Enabling Remote API (RAPI) Bootstrapping

  • Article

4/8/2010

The Remote API Security policy is set to RESTRICTED by default. Under this policy the device will only receive RAPI messages that are assigned the AuthenticatedUser role (SECROLE_USER_AUTH). By default the AuthenticatedUser role does not have MANAGER privileges. With this default setting, you cannot make all of the configuration changes required to bootstrap the device. For example, you cannot change security settings.

To enable bootstrapping by using RAPI you must first give MANAGER privileges to the AuthenticatedUser role. After bootstrapping the device you must then remove those privileges to ensure that subsequent RAPI messages will not have unrestricted access to the device.

In this procedure, you will provision the device. For information about the provisioning file syntax for different OMA Client Provisioning versions, see OMA Client Provisioning Files.

To enable RAPI bootstrapping

  1. Before shipping, the OEM must add the SECROLE_USER_AUTH role to the Grant Manager policy.

    This enables the device to accept RAPI messages that require MANAGER privileges. If needed, the OEM can provision the device with this setting after manufacture as described in How to Change Security Policies. The following example shows how to change the GRANT MANAGER policy to add SECROLE_USER_AUTH. The OEM would include this in the provisioning XML file that uses the SecurityPolicy Configuration Service Provider.

    <wap-provisioningdoc>
   <characteristic type="SecurityPolicy">
   <parm name="4119" value="144">
   </characteristic>
   <!-- other settings -->
</wap-provisioningdoc>

  2. After you receive the device, you must do the following:

    • Use the desktop configuration tool (rapiconfig.exe) to bootstrap the device over ActiveSync.
      For more information; see RapiConfig.exe.

  • At the end of your bootstrap message change the Grant Manager policy to remove SECROLE_USER_AUTH. This ensures that subsequent RAPI messages will not have MANAGER privileges.
    The following XML example shows how to change the Grant MANAGER policy to remove SSECROLE_USER_AUTH after the device has been bootstrapped.

    <wap-provisioningdoc>
   <characteristic type="SecurityPolicy">
      <parm name="4119" value="128">
   </characteristic>
   <!-- other settings -->
</wap-provisioningdoc>

See Also

Concepts

Bootstrapping a Device
Provisioning From a Desktop Computer Using Remote API and ActiveSync

Other Resources

Security Roles
Security Policies