BlackBerry Enterprise Server Express for Microsoft Exchange Feature and Technical Overview

BlackBerry Enterprise Server Express for Microsoft Exchange
Version: 5.0 | Service Pack: 3
Feature and Technical Overview
Published: 2011-04-11
SWDT305802-1526466-0411010819-001
Contents

1 Overview: BlackBerry Enterprise Server Express
  What's new in BlackBerry Enterprise Server Express 5.0 SP3
  Comparing the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express

2 BlackBerry Enterprise Server architecture
  Architecture: BlackBerry Enterprise Server Express
  Architecture: Remote BlackBerry MDS Connection Service
  Architecture: Remote BlackBerry Router
  Architecture: Remote BlackBerry Administration Service
  Architecture: Remote BlackBerry Attachment Service
  Architecture: BlackBerry Web Desktop Manager

3 BlackBerry Enterprise Server components and features
  BlackBerry Administration Service
  BlackBerry Configuration Panel
  BlackBerry Mail Store Service
    Database tables in the BlackBerry Configuration Database that store contact information
    Contact information that the BlackBerry Mail Store Service stores in the BlackBerry Configuration Database
    How the BlackBerry Mail Store Service accesses contact information that is stored on the messaging server
    Configuring the BlackBerry Mail Store Service instance that updates the contact list
  BlackBerry messaging and collaboration services
    BlackBerry Messaging Agent
    BlackBerry Synchronization Service
    BlackBerry Attachment Service
  BlackBerry MDS Connection Service
  BlackBerry Applications
    BlackBerry Browser Applications
    BlackBerry Java Applications
  Managing BlackBerry Java Applications and BlackBerry Device Software
  BlackBerry device management
    Controlling third-party applications on BlackBerry devices
  BlackBerry Policy Service
  BlackBerry Router
  BlackBerry Web Desktop Manager
    Comparison of BlackBerry Web Desktop Manager and BlackBerry Desktop Software features
  Managing a distributed environment for BlackBerry Enterprise Server Express components
  Wireless activation

4 BlackBerry Enterprise Solution security
  Security features of the BlackBerry Enterprise Solution
  Encrypting data that the BlackBerry Enterprise Server Express and a BlackBerry device send to each other
    Algorithms that the BlackBerry Enterprise Solution uses to encrypt data
  Extending messaging security to a BlackBerry device
  Encrypting user data on a locked BlackBerry device
  Managing BlackBerry device access to the BlackBerry Enterprise Server Express
  Using an IT policy to manage BlackBerry Enterprise Solution security
  Using IT administration commands to protect a lost or stolen device

5 Wi-Fi enabled BlackBerry devices
  Types of Wi-Fi networks
  Wireless access points
  Connections that BlackBerry devices make to mobile and Wi-Fi networks
  Connecting Wi-Fi enabled BlackBerry devices to the BlackBerry Enterprise Server Express over a Wi-Fi connection
    Direct connections between BlackBerry devices and the BlackBerry Router over an enterprise Wi-Fi network
    Wi-Fi connection when a VPN connection or direct connection between BlackBerry devices and the BlackBerry Router is not possible
    Priority for connections that BlackBerry devices make over a Wi-Fi network
  BlackBerry services that are available over Wi-Fi connections
  IEEE 802.11 wireless networking standards that Wi-Fi enabled BlackBerry devices support
    Characteristics of the IEEE 802.11a wireless networking standard that Wi-Fi enabled BlackBerry devices support
    Characteristics of the IEEE 802.11b wireless networking standard that Wi-Fi enabled BlackBerry devices support
    Characteristics of the IEEE 802.11g wireless networking standard that Wi-Fi enabled BlackBerry devices support
  Security features of a Wi-Fi enabled BlackBerry device

6 BlackBerry Enterprise Server process flows
  Messaging process flows
    Process flow: Sending a message to a BlackBerry device
    Process flow: Sending a message from a BlackBerry device
    Process flow: Sending a message that contains an attachment from a BlackBerry device
    Process flow: Searching an organization's address book from a BlackBerry device
  Message attachment process flows
    Process flow: Viewing a message attachment
    Process flow: Viewing an attachment using a link
  Organizer data process flows
    Process flow: Synchronizing organizer data for the first time on a BlackBerry device
    Process flow: Synchronizing subsequent changes to organizer data
    Process flow: Adding a contact picture on a BlackBerry device
  Mobile data process flows
    Process flow: Requesting BlackBerry Browser content on a BlackBerry device
    Process flow: Requesting BlackBerry Browser content while access control is turned on for the BlackBerry MDS Connection Service
    Process flow: Requesting BlackBerry Browser content with two-factor authentication turned on
    Process flow: Pushing application content to a BlackBerry device
    Process flow: Installing a BlackBerry Java Application on a BlackBerry device over the wireless network
  BlackBerry device management process flows
    Process flow: Activating a BlackBerry device over the wireless network
    Process flow: Resending an IT policy to a BlackBerry device manually
    Process flow: Authenticating data on a BlackBerry device without connecting to the BlackBerry Infrastructure

7 Glossary

8 Provide feedback

9 Legal notice
1 Overview: BlackBerry Enterprise Server Express

The BlackBerry® Enterprise Server Express is designed to be a secure, centralized link between an organization's
wireless network, communications software, applications, and BlackBerry devices. The BlackBerry Enterprise Server
Express integrates with your organization's existing infrastructure, which can include messaging software, calendar
and contact information, wireless Internet and intranet access, and custom applications, to provide BlackBerry device
users with mobile access to your organization's resources. You can install the BlackBerry Enterprise Server Express
on the same server as your organization's messaging server, or you can install the BlackBerry Enterprise Server Express
on a separate server.
The BlackBerry Enterprise Server Express supports devices that are provisioned for a BlackBerry Enterprise Server or
for the BlackBerry® Internet Service.
The BlackBerry Enterprise Server Express supports AES and Triple DES encryption to protect and ensure the integrity
of wireless data that is transmitted between the BlackBerry Enterprise Server Express components and devices. You
can configure IT policy rules to control the features of the devices that are used in your organization's environment.
You can manage the BlackBerry Enterprise Server Express, devices, and user accounts using the BlackBerry
Administration Service, a web application that is accessible from any computer that can access the computer that
hosts the BlackBerry Administration Service. You can use the BlackBerry Administration Service to manage a
BlackBerry Domain, which consists of one or more BlackBerry Enterprise Server Express instances and remote
components that use a single BlackBerry Configuration Database.
What's new in BlackBerry Enterprise Server Express 5.0 SP3

Feature: Support for Windows® Small Business Server 2011 Standard
  The BlackBerry® Enterprise Server Express 5.0 SP3 supports Windows Small Business Server 2011 Standard.

Feature: BlackBerry® Device Software updates
  The BlackBerry® Enterprise Server Express includes the following enhancements to the software update process:
  • administrators can make software updates optional for BlackBerry device users
  • users have the option to roll back an optional software update

Feature: Enhancements to media file downloads
  The default settings for media file downloads changed to allow users to download larger amounts of content using the BlackBerry® Browser or an HTTP connection using the BlackBerry MDS Connection Service.

Feature: Enhancements to highly secure messaging
  Users who have S/MIME encryption enabled on their devices can send or forward email messages that contain attachments in signed, encrypted, or signed and encrypted format. This feature will be supported in an upcoming release of BlackBerry Device Software.

Feature: Enhancements to the BlackBerry Administration Service
  The BlackBerry Administration Service includes the following enhancements:
  • ability for you to delete only work data from BlackBerry devices
  • two new permissions that allow you to delete data from devices: "Delete all device data and remove device" and "Delete only the organization data and remove device permissions" (the "Edit a device" permission no longer permits you to delete all device data)
  • option for you to delete or disable a user account from the BlackBerry Enterprise Server Express after you delete only work data or all data from devices
  • option for the BlackBerry Administration Service to automatically select and authenticate with proxy servers
  • improved search results, including additional user information and the option to sort and move columns for a customized display
  • option to export the data from the user search results into a .csv file

Feature: Calendar synchronization process is enabled by default
  The calendar synchronization process allows you to find and correct differences between the calendar entries on devices and the calendar entries on users' computers.

Feature: Support for assigning additional configurations to groups
  You can assign VPN profiles and Wi-Fi® profiles to groups using the same method that you use to assign IT policies, software configurations, and roles to groups.

Feature: Enhancement to logging
  By default, the logging level for deployment jobs is increased to debug to help you more easily identify, diagnose, and solve issues with incomplete jobs.

Feature: JDBC driver upgrade
  The JDBC driver that BlackBerry Enterprise Server Express components use to connect to the BlackBerry Configuration Database is upgraded to version 2.0 for the BlackBerry Administration Service, and to version 3.0 for the BlackBerry MDS Connection Service.

Feature: New IT policy rules
  For information about new IT policy groups and IT policy rules, see the BlackBerry Enterprise Server Express Policy Reference Guide.

Feature: New application control policy rule
  A new application control policy rule named "Is access to the corporate data API allowed" specifies whether a third-party application or an add-on application developed by Research In Motion® can access work data on a device.

Feature: New traits
  The BlackBerry Enterprise Trait Tool includes the following new traits:
  • PolicyEnterpriseWipeCommandOrderTraitType
  • BASIsProxyWPADOptionEnabled
  • BASNumberOfAdditionalWiredApplicationsToIncludeInACP
  • BASProxyBasicAuthUID
  • BASProxyBasicAuthPassword
  • EWSDomain
  • EWSPassword
  • EWSServiceAccount
  • MaxDomainSlowSyncsPerMin
  • MaxSyncServerSlowSyncsPerMin
  • MaxSyncServerSlowSyncsInProcess
  • MaxPollCycleCountForHungSlowSync
  • MaxPollCycleCountForNoResponseToSlowSync
  • NumberOfUserTargetTypeForSlowSyncInParallel
  • SlowSyncPollCycleInterval
  For more information about new traits, see the BlackBerry Enterprise Server Express Administration Guide.

Feature: Support for Microsoft® Office 2010 file attachments
  The BlackBerry Enterprise Server Express is designed to support Microsoft Office 2010 file attachments in messages.

Feature: Support for Microsoft® Hyper-V® Server 2008 R2
  The BlackBerry Enterprise Server Express is designed to support the Microsoft Hyper-V Server 2008 R2 virtualization platform.

Feature: End of support for Microsoft® SQL Server® 2000
  The BlackBerry Enterprise Server Express no longer supports Microsoft SQL Server 2000 and MSDE. If the installer detects Microsoft SQL Server 2000 or MSDE, the setup application displays a warning message and you cannot continue to install or upgrade the BlackBerry Enterprise Server Express until you upgrade the database server.
Comparing the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express

The following table compares the features of the BlackBerry® Enterprise Server and BlackBerry® Enterprise Server Express.

Feature: Supported messaging platforms
  BlackBerry Enterprise Server: Microsoft® Exchange; IBM® Lotus® Domino®; Novell® GroupWise®
  BlackBerry Enterprise Server Express: Microsoft Exchange; IBM Lotus Domino

Feature: Supported operating systems
  BlackBerry Enterprise Server: Windows Server® 2003 SP2 (32-bit or 64-bit); Windows Server 2003 R2 SP2 (32-bit or 64-bit); Windows Server 2008 SP2 (32-bit or 64-bit); Windows Server 2008 R2
  BlackBerry Enterprise Server Express: Windows Server 2003 SP2 (32-bit or 64-bit); Windows Server 2003 R2 SP2 (32-bit or 64-bit); Windows Server 2008 SP2 (32-bit or 64-bit); Windows Server 2008 R2; Windows® Small Business Server 2003; Windows Small Business Server 2008; Windows Small Business Server 2011 Standard

Feature: Installation on the computer that hosts the messaging server
  BlackBerry Enterprise Server: Not supported
  BlackBerry Enterprise Server Express: Supported for the BlackBerry® Enterprise Server Express for Microsoft® Exchange

Feature: BlackBerry Domain
  BlackBerry Enterprise Server: Supports multiple BlackBerry Enterprise Server instances in one BlackBerry Domain; supports different BlackBerry Enterprise Server versions in one BlackBerry Domain; does not support BlackBerry Enterprise Server Express instances in the same BlackBerry Domain as BlackBerry Enterprise Server instances
  BlackBerry Enterprise Server Express: Supports multiple BlackBerry Enterprise Server Express instances in one BlackBerry Domain; supports different BlackBerry Enterprise Server Express versions in one BlackBerry Domain; does not support BlackBerry Enterprise Server instances in the same BlackBerry Domain as BlackBerry Enterprise Server Express instances

Feature: Microsoft Exchange mixed environments
  BlackBerry Enterprise Server: Supports a mixed environment of Microsoft® Exchange Server 2003 and 2007, or Microsoft Exchange Server 2007 SP2 and 2010
  BlackBerry Enterprise Server Express: Supports a mixed environment of Microsoft Exchange Server 2003 and 2007, or Microsoft Exchange Server 2007 SP2 and 2010

Feature: Administrator roles
  BlackBerry Enterprise Server: Preconfigured administrative roles; custom administrative roles
  BlackBerry Enterprise Server Express: Preconfigured administrative roles only

Feature: IT policies
  BlackBerry Enterprise Server: Default IT policy and various preconfigured IT policies; custom IT policies; full set of IT policy rules
  BlackBerry Enterprise Server Express: Default IT policy; custom IT policies; reduced set of IT policy rules

Feature: Exporting and importing IT policy data
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: BlackBerry devices that are associated with the BlackBerry® Internet Service
  BlackBerry Enterprise Server: Not supported
  BlackBerry Enterprise Server Express: Supported

Feature: Enterprise instant messaging using collaboration clients developed by RIM
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: BlackBerry Monitoring Service
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: High availability
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: BlackBerry® Mobile Voice System
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: BlackBerry® Enterprise Server for Voice Services
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: BlackBerry® Pushcast™ Software
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported

Feature: Log files for PIN messages, SMS text messages, and phone calls
  BlackBerry Enterprise Server: Supported
  BlackBerry Enterprise Server Express: Not supported
2 BlackBerry Enterprise Server architecture

Architecture: BlackBerry Enterprise Server Express

The BlackBerry® Enterprise Server Express consists of various components that are designed to perform the following actions:
• Permit BlackBerry device users to access your organization's tools and data from BlackBerry devices and run your organization's applications on devices
• Monitor other BlackBerry Enterprise Server Express components
• Process, route, compress, and encrypt data
• Communicate with the wireless network

Component: BlackBerry Administration Service
  The BlackBerry Administration Service connects to the BlackBerry Configuration Database. You can use the BlackBerry Administration Service to manage the BlackBerry Domain, which includes BlackBerry Enterprise Server Express components, user accounts, and features for BlackBerry device administration.

Component: BlackBerry Mail Store Service
  The BlackBerry Mail Store Service connects to the messaging servers in your organization's environment and retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on the messaging servers.
  You install a BlackBerry Mail Store Service when you install a BlackBerry Enterprise Server Express. The BlackBerry Mail Store Service connects to the messaging server using the same connection information that the BlackBerry Enterprise Server Express uses. The BlackBerry Administration Service is designed to communicate with the BlackBerry Mail Store Service using RPC.

Component: BlackBerry Attachment Service
  The BlackBerry Attachment Service converts supported message attachments to a format that users can view on their devices.

Component: BlackBerry Configuration Database
  The BlackBerry Configuration Database is a relational database that contains configuration information that BlackBerry Enterprise Server Express components use. For example, the BlackBerry Configuration Database includes the following information:
  • details about the connection from a BlackBerry Enterprise Server Express to the wireless network
  • user list
  • address mappings between PINs and email addresses for BlackBerry MDS Connection Service push features

Component: BlackBerry Controller
  The BlackBerry Controller monitors the BlackBerry Enterprise Server Express components and restarts them if they stop responding.

Component: BlackBerry Dispatcher
  The BlackBerry Dispatcher compresses and encrypts all data that devices send and receive. The BlackBerry Dispatcher sends the data through the BlackBerry Router, to and from the wireless network.

Component: BlackBerry MDS Connection Service
  The BlackBerry MDS Connection Service permits users to access web content, the Internet, or your organization's intranet, and also permits applications on devices to connect to your organization's application servers or content servers for application data and updates.

Component: BlackBerry Messaging Agent
  The BlackBerry Messaging Agent connects to the IMAP server so that users can activate their devices over the wireless network. The BlackBerry Messaging Agent connects to your organization's messaging server to provide messaging services, calendar management, address lookups, attachment viewing, attachment downloading, and encryption key generation. The BlackBerry Messaging Agent also acts as a gateway so that the BlackBerry Synchronization Service can access organizer data on the messaging server. The BlackBerry Messaging Agent synchronizes configuration data between the BlackBerry Configuration Database and the BlackBerry profiles database, user mailboxes, and the message store databases.

Component: BlackBerry Policy Service
  The BlackBerry Policy Service performs administration services over the wireless network. It sends IT policies and IT administration commands and provisions service books. IT policies and IT administration commands specify security, settings for synchronizing data over the wireless network, and other configuration settings on devices. The BlackBerry Policy Service also sends service books to devices to configure settings for features and components on devices.

Component: BlackBerry Router
  The BlackBerry Router connects to the wireless network to send data to and from devices. It also sends data over your organization's network to devices that users have connected to computers that host the BlackBerry® Device Manager.

Component: BlackBerry Synchronization Service
  The BlackBerry Synchronization Service synchronizes organizer data between BlackBerry devices and the messaging server over the wireless network.

Component: BlackBerry® Web Desktop Manager
  The BlackBerry Web Desktop Manager is a web-based application that permits users to manage their devices. For example, users can activate devices, back up and restore data, select messaging options, synchronize data, and install applications. The BlackBerry Web Desktop Manager includes the BlackBerry Device Manager.

Component: organization's application server or content server
  Your organization's application server or content server provides push applications and intranet content that the BlackBerry MDS Services use.

Component: messaging server
  The messaging server stores email accounts.

Component: user's computer that hosts the BlackBerry Device Manager
  The user's computer that hosts the BlackBerry Device Manager permits users to connect their devices to their computers using a serial connection or USB connection. The BlackBerry Enterprise Server Express and devices use the connection to send data to each other.
  Data traffic from devices bypasses the wireless network when devices are connected to users' computers. The BlackBerry Device Manager connects to the BlackBerry Router, which sends data directly to devices.
  Users can install the BlackBerry Device Manager when they install the BlackBerry® Desktop Software or at another time. The BlackBerry Device Manager is an optional component, but it is required to support a bypass connection to the BlackBerry Router.

Architecture: Remote BlackBerry MDS Connection Service
You can install the BlackBerry® MDS Connection Service on a computer that is separate from the computer that hosts
the BlackBerry® Enterprise Server Express. The BlackBerry MDS Connection Service can use increased system
resources when it processes requests for content. You can install the BlackBerry MDS Connection Service on a remote
computer to minimize the impact on the delivery of messages and data, support multiple BlackBerry Enterprise Server
Express instances, or create a BlackBerry MDS Connection Service pool that can support multiple BlackBerry
Enterprise Server Express instances.
Component: BlackBerry Administration Service
  The BlackBerry Administration Service permits you to manage the BlackBerry MDS Connection Service, configure the central push server, and configure the browsing and application features.

Component: BlackBerry Configuration Database
  The BlackBerry Configuration Database contains the configuration data that the BlackBerry MDS Connection Service uses.

Component: BlackBerry Enterprise Server Express
  The BlackBerry Enterprise Server Express encrypts and compresses content data that BlackBerry devices receive, and decompresses and decrypts content data that BlackBerry devices send.

Component: BlackBerry MDS Connection Service
  The BlackBerry MDS Connection Service processes requests for web content from the BlackBerry® Browser or a BlackBerry Java® Application, and it manages the connections between a BlackBerry® Application and the application that is located on your organization's application servers, web servers, or databases.

Component: BlackBerry Router
  The BlackBerry Router connects to the wireless network to send content to and from BlackBerry devices.

Component: organization's application servers or content servers
  Your organization's application servers or content servers provide push applications and intranet content for the BlackBerry MDS Services.

Component: proxy servers
  Proxy servers authenticate the BlackBerry Browser or a BlackBerry Java Application before they can access push applications or content data.

Architecture: Remote BlackBerry Router
You can install the BlackBerry® Router on a computer that is separate from the computer that hosts the BlackBerry®
Enterprise Server Express. You can install the BlackBerry Router on a remote computer if you want to support multiple
BlackBerry Enterprise Server Express instances, or if your organization's security policy requires that internal systems
cannot make connections directly to the Internet and all systems must connect through another system in the DMZ.
The BlackBerry Router does not use many system resources, but it is a critical connection point for the BlackBerry®
Enterprise Solution.
If you install the BlackBerry Router in the DMZ, you can permit users to log in to your organization's LAN remotely
and you can deploy BlackBerry devices through a computer that is running the BlackBerry® Device Manager.
Component / Description

BlackBerry Configuration Database: The BlackBerry Configuration Database contains configuration data that the BlackBerry Administration Service manages.

BlackBerry Device Manager: The BlackBerry Device Manager permits BlackBerry devices to connect to the BlackBerry Router.

BlackBerry Enterprise Server Express: The BlackBerry Enterprise Server Express encrypts and compresses data that BlackBerry devices receive, and decompresses and decrypts data that BlackBerry devices send.

BlackBerry Router: The BlackBerry Router connects to the wireless network to send data to and from BlackBerry devices.
Architecture: Remote BlackBerry Administration Service
You can install the BlackBerry® Administration Service on a computer that is separate from the computer that hosts
the BlackBerry® Enterprise Server Express. The BlackBerry Administration Service can use increased system resources
when it processes requests. You can install the BlackBerry Administration Service remotely to minimize the impact
on the delivery of messages and data, or to create a BlackBerry Administration Service pool to support multiple
BlackBerry Enterprise Server Express instances.
You can install the BlackBerry® Web Desktop Manager with the BlackBerry Administration Service. You can install
the BlackBerry Web Desktop Manager separately to make sure that BlackBerry device users cannot access the
computer that hosts the BlackBerry Enterprise Server Express.
Component / Description

BlackBerry Administration Service: The BlackBerry Administration Service permits you to manage the BlackBerry Enterprise Server Express, user accounts, and BlackBerry devices.

BlackBerry Configuration Database: The BlackBerry Configuration Database contains configuration data that the BlackBerry Administration Service manages.

BlackBerry Enterprise Server Express: The BlackBerry Enterprise Server Express encrypts and compresses data that BlackBerry devices receive, and decompresses and decrypts data that BlackBerry devices send.

BlackBerry Router: The BlackBerry Router connects to the wireless network to send data to and from BlackBerry devices.

BlackBerry Web Desktop Manager: The BlackBerry Web Desktop Manager permits users to activate and manage their BlackBerry devices, back up and restore data, configure email settings, update the BlackBerry® Device Software, and install new applications.
Architecture: Remote BlackBerry Attachment Service
You can install the BlackBerry® Attachment Service on a computer that is separate from the computer that hosts the
BlackBerry® Enterprise Server Express. You can install the BlackBerry Attachment Service remotely if you want to
increase the number of conversion requests that can occur concurrently without impacting message delivery, or to
support multiple BlackBerry Enterprise Server Express instances.
Component / Description

BlackBerry Administration Service: The BlackBerry Administration Service permits you to manage the BlackBerry Attachment Service instances and set up attachment conversion features.

BlackBerry Attachment Service: The BlackBerry Attachment Service converts the attachment and returns the attachment data to the BlackBerry Attachment Connector.

BlackBerry Configuration Database: The BlackBerry Configuration Database contains the conversion data that the BlackBerry Attachment Service uses when processing attachment data.

BlackBerry Enterprise Server Express: The BlackBerry Enterprise Server Express receives requests to convert message attachments from BlackBerry devices and uses the BlackBerry Attachment Connector to send the attachment data to a BlackBerry Attachment Service instance for conversion. After the BlackBerry Attachment Service instance returns the converted attachment to the BlackBerry Attachment Connector, the BlackBerry Enterprise Server Express sends the attachment data to the user's BlackBerry device for viewing.

BlackBerry Router: The BlackBerry Router connects to the wireless network to send email messages and attachments to and from BlackBerry devices.
Architecture: BlackBerry Web Desktop Manager
The BlackBerry® Web Desktop Manager consists of server-side services that are installed with the BlackBerry
Administration Service and Microsoft® ActiveX® controls that are installed on the browser of the BlackBerry device
user's computer. HTTPS authentication secures the connection between the server and the browser.
Component / Description

BlackBerry Administration Service: The BlackBerry Administration Service is a web application that is a required component of the BlackBerry® Enterprise Server Express. Administrators use the BlackBerry Administration Service to manage user accounts; assign user groups, administrator roles, software configurations, and IT policies to user accounts; and manage servers and components in a BlackBerry Domain.

BlackBerry Enterprise Server Express: The BlackBerry Enterprise Server Express encrypts and compresses data that BlackBerry devices receive, and decompresses and decrypts data that BlackBerry devices send.

BlackBerry Configuration Database: The BlackBerry Configuration Database is a relational database that contains configuration information, such as BlackBerry Enterprise Server Express connection details and user information.

messaging server: The messaging server stores the email accounts of the BlackBerry device users.

user's computer with BlackBerry Web Desktop Manager browser application: The BlackBerry Web Desktop Manager browser application consists of the Microsoft ActiveX controls that a user installs in a browser to manage the BlackBerry device.

BlackBerry Administration Service and BlackBerry Web Desktop Manager services: The BlackBerry Administration Service and BlackBerry Web Desktop Manager services provide the server-side services for the BlackBerry Web Desktop Manager browser application.
3 BlackBerry Enterprise Server components and features
BlackBerry Administration Service
The BlackBerry® Administration Service is a web application you use to manage user accounts; assign user groups,
administrative roles, and software configurations and apply IT policies to user accounts; and manage servers and
component instances in a BlackBerry Domain. You can open the BlackBerry Administration Service in a browser on
any computer that can access the computer that hosts the BlackBerry Administration Service. You can share
administrative duties with multiple administrators who can access the BlackBerry Administration Service
simultaneously using unique user names and passwords. When Microsoft® ActiveX® controls are turned on in your
browser, you can connect BlackBerry devices to your computers and manage the BlackBerry devices while you are
logged in to the BlackBerry Administration Service.
Feature / Description

ability to assign users to multiple groups: Groups permit you to share administrative roles, IT policies, and other configuration settings among similar user accounts so that properties can be set once instead of for every user. You can assign a user account to more than one group so that the user inherits the properties of every group that the user belongs to. You can also assign groups to other groups to share the properties of the parent group with all of the user accounts in the child groups.

custom server and component names using friendly names: To help you identify servers and component instances, you can define a friendly name for each BlackBerry Enterprise Server Express and component instance that displays in the BlackBerry Administration Service. Each regional language that the BlackBerry Administration Service supports can have unique friendly names.

BlackBerry Administration Service authentication or external authentication: Administrators that log in to the BlackBerry Administration Service must provide their user names and passwords. A user name and password form a unique combination that is stored securely in the BlackBerry Configuration Database and known only to the BlackBerry Administration Service. Alternatively, you can use external authentication, which permits administrators to log in to the BlackBerry Administration Service using the same information that administrators use to access your organization's messaging server.

options for viewing the BlackBerry Domain: You can find and manage BlackBerry Enterprise Server Express component instances using the server view or component view.
BlackBerry Configuration Panel
The BlackBerry® Configuration Panel displays data that the setup application collected during the installation process.
You can use the BlackBerry Configuration Panel to view or change the following settings:
• Database connection and authentication
• Wi-Fi® SRP information
• Settings for activating BlackBerry devices over your organization's Wi-Fi network
• Certificate keystore information
• BlackBerry Router settings
• Log settings for the BlackBerry Router and BlackBerry Controller
BlackBerry Mail Store Service
The BlackBerry® Mail Store Service connects to the messaging servers in your organization's environment and
retrieves the contact information that the BlackBerry Administration Service requires to search for user accounts on
the messaging servers.
The BlackBerry Mail Store Service performs the following actions:
• synchronizes your organization's contact list to the BlackBerry Configuration Database
• updates the contact list in the BlackBerry Configuration Database every 24 hours automatically
• permits the BlackBerry Administration Service to access user account information that is stored in the mailbox
or mail file on the messaging servers
• exposes an API that the BlackBerry Administration Service can use to connect to the BlackBerry Mail Store Service
• searches for contact information on behalf of the BlackBerry Administration Service
You install a BlackBerry Mail Store Service when you install a BlackBerry® Enterprise Server Express. The BlackBerry
Mail Store Service connects to the messaging server using the same connection information that the BlackBerry
Enterprise Server Express uses. The BlackBerry Administration Service is designed to communicate with the
BlackBerry Mail Store Service using RPC.
Database tables in the BlackBerry Configuration Database that store contact information
The BlackBerry® Mail Store Service synchronizes contact information to two database tables in the BlackBerry
Configuration Database.
Table name / Description

MsDomains: This table contains a list of domains and messaging servers that are located in your organization's environment.

MsAddresses: This table contains a list of the email addresses that are included in your organization's contact list.
Contact information that the BlackBerry Mail Store Service stores in the BlackBerry Configuration Database
The BlackBerry® Mail Store Service synchronizes contact information that is stored in the messaging environment to
the BlackBerry Configuration Database, where the contact information is stored in database properties. To compare
the contact information changes that occurred between synchronization processes, the BlackBerry Mail Store
Service maintains two copies of the contact information.
Contact information / Database property name / Description

address type (Type): This property specifies whether this is the address for a user or distribution list.

display name (DisplayName): This property specifies the display name for the user account.

email address (MailboxSMTP): This property specifies the email address for the user account.

mailbox path (MailboxKey): This property specifies the unique mailbox path.

messaging server path (ServerName): This property specifies the path to the messaging server.
How the BlackBerry Mail Store Service accesses contact information that is stored on the messaging server
In a Microsoft® Exchange environment, the BlackBerry® Mail Store Service can connect to the messaging server and
search for contact information using MAPI or LDAP. By default, the BlackBerry Mail Store Service uses MAPI to search
for contact information. If you configure the BlackBerry® Enterprise Server Express to use LDAP to search for contact
information, the BlackBerry Mail Store Service can also use LDAP to search for contact information.
For more information about how the BlackBerry Enterprise Server Express uses LDAP, visit www.blackberry.com/support to read article KB05174.
Configuring the BlackBerry Mail Store Service instance that updates the contact list
The BlackBerry® Configuration Database contains your organization's contact list and a list of BlackBerry® Enterprise
Server Express instances. By default, the BlackBerry Mail Store Service instance that you installed with the first
BlackBerry Enterprise Server Express instance that appears in the list updates the contact list. If you prevent the
BlackBerry Mail Store Service that you installed with the first BlackBerry Enterprise Server Express instance from
updating the contact list, the next available BlackBerry Mail Store Service instance in the list updates the contact list.
By default, if you install multiple BlackBerry Mail Store Service instances, each instance can update the contact list
in the BlackBerry Configuration Database. The first BlackBerry Mail Store Service instance that updates the contact
list prevents the other instances from also updating the contact list. Each BlackBerry Mail Store Service instance
searches for time stamp information in the BlackBerry Configuration Database to determine if another BlackBerry
Mail Store Service instance is updating the contact list already before it starts to update the contact list.
You must verify that at least one BlackBerry Mail Store Service instance can update the contact list in the BlackBerry
Configuration Database so that the BlackBerry Administration Service can access the latest contact list information
when you create and manage user accounts. If you prevent all of the BlackBerry Mail Store Service instances from
updating the contact list, the BlackBerry Configuration Database might not contain the contact information for all
user accounts on your organization's messaging server.
If the BlackBerry Configuration Database does not contain contact information for a user account, you cannot create
the user account by searching for the contact information in the BlackBerry Administration Service. You can only
create the user account if you use the Add from company directory option in the BlackBerry Administration Service.
The Add from company directory option permits the BlackBerry Mail Store Service to search the contact information
that is stored in the messaging environment so that you can create the user account even if the BlackBerry
Configuration Database does not contain the contact information for the user account.
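The contact-list update coordination described above, as an added illustration that is not RIM's code: a constructed model in which Mail Store Service instances are ordered as they appear in the Configuration Database, only the first instance that is still allowed to update is the designated updater, and that instance checks a time stamp before it starts so that it never overlaps an update already in progress. The MsInstances and MsSyncStatus tables, the 30-minute lease, and the instance names are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed lease length: a time stamp older than this is treated as an abandoned
# update, so the next eligible instance may take over. The document gives no value.
LEASE = timedelta(minutes=30)


def open_config_db(instances):
    """Create an in-memory stand-in for the BlackBerry Configuration Database.

    `instances` lists (name, can_update) pairs in the order the BlackBerry
    Enterprise Server Express instances appear in the database. The table
    names MsInstances and MsSyncStatus are constructed for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MsInstances (ord INTEGER PRIMARY KEY, name TEXT UNIQUE, can_update INTEGER)"
    )
    # At most one row: which instance last started an update, and when.
    conn.execute("CREATE TABLE MsSyncStatus (updater TEXT, started_at TEXT)")
    conn.executemany(
        "INSERT INTO MsInstances VALUES (?, ?, ?)",
        [(i, name, int(ok)) for i, (name, ok) in enumerate(instances)],
    )
    conn.commit()
    return conn


def set_can_update(conn, name, allowed):
    """Allow or prevent one BlackBerry Mail Store Service instance from updating."""
    conn.execute("UPDATE MsInstances SET can_update = ? WHERE name = ?", (int(allowed), name))
    conn.commit()


def first_eligible(conn):
    """Return the first instance in list order that may still update the contact
    list, or None when every instance has been prevented from updating."""
    row = conn.execute(
        "SELECT name FROM MsInstances WHERE can_update = 1 ORDER BY ord LIMIT 1"
    ).fetchone()
    return row[0] if row else None


def try_begin_update(conn, instance, now):
    """Decide whether `instance` may start updating the contact list at `now`.

    Only the first eligible instance is the designated updater; even then it
    backs off while another instance's time stamp is fresher than LEASE.
    Returns True and records its own time stamp when it may proceed.
    """
    if first_eligible(conn) != instance:
        return False
    row = conn.execute("SELECT updater, started_at FROM MsSyncStatus").fetchone()
    if row is not None:
        updater, started = row[0], datetime.fromisoformat(row[1])
        if updater != instance and now - started < LEASE:
            return False  # another instance is still updating the contact list
    conn.execute("DELETE FROM MsSyncStatus")
    conn.execute("INSERT INTO MsSyncStatus VALUES (?, ?)", (instance, now.isoformat()))
    conn.commit()
    return True


def run_scenario():
    """Walk through the cases the document describes; returns each decision."""
    conn = open_config_db([("BES01", True), ("BES02", True), ("BES03", True)])
    t0 = datetime(2011, 4, 11, 9, 0)  # constructed clock value
    log = {}
    log["second_instance_first"] = try_begin_update(conn, "BES02", t0)  # False: not first in list
    log["first_instance"] = try_begin_update(conn, "BES01", t0)         # True
    set_can_update(conn, "BES01", False)  # administrator prevents the first instance
    # BES02 is now designated, but BES01's fresh time stamp still holds it off.
    log["next_while_fresh"] = try_begin_update(conn, "BES02", t0 + timedelta(minutes=5))  # False
    log["next_after_lease"] = try_begin_update(conn, "BES02", t0 + LEASE)  # True
    set_can_update(conn, "BES02", False)
    set_can_update(conn, "BES03", False)
    log["nobody_left"] = first_eligible(conn)  # None: the contact list will go stale
    return log


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

The final case is the misconfiguration the text warns about: with every instance prevented from updating, no instance is eligible and the Configuration Database stops receiving contact information.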
BlackBerry messaging and collaboration services
The BlackBerry® messaging and collaboration services provide a wireless extension of your organization's messaging
environment. These services include the BlackBerry Messaging Agent, the BlackBerry Synchronization Service, and
the BlackBerry Attachment Service.
BlackBerry Messaging Agent
The BlackBerry® Messaging Agent connects to your organization's messaging server and provides messaging services,
calendar management, address lookups, attachment viewing, attachment downloading, and encryption key
generation. The BlackBerry Messaging Agent acts as a gateway for the BlackBerry Synchronization Service to access
organizer data on the messaging server. The BlackBerry Messaging Agent synchronizes configuration data between
the BlackBerry Configuration Database and user mailboxes.
The BlackBerry Messaging Agent integrates with existing email accounts in your organization. The BlackBerry
Messaging Agent redirects messages from users’ email applications to their BlackBerry devices automatically. If users
configure identical signatures on their BlackBerry devices and in their email accounts, recipients cannot distinguish
between messages that users send from BlackBerry devices and messages that they send from email applications.
When users move or delete messages or mark messages as read or unread on their BlackBerry devices or in their
email applications, the BlackBerry Messaging Agent reconciles changes over the wireless network between
BlackBerry devices and email applications. By default, BlackBerry devices and the BlackBerry® Enterprise Server
Express reconcile email messages over the wireless network.
Wireless messaging features
BlackBerry® device users can use many of the same messaging features that are available in the email applications
on their computers.
Feature / Description

email reconciliation: The BlackBerry® Enterprise Server Express reconciles the status of messages between users' BlackBerry devices and their email applications. If users delete, archive, or move messages to personal folders in their email applications, the messages are deleted from the message list on the users' BlackBerry devices. If users mark messages as read or unread in their email applications, the messages appear with the same status on their BlackBerry devices.
You can turn off wireless email reconciliation.

email message filters: You or users can create and change email message filters. Email message filters determine the actions that the BlackBerry Enterprise Server Express takes if incoming messages match specific criteria: forward, forward with priority, or do not forward to BlackBerry devices. For example, users can create email message filters to forward messages from specific senders to their BlackBerry devices with high priority.

message forwarding: Users can turn off message forwarding to their BlackBerry devices (for example, if users are outside of a wireless coverage area). You can also turn off message forwarding to users' BlackBerry devices.

signature: Users can add a signature to all messages that they send from their BlackBerry devices. You can add a signature and disclaimers to all messages that the members of a user group send or a specific user sends.

out-of-office reply: Users can set and change their out-of-office replies using their BlackBerry devices.

contact lookup: Users can search for a contact’s first name, last name, or both in their organization's directory. The BlackBerry Enterprise Server Express returns results for a maximum of 20 of the closest matches.

contact list updates: When users select contacts from the contact lookup results, they can add the contacts to the contact lists on their BlackBerry devices.

custom fields in the contact list: If your organization maintains custom fields in users’ personal contact lists, you can map these fields to corresponding fields that appear in the contact list on BlackBerry devices. Users can use these custom fields to search for contacts on their BlackBerry devices.

attachments: Users can send messages that contain attachments from their BlackBerry devices. The BlackBerry Attachment Service does not convert these messages; the BlackBerry Messaging Agent processes them only. Attachments must meet the following requirements:
• If a user sends one attachment in a message, the file size of the attachment cannot exceed 3 MB.
• If a user sends multiple attachments in a message, the total file size of the attachments cannot exceed 5 MB.
• If an attachment exceeds 64 KB, the BlackBerry device sends the attachment in multiple data packets.
Users can send messages with attachments only from supported BlackBerry devices that are running BlackBerry® Device Software version 4.2 or later.
If you want to manage the system resources that the BlackBerry Messaging Agent uses to upload and send attachments, you can limit the file size of attachments or prevent users from attaching files to messages. For example, if too many users are sending large attachments, such as pictures or videos, you might want to limit the file size of supported attachments or turn off support for message attachments.

downloading attachments: Users with BlackBerry devices that are running BlackBerry Device Software version 4.5 or later can download attachments and store them on their BlackBerry devices. Users can open and make changes to the downloaded attachments using an appropriate third-party application on their BlackBerry devices. Users can open supported attachment file formats using the media application on their BlackBerry devices.
To manage network resources in your organization's environment, you can change the maximum file size of attachments that users can download to their BlackBerry devices.

save sent messages: Users can configure their BlackBerry devices to save copies of messages that they send from their BlackBerry devices in the sent items folder in their email applications.

personal distribution lists: Users with BlackBerry Device Software version 5.0 or later can view personal distribution lists in their contact lists. Users can send messages to the personal distribution lists and delete personal distribution lists from their BlackBerry devices.

public folders: Users with BlackBerry Device Software version 5.0 or later can view and use contacts in public folders from their BlackBerry devices, and copy the contacts to their contact lists. Users can only view the public folders that they have the appropriate permissions for.
Users can specify which public folders they want to synchronize to their BlackBerry devices using the BlackBerry® Desktop Manager or BlackBerry® Web Desktop Manager. You can limit the number of public folders that users can synchronize to their BlackBerry devices.

personal folders: Users with BlackBerry devices that are running BlackBerry Device Software version 5.0 or later can add, delete, move, and rename personal folders from their BlackBerry devices.

follow up flag: Users with BlackBerry devices that are running BlackBerry Device Software version 5.0 or later can flag messages from their BlackBerry devices and set reminder times.
personal contact subfolders: Users with BlackBerry devices that are running BlackBerry Device Software version 5.0 or later can view personal contact subfolders on their BlackBerry devices and change contact information.
Users can specify which contact subfolders they want to synchronize to their BlackBerry devices using BlackBerry Desktop Manager or BlackBerry Web Desktop Manager. You can limit the number of contact subfolders that a user can synchronize to their BlackBerry devices.

forwarding calendar entries: Users with BlackBerry devices that are running BlackBerry Device Software version 5.0 or later can forward meeting invitations and calendar entries from their BlackBerry devices.

availability of meeting participants: Users with BlackBerry devices that are running BlackBerry Device Software version 4.5 or later can view the availability of meeting invitees on their BlackBerry devices. You can turn off this feature using the BlackBerry Administration Service.

remote search for email messages: Users with BlackBerry devices that are running BlackBerry Device Software version 4.5 or later can search for email messages that are located on the messaging server from their BlackBerry devices. You can turn off this feature using the BlackBerry Administration Service.

rich content email messages: Users with BlackBerry devices that are running BlackBerry Device Software version 4.5 or later can view HTML and rich content email messages. You can turn off this feature using the BlackBerry Administration Service.
Access to documents on a network from BlackBerry devices
Users with BlackBerry® devices that are running BlackBerry® Device Software version 5.0 or later can use a file browser
on their BlackBerry devices to access documents that are located in a shared location such as a network drive. Users
can view document information such as the file name, file type, file size, author, and date the file was last changed.
Users must have access to the shared location using their network credentials, or you must configure the BlackBerry®
Enterprise Server Express to access the documents for the users.
Users can send the documents as attachments in messages, view supported document types using the attachment
viewer, download copies of the documents, or open and make changes to the documents using an appropriate
third-party application on their BlackBerry devices. They can also add attachments from messages or documents that
they access using the BlackBerry® Browser to the network drive.
BlackBerry Synchronization Service
The BlackBerry® Synchronization Service synchronizes organizer data such as tasks, memos, and contacts over the
wireless network so that the entries on BlackBerry devices are consistent with the entries in the email applications.
With wireless data synchronization and wireless email reconciliation, users are not required to connect their
BlackBerry devices to the BlackBerry® Desktop Software to synchronize organizer data and reconcile email messages.
The BlackBerry Synchronization Service backs up user settings and data over the wireless network from BlackBerry
devices to the BlackBerry Configuration Database. You can restore the user settings and data to BlackBerry devices
when the BlackBerry devices are activated over the wireless network. By default, the BlackBerry® Enterprise Server
Express automatically backs up the user settings and data over the wireless network.
Synchronization features
You can change the settings for synchronization features so that users can manage the user experience and system
resources in your organization's environment.
Feature / Description

initial synchronization: When the BlackBerry® Enterprise Server Express sends service books to BlackBerry devices to turn on wireless data synchronization, an initial data synchronization process starts. The process synchronizes the data for calendar items and messages between users' BlackBerry devices and the email applications on their computers. It also resolves conflicting or duplicate entries to prevent data loss.
By default, the calendar on the BlackBerry device synchronizes up to 31 days in the past from the activation date, and up to 28 years into the future from the activation date.

synchronization settings: You can configure settings for wireless data synchronization that apply to specific users, user groups, or all users on all BlackBerry Enterprise Server Express instances. You can define which organizer data items the BlackBerry Synchronization Service synchronizes, how data conflicts are resolved, and whether changes are synchronized in both directions or in one direction only between BlackBerry devices and email applications. You can use IT policies to configure the settings for wireless data synchronization.

support for different types of user access: The BlackBerry Enterprise Server Express requires access to the organizer application databases for all users. You can define the location of the database replicas in each user’s profile, create roaming user profiles, or use web access templates in your organization's messaging environment.

synchronization of contact pictures: The BlackBerry Synchronization Service synchronizes contact pictures between users’ BlackBerry devices and the email applications on their computers. If users use their BlackBerry devices to add, change, or delete contact pictures, the contact lists in their email applications reflect the changes.
The BlackBerry Synchronization Service cannot synchronize contact pictures that exceed 32 KB.
BlackBerry Attachment Service
The BlackBerry® Attachment Service converts supported message attachments into a format that users can view on
their BlackBerry devices. The BlackBerry Attachment Service processes attachments and converts them into a binary
format that retains most of the layout, appearance, and navigation of the original attachments. You do not have to
install the applications that are associated with the attachment formats on BlackBerry devices. The attachment viewer
installs automatically with the BlackBerry® Device Software.
The BlackBerry Attachment Service receives attachments that are embedded in messages from the messaging server,
through the BlackBerry Messaging Agent. The BlackBerry Attachment Service also receives attachments that are
accessed through links in the BlackBerry® Browser.
The BlackBerry Attachment Service enables users to play supported audio attachments on supported BlackBerry
devices that are running BlackBerry Device Software version 4.2 or later. The BlackBerry Attachment Service can
convert .wav files into an audio format that a BlackBerry device series supports (for example, .mp3 files on BlackBerry®
8700 Series devices).
If the BlackBerry Attachment Service is hosted on a computer that uses Windows Server® 2008, the BlackBerry
Attachment Service does not support .mp3 audio files on BlackBerry devices, and the BlackBerry Attachment Service
does not support any audio file formats on BlackBerry® 7100 Series devices that support CDMA networks. You must
host the BlackBerry Attachment Service on a computer that uses Windows Server 2003 if you want the BlackBerry
Attachment Service to support .mp3 audio files on BlackBerry devices and all audio formats on BlackBerry 7100 Series
devices that support CDMA networks.
Attachment file formats that the BlackBerry Attachment Service supports
Format / Extension
Adobe® Acrobat®: .pdf
ASCII text: .txt
audio: .amr, .mp3, .wav, .wma
Corel® WordPerfect® 7-10: .wpd
HTML: .htm, .html
images: .bmp, .gif, .jpeg, .jpg, .png, .ppm, .tif, .tiff, .wmf
Microsoft® Excel® 97-2003, 2007, and XP: .xls, .xlsx
Microsoft® PowerPoint® 97-2003, 2007, and XP: .pps, .ppsx, .ppt, .pptx
Microsoft® Word 97-2003, 2007, and XP: .doc, .dot, .dotx, .docx
OpenOffice Format version 1.1: .odp, .ods, .odt, .ott
RTF: .rtf
ZIP archives: .zip
BlackBerry MDS Connection Service
The BlackBerry® MDS Connection Service connects wireless applications on BlackBerry devices to the applications
on an organization’s application servers or web servers. After a wireless application is installed on BlackBerry devices,
the application can receive data from push applications that are located on application servers or web servers. The
application can also receive data by sending pull requests from BlackBerry devices to applications that are located
on application servers or web servers. The BlackBerry MDS Connection Service processes push and pull requests and
delivers data and updates to BlackBerry Applications.
The BlackBerry MDS Connection Service also receives and responds to web requests from the BlackBerry® Browser
and other BlackBerry Applications, so that users can view Internet and intranet content on their BlackBerry devices.
Features of the BlackBerry MDS Connection Service
protocol connections: You can define connections to the web servers on your organization's intranet or the Internet using standard Internet protocols such as HTTP, HTTPS, and TCP/IP.
encrypted communications: The BlackBerry MDS Connection Service encrypts content using the same standard BlackBerry encryption that the BlackBerry Dispatcher uses to encrypt messages and other data.
data conversion: The BlackBerry MDS Connection Service converts data from application servers and web servers to a format that BlackBerry Applications can interpret and display.
data optimization: The BlackBerry MDS Connection Service processes content that users can view in the BlackBerry Browser. For example, the BlackBerry MDS Connection Service can change the data format or remove extraneous data to reduce network traffic.
authentication methods: You can configure authentication requirements that match your organization's sign-on scheme using standard methods such as NTLM, Kerberos™, and LTPA. You can also define a period of time after which the BlackBerry MDS Connection Service requests user information again, and whether it caches cookies. You can use two-factor authentication to create VPN connections between wireless applications on BlackBerry devices and your organization's application servers and web servers.
integration with proxy servers: You can provide access to specific content through your organization's proxy servers using the following items:
• proxy exclusion list, which defines the organization-specific URLs that the BlackBerry MDS Connection Service uses to connect directly to external web services instead of routing the connections through your organization's proxy server
• proxy auto-configuration (.pac) file
access control: You can configure push initiators and push rules that define which server-side push applications can send application data and updates to BlackBerry devices, and which users can receive push requests. You can configure pull rules to specify which web servers users can access using the BlackBerry Browser and other applications on BlackBerry devices.
media content management: You can control which media files users can receive and access using the BlackBerry Browser and BlackBerry Applications. You can prevent users from receiving specific media types (for example, video files) or specific subtypes of media (for example, .mp3 files). You can also configure size limits for media files that users can receive on their BlackBerry devices.
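The proxy integration described above combines an exclusion list with a .pac file. The following is an added example, not part of the BlackBerry documentation and not a file shipped with the product: a .pac file that keeps intranet, private-range and excluded hosts off the proxy and sends everything else through it. The proxy address, the example.com domain and the exclusion patterns are assumptions. The helpers isPlainHostName, dnsDomainIs, shExpMatch and isInNet are normally supplied by the PAC evaluator; they are re-implemented here only so the file can be exercised under Node.js.

```javascript
// Added example (not from the BlackBerry documentation): a proxy auto-configuration
// (.pac) file with an exclusion list, plus stand-ins for the PAC helper functions so
// it runs under Node.js. The proxy address, domain and patterns are assumptions.

// --- Stand-ins for helpers a PAC evaluator normally provides --------------------
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // domain is written with a leading dot, e.g. ".example.com"
  return host === domain.slice(1) || host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" matches one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
}
function isInNet(host, network, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;   // only literal IPv4 hosts
  const toInt = ip => ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
  return (toInt(host) & toInt(mask)) === (toInt(network) & toInt(mask));
}

// --- The .pac logic ---------------------------------------------------------------
const PROXY = "PROXY proxy.example.com:8080";            // assumed corporate proxy
// Assumed exclusion list: external services the organization reaches directly.
const EXCLUSIONS = ["*.partner.example.net", "status.vendor.example.org"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, the organization's own domain and private ranges stay inside.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.com")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Entries on the exclusion list bypass the proxy.
  if (EXCLUSIONS.some(p => shExpMatch(host, p))) return "DIRECT";
  // Everything else goes through the proxy. Deliberately no "; DIRECT" fallback:
  // if the proxy is down the request fails instead of silently bypassing it.
  return PROXY;
}
```

Keep the exclusion list short and name hosts rather than broad wildcards; every pattern on it is a path that skips whatever filtering the proxy performs. Leaving out the common "; DIRECT" fallback is a deliberate fail-closed choice.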
BlackBerry Applications
BlackBerry® devices support BlackBerry Java® Applications and BlackBerry® Browser Applications. Application
developers in your organization can create BlackBerry Applications using BlackBerry development tools or third-party
development tools. You can install and manage BlackBerry Java Applications on BlackBerry devices using the
BlackBerry Administration Service.
For more information about the options for developing BlackBerry Applications, visit www.blackberry.com/
developers.
BlackBerry Browser Applications
BlackBerry® Browser Applications are simplified, web-based applications that you can use to push web content to
the BlackBerry Browser on BlackBerry devices. Developers can create BlackBerry Browser Applications using
BlackBerry templates or standard web development tools.
The BlackBerry® Enterprise Server Express supports the following types of BlackBerry Browser Applications.
browser channel push applications: An icon displays on the Home screens of users' BlackBerry devices to indicate whether users viewed the latest version of the web content that the Browser Push Engine has pushed to their BlackBerry devices.
browser cache push applications: The Browser Push Engine pushes web content to the cache of the BlackBerry Browser on users' BlackBerry devices. To view the web content, users browse to the appropriate web address using the BlackBerry Browser.
browser message push applications: A message appears in the message list on users' BlackBerry devices to provide a link to new or updated web content.
For more information about developing BlackBerry Browser Applications and sending BlackBerry Browser
Applications to BlackBerry devices, visit www.blackberry.com/developers.
BlackBerry Java Applications
BlackBerry® Java® Applications can range from simple applications, such as a game on BlackBerry devices, to complex
applications with advanced UIs and various options for data management, storage, and network communication.
BlackBerry Java Applications can use a client-only architecture (the applications do not send data to or receive data
from a content server) or they can use a client/server application model (the applications send data to and receive
data from a content server). For example, a developer can create a BlackBerry Java Application so that users can
send data to and receive data from a central sales database.
Developers can create BlackBerry Java Applications using BlackBerry developer tools or other Java authoring tools.
BlackBerry devices run BlackBerry Java Applications using BlackBerry APIs and Java ME, which are standard on
BlackBerry devices.
For more information about developing and customizing BlackBerry Applications, visit www.blackberry.com/
developers.
Managing BlackBerry Java Applications and BlackBerry
Device Software
You can use the BlackBerry® Administration Service to install and manage the BlackBerry® Device Software and
BlackBerry Java® Applications on BlackBerry devices.
To send BlackBerry Java Applications to devices, you must first add the applications to the application repository.
You can use the application repository to store and manage all versions of the BlackBerry Java Applications that you
want to install on, update on, or remove from devices.
In the BlackBerry Administration Service, you create software configurations to specify the versions of the BlackBerry
Device Software and BlackBerry Java Applications that you want to install on, update on, or remove from devices.
You also use software configurations to specify which applications are required, optional, or not permitted. When
you create a software configuration, you must also specify whether users can install applications that are not listed
in the software configuration.
When you add a BlackBerry Java Application to a software configuration, you must assign an application control
policy to the application to specify what resources the application can access. You can use default application control
policies or you can create and use custom application control policies. If you permit users to install unlisted
applications, you must create an application control policy for unlisted applications that specifies what resources the
applications can access.
When you assign a software configuration to a group or individual user accounts, the BlackBerry Administration
Service creates a deployment job to install the BlackBerry Device Software and BlackBerry Java Applications on devices
and to apply access control policies to the devices. A deployment job consists of a number of tasks. Each task manages
the delivery of a specific object (for example, a BlackBerry Java Application or an access control policy) by
communicating with the appropriate BlackBerry® Enterprise Server Express components.
If you assign more than one software configuration to a user account, all of the settings in the multiple software
configurations are applied to the user's device. The BlackBerry Enterprise Server Express resolves conflicting settings
using predefined reconciliation rules and prioritized rankings that you can specify using the BlackBerry Administration
Service. After you install the BlackBerry Device Software and BlackBerry Java Applications on devices, you can view
details about how the BlackBerry Administration Service resolved software configuration conflicts.
For more information about installing and managing the BlackBerry Device Software on devices, visit
www.blackberry.com/go/serverdocs to see the BlackBerry Device Software Update Guide.
BlackBerry device management
You can use the BlackBerry® Enterprise Server Express to control how you implement, maintain, and upgrade
BlackBerry devices across your organization.
Controlling third-party applications on BlackBerry devices
control the installation and removal of third-party applications: You can use the BlackBerry® Administration Service to install applications on BlackBerry devices over the wireless network, or you can permit users to download and install third-party applications on their BlackBerry devices. You can remove applications from BlackBerry devices over the wireless network, and you can also prevent users from downloading applications.
control the resources that third-party applications can access: You can use standard application control policies or create custom application control policies to specify the resources that third-party applications can access on BlackBerry devices (for example, message, phone, and key store). You can create IT policies that specify the types of connections that third-party applications on BlackBerry devices can establish (for example, opening network connections inside the firewall).
BlackBerry Policy Service
The BlackBerry® Policy Service sends IT policies and IT administration commands to BlackBerry devices and provisions
service books over the wireless network. When you activate a BlackBerry device, change an IT policy, or request that
a BlackBerry® Enterprise Server Express resend service books, the BlackBerry Enterprise Server Express uses the
BlackBerry Policy Service to send the updates to the BlackBerry device.
An IT policy consists of rules that define BlackBerry device security, settings for synchronizing data over the wireless
network, and other behaviors for the individual groups or user accounts that you define. You can configure IT policies
using the BlackBerry Administration Service.
Features of the BlackBerry Policy Service
wireless delivery: When you configure an IT policy, all rules take effect when the BlackBerry Policy Service delivers the IT policy to a BlackBerry device over the wireless network. The BlackBerry device stores new IT policy rule values in the user configurations on the BlackBerry device automatically. To keep the IT policy rules current, a BlackBerry Enterprise Server Express sends the IT policy to the BlackBerry device over the wireless network periodically.
IT policy coverage: When you add a user account to a BlackBerry Enterprise Server Express, the BlackBerry Policy Service applies the Default IT policy to the user account automatically. The user account is not active on the BlackBerry Enterprise Server Express until a BlackBerry device accepts the IT policy. You can apply a different IT policy to a user account. If you delete an IT policy that you applied to a user account, the BlackBerry Policy Service applies the Default IT policy to the user account automatically.
IT policy assignment: You can apply an IT policy to a group or an individual user account.
resend options: If a BlackBerry Enterprise Server Express cannot send an updated IT policy to a BlackBerry device immediately (for example, if a user is outside of a wireless coverage area), you can resend the IT policy manually or configure when the BlackBerry Policy Service resends the IT policy. The BlackBerry Enterprise Server Express continues to resend the IT policy until it delivers the IT policy.
security enforcement: You can configure IT policies that define security settings for BlackBerry devices, the BlackBerry® Desktop Software and the BlackBerry® Web Desktop Manager, and that override security settings that users define on their BlackBerry devices. For example, you can configure whether a password is required for a BlackBerry device, the length of time that the password can exist before it becomes invalid, and the length and composition of the password. You can also use IT policies to specify encryption key details.
BlackBerry Router
The BlackBerry® Router connects to the wireless network and sends data to and receives data from the BlackBerry®
Infrastructure on behalf of the BlackBerry® Enterprise Server Express. The BlackBerry Router also sends data to and
receives data from BlackBerry devices that are connected to the BlackBerry® Device Manager or a Wi-Fi® network.
The BlackBerry Device Manager is included with the BlackBerry® Desktop Software, BlackBerry® Web Desktop
Manager, and BlackBerry Administration Service.
When the BlackBerry Enterprise Server Express detects a BlackBerry Router, it identifies the IP address of the
computer that hosts the BlackBerry Router and writes the IP address to the BlackBerry Configuration Database. When
BlackBerry device users activate devices that are running BlackBerry Device Software 4.0 or later, the BlackBerry
Router sends the IP address to the devices in a service book.
If you change the IP address of the computer that hosts the BlackBerry Router, devices detect the change
automatically. Users do not need to reconnect devices to the BlackBerry Device Manager to receive the new IP
address and a new service book. However, a delay occurs before devices detect the change. During the delay, devices
cannot connect to the BlackBerry Device Manager or a Wi-Fi network.
The BlackBerry Router supports the use of multiple network cards on users’ computers, which is also known as
multihoming.
BlackBerry Web Desktop Manager
The BlackBerry® Web Desktop Manager is a web application that provides many of the same features that the
BlackBerry® Desktop Manager does. Users can connect their BlackBerry devices to their computers using a USB
connection or Bluetooth® connection, and log in to BlackBerry Web Desktop Manager to activate and manage their
BlackBerry devices, back up and restore data, define email settings, and update the BlackBerry® Device Software.
Features of the BlackBerry Web Desktop Manager
access: Users can access device management and configuration capabilities from any computer that can access the intranet.
application management: Users can use the BlackBerry Web Desktop Manager to install, manage, and remove the applications that are installed on their BlackBerry devices.
BlackBerry Device Software management: Users can use the BlackBerry Web Desktop Manager to update the BlackBerry Device Software on their BlackBerry devices.
control users' access to features: You can specify the BlackBerry Web Desktop Manager features that users can access using IT policies and settings in the BlackBerry Administration Service.
customizable interface: You can customize the appearance of the UI to match your organization's requirements. You can customize the font colors, logo, and the help.
device activation: Users can use the BlackBerry Web Desktop Manager to set activation passwords and activate their BlackBerry devices.
switch devices: Users can use the BlackBerry Web Desktop Manager to switch BlackBerry devices, and migrate from third-party devices that have BlackBerry® Application Suite installed, to BlackBerry devices.
folder redirection: Users can use the BlackBerry Web Desktop Manager to select the folders that the BlackBerry® Enterprise Server Express redirects messages from.
language support: The BlackBerry Web Desktop Manager is available in English, French, German, Italian, Spanish, and Japanese. Users can select a language before they log in to the BlackBerry Web Desktop Manager.
simplified administration: The web UI does not require you to deploy, support, and maintain client-side software such as the BlackBerry Desktop Manager.
service statistics: The BlackBerry Web Desktop Manager provides users with statistics about the message status (forwarded, sent, pending, expired, filtered), last contact time, and information about the last message sent or received.
synchronization of contact folders: Users can use the BlackBerry Web Desktop Manager to select the public or private contact folders that they want to synchronize to their BlackBerry devices over the wireless network.
Comparison of BlackBerry Web Desktop Manager and BlackBerry Desktop Software features

Supported feature: ability to view the BlackBerry® Desktop Software that is installed on the users' computers
BlackBerry Web Desktop Manager: supported
BlackBerry Desktop Software: supported

Supported feature: application loader tool
BlackBerry Web Desktop Manager: supported with the following conditions:
• option to choose not to save the backup file
• BlackBerry services are not maintained if the users disconnect their BlackBerry devices before completing the process
BlackBerry Desktop Software: supported with the following conditions:
• no option to choose whether to save the backup file
• BlackBerry services are maintained if the users disconnect their BlackBerry devices before clicking the Close button in the Load was successful dialog box

Supported feature: BlackBerry® Desktop Redirector
BlackBerry Web Desktop Manager: not included
BlackBerry Desktop Software: included

Supported feature: BlackBerry® Device Software updates
BlackBerry Web Desktop Manager: supported with the following conditions:
• you install the software on a shared network drive
• BlackBerry® Web Desktop Manager forces users to update the BlackBerry® Device Software when a software configuration is assigned to the user accounts
BlackBerry Desktop Software: supported with the following conditions:
• users install the software on their computers and run the application loader tool
• BlackBerry Desktop Manager notifies the users when a newer version of BlackBerry Device Software is available on their computers

Supported feature: certificate synchronization
BlackBerry Web Desktop Manager: not supported
BlackBerry Desktop Software: supported

Supported feature: changing the email profile options
BlackBerry Web Desktop Manager: not supported
BlackBerry Desktop Software: supported

Supported feature: connections to BlackBerry devices
BlackBerry Web Desktop Manager: supported with the following conditions:
• users can connect to multiple BlackBerry devices at the same time
• BlackBerry Web Desktop Manager does not prompt users if they want to switch from using a Bluetooth® connection to using a USB connection
BlackBerry Desktop Software: supported with the following conditions:
• users can connect to only one BlackBerry device at a time
• BlackBerry Desktop Software prompts users if they want to switch from using a Bluetooth connection to using a USB connection

Supported feature: device activation
BlackBerry Web Desktop Manager: supported with the following conditions:
• occurs automatically for new users
• if users without active BlackBerry devices connect BlackBerry devices that belong to other users, the BlackBerry Web Desktop Manager prompts the users who connected the BlackBerry devices if they want to switch to the BlackBerry devices
BlackBerry Desktop Software: supported with the following conditions:
• occurs automatically each time users plug in a BlackBerry device
• if users without active BlackBerry devices connect BlackBerry devices that belong to other users, the BlackBerry Desktop Software notifies the users who connected the BlackBerry devices that an activation process is underway by asking the users whether an encryption key should be created

Supported feature: switching devices
BlackBerry Web Desktop Manager: supported with the following conditions:
• users can switch from third-party devices that are running BlackBerry® Application Suite to BlackBerry devices
• users can switch between BlackBerry devices
• BlackBerry services are not maintained if users disconnect their BlackBerry devices before completing the process
BlackBerry Desktop Software: supported with the following conditions:
• users can switch from third-party devices to BlackBerry devices
• BlackBerry services are maintained if users disconnect their BlackBerry devices before clicking the Close button in the Switch was successful dialog box

Supported feature: email message settings
BlackBerry Web Desktop Manager: supported with the following conditions:
• users can import data from the address book when creating or changing a filter
• users cannot turn off message redirection while their BlackBerry devices are connected
• users cannot generate encryption keys
• users cannot override email addresses
BlackBerry Desktop Software: supported with the following conditions:
• users can import data for filtering
• users can turn off message redirection while their BlackBerry devices are connected
• users can generate encryption keys
• users can override email addresses

Supported feature: media management
BlackBerry Web Desktop Manager: not supported
BlackBerry Desktop Software: supported

Supported feature: modem support for devices
BlackBerry Web Desktop Manager: not supported
BlackBerry Desktop Software: supported

Supported feature: prompt for BlackBerry device password
BlackBerry Web Desktop Manager: BlackBerry devices can connect without a prompt for the device password
BlackBerry Desktop Software: required before BlackBerry devices can connect to the users' computers

Supported feature: statistics for user accounts
BlackBerry Web Desktop Manager: supported with the following conditions:
• all supported messaging environments
• users cannot clear the redirection queue
• users cannot clear the redirection statistics
BlackBerry Desktop Software: supported with the following conditions:
• Microsoft® Exchange environments only
• users can clear the redirection queue
• users can clear the redirection statistics

Supported feature: supported BlackBerry Device Software versions
BlackBerry Web Desktop Manager: BlackBerry Device Software version 4.0 and later
BlackBerry Desktop Software: all

Supported feature: supported IT policies
BlackBerry Web Desktop Manager:
• Auto Backup Enabled
• Auto Backup Exclude Messages
• Auto Backup Exclude Sync
• Auto Backup Frequency
• Auto Backup Include All
• Desktop Allow Device Switch
• Desktop Password Cache Timeout
• Do Not Save Sent Messages
• Force Load Message
BlackBerry Desktop Software:
• Auto Backup Enabled
• Auto Backup Exclude Messages
• Auto Backup Exclude Sync
• Auto Backup Frequency
• Auto Backup Include All
• Desktop Allow Device Switch
• Desktop Password Cache Timeout
• Disable Media Manager
• Do Not Save Sent Messages
• Force Load Count
• Forward Message In Cradle
• Message Prompt
• Show AppLoader
• Show Web Link

Supported feature: synchronization over a serial connection
BlackBerry Web Desktop Manager: users cannot synchronize the following data over a serial connection:
• organizer data
• email messages
• third-party application data
• date and time
BlackBerry Desktop Software: users can synchronize the following data over a serial connection:
• organizer data
• email messages
• third-party application data
• date and time
Managing a distributed environment for BlackBerry Enterprise Server Express components
You can install the BlackBerry® Enterprise Server Express components on multiple computers so that you can manage
the size of your organization's BlackBerry Domain. For example, you can install the BlackBerry Attachment Service
and BlackBerry MDS Connection Service on separate computers to provide the computer that hosts the BlackBerry
Enterprise Server Express with additional resources that the BlackBerry Enterprise Server Express can use to process
email messages.
Wireless activation
The wireless activation process activates BlackBerry® devices that are associated with a BlackBerry® Enterprise Server
Express over the wireless network. Neither you nor the BlackBerry device users are required to connect the BlackBerry
devices to a computer in your organization's network to complete the activation process.
You can use wireless activation to activate a large number of BlackBerry devices over the wireless network. When
BlackBerry device users want to activate new or replacement BlackBerry devices that are associated with the
BlackBerry Enterprise Server Express over the wireless network, they must notify you or access the provisioning
server console. You or the BlackBerry device user can create activation passwords.
The BlackBerry® Enterprise Solution can begin the wireless activation process automatically or when BlackBerry
device users open the activation application on their BlackBerry devices and type their activation passwords and
email addresses. When the activation process completes, the BlackBerry device users are activated and can send
email messages from and receive email messages on their BlackBerry devices.
For more information about activating devices that are associated with the BlackBerry Internet Service on the
BlackBerry Enterprise Server Express over the wireless network, visit www.blackberry.com/go/serverdocs to see the
Activating Devices That are Associated With the BlackBerry Internet Service Over the Wireless Network Technical
Note.
4 BlackBerry Enterprise Solution security
The BlackBerry® Enterprise Solution consists of various products and components that are designed to extend your
organization’s communication methods to BlackBerry devices. The BlackBerry Enterprise Solution is designed to help
protect data that is in transit at all points between a device and the BlackBerry® Enterprise Server Express. To help
protect data that is in transit over the wireless network, the BlackBerry Enterprise Server Express and device use
symmetric key cryptography to encrypt the data sent between them. The BlackBerry Enterprise Solution is designed
to prevent third parties, including wireless service providers, from accessing your organization's potentially sensitive
information in a decrypted format.
The BlackBerry Enterprise Solution uses confidentiality, integrity, and authenticity, which are principles for
information security, to help protect your organization from data loss or alteration.
Principles
confidentiality: The BlackBerry Enterprise Solution uses symmetric key cryptography to help make sure that only intended recipients can view the contents of email messages.
integrity: The BlackBerry Enterprise Solution uses symmetric key cryptography to help protect every email message that the device sends and to help prevent third parties from decrypting or altering the message data. Only the BlackBerry Enterprise Server Express and the device know the value of the keys that they use to encrypt messages and recognize the format of a decrypted and decompressed message. The BlackBerry Enterprise Server Express or the device rejects a message automatically if it is not encrypted with keys that they recognize as valid.
authenticity: Before the BlackBerry Enterprise Server Express sends data to the device, the device authenticates with the BlackBerry Enterprise Server Express to prove that the device knows the device transport key that is used to encrypt data.
Security features of the BlackBerry Enterprise Solution
data protection: The BlackBerry® Enterprise Solution is designed to protect data that is in transit between the BlackBerry® Enterprise Server Express and a BlackBerry device and data that is in transit between your organization's messaging server and the email application on a user's computer. The BlackBerry Enterprise Solution encrypts data that is stored on the device and in the BlackBerry Configuration Database. To help protect data that is stored on the device, you can require a user to authenticate to the device using a password, a smart card, or both.
encryption key protection: The device is designed to protect the encryption keys that are stored on the device. The device encrypts the encryption keys when the device is locked.
control of device connections: The BlackBerry Enterprise Solution is designed to control the following connections:
• connections using Bluetooth® technology to and from the device
• connections from a Wi-Fi® enabled device to enterprise Wi-Fi networks
The BlackBerry Enterprise Solution is designed to control which devices can connect to the BlackBerry Enterprise Server Express.
control of the behavior of the device and BlackBerry® Desktop Software: To control the behavior of the device and BlackBerry Desktop Software, you can send IT administration commands, IT policies, and application control policies to the device. You can use IT administration commands, IT policies, and application control policies to perform the following actions:
• You can send IT administration commands to lock the device, permanently delete work data, permanently delete user information and application data, and return the device settings to the default values.
• You can send an IT policy to a device to change security settings. For example, you can use an IT policy to enforce the device password.
• You can send an application control policy to a device to control whether third-party applications are available and can connect to the device and whether third-party applications or add-on applications developed by Research In Motion can access work data.
Encrypting data that the BlackBerry Enterprise Server
Express and a BlackBerry device send to each other
To encrypt data that is in transit between the BlackBerry® Enterprise Server Express and a BlackBerry device in your
organization, the BlackBerry® Enterprise Solution uses BlackBerry transport layer encryption. BlackBerry transport
layer encryption is designed to encrypt data from the time that a BlackBerry device user sends a message from the
BlackBerry device to when the BlackBerry Enterprise Server Express receives the message, and from the time that
the BlackBerry Enterprise Server Express sends a message to when the BlackBerry device receives the message.
Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport
key. When the BlackBerry Enterprise Server Express receives a message from the BlackBerry device, the BlackBerry
Dispatcher decrypts the message using the device transport key, and then decompresses the message.
Algorithms that the BlackBerry Enterprise Solution uses to encrypt data
The BlackBerry® Enterprise Solution uses AES or Triple DES as the symmetric key cryptographic algorithm for
encrypting data. By default, the BlackBerry® Enterprise Server Express uses the strongest algorithm that both the
BlackBerry Enterprise Server Express and the BlackBerry device support for BlackBerry transport layer encryption.
If you configure the BlackBerry Enterprise Server Express to support AES and Triple DES, by default, the BlackBerry
Enterprise Solution generates device transport keys using AES encryption. If a BlackBerry device uses BlackBerry®
Device Software version 3.7 or earlier or BlackBerry® Desktop Software version 3.7 or earlier, the BlackBerry
Enterprise Solution generates the device transport keys of the BlackBerry device using Triple DES.
How the BlackBerry Enterprise Solution uses AES to encrypt data
By default, when a BlackBerry® device supports AES, the BlackBerry® Enterprise Solution uses AES for BlackBerry
transport layer encryption. The BlackBerry Enterprise Solution uses AES in CBC mode to generate the message keys
and device transport keys. The keys consist of 256 bits of data.
BlackBerry® Device Software version 4.0 or later and BlackBerry® Desktop Software version 4.0 or later support AES.
For more information about how the BlackBerry Enterprise Server Express uses AES for BlackBerry transport layer
encryption to communicate with BlackBerry devices, visit www.blackberry.com/support to read article KB05429.
How the BlackBerry Enterprise Solution uses Triple DES to encrypt data
The BlackBerry® Enterprise Solution uses a two-key Triple DES encryption algorithm to generate message keys and
device transport keys. In the three iterations of the DES algorithm, the first 56-bit key in outer CBC mode encrypts
the data, the second 56-bit key decrypts the data, and the first key encrypts the data again.
The BlackBerry Enterprise Solution stores the message keys and device transport keys as 128-bit binary strings with
each parity bit in the least significant bit of each of the 8 bytes of key data. The message keys and device transport
keys have overall key lengths of 112 bits and include 16 bits of parity data.
All versions of the BlackBerry® Enterprise Server Express, BlackBerry® Device Software, and BlackBerry® Desktop
Software support Triple DES.
For more information about Triple DES, see Federal Information Processing Standard - FIPS PUB 81 [3].
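The two-key Triple DES layout described above, as an added Go example that is not BlackBerry's code: a 16-byte key (K1 || K2) with an odd-parity bit in the least significant bit of each byte, a parity check, the 112-bit effective length, and the three iterations E_K1(D_K2(E_K1(block))) compared against Go's crypto/des Triple DES; the key and the 8-byte block are constructed, and outer CBC chaining is left out.

```go
package main

import (
	"crypto/des"
	"fmt"
	"math/bits"
)

// Two-key Triple DES key material as the overview describes it: 16 bytes (K1 || K2)
// with an odd-parity bit in the low bit of each byte, so 112 key bits plus 16 parity bits.
const tdesKeyBytes = 16

// SetOddParity sets the low bit of every byte so the byte has odd parity; the seven high bits carry key material.
func SetOddParity(raw []byte) []byte {
	out := make([]byte, len(raw))
	for i, b := range raw {
		b &^= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
	}
	return out
}

// CheckKeyParity rejects a key that is not 16 bytes or whose bytes do not all
// have odd parity; a parity failure points to corrupted or mis-encoded key data.
func CheckKeyParity(key []byte) error {
	if len(key) != tdesKeyBytes {
		return fmt.Errorf("two-key Triple DES key must be %d bytes, got %d", tdesKeyBytes, len(key))
	}
	for i, b := range key {
		if bits.OnesCount8(b)%2 != 1 {
			return fmt.Errorf("key byte %d has even parity", i)
		}
	}
	return nil
}

// EffectiveKeyBits returns seven bits per byte, since one bit of each byte is parity (112 for 16 bytes).
func EffectiveKeyBits(key []byte) int {
	return len(key) * 7
}

// EDEBlock computes E_K1(D_K2(E_K1(block))) with three single-DES operations,
// the three iterations the overview describes; CBC chaining is left out.
func EDEBlock(key, block []byte) ([]byte, error) {
	if err := CheckKeyParity(key); err != nil {
		return nil, err
	}
	if len(block) != des.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes", des.BlockSize)
	}
	c1, err := des.NewCipher(key[:8])
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(key[8:])
	if err != nil {
		return nil, err
	}
	tmp, out := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	c1.Encrypt(tmp, block) // the first key encrypts
	c2.Decrypt(out, tmp)   // the second key decrypts
	c1.Encrypt(tmp, out)   // the first key encrypts again
	return tmp, nil
}

// LibraryTDESBlock encrypts the same block with crypto/des, which takes the
// key as K1 || K2 || K3; repeating K1 as K3 gives the two-key schedule.
func LibraryTDESBlock(key, block []byte) ([]byte, error) {
	if err := CheckKeyParity(key); err != nil {
		return nil, err
	}
	k24 := append(append([]byte{}, key...), key[:8]...)
	c, err := des.NewTripleDESCipher(k24)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// SampleKey is constructed for the demonstration; it is not a real device transport key.
func SampleKey() []byte {
	return SetOddParity([]byte("K1K1K1K1K2K2K2K2"))
}

func main() {
	key := SampleKey()
	a, _ := EDEBlock(key, []byte("8bytebl!"))
	b, _ := LibraryTDESBlock(key, []byte("8bytebl!"))
	fmt.Printf("parity ok: %v, effective bits: %d\nhand-built EDE: %x\ncrypto/des:     %x\n",
		CheckKeyParity(key) == nil, EffectiveKeyBits(key), a, b)
}
```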
Extending messaging security to a BlackBerry device
If your organization's messaging environment supports highly secure messaging technology such as PGP® encryption
or S/MIME encryption, you can configure the BlackBerry® Enterprise Solution to encrypt a message using PGP
encryption or S/MIME encryption so that the message remains encrypted when the BlackBerry® Enterprise Server
Express forwards the message to the email applications of recipients. To extend messaging security, the sender and
recipient must install highly secure messaging technology on the computers that host the email applications and on
their BlackBerry devices, and you must configure the BlackBerry devices to use the highly secure messaging
technology.
Encrypting user data on a locked BlackBerry device
If you or a BlackBerry® device user turns on content protection, you or the user can configure a locked BlackBerry
device to encrypt stored user data and data that the locked BlackBerry device receives. When you or a user turns on
content protection, a locked BlackBerry device is designed to use AES-256 encryption to encrypt stored data and an
ECC public key to encrypt data that the locked BlackBerry device receives.
For example, the locked BlackBerry device uses content protection to encrypt the following items:
• subject, location, meeting organizer, attendees, and any notes in all appointments or meeting requests
• all contact information in the contact list except for the contact title and category
• subject, email addresses of intended recipients, message body, and attachments in all email messages
• title and information that is included in the body of a note for all memos (also known as posted messages)
• subject and all information that is included in the body of tasks (also known as posted all day appointments)
• if you use software tokens, contents of the .sdtid file seed that is stored in flash memory
• all data that is associated with third-party applications that a user installs on the BlackBerry device
• in the BlackBerry® Browser, content that web sites or third-party applications push to the BlackBerry device,
any web sites that the user saves on the BlackBerry device, and the browser cache
• all text that the BlackBerry device automatically substitutes for text that the user types
Managing BlackBerry device access to the BlackBerry Enterprise Server Express
You can use the Enterprise Service Policy to control which BlackBerry® devices can connect to a BlackBerry® Enterprise
Server Express. By default, after you turn on the Enterprise Service Policy, the BlackBerry Enterprise Server Express
permits connections from any BlackBerry device that you previously associated with the BlackBerry Enterprise Server
Express. The BlackBerry Enterprise Server Express also prevents connections from any BlackBerry device that you
associate with the BlackBerry Enterprise Server Express after you turn on the Enterprise Service Policy.
You can configure an allowed list to determine which BlackBerry devices can access a BlackBerry Enterprise Server
Express. A BlackBerry device that meets the criteria that you specify in the allowed list can associate with the
BlackBerry Enterprise Server Express when the BlackBerry device activates over the wireless network.
You can define the following types of criteria:
• specific BlackBerry device PINs
• range of BlackBerry device PINs
• specific manufacturers
• specific BlackBerry device models
The BlackBerry Administration Service includes lists of permitted manufacturers and models of BlackBerry devices
that you associated with the BlackBerry Enterprise Server Express previously.
You can permit a user to override the Enterprise Service Policy so that a BlackBerry device can connect to the
BlackBerry Enterprise Server Express even if you configure the allowed list with criteria that exclude that BlackBerry
device.
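The Enterprise Service Policy decision described above (devices associated before the policy was turned on stay permitted, new devices must match the allowed list, a user override bypasses the list) as an added Go example that is not BlackBerry's code; the four criteria types are the ones listed, while the struct names, the PINs, the manufacturer string and the model names are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device holds the attributes the allowed list can match. A BlackBerry PIN is
// an 8-digit hexadecimal identifier; every PIN and model below is constructed.
type Device struct {
	PIN, Manufacturer, Model string
}

// PINRange is an inclusive range of PINs, compared as numbers.
type PINRange struct{ Low, High string }

// AllowedList carries the four criteria types the overview lists. An empty
// list matches nothing, so a newly associated device is refused.
type AllowedList struct {
	PINs, Manufacturers, Models []string
	PINRanges                   []PINRange
}

// EnterpriseServicePolicy models the policy state: whether it is turned on,
// the PINs (upper case) associated before it was turned on, the allowed list,
// and the user accounts that you permitted to override the list.
type EnterpriseServicePolicy struct {
	Enabled              bool
	PreviouslyAssociated map[string]bool
	Allowed              AllowedList
	OverrideUsers        map[string]bool
}

func parsePIN(pin string) (uint64, error) {
	if len(pin) != 8 {
		return 0, fmt.Errorf("PIN %q must be 8 hex digits", pin)
	}
	return strconv.ParseUint(pin, 16, 32)
}

func containsFold(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// Matches reports whether the device satisfies any criterion, and which one,
// so that the decision can be logged.
func (l AllowedList) Matches(d Device) (bool, string) {
	if containsFold(l.PINs, d.PIN) {
		return true, "pin"
	}
	if n, err := parsePIN(d.PIN); err == nil {
		for _, r := range l.PINRanges {
			lo, errLo := parsePIN(r.Low)
			hi, errHi := parsePIN(r.High)
			if errLo == nil && errHi == nil && lo <= n && n <= hi {
				return true, "pin-range"
			}
		}
	}
	if containsFold(l.Manufacturers, d.Manufacturer) {
		return true, "manufacturer"
	}
	if containsFold(l.Models, d.Model) {
		return true, "model"
	}
	return false, ""
}

// Decide applies the policy to a device that activates for the named user
// account: a device associated before the policy was turned on stays permitted,
// a new device must match the allowed list, and a user override bypasses the list.
func (p EnterpriseServicePolicy) Decide(user string, d Device) (bool, string) {
	switch {
	case !p.Enabled:
		return true, "policy off"
	case p.PreviouslyAssociated[strings.ToUpper(d.PIN)]:
		return true, "associated before the policy was turned on"
	}
	if ok, why := p.Allowed.Matches(d); ok {
		return true, "allowed list: " + why
	}
	if p.OverrideUsers[user] {
		return true, "user override"
	}
	return false, "not on the allowed list"
}

func main() {
	p := EnterpriseServicePolicy{Enabled: true, OverrideUsers: map[string]bool{"jdoe": true},
		Allowed: AllowedList{PINRanges: []PINRange{{"2100B000", "2100BFFF"}}, Models: []string{"8820"}}}
	fmt.Println(p.Decide("asmith", Device{"2100B123", "RIM", "MODEL-X"})) // true allowed list: pin-range
	fmt.Println(p.Decide("asmith", Device{"2100D001", "RIM", "MODEL-X"})) // false not on the allowed list
}
```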
Using an IT policy to manage BlackBerry Enterprise Solution security
You can use an IT policy to control and manage BlackBerry® devices, the BlackBerry® Desktop Software, and the
BlackBerry® Web Desktop Manager in your organization's environment. An IT policy consists of multiple IT policy
rules that manage the security and behavior of the BlackBerry® Enterprise Solution. For example, you can use IT
policy rules to manage the following security features and behaviors of the device:
• encryption (for example, encryption of user data and messages that the BlackBerry® Enterprise Server Express
forwards to message recipients) and encryption strength
• use of a password or pass phrase
• protection of user data and device transport keys on the device
• control of device resources, such as the camera or GPS, that are available to third-party applications
The Default IT policy includes IT policy rules that are configured to indicate the default behavior of the device or
BlackBerry Desktop Software.
After a device user activates a device, the BlackBerry Enterprise Server Express automatically sends to the device the
IT policy that you assigned to the user account or group. By default, if you do not assign an IT policy to the user
account or group, the BlackBerry Enterprise Server Express sends the Default IT policy. If you delete an IT policy that
you assigned to the user account or group, the BlackBerry Enterprise Server Express automatically re-assigns the
Default IT policy to the user account and resends the Default IT policy to the device.
For more information, see the BlackBerry Enterprise Server Express Policy Reference Guide.
Using IT administration commands to protect a lost or stolen device
The BlackBerry® Enterprise Server Express includes IT administration commands that you can send over the wireless
network to protect sensitive data on a BlackBerry device. You can use the commands to lock the device, permanently
delete work data, permanently delete user information and application data, and return the device settings to the
default values.
IT administration command: Specify new device password and lock device
Description: This command creates a new password and locks a device over the wireless network. You can communicate the new password to the user verbally when the BlackBerry device user locates the device. When the user unlocks the device, the device prompts the user to accept or reject the new password.
You can use this command if the device is lost. If you or a user turned on content protection and a device is running BlackBerry® Device Software 4.3.0 or later, you can use this command. If you or a user turned on two-factor content protection, you cannot use this command.
IT administration command: Delete only the organization data and remove device
Description: This command permanently deletes all work data that the device stores and removes the device from the BlackBerry Enterprise Server Express. All personal data remains on the device.
You can send this command to a personal device when a user no longer works at your organization and you want to delete work data from the device.
You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server Express after the device deletes all work data.
IT administration command: Delete all device data and remove device
Description: This command permanently deletes all user information and application data that the device stores. You can configure the following options when you use this command:
• specify a delay, in hours, that must occur before the device starts to delete all the user information and application data
• require the device to return to its factory default settings when it receives this command
• specify whether to permit the user to stop permanently deleting data from the device and making the device unavailable during the delay period
You can send this command to a device that you want to distribute to another user in your organization, or to a device that is lost and that the user might not recover.
You can also specify whether you want to delete or disable a user account from the BlackBerry Enterprise Server Express after the device deletes all user information and application data.
5 Wi-Fi enabled BlackBerry devices
Wi-Fi® enabled BlackBerry® devices permit users with qualifying data plans to access BlackBerry services over a
mobile network, Wi-Fi network, or both networks simultaneously.
When users can access a mobile network and Wi-Fi network simultaneously, users can perform multiple tasks over
both networks. For example, a user with a BlackBerry® 8820 smartphone can send messages over a Wi-Fi network
and can make a call over the mobile network at the same time.
If users' mobile network providers make UMA technology (GAN technology) available, and users have subscribed to
the UMA feature, Wi-Fi enabled BlackBerry devices can access the mobile network providers' voice services and data
services over a mobile network or a Wi-Fi network.
Wi-Fi enabled BlackBerry devices can open a Wi-Fi connection from an enterprise Wi-Fi network or, with a VPN
session, from a home Wi-Fi network or Wi-Fi hotspot to connect directly to the BlackBerry Router.
Wi-Fi enabled BlackBerry devices are designed to open a connection to the BlackBerry® Internet Service to access
the BlackBerry MDS Connection Service, BlackBerry® Messenger, and other BlackBerry devices for PIN messaging.
You can verify with your organization's wireless service provider whether your organization's service plan provides
access to these services over a Wi-Fi network.
Types of Wi-Fi networks
Wi-Fi® enabled BlackBerry® devices can access BlackBerry services using enterprise Wi-Fi networks, home Wi-Fi
networks, or hotspots.
Type: enterprise Wi-Fi networks
Description: An enterprise Wi-Fi network has multiple wireless access points to provide ubiquitous coverage, hotspot coverage, or ubiquitous and hotspot coverage. You can use a Wi-Fi enabled BlackBerry device in any coverage area.
You can configure an enterprise Wi-Fi network to require layer 2 authentication. An organization might consider an enterprise Wi-Fi network to be untrusted and require that all Wi-Fi connections to the organization's network occur through a VPN concentrator. You must configure Wi-Fi enabled BlackBerry devices to support the authentication type that your organization uses.
An enterprise Wi-Fi network permits optimized access to the BlackBerry® Enterprise Server Express over a direct IP connection to the BlackBerry Router.
Type: home Wi-Fi networks
Description: A home Wi-Fi network uses a single access point to provide Internet access through a broadband gateway. The broadband gateway can implement NAT and permit VPN connections through the firewall. You can configure a home Wi-Fi network with layer 2 security and password authentication. You must configure BlackBerry devices to support the authentication that the home Wi-Fi network requires.
A home Wi-Fi network permits users to access all BlackBerry services from Wi-Fi enabled BlackBerry devices using the BlackBerry® Infrastructure.
Type: hotspots
Description: A hotspot offered by an ISP, a mobile network provider, or a property owner can provide a Wi-Fi connection in public and semipublic areas. The network can be an open network without layer 2 security and use a captive portal for authentication. The captive portal blocks all network traffic except traffic that uses HTTP and it redirects HTTP requests to a login page.
After a user logs in to the hotspot, the captive portal permits the user to access wireless network services.
Hotspots can use a firewall and they can permit VPN connections. A hotspot permits users to access all BlackBerry services from their Wi-Fi enabled BlackBerry devices using the BlackBerry Infrastructure.
Wireless access points
Wi-Fi® enabled BlackBerry® devices use wireless access points to connect to the Wi-Fi network. An access point must
conform to the IEEE® 802.11a™, IEEE® 802.11b™, or IEEE® 802.11g™ wireless networking standard.
Type: thin access point
Description: A thin access point (or controller-based access point) is part of an enterprise Wi-Fi network that you can manage from a central location. This type of access point requires an external controller to manage network traffic. You can administer one or more thin access points through the controller.
Thin access points with an external controller can provide a more seamless roaming experience for users with Wi-Fi enabled BlackBerry devices during data and voice sessions.
Type: thick access point
Description: A thick access point (or intelligent or autonomous access point) has the intelligence to operate as a standalone component without a controller.
Connections that BlackBerry devices make to mobile and Wi-Fi networks
Wi-Fi® enabled BlackBerry® devices connect to different components in the mobile and Wi-Fi networks so that
they can communicate with the BlackBerry® Enterprise Server Express and provide BlackBerry services for users.
Component: BlackBerry Enterprise Server Express
Description: The BlackBerry Enterprise Server Express provides productivity tools and data from an organization's applications to BlackBerry devices over the wireless network, and processes, routes, compresses, and encrypts data.
Component: BlackBerry® Infrastructure
Description: The BlackBerry Infrastructure is designed to communicate with the BlackBerry Enterprise Server Express using SRP, a RIM proprietary protocol.
Component: BlackBerry® Internet Service
Description: The BlackBerry Internet Service is an email and Internet service for BlackBerry devices that is designed to provide subscribers with automatic delivery of email messages, mobile access to email message attachments, and convenient access to Internet content.
Component: UNC/GANC
Description: The UNC/GANC is the gateway for Wi-Fi or mobile communications. The UNC/GANC exists in your organization's gateway only if the wireless service provider supports UMA.
Component: wireless access point for a home Wi-Fi network or hotspot
Description: An access point for a home Wi-Fi network or hotspot permits the BlackBerry device to connect to a home Wi-Fi network or hotspot.
Component: wireless access point for an enterprise Wi-Fi network
Description: An access point for an enterprise Wi-Fi network permits a BlackBerry device to connect to an enterprise Wi-Fi network using strong authentication and link layer security.
Component: wireless service provider
Description: A wireless service provider is a telephone company that provides services for BlackBerry devices.
Component: Wi-Fi enabled BlackBerry device
Description: A Wi-Fi enabled BlackBerry device permits a user to access voice and data services across multiple radio technologies.
Connecting Wi-Fi enabled BlackBerry devices to the BlackBerry Enterprise Server Express over a Wi-Fi connection
Direct connections between BlackBerry devices and the BlackBerry Router over an enterprise Wi-Fi network
Wi-Fi® enabled BlackBerry® devices can open a direct connection to the BlackBerry Router over an enterprise Wi-Fi
network after you configure a Wi-Fi profile for the user accounts. You can use direct connections to the BlackBerry
Router when Wi-Fi enabled BlackBerry devices are located in your organization's existing Wi-Fi environment. When
BlackBerry devices connect to the BlackBerry Router, they can bypass SRP connectivity and authentication to connect
to the BlackBerry® Enterprise Server Express directly.
After BlackBerry devices connect to the Wi-Fi network using a Wi-Fi profile, the BlackBerry devices try to make a
direct IP connection to the BlackBerry Router. With some network architectures, a VPN session might be required
to complete the direct connection to the BlackBerry Router.
Wi-Fi enabled BlackBerry devices include a built-in VPN client that you can configure and assign to any Wi-Fi profile
on the BlackBerry devices. If a direct connection to the BlackBerry Router is possible (with or without a VPN session),
the BlackBerry Enterprise Server Express starts sending data.
Wi-Fi connection when a VPN connection or direct connection between BlackBerry devices and the BlackBerry Router is not possible
If Wi-Fi® enabled BlackBerry® devices cannot connect directly to the BlackBerry Router (with or without a VPN
connection) over a Wi-Fi network that can access the Internet (for example, a home Wi-Fi network or hotspot), the
Wi-Fi enabled BlackBerry devices open SSL connections over the Internet to the BlackBerry® Infrastructure. After the
Wi-Fi enabled BlackBerry devices connect to the BlackBerry Infrastructure, the users' provisioned data services start
to send data to the Wi-Fi enabled BlackBerry devices.
Priority for connections that BlackBerry devices make over a Wi-Fi network
Wi-Fi® enabled BlackBerry® devices connect over a Wi-Fi network to the BlackBerry Router or BlackBerry®
Infrastructure using the best possible connection or combination of available connections in the following order:
• connection to the BlackBerry® Enterprise Server Express or BlackBerry MDS Connection Service over a serial, USB, or Bluetooth® connection that uses the BlackBerry® Device Manager
• connection to the BlackBerry Router from a Wi-Fi network, with or without a VPN connection
• SSL connection through the Internet to the BlackBerry Infrastructure over a Wi-Fi network
• connection to the BlackBerry Infrastructure provided by a wireless service provider that uses the GSM® network, EDGE network, or UMA
The order of connections assumes that all routes to the BlackBerry Router and Internet are available when the Wi-Fi enabled BlackBerry devices connect to the Wi-Fi network.
BlackBerry services that are available over Wi-Fi connections
For more information about supported services and features, contact your organization's wireless service provider.
Not all BlackBerry® data plans support Wi-Fi® access to BlackBerry data services.
When you configure a Wi-Fi network to open a connection (with or without a VPN connection) to the BlackBerry
Router, you can keep all data transfers entirely within the enterprise Wi-Fi network and reduce the routing required.
The table in this section lists, for each BlackBerry service, the connectivity scenarios in which the service is available. The scenarios (table columns) are:
• service provider with GSM®/EDGE network or UMA network
• Wi-Fi network and service provider with GSM/EDGE network
• enterprise Wi-Fi network and service provider with GSM/EDGE network, and no UMA available
• enterprise Wi-Fi network and no service provider with GSM/EDGE network, and no UMA available
• Wi-Fi network and no service provider with GSM/EDGE network or UMA, and no UMA available
BlackBerry services (table rows):
• services from the BlackBerry® Enterprise Server Express (for example, messaging, organizer data synchronization): available in all five scenarios
• services from the BlackBerry® Internet Service (for example, messaging, browsing): available in all five scenarios
• services from the BlackBerry MDS Connection Service (for example, application push, application access, browsing): available in all five scenarios
• voice plan provided by a wireless service provider: available only in the three scenarios that include a service provider with a GSM/EDGE network or UMA network
[The table also marks availability for the following services; the marks for these rows are not legible in this copy.]
• BlackBerry® Messenger
• PIN messaging
• instant messaging using a third-party instant messaging application (for example, Windows® Messenger)
• BlackBerry® Maps
• service provider messaging (for example, SMS)
• content downloading provided by a wireless service provider (for example, ring tones)
• web browsing provided by a wireless service provider (for example, WAP)
IEEE 802.11 wireless networking standards that Wi-Fi enabled BlackBerry devices support
Wi-Fi® enabled BlackBerry® devices support the IEEE® 802.11a™, IEEE® 802.11b™, and IEEE® 802.11g™ wireless
networking standards.
Characteristics of the IEEE 802.11a wireless networking standard that Wi-Fi enabled BlackBerry devices support
fallback speeds: 48, 36, 24, 18, 12, 9, and 6 Mbps
frequency: 5 GHz
maximum speed: 54 Mbps
nonoverlapping channels: up to 19
sources of interference:
• Bluetooth® wireless technology
• some satellite systems
• 5 GHz cordless phones
throughput speed: 23 Mbps
Characteristics of the IEEE 802.11b wireless networking standard that Wi-Fi enabled BlackBerry devices support
fallback speeds: 5.5, 2, and 1 Mbps
frequency: 2.4 GHz
maximum speed: 11 Mbps
nonoverlapping channels: 3
sources of interference:
• Bluetooth® wireless technology
• microwave ovens
• 2.4 GHz cordless phones
throughput speed: 4.5 Mbps
Characteristics of the IEEE 802.11g wireless networking standard that Wi-Fi enabled BlackBerry devices support
fallback speeds: 48, 36, 24, 18, 12, 9, and 6 Mbps
frequency: 2.4 GHz
maximum speed: 54 Mbps
nonoverlapping channels: 3
sources of interference:
• Bluetooth® wireless technology
• microwave ovens
• 2.4 GHz cordless phones
throughput speed: 19 Mbps
Security features of a Wi-Fi enabled BlackBerry device
Feature: activation of BlackBerry® devices over an enterprise Wi-Fi® network
Description: Activation of BlackBerry devices over an enterprise Wi-Fi network is designed to simplify the actions of activating or updating BlackBerry devices.
For more information about activating devices that are associated with the BlackBerry Internet Service over the wireless network, visit www.blackberry.com/go/serverdocs to see the Activating Devices That are Associated With the BlackBerry Internet Service Over the Wireless Network Technical Note.
Feature: authenticated connection with BlackBerry Router
Description: An authenticated connection with a BlackBerry Router permits BlackBerry devices to open a direct connection to the BlackBerry® Enterprise Server Express after they authenticate with the BlackBerry Router.
BlackBerry devices connected to an enterprise Wi-Fi network do not use an SRP connection to send data to the BlackBerry Enterprise Server Express.
Feature: BlackBerry transport layer encryption
Description: BlackBerry transport layer encryption is designed to encrypt messages that the BlackBerry device and the BlackBerry Enterprise Server Express send between each other after they open an authenticated connection.
Feature: direct access to the BlackBerry® Infrastructure over a Wi-Fi connection
Description: Direct access to the BlackBerry Infrastructure over a Wi-Fi connection permits Wi-Fi enabled BlackBerry devices to access BlackBerry services over the Internet, even if UMA is not available.
You can verify with your organization's wireless service provider that your organization's service plan supports access to BlackBerry services over a Wi-Fi connection.
Feature: encrypted communication over the Wi-Fi network
Description: BlackBerry devices support multiple security methods that are designed to encrypt communication over the enterprise Wi-Fi network between the BlackBerry device and wireless access points or a network firewall on the enterprise Wi-Fi network.
Feature: expanded groups of Wi-Fi and VPN configuration settings
Description: Expanded groups of Wi-Fi and VPN configuration settings permit you to control Wi-Fi connections from BlackBerry devices.
Feature: limited connections
Description: Wi-Fi enabled BlackBerry devices are designed to reject incoming connections, to support limited connections in infrastructure mode only, and to prevent ad-hoc mode (also known as peer-to-peer) connections.
Feature: multiple Wi-Fi and VPN profiles
Description: Multiple Wi-Fi and VPN profiles are designed to address user requirements in a variety of different environments.
Feature: proxy server
Description: The BlackBerry device supports the use of a transparent proxy server that you can configure between the enterprise Wi-Fi network and the BlackBerry device.
Feature: software token provisioning
Description: Software token provisioning is designed to permit you to provision and manage the seed for software token authentication (for example, for VPN connections) centrally on BlackBerry devices.
The BlackBerry Enterprise Server Express is designed to work with the RSA® Authentication Manager to provide software token support for use with layer 2 and layer 3 authentication on supported BlackBerry devices.
Feature: wireless backup of Wi-Fi and VPN profiles
Description: Wireless backup of Wi-Fi and VPN profiles on BlackBerry devices over a Wi-Fi connection permits users to restore the profiles, if necessary.
Feature: wireless software updates
Description: Wireless software updates permit users to update the BlackBerry® Device Software without using the BlackBerry® Desktop Software or first downloading the software update to a computer.
6 BlackBerry Enterprise Server process flows
Messaging process flows
Process flow: Sending a message to a BlackBerry device
1. A message arrives in a user’s mailbox. Microsoft® Exchange notifies the BlackBerry® Messaging Agent.
2. The BlackBerry Messaging Agent applies global filter rules to the messages in the user’s mailbox and filters the messages that match the filter criteria. If global filter rules do not apply, the BlackBerry Messaging Agent applies filter rules that the user specified to the messages in the user’s mailbox.
3. The BlackBerry Messaging Agent sends the first 2 KB of the message (plain text, or in an HTML message, the equivalent to 2 KB of plain text) to the BlackBerry Dispatcher.
4. The BlackBerry Dispatcher compresses the first 2 KB of the message, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted data to the BlackBerry Router.
5. The BlackBerry Router sends the encrypted data to the wireless network over port 3101, or over port 4101 if the BlackBerry device is a Wi-Fi® enabled BlackBerry device that is connected to the enterprise Wi-Fi network.
6. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network, and sends the message data to the BlackBerry device.
7. The BlackBerry device sends a delivery confirmation to the BlackBerry Dispatcher. The BlackBerry Dispatcher sends the delivery confirmation to the BlackBerry Messaging Agent. If the BlackBerry Messaging Agent does not receive a delivery confirmation within four hours, it sends the message to the wireless network again. The delivery confirmation verif
ies that the wireless network delivered the message to the BlackBerry device, but it does not verify that the user received or opened the message.
8. The BlackBerry device decrypts and decompresses the message so that the user can view it, and notifies the user that the message arrived.
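The Dispatcher and device steps of the flow above (take the first 2 KB, compress it, encrypt it with the 256-bit device transport key using AES in CBC mode, then reverse the steps on the device) as an added Go example that is not BlackBerry's code. The overview names neither the compression algorithm nor the padding scheme, so DEFLATE and PKCS#7 are assumptions, and the key and message body used in the test are constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

const (
	firstChunkBytes   = 2048 // the first 2 KB that the Messaging Agent hands to the Dispatcher
	transportKeyBytes = 32   // the 256-bit device transport key
)

// FirstChunk returns the first 2 KB of the plain-text body, or the whole body if it is shorter.
func FirstChunk(body []byte) []byte {
	if len(body) > firstChunkBytes {
		return body[:firstChunkBytes]
	}
	return body
}

// pkcs7Pad brings the compressed data up to a whole number of AES blocks (assumed scheme).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// compress uses DEFLATE as a stand-in; the overview does not name the compression algorithm.
func compress(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails for an invalid level
	w.Write(plain)                                           // writes to a bytes.Buffer cannot fail
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(c []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(c))
	defer r.Close()
	return io.ReadAll(r)
}

// EncryptForDevice does what step 4 describes for the Dispatcher: keep the first
// 2 KB, compress it, then encrypt it with the device transport key using AES-256
// in CBC mode. A fresh random IV is prepended to the ciphertext.
func EncryptForDevice(transportKey, body []byte) ([]byte, error) {
	if len(transportKey) != transportKeyBytes {
		return nil, errors.New("device transport key must be 256 bits")
	}
	comp, err := compress(FirstChunk(body))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(transportKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(comp)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptOnDevice reverses the pipeline (step 8): decrypt, strip the padding,
// decompress. CBC carries no integrity check, so a wrong key is noticed only
// because the padding or the DEFLATE stream is almost certainly corrupt.
func DecryptOnDevice(transportKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(transportKey)
	if err != nil || len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or message length")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	comp, err := pkcs7Unpad(padded)
	if err != nil {
		return nil, err
	}
	return decompress(comp)
}
```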
Process flow: Sending a message from a BlackBerry device
This process flow applies to new messages, reconciled messages (messages that a user moved, deleted, or marked
as read or unread), and wireless calendar entries.
1. A user sends a message from a BlackBerry® device.
2. The BlackBerry device assigns a RefId to the message. If the message is a meeting invitation or calendar entry, the BlackBerry device appends the calendar information to the message. The BlackBerry device compresses and encrypts the message, and sends the message to the wireless network over port 3101, or over port 4101 if the BlackBerry device is a Wi-Fi® enabled BlackBerry device that is connected to the enterprise Wi-Fi network. The wireless network sends the message to the BlackBerry® Enterprise Server Express.
3. The BlackBerry Enterprise Server Express accepts only encrypted messages from the BlackBerry device. The BlackBerry Dispatcher uses the device transport key of the BlackBerry device to decrypt and decompress the message. If the BlackBerry Dispatcher cannot decrypt the message using the device transport key, the BlackBerry Enterprise Server Express ignores the message and sends an error message to the BlackBerry device.
4. The BlackBerry Messaging Agent sends the message to the user’s email application.
5. The BlackBerry Messaging Agent sends a copy of the message to the Sent Items view in the user’s email application.
6. The messaging server delivers the message to the recipients.
Process flow: Sending a message that contains an attachment from a BlackBerry device
1.
A user attaches a file to a message on a BlackBerry® device and sends the message.
55
Feature and Technical Overview
•
•
2.
3.
4.
5.
6.
7.
Messaging process flows
If the BlackBerry device is not running BlackBerry® Device Software version 4.2 or later, and if the BlackBerry
device does not have a CMIME service book that indicates that the BlackBerry® Enterprise Server Express
supports attachment uploads, the Add Attachment menu item does not appear on the BlackBerry device.
If the user tries to attach a file that exceeds the maximum file size that you specified, a notification appears
and the user cannot attach the file.
The BlackBerry device compresses and encrypts the message, and sends the message to the wireless network
over port 3101.
The BlackBerry device formats the header of the message to indicate that a large attachment is part of the
message. The BlackBerry device does not send the attachment content.
The wireless network sends the message to the BlackBerry Enterprise Server Express.
The BlackBerry Dispatcher decrypts and decompresses the message using the device transport key of the
BlackBerry device.
If the BlackBerry Dispatcher cannot decrypt the message using the device transport key, the BlackBerry
Enterprise Server Express ignores the message and sends an error message to the BlackBerry device.
The BlackBerry Messaging Agent stores the message properties in the user’s mailbox.
The BlackBerry Messaging Agent sends a request for the attachment content through the BlackBerry Dispatcher
to the BlackBerry device.
The BlackBerry device sends the attachment content through the BlackBerry Dispatcher to the BlackBerry
Messaging Agent.
If the file size of the attachment content exceeds a single data packet, the BlackBerry device divides the content
into multiple data packets and sends the data packets to the BlackBerry Messaging Agent.
The BlackBerry Messaging Agent verifies the validity of the attachment content, and stores the content in
memory as the content arrives.
During the delivery of the attachment content, if the BlackBerry Messaging Agent does not receive content from
the BlackBerry device for 15 minutes, the BlackBerry Messaging Agent cancels the message, deletes the partial
attachment content from temporary storage, and sends an error message to the BlackBerry device.
After all of the attachment content arrives, the BlackBerry Messaging Agent checks for other attachments that
might be part of the same message.
• If other attachments exist, the BlackBerry Messaging Agent requests the attachment content.
• If no additional attachments exist, the BlackBerry Messaging Agent finishes processing the message and
sends the message to the user’s email application.
The messaging server delivers the message to the intended recipients.
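The upload exchange in steps 5 to 7 above, as a runnable model (an added example, not RIM's code): the Messaging Agent side requests each attachment in turn, accepts the content in data packets, keeps the partial content in memory, discards it and reports an error after 15 minutes without a packet, and requests the next attachment when one completes. The packet size, the sequence-number and declared-size checks that stand in for "verifies the validity of the attachment content", and the configured maximum size are assumptions.

```python
from dataclasses import dataclass, field

INACTIVITY_TIMEOUT_S = 15 * 60          # page: no content for 15 minutes cancels the message
MAX_ATTACHMENT_BYTES = 3 * 1024 * 1024  # constructed stand-in for "the maximum file size that you specified"
PACKET_BYTES = 4096                     # constructed data-packet size; the page gives no figure

@dataclass
class AttachmentHeader:
    """What the device sends first: a marker for a large attachment, not its content (fields assumed)."""
    name: str
    declared_size: int

@dataclass
class PartialUpload:
    header: AttachmentHeader
    chunks: list = field(default_factory=list)   # temporary in-memory storage for arriving content
    received: int = 0
    next_seq: int = 0
    last_activity: float = 0.0

class UploadSession:
    """Messaging Agent side of one message that carries one or more large attachments."""

    def __init__(self, headers, now):
        self.pending = list(headers)
        self.completed = {}        # name -> bytes, ready to go to the email application
        self.current = None
        self.status = "awaiting_content"
        self.device_errors = []    # error messages that would be sent back to the device
        self.request_next(now)

    def request_next(self, now):
        """Steps 5 and 7: request the next attachment's content, or finish the message."""
        if not self.pending:
            self.current = None
            self.status = "complete"
            return None
        hdr = self.pending.pop(0)
        if hdr.declared_size > MAX_ATTACHMENT_BYTES:   # server-side size check (assumption)
            self._cancel(f"{hdr.name}: declared size exceeds the configured maximum")
            return None
        self.current = PartialUpload(hdr, last_activity=now)
        return hdr.name

    def check_timeout(self, now):
        """Timer hook: cancel the whole message after 15 minutes without content."""
        up = self.current
        if up is not None and now - up.last_activity >= INACTIVITY_TIMEOUT_S:
            self._cancel(f"{up.header.name}: no content received for 15 minutes")
        return self.status

    def receive_packet(self, now, seq, data):
        """Step 6: one data packet from the device; verify it before keeping it."""
        up = self.current
        if up is None:
            return "ignored"
        if self.check_timeout(now) == "cancelled":
            return "cancelled"
        if seq != up.next_seq:
            self._cancel(f"{up.header.name}: packet {seq} out of order, expected {up.next_seq}")
            return "cancelled"
        if len(data) > PACKET_BYTES or up.received + len(data) > up.header.declared_size:
            self._cancel(f"{up.header.name}: content exceeds the declared size")
            return "cancelled"
        up.chunks.append(bytes(data))
        up.received += len(data)
        up.next_seq += 1
        up.last_activity = now
        if up.received == up.header.declared_size:
            self.completed[up.header.name] = b"".join(up.chunks)
            self.request_next(now)
            return "attachment_complete"
        return "more"

    def _cancel(self, reason):
        """Page: cancel the message, delete partial content from temporary storage, notify the device."""
        if self.current is not None:
            self.current.chunks.clear()
        self.current = None
        self.pending.clear()
        self.completed.clear()
        self.status = "cancelled"
        self.device_errors.append(reason)

def split_into_packets(content):
    """Device side: divide content that does not fit in one data packet into several."""
    return [content[i:i + PACKET_BYTES] for i in range(0, len(content), PACKET_BYTES)]

def demo_two_attachments():
    """Constructed walk-through: two attachments arrive in order, one second apart per packet."""
    first, second = b"A" * 10000, b"B" * 500
    headers = [AttachmentHeader("a.pdf", len(first)), AttachmentHeader("b.txt", len(second))]
    session, now = UploadSession(headers, now=0.0), 1.0
    for content in (first, second):
        for seq, packet in enumerate(split_into_packets(content)):
            session.receive_packet(now, seq, packet)
            now += 1.0
    return session
```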
Process flow: Searching an organization's address book from a BlackBerry device
1. A user searches for a contact on a BlackBerry® device.
2. The BlackBerry device assigns a RefId to the search request, compresses and encrypts the request, and sends the request to the BlackBerry® Enterprise Server Express over port 3101.
3. The BlackBerry Dispatcher decrypts and decompresses the request using the device transport key of the BlackBerry device, and sends the request to the BlackBerry Messaging Agent.
4. The BlackBerry Messaging Agent searches the GAL on the Microsoft® Exchange server and retrieves the 20 closest matches for the contact lookup request.
5. The BlackBerry Messaging Agent sends the contact lookup results to the BlackBerry Dispatcher.
6. The BlackBerry Dispatcher encrypts the results using the device transport key of the BlackBerry device, compresses the encrypted data, and sends it to the BlackBerry Router for delivery to the BlackBerry device.
7. The BlackBerry Router sends the encrypted data to the wireless network over port 3101.
8. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network, and sends the encrypted data to the BlackBerry device.
9. The BlackBerry device sends a delivery confirmation to the BlackBerry Dispatcher, which sends it to the BlackBerry Messaging Agent.
   If the BlackBerry Enterprise Server Express does not receive a delivery confirmation within four hours, it resubmits the contact lookup results to the wireless network.
10. The BlackBerry device decrypts and decompresses the contact lookup results with the device transport key so that the user can view them on the BlackBerry device or add them to the contact list on the BlackBerry device.
Message attachment process flows
Process flow: Viewing a message attachment
1. A user receives a message with an attachment on a BlackBerry® device.
2. The BlackBerry Messaging Agent verifies that the format of the attachment is valid for conversion.
   If the format is not valid and the user’s BlackBerry device is Java® based, the Open Attachment menu item does not appear on the user’s BlackBerry device.
3. The user clicks the Open Attachment menu item to view the attachment on the BlackBerry device. The attachment viewer sends the request to the BlackBerry Messaging Agent.
4. The BlackBerry Messaging Agent connects to the BlackBerry Attachment Service over port 1900.
5. The BlackBerry Attachment Service retrieves the attachment in binary format from the user’s message store using the BlackBerry Messaging Agent link to the messaging server.
6. The BlackBerry Attachment Service distills the attachment and extracts the content, layout, appearance, and navigation information from the attachment. The BlackBerry Attachment Service organizes, stores, and links the information in a proprietary DOM in a binary XML style. The BlackBerry Attachment Service formats the attachment for the BlackBerry device and converts it to UCS format. The formatting is based on the request for content (for example, page and paragraph information, or search words) and the available BlackBerry device information (for example, screen size, display, or available space). The BlackBerry Attachment Service sends the UCS data to the BlackBerry Messaging Agent using a TCP/IP connection over port 1900.
7. The BlackBerry Messaging Agent sends the converted attachment to the BlackBerry Dispatcher.
8. The BlackBerry Dispatcher compresses the first portion of the attachment, encrypts it using the device transport key of the BlackBerry device, and sends the first portion of the attachment to the BlackBerry Router.
9. The BlackBerry Router sends the first portion of the attachment to the wireless network over port 3101.
10. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network.
11. The wireless network delivers the attachment to the BlackBerry device.
12. The BlackBerry device sends a delivery confirmation to the BlackBerry Dispatcher, which sends it to the BlackBerry Messaging Agent. If the BlackBerry® Enterprise Server Express does not receive a delivery confirmation within 4 hours, it sends the attachment data to the wireless network again.
13. The BlackBerry device uses its device transport key to decrypt and decompress the attachment so that the user can view the attachment.
14. The user views the attachment on the BlackBerry device by selecting a section from the table of contents, or by viewing the full attachment. The original formatting of the attachment, including indents, tables, fonts, and bullets, is reflected on the BlackBerry device.
Process flow: Viewing an attachment using a link
1. A user clicks the Get Link menu item to view an attachment on a BlackBerry® device.
2. The BlackBerry device sends the request to the BlackBerry® Enterprise Server Express over port 3101.
3. The BlackBerry Dispatcher sends the request to the BlackBerry MDS Connection Service over port 3200.
4. The BlackBerry MDS Connection Service creates an HTTP session for the user and sends the request to the web server.
5. The BlackBerry MDS Connection Service retrieves the requested content and sends it to the BlackBerry Attachment Service.
6. The BlackBerry Attachment Service extracts the content, layout, appearance, and navigation information from the attachment and organizes, stores, and links the information in a proprietary DOM in a binary XML style. The BlackBerry Attachment Service formats the attachment for the BlackBerry device and converts it to UCS format. The formatting is based on the request for content (for example, page and paragraph information, or search words) and the available BlackBerry device information (for example, screen size, display, or available space).
7. The BlackBerry Attachment Service sends the converted attachment to the BlackBerry MDS Connection Service using HTTP.
8. The BlackBerry MDS Connection Service sends the first 250 KB of content to the BlackBerry Dispatcher over port 3200.
9. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router.
10. The BlackBerry Router sends the encrypted content to the BlackBerry device.
11. The BlackBerry device uses its device transport key to decrypt and decompress the attachment content so that the user can view the attachment.
12. The user views the attachment on the BlackBerry device using the browser plug-in for the attachment viewer. The attachment viewer processes 3 KB at a time.
Organizer data process flows
Process flow: Synchronizing organizer data for the first time on a BlackBerry device
1. A user activates a new BlackBerry® device or upgrades an existing BlackBerry device and receives the service book for the BlackBerry Synchronization Service.
2. The BlackBerry device requests the synchronization configuration information from the BlackBerry Synchronization Service.
   The configuration information indicates whether wireless data synchronization on the BlackBerry® Enterprise Server Express is turned on, and which database can be synchronized. The configuration information also provides database synchronization types and conflict resolution settings. All data that the BlackBerry device and BlackBerry Enterprise Server Express send between each other is compressed and encrypted.
3. The BlackBerry Synchronization Service returns the configuration information and synchronizes the databases using that information.
   A synchronization agent on the BlackBerry device tracks which databases can be synchronized over the wireless network. If data already exists on both the BlackBerry device and BlackBerry Enterprise Server Express, the BlackBerry Synchronization Service merges, adds, or updates the records during the synchronization process. If data exists on only the BlackBerry device or BlackBerry Enterprise Server Express, the BlackBerry Synchronization Service restores the data from the appropriate location. The BlackBerry device and BlackBerry Enterprise Server Express do not delete records during the initial synchronization process.
   After the BlackBerry Synchronization Service registers a database for wireless data synchronization, it can no longer be synchronized or restored using the BlackBerry® Desktop Software.
The initial synchronization process is complete when the data on the BlackBerry device and the data on the BlackBerry Enterprise Server Express are synchronized. Future changes on the BlackBerry device or BlackBerry Enterprise Server Express are synchronized over the wireless network.
If the user changes data on the BlackBerry device or in the organizer application on the user's computer during the initial synchronization process, the BlackBerry Synchronization Service synchronizes the changes after the initial synchronization completes.
If the user connects the BlackBerry device to a computer that is running the BlackBerry® Device Manager, the initial synchronization process can occur over the connection to the BlackBerry Router instead of over the wireless network.
Process flow: Synchronizing subsequent changes to organizer data
1. A user saves a change to the organizer data or BlackBerry® device settings (for example, a new AutoText entry) on a BlackBerry device or in the organizer application on the user's computer.
2. Depending on where the user made the change, the BlackBerry device or the BlackBerry® Enterprise Server Express adds the change to a changelist and sends the changelist to the BlackBerry Synchronization Service. The changelist includes the target database and record information for the organizer application.
3. The BlackBerry Synchronization Service sends a change to organizer data over the wireless network, along with other entries in the changelist for the user.
   The BlackBerry Synchronization Service sends other changes, including BlackBerry device information, time zone information, and backup and restore data, at the batch synchronization interval that is set on the BlackBerry Enterprise Server Express. By default, the batch synchronization interval is 10 minutes.
   To prevent synchronization errors, the BlackBerry Enterprise Server Express and BlackBerry device can send only a single changelist at a time for a user account.
4. The BlackBerry Synchronization Service writes a synchronization request entry to the SynchRequest table of the BlackBerry Configuration Database, and sends the changed records to the BlackBerry Dispatcher.
5. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router for delivery to the BlackBerry device. The BlackBerry device sends a delivery confirmation to the BlackBerry Synchronization Service for each record that it receives.
6. The BlackBerry Synchronization Service receives delivery confirmations, deletes the corresponding synchronization request entries from the SyncRequest table, and writes an entry to the SyncRecordState table for each delivery confirmation.
   Each organizer database record has a unique identifier that is mapped to a corresponding record on the BlackBerry device.
Process flow: Adding a contact picture on a BlackBerry device
1. A user adds a picture to a contact in the address book on a BlackBerry® device and saves the change.
2. The BlackBerry device creates a changelist request to synchronize the changed record. The changelist request includes the updated record information and identifies the address book as the target for the update. The BlackBerry device compresses and encrypts the request, and sends the request to the BlackBerry Dispatcher over port 3101.
3. The BlackBerry Dispatcher uses the device transport key of the BlackBerry device to decrypt and decompress the request, and sends the request to the BlackBerry Synchronization Service.
4. The BlackBerry Synchronization Service receives the changelist request, writes a synchronization request entry in the SynchRequest table of the BlackBerry Configuration Database, and sends the changed record to the BlackBerry Dispatcher.
5. The BlackBerry Dispatcher sends the changed record, in XML format, to the BlackBerry Messaging Agent.
   If the file size of the picture exceeds 32 KB, the BlackBerry Messaging Agent rejects the synchronization request.
6. The BlackBerry Messaging Agent sends the changed record to the messaging server.
7. The messaging server updates the user’s personal contact list.
8. The BlackBerry Messaging Agent sends a delivery confirmation to the BlackBerry Dispatcher.
9. The BlackBerry Dispatcher sends the delivery confirmation to the BlackBerry Synchronization Service.
10. The BlackBerry Synchronization Service deletes the synchronization request entry from the SyncRequest table, writes an entry in the SyncRecordState table, and sends the delivery confirmation to the BlackBerry Dispatcher.
11. The BlackBerry Dispatcher encrypts the results using the device transport key of the BlackBerry device, compresses them, and sends them to the BlackBerry Router.
12. The BlackBerry Router sends the results to the wireless network over port 3101.
13. The wireless network verifies that the PIN belongs to a valid BlackBerry device and sends the delivery confirmation to the BlackBerry device.
   If the BlackBerry device does not receive the delivery confirmation from the wireless network within 20 minutes, it sends the synchronization request to the wireless network again. If the BlackBerry device does not receive the delivery confirmation within 8 hours, it stops resending the synchronization request to the wireless network.
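Both synchronization flows above, as a runnable model (an added example, not RIM's code): the server side writes one SyncRequest entry per record, allows a single changelist at a time per user account, rejects a contact picture over 32 KB, and on each delivery confirmation deletes the SyncRequest entry and writes a SyncRecordState entry; the device side resends an unconfirmed request every 20 minutes and stops after 8 hours. The table columns, the "AddressBook" database name, and clearing a rejected request rather than retrying it are assumptions.

```python
from dataclasses import dataclass

MAX_CONTACT_PICTURE_BYTES = 32 * 1024   # page: the Messaging Agent rejects larger contact pictures
DEVICE_RETRY_INTERVAL_S = 20 * 60       # page: the device resends after 20 minutes without confirmation
DEVICE_RETRY_LIMIT_S = 8 * 60 * 60      # page: the device stops resending after 8 hours

@dataclass
class Record:
    uid: str              # unique identifier mapped to the corresponding device-side record
    database: str         # target database named in the changelist ("AddressBook" is a constructed name)
    picture: bytes = b""  # contact picture, if any (constructed field)

@dataclass
class Changelist:
    user: str
    records: list

class SyncService:
    """Server-side bookkeeping. The table names are the page's; their columns are assumed."""

    def __init__(self):
        self.sync_request = {}        # (user, uid) -> database: sent but not yet confirmed
        self.sync_record_state = []   # (user, uid, database, state): one entry per confirmation
        self.in_flight = set()        # user accounts that already have a changelist in progress

    def submit(self, cl):
        """Step 4: accept a changelist and write one SyncRequest entry per record."""
        if cl.user in self.in_flight:
            return []                 # page: only a single changelist at a time per user account
        for rec in cl.records:
            self.sync_request[(cl.user, rec.uid)] = rec.database
        if cl.records:
            self.in_flight.add(cl.user)
        return [rec.uid for rec in cl.records]

    def messaging_agent_apply(self, user, rec):
        """Contact-picture flow, step 5: the Messaging Agent checks the record before storing it."""
        if len(rec.picture) > MAX_CONTACT_PICTURE_BYTES:
            self._close(user, rec.uid, "rejected")   # assumption: a rejected request is cleared, not retried
            return "rejected"
        return "stored"

    def confirm_delivery(self, user, uid):
        """Step 6: delete the SyncRequest entry and write a SyncRecordState entry."""
        if (user, uid) not in self.sync_request:
            return False              # duplicate or unknown confirmation: nothing to update
        self._close(user, uid, "delivered")
        return True

    def _close(self, user, uid, state):
        database = self.sync_request.pop((user, uid))
        self.sync_record_state.append((user, uid, database, state))
        if not any(u == user for (u, _) in self.sync_request):
            self.in_flight.discard(user)   # the account may now send its next changelist

class DeviceRetry:
    """Device side: resend an unconfirmed request every 20 minutes, stop after 8 hours."""

    def __init__(self, sent_at):
        self.first_sent = self.last_sent = sent_at
        self.sends = 1
        self.confirmed = self.given_up = False

    def tick(self, now):
        if self.confirmed or self.given_up:
            return "idle"
        if now - self.first_sent >= DEVICE_RETRY_LIMIT_S:
            self.given_up = True
            return "gave_up"
        if now - self.last_sent >= DEVICE_RETRY_INTERVAL_S:
            self.last_sent, self.sends = now, self.sends + 1
            return "resent"
        return "waiting"

def demo_contact_picture():
    """Constructed walk-through: a 1 KB picture syncs, a 40 KB one is rejected, a second changelist waits."""
    svc = SyncService()
    small = Record("c-1", "AddressBook", b"\x89PNG" + b"\0" * 1000)
    large = Record("c-2", "AddressBook", b"\x89PNG" + b"\0" * (40 * 1024))
    svc.submit(Changelist("alice", [small, large]))
    blocked = svc.submit(Changelist("alice", [Record("c-3", "AddressBook")]))
    outcomes = {rec.uid: svc.messaging_agent_apply("alice", rec) for rec in (small, large)}
    svc.confirm_delivery("alice", "c-1")
    return svc, outcomes, blocked

def demo_unconfirmed_device(poll_interval_s=60):
    """Constructed walk-through: no confirmation ever arrives; count how often the device resends."""
    retry = DeviceRetry(sent_at=0)
    now = 0
    while not retry.given_up:
        now += poll_interval_s
        retry.tick(now)
    return retry.sends, now
```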
Mobile data process flows
Process flow: Requesting BlackBerry Browser content on a BlackBerry device
1. A user requests Internet or intranet content from your organization's content server using the BlackBerry® Browser on a BlackBerry device.
2. The BlackBerry device sends the request to the BlackBerry® Enterprise Server Express over port 3101.
3. The BlackBerry Dispatcher sends the request to the BlackBerry MDS Connection Service over port 3200.
4. The BlackBerry MDS Connection Service creates an HTTP session for the user and retrieves the requested Internet or intranet content from the content server.
5. The BlackBerry MDS Connection Service converts the content so that the user can view it on the BlackBerry device, and sends the content to the BlackBerry Dispatcher over port 3200.
6. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router.
7. The BlackBerry Router sends the encrypted content to the wireless network over port 3101.
8. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network and sends the encrypted content to the BlackBerry device.
9. The BlackBerry device sends a delivery confirmation to the BlackBerry Router, and decrypts and decompresses the content so that the user can view it in the BlackBerry Browser.
   If the BlackBerry MDS Connection Service does not receive a delivery confirmation within the flow control timeout limit, it sends a message to the wireless network to delete the pending content.
Process flow: Requesting BlackBerry Browser content while access control is turned on for the BlackBerry MDS Connection Service
1. A user requests Internet or intranet content from your organization's content server using the BlackBerry® Browser on a BlackBerry device.
2. The BlackBerry device sends the request to the BlackBerry® Enterprise Server Express over port 3101.
3. The BlackBerry Dispatcher sends the request to the BlackBerry MDS Connection Service over port 3200.
4. The BlackBerry MDS Connection Service checks the BlackBerry Configuration Database to verify whether pull authorization is turned on, and whether the user has permission to pull content from the specified content server.
   If the user does not have permission to pull content from the specified content server, the BlackBerry MDS Connection Service rejects the request and sends an error message to the BlackBerry device.
5. The BlackBerry MDS Connection Service creates an HTTP session for the user and sends the user’s authentication credentials to the content server. If the user authenticates, the BlackBerry MDS Connection Service sends the HTTP request to the content server. If the user does not authenticate, the BlackBerry Browser displays an "HTTP 403 Error" message, and prompts the user to type the correct credentials.
6. The BlackBerry MDS Connection Service retrieves the content from the content server, converts it so that the user can view it on the BlackBerry device, and sends the content to the BlackBerry Dispatcher over port 3200.
7. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router.
8. The BlackBerry Router sends the encrypted content to the wireless network over port 3101.
9. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network and sends the encrypted content to the BlackBerry device.
10. The BlackBerry device sends a delivery confirmation to the BlackBerry Router, and decrypts and decompresses the content so that the user can view it in the BlackBerry Browser.
   If the BlackBerry MDS Connection Service does not receive a delivery confirmation within the flow control timeout limit, it sends a message to the wireless network to delete the pending content.
Process flow: Requesting BlackBerry Browser content with two-factor authentication turned on
1. A user requests Internet or intranet content from your organization's content server using the BlackBerry® Browser on a BlackBerry device.
2. The BlackBerry device sends the request to the BlackBerry® Enterprise Server Express over port 3101.
3. The BlackBerry Dispatcher sends the request to the BlackBerry MDS Connection Service over port 3200.
4. The BlackBerry MDS Connection Service checks whether the user's BlackBerry device is running an authenticated connection that can support the content request.
   If the BlackBerry device is not running an authenticated connection, the BlackBerry MDS Connection Service redirects the user to a login web page. If the user logs in, using an RSA SecurID® user name and passcode, the BlackBerry MDS Connection Service creates a connection to the content server. By default, the BlackBerry device caches the user’s information for 24 hours of activity on the authenticated connection, or 60 minutes of inactivity.
5. The BlackBerry MDS Connection Service creates an HTTP session for the user and retrieves the Internet or intranet content from the content server. The BlackBerry MDS Connection Service converts the content so that the user can view it on the BlackBerry device, and sends the content to the BlackBerry Dispatcher over port 3200.
6. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router.
7. The BlackBerry Router sends the encrypted content to the wireless network over port 3101.
8. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network and sends the encrypted content to the BlackBerry device.
9. The BlackBerry device sends a delivery confirmation to the BlackBerry Router, and decrypts and decompresses the content so that the user can view it in the BlackBerry Browser.
   If the BlackBerry MDS Connection Service does not receive a delivery confirmation within the flow control timeout limit, it sends a message to the wireless network to delete the pending content.
Process flow: Pushing application content to a BlackBerry device
1. A push application on an application server or a content server behind your organization's firewall sends an HTTP POST request to a central push server over the listen port for the content server. The default port number is 8080.
   You can define one or more instances of the BlackBerry® MDS Connection Service in a BlackBerry Domain as a central push server. A push application specifies the BlackBerry® Enterprise Server Express host name and the connection port number that the BlackBerry MDS Connection Service listens on.
2. The central push server checks the BlackBerry Configuration Database for the following information about the intended recipients of the application content: the PINs that are associated with the user accounts, whether the PINs are enabled for the BlackBerry MDS Connection Service, and the active BlackBerry Enterprise Server Express instances that the users are located on.
   User accounts that do not appear in the BlackBerry Configuration Database, or that are pending deletion, cannot receive the push content.
3. The central push server responds to the push application to acknowledge that it is processing the request, and sends the push content to the BlackBerry MDS Connection Service instances that have active, primary connections to the BlackBerry Enterprise Server Express instances.
4. The BlackBerry MDS Connection Service converts the content so that the user can view it on the BlackBerry device, and sends the content to the BlackBerry Dispatcher over port 3200.
5. The BlackBerry Dispatcher compresses the content, encrypts it using the device transport key of the BlackBerry device, and sends the encrypted content to the BlackBerry Router.
6. The BlackBerry Router sends the encrypted content to the wireless network over port 3101.
7. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network, and sends the encrypted content to the BlackBerry device.
8. The BlackBerry device sends a delivery confirmation to the BlackBerry Router.
   If the BlackBerry MDS Connection Service does not receive a delivery confirmation within the flow control timeout limit, it sends a message to the wireless network to delete the pending content.
9. The BlackBerry device decrypts and decompresses the content.
10. The BlackBerry Application detects the incoming content by listening on a port number that the application developer specified. For example, the BlackBerry® Browser listens for push application connections on port 7874. The application displays the content on the BlackBerry device when the user runs the application.
Process flow: Installing a BlackBerry Java Application on a BlackBerry device over the wireless network
1. A developer creates a BlackBerry® Java® Application using the BlackBerry® Java® Development Environment or another Java authoring tool. The developer produces an application bundle.
   The application bundle contains an .alx file that stores information about the attributes of the BlackBerry Java Application, including the author name, a description of the application, and copyright information.
2. In the BlackBerry Administration Service, you publish the application bundle to the application repository.
3. You create a software configuration and add the BlackBerry Java Application to the software configuration. You specify that the application is required, assign an application control policy to the application, and specify wireless delivery to BlackBerry devices.
4. You assign the software configuration to a group.
5. The BlackBerry Administration Service creates a deployment job.
   A deployment job represents the objects that must be sent to each user's BlackBerry device and consists of multiple tasks. Each task manages the delivery of an object (for example, a BlackBerry Java Application, an access control policy, or an IT policy) to a BlackBerry device.
6. The delivery manager component of the BlackBerry Administration Service receives tasks to send a BlackBerry Java Application to BlackBerry devices. The BlackBerry Administration Service exports the files for the BlackBerry Java Application to a shared network folder.
7. The delivery manager converts the tasks into send module commands, queues send module commands into logical groups for each user, and sends the send module commands to the BlackBerry Policy Service. Separate applications are queued in separate groups.
8. The BlackBerry Policy Service processes the send module commands in the queue in sequence. When the BlackBerry Policy Service processes a group of send module commands, it retrieves the data for the BlackBerry Java Application from the shared network folder, and sends the send module commands with the application data to the BlackBerry Dispatcher.
   If the send module commands are less than 56 KB, the BlackBerry Policy Service sends them in one data packet. If the send module commands exceed 56 KB, the BlackBerry Policy Service sends them in multiple data packets.
9. The BlackBerry Dispatcher sends the send module commands to the BlackBerry Router.
10. The BlackBerry Router sends the send module commands to a BlackBerry device over the wireless network.
11. The BlackBerry device installs the BlackBerry Java Application. The BlackBerry device sends an acknowledgement packet for the BlackBerry Java Application to the BlackBerry Router.
12. The BlackBerry Router sends the acknowledgement packet to the BlackBerry Dispatcher.
13. The BlackBerry Dispatcher delivers the acknowledgement packet to the BlackBerry Policy Service.
14. The BlackBerry Policy Service clears the send module commands for the BlackBerry device from the queue and processes the next group of send module commands that are in the queue.
15. The BlackBerry Administration Service displays that the BlackBerry Java Application was delivered to the BlackBerry device.
   If the BlackBerry device does not receive all of the send module commands within 4 hours, the BlackBerry device sends a failure acknowledgement packet to the BlackBerry Policy Service. The BlackBerry Administration Service detects the failure acknowledgement packet and displays an installation failure message for the BlackBerry device.
BlackBerry device management process flows
Process flow: Activating a BlackBerry device over the wireless network
1. A user receives or purchases a new BlackBerry® device.
2. The user contacts your organization's IT department to activate the BlackBerry device.
3. You create a temporary activation password for the user account and communicate the password to the user. The password applies to the user account only.
4. To activate the BlackBerry device over the wireless network, the user opens the activation application on the BlackBerry device and types the appropriate email address and activation password. If the device is associated with the BlackBerry® Internet Service, the user must download and install the Enterprise Activation application for BlackBerry® smartphones from the BlackBerry App World™ storefront. The user must run the application and type the appropriate work email address and activation password.
5. The BlackBerry device sends an activation request message to the email account. The message contains information about the BlackBerry device, such as routing information and the public keys for the BlackBerry device.
6. The BlackBerry® Enterprise Server Express sends the BlackBerry device an activation response that contains routing information about the BlackBerry Enterprise Server Express and the public keys for the BlackBerry Enterprise Server Express.
7. The BlackBerry Enterprise Server Express and BlackBerry device establish a device transport key. The BlackBerry Enterprise Server Express and BlackBerry device confirm knowledge of the device transport key to each other. If the confirmation is successful, the activation proceeds and further communication between the BlackBerry Enterprise Server Express and BlackBerry device is encrypted.
8. The BlackBerry Enterprise Server Express sends an IT policy to the BlackBerry device. If the BlackBerry device cannot accept the IT policy, the activation process does not complete.
9. The BlackBerry Enterprise Server Express sends the appropriate service books (for example, the messaging service book, wireless calendar service book, browser service book, and other service books) to the BlackBerry device. The user can now send messages from and receive messages on the BlackBerry device.
10. If the user account is configured for wireless synchronization, and if wireless backup and wireless calendar synchronization on the BlackBerry device are turned on, the BlackBerry Enterprise Server Express sends user data to the BlackBerry device.
Process flow: Resending an IT policy to a BlackBerry device manually
1. You click a user account, and then click Resend IT Policy.
2. The BlackBerry® Policy Service reads the current IT policy settings for the user account from the BlackBerry Configuration Database to determine which IT policy to send to the BlackBerry device.
The BlackBerry Policy Service prepares to send the IT policy using the GME protocol by adding the unique identifier and BlackBerry® Enterprise Server Express version.
The BlackBerry Policy Service adds the unique key that the BlackBerry Domain uses to sign IT policy data packets to the IT policy data packet.
3. The BlackBerry Policy Service sends the IT policy data packet to the BlackBerry Dispatcher.
The BlackBerry Dispatcher encrypts the IT policy data packet using the device transport key of the BlackBerry device, compresses the content, and sends it to the BlackBerry Router for delivery to the BlackBerry device.
4. The BlackBerry Router sends the encrypted IT policy data packet to the wireless network over port 3101. The wireless network verifies that the PIN belongs to a valid BlackBerry device that is registered with the wireless network.
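A constructed model of the two flows above, added here as example code and not RIM's protocol or packet format: the BlackBerry Domain key signs the IT policy packet, a fresh message key encrypts it, the device transport key wraps the message key (the layering the glossary describes for message keys and the device transport key), and the device rejects a packet whose transport MAC or domain signature does not verify. Python's standard library has no AES, so encryption is modelled as an HMAC-SHA256 counter-mode keystream; every key and policy value is made up.

```python
"""Constructed model of the IT policy push (not RIM code): the BlackBerry
Domain key signs the packet, a fresh message key encrypts it, and the device
transport key wraps the message key, the layering the glossary describes.
Python's standard library has no AES, so encryption is modelled as an
HMAC-SHA256 counter-mode keystream; all key and policy values are made up."""
import hashlib
import hmac
import json
import secrets
import zlib


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used as the PRF for subkeys, keystream blocks and tags."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with a PRF keystream; the same call also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = _prf(key, nonce + off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def sign_policy(domain_key: bytes, policy: dict) -> bytes:
    """Policy Service step: serialise the IT policy and append the domain
    signature (modelled as a 32-byte HMAC tag)."""
    body = json.dumps(policy, sort_keys=True).encode()
    return body + _prf(domain_key, body)


def dispatch(transport_key: bytes, packet: bytes) -> dict:
    """Dispatcher step: compress, encrypt under a fresh message key, wrap the
    message key under the device transport key, and MAC the envelope.
    Compression is done before encryption here; compressing ciphertext
    would gain nothing."""
    wrap_key, mac_key = _prf(transport_key, b"wrap"), _prf(transport_key, b"mac")
    msg_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    wrapped = keystream_xor(wrap_key, nonce, msg_key)
    body = keystream_xor(msg_key, nonce, zlib.compress(packet))
    tag = _prf(mac_key, nonce + wrapped + body)
    return {"nonce": nonce, "wrapped_key": wrapped, "body": body, "tag": tag}


def device_receive(transport_key: bytes, domain_key: bytes, env: dict):
    """Device side: verify the transport MAC, unwrap the message key, decrypt
    and decompress, then check the domain signature. Returns the policy dict,
    or None when the device cannot accept the IT policy."""
    wrap_key, mac_key = _prf(transport_key, b"wrap"), _prf(transport_key, b"mac")
    expected = _prf(mac_key, env["nonce"] + env["wrapped_key"] + env["body"])
    if not hmac.compare_digest(expected, env["tag"]):
        return None  # altered in transit or wrong device transport key
    msg_key = keystream_xor(wrap_key, env["nonce"], env["wrapped_key"])
    packet = zlib.decompress(keystream_xor(msg_key, env["nonce"], env["body"]))
    payload, sig = packet[:-32], packet[-32:]
    if not hmac.compare_digest(_prf(domain_key, payload), sig):
        return None  # not signed by this BlackBerry Domain
    return json.loads(payload)
```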
Process flow: Authenticating data on a BlackBerry device without connecting to the BlackBerry Infrastructure
1. A user connects a BlackBerry® device to a computer that the BlackBerry® Device Manager is running on.
2. The BlackBerry Router uses a unique authentication protocol to verify that the user is a valid BlackBerry device user.
The authentication sequence uses the same authentication information for the BlackBerry® Enterprise Server Express and BlackBerry device that the SRP authentication sequence uses to validate the BlackBerry Enterprise Server Express before permitting it to connect to the BlackBerry® Infrastructure. The BlackBerry Router cannot access the value of the device transport key of the BlackBerry device and BlackBerry Enterprise Server Express.
3. The BlackBerry device and BlackBerry Router use the BlackBerry Device Manager to send data to each other over the physical connection, behind the firewall. All the data that the BlackBerry device and BlackBerry Enterprise Server Express send to each other is compressed and encrypted. This data bypasses the wireless network.
The transfer of wireless data over an SRP connection is restored when the user disconnects the BlackBerry device from the computer or closes the BlackBerry Device Manager.
7 Glossary
AES
Advanced Encryption Standard
API
application programming interface
ASCII
American Standard Code for Information Interchange
BlackBerry Domain
A BlackBerry Domain consists of the BlackBerry Configuration Database with its users and any BlackBerry®
Enterprise Server instances that connect to it.
BlackBerry MDS
BlackBerry® Mobile Data System
BlackBerry transport layer encryption
BlackBerry transport layer encryption (formerly known as standard BlackBerry encryption) uses a symmetric key
encryption algorithm to help protect data that is in transit between a BlackBerry device and the BlackBerry®
Enterprise Server when the data is outside an organization's firewall.
CBC
cipher block chaining
CDMA
Code Division Multiple Access
CMIME
Compressed Multipurpose Internet Mail Extensions
content protection
Content protection helps protect user data on a locked BlackBerry device by encrypting the user data using the
content protection key and ECC private key.
DES
Data Encryption Standard
device transport key
The device transport key (formerly known as the master encryption key) is unique to a BlackBerry device. The
BlackBerry device and BlackBerry® Enterprise Server use the device transport key to encrypt the message keys.
DMZ
A demilitarized zone (DMZ) is a neutral subnetwork outside of an organization's firewall. It exists between the
trusted LAN of the organization and the untrusted external wireless network and public Internet.
DOM
Document Object Model
ECC
Elliptic Curve Cryptography
EDGE
Enhanced Data Rates for Global Evolution
Enterprise Service Policy
The Enterprise Service Policy controls which BlackBerry devices can connect to a BlackBerry® Enterprise Server.
GAL
Global Address List
GAN
generic access network
GANC
generic access network controller
gateway message envelope
The gateway message envelope protocol is a Research In Motion proprietary protocol that allows the transfer
of compressed and encrypted data between the wireless network and BlackBerry devices. The protocol defines
a routing layer that specifies the types of message contents allowed and the addressing information for the data.
Gateways and routing components use this information to identify the type and source of the BlackBerry device
data, and the appropriate destination service to route the data to.
GPS
Global Positioning System
GSM
Global System for Mobile Communications®
HTML
Hypertext Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol over Secure Sockets Layer
IEEE
Institute of Electrical and Electronics Engineers
IMAP
Internet Message Access Protocol
ISP
Internet service provider
IP
Internet Protocol
IP address
An Internet Protocol (IP) address is an identification number that each computer or mobile device uses when it
sends or receives information over a network, such as the Internet. This identification number identifies the
specific computer or mobile device on the network.
IT administration command
An IT administration command is a command that you can send over the wireless network to protect sensitive
information on a BlackBerry device or delete all BlackBerry device data.
IT policy
An IT policy consists of various IT policy rules that control the security features and behavior of BlackBerry
smartphones, BlackBerry® PlayBook™ tablets, the BlackBerry® Desktop Software, and the BlackBerry® Web
Desktop Manager.
IT policy rule
An IT policy rule permits you to customize and control the actions that BlackBerry smartphones, BlackBerry®
PlayBook™ tablets, the BlackBerry® Desktop Software, and the BlackBerry® Web Desktop Manager can perform.
Java ME
Java® Platform, Micro Edition
JDBC
Java® Database Connectivity
Kerberos protocol
The Kerberos™ protocol is a Microsoft® Active Directory® authentication protocol that permits a trusted third-party application to authenticate clients by exchanging encrypted service tickets with Microsoft Active Directory.
LAN
A local area network (LAN) is a computer network shared by a group of computers in a small area, such as an
office building. Any computer in this network can communicate with another computer that is part of the same
network.
LDAP
Lightweight Directory Access Protocol
LTPA
Lightweight Third-Party Authentication
MAPI
Messaging Application Programming Interface
message keys
The message keys encrypt the data that is sent to and from a BlackBerry device.
messaging server
A messaging server sends and processes messages and provides collaboration services, such as updating and
communicating calendar and address book information.
MSDE
Microsoft® SQL Server® Desktop Engine
NAT
network address translation
NTLM
NT LAN Manager
PIN
personal identification number
principal encryption key
The principal encryption key encrypts the device transport key when a BlackBerry device is locked if content
protection is turned on.
RPC
remote procedure call
RTF
Rich Text Format
service books
Service books determine which services are available on BlackBerry devices or BlackBerry-enabled devices.
S/MIME
Secure Multipurpose Internet Mail Extensions
SMS
Short Message Service
SQL
Structured Query Language
SRP
Server Routing Protocol
SSL
Secure Sockets Layer
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of communication protocols that is used to
transmit data over networks, such as the Internet.
Triple DES
Triple Data Encryption Standard
UCS
Universal Content Stream
UMA
Unlicensed Mobile Access
UNC
Universal Naming Convention
USB
Universal Serial Bus
VPN
virtual private network
WAP
Wireless Application Protocol
XML
Extensible Markup Language
8 Provide feedback
To provide feedback on this deliverable, visit www.blackberry.com/docsfeedback.
9 Legal notice
©2011 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related
trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the
U.S. and countries around the world.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Bluetooth is a trademark of Bluetooth SIG. Corel
and WordPerfect are trademarks of Corel Corporation. GSM is a trademark of the GSM MOU Association. IBM, Lotus,
and Domino are trademarks of International Business Machines Corporation. IEEE 802.11a, IEEE 802.11b, IEEE
802.11g and IEEE are trademarks of the Institute of Electrical and Electronics Engineers, Inc. Java, JDBC, and JavaScript
are trademarks of Oracle America, Inc. Kerberos is a trademark of the Massachusetts Institute of Technology.
Microsoft, Hyper-V, ActiveX, Active Directory, Excel, PowerPoint, SQL Server, RSA Authentication Manager, Windows,
and Windows Server are trademarks of Microsoft Corporation. Novell and GroupWise are trademarks of Novell, Inc.
PGP is a trademark of PGP Corporation. RSA and RSA SecurID are trademarks of RSA Security. Wi-Fi is a trademark
of the Wi-Fi Alliance. All other trademarks are the property of their respective owners.
This documentation including all documentation incorporated by reference herein such as documentation provided
or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and
without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited
and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other
inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential
information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized
terms. RIM reserves the right to periodically change information that is contained in this documentation; however,
RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this
documentation to you in a timely manner or at all.
This documentation might contain references to third-party sources of information, hardware or software, products
or services including components and content such as content protected by copyright and/or third-party web sites
(collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third
Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility,
performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The
inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by
RIM of the Third Party Products and Services or the third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR
WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE
QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR
A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE
OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR
PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE
DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE
HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM
THAT IS THE SUBJECT OF THE CLAIM.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE
LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES
REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT,
CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES
FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS
OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO
TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH
RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION
THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES,
COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR
UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER
OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY
LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE
CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT,
NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH
OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED
HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS
(INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE
PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE,
AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY
LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure
that your airtime service provider has agreed to support all of their features. Some airtime service providers might
not offer Internet browsing functionality with a subscription to the BlackBerry® Internet Service. Check with your
service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party
Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or
other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for
determining whether to use Third Party Products and Services and if any third party licenses are required to do so.
If required you are responsible for acquiring them. You should not install or use Third Party Products and Services
until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's
products and services are provided as a convenience to you and are provided "AS IS" with no express or implied
conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability
whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to
you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except
to the extent expressly covered by a license or other agreement with RIM.
Certain features outlined in this documentation require a minimum version of BlackBerry® Enterprise Server,
BlackBerry® Desktop Software, and/or BlackBerry® Device Software.
The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable
thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR
WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS
DOCUMENTATION.
Certain features outlined in this documentation might require additional development or Third Party Products and
Services for access to corporate applications.
Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Research In Motion UK Limited
Centrum House
36 Station Road
Egham, Surrey TW20 9LF
United Kingdom
Published in Canada