The move to ActiveSync enables more connectivity options for customers, but doesn’t change the trusted security model that Enterprises rely on to protect their corporate data.
I’m Jeff Holleran, the Senior Director for Enterprise Product Management here at RIM. Since the launch of BlackBerry® PlayBook™ OS 2.0, which includes a native email and PIM client that is based on Microsoft’s Exchange ActiveSync protocol, one of the frequent questions that I am asked is, “Why ActiveSync?”
There are a number of reasons that RIM made the choice to go with ActiveSync as the sync engine for our next generation of messaging on BlackBerry tablets and smartphones. Over the past decade, ActiveSync has matured as a protocol. We are able to use ActiveSync to provide a capable sync engine that is supported both for the traditional Enterprise email platforms that RIM currently supports and for additional email platforms that support the Microsoft ActiveSync protocol. This ability to build a single sync engine increases the reach of BlackBerry devices, while reducing the complexity of the custom sync engine that exists in today’s BlackBerry® Enterprise Server (BES). By selecting ActiveSync, we are able to provide a set of additional options for email connectivity to our customers, including growth to support multiple devices for each user. In addition, we increased scalability with BlackBerry Mobile Fusion when compared to the BlackBerry Enterprise Server. Customers have also expressed interest in taking advantage of different levels of security, from the basics that come with Microsoft Exchange ActiveSync through to the advanced security and controls that come with BlackBerry Mobile Fusion and the BlackBerry Infrastructure.
What this change didn’t mean was a move away from our core BlackBerry DNA: our full end-to-end encrypted email solution that our customers have come to depend upon. In particular, there is no need to open additional firewall ports or make any other changes that would cause an IT group to change their infrastructure. BlackBerry Mobile Fusion allows each PlayBook (and BlackBerry 10 in the future) user to connect through the secure BlackBerry Infrastructure. This configuration provides the same level of security as today’s BlackBerry Enterprise Server solution, with the encrypted message traffic flowing between the device and the BlackBerry Mobile Fusion server behind the firewall. The only difference is that we connect to the email server using the ActiveSync interface instead of the proprietary MAPI protocol that we used previously. Some customers may not realize that ActiveSync is enabled on their Microsoft Exchange server by default and no changes are required to get a BlackBerry PlayBook tablet up and running on BlackBerry Mobile Fusion.
How does all of this work?
From an end-user perspective, the steps to connect are straightforward. Conceptually, from a management perspective, there are three options to connect your ActiveSync-enabled BlackBerry PlayBook into your work messaging environment (and these steps will also work for BlackBerry 10 smartphones when they are in market):
1. Direct Connection – If the ActiveSync interface of your email server is exposed to the Internet, a user can simply configure their account by adding the email address and password of the account from their PlayBook. This will provide full email and PIM connectivity and adhere to ActiveSync configured policies (listed in the Knowledge Base article below):
Read more: Exchange ActiveSync support for the BlackBerry PlayBook
2. BlackBerry Mobile Fusion managed – An administrator can enable and configure an end user to use BlackBerry Mobile Fusion for device management, and provision the email settings so that when a user activates their PlayBook, their corporate email is configured, a work perimeter is created, and the IT policies set on the BlackBerry Mobile Fusion server are adhered to. Once the device is managed by BlackBerry Mobile Fusion, the ActiveSync policies are no longer applied or adhered to, with the exception of the wipe command. This option also supports management of a BlackBerry PlayBook connected into a hosted email system (e.g. Microsoft Office 365).
Read more: ActiveSync policy behavior when a tablet is activated on BlackBerry Device Service
3. BlackBerry Mobile Fusion with Mobile Data Services (MDS) – Similar to a BlackBerry Mobile Fusion activation, this option differs in that all work traffic on the device can be configured to route through the MDS component of BlackBerry Mobile Fusion, effectively extending the boundary of the corporate network to include the BlackBerry PlayBook without the need for a VPN solution or exposing ActiveSync to the Internet to allow for email/PIM access. One outbound connection over port 3101 provides secure connectivity to your PlayBook users for secure remote access to email and applications – just like the BlackBerry Enterprise Server. This is the solution recommended for security-conscious organizations that need to protect their corporate data.
- Security Technical Overview – BlackBerry Device Service 6.0 and BlackBerry PlayBook Tablet 2.0.1
- BlackBerry MDS Connection Service Helps Make Connectivity a Simple Task
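As an added example (not from the original post or from RIM), the following Exchange Management Shell audit lets an Exchange administrator see what each of the three options above depends on: whether the ActiveSync interface is published externally (required only for option 1), how many mailboxes have ActiveSync enabled by default, which ActiveSync mailbox policy would govern a directly connected PlayBook, and which devices have already partnered via ActiveSync. It assumes Exchange 2010 SP1 or later with the Exchange snap-in loaded and default virtual-directory names.

```powershell
# Added example, not RIM's or Microsoft's code. Run in the Exchange
# Management Shell on a Client Access server (assumption: Exchange 2010 SP1+).

# 1. Is the ActiveSync interface published to the Internet? Option 1 needs
#    an external URL; option 3 (MDS) makes exposing it unnecessary.
#    An empty ExternalUrl means the directory is not advertised externally.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, ExternalUrl, InternalUrl, BasicAuthEnabled |
    Format-Table -AutoSize

# 2. How many mailboxes have ActiveSync enabled? It is on by default, so a
#    freshly installed server will normally report every mailbox here.
$enabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled }
"{0} mailboxes have ActiveSync enabled" -f @($enabled).Count

# 3. Which ActiveSync mailbox policy settings would apply to a PlayBook that
#    connects directly (option 1)? Under options 2 and 3 these are replaced
#    by the BlackBerry Mobile Fusion IT policy, except for the wipe command.
Get-ActiveSyncMailboxPolicy |
    Select-Object Name, DevicePasswordEnabled, AllowNonProvisionableDevices,
                  MaxInactivityTimeDeviceLock |
    Format-Table -AutoSize

# 4. Inventory of devices that have already partnered via ActiveSync, so the
#    administrator can see which users are connecting directly rather than
#    through BlackBerry Mobile Fusion.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize
```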
In order to understand the connectivity and Email/PIM synchronization differences between BlackBerry Enterprise Server and BlackBerry Mobile Fusion, let’s first take a look at a BlackBerry 7 smartphone connected to a BlackBerry Enterprise Server:
The BlackBerry 7 smartphone connects to the BlackBerry Enterprise Server using a 256-bit AES encrypted connection that carries email and PIM traffic from the server behind the firewall to the BlackBerry smartphone. The BlackBerry Enterprise Server connects to the email server using native email vendor-specific protocols.
Examining the connection to the BlackBerry PlayBook below, you can see the same BlackBerry DNA in place; we maintain the 256-bit AES encryption between secure endpoints on the PlayBook and BlackBerry Mobile Fusion server when using the MDS functionality to route the traffic.
The key difference is that instead of using the Mobile Fusion server to translate the native messaging protocols into BlackBerry messaging traffic, the PlayBook makes a connection directly into the mail server using the ActiveSync protocol to synchronize email and PIM data to the device. This connection is then encapsulated within the 256-bit AES encrypted BlackBerry security connection, ensuring that the same level of security that you have depended on for BlackBerry 7 devices is also delivered on the BlackBerry PlayBook.
The use of ActiveSync also provides support for customers who are using hosted or cloud-based email providers. End users are able to access their email while the IT group is able to maintain device security, as well as provide behind-the-firewall access to the Intranet and other applications.
Our Enterprise customers are very pleased that we have continued to use the trusted connectivity model in use today. With this model, there is no need to expose ActiveSync to the Internet or increase the investment in VPN solutions to include mobile devices—the PlayBook is simply able to access and synchronize email and PIM data from the server behind the firewall. Of course, email isn’t the only data that can be accessed. When using the MDS functions of BlackBerry Mobile Fusion, employees also have the ability to access enterprise data and applications that are hosted behind the firewall.
This same architecture will be in place to support the launch of BlackBerry 10 devices. We’ve made a small change to the synchronization engine, and we continue to leverage the convenient connectivity and world-class security that the BlackBerry solution has provided our enterprise and government customers for over a decade.
In summary, BlackBerry is as secure as ever.
- We are using ActiveSync to give us greater flexibility and scalability to support more devices per user and more email platforms
- The use of ActiveSync gives customers greater choice in how they connect BlackBerry PlayBooks and BlackBerry 10 smartphones to server-based, hosted and cloud email systems
- The secure BlackBerry DNA remains: a single outbound connection over port 3101, 256-bit AES encryption between server and device, no need to invest in additional VPNs, and no need to expose corporate data to the Internet