This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.
The new BlackBerry Enterprise Service (BES) release goes all-in on mobile device management. But does it have what it takes to succeed in a crowded MDM market?
BES 12 is BlackBerry's latest iteration of its management software, completing its pivot from device-specific email router to mobile device management suite. Like Microsoft jumping from Windows 8 to Windows 10, Blackberry is taking its middleware straight from BES 10 to BES 12, with support for iOS, Android, Windows Phone, BlackBerry 10 and legacy BlackBerry devices.
One initial note: installation is a lot simpler than previous BES editions we've used. Instead of multiple servers, there's just one installer — and one BES install with one web-based UI. That's a big change from previous releases, with the new installer taking design cues from BlackBerry 10 and the current BlackBerry website. You'll still need to install Java on your server, so make sure you're using JRE 1.7.
While it's possible to upgrade existing BES 10 installs to BES 12, we opted for a clean install on our test system. It's recommended that you create a service account with the appropriate privileges before setting up BES 12, making sure it's able to work with the SQL Server or SQL Server Express database you're using. BlackBerry provides a readiness tool to check your server is ready for use, and we'd recommend running it to ensure your network is configured for access to BlackBerry's network — especially if you're using proxy server or a standalone BlackBerry router.
Enjoying this article?
Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.Join Premium Today
There's no longer the need for multiple reboots during setup, and once installed everything is handled through a browser, with shortcuts installed as part of the installation process. If you're using Windows Server 2012 or 2012 R2 it's a good idea to pin the link to the administration portal to the start screen and to the taskbar. The first time you log in, you'll need to set a password (the default admin/password is a little on the insecure side).
Highly available, again
BES 12 brings back high availability support, using SQL Server's AlwaysOn features to work as part of a Windows Failover Cluster. You'll need to set up your failover cluster before installing BES 12, connecting to the SQL Server Availability Group network name. Multiple BES instanced can be connected to the same BES database, giving you increased resilience.
There's one recurring question with every release of BES, and with every fresh install: why can't BlackBerry install a web server certificate with BES that's in the Windows trust chain? Although you can install the certificate in the Windows certificate store, it's still annoying to have to click through a 'Do you want to visit this untrusted website' dialogue until you've stored the BlackBerry certificate correctly.
BES still uses SRP keys to handle connection to the BlackBerry network, and you'll need to enter these when you log onto BES 12 for the first time. This is a much simpler process than in previous versions, where keys had to be entered in a separate application. BlackBerry does provide a tool for simplifying loading device CALs, although you can load these via the administration tool.
You'll next need to configure BES 12 to work with other platforms. Managing iOS requires configuring the Apple iOS push service, and BES 12 will generate the appropriate certificate request. Follow the wizard's instructions to upload this to the Apple certificate signing service, which will deliver back a certificate to install in BES — ready to manage iOS devices.
Multiple Mobile Device Management
The BlackBerry world has changed. BES used to be a tool for pushing email to devices, with some management features on the side. The latest release turns that on its head: in most cases you're just managing devices with BES 12, not email. That means you'll need to configure access to a mail server to send enrolment and other messages to your device, using BES 12's SMTP support. Although free SMTP servers for Windows are easy to come by, you'll probably want to connect BES 12 to your existing email infrastructure. Configure BES to use an appropriate email identity for messages, and make sure the account is set up in your mail server.
BES 12, like BES 10, uses existing mail protocols to handle mail — either routing mail through its secure connection (if you're using a BlackBerry 10 device) or letting make their own connections to servers. One new feature in BES 12 lets you manage access to Exchange servers using BlackBerry's gatekeeping service. This allows you to block access to Exchange email for devices that don't meet your security or compliance policies, whitelisting devices that are allowed to access mail. You can only do this with an on-premises Exchange server, as it requires setting up remote management roles.
Working with Active Directory and Office 365
We were pleased to find that it's a lot easier to connect BES 12 to an Active Directory server; all you need to do to set up a connection is add a domain admin user name (and password), the name of a domain, and BES 12 does the rest. If you don't use AD, there's the option to work with LDAP directories — or to import users and groups via CSV files.
However there are still some idiosyncrasies, and we did have problems using BES 12 with both AD and Office 365 on a BlackBerry 10 device when the two services don't have a common directory — and where the two use different passwords. BES 12 will use the AD password over and above the user password, even when the user enters their Office 365 password as part of the BlackBerry registration process. There is a workaround, so if you've got separate local and cloud ADs, BlackBerry recommends setting up users as locally managed in BES. Alternatively for smaller installations, you can deliver custom email profiles for each user.
