Securing Exchange Online BlackBerry Devices with BlackBerry Business Cloud Service and Blocking BlackBerry Internet Service

Using the BlackBerry Business Cloud Service (BBCS) hosted by RIM allows Office 365 administrators to provision and manage BlackBerry device access to mailboxes. A savvy end user might realise that the BlackBerry Internet Service (BIS) can also connect to mailboxes; historically this was only over IMAP, but it now also uses Exchange Web Services (EWS). As a business I would be concerned about unknown and unmanaged devices accessing corporate data.

BlackBerry Business Cloud Service

When the BBCS is enabled in the Office 365 portal a Foreign Principal Object (FPO) is created for RIM and granted rights by Microsoft to access the tenant mailboxes. BBCS connects to Exchange Online using EWS. The administrator has access to the BlackBerry Administration Service Portal to set policy, create BlackBerry users and manage all BlackBerry devices. The end user gets access to the BlackBerry Web Desktop to configure and manage their own device.


BlackBerry Internet Service

With BIS the end user is in control of setup and device administration, and there is no record that the user has even connected a device to Exchange (on-premise or Office 365). In the carrier's BIS portal the user enters an email address and mailbox password; EWS or IMAP is then used to access the mailbox. Only the end user has the ability to manage or wipe the device.


Restrict BlackBerry Internet Service

Using Exchange Online (or on-premise) PowerShell we can restrict EWS, either by disabling it completely or by using allow/block lists for known applications. I mentioned that an authorised FPO is created for BBCS access to mailboxes, so if we do disable EWS on the mailbox user object BBCS will continue to function. We also need to make sure IMAP and POP are disabled.

Important Note: EWS is used by Outlook and other applications, so I would not recommend disabling it completely.

I am going to connect to Exchange Online PowerShell:

# Microsoft.Exchange is the only valid configuration name for Exchange remote PowerShell;
# https://ps.outlook.com/powershell/ was the Exchange Online endpoint at the time of writing
$Sess1 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -AllowRedirection -Authentication Basic -Credential (Get-Credential)
Import-PSSession $Sess1

Using the following PowerShell I am going to leave EWS enabled for Outlook and a custom app agent ID (CustomEWSAppAgentID) which also uses EWS, but everything else will be blocked:

# Replace user@example.com with the mailbox to restrict
Set-CASMailbox -Identity user@example.com -EwsEnabled $True -EwsAllowOutlook $True -EwsAllowMacOutlook $True -EwsAllowEntourage $True -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList "*CustomEWSAppAgentID*" -PopEnabled $False -ImapEnabled $False

Replacing Set-CasMailbox with Set-OrganizationConfig the EWS settings can be applied to all tenant mailboxes.

Important Note: I would test on a few mailboxes before applying organisation wide.
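As an added example (my own script for this post, not something from Microsoft or RIM), this is the audit-then-pilot routine I would run before restricting anything. It reports every mailbox that still has POP, IMAP or unrestricted EWS enabled, does a dry run against a small pilot group with -WhatIf, and only then applies the settings and reads them back. The pilot addresses are placeholders, CustomEWSAppAgentID is the same assumed agent ID as above, and the script expects an Exchange Online PowerShell session that has already been imported.

```powershell
# Added example: audit mailbox protocol settings, then restrict a pilot group.
# Assumes an imported Exchange Online PowerShell session (New-PSSession / Import-PSSession).
# Pilot addresses are placeholders; CustomEWSAppAgentID stands in for your EWS application's agent ID.

$PilotMailboxes = @('pilot1@example.com', 'pilot2@example.com')   # placeholders, replace before use
$AllowedAgents  = @('*CustomEWSAppAgentID*')

# 1. Find mailboxes that still expose a path BIS could use:
#    POP or IMAP enabled, or EWS not disabled and no enforced allow list
#    (EwsEnabled / EwsApplicationAccessPolicy are $null when a mailbox inherits the org setting).
$Exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or
        ($_.EwsEnabled -ne $false -and $_.EwsApplicationAccessPolicy -ne 'EnforceAllowList')
    } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, EwsEnabled,
                  EwsApplicationAccessPolicy, EwsAllowList
$Exposed | Format-Table -AutoSize

# 2. The restriction as a splatted parameter set, so the dry run and the real run cannot drift apart.
$Restrict = @{
    EwsEnabled                 = $true
    EwsAllowOutlook            = $true
    EwsAllowMacOutlook         = $true
    EwsAllowEntourage          = $true
    EwsApplicationAccessPolicy = 'EnforceAllowList'
    EwsAllowList               = $AllowedAgents
    PopEnabled                 = $false
    ImapEnabled                = $false
}

# 3. Dry run: -WhatIf prints what would change on each pilot mailbox without changing it.
foreach ($Mailbox in $PilotMailboxes) {
    Set-CASMailbox -Identity $Mailbox @Restrict -WhatIf
}

# 4. Apply for real once the dry run looks right, then read the settings back for the change record.
foreach ($Mailbox in $PilotMailboxes) {
    Set-CASMailbox -Identity $Mailbox @Restrict
    Get-CASMailbox -Identity $Mailbox |
        Select-Object PrimarySmtpAddress, EwsEnabled, EwsApplicationAccessPolicy,
                      EwsAllowList, PopEnabled, ImapEnabled
}
```

Keep the output of step 1 from before the pilot and run it again a day or two after; the difference is your evidence that the pilot mailboxes are closed to BIS while Outlook users have not complained.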

If the user is federated, BIS will first have to authenticate against the ADFS proxy, so another option is to block the RIM IP addresses there. The IP addresses are subject to change and can be found at the following locations.



I hope you find this useful, it took me a week to get confirmation that BIS now uses EWS.

Updated - 20/08/12:

If you want to be 100% sure BBCS will not be affected by the EWS Application Policy, use the following.

Set-OrganizationConfig -EwsEnabled $True -EwsAllowOutlook $True -EwsAllowMacOutlook $True -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList "*BES/*"

I received confirmation from RIM this week that "BES/<version>" is the application user agent used by BES and BBCS.
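As a final added example (again my own, not RIM's or Microsoft's), here is the tenant-wide version with both agents from this post in one allow list, followed by the check I would run afterwards. Set-OrganizationConfig does not modify values that have been set directly on a mailbox, so the second half looks for mailboxes carrying their own EWS policy that leaves out the BES/ agent, mailboxes with EWS switched off outright (which breaks Outlook), and mailboxes that still allow POP or IMAP, since those two are mailbox-level settings and are not covered by the organisation command. CustomEWSAppAgentID remains an assumed agent ID.

```powershell
# Added example: organisation-wide EWS allow list for BBCS plus a custom EWS application,
# then a sweep for mailbox-level settings the organisation command does not cover.
# Assumes an imported Exchange Online PowerShell session. CustomEWSAppAgentID is a placeholder.

$AllowedAgents = @('*BES/*', '*CustomEWSAppAgentID*')   # BES/<version> is the BBCS/BES agent per RIM

Set-OrganizationConfig -EwsEnabled $true -EwsAllowOutlook $true -EwsAllowMacOutlook $true `
    -EwsAllowEntourage $true -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList $AllowedAgents

# Read the organisation setting back so the change is confirmed, not assumed.
Get-OrganizationConfig | Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList

# Mailboxes that need a second look:
#  - their own EnforceAllowList that does not include the BES/ agent (BBCS not covered there)
#  - EWS disabled outright on the mailbox (Outlook will break)
#  - POP or IMAP still enabled (mailbox-level only; Set-OrganizationConfig cannot turn these off)
$NeedsReview = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or
        $_.EwsEnabled -eq $false -or
        ($_.EwsApplicationAccessPolicy -eq 'EnforceAllowList' -and
         -not ($_.EwsAllowList -contains '*BES/*'))
    } |
    Select-Object PrimarySmtpAddress, EwsEnabled, EwsApplicationAccessPolicy,
                  EwsAllowList, PopEnabled, ImapEnabled

$NeedsReview | Format-Table -AutoSize

# Close the POP/IMAP gap on everything the sweep found; EWS settings are left for a manual decision
# because a mailbox-level allow list usually exists for a reason.
foreach ($Mailbox in $NeedsReview) {
    if ($Mailbox.PopEnabled -or $Mailbox.ImapEnabled) {
        Set-CASMailbox -Identity $Mailbox.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false
    }
}
```

Running the sweep on a schedule is worth it: new mailboxes and mailboxes restored from backup can arrive with POP and IMAP enabled, and nothing in the organisation-level EWS policy will stop BIS using them.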