replacing blackberries..questions about passwords

cyr0n_k0r

Running BES Express.
Currently about 20 BB's
Windows environment
Exchange 2010 SP1

Looking to try and ditch these BlackBerries and open ourselves to allow our users to have whatever phone they want. iPhone, Droid, etc.
Most phones have an exchange connector now, but the one thing that we've been having problems with is once the user sets up the account we have password policies that require they change their windows password every 90 days.

How are you allowing your users to continue using their phones without having to manually change the password on their phones every 90 days? With the blackberries we've never had to worry about it, but as soon as our users start using different phones we run into that problem.

This 1 feature has been the final obstacle in providing corp phones that are not BB's. Has anyone overcome this?
 
You can't. If they are using the Exchange ActiveSync built into the phone they will have to manually change the password on the phone when they change it on the computer. Just educate your users and you will be fine. We ditched about 150 BB's for iPhones and everyone figured it out just fine after the first time.

Some MDM servers may offer this but it costs big money.
 
Why can BlackBerry do it but other phones can't? What is so special?
 
I remember reading something about BES supporting other phones, did this happen? Might be worth looking into. I can't imagine managing a lot of phones without BES. One other nice thing with BES is the ability to remote kill a phone, see status, etc... and the fact you don't need to create a POP account with a forward.
 
The whole point is we are sick of maintaining the BES server. It only runs on 2003, doesn't support 2008 or 64 bit, and it constantly has problems.

@schnell, "educating" our users is not an option. These phones go to maintenance and custodial people who have ZERO computer skills. They can barely speak English. We need phones that we can give them that are idiot proof. That we put an icon on the phone and say this is your email. Click on it to read.
We can't be having them go into settings and change passwords. They never log into computers so the password just expires.
 
The reason BES works without needing users to update passwords is that it doesn't use them to connect to the users' mailboxes in the first place. It connects to Exchange directly via a service account in a similar manner to how you would connect to other users' mailboxes with an administrator account. This won't be possible with ActiveSync \ OMA because everyone is connecting directly to their own mailboxes with no intermediary.

Set up a group for these specific folks and then set their passwords not to expire. Make randomly generated passwords and don't pass them out. Also I would create a GPO and add Deny Local Login, so if one of these accounts is compromised you minimize access.
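
The approach described in the post above, sketched with the ActiveDirectory PowerShell module. This is an added example, not code from any poster in the thread; the group name and account names are hypothetical placeholders, and the "Deny log on locally" right is set in a GPO rather than by the script.

```powershell
# Added example, not from the thread. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

$GroupName = 'Mobile-Mail-Only'      # hypothetical group for the phone-only accounts
$Users     = @('jdoe', 'asmith')     # hypothetical sAMAccountNames

function New-RandomPassword {
    param([int]$Length = 32)
    # 64-character alphabet: 256 is a multiple of 64, so byte % 64 has no modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry in the rare case a draw would fail the domain complexity rule.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -cmatch '[0-9]')
    $pw
}

# Create the group once; it is the target of the GPO user right
# "Deny log on locally" (Computer Configuration > Windows Settings >
# Security Settings > Local Policies > User Rights Assignment).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

$issued = foreach ($u in $Users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure
    Set-ADUser -Identity $u -PasswordNeverExpires $true
    Add-ADGroupMember -Identity $GroupName -Members $u
    # Emitted once so IT can enter it on the phone; the user never receives it.
    New-Object psobject -Property @{ User = $u; Password = $plain }
}
$issued | Format-Table -AutoSize

# Periodic review: every member should be enabled, non-expiring, and show
# no interactive logon activity that the GPO is supposed to prevent.
Get-ADGroupMember -Identity $GroupName |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate
```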
 
Personally my preference is opposite of red squirrel's. I can't see adding an additional layer of management that doesn't need to exist.

In a correctly set up Exchange environment the phones are significantly easier to add, I don't need to mess with PIN resets or having BlackBerry software installed on workstations to get a new user going. All the end user should need is their email address and password to set up the device. Also current Exchange features include remote wipe as well as being able to require the user to have a password on the device.

I would say in the pre Exchange 2k3 days.. heck even pre 2k8 BES was the way to go. After Microsoft added the current feature set for mobile devices I can't see anyone willingly wanting to stick with BES. At this point it's just added overhead with no real benefits.
 
Oh so exchange has features like that built in now? Did not know that. I'm used to win2k3 environments as that's what all our customers use. Been out of the server scene for about a year though so perhaps some of them have upgraded.
 
I remember reading something about BES supporting other phones, did this happen? Might be worth looking into. I can't imagine managing a lot of phones without BES. One other nice thing with BES is the ability to remote kill a phone, see status, etc... and the fact you don't need to create a POP account with a forward.

Ya mobile fusion is their server product that will let them manage other devices.

http://us.blackberry.com/business/software/blackberry-mobile-fusion.html#tab-1
 
In a correctly set up Exchange environment the phones are significantly easier to add, I don't need to mess with PIN resets or having BlackBerry software installed on workstations to get a new user going. All the end user should need is their email address and password to set up the device. Also current Exchange features include remote wipe as well as being able to require the user to have a password on the device.

Setup is not the problem here. What the OP wants is a way to not have to change the PW on the phone every time the user changes it on the domain.

Unfortunately cyr0n_k0r the only way to accomplish this is to shell out big bucks for an MDM solution and I don't even know for sure if they can accomplish this or not. I know the one I am using can not.

The only other solution here is what was already mentioned; set the pw to something ridiculous and long, remove computer login privileges and set it to never expire. The problem here is that it is still a security risk and it won't work if they are logging into a computer with that account.

It's a shame to say, but this is the one thing that BlackBerry got right and still does the best.
 
As stated above, short of a Mobile Device Management software (of which BES was their own), your solution doesn't exist with a straight MS Exchange 2007/2010 environment. As I mentioned, you can use an MDM software, but they still require the user to authenticate either every time or on a scheduled basis, and in the OP's scenario, what benefit is that?
 
The whole point is we are sick of maintaining the BES server. It only runs on 2003, doesn't support 2008 or 64 bit, and it constantly has problems.

Umm, I have installed BESx on plenty of 2008 R2 64 bit machines in both Exchange and Lotus Domino environments. It supports it just fine and if set up properly and restarted in the correct order once it runs, it keeps running.
 