What can a BES Administrator “see” on my BB...

Discussion in 'General Discussion' started by stevetaz, Aug 8, 2009.

  1. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    What can a BES Administrator “see” on my BB, personal or company-owned, if connected to a BES System?

    This is a frequently asked question, both by users provided with a work-owned BB as well as those thinking about connecting (or already connecting) their personal BB to a work BES system.

    The BES can “see” most things, but one would have to know what is actually being logged and then being reviewed to truly know the answer. While the system is capable of logging many activities and functions, the reality is who has time to spend looking at all the data?

    HOWEVER, you must bear in mind that data which is stored can be reviewed at almost any time so if, for example, you piss off your boss enough that he/she begins to distrust you for any reason they could, in theory, request the Admin to produce logs that can be reviewed after-the-fact.

    The simplest way to look at this is to understand that given the proper motivation and time, almost anything done on a BES-connected BB can be monitored or viewed. The question of what actually is being watched can only be answered by the Admin….And they probably are not talking.

    DISCLAIMER: Please note that I am NOT a BES Admin and what follows is information I have gleaned from trolling sites that Admins hang out at. I certainly do not claim that the list is 100% complete or accurate, especially as new versions of BES are released. I have tried to make the list as accurate as possible, but you must take responsibility for checking into your own personal situation.

    IF IN DOUBT, ASSUME WHAT YOU WANT TO INSTALL OR DO ON A BB CONNECTED TO A BES CAN BE VIEWED AND KNOWN BY YOUR ADMINISTRATOR.

    What could be accessed/logged/viewed by the BES System Admin includes, but may not limited to:
    • Corporate Email
    • Corporate PIM data including Address Book, Memo Pad and Tasks
    • Corporate calendar entries
    • Browser site history using the BlackBerry Browser
    o SPECIAL NOTE: If the Company utilizes a firewall, then the BB Browser will probably be controlled by the firewall. For example, if dating service sites are blocked in your office then they will also be blocked to the BB Browser
    o You can often get around this by changing the Default Browser Configuration to Internet Browser….Only if the option is available of course…..Options > Advanced Options > Browser > Default browser configuration > Change to Internet Browser > Save your changes
    • PIN messages
    • Phone call data, NOT the actual calls. No, they are not recording the calls, but they could see the date, time, numbers called, numbers received, length of call, etc.
    • Text message data including the actual messages, the times, dates, screen name sent to and the carriers involved
    • Blackberry Messenger data
    • All applications installed on the device including any IM apps, RSS feeds, games, etc.
    • The OS version installed on the BB. The Admin can tell if you upgraded from what had been originally installed
    • Don’t forget that the Admin may also have IT Policies installed, which can restrict many functions of the BB and that would include your personal device if you choose to connect to the BES server and it Is permitted. You could find yourself unable to install any add-on applications or certain apps. You may be forced to use a password to wake the device. You could even be told how “strong” a password has to be as well as how often it has to be changed.

    What a BES Admin can't see includes, but may not limited to:
    • BIS Email messages. However, keep in mind that the Admin can restrict use of BIS Email preventing you from being able to send it
    • Email using separate Email Apps such as the Gmail App
    • Browser site history using Internet Browser (see above)
    • Third-party IM messages such as AIM, MSN, Yahoo!, etc. Remember that the Admin will know you have the App installed though. The Admin can block your ability to even install these apps so they won’t have to worry about messaging if that is done

    Something I am not sure about:
    • Password Keeper data. As far as I understand it, the Admin cannot view any of the details as the data is encrypted. I believe that without the encryption key or password, NO ONE but you can view what you have stored
    • I believe that all the Admin can “see” is that you have information stored

    I hope this is of help and if there are any Admins in the audience and I have errors or omissions, please let me know so I can correct it and keep our members properly informed.
  2. naviwilliams New Member

    Message Count:
    8
    Likes Received:
    0
    Brilliant post! My users at work ask me this all the time. I think I'll have to give them a link to this post from now on :)
  3. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    Aw shucks, thanks! :009:blush Glad you find it of value and by all means, have your users stop by...

