Your Blackberry sucks

As a consultant I frequently encounter customers that either have, or want to have, Blackberry handhelds, the primary reason being mobile e-mail.  If it’s a small company that wants to set up Blackberry Internet Service to pull their mail from POP, IMAP, or now even OWA, it usually works fine.  It’s when they want to put in a Blackberry Enterprise Server that things get messy.  100% of my customers are running Microsoft Exchange 2003 SP2 or later, which fully supports Exchange ActiveSync with Direct Push (shortened to just Exchange ActiveSync in Exchange 2007).  Exchange ActiveSync is a built-in mobile e-mail platform that only requires you to expose to the Internet the same IIS front end that already serves Outlook Web Access, something 99% of organizations running Exchange are doing anyway.  You can even self-sign the SSL certificate if you don’t mind the hassle of manually loading it onto each phone.  Exchange ActiveSync then lets each user authenticate directly to their own mailbox, with their own credentials, and have their e-mail delivered to the handheld as it arrives.

My main problem with Blackberry Enterprise Server’s e-mail functionality is that, at its core, it’s a hack.  Instead of granting each user the ability to access their own e-mail from their handheld, you grant a separate service account the ability to read every mailbox in your organization and to send as any of those users.  (This was the cause of a lot of grief for Exchange admins running Blackberry when Microsoft released patches a few years back that changed the behavior of the “Full Mailbox Access” permission so that it no longer implied “Send As”; see http://support.microsoft.com/kb/912918/.)  When you send an e-mail from your Blackberry through a BES, you’re not really sending the e-mail; you’re instructing the Blackberry service account to send it and, in effect, spoof your name as the sender.  The same goes for receiving: your user account isn’t accessing your mailbox and delivering the message to your handheld, the Blackberry service account is opening your mailbox, grabbing the message, and forwarding it to your handheld.

As an attacker, if I were interested in surreptitiously monitoring a company’s e-mail, the Blackberry service account would be a great place to start.  An account that has been delegated the right to open other users’ mailboxes does exactly that all day as part of its normal job, so one more mailbox access from it wouldn’t be a glaring entry in an audit log… oh, and that account can send as anyone too.  The possibilities…
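The practical check that follows from this is to find out who actually holds those rights in your organization. The script below is an added example, not code from the original post or from RIM: run from the Exchange 2007 Management Shell (Exchange 2003 has no shell, so it assumes an upgraded environment), it lists every non-owner account holding Full Mailbox Access or Send-As on any mailbox and ranks them by how many mailboxes they can reach. `CONTOSO\BESAdmin` is an assumed name for the Blackberry service account; substitute whatever yours is called.

```powershell
# Added example (not from the original post): audit delegated mailbox rights.
# Assumes the Exchange 2007 Management Shell. 'CONTOSO\BESAdmin' is a placeholder
# for the real Blackberry service account name.
$serviceAccount = 'CONTOSO\BESAdmin'

# Full Mailbox Access is a mailbox ACE, so it comes from Get-MailboxPermission.
# Keep only explicit, non-Deny grants to someone other than the mailbox owner.
$fullAccess = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -contains 'FullAccess') -and
        ($_.IsInherited -eq $false) -and
        ($_.Deny -eq $false) -and
        -not ($_.User -like 'NT AUTHORITY\SELF')
    } |
    Select-Object Identity, User, AccessRights

# Send-As is an extended right on the Active Directory user object, so it comes
# from Get-ADPermission rather than Get-MailboxPermission.
$sendAs = Get-Mailbox -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and
        ($_.IsInherited -eq $false) -and
        ($_.Deny -eq $false) -and
        -not ($_.User -like 'NT AUTHORITY\SELF')
    } |
    Select-Object Identity, User, ExtendedRights

# Who holds each right, and on how many mailboxes. The BES service account is
# expected to sit at the top of both lists; anything else with org-wide reach
# is the kind of foothold described above and needs an explanation.
'Accounts with Full Mailbox Access, by mailbox count:'
$fullAccess | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

'Accounts with Send-As, by mailbox count:'
$sendAs | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Explicit grants that are NOT the known service account, mailbox by mailbox.
'Full Mailbox Access held by accounts other than the BES service account:'
$fullAccess | Where-Object { $_.User -ne $serviceAccount } |
    Format-Table Identity, User -AutoSize

'Send-As held by accounts other than the BES service account:'
$sendAs | Where-Object { $_.User -ne $serviceAccount } |
    Format-Table Identity, User -AutoSize
```

The two rights are deliberately queried separately: after the KB912918 change, Full Mailbox Access and Send-As are independent grants, so an account can hold one without the other, and an audit that only looks at mailbox permissions will miss a Send-As grant on the AD object.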

The other problem with Blackberry is the amount of resources required to run it.  Not only does it require its own OSE (operating system environment, to borrow Microsoft’s terminology, since we’re not always dealing with physical servers), but the Blackberry service account uses MAPI to access mailboxes, which places additional load on the Exchange server.  This is akin to running Outlook on one computer and opening hundreds of mailboxes at the same time.  If a few of those mailboxes are a couple of gigabytes in size, goodbye Exchange server.

When sizing an Exchange environment for an organization that runs Blackberry, I place fewer users on each Exchange server, since each Blackberry user puts roughly two users’ worth of load on the system.  While this may not be a big issue in smaller environments, in large environments it increases the amount of mail server resources required to support the same number of users.

As a side note, Blackberry isn’t the only one guilty of this; GoodLink (now owned by Motorola) functions much the same way, with a delegated admin account.

Blackberry servers do have their place in some organizations: some companies require the 3DES or AES encryption between the handheld and the BES, some require the extremely granular security controls you can impose on a Blackberry handheld, and some require the mobile data access and application functionality that also comes with a BES.  The majority of the customers I support who run Blackberry use it exclusively for e-mail, and for them I believe Exchange ActiveSync provides a simpler and cheaper alternative that supports a wider range of handhelds.  With Apple’s addition of Exchange ActiveSync to the iPhone, I hope we’ll begin to see more mobile platforms (not just Windows Mobile) support Exchange.

~ by jverburg on November 20, 2008.

2 Responses to “Your Blackberry sucks”

  1. We’ve had good results with IMAP on Linux. Free free free.

  2. I agree with you. I work for about 100 companies in IT support. It never fails that a user goes and buys a Blackberry on their own and it will fail to work with email, 80% of the time. The users that get a Windows or Apple based phone, I can tell them the instructions over the phone to put into the phone and it works 99% of the time. From a support side Blackberries SUCK. I do make a lot of money from supporting them by the hour but I would rather not support them.
