Working with BlackBerry Enterprise Server 5.0
A new BES brings a very different way of working with BlackBerrys, with a new Web-based administration console that makes life simpler and more complicated at the same time.
The latest version of Research in Motion’s BlackBerry Enterprise Server is a very different beast. You might think you’re installing the same old BES when you upgrade your customers’ systems, but once it’s up and running you’re going to find a lot of changes – and a lot of really useful features that will make managing your clients’ BlackBerrys a lot easier.
End users won’t see many changes at first, unless they’re using devices that have the new BlackBerry OS 5.0 (which will be new BlackBerry models and upgrades to existing handsets from the start of 2010). Once devices upgrade to OS 5.0, they’ll get significant improvements to the BlackBerry messaging tools, making them behave much more like Outlook. Where BES 5.0 excels over previous versions is the new Web console ‘administer anywhere’ capability, along with improved policies and enhanced management tools.
Installing BES 5.0 is relatively easy. The installer is similar to that used by earlier versions of BES, and if you’re upgrading an existing installation you’ll be walked through upgrading existing databases (and existing users). It’s quick enough that if you run the process overnight, users won’t even know that they’ve been upgraded. There’s no need to re-register and re-activate every phone, as devices that are already activated will just keep on working. The upgrade process backs up the current database before converting it to the new BES schema, so you can roll back servers if there are any problems with the install.
RIM has done a lot of work on giving BES 5.0 high availability features, so the install now gives you the option of using database mirroring with SQL Server 2005. You’ll also be able to set up a second BES (if you’ve got the appropriate licences) as a failover install, keeping users online if there’s a hardware failure on the main BES on a client site. BES 5.0 can also be set up so that many of its key components can be installed on different servers; useful if you’re using virtual servers and want to dynamically load balance BES to improve performance.
One of the most important pieces of the BES 5.0 install is its Apache Web server, which supports the new Web-based administration console (and the equally new self-service tools). We’d recommend not installing on a server that’s running IIS. If you do, you’ll end up having to remap the default URLs for BES onto non-standard ports to avoid conflicts between two different Web servers.
The BES 5.0 installer is a lot clearer than previous versions about what accounts need what permissions. You need to give the key accounts Send As permissions, and the installer reports on whether or not it can find the appropriate permissions, as well as giving outline instructions on how to set them correctly. If you’re using Exchange 2007, it’s worth making sure by running the following PowerShell commands (using the Exchange Management Shell):
You’ll be presented with a list of the Exchange permissions currently in place, and any that aren’t currently set will be added.
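One way to carry out the check described above, as an added example that is not the article's own command listing. It assumes a hypothetical service account named BESAdmin and that the Send As grant is made on each mailbox server object; it reports what is missing and only changes anything when $apply is set.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2007.
# "BESAdmin" is a hypothetical account name; use the account your BES runs as.
$besAccount = "BESAdmin"
# Send-As is the right the article names. Extend this list only with rights
# that RIM's installation guide for your BES version asks for.
$needed = @("Send-As")
$apply  = $false   # $false = report only; $true = grant the missing rights

foreach ($server in Get-MailboxServer) {
    # Allow entries the account already holds on this server object
    $aces = @(Get-ADPermission -Identity $server.DistinguishedName -User $besAccount |
              Where-Object { -not $_.Deny })

    # Work out which required extended rights are absent
    $missing = @()
    foreach ($right in $needed) {
        $held = @($aces | Where-Object { $_.ExtendedRights -like $right })
        if ($held.Count -eq 0) { $missing += $right }
    }

    if ($missing.Count -eq 0) {
        Write-Host "$($server.Name): required rights already present"
        continue
    }
    Write-Host "$($server.Name): missing $([string]::Join(', ', $missing))"

    if ($apply) {
        # Grant only what is missing; the cmdlet lists the entries it adds
        Add-ADPermission -Identity $server.DistinguishedName -User $besAccount `
            -AccessRights ExtendedRight -ExtendedRights $missing
    }
}
```

Keeping the report-only run as the first pass gives you a record of what the account held before the install changed anything.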
Once you’ve run through the pre-install checks, the installer will complete the process of updating and migrating accounts. If you’re updating an existing server there will be a temporary loss of service while the software is updated – and the server will reboot at least once (possibly more than once if there are problems stopping and starting the various BES services). The update process will also update various server components, including the Microsoft XML parser and Java.
At the end of the install BES gives you a list of the Web addresses of the key BES services. Take a copy of these, as they’re how you’ll access BES’s administration tools from now on. The old BES administration tool has gone away, and BES now has a Web-based user interface, so you can work with BES 5.0 from anywhere you can get an HTTPS connection. That’s both good and bad. Good, as you don’t need a remote desktop connection to a client’s server. Bad, as you’re now limited to using Internet Explorer, because RIM has built its tools using an ActiveX control.
The first time you access one of the administration tool pages it will download the appropriate controls – and if you’re running your browser in medium or high security settings you’ll need to make sure that the administration site is promoted to trusted status. There’s another issue to watch out for: BES’s pages are not compatible with Internet Explorer 8. They appear to work at first, but key content doesn’t render. While RIM hasn’t included a compatibility header in its pages, you can force IE8 to render the pages correctly using group policies so you don’t have to click the compatibility mode button for all the BES pages on every site. One option is to force all intranet sites to be rendered using the Internet Explorer 7 mode. Alternatively (and preferably) you can define a list of sites, including BES, that need IE 7 features, and push the list of sites to the users. See http://support.microsoft.com/kb/956197 for details. RIM says this will be addressed in the next BES update.
You can set BES up to use Windows log-in credentials, or its own authentication service. The former is best if you’re going to have a group of administrators; the latter is good if you’re locking down BES so only you can have access, keeping administration passwords out of your clients’ Active Directories. There’s also the option to lock down the roles of all the server administrators. You probably won’t want any junior support staff working with the BlackBerrys of your clients’ managing directors or CEOs, so you can make sure that only senior engineers have access to those accounts.
The power of policies
BES 5.0 adds a significant number of policies, which give you much more control over users and devices. Some of the new policies may cause confusion, especially where new defaults conflict with software that your clients’ users may already be using. One obvious clash occurs with RIM’s own social network tools, which have become increasingly popular – especially the Facebook client. The default policies stop these tools from working with the built-in BlackBerry tools, so users stop getting Facebook events in their calendar, or receiving address book updates. Depending on your clients’ policies you may wish to disable this setting in the default site policies.
Under Policy, open Manage IT Policies. Select Default and then pick View complete IT policy. Open the RIM Value-added Applications tab, and look for ‘Disable organizer data access for social networking applications’. Set this to No to allow RIM’s Facebook tool to integrate with the rest of the BlackBerry applications.
RIM’s policy-based management tools are one of the most important features in BES 5, and you should treat them much as you would Windows’ Group Policy Objects. Use the Group tools to create roles for BlackBerry users, and then attach appropriate policies. BES 5.0 does use some confusing terminology here. There is a Roles option, but this is for managing your administrators – and giving different groups of administrators different privileges. Groups of users can be assigned to groups of administrators too, so you can make sure that support calls always come through to the right team members.
There are more than enough policy options for most business needs, including tools that enhance the security of messages, using PGP’s security tools (built into the handset OS but only available when you buy the appropriate licences). Other options let you lock down instant messaging tools, and force all browser traffic through BES. If you have got clients in the financial services sector you’ll need to investigate these policy rules in more detail, as they can help your clients meet their regulatory commitments, while still letting their staff use BlackBerrys.
If you’re deploying Windows 7 for customers, you’re probably looking at its AppLocker application blacklist/whitelist tool. Now that RIM’s BlackBerry App World is an increasingly popular source of BlackBerry applications of all shapes and functions, it’s good to see that RIM has given BES 5.0 a similar function, with application control policies. These let you define what access rights unlisted software has – whether it can use the GPS, whether it has access to device settings, or even if it can use the network. Applications can also be kept away from APIs that expose information on and around a device. That way you’ll know that an apparently innocuous application isn’t taking screenshots of every email that’s read and mailing them to a client’s main competitor or turning on a microphone when they’re in a meeting. Open the Software tab to create a new application policy.
The other piece of the application protection jigsaw is BES’s software configuration tool. This allows you to create lists of approved applications, and also run your own software distribution server for customers. Applications that aren’t on the list can be blocked completely, or given an appropriate (and probably minimal) set of access rights. Use the BES 5.0 management tools to drill down into a device and see what’s installed. Run an audit so you can warn end users if policy changes will affect the applications they’re currently using.
BES 5.0 also comes with a Web desktop application, where end users can manage their own devices. The self-service tools in the Web desktop will handle both device activation and many of the functions of the standard BlackBerry desktop tools. There’s no need to install hefty software applications to back up and restore devices, or manage email settings. Activating these self-service tools for all your end users should save you time, as users can deal with many issues that used to require a call to a help desk.
One of the most important new features in BES 5.0 is its high availability capability. There’s no additional fee to use the service (beyond the licence costs for the BES installs). Once enabled, you’ll have two BES servers to manage. The first, the Primary Server, handles all the BES functions. The second, the Secondary Server, keeps in sync with the first, and uses a heartbeat to identify if the Primary Server has failed. If that’s the case, it takes over and handles all BES functionality. Users will only see minimal downtime, and all messages will be delivered.
There are alternative high availability scenarios, but these are really intended for large installations with several BES instances in place. They’re worth considering if you have larger customers or if you run BES for many customers yourself, as they allow you to split BES functions across several servers. These can then be built into pools of functionality, which allow you to use them to load balance the BES service. Like the standard two server setup, there’s a Primary and a Secondary pool, one for normal usage, one to take over in event of a failure. One option is to use this to handle the BlackBerry Attachment Service, which manages file attachments. Pools can be set up to work with specific types of attachment, which should also give services a performance boost.
Upgrading your clients to BES 5.0 should be a high priority. It’ll give them a more secure, more reliable BlackBerry service, and it’ll give you more control over devices and users – and the self-service features will save on help desk time. Increased control reduces risk, for you and for your clients. If improved messaging and calendaring on OS 5.0 devices (which require BES 5) isn’t a selling point, the application management and policy-based management features in BES 5.0 should help clients meet their ever increasing regulatory requirements.
BlackBerry Enterprise Server high availability
RIM’s guide to building high availability BES systems specifically covers small-scale environments:
Port3101.org: Your BES Connection
Get BES hints and tips from an active community of BES administrators: port3101.org
Step By Step
BES 5.0 will upgrade any existing BES installs, so you don’t need to reactivate every single BlackBerry for customers. As part of the upgrade process it will update existing service databases.
If you’re going to set up a high availability BES to keep services up and running in event of an outage, you can add database mirroring for additional security. Two BES servers and two BES databases make for a much more reliable service cluster.
BES 5.0 is a lot more modular than previous versions, and you can set up the various components across several different servers, for improved scalability. Components can be grouped into pools for additional availability improvements.
RIM’s new Web-based administration tools need their own Web server – and you’ll need to install Apache. This means that IIS shouldn’t be running on your BES server, unless you’re prepared to change the assigned server ports for either Web server.
Take note of the URLs for the various console addresses as that’s where you’ll go to work with all the BES and BlackBerry features.
RIM BlackBerry Enterprise Server 5.0
£2,745.00 (including 20 CALs).