BlackBerry Balance is a new feature from RIM designed to give administrators the control they need over BlackBerry devices connected to a corporate BES deployment, whilst simultaneously allowing users to enjoy the more personal capabilities of their devices, such as social networking services.
With the increasing trend for employees to own their Smartphones but use them for business purposes, the need to be able to secure corporate data without interfering with a user's personal content is a burgeoning one. It is this aspect of personal ownership of a business-capable device that RIM are addressing with Balance.
As I detailed with the release of Service Pack 3 for BlackBerry Enterprise Server 5, the BES solution already features a number of IT policies that allow the administrator to define that "work" content should be kept separate from "personal" content on supported devices:
This essentially means that "work" content (email, calendar, documents, etc accessed on the device via the connection to the BES) can only be accessed by applications defined as "work" applications (which can also be defined on the BES) and also cannot be copied and pasted or otherwise shared via a "personal" application (Twitter, Facebook, Hotmail, GMail, etc).
Users can also optionally be prevented from backing up work data locally.
If a user attempts an action that is prohibited by IT policy, they will receive a notification on their device indicating so.
Applications can be classed as falling into either "work" or "personal" categories by the administrator.
The solution also gives administrators the ability to only remove all work content from a device should that user leave the company, leaving any personal content on that device untouched:
RIM have confirmed that this same functionality will also be coming to the BES Express product in the very near future.
The latest version of BlackBerry device software 6.0 is required. Future software releases will include the feature as standard. Supported devices include:
If the policy is enabled on the BES, a BlackBerry device will consider the following as "work" content:
It is not possible for the user to reclassify work content as personal content.
NOTE - phone data (call history, etc) is NOT considered as work data, but IS removed from the device when a command to erase all work data is issued.
Enable separation of work content
If this policy is enabled, the user will not be able paste content from a work application into a personal application. Data can still be copied and pasted between 2 work applications and between 2 personal applications. Users can transfer data from a personal application to a work application, but not vice versa.
Disable forwarding of work content using personal channels
Personal channels include the BlackBerry Internet Service (BIS), SMS, MMS, PIN messages and BlackBerry Messenger. Once enabled, this policy prevents users from forwarding work email messages, contacts, calendar entries, tasks or memos over any of these channels.
Require work resources or conducting work activities
This policy prevents the user from sending email messages to a member of the work contacts list from a personal email account, and also prevents them from arranging meetings with a member of the work contacts list from a personal calendar.
BES administrators have long had the ability to prevent users from using the BlackBerry Desktop Manager software to create backups of device data locally on their PC. This control has now been updated to include as well as the options for "Yes" and "No", the option for "No organizational databases"
If the option to "enable separation of work content" is enabled on the BES by the administrator, all work content saved to the device memory card is automatically encrypted using an encryption key generated by the device
After the option to "enable separation of work content" is enabled, to grant an application access to corporate resources it must be defined on the BES in a software configuration policy with the rule "IS access to the corporate data API allowed" to "Allow".
By default any application developed by RIM will be granted access. If you want to prevent bundled applications such as Facebook and MySpace from accessing work data, you should set the separate BES IT policy rule "Disable Organizer Data Access for Social Networking Applications" to Yes. Any other bundled application that you wish to block must be defined in a Software Configuration with the "IS access to the corporate data API allowed" rule set to "Deny".
You can read more on the RIM web site - http://us.blackberry.com//apps-software/business/server/full/balance.jsp
The below video provides an overview of the key features Balance offers: