Security Policy Settings


The possible configuration settings for the security policies, including the policy ID, default value, and roles, are listed in the following table.

Policy Setting Policy ID Description
Auto Run Policy (Policy ID 2): This setting indicates whether applications stored on a Multimedia Card (MMC) are allowed to auto-run when inserted into the device.

Default value is 0 for Windows Mobile-based Pocket PC. The value is not set for Windows Mobile-based Smartphone.

The following list shows the possible values:

  • 0 indicates that applications are allowed to run automatically.
  • 1 indicates that applications are restricted from running automatically.

The required role to modify this policy is SECROLE_MANAGER.

DRM Security Policy (Policy ID 4129): This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message.

Default value is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED.

Grant Manager Policy (Policy ID 4119): This setting grants the system administrative privileges held by SECROLE_MANAGER to other security roles, without modifying metabase role assignments.

The configuration manager enforces the Grant Manager policy.

Default value is SECROLE_OPERATOR_TPS for Windows Mobile-based Pocket PC Phone Edition and SECROLE_USER_AUTH for Pocket PC Premium and Standard. Default value is SECROLE_OPERATOR_TPS for Windows Mobile-based Smartphone.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates system administrative privileges are given to the SECROLE_USER_AUTH mask.
  • SECROLE_NONE indicates that only the manager is granted the Manager role.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Grant User Authenticated Policy (Policy ID 4120): This setting grants privileges held by SECROLE_USER_AUTH to other security roles without modifying metabase role assignments.

Default value is SECROLE_USER_AUTH for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that no additional administrative privileges are given.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

Configuration Manager enforces the Grant User Authenticated policy.

The required role to modify this policy is SECROLE_USER_AUTH.

Message Authentication Retry Number Policy (Policy ID 4105): This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Default value is 3 for Windows Mobile-based Pocket PC and Smartphone. Possible values are 1 through 256.

The required role to modify this policy is SECROLE_MANAGER.

OTA Provisioning Policy (Policy ID 4111): This setting specifies which provisioning messages are accepted by the configuration host based on the roles assigned to the messages. This policy limits the provisioning messages that come from the push router. For more information about the configuration host, see Data from Push Router.

Default value is SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH for Windows Mobile-based Pocket PC and Smartphone.

A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Privileged Applications Policy (Policy ID 4123): This setting specifies which security model is implemented on the device.
Note   This policy applies only to Windows Mobile-based Smartphones.

Default value is 1 for Windows Mobile-based Pocket PC. The default value is 0 for Windows Mobile-based Smartphone. If the value is not set in the registry, the behavior is the same as setting it to 0.

The following list shows the possible values:

  • 0 indicates that a two-tier device configuration is enabled.
  • 1 indicates that a one-tier device configuration is enabled.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.

For information about how the one-tier and two-tier device configurations affect applications, see Windows Mobile-based Device Security Model.

RAPI Policy (Policy ID 4097): This setting restricts the access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations on Windows Mobile-based devices.

Default value is 2 for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • 0 indicates that the ActiveSync service is shut down. RAPI calls are rejected.
  • 1 indicates full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
  • 2 indicates that access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted.

The required role to modify this policy is SECROLE_MANAGER.

Service Indication (SI) Message Policy (Policy ID 4109): This setting indicates whether SI messages are accepted. An SI message is sent to the Windows Mobile-based Smartphone to notify users of new services, service updates, and provisioning services.

You specify the security roles that can accept SI messages as a role mask.

Default value is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED for Windows Mobile-based Pocket PC and Smartphone.

The required role to modify this policy is SECROLE_MANAGER.

Service Loading (SL) Message Policy (Policy ID 4108): This setting indicates whether SL messages are accepted. An SL message downloads new services or provisioning XML to the Windows Mobile-based device.

You specify the security roles that can accept SL messages as a role mask.

Default value is SECROLE_PPG_TRUSTED for Windows Mobile-based Pocket PC and Smartphone.

The required role to modify this policy is SECROLE_MANAGER.

SL Security Policy (Policy ID 4124): This setting allows the operator to override https with http, or wsps with wsp, for SL message downloads.

The following list shows the possible values:

  • 0 indicates that https or wsps is used.
  • 1 indicates that http or wsp is used.

Default value is 1.

The required role to modify this policy is SECROLE_MANAGER.

Trusted Provisioning Server (TPS) Policy (Policy ID 4104): This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role.

Default value is 1 for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • 0 indicates that TPS role assignment is disabled.
  • 1 indicates that TPS role assignment is enabled, so the TPS role can be assigned to mobile operators.

The required role to modify this policy is SECROLE_MANAGER.

Trusted WAP Proxy Policy (Policy ID 4121): This setting specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parameter is specified in the PXLOGICAL characteristic element.

You specify the security roles that can have Trusted WAP Proxy level permissions as a role mask.

Default value is SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER for Windows Mobile-based Pocket PC and Smartphone.

The required role to modify this policy is SECROLE_MANAGER.

Unauthenticated Message Policy (Policy ID 4110): This setting indicates whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin. The message source must have one of the security roles specified by this policy.

You specify, as a role mask, the security roles from which unsigned messages will be accepted.

Default value is SECROLE_USER_UNAUTH for Windows Mobile-based Pocket PC and Smartphone.

The required role to modify this policy is SECROLE_MANAGER.

Unsigned Applications Policy (Policy ID 4102): This setting indicates whether unsigned applications are allowed to run on Windows Mobile-based devices. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is treated as unsigned.

Default value is 1 for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • 0 indicates that unsigned applications are not allowed to run on the device.
  • 1 indicates that unsigned applications are allowed to run on the device.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.

Unsigned CABS Policy (Policy ID 4101): This setting indicates whether unsigned .cab files can be installed on the device. On the Windows Mobile-based Smartphone, accepted unsigned .cab files are installed with the role mask specified by the policy value.

For Windows Mobile-based Smartphone, if a signed .cab file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is treated as unsigned.

Note   CAB Provisioning Format files (files with a .cpf extension) are processed the same as .cab files. However, .cpf files are processed in silent mode, so the user is not prompted for any options or decisions. For example, if a security requirement is not met, such as when the .cpf file is unsigned, processing fails instead of prompting the user.

Default value is SECROLE_USER_AUTH for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that unsigned .cab files will be installed under the SECROLE_USER_AUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned .cab files can be installed.
  • A specified role mask indicates accepted unsigned .cab files are installed with the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Unsigned Prompt Policy (Policy ID 4122): This setting indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files.

Default value is 0 for Windows Mobile-based Pocket PC and Smartphone. If the value is not set in the registry, the behavior is the same as setting it to 0.

The following list shows the possible values:

  • 0 indicates that the user will be prompted.
  • 1 indicates that the user will not be prompted.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.

Unsigned Themes Policy (Policy ID 4103): This setting indicates whether theme files can be installed on the device. Theme files are used for processing homescreens. Accepted unsigned theme files are installed with the role mask specified by the policy value.

For Windows Mobile-based devices, if a signed theme file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is treated as unsigned.

Default value is SECROLE_USER_UNAUTH for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • SECROLE_USER_UNAUTH indicates that unsigned theme files will be installed under the SECROLE_USER_UNAUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned theme files can be installed.
  • A specified role mask indicates accepted unsigned theme files are installed with the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

WAP Signed Message Policy (Policy ID 4107): This setting indicates whether a WAP signed message is accepted, based on whether the role assigned to the message matches any of the roles specified in the policy setting. Every message is assigned a role mask based on its security level and origin. The bitwise AND of the message role mask with the policy role mask determines how the message is processed: if the result is non-zero, the message is accepted.

Default value is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS for Windows Mobile-based Pocket PC and Smartphone.

The required role to modify this policy is SECROLE_MANAGER.
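The AND test described for policies 4107 and 4110, together with the Grant Manager policy (ID 4119) that widens which roles hold SECROLE_MANAGER's administrative privileges, as an added example that is not part of the original page. The SECROLE_* bit values are constructed placeholders, not the SDK's constants; the role-mask defaults are the ones quoted on this page.

```python
# Added example, not Microsoft's code: a small model of how the role-mask
# policies on this page are evaluated. The SECROLE_* bit values are
# constructed for illustration; they are not the SDK's real constants.

ROLE_BITS = {
    "SECROLE_NONE": 0x0000,
    "SECROLE_MANAGER": 0x0001,
    "SECROLE_USER_AUTH": 0x0002,
    "SECROLE_USER_UNAUTH": 0x0004,
    "SECROLE_PPG_AUTH": 0x0008,
    "SECROLE_PPG_TRUSTED": 0x0010,
    "SECROLE_OPERATOR": 0x0020,
    "SECROLE_OPERATOR_TPS": 0x0040,
    "SECROLE_ENTERPRISE": 0x0080,
}


def parse_role_mask(text):
    """Parse a mask written the way this page writes it ("A | B | C") into bits.
    A bare "0" means no bits set; an unknown role name raises KeyError."""
    mask = 0
    for name in text.split("|"):
        name = name.strip()
        if name != "0":
            mask |= ROLE_BITS[name]
    return mask


def message_accepted(policy_mask, message_role_mask):
    """Policy 4107/4110 rule: AND the message's role mask with the policy's
    role mask; a non-zero result means the message is accepted."""
    return (policy_mask & message_role_mask) != 0


def can_modify_policy(required_role, caller_roles, grant_manager_mask):
    """A caller may change a policy if it holds the required role, or if the
    required role is SECROLE_MANAGER and policy 4119 (Grant Manager) has
    granted manager privileges to one of the caller's roles."""
    if caller_roles & required_role:
        return True
    is_manager_req = required_role == ROLE_BITS["SECROLE_MANAGER"]
    return is_manager_req and (caller_roles & grant_manager_mask) != 0


# Defaults quoted from the page (Grant Manager: Pocket PC Phone Edition).
WAP_SIGNED_DEFAULT = parse_role_mask(
    "SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS")
UNAUTH_MSG_DEFAULT = parse_role_mask("SECROLE_USER_UNAUTH")
GRANT_MANAGER_DEFAULT = parse_role_mask("SECROLE_OPERATOR_TPS")
```

With these defaults a signed message carrying the SECROLE_PPG_TRUSTED role passes policy 4107, an unsigned message from SECROLE_USER_UNAUTH passes only policy 4110, and a caller holding SECROLE_OPERATOR_TPS can change a SECROLE_MANAGER-gated policy because the Grant Manager default includes that role.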

WSP Push Policy (Policy ID 4113): This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

Default value is 1 for Windows Mobile-based Pocket PC and Smartphone.

The following list shows the possible values:

  • 0 indicates that routing of WSP notifications is not allowed.
  • 1 indicates that routing of WSP notifications is allowed.

The required role to modify this policy is SECROLE_MANAGER.

Applies to Windows Mobile 5.0 AKU2.0 (build number 14847) and later

The following table shows the additional policy settings that apply to AKU2.

Policy Setting Policy ID Description
Signed Mail Policy (Policy ID 4125): This policy is used in S/MIME. It indicates whether the Inbox application will send all messages signed. If messages are sent signed, this policy identifies which algorithm to use.

The following list shows the possible values:

  • 0 indicates that messages are signed with the default algorithm (SHA-1).
  • 1 indicates that messages are not signed.
  • 2 indicates that messages are signed using the SHA-1 algorithm.
  • 3 indicates that messages are signed using the MD5 algorithm.

The default value is 1.

The required role to modify this policy is SECROLE_MANAGER.

Encrypted Mail Policy (Policy ID 4126): This policy is used in S/MIME. It indicates whether the Inbox application sends all messages encrypted. If messages are encrypted, it identifies the algorithm to use.

The following list shows the possible values:

  • 0 indicates that messages are encrypted using the default encryption algorithm, which is RC2.
  • 1 indicates that messages are not encrypted.
  • 2 indicates that messages are encrypted using 3DES.
  • 3 indicates that messages are encrypted using DES.
  • 4 indicates that messages are encrypted using RC2_128.
  • 5 indicates that messages are encrypted using RC2_64.
  • 6 indicates that messages are encrypted using RC2_40.

The default value is 1.

The required role to modify this policy is SECROLE_MANAGER.

Software Certificates Policy (Policy ID 4127): This setting determines whether software certificates can be used to sign outgoing messages. You can use this security policy with a tool that you create to allow people to import certificates.

The following list shows the possible values:

  • 0 indicates that software certificates cannot be used to sign messages.
  • 1 indicates that software certificates can be used to sign messages.

The default value is 1.

Password Required Policy (Policy ID 4131): This policy indicates whether a password must be configured on the device.

The following list shows the possible values:

  • 0 indicates that a password is required.
  • A value other than 0 indicates that a password is not required.

The default value is zero (0). The associated registry key does not exist by default.

The required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

Desktop Unlock Policy (Policy ID 4133): This policy indicates how the desktop must handle authentication when the device is locked.

The following list shows the possible values:

  • 0 indicates that the user must authenticate on the device if it is locked when connected.
  • 1 indicates that the user can authenticate by entering the PIN on the desktop.

The default value is 1.

The required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

In Windows Mobile 5.0 AKU2 and later, operators and administrators can enable a local wipe policy when a user has entered an incorrect password too many times.

See Also

Security Roles | Security Policies | Windows Mobile-based Device Security Model


© 2006 Microsoft Corporation. All rights reserved.