BlackBerry is one of the top choices for enterprise mobility management (EMM) today. While BlackBerry has dabbled in the consumer and SMB markets, large corporations and governments will derive the most benefit from its MDM.
BlackBerry offers an entire ecosystem, encompassing branded devices (running native BBOS or Android), device and content management, mobile applications, and secure delivery service. This is a one-stop shop for enterprises looking to manage hardware (notably the excellent high-end BlackBerry PRIV and midrange DTEK50), software and services. The only thing missing is a mobile carrier contract, but this can be negotiated with providers.
BlackBerry offers a very secure and comprehensive unified mobile platform spanning various endpoints, ownership models and deployment methods. With a focus on mobile devices, BlackBerry is less concerned with PCs and 2-in-1s.
A great many BlackBerry component options are available to customers. This can quickly get confusing, but the bundled offerings mitigate this.
Capabilities and Key Features
BlackBerry focuses on the end user, drilling into secure, containerized applications. The end-user experience tends to vary based on a combination of device ownership models, corporate policies and device operating systems. This can range from very restrictive (workspace only), with the organization owning and controlling the entire device, to a loose style in which only containerized personal information management (PIM) apps are secured.
IT administrators can always lock or wipe workspaces without touching the personal space and content. BlackBerry offers a kiosk mode, which restricts the usage of the device to specific apps only. BlackBerry combines all PIM functionality into a single app that encompasses email, contacts, calendar, presence, document sharing and a secure web browser.
There are variable configurations – by user and device – that set how the technology is interfaced. BlackBerry satisfies all three categories of EMM: mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).
First, device management is performed using controls made available by the native OS. A separate workspace is not installed by default on the device. Administrators maintain control over the entire device using IT administration commands and IT policies (pushed down during activation). Users must install an MDM profile on the device to use this solution.
In BlackBerry parlance, MAM is a slightly different, less restrictive use case. Application inventory is available for all work apps across all activation types. For devices that are enrolled with the MDM use case, admins can also access the personal application inventory. Application provisioning and policy configuration follows group-based inheritance and can be applied to users and groups across the various activation types.
Compared with other MDM vendors and ecosystem providers (Apple, Google, IBM and Microsoft), BlackBerry's number and variety of apps is severely limited. With a softening in the enterprise app market (other than apps that control things such as HVAC, industrial controls and fitness wearables), BlackBerry has seen the greatest percentage decline as app providers remove the limited support they once offered.
BlackBerry's BYOD feature has two modes: Full Control and User Privacy. The first offers IT full control of devices. A separate workspace is created on the device when it is provisioned, and users must create a specific password to access the workspace. Work data is encrypted, and access to it is restricted with strong password authentication. Mobile administrators can control the workspace and other aspects of the device using IT administration tools. A device-wide MDM profile is required to use this model.
The second type, User Privacy, restricts work access and control to the work data on devices while ensuring privacy for personal data. The use of the workspace is conceptually similar to above, but management and visibility by IT is restricted to the work content and apps.
Reporting and Analytics
Reporting is the second area of BlackBerry's portfolio that needs improvement. BlackBerry relies on excellence in device management, containerization and support, but the analytics piece falls behind newer tools. All of the information is available, but the presentation isn't as well organized or appealingly formatted as the reports in other MDMs.
There is some integration to speak of. BlackBerry has a partnership with GWAVA, packaged as the BlackBerry Auditing & Archival Service (BAAS). It's less about reporting than auditing and archiving critical data on mobile devices.
Functionally speaking, BlackBerry provides a preconfigured, graphical system dashboard consisting of various charts that display critical system information. You can reference real-time reports to pivot toward administrative actions on users, groups and devices.
The sample out-of-the-box reports include the following:
- Devices roaming and devices not roaming
- Top five managed apps installed
- Devices by platform
- Device compliance
- Devices by last contact time
- Devices by carrier
- Top five mobile device models
The reporting engine ties into a compliance framework, which allows custom actions (triggers) to be automatically executed based on compliance state. For use with third-party tools, data exports are available in CSV format.
Security and Administration
With device provisioning – which was initially only for RIM and BlackBerry-based devices – at its core, BlackBerry has one of the longest-standing provisioning capabilities. With BlackBerry Messenger, BlackBerry DTEK (for Android), BlackBerry Hub and other BlackBerry-specific applications in the mix, device provisioning is a bit more complex than it is with other MDM offerings.
