Understanding enterprise activation

To allow a user's device to join the BlackBerry Enterprise Server, we need to activate the device for the user when we create the user and assign the user an activation password. The user enters his or her corporate e-mail address and the activation password on the device's Enterprise Activation screen, which can be reached by going to Options | Advanced Options | Enterprise Activation. Once the user types in the information and selects Activate, the BlackBerry device generates an ETP.dat message. If any virus scanning or e-mail sweeping systems are running in your organization, it is important to ensure that this filename and extension are added to their safe list. Please note that the ETP.dat message is only generated when we activate a device over the air. If we activate the device by another method, where it is plugged in via a cable, NO ETP.dat file is generated.

The ETP.dat message is then sent to the user's mailbox on the Exchange Server over the wireless network. To ensure that the activation occurs smoothly, make sure the device has good battery life and the wireless coverage on the device is less than 100db. This can be checked by pressing the following combination on the device: Alt + NMLL. The BlackBerry Enterprise Server then confirms that the activation password is correct, generates a new permanent encryption key, and sends it to the BlackBerry device. The BlackBerry Policy service then receives a request to send out an IT policy, which we will cover in depth in Chapter 4, IT Policies, and allows service books to access the BlackBerry device.

Service books control the wireless synchronization data. Data is now transferred between the BlackBerry device and the user's mailbox using a slow synch process. The information that is sent to the BlackBerry device is stored in databases on the device, and each application database is shown with a percentage completed next to it during the slow synch. Once the activation is complete, a message will pop up on the device stating 'Activation complete'. The device is now fully in synch with the user's mailbox and is ready to send and receive data.

Now that we have got a general grasp of the device activation process, we are going to look at the five options mentioned previously, in more detail.

Activating a device using BlackBerry Administration Service

This method provides a higher level of control over the device, but is more labor-intensive for the administrator as it requires no user interaction.

Connect the device to a computer that can access the BlackBerry Administration Service, and log in to the service using an account that has permissions to assign devices.

Under the Devices section, expand Attached devices. Click on Manage current device and then select Assign current device. This will then prompt you to search for the user's account that we want to assign the device to. Once we have found the user, we can click on User and then select Associate user and finally click on Assign current device.

Activating devices over the wireless network — OTA

The wireless enterprise activation method allows a device to be associated with a user and provisioned to access the BES without connecting the device physically to your network. Using this method, the administrator provides the user with an activation password, which the user enters along with his or her e-mail address into the Enterprise Activation program stored on the device, as described in the previous process. The password is created by the administrator and can be communicated to the user via an autogenerated e-mail or over the telephone.

The wireless activation password is created for each individual user account. It is a single-use password, meaning that once the password has been used to activate a device, it is no longer valid. The password is only valid for 48 hours by default and is invalidated if the user unsuccessfully attempts to activate a device with the password five times. Let's have a look at some of the options available regarding this password.

In BlackBerry Administration Service, expand Wireless activations, click on Device activation settings, and on the right-hand pane select Edit activation settings.


The e-mail initialization section enables us to customize the automessage that is sent to users if we choose to generate and e-mail an activation password to the user. We can change the sender details to match the organization's administrative account and add a message to inform the users of the steps that need to be taken to activate the device, possibly including the helpdesk number and e-mail address, in case users run into any difficulties.

In the Password settings section, we can enter the length of the password that users have to type into the device, which is set to six by default. We can also specify the type of password: SureType passwords help users whose devices don't support a full QWERTY keyboard, such as the Pearl, by making the password easier to enter. We can also make sure that the autogenerated password is always in lowercase, or we can choose the setting that makes sure that the passwords are all alphanumeric characters. The default lifespan of the activation password is set to 48 hours. Once the 48 hours have passed, the activation password becomes invalid.
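The password rules described above (six characters by default, single use, a 48-hour lifespan, invalidation after five failed attempts) can be modelled as a small state machine. This is an added example, not BES code: the class and function names are hypothetical, and the 36-character lowercase alphanumeric alphabet is an assumption.

```python
import hmac
import secrets
import string
from datetime import datetime, timedelta

# Defaults taken from the text: six characters, 48-hour lifespan, five failed attempts.
DEFAULT_LENGTH = 6
DEFAULT_LIFESPAN = timedelta(hours=48)
MAX_FAILED_ATTEMPTS = 5


def generate_password(length=DEFAULT_LENGTH, lowercase_only=True):
    """Autogenerate an alphanumeric activation password from a CSPRNG."""
    alphabet = string.ascii_lowercase + string.digits
    if not lowercase_only:
        alphabet += string.ascii_uppercase
    return "".join(secrets.choice(alphabet) for _ in range(length))


class ActivationPassword:
    """Hypothetical model of one user's activation password (not BES code)."""

    def __init__(self, password, issued_at, lifespan=DEFAULT_LIFESPAN):
        self.password = password
        self.expires_at = issued_at + lifespan
        self.failed_attempts = 0
        self.used = False

    def try_activate(self, candidate, now):
        """Return 'activated', 'wrong', 'expired', 'locked' or 'used'."""
        if self.used:
            return "used"      # single use: a second activation is refused
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"    # invalidated after five bad attempts
        if now >= self.expires_at:
            return "expired"   # lifespan has elapsed
        # Constant-time comparison so timing does not reveal matching prefixes.
        if hmac.compare_digest(candidate.encode(), self.password.encode()):
            self.used = True
            return "activated"
        self.failed_attempts += 1
        return "wrong"


def online_guess_probability(length=DEFAULT_LENGTH, alphabet_size=36):
    """Chance that the five permitted guesses hit a uniformly random password."""
    return MAX_FAILED_ATTEMPTS / alphabet_size ** length
```

With the defaults, the five-attempt limit keeps the chance of guessing a password before it is invalidated to about 2.3 in a billion, which is why a six-character password is workable here.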


In Lab 3, we will look at generating activation passwords for users within the Sales group, and also at setting an activation password manually for a user.

Activating devices over the LAN

Users can activate their device by plugging it into a machine in the corporate LAN and running BlackBerry Desktop Manager. Once the device is connected and BlackBerry Desktop Manager is started, a wizard will pop up asking the user to select the type of account they want the Desktop Manager to function with. The activation process using this method is described further:

  1. Connect the device to the PC in the LAN and launch BlackBerry Desktop Manager.
  2. From the wizard select the work e-mail account. It will then prompt you to move the mouse cursor, as mentioned earlier; this will generate the transport encryption keys.
  3. Once the keys are generated, the BlackBerry router will start the synch process by sending the user's e-mail messages and organizer data to the BlackBerry device; if the device is unplugged then the synch will still continue over the wireless network.

    Tip

    If you deploy this method as an administrator to activate the devices, create Outlook profiles for all your users on one PC, and then when you launch the BlackBerry Desktop Manager, select the user profile for that device. You will need to make sure that the service account has full mailbox rights to read the user's Outlook data.

Activating devices using BlackBerry Web Desktop Manager

The principle is the same as the previous one, except this option does not need any software installed on the user's PC, and can be used by the Administrator to activate multiple devices by just logging in as the user. This can be done by browsing to the web desktop manager site that was created during the installation. The login page looks the same as the BlackBerry administration site except the fields are coloured green. You can log in as a user and activate the BlackBerry device, without having to install any additional software. To use this site you must be running Internet Explorer, as the site will need to install a RIM ActiveX component that only functions in Internet Explorer. Once you have logged into the site, you can select Activate Device from the menu, and also select the Troubleshooting tab to resend service books, which will also force the activation if you are experiencing any issues.

Activating the device over the corporate Wi-Fi

When you are carrying out over-the-air (OTA) activations, it is vital that the ETP.dat file can traverse your network infrastructure without being dropped or scanned by firewalls, filtering rules, or anti-virus protection. Before starting a corporate-wide wireless activation, it is always good to test by sending a test.dat file to a mail account on the Exchange server to ensure nothing is blocking the delivery of the file. Remember that the ETP.dat file is the main building block in enterprise activation: it is this file that kick-starts the activation process.

Another common issue with activating devices is that they are not provisioned correctly by the wireless carrier to join a BlackBerry Enterprise Server. Each carrier has its own tariffs and options regarding provisioning a device to use a BES. Once you receive the device, and before commencing activation, download the Enterprise Activation Readiness tool to see if the device is correctly provisioned by the wireless carrier to join a BES network.

There is a difference between the device being registered on the wireless network and the provisioning of the device to use a BES. A device that is registered on the wireless network means it can send and receive data — we can check this by sending a PIN message, as shown in Lab 3. If the device is not registered, we can manually register it from the device by carrying out the following:

  1. Go to Options | Advanced Options | Host Routing Table, click on the BlackBerry button and select Register now.
  2. To see if the device is provisioned correctly for the BES, use the readiness tool mentioned, or check with the wireless carrier. Also, you can see if the device has been sent the provisioning service book by clicking on Options | Service books | Provisioning.
  3. Once you download the tool, select the BlackBerry Enterprise Server, and enter the PIN and IMEI number of the device (both can be found on the device by going to Options | Status). The tool will indicate if the device is ready to be activated. To activate a device on BlackBerry Enterprise Server 5.0 or higher, you need to make sure that the device is running BlackBerry device software version 4.0 or higher; some features are only available on device software 5.0. Chapter 5, Software Configuration and Java Applications, describes the process of upgrading the software on devices.
  4. It is also advisable to make sure that no instant forwarding is set on the user's mailbox that we are trying to activate — as when the device sends the ETP.dat file to the Exchange server and then on to the user's mailbox, if the message is forwarded instantly then the BlackBerry router and other BlackBerry components would not have enough time to process the message and the activation will just hang on the device. It will finally report an error message to contact the System Administrator.
  5. As mentioned before, it's important that the service account has the correct permissions so it can tap into the user's mailbox to process the ETP.dat file.
  6. In our case, we have to also remember that we have set an Enterprise Server Policy, which means that we must whitelist the device on the BES, using its PIN and making sure we have allowed that device model to join the BES.
  7. During activation, if the device is hung on 'waiting for services', it usually indicates that the device already has an IT policy applied to it (see Chapter 4, IT Policies for an in-depth look into IT policies) or the BlackBerry Policy service is not started. For the latter, check servers on the BES server to see if the BlackBerry Policy service is started and is logged in using the service account we created — BESAdmin. For the first issue, it is best to wipe the device. This can be done by following the procedure:
    • Go to Options | Security options | General settings, click the BlackBerry button on the device and select Wipe Handheld.
    • It will then prompt you to enter the word 'blackberry' to confirm the wipe.
    • Finally, to avoid slow synch issues when the device is synching the address book, make sure that the contact has at least one of the following three fields populated:
      • First Name
      • Last Name
      • Company Name
  8. Content protection is disabled. It can be enabled once the activation is completed. A new feature in BES 5 allows the administrator to view the activations that are taking place. There are three stages of the act.
  9. Now that we have activated our BlackBerry device, we need to take a look at what options we have regarding the e-mails, contacts, tasks, and calendars, collectively known as PIM (Personal Information Management) or Organizational data.