    I take it you are a BES Admin?
  4. naviwilliams New Member

    Message Count:
    8
    Likes Received:
    0
    Yes, a basic one :) Supporting about 110 users at present. But, trying to convince them to allow certain policies for their (the company) own good is like pulling teeth!

    Maybe I should just apply said policies and wait and see what happens - LOL
  5. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    That's one approach. Of course it will depend on who is on the BES System and how high up the food chain they are.

    Looking for a career change? :026:eek:h_no
  6. naviwilliams New Member

    Message Count:
    8
    Likes Received:
    0
    well, at present I have two I.T. Policy's -

    1. General users
    2. Partners / CEO's, etc

    and the default for I.T :)
  7. JackBeBerry New Member

    Message Count:
    4
    Likes Received:
    0
    Hi. I know this is an old thread, but I have a question about this BES stuff. Maybe someone can help.

    There are some people who work in my networking department that I don't necessarily trust. I was given a new BB for my work, but when I'm not working, I am using my BB at home (which they said is alright). At home, I get no cell signal, and I do all my browsing through my Wi-Fi. If I do banking (or other private stuff) at home through my Wi-Fi (meaning not the cell network but instead my cable connection), and then clear all my history and stuff, is there still a way for the BES to record my browsing data the next time my BB syncs with the BES server?

    Please note that up until about 10 minutes ago, I had no idea that using a different browser makes a difference.

    Thanks for any help given!
  8. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    Hi JackBeBerry and welcome to EB:

    It may be an old thread, but still quite current. You say there are some people. Do all act as the BB Admin? it would be a bit unusual to have more than two (One Admin and a back-up) with full access, but not unheard of.

    Regarding your question about browser history using your home network and WiFi, you are probably using the HotSpot Browser, yes? If so the Admin cannot see any trail. If for some reason you are able to use the BB Browser over WiFi you should assume the Admin will have access to the history. Note that encrypted data cannot be seen without the encryption key so your password and account information should be safe. That applies the the BB Browser and others. The Admin can see the fact you connected and the page history, but not the content of the encrypted files/data.

    You could also test to see if you can download and install either OperaMini or Bolt to do browsing while on your company network as the history would also not be visible. That said, be very careful with what you do and don't do on a device that is company owned.

    Many refuse to even run the risk and carry their own BB to conduct all personal business. That is the safest route.

    Visit and post often and thanks for registering.....
  9. JackBeBerry New Member

    Message Count:
    4
    Likes Received:
    0
    Thanks!

    I don't know, actually, how many are BES admins. I'm not even sure we use BES. Can I tell just by looking at my phone settings?

    If I would have to manually go to that particular browser in order to use it, then no I don't believe I am. Does BB Browser not work when accessing the Internet through a wireless router signal? And does it automatically switch to the HotSpot browser when using this type of signal? Is there a way to tell which browser is being used while you are using it?

    Even if I delete it before my phone syncs up again with the BES server? I guess all this stuff is stored in a file that the end user does not have access to, huh?

    Yeah it is. I guess you could say I'm a bit paranoid. For instance, I don't want my work to be able to see anything I'm doing on my personal time, no matter how innocent. That includes things such as visiting discussion forums (which I'm doing from my home computer, btw)! lol
  10. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    Options > Advanced Options > Enterprise Activation > Do you see "Desktop Activated On ...." or

    Options > Security Options > General Settings > Scroll toward bottom, after Message Outline Colors > Do yiou see IT Policy Name: with an entry there (often DEFAULT)?

    Options > Advanced Options > Browser > Default Browser Configuration and Default MDS browser configuration set to ?

    This can be controlled by the BES Admin to force use of the BB Browser. Depends on how the system is set up at your place. Just because you are not using the carrier network does not mean a WiFi connection is not established with the BES Server. Maybe this link will give you a bit more info or overview....