BlackBerry directly supports the Apple Device Enrollment Program for activation types where MDM is used. There is also flexible configuration and onboarding for mobile devices and users. IT can provision, or users can self-provision, including fully over the air. There is integration with Active Directory and LDAP to properly sync users and groups.
The process is straightforward, with users receiving an activation email, downloading a client app from the public app stores (Apple, Google or Amazon), and finally running the app and entering credentials received in an email. Synchronization begins immediately, with email flowing to the containerized PIM app and the contacts and calendar quickly synchronizing.
Administrators can configure activation profiles, which define enrollment mode as MDM Controls (No MAM), MDM + MAM, and MAM (without MDM). Activation profiles can be applied to users or groups, which can sync with Active Directory.
The BlackBerry Discovery Service simplifies and automates email account setup and enterprise device activation, which often requires server addresses and port numbers. Many users encounter differences with these settings; Discovery Service helps by using learned configurations.
Configuration can be automated and done at the user level, with attributes inherited via local or directory-synced groups, and can be overridden at the individual user level. Configuration attributes include policy, Wi-Fi and VPN profiles, and applications. A user can have multiple devices and will typically wirelessly enroll a new device through a quick and seamless process in a couple of minutes.
On the administrative management and console front, BlackBerry does a good job. It is a flat, stylized interface, which is generally simple, fast and easy to use. It can be hosted by BlackBerry – up in minutes – or installed in an organization's private data center. The list of devices can be arranged by user group; otherwise, the entire list gets cumbersome.
BlackBerry has four facets of security: internal, perimeter, transport and handheld security.
- Internal security refers to traffic control and is based on access lists, domain name filtering, and the ability to quickly detect devices that are jailbroken or infected with rootkits or malware. By doing this early, your organization can protect your data and prevent the spread of bad code through your company.
- Perimeter security is the mechanism to utilize more traditional schemes at the center of the network or areas of egress and ingress. BlackBerry directly integrates with firewalls and VPNs to prevent illicit outbound connections, apply policy groups, and offer role-based administration of devices.
- Transport security applies AES encryption and uses government-based or -approved FIPS 140-2 certificates. With the removal of FIPS 140-2 by original device manufacturers such as Apple, compliance is left to the EMM providers. There is also guaranteed delivery – leveraging the power of the BlackBerry network – and authorized device checks, somewhat overlapping with the internal security capabilities.
- Handheld security encrypts enterprise data and enforces application passwords. BlackBerry administrators can use this to prevent data loss through policies and to trigger a remote erase in cases of lost, replaced or compromised devices. Remote erase does require coordination with original design manufacturers like Apple (which controls this action for iOS devices), and it also requires the device to communicate to the network at least once after the command is issued.
Documentation and Support
BlackBerry has always been an enterprise-first organization (with only small steps into the consumer market), and its documentation and support reflect this, although parts of the documentation contain some dated information.
To help new customers get started, BlackBerry has a variety of guides and wizards, including online training, a dedicated YouTube help channel and FAQs. Full documentation is available on BlackBerry's help site.
Rounding out the end-user tools, there is in-line (context-aware) help from within the BlackBerry console, and a configuration wizard with text and videos.
BlackBerry's EMM service is sold as an annual subscription, with some customers opting for two- or three-year terms to gain more favorable pricing. There are two levels of support: Advantage and Premium. Generally speaking, Premium increases the number of named customer contacts, includes Tier 3 analysts for severe technical issues and faster response to critical incidents, and adds the option to pay for dedicated support personnel and a program manager.
API and SOA
Continuing its dedication to extensibility, BlackBerry has a robust integration framework that includes BlackBerry Web Services. This allows developers to build process automation, including for events such as employee onboarding and terminations (both of which are often overlooked in HR process overhauls). BWS allows developers to automate the process of adding or removing users, while simultaneously performing user creation in the enterprise directory, HR system, ERP and other applications.
Beyond hiring and firing, developers of customized enterprise solutions can use the BWS API to automate the process of reassigning and changing policies for employees switching organizations within the same company. Third-party software vendors leverage BWS API to obtain data from the BlackBerry MDM to augment their internal capabilities.