Security and Managing Devices

4/8/2010

The following list shows how security policies and roles are used to manage devices.

Security Policies
    Use to configure security settings that are then enforced with the help of security roles and certificates.

    Security policies enforce security requirements for all OTA data messages that a mobile device receives, including push messages.

    The policies use roles to determine whether or not a message is accepted, and if it is accepted, what level of access it is allowed.

    For the security policies that are used for Device Management, see Security Policies and Security Policy Settings.

Security Roles
    Use to allow or restrict access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed.

    You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE_OPERATOR and SECROLE_OPERATOR_TPS roles, use the decimal value 132 (4 + 128).

    For general best practices, see Best Practices in Managing Devices.

General Security Best Practices

  • Use OMA DM whenever possible
    When using OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.

    The exception is bootstrapping a device: OMA Client Provisioning can be used for bootstrapping once OTA bootstrap is enabled.

  • Set appropriate access
    Set appropriate access for each configurable setting and establish what can be done with the setting if access has been granted. The following table shows the properties that you can use to manage Read/Write permission and access security roles for each configurable setting in a device:

    Property     Description
    access-role  Determines who can access the setting. Access roles determine which security roles are allowed to access a metabase entry.
    rw-access    Determines what can be done with the setting once access has been granted. It identifies the roles that have Read/Write access to the entry.

    For more information about these properties, see Metabase Configuration Service Provider.

  • Follow the best practices for the protocol you use
    Follow the security best practices for OMA Client Provisioning and for OMA Device Management.

In This Section

  • Wiping a Device
    Describes how to clear flash memory locally and remotely.

See Also

Other Resources

Security for Windows Mobile Devices
Security Roles
Security Policies