I am getting quite tired of seeing
this a lot:

Ya see… here’s the thing.  In Europe,
people tend to cross borders.  A lot.  Especially business people.
 I know that the iPhone was made in the USA, and although us outsiders
have to practically audition to gain entry to the USA at this stage, once
you are in, your network coverage is relatively carrier static.

In Europe, its different.  Very
different.  Lets take my example.  I live in Northern Ireland
(aka the United Kingdom) and would use O2UK.  Once I cross the land
border to Southern Ireland, my phones would need to switch to Vodafone
or O2Ireland, or Metor.  Flying to other countries, which I am lucky
enough to do from time to time, means my phone needs to join many different
cellular networks.  This IS NOT data roaming.  This is just simple
GSM roaming (i.e. to make and take calls).   My blackberry just switches
network… as it needs to, and I can set preferred carriers if I want.
 I can cross borders over land and the phone switches network, and
I can be on a call for that period.  Easy.

When my iPhone loses it network carrier,
it barfs and displays "no service", until I manually switch it
to another network.. and that can easily take time as the unit has to scan
and find them all.  If you don’t believe me, drive from Newry to Dundalk
(border crossing between Northern and Southern Ireland) with an iPhone…
You are disconnected for up to 5 minutes.

When I land in another country, taking
my blackberry out of flight mode is simple.  It just finds the preferred
network.  My iPhone sits there, looking pretty and confused, and even
trying to get it to select a new network takes AGES, and sometimes even
a restart.  Imagine this was my full-time business phone.

The iPhone, is not corporate ready.

Band below, food on the way, mountain of
work to get done, beer beside laptop.  Its not that bad sometimes.

I will begin with the following important
points:
1. – This is true
2. – Nothing at all to do with me
3. – Names of all those involved are removed to prevent their removal from
the global gene pool (by death) or at the least some sort of Darwin award.

A businessman has a windows mobile device (Weapon of mass destruction -
whichever you want to call it).  He is using (quite happily) Lotus
Traveller to replicate mail/contacts/pim data down.  Unfortunately,
he loses the unit and contacts the support desk.  The support desk
asks third line support "what do I do to stop his data going to the
device?".  He is told to reset the internet password.  Support
guy does…. to the SAME password that is there already.  Ergo, traveller
is still working.

The businessman is unhappy he lost his
device, but will live on thinking the unit is disabled.  Then, he
starts to notice that his contacts are disappearing from his address book.
 A few at a time… disappearing.  

THEN he notices that new numbers are
appearing in his personal address book – people he does not even know.

The person that "found" the
device had deleted all the entries that were in the address book, and started
to enter his mates’ details.  Traveler was still working, so the deletions
and new entries started to go to the businessman’s personal address book.

One of these entries was "Dad",
and had a phone number.

The businessman phones "Dad"
and turns out that he knows him!  A frank discussion ensues and a
while later the son, who "found" the device returned it, redfaced…..

I laughed so hard I choked.

Considering Ireland is limbering
up for the wettest year in history, my view from the hotel room makes me
feel better in Malta.  Now, if only I could get out of working for
the week!

Over the past few weeks, I have
completed security audits in many sites, and in two particular sites, we
were asked to include the Blackberry environment in our realm.  The
blackberry server and policies allow for excellent control of the units
that your company has in the field. if you have compliance requirements,
security requirements, or you are just a bad-ass administrator, you cannot
beat blackberry.
You can have different policies for different users, and assigning a policy
can be scheduled or immediate.  There are some simple no brainers
that you may want to turn on, to secure your environment:

• Forcing device locking
• Forcing device locking even
  if in use (this makes the unit lock even if the person is using it, after
  a period of time)

• Disable camera
• Disable/restrict bluetooth
  
  and many many more..
  There are some that you can implement,
  but they make you unpopular!

