Blackberry 10 and Windows Phone 8 Password Prompts

by Ed Sparks

Now that more BB10 and WP8 devices are out in the wild, a few issues are coming to light regarding their connection to Exchange ActiveSync.

The most common is that users are periodically prompted for their password after having synced successfully with the server for some time. In many cases (particularly with BB10) this results in an account lockout if the user simply cancels the prompt or gets the password wrong, since the device keeps retrying.

The same issues do not seem to appear with iOS, Android or Windows Phone 7.x devices against the same servers. It's not yet clear what the BB10 and WP8 implementations do differently.

The solution: adjust the timeout settings on your Exchange server, or on the ISA/TMG or ASA gateways in front of it, so that idle connections are held open for longer than the heartbeat interval of the ActiveSync device. Direct Push works by leaving an HTTP request outstanding for the length of the heartbeat, so any gateway that expires "idle" connections sooner than that cuts the request off and the device must reconnect and re-authenticate.

Exchange
Follow the steps in this article to ensure the correct configuration is in place for both Exchange (2003/2007/2010) and your ISA/TMG.

ISA/TMG
Under the Web Listener for the EAS/OWA rule, uncheck the "Apply session timeout to non-browser clients" setting, as per this article.

Cisco ASA
Ensure the connection (idle) timeout applied to traffic passed to Exchange on HTTP/HTTPS is either disabled or very long. Scope the long timeout to the Exchange flow rather than raising the global connection timeout for everything that crosses the firewall.

Curious how all this fits together? Here's a great backgrounder on how EAS Direct Push works, heartbeat intervals, firewalls and more.  
http://technet.microsoft.com/en-us/library/cc182270.aspx
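As an added example (not code from the original post, Microsoft or RIM), the PowerShell below shows where the heartbeat window is capped on an Exchange 2007/2010 Client Access server and checks that window against the idle timeouts of the gateways in front of it. It assumes the appSettings keys MinHeartbeatInterval and MaxHeartbeatInterval in <ExchangeInstallPath>\ClientAccess\Sync\web.config (values in seconds, Exchange defaults 60 and 3540), that ExchangeInstallPath is set as an environment variable on the server, and that the gateway names and timeouts are made-up inputs. The web.config fragment embedded in it is constructed for the example.

```powershell
# Added example, not from the original post. Reads the Direct Push heartbeat
# window an Exchange 2007/2010 CAS will negotiate and compares it with the idle
# timeouts of the gateways in the path. Key names, defaults and the environment
# variable are assumptions stated in the lead-in.

function Get-EasHeartbeatWindow {
    # Parse the heartbeat bounds from the ActiveSync virtual directory's web.config.
    param([Parameter(Mandatory = $true)][xml]$WebConfig)

    $min = 60    # assumed Exchange default, used when the key is absent
    $max = 3540  # assumed Exchange default (59 minutes)
    foreach ($entry in $WebConfig.configuration.appSettings.add) {
        switch ($entry.key) {
            'MinHeartbeatInterval' { $min = [int]$entry.value }
            'MaxHeartbeatInterval' { $max = [int]$entry.value }
        }
    }
    [pscustomobject]@{ MinSeconds = $min; MaxSeconds = $max }
}

function Test-GatewayIdleTimeout {
    # One row per gateway: does its idle timeout outlast the longest heartbeat the
    # server will hand out? A value of 0 means the gateway never expires idle connections.
    param(
        [Parameter(Mandatory = $true)]$Window,
        [Parameter(Mandatory = $true)][hashtable]$IdleTimeoutSeconds
    )
    foreach ($name in $IdleTimeoutSeconds.Keys) {
        $t = [int]$IdleTimeoutSeconds[$name]
        if ($t -eq 0 -or $t -gt $Window.MaxSeconds) {
            $ok = $true
            $note = 'holds the longest heartbeat the server allows'
        } elseif ($t -le $Window.MinSeconds) {
            $ok = $false
            $note = 'shorter than the minimum heartbeat: every Direct Push request is cut; expect prompts and lockouts'
        } else {
            $ok = $false
            $note = "cuts any heartbeat above $t s; raise this timeout or lower MaxHeartbeatInterval to match"
        }
        [pscustomobject]@{ Gateway = $name; IdleTimeoutSeconds = $t; Ok = $ok; Note = $note }
    }
}

# Constructed sample of the relevant part of web.config (not a real server's file).
$sampleWebConfig = [xml]@"
<configuration>
  <appSettings>
    <add key="MinHeartbeatInterval" value="60" />
    <add key="MaxHeartbeatInterval" value="3540" />
  </appSettings>
</configuration>
"@

$window = Get-EasHeartbeatWindow -WebConfig $sampleWebConfig
Test-GatewayIdleTimeout -Window $window -IdleTimeoutSeconds @{
    'TMG web listener, session timeout applied to non-browser clients' = 600   # made-up value
    'ASA connection timeout for the Exchange flow'                     = 3600  # made-up value
} | Format-Table -AutoSize

# On a real Client Access server (assumed: ExchangeInstallPath is set by Exchange setup):
# $real   = [xml](Get-Content (Join-Path $env:ExchangeInstallPath 'ClientAccess\Sync\web.config'))
# $window = Get-EasHeartbeatWindow -WebConfig $real
```

The point of the comparison is that the gateway, not the server, is usually the binding constraint: devices negotiate a heartbeat up to MaxHeartbeatInterval, so the gateway's idle timeout must exceed that value, or MaxHeartbeatInterval must be lowered so devices never ask for more than the gateway will hold. Either change keeps the timeout scoped to the EAS traffic rather than relaxing it for every flow through the firewall.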

The new face of BES - Connecting Blackberry 10 devices to Exchange

by Ed Sparks

With Blackberry 10 just days away from launch, we're seeing an increasing amount of interest and confusion about how these new devices will connect with mail environments, and how it compares to previous versions of the devices and servers.

Part of this confusion is due to RIM somewhat changing the plan along the (very long) way to BB 10. Thankfully the initial impressions of the devices look solid, so we expect there to be an uptick in usage again.

So what's changed? In a word, everything.

BB 10 (and Playbook 2.x) devices all use Exchange ActiveSync (EAS) as their only supported method of syncing with email servers. This is great news for Exchange and removes much of the complexity of the past. The biggest win is that the devices now natively support email without a BES or BIS connection, just like iOS, Windows Phone and Android. A MUCH better user experience.

In the enterprise, a BES is no longer required at all if you simply want to connect your BB 10 handhelds in a mostly unmanaged way: just keep publishing your EAS servers to the public internet. Autodiscover and the other niceties are supported by BB10, as are EAS policies for passwords, remote wipe and the like.

So what does RIM bring to the table beyond that as part of their 'legendary security'?

It turns out quite a nice set of functionality - albeit at a pretty high price point.

Blackberry Enterprise Service (not Server) is the new BES 10, but it has no relation to the old BES. It is simply a management tool, an update and rebranding of the previous Mobile Fusion and Universal/Blackberry Device Service products. The new BES will NOT talk to older Blackberry devices. Period. You will need to keep a BES 5 server around for as long as you have legacy devices.

The BES 10 management product will, however, manage your old devices by pushing policy down to BES 5 and on to the devices. Likewise it will manage Android and iOS devices, with certificate management and installable clients if desired. You can keep a consistent policy across all of these, report on them, and so on. Sounds quite promising.

As for syncing, which is where most of the confusion occurs because of the native EAS support, the question is what BES 10 adds to that part of the puzzle.

RIM will offer three levels of EAS connectivity and security:

1. Native EAS - no BES involved.
2. Native EAS with BES management - BES pushes the email settings and policy to the devices (so users don't have to enter anything, and BES policy trumps EAS policy).
3. Full BES (our name) - device connections are routed over an encrypted tunnel through the RIM network back to your BES, then proxied on the user's behalf to the internal EAS server. External publishing of EAS is not required. This only works on the "Work" side of the Blackberry 10 or Playbook 2 "Balance" profiles; casual users cannot natively get this functionality.

Overall we think the approach they are taking makes a lot of sense, and is a huge improvement over the former days of the steaming pile of Java crud that was the old BES.
It remains to be seen how well all this comes together, but if RIM pulls it off correctly they've got a fighting chance at not only a good device but a great MDM product as well.

BES 10 is now available for download.

Need help with updating your environment? Questions?  Contact us today for Blackberry therapy.

Controlling EWS Access in Exchange 2010 - Mac, Samsung, Blackberry and more

by Ed Sparks

A common request we get from customers is how to block the many problematic or unauthorized (and uncontrolled) email clients that connect to their Exchange servers via Exchange Web Services (EWS).

Exchange 2010 SP1 - Rejoice!
Thankfully Microsoft heard the feedback loud and clear: beginning with Exchange 2010 SP1, this is highly manageable via new block and allow settings and lists that can be applied at the organization or mailbox level.

The two cmdlets used are Set-OrganizationConfig and Set-CASMailbox.

Note: Settings configured at the organization level are overridden by those set at the mailbox level. This means you can enforce a secure policy by default and then make a few exceptions for specific users.

The most common configuration we set up for clients is as follows:
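As an added example (not the post's own configuration, which is not reproduced here, and not Microsoft's documentation), the PowerShell below applies a deny-by-default EWS policy at the organization level and then carves out a per-mailbox exception, using the two cmdlets named above. It assumes the Exchange 2010 SP1 (or later) Management Shell; the User-Agent patterns and the mailbox aliases are assumptions chosen for illustration.

```powershell
# Added example, not the post's own configuration. Organization-wide EWS allow list
# with a per-mailbox exception. Run from the Exchange 2010 SP1+ Management Shell.
# The User-Agent patterns and mailbox aliases are assumptions for illustration.

# 1. Organization default. EwsApplicationAccessPolicy governs applications other than
#    Outlook, Outlook for Mac and Entourage, which have their own switches. Allow-list
#    entries are wildcard matches on the HTTP User-Agent the client sends.
Set-OrganizationConfig `
    -EwsEnabled $true `
    -EwsAllowOutlook $true `
    -EwsAllowMacOutlook $true `
    -EwsAllowEntourage $false `
    -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @('*Lync*')          # assumed pattern for an approved client

# 2. Exception for one mailbox. A non-null mailbox-level value overrides the
#    organization value, so this user keeps the allow-list policy with one extra entry.
Set-CASMailbox -Identity 'jdoe' `
    -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @('*Lync*', '*Samsung*')   # assumed pattern for the device jdoe may use

# 3. Exception the other way: a mailbox that should never be reachable over EWS.
Set-CASMailbox -Identity 'svc-scanner' -EwsEnabled $false   # assumed service account

# 4. Review what is in effect. Null mailbox-level values mean "inherit from the organization".
Get-OrganizationConfig | Format-List EwsEnabled, EwsAllow*, EwsApplicationAccessPolicy, EwsBlockList
Get-CASMailbox -Identity 'jdoe' | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# 5. Withdraw the exception later by clearing the mailbox-level values so the
#    organization default applies again (assumed: the parameters accept $null).
Set-CASMailbox -Identity 'jdoe' -EwsApplicationAccessPolicy $null -EwsAllowList $null
```

Two caveats worth keeping in mind. The allow and block lists match the User-Agent header the client chooses to send, so they stop well-behaved but unsanctioned clients, not a client that spoofs its agent string; for mailboxes that never need EWS, EwsEnabled $false at the mailbox level is the stronger control. And Outlook itself relies on EWS for free/busy, out-of-office and similar features even though mail flows over MAPI, so leave EwsAllowOutlook enabled for Outlook users.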
