

Security Policy Settings

The possible configuration settings for the security policies, including the policy ID, default value, and roles, are listed below. Each entry names the policy setting and then describes it.
AutoRun
This setting indicates whether applications stored on a MultiMedia Card (MMC) are allowed to auto-run when inserted into the device.

Default value is 0. The following list shows the possible values:

  • 0 indicates that applications are allowed to run automatically.
  • 1 indicates that applications are restricted from running automatically.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 2.

Grant Manager
This setting grants the system administrative privileges held by SECROLE_MANAGER to other security roles, without modifying metabase role assignments.

Configuration Manager enforces the Grant Manager policy.

Default value is SECROLE_USER_AUTH. The following list shows the possible values:

  • SECROLE_USER_AUTH indicates system administrative privileges are given to the SECROLE_USER_AUTH mask.
  • SECROLE_NONE indicates that only the manager is granted the Manager role.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4119.

Grant User Authenticated
This setting grants privileges held by SECROLE_USER_AUTH to other security roles without modifying metabase role assignments.

Default value is SECROLE_USER_AUTH. The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that no additional administrative privileges are given.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

Configuration Manager enforces the Grant User Authenticated policy.

The required role to modify policy is SECROLE_USER_AUTH.

The Policy ID is 4120.

Message Authentication
This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Default value is 3. Possible values are 1 through 256.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4105.

OTA Provisioning
This setting specifies which provisioning messages are accepted by the Configuration Host, based on the roles assigned to the messages. This policy limits the provisioning messages that come from the Push Router. For more information about the Configuration Host, see Data from Push Router.

The default is SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH.

A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4111.

PrivilegedApps
This setting specifies which security model is implemented on the device.
Note   This policy applies only to Smartphones.

Default value is 0. The following list shows the possible values:

  • 0 indicates that a two-tier security model is enabled.
  • 1 indicates that a one-tier security model is enabled.
  • Any value other than 1 is treated as 0.

The required role to modify policy is SECROLE_MANAGER.

For information about how the one-tier and two-tier security models affect applications, see Security Overview (SP Only).

RAPI
This setting restricts the access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations on mobile devices.

Default value is 2. The following list shows the possible values:

  • 0 indicates that the ActiveSync service is shut down. RAPI calls are rejected.
  • 1 indicates that full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
  • 2 indicates that access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4097.

Service Indication Policy
This setting indicates whether SI messages are accepted. A Service Indication (SI) message is sent to the Windows Mobile-based Smartphone to notify users of new services, service updates, and provisioning services.
Note   This policy applies only to Smartphones.

You specify the security roles that can accept SI messages as a role mask.

Default value is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4109.

Service Loading Policy
This setting indicates whether SL messages are accepted. A Service Loading (SL) message downloads new services or provisioning XML to the Windows Mobile-based Smartphone.
Note   This policy applies only to Smartphones.

You specify the security roles that can accept SL messages as a role mask.

Default value is SECROLE_PPG_TRUSTED.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4108.

Trusted Provisioning Server
This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role.

Default value is 1. The following list shows the possible values:

  • 0 indicates that TPS role assignment is disabled.
  • 1 indicates that TPS role assignment is enabled, so the TPS role can be assigned to mobile operators.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4104.

Trusted WAP
This setting specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parm is specified in the PXLOGICAL characteristic element.

You specify the security roles that can have Trusted WAP Proxy level permissions as a role mask.

Default value is SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4121.

Unauthenticated Messages
This setting indicates whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin. The message source must have one of the security roles specified by this policy.

You specify the security roles that the unsigned messages will be accepted from as a role mask.

Default value is SECROLE_USER_UNAUTH.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4110.

Unsigned Applications Policy
This setting indicates whether unsigned applications are allowed to run on a Windows Mobile-based Smartphone. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is treated as unsigned. For information about certificate stores, see Certificate Stores.
Note   This policy applies only to Smartphones.

Default value is 1. The following list shows the possible values:

  • 0 indicates that unsigned applications are not allowed to run on the device.
  • 1 indicates that unsigned applications are allowed to run on the device.
  • Any value other than 1 is treated as 0.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4102.

Unsigned CABS
This setting indicates whether unsigned .cab files can be installed on the device. On the Windows Mobile-based Smartphone, accepted unsigned .cab files are installed with the role mask specified by the policy value.

For Smartphone, if a signed .cab file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is treated as unsigned. For information about certificate stores, see Certificate Stores.

Note   CAB Provisioning Format files — files with a .cpf extension — are processed the same as .cab files.

Default value is SECROLE_USER_AUTH. The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that unsigned .cab files will be installed under the USER_AUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned .cab files can be installed.
  • A specified role mask indicates accepted unsigned .cab files are installed with the role mask specified.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4101.

Unsigned Prompt Policy
This setting indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files.
Note   This policy applies only to Smartphones.

Default value is 0. The following list shows the possible values:

  • 0 indicates user will be prompted.
  • 1 indicates user will not be prompted.
  • Any value other than 1 is treated as 0.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4122.

Unsigned Themes Policy
This setting indicates whether unsigned Theme files can be installed on the device. On the Windows Mobile-based Smartphone, accepted unsigned Theme files are installed with the role mask specified by the policy value.

For Smartphone, if a signed Theme file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is treated as unsigned. For information about certificate stores, see Certificate Stores.

Note   This policy applies only to Smartphones.

Default value is SECROLE_USER_UNAUTH. The following list shows the possible values:

  • SECROLE_USER_UNAUTH indicates that unsigned Theme files will be installed under the USER_UNAUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned Theme files can be installed.
  • A specified role mask indicates accepted unsigned Theme files are installed with the role mask specified.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4103.

WAP Signed Message
This setting indicates whether a WAP signed message is accepted based on whether the role assigned to the message matches any of the roles specified in the policy setting.

Default value is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS | SECROLE_OPERATOR.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4107.
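The role-mask policies above (OTA Provisioning, Service Indication, Service Loading, Unauthenticated Messages, Trusted WAP, WAP Signed Message) and the Grant Manager policy all follow one rule: a mask is a bitwise OR of SECROLE_* values, a message or caller passes when any role it holds is in the mask, and Grant Manager extends SECROLE_MANAGER privileges to every role named in its own mask. The Python model below is an added example, not Microsoft's code. The SECROLE_* names, policy IDs, defaults and required roles are the ones listed on this page; the numeric bit values and the `message_accepted`, `effective_roles` and `set_policy` helpers are constructed for illustration only.

```python
"""Role-mask evaluation for the mask-valued Windows Mobile security policies.

Added example, not Microsoft's code.  The SECROLE_* names, policy IDs and
default masks are those on this page; the bit values below are CONSTRUCTED
(the platform headers define the real ones), so only the names and the
OR/AND behaviour carry over.
"""
from dataclasses import dataclass

# Constructed bit assignments, not the platform's values.
SECROLE_NONE = 0
SECROLE_OPERATOR = 1 << 0
SECROLE_OPERATOR_TPS = 1 << 1
SECROLE_MANAGER = 1 << 2
SECROLE_USER_AUTH = 1 << 3
SECROLE_USER_UNAUTH = 1 << 4
SECROLE_TRUSTED_PPG = 1 << 5
SECROLE_PPG_AUTH = 1 << 6
SECROLE_PPG_TRUSTED = 1 << 7

ROLE_NAMES = {
    SECROLE_OPERATOR: "SECROLE_OPERATOR",
    SECROLE_OPERATOR_TPS: "SECROLE_OPERATOR_TPS",
    SECROLE_MANAGER: "SECROLE_MANAGER",
    SECROLE_USER_AUTH: "SECROLE_USER_AUTH",
    SECROLE_USER_UNAUTH: "SECROLE_USER_UNAUTH",
    SECROLE_TRUSTED_PPG: "SECROLE_TRUSTED_PPG",
    SECROLE_PPG_AUTH: "SECROLE_PPG_AUTH",
    SECROLE_PPG_TRUSTED: "SECROLE_PPG_TRUSTED",
}


@dataclass(frozen=True)
class MaskPolicy:
    name: str
    default: int       # role mask the policy accepts
    modify_role: int   # role required to change the policy


# Defaults and required roles as listed on this page.
MASK_POLICIES = {
    4107: MaskPolicy("WAP Signed Message",
                     SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS | SECROLE_OPERATOR,
                     SECROLE_MANAGER),
    4108: MaskPolicy("Service Loading Policy", SECROLE_PPG_TRUSTED, SECROLE_MANAGER),
    4109: MaskPolicy("Service Indication Policy",
                     SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED, SECROLE_MANAGER),
    4110: MaskPolicy("Unauthenticated Messages", SECROLE_USER_UNAUTH, SECROLE_MANAGER),
    4111: MaskPolicy("OTA Provisioning",
                     SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED
                     | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH,
                     SECROLE_MANAGER),
    4119: MaskPolicy("Grant Manager", SECROLE_USER_AUTH, SECROLE_MANAGER),
    4121: MaskPolicy("Trusted WAP",
                     SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER, SECROLE_MANAGER),
}


def roles_in(mask: int) -> list:
    """Names of the roles set in a mask, for readable reports."""
    return [name for bit, name in ROLE_NAMES.items() if mask & bit]


def effective_roles(roles: int, grant_manager_mask: int) -> int:
    """Apply Grant Manager (4119): a source holding any role in the grant
    mask also acts with SECROLE_MANAGER privileges."""
    if roles & grant_manager_mask:
        return roles | SECROLE_MANAGER
    return roles


def message_accepted(policy_id: int, message_roles: int, current: dict = None) -> bool:
    """A message passes a mask policy when any of its assigned roles is in
    the mask (the page: 'matches any of the roles specified')."""
    current = current or {}
    mask = current.get(policy_id, MASK_POLICIES[policy_id].default)
    return (mask & message_roles) != 0


def set_policy(policy_id: int, caller_roles: int, new_mask: int, current: dict) -> bool:
    """Write a policy only if the caller holds its required role once Grant
    Manager has been applied; returns True when the write happened."""
    grant = current.get(4119, MASK_POLICIES[4119].default)
    caller = effective_roles(caller_roles, grant)
    if not caller & MASK_POLICIES[policy_id].modify_role:
        return False
    current[policy_id] = new_mask
    return True


if __name__ == "__main__":
    store = {}   # policies changed from their defaults
    print("SL from PPG_AUTH under default:", message_accepted(4108, SECROLE_PPG_AUTH))
    ok = set_policy(4108, SECROLE_USER_AUTH, SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED, store)
    print("USER_AUTH could widen SL (Grant Manager default):", ok)
    hardened = {4119: SECROLE_NONE}
    print("USER_AUTH can change SL with Grant Manager = NONE:",
          set_policy(4108, SECROLE_USER_AUTH, SECROLE_NONE, hardened))
    print("SI default accepts:", roles_in(MASK_POLICIES[4109].default))
```

Running it shows why the Grant Manager default deserves attention when reviewing a device baseline: because its default mask contains SECROLE_USER_AUTH, a user-authenticated source satisfies every "required role is SECROLE_MANAGER" check on this page, whereas setting Grant Manager to SECROLE_NONE (the page's "only the manager is granted the Manager role") confines policy changes to holders of SECROLE_MANAGER.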

WSP Push
This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

Default value is 1. The following list shows the possible values:

  • 0 indicates that routing of WSP notifications is not allowed.
  • 1 indicates that routing of WSP notifications is allowed.

The required role to modify policy is SECROLE_MANAGER.

The Policy ID is 4113.
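The numeric policies on this page each come with a documented value set, and three of them (PrivilegedApps, Unsigned Applications Policy, Unsigned Prompt Policy) state that any value other than 1 is treated as 0, so a provisioning document that sets policy 4102 to 7 in fact blocks unsigned applications. The Python audit script below is an added example, not Microsoft's code: it reads a SecurityPolicy characteristic, applies the coercion and range rules documented above, fills in the page's defaults for policies the document leaves unset, and flags values that loosen a control. The XML layout (a `characteristic` of type SecurityPolicy whose `parm` names are policy IDs) and the sample document are assumptions of this example; PrivilegedApps is omitted because the page gives no policy ID for it.

```python
"""Parse and audit the integer-valued Windows Mobile security policies.

Added example, not Microsoft's code.  Assumptions: policy IDs, defaults
and value meanings are taken from the table on this page; the XML shape
(a SecurityPolicy characteristic whose parm name is the policy ID) is
assumed; SAMPLE_DOC is a constructed document.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class IntPolicy:
    name: str
    default: int
    valid: range                          # values the page documents
    coerce: bool = False                  # page: "Any value other than 1 is treated as 0"
    permissive: frozenset = frozenset()   # values that loosen the control


# Numeric (non-mask) policies as documented on this page.
INT_POLICIES = {
    2:    IntPolicy("AutoRun", 0, range(0, 2), permissive=frozenset({0})),
    4097: IntPolicy("RAPI", 2, range(0, 3), permissive=frozenset({1})),
    4102: IntPolicy("Unsigned Applications Policy", 1, range(0, 2), coerce=True,
                    permissive=frozenset({1})),
    4104: IntPolicy("Trusted Provisioning Server", 1, range(0, 2)),
    4105: IntPolicy("Message Authentication", 3, range(1, 257)),
    4113: IntPolicy("WSP Push", 1, range(0, 2)),
    4122: IntPolicy("Unsigned Prompt Policy", 0, range(0, 2), coerce=True,
                    permissive=frozenset({1})),
}


def normalize(policy_id: int, raw: str):
    """Return the value the device would apply, or None if it is not valid."""
    pol = INT_POLICIES[policy_id]
    try:
        value = int(raw)
    except ValueError:
        return None
    if pol.coerce:                        # documented rule for this policy
        return 1 if value == 1 else 0
    return value if value in pol.valid else None


def parse_security_policy(xml_text: str) -> dict:
    """Map policy ID -> raw value string from the SecurityPolicy characteristic."""
    root = ET.fromstring(xml_text)
    found = {}
    for char in root.iter("characteristic"):
        if char.get("type") != "SecurityPolicy":
            continue
        for parm in char.findall("parm"):
            name = parm.get("name", "")
            if name.isdigit():
                found[int(name)] = parm.get("value", "")
    return found


def audit(xml_text: str) -> dict:
    """Effective value and status ('ok', 'permissive', 'invalid') per policy."""
    raw = parse_security_policy(xml_text)
    report = {}
    for pid, pol in INT_POLICIES.items():
        if pid in raw:
            value, source = normalize(pid, raw[pid]), "document"
        else:
            value, source = pol.default, "default"
        if value is None:
            status = "invalid"
        elif value in pol.permissive:
            status = "permissive"
        else:
            status = "ok"
        report[pid] = {"name": pol.name, "value": value, "source": source, "status": status}
    return report


# Constructed sample provisioning document (not from the page).
SAMPLE_DOC = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4102" value="7"/>
    <parm name="4097" value="1"/>
    <parm name="4105" value="300"/>
    <parm name="4122" value="1"/>
  </characteristic>
</wap-provisioningdoc>"""


if __name__ == "__main__":
    for pid, row in sorted(audit(SAMPLE_DOC).items()):
        print(f"{pid:>5}  {row['name']:<30} {str(row['value']):>5}  "
              f"{row['source']:<8} {row['status']}")
```

In the sample, 4102 comes out as 0 (coerced, unsigned applications blocked), 4097 and 4122 are reported as permissive (unrestricted RAPI and no unsigned prompt), 4105 is rejected as out of the documented 1 through 256 range, and AutoRun is flagged from its default alone because the page's default of 0 permits auto-run from an MMC.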

 

See Also

Security for Windows Mobile Devices | Security Roles | Security Policies and Roles | Application Security

Last updated on Friday, April 22, 2005

© 2005 Microsoft Corporation. All rights reserved.
