1) Do a double check on one of the handhelds that 2.3 patch manager is actually applied...it should have resolved a lot of the 0x87 and 0x88 errors.
2) In your software config you have the "Application Software" heading, then you can expand that to show all the apps you are pushing. Right at the "Application Software" heading, change the Application Control Policy to be <none>, then assign an Application Control Policy to the actual DST 2007 entry you have listed below. In that Application Control Policy look at the "External Network Connections" and set it to Allow (not the default Prompt) and change the Disposition to Optional (i'm assuming it's at required right now)
There are two different things you can test to rule in/out MDS or App Push. Complete application loader (erasing all currently installed applications) then manually downloading the patch manager from the web site before activating it. This should work 100%. Next test is with one of the ones getting the 0x88 and 0x87 error, delete the Desktop [IPPP] service book and pull the battery for 10 seconds. when it boots back up, it should no longer see the MDS connection and therefore default to another IPPP connection or the WAP browser. If this works, tells you that the Patch Manager is not properly failing over to the next transport like it should, and 2.3 was supposed to fix this. If this handheld now get's the 0x8D error, then you probably have the app control policy set at the application software level instead of the DST Patch level. You can confirm/deny that this is causing the error by app loading a handheld to remove the patch manager, re-activating on the BES, but do not have the user assigned to the software config. Go to the web site and download manually...should work perfectly
Zro