New BlackBerry, old BlackBerry: A half step forward

Online meetings, cloud IDs, and VPN tokens show the better BlackBerry; the Knox deal and two-line phones, not so much


As BlackBerry executives sketched out the mobile pioneer's revised enterprise strategy at a press and analyst briefing yesterday, I got more and more frustrated at the superficial presentations, the vapid happy talk with "special guests," and the "mobile is a war zone" sales pitch for its latest mobile management server, BES12.

Of course, I've been frustrated with BlackBerry for several years, first by the stubborn, head-in-the-sand idiocy of its founders that almost destroyed the company, then by new CEO John Chen's mixed messages about whether BlackBerry was retrenching to a tiny market or growing the company in new areas that leveraged but were not caged by its technology roots.

Despite that frustration, I'm more optimistic about BlackBerry than I have been in a long time. I am finally seeing evidence that it is figuring out how to leverage its expertise to grow in new areas. That cautious optimism comes from the good hour I spent after the superficial event with a bevy of technology managers at BlackBerry to find out what their new technology actually does — and doesn't do.

Some of what BlackBerry is doing is worth considering for adoption in your enterprise, and some is not. Some is stuck in a pre-iOS 4.2 mindset (devices are either BlackBerry or insecure) that is simply not valid, whereas some is truly forward-thinking.

Let me walk you through the key technologies that are here or coming soon and show which reflect the old BlackBerry and which reflect the new BlackBerry. (Unfortunately, both BlackBerrys still exist.)

BES12 is both old and new

There's not much new to say about BES12 itself since its original February 2014 announcement: It better supports iOS and Android, adds support for Windows Phone (only for less-advanced features, due to Windows Phone's own limitations), cleans up its complex user interface, integrates the formerly separate management consoles, and gets rid of the old "hot server/cold server" approach in favor of a dual-hot-server for high availability and scaling.

Now shipping, BES12 awkwardly mixes per-device pricing for core features and per-user fees for new features. Ironically, one of the pitches BlackBerry execs made yesterday was that BlackBerry manages users, not devices -- except when it doesn't, obviously.

The BES12 pane for managing an iOS device. Each device has its own because even when they share policies, their constraints often differ, so policies can't be realistically provisioned across multiple device types.

What's interesting about BES12 are the new uses outside of well-known device management that it enables, as I describe later.

BlackBerry will support Samsung's Knox in BES12 — so what?

The deal between BlackBerry and Samsung is where the two BlackBerrys come together. Samsung's Knox management service uses an approach similar to BlackBerry's: It builds some security directly into the hardware, then creates an integrated security stack that goes to at least the user-facing OS and some apps. (BlackBerry extends that stack to the network via its network operations centers installed at carriers throughout the world, which create essentially a global VPN. Knox does not.)

BlackBerry's integrated security stack is why it remains the most secure mobile platform on the planet, the only one trusted for use by presidents, prime ministers, and senior defense and spy officials. Samsung hoped to get some of that market, or at least the next level of folks, by having a similar, if smaller, stack via Knox on its own hardware.

But Knox has been a market failure, partly because it didn't work as advertised (security is not Samsung's expertise) and partly because it's available for only a handful of devices, not for Android at large. Samsung hoped Knox would make its Galaxys the corporate Android standard, but that didn't happen. Now it won't because Google has decided to build a similar — though less capable — security stack into Android Lollipop via its as-yet-unreleased Android at Work technology.

So, around the time Google shoved Knox to the side, Samsung and BlackBerry began discussing a partnership, since BES is designed to work with a security stack like Samsung's, and most companies have BES in use. That's a forward-thinking partnership for both.

I wouldn't expect anything to come of it. After all, Samsung opened Knox management to other mobile management vendors, with nothing to show for it. BlackBerry and Samsung argue that because BES uses those secure network operations centers, BES-managed Galaxys should be more secure than those managed by Samsung's own mobile management server or that of another Knox-capable management server.

BBM Meetings might finally make online meetings work

The announcement yesterday that excited me most was BBM Meetings, a hosted meeting service for BlackBerrys, Android phones, Windows PCs, Macs, and soon iPhones. (There's no native tablet version for Android or iPads — a dumb omission that should be corrected pronto.) It's available now and costs $12 per host user per month.

There are dozens of meeting systems, so who needs another one? I do. My company uses Microsoft's Office 365, but Lync is so unreliable and awkward that we had to bring back Citrix's GoToMeeting. Like Cisco's WebEx, that tool is OK, but it litters your application folder with endless variants, seems to require a new download for each meeting, and doesn't integrate well with calendars.

