Device Security Configuration Overview
The Security configuration pane is part of the Device Security Manager. Use the Security configuration pane to view, change, import, and export Security Configurations on Windows Mobile devices and emulators. To open the Device Security Manager, click Device Security Manager on the Tools menu.
List of Security Configurations
The security configuration of a device determines the behavior of the application loader, which can prevent certain applications from installing and executing. Every Windows Mobile device or emulator uses one of seven possible security configurations in the following table.
Configuration |
Description |
---|---|
Locked |
This is the most restrictive security configuration. Only applications that are signed with a certificate that is present in the device’s certificate store have permission to run. All remote API (RAPI) calls from desktop applications are rejected.
Caution:
Provisioning the Locked configuration to a physical device is irreversible. The device will reject subsequent connection attempts from the Device Security Manager. You will not be able to unlock the device or change the security configuration. Unlike physical devices, emulators can always be unlocked.
|
Security Off |
The device has the least restrictive security model. Applications from any source can install and run with full access to system resources. RAPI calls from desktop applications can process without restrictions. |
Third Party Signed Two Tier |
Unsigned applications are not permitted to run. Applications that are signed with a certificate in the privileged certificate store run with elevated permissions. Applications that are signed with a certificate in the normal certificate store have lower permissions. For example, such applications cannot access system APIs and cannot access protected registry keys. RAPI calls are checked against the SECROLE_USER_AUTH role mask before they are granted. |
Third Party Signed One Tier |
Unsigned applications are not permitted to run. Applications that are signed with a certificate in the certificate store can install and run with full access to system resources. RAPI calls are checked against the SECROLE_USER_AUTH role mask before they are granted. |
Prompt Two Tier |
Users are prompted to give unsigned applications permission to install. If granted permission, unsigned applications can run with normal permissions. This means the applications cannot access system APIs and cannot access protected registry keys. Applications that are signed with a certificate in the privileged certificate store run with privileged permission. Applications that are signed with a certificate in the normal certificate store run with normal permission. RAPI calls are checked against the SECROLE_USER_AUTH role mask before they are granted. |
Prompt One Tier |
Users are prompted to give unsigned applications permission to install and run with full access to system resources. RAPI calls are checked against the SECROLE_USER_AUTH role mask before they are granted. |
Custom |
Security policy settings do not match any of the standard security configurations. See individual security policy settings to determine the device’s security configuration. |
What is a Security Configuration?
A security configuration is a descriptive name that is given to a set of five security policies. For an example, the Locked security configuration has policy settings of one tier, no prompt, no unsigned cabs, no unsigned applications, and no RAPI access. The following table lists the security policies that define each security configuration.
Configuration |
Policy ID 4102 (Can unsigned apps run?) |
Policy ID 4101 (Can unsigned CABs run?) |
Policy ID 4122 (Prompt User?) |
Policy ID 4123 (One-tier?) |
Policy ID 4097 (RAPI) |
---|---|---|---|---|---|
Locked |
No (0) |
No (0) |
No (1) |
Two-tier (0) or one-tier (1) |
Disabled (0) |
Third-Party-Signed One-Tier |
No (0) |
No (0) |
No (1) |
one-tier (1) |
Restricted (2) |
Third-Party-Signed Two-Tier |
No (0) |
No (0) |
No (1) |
Two-tier (0) |
Restricted (2) |
Prompt Two Tier |
Yes (1) |
Yes (1) |
Yes (0) |
Two-tier (0) |
Restricted (2) |
One-Tier-Prompt |
Yes (1) |
Yes (1) |
Yes (0) |
One-tier (1) |
Restricted (2) |
Security-Off |
Yes (1) |
Yes (1) |
No (1) |
One-tier (1) |
Allowed (1) |
Note
The name, Custom, applies to any set of security policy settings that do not conform to a standard security configuration in the table above.
For a description of each security policy and policy ID, see Security Policy Settings.
Format of XML Provisioning Import/Export file
The name attribute corresponds to the Policy ID column in the Security Policy Settings table.
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<parm name="4123" value="1" />
<parm name="4122" value="1" />
<parm name="4101" value="16" />
<parm name="4102" value="1" />
<parm name="4097" value="1" />
</characteristic>
</wap-provisioningdoc>
See Also
Tasks
How to: Change Device Security Configuration
How to: Import/Export Security Configurations (Devices)