Share via

Security policy

  • Article

OEMs can configure security policy settings for OMA Client Provisioning, MMS, Service Indication (SI), Service Loading (SL), and WAP push.

The following security policies are supported.

OMA Client Provisioning

Setting Description

TrustedProvisioningServerRole

Trusted Provisioning Server (TPS) policy indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.

Valid values are 0 (TPS role assignment is disabled) and 1 (TPS role assignment is enabled, and can be assigned to mobile operators).

Default value is 1.

MessageAuthenticationRetry

Message Authentication Retry Number policy specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Valid value range is 0 through 256.

Default value is 3.

OTAProvisioningRoles

OTA Provisioning policy determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in the NetwpinRoles, UserpinRoles, and UsernetwpinRoles policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client Provisioning messages are accepted by the device, if the UsernetwpinRoles policy is set to SECROLE_ANY_PUSH_SOURCE for a carrier-unlocked phone, this policy must also have the SECROLE_ANY_PUSH_SOURCE role set.

Valid values are:

  • SECROLE_OPERATOR_TPS

  • SECROLE_KNOWN_PPG

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

Default value is SECROLE_OPERATOR_TPS_OR _SECROLE_KNOWN_PPG.

ProvisionMessageUserPrompt

Network PIN Prompt policy specifies whether the device will prompt a UI to get the user confirmation before processing a pure network pin signed OTA Provisioning message. If prompt, the user has the ability to discard the OTA provisioning message.

Valid values are 0 (the device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin) and 1 (no user prompt)

Default value is 0.

NetwpinRoles

OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

Warning  

IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The Windows Phone OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM.

Valid values are:

  • SECROLE_OPERATOR_TPS

  • SECROLE_KNOWN_PPG

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

UserpinRoles

OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

Valid values are:

SECROLE_OPERATOR_TPS

SECROLE_KNOWN_PPG

SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG

SECROLE_ANY_PUSH_SOURCE

SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE

SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

UsernetwpinRoles

OMA Client Provisioning User Network PIN policy determines whether the OMA user network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

Warning  

IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The Windows Phone OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM.

Valid values are:

  • SECROLE_OPERATOR_TPS

  • SECROLE_KNOWN_PPG

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

  • SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

 

The following sample shows how to configure OMA Client Provisioning security policies.

<Settings Path="DeviceManagement/Policies/OMACP">
    <Setting Name="TrustedProvisioningServerRole" Value=""/>
    <Setting Name="MessageAuthenticationRetry" Value=""/>
    <Setting Name="OTAProvisioningRoles" Value=""/>
    <Setting Name="ProvisionMessageUserPrompt" Value=""/>
    <Setting Name="NetwpinRoles" Value=""/>
    <Setting Name="UserpinRoles" Value=""/>
    <Setting Name="UsernetwpinRoles" Value=""/>
</Settings>

MMS

Setting Description

MMSMessageRoles

Message Encryption Negotiation policy determines whether MMS messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the roles in the role mask, then the message is processed.

Valid values are:

  • SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

Default value is SECROLE_KNOWN_PPG.

 

The following sample shows how to configure MMS policy.

<Settings Path="DeviceManagement/Policies/MMS">
    <Setting Name="MMSMessageRoles" Value=""/>
</Settings>

Service loading and service indication

Setting Description

ServiceLoadingRoles

Service Loading (SL) Message policy indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone.

Valid values are:

  • SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

Default value is SECROLE_KNOWN_PPG.

ServiceIndicationRoles

Service Indication (SI) Message policy indicates whether SI messages are accepted, by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services.

Valid values are:

  • SECROLE_KNOWN_PPG

  • SECROLE_ANY_PUSH_SOURCE

  • SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE

Default value is SECROLE_KNOWN_PPG.

 

The following sample shows how to configure service loading and service indication security policies.

<Settings Path="DeviceManagement/Policies/SISL">
    <Setting Name="ServiceLoadingRoles" Value=""/>
    <Setting Name="ServiceIndicationRoles" Value=""/>
</Settings>

Wireless Session Protocol (WSP)

Setting Description

WSPPushAllowed

WSP Push policy indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

Valid values are 0 (Routing of WSP notifications is not allowed) and 1 (Routing of WSP notifications is allowed)

Default value is 1.

 

The following sample shows how to configure WSP policy.

<Settings Path="DeviceManagement/Policies/WSP">
    <Setting Name="WSPPushAllowed" Value=""/>
</Settings>

 

 

Send comments about this topic to Microsoft