Plus, the demo of BBM Meetings showed a much nicer interface for presenting and taking meeting "calls" than I've seen elsewhere. Even better, BBM Meetings does not require you to use BES, so you can test it out no matter how you manage your mobile devices — and even if you don't.

BBM Meetings supports video chats (left) and text chats (right) on BlackBerrys, iPhones, Android phones, Windows PCs, and Macs.

Online meetings is an area where a better mousetrap is needed. Maybe BBM Meetings is that better mousetrap. We'll see.

Speaking of BBM (BlackBerry Messenger), no, it still doesn't allow simultaneous active sessions across multiple devices, such as on your phone and tablet. You have to sign out of a device to sign into another. Sigh.

Carry less because VPN authentication uses your phone as a token

If you use a hardware token like SecurID for second-factor authentication, you know what a pain it is to always have that device with you, and to be able to read its code in dim light. Why can't your phone be that second factor?

Well, it can — a lot of services will text a one-time code to a phone number, but that's not as secure as a hardware token, and it's still not very convenient. BlackBerry has an approach I like: Your phone is the second factor, and it doesn't need to send you a code.

VPN Authentication by BlackBerry (awkward name, I know) takes advantage of the fact that BES12 manages employees' iPhones, Android phones, and BlackBerrys, so it knows which devices belong to which employees. It doesn't need a code to confirm who the recipient is — the managed phone itself provides that validation.

The user does have to tap an acknowledgment to gain access, so VPN tunnels are opened only affirmatively. As always, the user has to have the VPN access and credentials on the computer, tablet, or smartphone they are accessing the VPN from — that doesn't change.

The notion of mobile devices as hardware tokens makes a lot of sense to me. I'm not alone: Google is using the same concept in a different way — using an Android phone as a car fob replacement. So is Apple — as a credit card replacement. It's good to see BlackBerry find another use case for the concept.

The VPN feature will be available in December for an extra fee per BES-managed user; pricing depends on the service bundle you get.

Pre-federate and manage user IDs with cloud services

VPN Authentication by BlackBerry isn't the only new BES12 optional service that leverages the knowledge in BES12 of who's a user. Enterprise Identity by BlackBerry does, too.

Using SAML connections, Enterprise Identity can pre-federate your user identities, such as those in Active Directory, to cloud services that your company might provide employee access to, from to Box.

Lots of companies offer such identity connectors, but the appeal of doing it in BES is that you already manage BES, so you reduce the number of tools to keep up to date. Remove a user from BES because she left the company, and her credentials at Salesforce are revoked at the same time. Ditto with updates such as to passwords — you can use Enterprise Identity not only to enforce password standards but also to bring single sign-on to those outside services.

Enterprise Identity also will be available in December for an extra fee per BES-managed user; pricing depends on the service bundle you get.

One phone, two lines: A good idea that probably won't work

Finally, BlackBerry previewed something called WorkLife, which is a set of apps that you can operate in business or personal mode. Specifically, you can tell it when a call, text, or data connection is personal or business-related, and BlackBerry will allocate the costs between your personal account and your business account.

Although there's a lot of misunderstanding of a recent California court ruling that said employers must pay their fair share for required usage of employees' personal phones, many companies want to separate the personal and business expenses accurately for accounting reasons, without the high cost and hassle of reviewing expense reports. And many employees want to stop subsidizing their employers' telecom costs.

In the case of phone calls and texts, that means you can have separate numbers on the same device. That's a big deal for users who don't want to carry multiple devices but also want to be accessible without giving up personal numbers to business colleagues. Enterprises likewise should want to encourage customers to use employees' business numbers, so if an employee leaves the customer can still reach the company easily.

I love the concept, but it's a service that the carriers will deploy — which likely means it won't work well. Already, BlackBerry admits that the service works only if the business and personal accounts are with the same carrier — an uncommon occurrence in a BYOD environment. And it hasn't fully worked out how this feature will work in iOS.

You can bet that carriers will charge a premium for this service if they make it available, or otherwise make it unappealing, such as by requiring that everyone at a company use them. That's what they do whenever they get the chance.

This carrier centrism unfortunately won't change. BlackBerry has a long history with the carriers — it needed their support to set up those network operations centers, after all — and that tight relationship is a key reason BlackBerry meets the most stringent security requirements.

Nor is BlackBerry in Apple's position, where it can force carriers to treat everyone fairly. Apple forced carriers to let Apple control iOS updates, which is why we all get those updates at the same time no matter our carrier or device model. Apple also forced carriers to provide pay-as-you-go service for cellular iPads, which is why you don’t need a contract for those tablets.

The carrier relationship is a necessary part of the old BlackBerry's strength. But it will get in the way of new-era innovations like WorkLife.

Copyright © 2014 IDG Communications, Inc.
