I saw Kyle post this over at BlackBerryCool.com. It’s interesting to see this pop up, because in most circumstances, with a reasonably large budget, it is both possible and feasible for a government with control of a telco to do this itself.
Every BlackBerry device that leaves the factory is loaded with what’s called a peer-to-peer encryption key. This key is identical across every BlackBerry device ever shipped, and it is what "encrypts" PIN messages between devices. If the keys were different, a recipient device would not be able to decrypt the sender’s PIN message; because the key is the same everywhere, the scheme offers only a limited amount of protection. PIN messages do not travel over the wire in plain text, but the packets can still be intercepted by the carrier, and since every handset carries the same key, anyone who extracts it from one device can decrypt traffic from all of them. With some smarts on the backend the messages could be decrypted automatically as they pass through the telco layer. See the extract from KB10498 below.
During the manufacturing process, Research In Motion® (RIM®) loads a common peer-to-peer encryption key onto BlackBerry smartphones. Although the BlackBerry smartphone uses the peer-to-peer encryption key with Triple Data Encryption Standard (Triple DES) to encrypt personal identification number (PIN) messages, every BlackBerry smartphone can decrypt every PIN message that it receives because each BlackBerry smartphone stores the same peer-to-peer encryption key. PIN message encryption does not prevent a BlackBerry smartphone other than the intended recipient from decrypting the PIN message. Therefore, consider PIN messages as scrambled, but not encrypted.
So please don’t automatically assume that your PIN messaging (including BBIM) is encrypted and secure by default. The only mitigation is to have a BlackBerry administrator set a private peer-to-peer encryption key, which enables secure PIN/BBIM messaging between all users on a particular BlackBerry domain (BES). Note the flip side: once your domain uses a private key, your users’ PIN messages can no longer be read by devices outside the domain that still carry the factory key, and vice versa. Please see the following KBs for more information.
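Here is an added example (my own, not RIM’s code) that models the situation in Python: a fleet of devices that all share one factory key, a carrier that reads every message because it holds the same key, and a domain whose administrator has set a private key. Python’s standard library has no Triple DES, so a keyed HMAC-SHA256 keystream in counter mode stands in for it, with an HMAC tag so that a wrong key is detected rather than producing garbage. The key bytes, PINs and message text are constructed for the demo.

```python
"""Model of PIN-message encryption with a factory-common key versus a private
per-domain key. Added example, not RIM code. The cipher is a stand-in for
Triple DES; the property shown (whoever holds the key reads the message)
does not depend on the cipher."""
import hashlib
import hmac
import os

# Constructed stand-in for the common key RIM loads at the factory (the real
# value is not public, and its actual value is irrelevant to the demo).
COMMON_PEER_KEY = b"factory-common-key-24byt"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for 3DES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_pin_message(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag lets a receiver detect a wrong key."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_pin_message(key: bytes, blob: bytes):
    """Return the plaintext, or None if this key cannot authenticate the message."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Device:
    """A handset: factory key by default, or the private key pushed by its BES."""

    def __init__(self, pin: str, domain_key: bytes = None):
        self.pin = pin  # constructed 8-hex-digit PIN, for display only
        self.key = domain_key if domain_key is not None else COMMON_PEER_KEY

    def send(self, text: str) -> bytes:
        return encrypt_pin_message(self.key, text.encode())

    def receive(self, blob: bytes):
        plaintext = decrypt_pin_message(self.key, blob)
        return None if plaintext is None else plaintext.decode()


def carrier_intercept(blob: bytes):
    """The telco needs no secret of its own: the factory key is in every handset."""
    plaintext = decrypt_pin_message(COMMON_PEER_KEY, blob)
    return None if plaintext is None else plaintext.decode()


def demo():
    """Returns (default_results, private_key_results) for the two scenarios."""
    # Scenario 1: factory defaults. The recipient reads it, and so does the carrier.
    alice, bob = Device("2100000A"), Device("2100000B")
    blob = alice.send("board meeting moved to 9am")
    default = (bob.receive(blob), carrier_intercept(blob))

    # Scenario 2: the BES administrator has set a private peer-to-peer key.
    domain_key = os.urandom(24)
    carol, dave = Device("2100000C", domain_key), Device("2100000D", domain_key)
    outsider = Device("2100000E")  # someone else's BlackBerry, still on the factory key
    blob = carol.send("board meeting moved to 9am")
    private = (dave.receive(blob), carrier_intercept(blob), outsider.receive(blob))
    return default, private


if __name__ == "__main__":
    print(demo())
```

In the first scenario both the intended recipient and the carrier recover the text; in the second only the device holding the domain key does, and the carrier and the outside device get nothing, which is exactly the trade-off of setting a private key.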
The WordPress for BlackBerry application has reached a 1.0 release and is available in BlackBerry App World. Posting from it now. Very cool! You can have multiple blogs, upload media, set categories and tags, choose to draft or publish, and more. Quite impressed!
I woke up this morning to a rather pleasant surprise, pictured above.
I am currently checking with my Vodafone account managers to see if they have finally launched their long-awaited upgrade to their existing GPRS network.
If this is indeed the case, it will be appreciated by many people with 2G handsets, and also by people like me who have a 3G handset but prefer to use 2G for its far better battery life!
For those that don’t know, AAPT use the Vodafone network.
UPDATE 1: I live in Wollongong and travel to Sydney for work, and I lost the EDGE signal just past Thirroul. It was only GPRS from Waterfall to Sydney. In the Sydney CBD I am only getting GPRS.
UPDATE 2: I have confirmed with a friend of mine who also lives in Wollongong that he is also using EDGE. He quotes “It’s solid, latency is not high. Seems to be perfect for mobile devices. It’s as good as it was in Singapore and Hong Kong when I was there last”.
UPDATE 3: It looks like this is going to be slowly made available in regional areas. No EDGE in the city, as far as we know.
Was it just me, or did anyone else think “Wow, those guys should really be using two factor authentication” at the start of the book/movie?
For those of you that haven’t seen it or read the book, the opening scene begins with a guy breaking into an area that is secured by a retina scan (eye scan) system. This guy gets in by killing and then ripping the eye out of a doctor who has access to the system, and using that to enter the secured area. Yeah a bit gross and extreme, but a valid lesson can be learnt here.
The ever-increasing investment in authentication technology such as reliable and accurate retina and fingerprint authentication can make IT departments forget the importance of two-factor authentication. Some places I have worked in previously only required one form of authentication, “something you are”, such as a retina scan or a fingerprint reader. This really doesn’t cut it: a biometric can be copied or, as in the film, taken by force, and unlike a password or token it cannot be revoked and reissued once compromised. For places like banks and other financial institutions there should definitely be more consideration of these matters, especially given how easy it is to fake a fingerprint (a quick Google search reveals several guides on how this can be done).
In this Dan Brown example, an additional factor such as a 6-digit PIN code would make the attack much harder. Even if the burglar tortured the doctor into revealing the PIN, the PIN could be changed the moment the body was discovered, which the eye cannot be, so there would still be more time to raise the alarm.
As I turned to my girlfriend in the movies, I was about to explain all of this to her. But I wisely put the geek subject aside, as I’m sure she wouldn’t appreciate me ruining another movie by pointing out a technical flaw!
I have been lucky enough to be using the BlackBerry Enterprise Server 5.0 software for the past few months. It introduces several improvements to the architecture of the BlackBerry domain, the most sought after being out-of-the-box support for high availability. It was code-named Argon, a stable gas, due to its promised reliability and solid performance. Below are some thoughts and findings from my use of the software within my test environment. Screenshots are available towards the bottom.
A big thanks to Lee Williams from Gen-i for giving me the time and resources to familiarise myself with BES 5.0, enabling me to complete this article.
If you have any questions please let me know in the comments and I will get back to you promptly.
1. New Improvements and Features
The first change you will notice is the introduction of the BlackBerry Administration Service. It replaces BlackBerry Manager and is completely web based. It takes a while to get used to for everyday tasks, and it can feel a little cramped when selecting multiple users who don’t share the same group, IT policy or software configuration. After working with the interface for some time, though, you do get used to it.
There is an API available for developers to write plugins for the BlackBerry Administration Service, so it will be relatively easy to introduce new functionality into the environment.
One of the best improvements in BES 5.0 is the more granular control admins have over role-based administrator accounts. You can add users to groups, apply multiple groups to roles, and have multiple roles apply to a single user. Additionally, you can prevent certain administrators or groups from making any changes to certain other users or groups. For example, in a 24×7 helpdesk scenario, you may not want the CEO’s account to be touched by anyone other than a few select administrators.
Users can also belong to multiple IT policies. This is quite cool; however, IT policies are applied in a hierarchical, consecutive order and are not combined or merged, so the ordering matters.
A feature that is well and truly overdue is the ability to whitelist applications. Finally! Default permissions can also be set for unknown applications. Additionally, the BlackBerry Administration Service downloads nightly builds of the device.xml file straight from RIM, so you don’t need to worry about updating it to the latest version yourself. One more cool addition to application deployment: once you add your .alx/.cod files to the appropriate directory, you no longer need to prepare them for deployment by running loader.exe /index. The BlackBerry Administration Service monitors the folders and indexes them automatically.
For those of you with high-load SQL environments, you can now limit concurrent tasks by throttling transactions across the whole BlackBerry domain, not just per BES. This helps when, for example, you change a setting in an IT policy applied to thousands of users and want to limit the resulting spike in I/O on your database.
Another extremely cool introduction is the Enterprise Transporter, used to move users between BlackBerry domains. Basically, it acts as a bridge between two BESMgmt databases that you authenticate against. It works with 4.0 SP7 and 4.1 SP6. In my lab environment I found it fairly simple to figure out and didn’t really have any problems. However, I definitely recommend careful consideration and planning when using it in a production environment; at the very least, a pilot program is a must.
2. High Availability
High availability has been available for BES Admins for some time now, through various third parties such as Neverfail and Doubletake. With BES 5.0, high availability can be enabled out of the box, for free. There is no additional cost per BlackBerry server.
There is an excellent document available called the BlackBerry Enterprise Server Planning Guide. This document goes into depth about the different features of High Availability. It’s a great read and provides some thorough insight into how the technology works. I have summarised the high availability options for the more common components here.
BlackBerry Enterprise Server
HA within BES has been designed so that even if the primary server fails, there is minimal downtime for end users’ message and data flow. High availability works by installing two BlackBerry Enterprise Server instances on two different computers, one primary and one standby.
The secondary (standby) BlackBerry Enterprise Server periodically connects to the primary BlackBerry Enterprise Server to perform health checks. These health checks are highly customisable (see the Planning Guide for more information). If the secondary server finds that the primary’s health has dropped below the configured threshold, it will try to raise its own status and take over messaging duties.
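As an added illustration (my own, not RIM’s code), the following Python model shows the standby-side logic described above: a weighted health score computed from component checks, a configurable threshold, and a requirement that the threshold be missed on several consecutive checks before the standby promotes itself, so that a single transient blip does not cause a needless failover. The health parameter names, weights, threshold and consecutive-failure count are assumptions chosen for the demo; the real names and defaults are in the Planning Guide.

```python
"""Illustrative model of standby-driven failover with health scores and a
configurable threshold. Added example, not RIM code; names, weights and
thresholds are assumptions made for the demo."""
from dataclasses import dataclass, field

# Assumed health parameters: weight contributes to a 0-100 score; a failed
# critical parameter zeroes the score outright.
HEALTH_PARAMETERS = {
    "database_connection": {"weight": 40, "critical": True},
    "srp_connection":      {"weight": 30, "critical": True},   # link to the RIM infrastructure
    "messaging_agent":     {"weight": 20, "critical": False},
    "dispatcher":          {"weight": 10, "critical": False},
}

# Constructed check results used by the demo: {parameter: passed?}
ALL_OK = {name: True for name in HEALTH_PARAMETERS}
MESSAGING_AGENT_DOWN = dict(ALL_OK, messaging_agent=False)
DATABASE_DOWN = dict(ALL_OK, database_connection=False)


def health_score(results: dict) -> int:
    """Weighted 0-100 score; any failed critical parameter returns 0."""
    score = 0
    for name, cfg in HEALTH_PARAMETERS.items():
        passed = results.get(name, False)
        if cfg["critical"] and not passed:
            return 0
        if passed:
            score += cfg["weight"]
    return score


@dataclass
class StandbyMonitor:
    threshold: int = 60        # primary counts as unhealthy below this score...
    failures_needed: int = 3   # ...on this many consecutive checks before we act
    consecutive_failures: int = 0
    role: str = "standby"
    log: list = field(default_factory=list)

    def check_primary(self, primary_results: dict, own_results: dict) -> str:
        """One health-check cycle; returns this server's role afterwards."""
        primary = health_score(primary_results)
        own = health_score(own_results)
        self.consecutive_failures = self.consecutive_failures + 1 if primary < self.threshold else 0
        # Promote only after repeated misses (one transient blip must not cause a
        # failover) and only if we are actually healthier than the primary: a
        # standby that has also lost the database must not take over.
        if (self.role == "standby"
                and self.consecutive_failures >= self.failures_needed
                and own > primary):
            self.role = "primary"
            self.log.append(
                f"failover after {self.consecutive_failures} failed checks "
                f"(primary score {primary}, standby score {own})")
        return self.role


def simulate(primary_timeline, standby_results, **monitor_settings):
    """Feed a sequence of primary check results to a standby; returns (roles, log)."""
    monitor = StandbyMonitor(**monitor_settings)
    roles = [monitor.check_primary(r, standby_results) for r in primary_timeline]
    return roles, monitor.log


if __name__ == "__main__":
    timeline = [ALL_OK, MESSAGING_AGENT_DOWN, ALL_OK,
                DATABASE_DOWN, DATABASE_DOWN, DATABASE_DOWN, ALL_OK]
    print(simulate(timeline, ALL_OK))
```

Running the demo timeline, the messaging-agent blip lowers the score but stays above the threshold, the three consecutive database failures trigger the failover, and the primary coming back afterwards does not demote the new primary (failing back is a separate, deliberate action, as the manual failover screenshots further down show).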
Please note that for smaller environments it is absolutely fine to install all of the components below on just two separate boxes. You do not need to split each service out to its own box. You can also run several of the broken-out services together on a single box (this is good and overdue).
BlackBerry Administration Service
There are two main ways to achieve high availability for the BlackBerry Administration Service: a hardware network load balancer, or simply DNS round robin. Bear in mind that a round-robin DNS record has no idea whether a node is up, so a client may still be handed the address of a failed server and have to retry; a load balancer with health checks avoids this.
Actually, a colleague of mine pointed out to me that HA for this component may be a little overkill for some organisations. During setup you are asked to enter the high availability DNS pool name, but there’s nothing stopping you from using a different one for each installation and giving people two links, saying “If this doesn’t work, use this one instead”. Most helpdesk staff should be able to handle this.
BlackBerry Attachment Service
This is not like your ordinary HA scenario, because the Attachment Service has some nice built-in load balancing as well. This gets a little confusing, so bear with me.
For each BlackBerry Enterprise Server, you can configure one or more pools, each with a primary group consisting of two or more Attachment Service instances and an optional secondary group with two or more Attachment Service instances.
So, instead of having one Attachment Service doing all the work and another just sitting by waiting for it to fail, you split the work by creating a pool. Within this pool there is a primary group, consisting of two or more Attachment Service instances.
You can leave it at this if you like; there is no requirement to add anything else. However, you also have the option of creating a secondary group with two or more Attachment Service instances.
You can set each instance to process only specific types of attachments. If an attachment cannot be processed in the primary group, it is passed to the secondary group.
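To make the pool/group routing concrete, here is an added Python model (my own, not RIM’s code) of a pool with a primary group whose instances each handle certain attachment types, and a secondary group that catches what the primary group cannot process. Instance names, type lists, the round-robin choice within a group, the two-instance minimum per group and the file names are all constructed for the demo.

```python
"""Illustrative model of a BlackBerry Attachment Service pool: a primary group
of instances, each limited to certain attachment types, and an optional
secondary group that handles what the primary group cannot. Added example, not
RIM code; instance names, type lists and file names are constructed."""


class AttachmentInstance:
    def __init__(self, name: str, types, up: bool = True):
        self.name = name
        self.types = {t.lower() for t in types}  # extensions this instance is set to process
        self.up = up                             # False models a crashed or stopped instance

    def can_process(self, ext: str) -> bool:
        return self.up and ext in self.types


class AttachmentPool:
    def __init__(self, primary, secondary=()):
        if len(primary) < 2:
            raise ValueError("a primary group needs two or more instances")
        if secondary and len(secondary) < 2:
            raise ValueError("a secondary group, if present, needs two or more instances")
        self.groups = [("primary", list(primary)), ("secondary", list(secondary))]
        self._cursor = {"primary": 0, "secondary": 0}  # round-robin position per group

    def _pick(self, group_name, instances, ext):
        capable = [i for i in instances if i.can_process(ext)]
        if not capable:
            return None
        # Share load among the capable, healthy instances rather than always hitting the first.
        idx = self._cursor[group_name] % len(capable)
        self._cursor[group_name] += 1
        return capable[idx]

    def route(self, filename: str):
        """Return (group, instance name) chosen to convert this attachment, or
        ("unprocessed", None) when no instance in either group can take it."""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        for group_name, instances in self.groups:
            inst = self._pick(group_name, instances, ext)
            if inst is not None:
                return group_name, inst.name
        return "unprocessed", None


def build_demo_pool():
    """Constructed pool: the primary group only does doc/pdf, the secondary does more."""
    primary = [AttachmentInstance("ATT-P1", ["doc", "pdf"]),
               AttachmentInstance("ATT-P2", ["doc", "pdf"])]
    secondary = [AttachmentInstance("ATT-S1", ["doc", "pdf", "xls", "ppt"]),
                 AttachmentInstance("ATT-S2", ["doc", "pdf", "xls", "ppt"])]
    return AttachmentPool(primary, secondary)


if __name__ == "__main__":
    pool = build_demo_pool()
    for f in ["q3.pdf", "memo.doc", "budget.xls", "setup.exe"]:
        print(f, "->", pool.route(f))
```

The point the model makes is that the secondary group is not merely a cold spare: it is reached both when the primary group is not configured for a type (the .xls case) and when every capable primary instance is down, while the two primary instances share the ordinary doc/pdf load between them.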
BlackBerry Configuration Database
This can be achieved using database mirroring with SQL Server 2005 SP2. If the principal database fails, the BlackBerry Enterprise Server attempts to connect to the mirror instead.
High Availability can be achieved for the following additional services.
- BlackBerry Collaboration Service
- BlackBerry MDS Connection Service
- BlackBerry MDS Integration Service
- BlackBerry Monitoring (manual only)
- BlackBerry Router
Please see the BlackBerry Enterprise Server Planning Guide for more information on these services.
Oh, and by the way, it is really easy to set up, as you will see below.
3. Installation Options
The installation is very similar to the installation of BES 4.1, but there are definitely a few noteworthy differences. I won’t cover each step, but I will show some of the new steps in BES 5.0 that I think are worth mentioning.
The first screen you are greeted with after launching the installer is the following.
This has obviously been introduced as a reminder to ensure that you’re logged in as the BESAdmin account, and not the Administrator account.
Choose between BlackBerry Enterprise Server…
… or Remote Components. After you have installed one instance, the checkbox “Install a Standby BlackBerry Enterprise Server” becomes available.
At the Pre-installation Checklist you get a very nice warning about the Send As permission. If you are not familiar with the problems BlackBerry devices can have sending email when this permission is missing, please visit http://blackberry.com/sendas/
Database mirroring is supported natively in BES 5.0. As discussed earlier, this means that high availability can be achieved on your database server: if the BES cannot connect to the principal database, it automatically tries to connect to the mirror instance.
This feature requires Microsoft SQL Server 2005 SP2.
Here you are asked to type the pool name for the BlackBerry Administration Service. If you are installing a single server, you can comfortably use the FQDN of the machine you are installing on.
However, if you are using high availability for the BlackBerry Administration Service, enter an internal name that exists in your DNS server, such as blackberryadmin (this becomes the host part of the console address, e.g. http://blackberryadmin). You then need to create a round-robin record for that name in your DNS server containing the resolvable IP address of each computer hosting a BlackBerry Administration Service.
This is the Active Directory account that the BlackBerry Administration Service uses to query Active Directory/Exchange for user information.
BlackBerry Administration Service – Advanced Settings.
There are two authentication methods that your administrator account can use to log on to the BlackBerry Administration Service. By using BlackBerry Administration Service
That’s it for the installation. From here, the services start and the BlackBerry Administration console address is displayed.
4. Operational Screenshots
I thought I might include some screenshots of the Blackberry Administration Service in action.
Currently, I’m using the BlackBerry Administration Service account to log in, rather than using integrated Windows authentication.
Adding a user
Available actions for users
Available IT policies
Managing IT policy
Available IT policies – a little cluttered.
Role based administration
Different roles installed out of box (except the 24×7 role)
Granular level of control…
Click on Manual Failover to initiate failover.
Failover complete. (Easy!)
Customisable failover thresholds.
RIM has finally announced the long awaited BES 5.0, which sports a few interesting features including
- Retrieve corporate documents behind firewalls
- Add, read, rename and delete folders on the handset and have those changes be applied to the desktop email client
- Create rules within the inbox to filter email and have those changes be applied to the desktop
- View attachments in calendar entries and meeting requests
- Download and store emails and email attachments onto microSD cards
They are a fair while behind schedule. I do believe that HTML email and remote server search were originally going to be implemented in BES 5.0 too; however, they ended up in a service pack. I will be interested to see the pricing scheme they have in mind for it; perhaps upgrading to BES 5.0 will be a one-off fee, similar to going from 4.0 to 4.1. I hope they don’t increase the CAL prices.
I have been lucky enough to be using my Javelin 8900 for several weeks. Honestly, it’s really a solid device. It’s the *almost* perfect mix between the Bold and the Curve, except that it’s lacking 3G.
BGR has reported that a 3G BlackBerry Gemini 9300 may be coming out towards the end of 2009 or early 2010. Possible specs from BGR are reproduced below.
- The screen will be larger than the BlackBerry 8900, and that will also include a higher resolution
- The CPU will also be beefed up. We’re not sure if this means it will include something more powerful than the Bold’s 624MHz processor or not, but we’d like to think so.
- The device is said to be silver (think BlackBerry 8830)
- The keyboard is a little more rounded than the BlackBerry 8900
- The Send/End keys are rounded instead of being flat on the sides
- Styling is not drastically different — it keeps with the 8900/Storm styling
- It of course rocks quad-band GSM/GPRS/EDGE, and tri-band UMTS/HSDPA
- Wi-Fi and GPS were not confirmed, but we’d say there’s about a 99.99% chance
- Camera specs were not confirmed either, but you can bet you’re looking at 3.2 megapixels or better
I was trying to deploy Google Maps over the air from a BES we manage for one of our customers. It looked like it installed correctly on the BlackBerry, but I was receiving the following message when trying to launch the application from the device.
“Class ‘net.rim.device.api.system.WLANInfo$WLANAPInfo’ not found”
The problem was a lack of free space on the device. Check the free space available on the BlackBerry (Settings/Options > Status). I encountered this error several times when pushing the application to a group of pilot users. Most of them had additional languages installed on the device, which took up a substantial amount of room; after removing the languages and the failed install of Google Maps, the push succeeded.
Don Kerr from the WMOz blog has informed us that there are several new guides available for MDM SP1 integration. These include integrating MDM with:
- Existing Web Sites or Microsoft Office Sharepoint Server portals
- Microsoft Exchange Server
- Microsoft Office Communications Server 2007
These guides are available from the following Technet page.