    Keep in mind that if you are on BES you are subject to all kinds of possible monitoring, but I am not an Admin so I do not know all the fine points. What you have to remember is that just because this, that and the other thing CAN be seen does NOT mean it will be. Often settings in the server have to be set to log and save and then someone has to have the time to troll databases to look for the info.

    Again, if there is a BES connection to the server over WiFi it is logged as it occurs. Better to assume it is rather than be surprised.

    Just to make you even a bit more paranoid......With the BES update in 2008 or so, your [BB's] location coordinates is being sent to the server periodically allowing your movements to be laid out on a map if they choose to. I believe that logging was set to ON as a default. Just to remind you they would have to be logging and then inclined to use the information.

    Remember that whatever they log can also be stored if they devote server space for two years or more. That means if you anger a big boss or give them reasons to make them suspicious of you a year or two from now they can go back to see what you were up long ago.....If they choose to spend the time and IT payroll budget.

    With BES, installed applications can be removed or disabled remotely, the camera function can be disabled as well as the calling funtion and anything else regarding the operation of a BB.

    That is why corporations like BlackBerry so much, CONTROL and security. If they own it assume they are watching even if they are not and you will be safer......
  11. JackBeBerry New Member

    Message Count:
    4
    Likes Received:
    0
    Thanks for such a thorough reply, stevetaz!

    Yes.

    BlackBerry Browser. But I am able to change it.

    OK yeah. I was trying to understand if you were implying that BB Browser is unable to use Wi-Fi or not.

    Thanks for the link. I'll have a look at it. For some reason I had this crazy notion that they cannot (legally) monitor data being sent through on my own Wi-Fi network, even if it is through their phone.

    I guess this would have to be done through a satellite service if I have no cell signal, right? And this happens even if my GPS settings are set for emergency location only?

    Thanks again for all the helpful information!

    Edited to Add: Another reason I suspected that my Wi-Fi network at home is not communicating with the BES server is because I'm not getting my company email automatically when I am at home. Is my thinking mixed up here as well?
  12. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    My pleasure....We aim to please.

    It does not. If you have a WiFi signal the WiFi Browser is selected automatically.

    Legally? They own the hardware, but it is unlikely they could see much of what you are exchanging via your WiFi network. You will probably leave a trail of links if anything.

    If no carrier cell signal AND no BES connection it can't transmit the coordinates. Remember that data transmits easier than voice so while you can't make calls the BES connection may still be there. If you want to see the effect of no cell signal, check the three connection's status:
    Manage Connections > Services Status > Look for what each status is shown as, Voice Services, BlackBerry Internet Services (BIS) and BlackBerry Enterprise Server (BES).

    If there is a BES connection even if set to Emergency Location Only I believe it can send your coordinates. Turning off the handset stops the transmission of location data.

    The WiFi Browser is a direct connection to the Internet. It does NOT go through the BES server and I am guessing you will see that service status as Not Connected if you check as I described above.

    Here is a link that has some good descriptions of the various Browsers.....
  13. JackBeBerry New Member

    Message Count:
    4
    Likes Received:
    0
    So even though it says "BlackBerry Browser" In the upper left-hand corner when I'm running through my WiFi, it's actually using the HotSpot Browser?

    Forgive me, but I am confused again. I thought you said that, if I am using the HotSpot browser (which I'm still not sure about), they can't see any of my activity. Again, forgive my dimwittidness (is that a word??)

    Mobile Voice status is emergency only, Connection: not connected
    Blackberry Internet Service Connection: Wi-Fi
    Blackberry Enterprise Server Connection: Wi-Fi

    So that seems to be saying I'm connecting to the BES through my Wi-Fi. But I am once more confused, as I had gathered thus far that it is only when using BlackBerry Browser that they can collect my data, that BB Browser can't use Wi-Fi, and so therefore, there is no way they can collect my data when I'm using Wi-Fi. Missing link in my brain here somewhere... maybe several missing links. lol

    Nope. I'm using Wi-Fi at my home and it seems that the settings are saying that BES is connected via Wi-Fi...