• Disable MMS
• Disable SMS
• Disable browser/phone
• Disable installation of any thrid party
  product, or restrict social network products (e.g. facebook/twitter)

• Disable usage as an external hard disk
• Disable SD support internally
• Disable GPS
• Disable Blackberry Maps
  
  Believe me, there are hundreds of them.
   Look at these:
  
  

  Some of them, are not highly documented
  and could get you in trouble!  For example, look at this screenshot:
  
  
  Ahem… enterprise location tracking will
  activate the GPS on the unit, and send back location information (read:
  where you are) to the SQL back-end.  At this point, I can hear eyebrows
  rising….  This may be useful in specific environments, but this
  could also seriously get yourself in trouble as you are now "big brother".
   This feature is available since 4.1.4 but there is not much available
  online.  Expect more on this as I have enabled it for my blackberry,
  and want to see what information it records.

  I have documented a list of what options
  in Blackberry policies are available, and listed them in order of "Should
  enable", "maybe enable" and "totally optional".
   If you would like it, drop me a line.

This, in short, is a feature that will
have Domino administrators, help desk staff and help desk managers dancing
in the aisle at Lotusphere.  While playing around with the beta, I
setup and configured the id vault and thought I would post some screenshots/thoughts.
 And, of course its a beta, so what you see here may not be what you
get!

It requires Notes 8.5 on the server
and client.

Im not going to go into details on how
it works just yet, but I had it up and running in about 10 minutes in a
lab.

Administrators can create one, or multiple
vault databases to store passwords, and assign id files created by specific
Organisation units to the databases.  Admins have to also be assigned
rights to reset passwords, and these rights can be vault specific.

From a users’ perspective, what does
the id vault let you do.  Well, two simple things at the moment.  

1 – It allows you to change your password
on your Notes client, and that, in turn means your password is changed
on any other copy of your id file from now on.

2 – It allows you to easily get your
password reset.

From an administrator’s perspective,
it gives us the functionality to:

Keep an storage of id files in an encrypted
database on the server.  These id files are provisioned to the notes
clients upon logon (i.e. the id file is sent down to the client).  When
a user changes his password, the id file goes up to the vault/database
with the new password, so if he logs on from another machine, the updated
id file is sent down (ergo – password syncing accross Lotus Notes clients).

Have custom, policy based information
given to users telling them how to ask to have their password reset.

Reset the password in two clicks.

Here are some pictures of what the user
can see:

Note the Forgotton password button!  We
can give customised messages to the clients based on policies applied,
for example:

Now, what does an administrator have?, well, from the people tab of
the client, permitted Administrators are allowed do this:

And then do this:

And, it works… even in beta.  I have reset the password and
immediately the user can log in using that password.  Nice eh?

Seen in Terminal 4 in Heathrow

Using the iPhone to fix a blackberry enterprise server issue.
Over the weekend I was working on a BES and forgot to make one small change last night. This morning, after landing in Heathrow, and whilst on the move I managed to buy and install Mocha VNC software on my iPhone, log into the server and resolve the issue. Mocha VNC lite is available for free from the App store, but does NOT allow you to CTRL ALT DEL, which, effectively makes it useless if you lock machines.
The iPhone has a long way to go to catch up with the BES in the corporate world (including functionality and security) but it often makes you smile!

I know the golden rule is to never apologise for blogging (so I won’t) but for the first time in ages, when I sit in front of the 8.5 Notes client, I find it very hard to write.. em… anything. Its a rut, and I know it is, and it happens to everyone from time to time (especially people keeping their own site going over 2-3 years), but although I do want to contribute to this, much larger IBM/Lotus community at the moment, the energy currently is not there. Twitter is like the ultimate “short blog post” fix and that drains a lot of posts from sites – and sometimes makes what would be “gems” on a blog site disappear into the noise of following over 200 tweeters. I am as guilty twittering useful stuff instead of blogging as anyone else is.
I have a few things I wanted to write about, Warren’s fantastic work with UKLUG (seriously…go!), any of the 4 events I am speaking at before the end of the year, Blackberry server policies (which I have done a lot of work with recently), iPhone stuff, Connections and Foundations configurations I have worked on, and some cool admin features that have appeared in 802/8.5 domino directories. Looking at recent posts of mine, there are very few technical ones and that is pissing me off. So, its either walk away for a while or get my ass in gear! Normal abnormal posts will resume.

I actually meant it! – I’m testing something new here….. Nothing to see here.. no sirree