Managing users and apps
The heart of BES 12, like earlier BES releases, is its collection of policies and profiles. With support for four different brands of device, you won't be able to control everything on every device — but you will be able to put in place a set of policies that will cover most key scenarios on your managed devices. Device capabilities are managed through a familiar set of IT policies — policies that go back to the good old days of the BlackBerry Enterprise Service. BES administrators will be able to quickly assign profiles to users and groups, although you'll need to consider adding device groups for managing capabilities on non-Blackberry devices.
BES12 provides tools for managing the apps on users' devices, either through BlackBerry OS's secure Workplace on BlackBerry devices, or using whitelists and blacklists on iOS, Android and Windows Phone. There's also support for pushing internally-developed apps to managed devices, although you need to ensure that you have the right security certificates in place. If you're using Apple's Volume Purchase Program you can link a VPP account to a BES 12 system, so your users can access corporate apps when they need them — and of course they're deleted and licenses are recycled when users leave BES management.
Keeping track of managed devices can be hard, so BES 12 gives you a dashboard for a quick overview of your fleet status, with graphs of key information. From the dashboard you can see devices that are out of compliance, the most popular managed apps installed, and the platforms currently in use. You can then drill into individual devices, with the ability to get detailed information on managed devices — and to generate detailed reports on specific devices. The BES 12 users and devices view can be quickly filtered, making it easier to track down a device and apply new management profiles.
As always, the tricky bit is licensing. BES 12 takes a per-device approach to licensing, with Silver and Gold levels. Silver gives you basic device management and security tools, while Gold gives you support for BlackBerry's secure workspace tools on iOS and Android, with additional management features for BlackBerry devices. In practice you're likely to use Silver licenses for BYOD users, and Gold for managed users who need additional security — your C-level management team, for example. Tiered licensing makes a lot of sense for traditional BlackBerry users, but might not make economic sense when compared to the per-user licensing models used by other MDM packages.
Keeping on top of things
There's a lot of documentation on the BlackBerry support site, and you're going to need to read most of it if you want to get the best from a BES 12 installation — especially if you're managing more than just BlackBerry devices. Perhaps the most useful is a matrix showing device support for key features, including data encryption, remote wipe and policy management. It's not surprising that BlackBerry 10 has the most supported features, with Android a close second.
One thing to note: you'll need to connect BES 12 to a SMTP server if you want it to send activation messages to users. Although most sites are going to be using it with on-premises email servers, you'll need to set up an SMTP gateway if you're working with cloud servers — or see if your cloud service offers a SMTP gateway option. We were able to use our test BES 12 deployment with our Office 365 account's SMTP gateway, but check the documentation before you set up a connection.
Activation messages can be sent from the administration tool, or via the BES self-service portal. We did find the registration message a little confusing — it contained the user name and passwords needed to activate a device, but there was also a bcp:// URL that appeared to be an activation link. That's not the case: you activate via the tools built into the BlackBerry 10 OS or with downloaded iOS, Android and Windows Phone apps. We'd recommend using the built-in tools to create your own custom activation mails, with separate mails for each device type.
There's a lot to like here, with much progress evident since BES 10. However the inconsistencies and occasional complexities detract from the overall polish of the platform. We'd like to see better enrolment tools, and more support for cloud email and directory services — features that BlackBerry will need to add as organisations migrate those functions to Google's and Microsoft's cloud platforms. BlackBerry's latest management suite compares well with other MDM tools and services, and it's clearly the only solution for managing fleets of BlackBerry devices. It's harder to justify it when working with other platforms, especially when key features on iOS and Android require an additional Work Space license, and when many Windows Phone features aren't supported.
BES 12 is an important release for BlackBerry, with its strongest set of cross-device management capabilities yet. However, the MDM market is a crowded one, where the underlying economics of on-premises device management are being challenged by cloud-hosted services like Microsoft's Intune. BlackBerry still has a lot of loyal users, and there's definitely a market for BES 12's compliance management tools in regulated industries and government. Although many existing BES users are likely to upgrade, BlackBerry will have more of a challenge bringing new users into the BES fold.
With a free trial available, BES 12 is certainly well worth a look alongside its many competitors. The only real question is, will companies that have never used BlackBerry devices buy it as a MDM solution? It's the new users that are going to be the challenge for BlackBerry. That could be as a problem as, while substantially redesigned, BES 12 still has a lot of its BlackBerry device heritage, making it harder for new users to learn. Also, with spotty cross-platform support that's reliant on apps, it's harder to manage non-BlackBerry devices to the same level as BlackBerry's own hardware.