BES12 v12.2 and the BlackBerry Secure Connect Plus transport

ENTERPRISE / 07.29.15 / michaelwinke1


Hello y’all, greetings from wintery Cape Town! I thought I would follow on from Ed’s BES12 v12.2 : What’s New for Enterprise Developers blog post and introduce you a bit more to the new BlackBerry Secure Connect Plus transport that is available now for use after upgrading your BES12 to v12.2.

A short history of BlackBerry Enterprise Server (BES) connectivity

I know I may be showing my age here but I remember a time before BES had a Mobile Data Service (MDS) component. Before the addition of MDS we were strictly speaking about email and calendar redirection from the corporate messaging system to the mobile device. Of course the mobile device in those days was little more than a dressed up two-way pager, not the snazzy all-touch glass slabs most people carry nowadays.

With more capable screens and devices came the desire to consume corporate content other than text based emails and calendar entries. Access to the intranet was on our sights and with the introduction of BES for Exchange v3.5/v3.6 and BES for Domino v2.1 we added a new component, Mobile Data Service (MDS), which everybody that is familiar with the BES architecture now knows as MDS. MDS, you understand, was a giant leap forward in the realm of enterprise connectivity!

Alas due to device, network and other limitations we were looking at a very limited, if functional, cousin of web browsing into the intranet that we came to appreciate from desktop browsers. Some of you will remember the, then state-of-the-art, Wireless Mark-up Language (WML) as a mobile friendly subset of HTML. Some may shudder at the memory… 🙂

With the introduction of BES v5.0 the MDS component was renamed to MDS Connection Service and formally recognised as your TCP proxy for BlackBerry devices to communicate with your intranet applications.

In 2013 with BES10 we also added the BlackBerry Communication Proxy (BCP) which adds the same TCP proxy functionality for Android and iOS devices (note the alphabetic order). And now we are happy to release the BlackBerry Secure Connect Plus (BSCP) component as part of the v12.2 upgrade to BES12. BSCP provides a new secure communication transport for applications on the device.

What is BlackBerry Secure Connect Plus?

Figure 1 – BES12 Device Management components

The BlackBerry Secure Connect Plus component that was added to BES12 v12.2 provides a secure IP tunnel for the supported devices into corporate’s network. What are the supported devices you ask? At the moment BSCP is supported as a transport for BlackBerry 10 devices, Samsung KNOX devices activated against BES12 (currently KNOX v2.4 is required) and Android for Work (Android OS v5.1 or higher) also activated devices against BES12 naturally.

Once BSCP is installed as part of the v12.2 upgrade for BES12 and enable for the supported users, the device will create a secure tunnel between itself and the BSCP component on the BES12 instance. That means the device has an internal/private IP address which is used for all application needs on that device.

All the administrator has to do is enable BSCP in an enterprise connectivity profile and assign that to the intended users. For more detailed server and device requirements see the following page: Using BlackBerry Secure Connect Plus for secure connections to work resources – Server and device requirements

What are the benefits of BlackBerry Secure Connect Plus?

The BES transports prior to BSCP acted essentially as a TCP proxy and as such were limited to TCP traffic. BSCP takes this further and provides secure behind the firewall connectivity and does so by providing a true IP interface for developers to use on the device. Now the device when it establishes the secure tunnel gets an internal IP address assigned which is used for all applications that need to communicate via BES12 with enterprise network resources. This opens up potentially a whole new field of enterprise applications that previously were hard to imagine without elaborate workarounds.

One of the possibilities is that BSCP enabled devices can now make use of UDP as a protocol, provided that a STUN server is available and configured to allow the NAT’ing of the UDP traffic between the device and BES12. With that VoIP applications, media streaming and other applications that make use of UDP can become a reality and that securely in the context of the Enterprise. And the best from a developer’s perspective is that this is transparent!

Architecture and Signalling Overview

BSCP signallingFigure 2 – BSCP signalling

Let’s have a look at the signaling. Once the BES12 and the device have determined that BSCP is the best available connection method, meaning that no corporate Wi-Fi or BES12 VPN profile are available, then the device will send a request via a TLS connection through the BlackBerry Infrastructure that an IP tunnel should be established. BES12 receives this request through it’s connection to the BlackBerry Infrastructure on port 3101.

After the request has been received the device and BES12 use the TURN protocol to negotiate the tunnel parameters. For the communication one tunnel is established and use for all the apps from within the work perimeter to the Enterprise resources.

What next?

Be sure to checkout to check out the Administration section of the BES12 v12.2 support site and stay in touch with your BES administrator to find out when you can make use of this new feature of BES12!

About michaelwinke1