Security policy
OEMs can configure security policy settings for OMA Client Provisioning, MMS, Service Indication (SI), Service Loading (SL), and WAP push.
The following security policies are supported.
OMA Client Provisioning
Setting | Description |
---|---|
TrustedProvisioningServerRole |
Trusted Provisioning Server (TPS) policy indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role. Valid values are 0 (TPS role assignment is disabled) and 1 (TPS role assignment is enabled, and can be assigned to mobile operators). Default value is 1. |
MessageAuthenticationRetry |
Message Authentication Retry Number policy specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message. Valid value range is 0 through 256. Default value is 3. |
OTAProvisioningRoles |
OTA Provisioning policy determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in the NetwpinRoles, UserpinRoles, and UsernetwpinRoles policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client Provisioning messages are accepted by the device, if the UsernetwpinRoles policy is set to SECROLE_ANY_PUSH_SOURCE for a carrier-unlocked phone, this policy must also have the SECROLE_ANY_PUSH_SOURCE role set. Valid values are:
Default value is SECROLE_OPERATOR_TPS_OR _SECROLE_KNOWN_PPG. |
ProvisionMessageUserPrompt |
Network PIN Prompt policy specifies whether the device will prompt a UI to get the user confirmation before processing a pure network pin signed OTA Provisioning message. If prompt, the user has the ability to discard the OTA provisioning message. Valid values are 0 (the device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin) and 1 (no user prompt) Default value is 0. |
NetwpinRoles |
OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.
Warning
IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The Windows Phone OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. Valid values are:
|
UserpinRoles |
OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted. Valid values are: SECROLE_OPERATOR_TPS SECROLE_KNOWN_PPG SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG SECROLE_ANY_PUSH_SOURCE SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE |
UsernetwpinRoles |
OMA Client Provisioning User Network PIN policy determines whether the OMA user network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.
Warning
IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The Windows Phone OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. Valid values are:
|
The following sample shows how to configure OMA Client Provisioning security policies.
<Settings Path="DeviceManagement/Policies/OMACP">
<Setting Name="TrustedProvisioningServerRole" Value=""/>
<Setting Name="MessageAuthenticationRetry" Value=""/>
<Setting Name="OTAProvisioningRoles" Value=""/>
<Setting Name="ProvisionMessageUserPrompt" Value=""/>
<Setting Name="NetwpinRoles" Value=""/>
<Setting Name="UserpinRoles" Value=""/>
<Setting Name="UsernetwpinRoles" Value=""/>
</Settings>
MMS
Setting | Description |
---|---|
MMSMessageRoles |
Message Encryption Negotiation policy determines whether MMS messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the roles in the role mask, then the message is processed. Valid values are:
Default value is SECROLE_KNOWN_PPG. |
The following sample shows how to configure MMS policy.
<Settings Path="DeviceManagement/Policies/MMS">
<Setting Name="MMSMessageRoles" Value=""/>
</Settings>
Service loading and service indication
Setting | Description |
---|---|
ServiceLoadingRoles |
Service Loading (SL) Message policy indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone. Valid values are:
Default value is SECROLE_KNOWN_PPG. |
ServiceIndicationRoles |
Service Indication (SI) Message policy indicates whether SI messages are accepted, by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services. Valid values are:
Default value is SECROLE_KNOWN_PPG. |
The following sample shows how to configure service loading and service indication security policies.
<Settings Path="DeviceManagement/Policies/SISL">
<Setting Name="ServiceLoadingRoles" Value=""/>
<Setting Name="ServiceIndicationRoles" Value=""/>
</Settings>
Wireless Session Protocol (WSP)
Setting | Description |
---|---|
WSPPushAllowed |
WSP Push policy indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed. Valid values are 0 (Routing of WSP notifications is not allowed) and 1 (Routing of WSP notifications is allowed) Default value is 1. |
The following sample shows how to configure WSP policy.
<Settings Path="DeviceManagement/Policies/WSP">
<Setting Name="WSPPushAllowed" Value=""/>
</Settings>