

Provisioning XML Considerations when Changing Security Settings


Before you create a provisioning XML that will change Security Settings, you must take several things into consideration, including certificates and the level of access that you want to allow.

For information about Security policies that can be configured for Windows Mobile Version 5.0-based Smartphone and Pocket PC, see Security Policies and Security Policy Settings.

For considerations for provisioning XML that is not security related, see Provisioning XML Considerations.

Certificates

Do you want to allow unsigned .cab files to be installed on the device?

Yes or no. The Unsigned CABS Policy determines whether unsigned .cab files can be installed on the device.

For more information, see Security Policy Settings.

Do you want to allow unsigned programs or unsigned packages to run?

Yes or no. The Unsigned Applications Policy determines whether unsigned applications are allowed to run on a device, and the level of access assigned to them. In single-tier mode, every program that is allowed to run gets full access; in two-tier mode, only programs signed with a privileged certificate get full access.

For more information, see Security Policy Settings.

If yes, consider the following:

  • Do you want user confirmation before installing or running unsigned programs?

    The Unsigned Prompt Policy configures whether the user is prompted to accept or reject unsigned cab, theme, .dll, and .exe files.

    For more information, see Security Policy Settings.

Ensure that you have the appropriate signing certificates.

You may need two signing certificates. It is highly recommended that you install at least one privileged and one unprivileged certificate.

Know the base64-encoded certificates used on the device. The device uses this information to verify that an application is signed with a privileged certificate before allowing it access to device system files and APIs.

Note   The root certificate used for SSL is generally not required, because the root certificates of all well-known Certification Authorities (CAs) are already in the root store.

The following table shows common questions about certificates.

Consideration: Which certificates are needed on the device?
Description: OEMs, Mobile Operators, and ISVs use certificates to sign applications and files that run on Windows Mobile-based Pocket PCs and Smartphones. All OEMs and mobile operators currently include the Mobile2Market unprivileged certificates on the devices they ship. Most OEMs and mobile operators also include the Mobile2Market privileged certificates. For information about the certificates that are included in the device, see Signing an Application or Cabinet File for Release to the Public.

Consideration: How are certificates installed and removed in the ROM?
Description: Only trusted processes can install certificates. Therefore, the device manager (the OEM or Mobile Operator) must set up a developer program that can be used to install certificates if the Mobile2Market certificates are not available.

Do you want your Windows Mobile-based Smartphone to have greater flexibility in how applications are allowed to run on the device?

The Privileged Application policy specifies which security model, one tier or two tier, is implemented on the device.

Note   This policy applies only to Windows Mobile-based Smartphones.

The following table describes the two security models.

Security model: One tier
Description: Distinguishes between signed and unsigned applications. Applications are either allowed to run or not allowed to run; every application that runs has full access.

Security model: Two tier
Description: Distinguishes between Trusted and Normal applications:
  • Signed applications running Trusted can access every aspect of the device.
  • Signed applications running Normal cannot access some registry keys and some system APIs.

For more information about security models, see Windows Mobile-based Device Security Model.

Security Policies and Roles

Security roles determine access to Windows Mobile-based device resources. The security role is based on the message origin and how the message is signed.

For information about security roles, see Security Roles.

Consider the following before changing security policies or roles. You may need to use this information when creating the provisioning XML file to change policies or roles.

Who should have the role of device manager?

The Manager role allows unrestricted access to system resources. If the device is bootstrapped to allow OMA over-the-air (OTA) client provisioning, the Trusted Provisioning Server (TPS) has the Manager role.

You can use the Grant Manager Policy to grant system administrative privileges (Manager role) to other security roles without modifying metabase role assignments. For more information, see Security Policy Settings.

Note   The Metabase Configuration Service Provider is set to the Manager role by default. Changing this role could elevate privileges, making the metabase less secure.

Who should have the role of authenticated user?   

You can use the Grant User Authenticated Policy to grant authenticated user privileges to other security roles. For more information, see Security Policy Settings.

What level of permission do you want to require for creating, modifying, and deleting a trusted proxy?

The Trusted WAP Proxy Policy specifies the level of permission required to create, modify, or delete a trusted proxy.

WAP proxies are configured using the PXLOGICAL characteristic inside a WAP provisioning document. A WAP proxy is trusted when the TRUST parm is present inside that PXLOGICAL characteristic.

For more information, see Security Policy Settings.
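The following script is an added example, not code from this page or from Microsoft. It pulls together the Certificates questions above (whether unsigned applications may run, and whether the user is prompted) and the role and proxy considerations in this section: it builds a WAP provisioning document with a SecurityPolicy characteristic and a PXLOGICAL proxy, then audits the document before it is pushed. The policy IDs, the role mask bits, the meaning of the policy values (1 = allowed, 0 = prompt) and the proxy names and addresses are all assumptions made for illustration and must be checked against Security Policy Settings and Security Roles; the XML element and parm names (wap-provisioningdoc, characteristic, parm, PXLOGICAL, PXPHYSICAL, TRUST) follow OMA Client Provisioning.

```python
"""Build and audit an OMA Client Provisioning (WAP provisioning XML) document
that changes Windows Mobile security policies and adds a WAP proxy.
Added example, not Microsoft's code.

The policy IDs, role mask bits and value meanings below are ASSUMED for
illustration: confirm every one against the Security Policy Settings and
Security Roles topics before sending such a document to a device.
"""
import xml.etree.ElementTree as ET

# ASSUMED policy IDs, used as <parm name="..."> under the SecurityPolicy characteristic.
POLICY = {
    "UnsignedApps":    "4102",  # assumed: 1 = unsigned code may run, 0 = blocked
    "GrantManager":    "4119",  # assumed: role mask that also receives the Manager role
    "GrantUserAuth":   "4120",  # assumed: role mask that also receives Authenticated User
    "TrustedWapProxy": "4121",  # assumed: roles allowed to create/modify/delete a trusted proxy
    "UnsignedPrompt":  "4122",  # assumed: 0 = prompt the user, 1 = no prompt
}

# ASSUMED security-role mask bits (the real values are in the Security Roles topic).
ROLE = {
    "MANAGER":      0x0008,
    "USER_AUTH":    0x0010,
    "USER_UNAUTH":  0x0020,
    "OPERATOR_TPS": 0x1000,
}


def security_policy(settings):
    """Return <characteristic type="SecurityPolicy"> with one <parm> per policy.

    settings maps a POLICY key to the integer value to set."""
    node = ET.Element("characteristic", type="SecurityPolicy")
    for name, value in settings.items():
        ET.SubElement(node, "parm", name=POLICY[name], value=str(value))
    return node


def logical_proxy(proxy_id, name, address, trusted):
    """Return a PXLOGICAL characteristic; the TRUST parm marks the proxy trusted."""
    node = ET.Element("characteristic", type="PXLOGICAL")
    ET.SubElement(node, "parm", name="PROXY-ID", value=proxy_id)
    ET.SubElement(node, "parm", name="NAME", value=name)
    if trusted:
        ET.SubElement(node, "parm", name="TRUST")  # presence alone marks it trusted
    phys = ET.SubElement(node, "characteristic", type="PXPHYSICAL")
    ET.SubElement(phys, "parm", name="PHYSICAL-PROXY-ID", value=proxy_id + "-PHYS")
    ET.SubElement(phys, "parm", name="PXADDR", value=address)
    ET.SubElement(phys, "parm", name="PXADDRTYPE", value="IPV4")
    return node


def provisioning_doc(*characteristics):
    """Wrap the characteristics in <wap-provisioningdoc> and serialise to a string."""
    root = ET.Element("wap-provisioningdoc")
    root.extend(characteristics)
    return ET.tostring(root, encoding="unicode")


def audit(doc_xml):
    """Return the findings a device manager should review before pushing doc_xml."""
    root = ET.fromstring(doc_xml)
    findings = []
    values = {}
    for parm in root.iterfind("./characteristic[@type='SecurityPolicy']/parm"):
        values[parm.get("name")] = int(parm.get("value", "0"))

    # Grant Manager widens who gets unrestricted access: flag any user role in the mask.
    grant = values.get(POLICY["GrantManager"], 0)
    if grant & (ROLE["USER_UNAUTH"] | ROLE["USER_AUTH"]):
        findings.append("GrantManager hands the Manager role to user roles; "
                        "any message or program in those roles gets unrestricted access")
    # Unsigned code allowed AND no prompt means it runs without the user ever seeing it.
    if values.get(POLICY["UnsignedApps"]) == 1 and values.get(POLICY["UnsignedPrompt"]) == 1:
        findings.append("UnsignedApps=1 with UnsignedPrompt=1: unsigned code runs "
                        "without asking the user")
    # A TRUST parm inside PXLOGICAL creates a trusted proxy; the Trusted WAP Proxy
    # policy decides who may do that, so call it out explicitly.
    for px in root.iterfind("./characteristic[@type='PXLOGICAL']"):
        if px.find("parm[@name='TRUST']") is not None:
            name = px.find("parm[@name='NAME']").get("value")
            findings.append(f"PXLOGICAL {name} carries TRUST and becomes a trusted proxy")
    return findings


# Constructed samples (assumed names and address): a risky document that grants Manager
# to unauthenticated users, runs unsigned code silently and adds a trusted proxy,
# beside a tightened one that keeps Manager with the TPS and prompts the user.
RISKY = provisioning_doc(
    security_policy({"GrantManager": ROLE["OPERATOR_TPS"] | ROLE["USER_UNAUTH"],
                     "UnsignedApps": 1, "UnsignedPrompt": 1}),
    logical_proxy("PROXY1", "example-gateway", "10.0.0.1", trusted=True),
)
TIGHT = provisioning_doc(
    security_policy({"GrantManager": ROLE["OPERATOR_TPS"],
                     "UnsignedApps": 1, "UnsignedPrompt": 0}),
    logical_proxy("PROXY1", "example-gateway", "10.0.0.1", trusted=False),
)

if __name__ == "__main__":
    print(RISKY)
    for finding in audit(RISKY):
        print("RISKY:", finding)
    print("TIGHT:", audit(TIGHT) or "no findings")
```

The audit is deliberately a pre-push review aid rather than an enforcement point: the device applies whatever the Manager-role sender provisions, so the place to catch an over-broad Grant Manager mask or a silently trusted proxy is before the document leaves the TPS.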

Do you want applications to automatically run from an MMC card?

The Auto Run policy identifies whether applications stored on a multimedia card (MMC) will automatically run when inserted into a device.

For more information, see Security Policy Settings.

Do you want to identify which DRM rights messages are accepted on a Windows Mobile-based Pocket PC device?

The DRM Security Policy identifies which DRM rights messages are accepted by the DRM engine, based on the role assigned to the message. DRM5 is required for all Windows Mobile-based Pocket PC devices and is used by Microsoft Reader and other applications to authenticate DRM5-secured content. File-Based Digital Rights Management (FDRM) describes a systematic approach to protecting digital content in files such as audio, video, and image files.

The default policy limits the messages processed by the FDRM engine and requires that rights are sent from a source trusted or authorized by a network's trusted push gateway.

For more information, see Security Policy Settings.

Do you want to set the maximum number of times a user is allowed to try a WAP user PIN-signed OTA provisioning message?

The Message Authentication Retry Number Policy identifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) OMA Client Provisioning user PIN-signed message.

For more information, see Security Policy Settings.

Do you want to limit OTA OMA Client Provisioning messages based on the security roles assigned to the message?

The OTA Provisioning Policy identifies which OTA OMA Client Provisioning messages the push router sends to the configuration host, based on the roles assigned to the messages. The Configuration Host is the component responsible for loading and unloading Configuration Manager.

For more information, see Security Policy Settings.

Which policies are relevant for themes and ring tones?

The security policies in Windows Mobile-based Smartphone allow only the manager of the phone to make changes to the configuration and installed software, including sound files such as ring tones.

The Unsigned Themes policy indicates whether theme files can be installed on a device. The theme files are used for processing Home screens.

Unsigned Prompt policy indicates whether a user is prompted to accept or reject unsigned files such as themes.

For more information about these policies, see Security Policy Settings.

See Also

Security Policy Settings | Setting a Security Policy Example | Default Security Policy Settings for Windows Mobile-Based Devices | How To Change Security Policies


© 2006 Microsoft Corporation. All rights reserved.