How does the BES Wireless Activation process work?


What is it?

In a nutshell, the Enterprise Activation feature of the Blackberry Enterprise Server links a specific Blackberry handheld to a user account on the BES: it is the equivalent of connecting a handheld to the BES server via a USB or RS232 cable. Once activated, the contents of that user’s mailbox are wirelessly synchronised to the handheld. The beauty of the feature is that the Blackberry doesn’t need to be physically connected to the BES before it can be used. In fact, it doesn’t even need to ever set foot on the company premises – it can be activated wirelessly over the cellular network, in theory from anywhere in the world!

Before I describe how this process works, it is first necessary to explain how the end-to-end Blackberry solution works.
Research In Motion, the company that develops the Blackberry solution, has deployed hardware in different parts of the globe that is accessible to each mobile network operator offering Blackberry service: the RIM Relay. This device acts as a proxy server, proxying requests from the handheld devices and the BES servers deployed throughout the world. This proxy-based architecture is the reason why the BES server itself does not require a public IP address, unlike other remote email solutions, but it also means that you are dependent upon a third party’s hardware for your messaging solution to operate.
Each Blackberry handheld device has a unique identifying number assigned to it – its PIN number. When the handheld registers on the cellular network, it sends this PIN number to the RIM Relay so that the Relay ‘knows’ that the device is available and ready to send and receive data. The BES server also has a unique identifier: the SRP key entered during the installation process. Provided that the BES has a connection to the Internet, when the Blackberry services are started, the server also registers with the Relay.


What does the process involve?

Before a handheld can be activated wirelessly, the administrator of the BES first needs to add the user to the BES and then assign an activation password to the user via the Blackberry Manager on the BES itself:

[Image: How does the BES enterprise activation process work]

The Administrator selects the entry for the user account, and then clicks on the option to Generate and Email Activation Password within the Service Access task.

This causes an email to be sent to the target user, from the BESAdmin user account, containing the activation password. A typical email would look something like this:

[Image: How does the BES enterprise activation process work]

The user now has all they need to activate the handheld.

On Blackberry handheld devices, if you open the Options menu and then select Advanced Options, in this menu you will see an option for Enterprise Activation.
If you select this option, depending on which version of the handheld software you are running, you will see either two or three fields:

  • Email
  • Password
  • Activation Server

The Activation Server field does not need to be completed if the device is being activated via a cellular connection; I will look at this option later.

The user needs to enter their full email address, and their activation password that they were emailed by the BESAdmin user. NOTE – it is important that the user does not get confused and use their NT domain password; it must be the Blackberry enterprise activation password. Also note, if the password contains capital letters, the password IS case-sensitive.

Once the Email and Password fields have been completed, press the jogwheel and select Activate from the menu.
If the phone element of the handheld is currently turned off, you will be prompted to enable it, and the activation process will then proceed.


How does it work?

On the handheld device, when the option to Activate is selected, the handheld examines the email address that has been entered in the Email field. It identifies the domain (the text after the @ sign in the email address), and performs an MX-lookup on that domain, using DNS, to locate the mail server for that domain. Once located, it then sends an email to the email address containing specific text in the subject and body of the message. A typical email might look something like this:

[Image: How does the BES enterprise activation process work]

When a user is added to the BES server, the BESAdmin user account monitors the user’s mailbox from that moment on, looking for changes that need to be mirrored on the handheld device.
When this email from the handheld is delivered to the mailbox, the BES detects it, and knows from the text in the subject and body fields that it is a command message, and acts on it accordingly, linking the PIN number of the handheld to that user account. This information is then updated to the Relay so that it ‘knows’ that the PIN of the handheld is linked to the SRP key of the BES server, and that data should be relayed between the two whenever both are online and authenticated. Once this process has completed, the email is then automatically deleted from the user’s mailbox.
This process usually occurs so quickly that the user never actually sees the email arrive or disappear again.
The contents of the user’s mailbox are then synchronised to the handheld. The length of time this process can take will vary depending on the amount of data that is held in the user’s mailbox, but 10 minutes is a normal figure.


What might cause this process to fail?

Mobile Network Operator

The handheld device itself will clearly need to be registered on the cellular network: the user should see the signal strength indicated on the screen, and should also see the type of service indicated: ideally the user should see GPRS or EDGE on the handheld. If the user is out of coverage then the process will fail.

The SIM in the handheld will also need to be enabled for the Blackberry service with the network operator: it is not sufficient to be merely enabled for GPRS or 3G service. If the user receives an error on the handheld along the lines of ‘service connection not available’, despite indicating GPRS service, then the SIM is not enabled correctly for Blackberry service.

DNS

For the enterprise activation process to succeed, the handheld must be able to resolve the MX record for the domain from the email address entered.
MX records are Mail eXchange records: they are the email equivalent of the DNS entries for web sites that map, say, ‘www.bbc.co.uk’ to ‘212.58.253.67’.
The DNS entries for your domain must be configured correctly.
To be honest, this is unlikely to be the cause of the problem as, if your DNS entries were not configured correctly, it is likely that you would not be receiving ANY email, not just emails from Blackberry handhelds. But this is worth taking into consideration when troubleshooting the activation process in case your email delivery architecture has anything ‘funny’ in it.

Spam filters & anti-virus software

The activation confirmation email generated from the handheld needs to arrive in the end user’s mailbox, for it to be picked up by the BES server.
If the mail is identified as being spam by a filtering system and ‘quarantined’ the process will fail. Ideally the RIM Relay will need to be added as a ‘safe sender’ to the whitelist. How this is done depends on the filtering system in place – adding the entire domain ‘blackberry.net’ as a safe sender would be one solution.
If the mail does arrive in the user’s mailbox, but has been altered in some way, the process will fail. The text contained in the subject and body of the message is specifically intended for the BES server, therefore if an anti-virus system prefixes the word [SCANNED] to the subject of a message, the BES will not recognise the mail as being a command message and will ignore it, causing the process to fail.
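
The check below is an added troubleshooting example, not part of the original article or of any RIM tooling. It compares a reference copy of the command email with the copy retrieved from the user's mailbox and reports whether a filter tagged the subject, altered the body, or prevented delivery. The sample messages, addresses and the `diagnose` helper are constructed placeholders; the real command subject and body are not reproduced on this page.

```python
from email import message_from_string
from email.header import decode_header, make_header

# Constructed samples: the real command subject/body are not shown on the page.
SENT = ("From: handheld@example.net\nTo: user@example.com\n"
        "Subject: CONSTRUCTED-COMMAND-SUBJECT\n\nCONSTRUCTED-COMMAND-BODY\n")
TAGGED = SENT.replace("Subject: ", "Subject: [SCANNED] ")
FOOTER = SENT + "\n-- \nScanned by ExampleAV\n"

def _subject(msg):
    # Decode RFC 2047 encoded words so a re-encoded but unchanged subject matches.
    return str(make_header(decode_header(msg.get("Subject", "")))).strip()

def _body(msg):
    # First text/plain part, with line endings and trailing spaces normalised.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    if not parts:
        return ""
    raw = parts[0].get_payload(decode=True) or b""
    text = raw.decode(parts[0].get_content_charset() or "utf-8", "replace")
    return "\n".join(l.rstrip() for l in text.replace("\r\n", "\n").split("\n")).strip()

def diagnose(sent_raw, delivered_raw):
    """Return findings; an empty list means subject and body arrived unaltered."""
    if delivered_raw is None:
        return ["not delivered: check quarantine and client rules that remove mail"]
    sent, got = message_from_string(sent_raw), message_from_string(delivered_raw)
    findings = []
    s, g = _subject(sent), _subject(got)
    if s != g:
        if s and g.endswith(s):
            findings.append("subject prefixed with %r" % g[:-len(s)].strip())
        else:
            findings.append("subject rewritten: %r" % g)
    s, g = _body(sent), _body(got)
    if s != g:
        if s and g.startswith(s):
            findings.append("text appended to body")
        else:
            findings.append("body rewritten")
    return findings

if __name__ == "__main__":
    for name, copy in [("clean", SENT), ("tagged", TAGGED),
                       ("footer", FOOTER), ("missing", None)]:
        print(name, diagnose(SENT, copy))
```
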

User permissions

If the command email is not able to be read by the BESAdmin user, then the process will fail. This is normally indicated by the fact that the command email appears in the user’s mailbox, but then never disappears again.
The BESAdmin user needs to be a ‘View-Only Exchange Administrator’, and needs ‘Send As’, ‘Receive As’ and ‘Administer Information Store’ rights on the Exchange Server to be able to properly send and receive emails from user mailboxes to the remote handhelds.

Outlook or desktop email client configuration

If the user's desktop email client is configured to download mails from the user's Exchange mailbox and then remove them, either via POP or to a local PST file, this can cause the process to fail, as the BES won't be able to retrieve the mail if it has already been removed from the user's mailbox.

User error, or ‘the MD Factor’

Network Administrators out there – if you have verified all of the above and are still at a loss to explain why the process isn’t working, don’t be afraid to suggest that your user is a numpty!


So what is the Activation Server?

I mentioned above that on newer handheld devices, the Enterprise Activation wizard allows for the entry of an activation server address. This field is not required if the device is being activated over a cellular connection, as the device locates the address of the BES by sending the command email to the domain’s mail server for the BES to detect and act on.
The Activation Server field is designed to be used if the handheld is being activated locally via a WiFi connection – provided that activations via WiFi are permitted on the BES itself. This can be configured within the Blackberry Manager.