    My head hurts. ha!

    Thanks! I will be reading that link very shortly over some milk and cookies.:dft010:big_smile
  14. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    I am sorry for being confusing, but that's what I get for trying to do this while working and when exhausted after work.

    It appears to be that your BES setup allows for WiFi connection, which is an option as I understand it. There are provisions with some BES systems and I think you should read this article from RIM's site. It is a bit dated, but I think it will help you to understand why you seem to have connection to the BES Server and data services even though you might not think you would. The matrix on page 6 is especially helpful. Looking at the middle column of the matrix where you have WiFi, but no carrier coverage it is indicating you will have full data service including the BB MDS Internet Browsing, which indicates the BB Browser would be operable even though we have all been trained to "know" that if in a WiFi area the WiFi browser is automatically selected.

    It is a very confusing topic and if one is not a BES Admin with the knowledge of how a network is set up, it is almost impossible to know many of the little nuances that are a part of the big picture.

    That is probably why you may often see advice like "Assume everything you are doing can be seen by the BES Admin". It is because we non-Admins are trying to guess at information I am not even sure all Admins are really fully aware of and completely understand.

    You have my interest and I will continue to explore this puzzling topic....
  15. marsville New Member

    Message Count:
    2
    Likes Received:
    0
    stevetaz, thanks for all the info on this topic.

    You mentioned in your first post that the BB admins cannot see any content on separate email apps like Gmail. Can you confirm this? I've read elsewhere (on another forum response) that emails sent and received using the Gmail app can be accessed by the BB administrators.

    Can you possibly explain how Gmail content using the Gmail app is handled by the BB and BES?

    This is the key point for me so any further insight you can provide on this would be very helpful.
  16. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    Hi marsville and welcome to EB:

    Let me first say I am not a BES Admin. I can't give you a guarantee of anything. I can say that people I respect have told me BES Admins cannot see email outside the BES server and BIS mail as well as third-party apps do not route through the BES server.

    That said, I am sure you have also seen the caution that if you are afraid that something MIGHT be seen, then assume it can.

    In practical terms I think you might notice a pattern of those items which definitely can be seen are those most closely tied to the BB OS and system. What is unknown to us non BES Admins is as the BES versions get more refined, do the abilities get enhanced?

    Here is a site and explanation you should take a look at as it was written by BES Admins.

    In the end you have to decide how confident you are and act accordingly.

    Thanks for registering and please visit and post often.....
  17. marsville New Member

    Message Count:
    2
    Likes Received:
    0
    Thanks SteveTaz. That post by Joolie seems to be one of the most referred to posts regarding what BES Admins can see.

    When she mentioned that Admins can't see BIS email messages, I'm assuming that means they can't see email in the Gmail app. I'm a newbie to this stuff.

    Thanks.
  18. daventis New Member

    Message Count:
    1
    Likes Received:
    0
    Hello All,

    I admin the BES Express server 5 in my company.

    this post is very interresting. could you please let me how can I see these logs (calls, sms, PIN messages etc...) on the server ?

    thank You!
  19. stevetaz Moderator

    Message Count:
    5,358
    Likes Received:
    5
    Hi daventis and welcome to EB:

    I am not a BES Admin so I can't tell you the exact process. I am also not sure if the BES Express system gives you the same amount of information. Here is a link to a good Wiki article that will give you some solid information. The RIM BlackBerry site is also an excellent place to find great help. Their BES Enterprise Server Resource Kit may be of interest to you, but again, I am not sure of limitations the Express setup may have.

    This link will give you BES Server Express tutorials and links to various manuals that should answer any questions you may have.

    Thanks for registering and please visit and post often. Let us know how you make out....
  20. DanielTodaro New Member

    Message Count:
    5
    Likes Received:
    0
    BlackBerry Enterprise Server (BES) is the name of middleware software, which is part of the BlackBerry wireless platform from Research In Motion.

Share This Page