BlackBerry’s new BlackBerry 10 platform is very different from the versions that have come before. No longer based...
on Java, it’s built on the QNX real-time operating system (OS) found in many cars.
With a new foundation, BlackBerry has been able to make a lot of changes to how its phones access email servers and to how they’re managed.
The underlying BlackBerry network architecture is very different in BB10. Mail is now handled by the familiar EAS protocol and BlackBerry’s management tools move from pushing mail to giving you a secure path between your mailservers and your managed devices – as well as controlling BlackBerry’s Balance BYOD solution for both BB10 devices and the PlayBook tablet.
BlackBerry has used the launch of BB10 to rationalise its servers and its device licensing model, building its new BES10 family around its BlackBerry Management Studio mobile device management (MDM) tools – previously known as BlackBerry MobileFusion.
With BES10 BlackBerry is changing the way it charges for its servers. Instead of a licence fee for the server plus a device client access licence (CAL), it is now providing the server for free with a $99/device licence model. Those device licences are not a subscription, either; they are perpetual licences valid for connections to BES10 servers. Existing CALs can be transferred to the new model, if users are replacing older BlackBerrys with new BB10 devices.
Planning and installing BES10
BES10 is a three-part solution (four, if you count the BES5 and BES Express systems you’ll need to keep in place to support older devices). That’s three different servers you’ll need to install – and BlackBerry recommends they are all installed on different servers or in separate virtual machines.
In practice, if you are not planning on using BES10 to manage Android or iOS devices, you’ll only need to install two new servers as you will not need to run the Universal Device Service management tool which adds support for non-BlackBerry devices.
There is no direct upgrade path from earlier versions of BES to BES10 and, as you will be managing a completely new class of devices, we’d recommend keeping existing BES systems running (if you want to reduce costs, consider transitioning BlackBerry 5 and BlackBerry 6 devices to BES Express).
Unmanaged BlackBerry 10 devices are still able to access corporate email if you have an externally-facing EAS system, but can be controlled using Exchange’s built-in device management tools and policies. That means you’ll only need to roll out BES10 if you are planning on taking advantage of BB10’s Balance tools and want to ensure separation of work and personal data.
Installation is straightforward, though there are some issues that need to be considered. We would recommend starting with a fresh Windows Server install as BES installs its own web servers and databases. Use Windows Server 2008 R2, as Windows Server 2012 is not supported.
Make sure your server is domain joined and is able to access your Active Directory. You’ll also need to ensure that port 3101 is open on any firewalls to ensure your BES server can connect to the secure BlackBerry network.
While you can install all the BES servers on one machine, it’s better to install them separately as they use different web servers and different versions of Java. If resources are limited, you can use VMs for each server.
There is another good reason for virtualising BES10 though: BES10’s tripartite architecture means that you don’t get the high-availability features of earlier BES, so you’ll need to set up your own disaster recovery environment. Using VMs means you can use snapshots to store standby copies of your BES servers, ready to go online if your primary servers fail.
If you’ve installed any earlier versions, BES10’s installation dialogues will be very familiar as it’s very much the same process. One thing to note is that BlackBerry has changed the language associated with the various licence keys on the download page, but not in the installer. Use the BDS serial number and licence keys where you’re asked for SRP keys, and the CAL authentication key as your server licence key.
You’ll also need to set up a database to store device management information. This can be the bundled SQL Express or an external SQL Server.
Connecting mail servers
BlackBerry Device Service is an update for BB 10 of the old familiar BES – it even shares the same installer.
The biggest difference between a BES10 installation and any previous BES is that there’s no direct integration with an Exchange server. Instead you’ll need to set up a mail profile in the BlackBerry Device Service console, which allows you to either build a secure tunnel to an internal EAS endpoint or use BES as a router between an external email service, like Office 365, and your users’ devices.
Once you’ve installed the BlackBerry Device Service, you’ll need to install BlackBerry Management Studio. This is the heart of BES10, where you will manage devices and deploy policies you’ll create in the BDS.
While BDS has the old, familiar BES look and feel, BMS is a much more modern application. Its web console takes design cues from the new BB10 and PlayBook user interface, with clear icons and a well laid-out page.
The third component of BES10, Universal Device Service, adds support for Android and iOS devices, and is also controlled via BMS.
Managing devices and getting some Balance
BMS gives you the tools to create users and activate their devices. Users can be sent activation emails to automatically enrol devices or you can give them an activation password and the BlackBerry network address of your BES (the SRP ID used to identify your server when you set up BDS).
Use the BlackBerry Device Service to create profiles and policies, handling connections to mail servers running Exchange ActiveSync.
Once activated, the default profiles set up Balance and deactivate any existing connections to corporate mail accounts – deleting downloaded mail from those accounts for example. While BMS gives you the tools to manage devices, you will use BDS to set up email profiles to control access to mail servers, as well as handling certificate distribution and access to VPNs.
Balance is possibly the most important feature on BB10. It lets you set up a corporately managed workspace on BYOD devices, one that’s completely separate from users’ own apps and data. Users still see a unified mailbox but they cannot move data between work and personal spaces. Also, when you de-provision a BYOD BB10 device, you will not affect their personal data, keeping pictures and high scores safe.
Users will be required to set up a password to control access to their work space as part of device activation. Separating work and personal information and applications simplifies device management and BES10 has far fewer IT policy options than earlier versions. That makes it easier to manage BB10 devices and also keeps your users from complaining that they do not have access to the apps and services they want to use on their BYOD smartphones.
Getting BES10 up and running is relatively simple. Despite being built around three separate servers, it is a less complex installation than earlier versions of BES and BMS gives you a more modern approach to device management and policy deployment.