BlackBerry 10 Workspace – The Practical Network Connections Guide

ENTERPRISE / 11.12.14 / BlackBerry

Co-authored by Ed Bourne and Roberto Speranza


If you’re building an application for deployment in the Workspace that requires network access, you know that like all things in the workspace, it’s designed to be secure.  If you’re simply using the work browser for your HTML5 app, or WebWorks/Cordova, all the connectivity is handled for you, but unlike the personal space, you now have access BEHIND the firewall.  This means you can reach all the internal websites and datasources that the BES your workspace is tied to can see.  For example, we can see the internal BlackBerry portals with all the great stuff coming in the future!

But what if you want to do things a little closer to the hardware?  What about socket connections, TCP vs UDP, ports other then 443 or 80, etc, etc.  That’s what this guide is all about.

The simplest explanation of what is going on:  The personal perimeter and the work perimeter are running entirely different network connections.  You can find an overview here, with details on both:

We often get questions about the practical differences to design in the workspace, so for the work perimeter or if you like, the workspace, here is our guide:

Your connections are restricted to the following secure channels:

  • Carrier via BES
  • Wi-Fi via BES
  • Enterprise Wi-Fi (direct to BES)
  • Wi-Fi or carrier via VPN

Connections 1 and 2 happen outside your corporate network, are routed through the cloud to the end point of your BES, typically behind your corporate firewall.  Item 4 is less efficient to the battery life of your device and isn’t recommended, but is here for completeness. The end point is wherever your VPN ends, also typically behind your corporate firewall.  Note that Push (see below) doesn’t work over VPN.

Finally, item 3 is new to BlackBerry 10 and it allows you to connect directly from your BlackBerry to your BES, while you are on your corporate Wi-Fi network without going through the cloud.  The endpoint is again your BES.

What is the difference between 2 and 3?  Item 2 refers to the user setting up a Wi-Fi connection (a home or in a hotel for example).  Scenario 3 is setup by your BES admin and is pushed to your device, you cannot configure it by yourself.

Further, connections in the workspace are restricted to TCP/IP only, UDP will not work.  Why?  UDP inherently is not secure so we chose not to support it in the workspace.


Push applications in the workspace should go through the BES.  For detail on this, see: , and read the sections on Enterprise.  A sample app using Push can be found on Github here:

Okay now that we know all this, how do we use these connections from the BlackBerry NDK?

BESSafeTcp was written to help one of our partners get their app working properly in the work perimeter.  The current sample app shows developers how to create working TCP / SSL sockets in the work perimeter with the following APIs:

  • Qt – QTcpSockets and QSslSockets
  • BSD Sockets / OpenSSL
  • cURL

In each case, the concept is the same.  The utility classes provided lookup the IP address hostname / port to which you want to connect to determine if a proxy is required.  If so, an HTTP CONNECT request is made to the proxy to setup a tunnel and then the connection continues normally after that and the connect functions returns the socket to the caller to continue using as normal.  The utility classes were designed to be plugged in easily into other’s code but developers are free to extract what they need and incorporate it their own way.  The following table summarizes the different utility classes and which networking APIs they apply to:

Utility Class Networking API
BESConnect Covers the QT APIs with cases for QTcpSockets and QSslSockets
SSLSocketThread Covers the BSD / OpenSSL APIs for SSL connections
TCPSocketThread Covers the BSD socket APIs (no SSL)
CurlConnectThread Covers the cURL API

UDP sockets will not work with the BES proxy so they are not covered in this sample.  However, BES deployments with corporate VPN should be able to support UDP sockets because VPN deployments do not use the proxy mechanism and network connections are transparent in that case.  Utilizing these utility classes will allow your app to work with TCP sockets for both the proxy case and direct since it checks to see whether a proxy is required or not at runtime.

The sample app logs most of its debug output to a log file under shared/documents/logs in the work perimeter.  The files are text files that are viewable in File Manager.

The BESSafeTcp sample can be retrieved from Github here:

If you have any questions, feel free to comment here on the Blog, and if you find this useful, compliments are welcome as well!  You can follow us on twitter: Ed on @ed_bourne and Roberto @RSSessantotto.


About BlackBerry

BlackBerry is an enterprise software and services company focused on securing and managing IoT endpoints.