BlackBerry BES 10
26th Feb 2013 | 09:00
Aligns BB10 with BYOD, but installation is a challenge
Introduction and installation
A new BlackBerry operating system means a new version of the BlackBerry Enterprise System (BES), the company's security and device management software.
BB10 is a completely new platform and BlackBerry has needed to make significant changes to BES. It starts with the way it's licensed, switching to a per-device licensing model instead of the server-based pricing used by earlier versions.
BES 10 comprises three services: BlackBerry Device Service (BDS), BlackBerry Management Studio (BMS) and Universal Device Service (UDS). If you're only planning on managing BlackBerry devices you'll only need to install the first two, as UDS adds tools for managing Android and iOS devices.
As BDS is only for BlackBerry 10 devices, you'll also need to keep running any existing BES 5 installation to support older BlackBerry devices.
An installation odyssey
One thing we noticed while installing our copy was that the licence keys we were sent didn't match what the software was asking for – or so we initially thought. When entering the Server Routing Protocol (SRP) identifier and authentication key, you have to use the UDS serial number and licence key.
We also encountered an issue with BlackBerry's SRP and the Universal Device Service, which needs to be changed to match the BlackBerry routing information used by the BDS.
BDS installs its own Apache web server, so you may need to change the ports it uses for HTTP and HTTPS connections during setup if your server is already hosting a web server. You may have to click forward and back a couple of times in the setup app to ensure your chosen ports don't conflict.
The UDS uses IIS, and will also require you to install a certificate for SSL connections to its management website. You can create a self-signed certificate in Internet Information Server (IIS) if you don't want to generate a third-party certificate (though there are plenty of free SSL options out there, so creating a certificate needn't be expensive).
Running two web servers on the same system isn't always recommended (and you also need multiple versions of Java); BlackBerry expects most customers to have each component on a separate server or at least in a virtual machine.
One thing to note is that BES 10 won't yet run on Windows Server 2012, and you'll have problems installing the Device Manager components on anything other than Windows Server 2008 R2. That could be an issue for anyone running a modern, high-availability data centre and looking to manage BYOD devices more effectively.
The heart of BES 10 is the BlackBerry Management Studio (previously known as BlackBerry Fusion). It makes it possible to manage different BDS and UDS installations from a single interface, while keeping different groups of devices separate.
You'll still need to use the BDS and UDS tooling to manage policies and email connections, as Management Studio only handles provisioning and querying devices. You can use Management Studio to deploy IT policies to devices, as well as to manage stored data – for example, deleting work (but not personal) data from a device that's no longer part of a BYOD deployment.
BMS will also deploy the policies from UDS to control iOS and Android systems, if you don't want to do that through Exchange.
One key feature of the new BlackBerry platform is the separation of work and personal data, using the Balance tools built into the BB10 platform. As a result there are far fewer policies in BES 10 than in previous versions, making it simpler to control devices (because there is less that you can control).
New policies determine how Balance separates work and personal information, including defining work domains and whether users see a unified mail view for their personal and work accounts.
BB10 has added support for Microsoft's Exchange ActiveSync (EAS), which means that BES 10 has a very different role in managing email. Instead of linking directly to a mail server as in previous versions, it now wraps EAS channels in BlackBerry's secure network connection. Also, rather than setting up connections to Exchange during setup, you create mail profiles in BDS that can be assigned to users.
BES is no longer linked to a specific mail server; instead it can route mail from any internal EAS server to a BlackBerry. You can now treat a BES 10 mail connection as an extension of your firewall, keeping mail as secure en route and on a device as it is inside your network.
There is also the option of using BES 10 to just deliver mail server information to devices, letting them connect directly to external EAS servers. This means that users can finally have multiple devices associated with a mail account, rather than being constrained by the old limit of one user, one device.
BES 10 also lets you manage apps, either delivering them directly to user devices, or by offering apps you've selected from the BlackBerry World app store. Those delivered this way will appear in the Work side of Balance on a BB10 device (there's a BlackBerry World for Work interface for apps from the store), and users can have Personal and Work versions of the same app – running separately and accessing separate information on the device.
It's also possible to give BB10 devices direct access to folders on your network.
The biggest problem with BES 10 is its legacy. While BDS 6.2 remains a Java application running on Apache, it will always conflict with the newer IIS-based tooling.
If you're installing the various BlackBerry servers on a single box, you'll need to be careful about installation order. While the installer implies that you should install BDS first, in practice you need to install the UDS tools first in order to make sure that you have IIS running before you install Apache.
There may also be issues with setting up databases, and where possible we would recommend always using the advanced installation options.
One SQL database, two web servers, three versions of Java and three separate server apps. Given that BES doesn't actually do email any more, why does it need all these resources? For managing and securing not just your new BB10 BlackBerrys but also the iOS and Android devices your users are bringing to work.
BES 10 and BB10 go a long way to solving many problems created by the 'bring your own device' trend, separating work and personal and providing tools for delivering work apps to mobile devices. Fewer administrative policies and support for EAS make it a lot easier to bring BES into an existing network, and a flat $99 (£65) fee per connecting device gives it a very simple licensing model.
Installing BES 10 was a complex process, and it took us several attempts before we had a working system. To get the best out of BES 10 you're going to need at least two and possibly three servers (though virtual machines are just fine), in order to reduce the risk of conflicts between web servers and databases.
There are also two different user interfaces: the familiar BES look and feel in BDS, and a new, more modern interface in both UDS and BMS. This is not a simple or well-integrated solution.