to find an option in my BES to log SameTime. So yes I log SameTime chats held via BES, but I don't log them via BES. The end result is the same for the user, I log your chats, but the method is technically very different, it is native sametime logging and not BES logging). Or are people referring to IM meaning GoogleTalk, or AIM or something else?

Basically, when someone asks "can my BES Admin see this?" the only real answer is "send me a copy of your BES config and I will let you know" - apart from that, it is guestimation using the information available.


However, as the OP did not ASK about BES logging or what it is capable of, this thread is skewering off direction.
So I would refer the OP back to the original link posted by Knotty, and throw my 2p in:

I prefer NOT to allow personal devices. This is because personally, I find that users who have had an "unrestricted" BB who suddenly get EA'd and inherit my policies are not happy. This leads to endless circular conversations along the lines of:

User "My BB won't do half the stuff it used to"
Me "No, well, your BB is restricted by IT Policy now"
User "But it is MY BB"
Me "And it is on a corporate BES with a corporate security policy"
User "Can you change the policy?"
Me "No"
User "But it is MY blackberry. I want to be able to use Google Mail"
Me "No"
etc

It is also a pain to remove corporate IT policy from device, and/or clear corporate data when the user leaves, or not to have control over the account the device is on (BES data plan necessary, users will just turn this off and wonder why the BB "stopped working") etc.

I have a gazillion reasons to disallow personal devices. Almost all of them come down to expected levels of support, unrealistic user expectations of what the IT policy means in reality, and an unrealistic meeting of corporate and personal ideas of security.

I am lucky that I work for a company who believe that if a user needs a BB, we will spend the money and get one. Owned by company. Managed by company. Controlled by company. It really is a LOT easier.
I appreciate that not all BES Admins have this luxury.

Thank you. This is perhaps the best explanation that I have seen on this subject.

[b52junebug]

Quote:

Originally Posted by djm2

Thank you. This is perhaps the best explanation that I have seen on this subject.

Here here.. I can sympathize with this last entry.. We have a shop of personally owned devices. Some of which the company pays the service for, but charges back the taxes. This is because we are non-profit company. But the device was paid for by the employee.

Because of this, it has also prompted people to object to the simplist of password policy. We just require the minimum 4 length pw, time out set to 20 min.. etc..

The complaint is that it is too hard to put in a 4 letter pw everytime they have to access data. WAAAAA.. it makes me very angry to think that we have information on these devices that makes our company vulnerable, and the users cant stand to be inconvienced by a 4 letter pw. I mean give me a break. The other thing that has happened is that if you have to do any work on the devices, do you dictate what version of the software they run? Do you update everyone, or let them update themselves? Oh and if you do have to wipe the device and reactivate, you will have some user who is devistated because you cant restore text messages, because their device was messed up.

I have worked in several environments, and I would love to be back in a company owned BB environ, not this every man for himself deal. That way we have the ability to lock down information and ensure the security of our company data. We have had too many breachs already and we are just getting our feet wet.

[Aroc]

The support costs for user-owned equipment is generally higher than that of corporate owned gear, mainly due to handware, software, and other differences in standardizations (or lack there of).

We do support a few user-owned devices. Not all of them are reimbused for service changes (from the carrier) but some are. All get the same IT Policy. The device gets wiped when they leave. They don't get treated any different than employees with company-owned devices, and I still reserve the privilege to remove any programs I need to (including BIS service books, if need be) in order to maintain the healthy functionality of the device. In some cases (if HR and corporate agree) we will provide their Address Book or other personal information on CD/DVD so they can import it at their next job. But that's someone else's call. Just like integrating a personal device with our BES is someone else's call.

[wunderbar]

we used to allow it, but no more.

My personal opinion is that the user should get to pick their device, but while they work for the company it is a company owned device. If they decide to leave the company they should have the option of buying the device from the company if they want to continue to use it, but the device is wiped clean before that transaction is complete. We don't do that here, but it's an endgame I'm working towards.

[joeygator]

Quote:

Originally Posted by penguin3107

Actually, that's not true at all.
Your company owns the data on that device, and you have every right to protect your company assets.
This is one reason why the 'Erase Data & Disable Handheld' feature exists.

I'm no BES admin but two thoughts:

1. If the end user owns the device and has personal data on it that you wipe, aren't you in some legal issue as the admin/employer if you have not permitted the backup of the personal data?

2. The discussion about privacy is a mute point for me as an end user. If I am using a corporate device, for all practical purposes, I should assume my employer can see everything. Even if they can't, it is their device and I should be prepared for that. Isn't that the way we all view desktop email? And even if it is my device, be cautious. I don't want to lose a job because of something stupid and I doubt anyone else does. So while technically there may be details and an employer can't see on my device, I would err on the side of caution!!

[michaelalanjones]

This is precisely why I did not go on my company's BES. I bought my Bold, and I pay the monthly bill. The company that I work for is like the military, and they are extremely big-brother-ish. If given the chance, they would log all my activities on my Bold, I know it.

If I was one of a_kayaker's employees, I would tell him, that is fine, but I want a contract that says what will and will not be logged. If it is acceptable, I would sign it, and then get the BlackBerry, and if not, I would not get the BlackBerry on their BES.

That's only fair. If the company doesn't want to state on paper what will be logged, they what are they hiding? If they don't plan to log user data, they should put that in the contract. If they fire someone later for a private email where Suzie tells Bob that "Cindy is a bee-yotch", I would produce that contract, and say, "Oh, I am sorry, we have to go to court."

[rsk]

Quote:

Originally Posted by michaelalanjones

This is precisely why I did not go on my company's BES. I bought my Bold, and I pay the monthly bill. The company that I work for is like the military, and they are extremely big-brother-ish. If given the chance, they would log all my activities on my Bold, I know it.

If I was one of a_kayaker's employees, I would tell him, that is fine, but I want a contract that says what will and will not be logged. If it is acceptable, I would sign it, and then get the BlackBerry, and if not, I would not get the BlackBerry on their BES.

That's only fair. If the company doesn't want to state on paper what will be logged, they what are they hiding? If they don't plan to log user data, they should put that in the contract. If they fire someone later for a private email where Suzie tells Bob that "Cindy is a bee-yotch", I would produce that contract, and say, "Oh, I am sorry, we have to go to court."

bwhaaa haaa haaa, good luck with that, using company infrustructure to send personal messages is pretty stupid to begin with, but demanding a contract is just about the funniest thing I have ever heard. Most places have blanket policies in place that state they reserve the right to monitor any or all electronic communications. why would you have any expectation of privacy using company provided hardware or infrustructure ? if your job requires you to carry a BB for any reason then you carry one, or they find someone else to do your job who will carry one and not be such a pompous ass about it.

it's business, it's not about being fair.