Security Policy Settings

4/8/2010

The possible configuration settings for the security policies, including the policy ID, default value, and roles, are listed below. Each entry opens with the policy ID, the policy setting name, and its constant, followed by the description.

Policy 2: Auto Run Policy (SECPOLICY_CFAUTORUN)

This setting indicates whether applications stored on a Multimedia Card (MMC) are allowed to auto-run when inserted into the device.

Default value is 0 for Windows Mobile Professional. The value is not set for Windows Mobile Standard.

The following list shows the possible values:

  • 0 indicates that applications are allowed to run automatically
  • 1 indicates that applications are restricted from running automatically

The required role to modify this policy is SECROLE_MANAGER.

Policy 4097: RAPI Policy (SECPOLICY_RAPI)

This setting restricts the access of remote applications that are using Remote API (RAPI) to implement ActiveSync operations on Windows Mobile devices.

Default value is 2 for Windows Mobile.

The following list shows the possible values:

  • 0 indicates that the ActiveSync service is shut down. RAPI calls are rejected.
  • 1 indicates that full access to ActiveSync is provided. RAPI calls are processed without restriction.
  • 2 indicates that access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4101: Unsigned CABS Policy (SECPOLICY_UNSIGNEDCABS)

This setting indicates whether unsigned .cab files can be installed on the device. On Windows Mobile Standard, accepted unsigned .cab files are installed with the role mask specified by the policy value.

For Windows Mobile Standard, if a signed .cab file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is unsigned.

You should always use SECPOLICY_UNSIGNEDCABS together with SECPOLICY_UNSIGNEDAPPS. This means that when you block unsigned applications from running, you should also block unsigned .cab files from being installed.

> [!NOTE]
> CAB Provisioning Format files (files with a .cpf extension) are processed the same as .cab files when the files are signed. However, when a .cpf file is unsigned, the loader processes it in silent mode, which means that the user does not get a prompt asking whether to proceed with loading the unsigned file. In this case, the loading process fails.

Default value is SECROLE_USER_AUTH for Windows Mobile.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that unsigned .cab files will be installed under the SECROLE_USER_AUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned .cab files can be installed.
  • A specified role mask indicates accepted unsigned .cab files are installed with the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4102: Unsigned Applications Policy (SECPOLICY_UNSIGNEDAPPS)

This setting indicates whether unsigned applications are allowed to run on Windows Mobile devices. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authorities certificate store, the application is unsigned.

You should always use SECPOLICY_UNSIGNEDCABS together with SECPOLICY_UNSIGNEDAPPS. This means that when you block unsigned applications from running, you should also block unsigned .cab files from being installed on the device.

Default value is 1 for Windows Mobile.

The following list shows the possible values:

  • 0 indicates that unsigned applications are not allowed to run on the device.
  • 1 indicates that unsigned applications are allowed to run on the device.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4103: Unsigned Themes Policy (SECPOLICY_UNSIGNEDTHEMES)

This setting indicates whether theme files can be installed on the device. Theme files are used for processing home screens. Accepted unsigned theme files are installed with the role mask specified by the policy value.

For Windows Mobile devices, if a signed theme file does not have a matching root certificate in the Software Publisher Certificate (SPC) store, the file is unsigned.

Default value is SECROLE_USER_UNAUTH for Windows Mobile.

The following list shows the possible values:

  • SECROLE_USER_UNAUTH indicates that unsigned theme files will be installed under the SECROLE_USER_UNAUTH role.
  • 0 is equivalent to having none of the role mask bits set, and means that no unsigned Theme files can be installed.
  • A specified role mask indicates accepted unsigned Theme files are installed with the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4104: Trusted Provisioning Server (TPS) Policy (SECPOLICY_TPSCARRIERROLE)

This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) role.

Default value is 1 for Windows Mobile.

The following list shows the possible values:

  • 0 indicates that TPS role assignment is disabled.
  • 1 indicates that TPS role assignment is enabled, so the TPS role can be assigned to mobile operators.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4105: Message Authentication Retry Number Policy (SECPOLICY_MAXAUTHENTICATIONRETRY)

This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Default value is 3 for Windows Mobile. Possible values are 1 through 256.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4107: WAP Signed Message Policy (SECPOLICY_WAPSIGNEDMSG)

This policy has been deprecated. Use SECPOLICY_OMACPNETWPINMSG (4141), SECPOLICY_OMACPUSERPINMSG (4142), and SECPOLICY_OMACPUSERNETWPINMSG (4143) instead. While this policy is still supported, you cannot query the value of policy 4107.

> [!NOTE]
> You cannot use the new security policies (4141, 4142, 4143) and 4107 in the same provisioning document.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4108: Service Loading (SL) Message Policy (SECPOLICY_SL_MESSAGE)

This setting indicates whether SL messages are accepted. An SL message downloads new services or provisioning XML to the Windows Mobile device.

You specify the security roles that can accept SL messages as a role mask.

Default value is SECROLE_PPG_TRUSTED for Windows Mobile.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4109: Service Indication (SI) Message Policy (SECPOLICY_SI_MESSAGE)

This setting indicates whether SI messages are accepted. An SI message is sent to Windows Mobile Standard to notify users of new services, service updates, and provisioning services.

You specify the security roles that can accept SI messages as a role mask.

Default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED for Windows Mobile.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4110: Unauthenticated Message Policy (SECPOLICY_UNAUTHMESSAGES)

This setting indicates whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin. The message source must have one of the security roles specified by this policy.

You specify, as a role mask, the security roles from which unsigned messages are accepted.

Default value is SECROLE_USER_UNAUTH for Windows Mobile.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4111: OTA Provisioning Policy (SECPOLICY_OTAPROVISIONING)

This setting specifies which provisioning messages are accepted by the configuration host based on the roles assigned to the messages. This policy limits the provisioning messages that come from the push router.

The default is SECROLE_OPERATOR_TPS | SECROLE_PPG_TRUSTED | SECROLE_PPG_AUTH | SECROLE_TRUSTED_PPG | SECROLE_USER_AUTH | SECROLE_OPERATOR for Windows Mobile.

A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4113: WSP Push Policy (SECPOLICY_WSPNOTIFICATIONS)

This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

Default value is 1 for Windows Mobile.

The following list shows the possible values:

  • 0 indicates that routing of WSP notifications is not allowed.
  • 1 indicates that routing of WSP notifications is allowed.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4119: Grant Manager Policy (SECPOLICY_GRANTMANAGER)

This setting grants the system administrative privileges held by SECROLE_MANAGER to other security roles, without modifying metabase role assignments.

The configuration manager enforces the Grant Manager policy.

Default value is SECROLE_OPERATOR_TPS for Windows Mobile Professional, SECROLE_USER_AUTH for Windows Mobile Classic, and SECROLE_OPERATOR_TPS for Windows Mobile Standard.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates system administrative privileges are given to the SECROLE_USER_AUTH mask.
  • SECROLE_NONE indicates that only the manager is granted the Manager role.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4120: Grant User Authenticated Policy (SECPOLICY_GRANTUSERAUTH)

This setting grants privileges held by SECROLE_USER_AUTH to other security roles without modifying metabase role assignments.

Default value is SECROLE_USER_AUTH for Windows Mobile.

The following list shows the possible values:

  • SECROLE_USER_AUTH indicates that no additional administrative privileges are given.
  • A specified role mask indicates system administrative privileges are given to the role mask specified.

Configuration Manager enforces the Grant User Authenticated policy.

The required role to modify this policy is SECROLE_MANAGER.
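How the role-mask policies compose, as an added example that is not part of the original page or of Microsoft's code: the RAPI policy (4097), the message policies (4108 to 4111) and the grant policies (4119 and 4120) all test a source's roles against a mask. The SECROLE_* bit values are constructed for illustration; only the role names and the quoted defaults come from the page.

```python
# Added example (not from the page or from Microsoft): how the role-mask policies
# compose. Policy 4097 (RAPI), the message policies 4108-4111 and the grant
# policies 4119/4120 all check a source's roles against a mask. The SECROLE_* bit
# values are constructed for illustration; only the role names come from the page.
from enum import IntFlag


class Role(IntFlag):
    NONE = 0
    OPERATOR_TPS = 1 << 0     # constructed bit values from here on
    OPERATOR = 1 << 1
    MANAGER = 1 << 2
    ENTERPRISE = 1 << 3
    PPG_AUTH = 1 << 4
    PPG_TRUSTED = 1 << 5
    USER_AUTH = 1 << 6
    USER_UNAUTH = 1 << 7
    KNOWN_PPG = 1 << 8
    TRUSTED_PPG = 1 << 9
    ANY_PUSH_SOURCE = 1 << 10


# Defaults quoted from the page (Grant Manager: Windows Mobile Professional default).
DEFAULTS = {
    "SECPOLICY_SL_MESSAGE": Role.PPG_TRUSTED,
    "SECPOLICY_SI_MESSAGE": Role.PPG_AUTH | Role.PPG_TRUSTED,
    "SECPOLICY_UNAUTHMESSAGES": Role.USER_UNAUTH,
    "SECPOLICY_GRANTMANAGER": Role.OPERATOR_TPS,
    "SECPOLICY_GRANTUSERAUTH": Role.USER_AUTH,
}


def message_accepted(policy_mask, source_roles):
    """A push message is accepted when its source holds at least one role in the mask."""
    return bool(Role(policy_mask) & Role(source_roles))


def rapi_call_allowed(rapi_policy, caller_roles):
    """SECPOLICY_RAPI: 0 rejects all calls, 1 allows all, 2 requires SECROLE_USER_AUTH."""
    if rapi_policy == 0:
        return False
    if rapi_policy == 1:
        return True
    if rapi_policy == 2:
        return bool(Role(caller_roles) & Role.USER_AUTH)
    raise ValueError(f"unknown SECPOLICY_RAPI value {rapi_policy}")


def effective_roles(source_roles, policies=DEFAULTS):
    """Expand a source's roles with 4119 and 4120: a source holding any role in the
    Grant Manager mask gains SECROLE_MANAGER, and any role in the Grant User
    Authenticated mask gains SECROLE_USER_AUTH, without changing metabase roles."""
    roles = Role(source_roles)
    if roles & policies["SECPOLICY_GRANTMANAGER"]:
        roles |= Role.MANAGER
    if roles & policies["SECPOLICY_GRANTUSERAUTH"]:
        roles |= Role.USER_AUTH
    return roles


def can_modify_policy(source_roles, policies=DEFAULTS):
    """Every policy on the page requires SECROLE_MANAGER to modify (some also accept
    SECROLE_ENTERPRISE); this checks the Manager path after grant expansion."""
    return bool(effective_roles(source_roles, policies) & Role.MANAGER)
```

Widening the Grant Manager mask is the setting to watch: any source holding a role in that mask can modify every policy on this page.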

Policy 4121: Trusted WAP Proxy Policy (SECPOLICY_TRUSTED_WAP_PROXY)

This setting specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parameter is specified in the PXLOGICAL characteristic element.

You specify the security roles that can have Trusted WAP Proxy level permissions as a role mask.

Default value is SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER for Windows Mobile.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4122: Unsigned Prompt Policy (SECPOLICY_UNSIGNEDPROMPT)

This setting indicates whether a user is prompted to accept or reject unsigned .cab, theme, .dll and .exe files.

Default value is 0 for Windows Mobile. If the value is not set in the registry, then the behavior is the same as setting it to 0.

The following list shows the possible values:

  • 0 indicates that the user is prompted.
  • 1 indicates that the user is not prompted.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.
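Decision logic for the unsigned-code policies 4101, 4102, 4103 and 4122 as the page describes them, as an added example that is not part of the original page or of Microsoft's code. The SECROLE_* numeric values are constructed for illustration; the policy IDs, defaults, the "any value other than 1 is treated as 0" rule and the unsigned .cpf behaviour are from the page.

```python
# Added example (not from the page or from Microsoft): decision logic for the
# unsigned-code policies 4101, 4102, 4103 and 4122 as the page describes them.
# Role bit values are constructed for illustration; only the names are on the page.
SECROLE_NONE = 0
SECROLE_USER_AUTH = 0x80        # constructed value
SECROLE_USER_UNAUTH = 0x100     # constructed value

SECPOLICY_UNSIGNEDCABS = 4101
SECPOLICY_UNSIGNEDAPPS = 4102
SECPOLICY_UNSIGNEDTHEMES = 4103
SECPOLICY_UNSIGNEDPROMPT = 4122

# Defaults quoted from the page.
DEFAULTS = {
    SECPOLICY_UNSIGNEDCABS: SECROLE_USER_AUTH,
    SECPOLICY_UNSIGNEDAPPS: 1,
    SECPOLICY_UNSIGNEDTHEMES: SECROLE_USER_UNAUTH,
    SECPOLICY_UNSIGNEDPROMPT: 0,
}


def as_flag(value):
    """4102 and 4122: an unset value behaves as 0, and any value other than 1 is treated as 0."""
    return 1 if value == 1 else 0


def unsigned_decision(kind, policies):
    """Outcome for an unsigned file of kind 'cab', 'cpf', 'theme' or 'app'.

    Returns (outcome, role_mask); outcome is 'blocked', 'prompt', 'silent' or 'fails',
    and role_mask is the mask an installed .cab or theme runs under (0 otherwise).
    """
    p = {**DEFAULTS, **policies}
    user_prompted = as_flag(p[SECPOLICY_UNSIGNEDPROMPT]) == 0
    if kind == "cpf":
        # Unsigned .cpf files are processed silently and the load then fails (page note).
        return "fails", SECROLE_NONE
    if kind == "app":
        if as_flag(p[SECPOLICY_UNSIGNEDAPPS]) == 0:
            return "blocked", SECROLE_NONE
        return ("prompt" if user_prompted else "silent"), SECROLE_NONE
    mask = p[SECPOLICY_UNSIGNEDCABS if kind == "cab" else SECPOLICY_UNSIGNEDTHEMES]
    if mask == SECROLE_NONE:
        # No role bits set: no unsigned file of this kind can be installed.
        return "blocked", SECROLE_NONE
    return ("prompt" if user_prompted else "silent"), mask


def lint(policies):
    """Flag the combination the page warns against: unsigned applications blocked (4102 = 0)
    while unsigned .cab files can still be installed (4101 has role bits set)."""
    p = {**DEFAULTS, **policies}
    findings = []
    if as_flag(p[SECPOLICY_UNSIGNEDAPPS]) == 0 and p[SECPOLICY_UNSIGNEDCABS] != SECROLE_NONE:
        findings.append("4102 blocks unsigned applications but 4101 still installs unsigned .cab files")
    if as_flag(p[SECPOLICY_UNSIGNEDPROMPT]) == 1:
        findings.append("4122 suppresses the prompt for unsigned .cab, theme, .dll and .exe files")
    return findings
```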

Policy 4123: Privileged Applications Policy (SECPOLICY_PRIVILEGEDAPPS)

This setting specifies which security model is implemented on the device.

> [!NOTE]
> This policy applies only to Windows Mobile Standard.

Default value is 1 for Windows Mobile Professional. The default value is 0 for Windows Mobile Standard. If the value is not set in the registry, then the behavior is the same as setting it to 0.

The following list shows the possible values:

  • 0 indicates that a two-tier security model is enabled.
  • 1 indicates that a one-tier security model is enabled.
  • Any value other than 1 is treated as 0.

The required role to modify this policy is SECROLE_MANAGER.

For information about how the one-tier and two-tier security models affect applications, see Windows Mobile Device Security Model.

Policy 4124: SL Security Policy (SECPOLICY_SLSECUREDOWNLOAD)

This setting allows the operator to override https with http, or wsps with wsp.

The following list shows the possible values:

  • 0 indicates that https or wsps is used.
  • 1 indicates that http or wsp is used.

Default value is 1.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4125: Signed Mail Policy (SECPOLICY_USESIGN)

This policy has been deprecated. Use SECPOLICY_SMIMESIGNING (4137) and SECPOLICY_SMIMESIGNINGALGORITHM (4139) instead.

Policy 4126: Encrypted Message Policy (SECPOLICY_USEENCRYPT)

This setting has been deprecated. Use SECPOLICY_SMIMEENCRYPTION (4138) and SECPOLICY_SMIMEENCRYPTIONALGORITHM (4140) instead.

Policy 4127: Software Certificates Policy (SECPOLICY_SOFTCERTS)

This setting determines whether an outbound message that is sent over Secure/Multipurpose Internet Mail Extensions (S/MIME) can be signed with a software certificate. You can use this security policy with a tool that you create to allow people to import certificates.

The following list shows the possible values:

  • 0 indicates that software certificates cannot be used to sign messages.
  • 1 indicates that software certificates can be used to sign messages.

The default value is 1.

Policy 4129: DRM Security Policy (SECPOLICY_DRM_WAPRIGHTS)

This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message.

Default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED.

Policy 4131: Password Required Policy (SECPOLICY_LASS_PWD_REQUIRED)

This policy indicates whether a password must be configured on the device.

The following list shows the possible values:

  • 0 indicates that a password is required.
  • A value other than 0 indicates that a password is not required.

The default value is zero (0). The associated registry key does not exist by default.

The required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

Policy 4132: Network PIN Prompt Policy (SECPOLICY_WAP_NETWPIN_PROMPT)

This setting is used when the over-the-air (OTA) OMA Client Provisioning message is signed with only a network personal identification number (PIN). It indicates whether or not to prompt the user to accept device setting changes.

The following list shows the possible values:

  • 0 indicates that the device prompts the user for confirmation to accept changes to device settings.
  • 1 indicates that the user is not prompted.

The default value is 1.

The required role to modify this policy is SECROLE_MANAGER.

Policy 4133: Desktop Unlock (SECPOLICY_LASS_DESKTOP)

This policy has been deprecated. Use SECPOLICY_LASS_DESKTOP_QUICK_CONNECT (4146) instead.

Policy 4134: Encrypt Removable Storage Policy (SECPOLICY_MENCRYPT_REMOVABLE)

This setting specifies whether the user is allowed to change the mobile encryption settings for removable storage media.

The default setting is 1.

  • 0 (POLICYVAL_MENCRYPT_REMOVABLE_NO_USER) indicates that the user is not allowed to change the encryption settings.
  • 1 (POLICYVAL_MENCRYPT_REMOVABLE_USER_ALLOW) indicates that the user can change the encryption settings.

The required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

Policy 4135: Bluetooth Policy (SECPOLICY_BLUETOOTH)

This setting specifies whether a Bluetooth-enabled device allows other devices to discover it by performing a search.

  • 0 (POLICYVAL_BLUETOOTH_VISIBLE_BLOCKED) blocks other devices from searching.
  • 1 (POLICYVAL_BLUETOOTH_VISIBLE_ALLOWED) allows other devices to search.

Policy 4136: HTML Message Policy (SECPOLICY_HTML_MESSAGE)

This setting specifies whether message transports will allow HTML messages.

  • 0 (POLICYVAL_HTML_MESSAGE_DISABLED) indicates that HTML messages are not allowed.
  • 1 (POLICYVAL_HTML_MESSAGE_ENABLED) indicates that HTML messages are allowed.

Policy 4137: SMIME Signing Policy (SECPOLICY_SMIMESIGNING)

This setting specifies whether the Inbox application will send all messages signed.

  • 0 (POLICYVAL_SMIMESIGNING_FORCED) indicates that all messages must be signed.
  • 1 (POLICYVAL_SMIMESIGNING_OPTIONAL) indicates that signing messages is optional.

Policy 4138: SMIME Encryption Policy (SECPOLICY_SMIMEENCRYPTION)

This setting specifies whether the Inbox application will send all messages encrypted.

  • 0 (POLICYVAL_SMIMEENCRYPTION_FORCED) indicates that all messages must be encrypted.
  • 1 (POLICYVAL_SMIMEENCRYPTION_OPTIONAL) indicates that encrypting messages is optional.

Policy 4139: SMIME Signing Algorithm Policy (SECPOLICY_SMIMESIGNINGALGORITHM)

This setting specifies which algorithm to use to sign a message.

  • 0 (POLICYVAL_SMIMESIGNINGALGORITHM_DEFAULT) specifies the default algorithm.
  • 1 is an invalid value. Do not use this value.
  • 2 (POLICYVAL_SMIMESIGNINGALGORITHM_SHA_1) specifies the SHA-1 algorithm.
  • 3 (POLICYVAL_SMIMESIGNINGALGORITHM_MD5) specifies the MD5 algorithm.

Policy 4140: SMIME Encryption Algorithm Policy (SECPOLICY_SMIMEENCRYPTIONALGORITHM)

This setting specifies which algorithm to use to encrypt a message.

  • 0 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_DEFAULT) specifies the default algorithm.
  • 1 is an invalid value. Do not use this value.
  • 2 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_3DES) specifies the triple DES algorithm.
  • 3 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_DES) specifies the DES algorithm.
  • 4 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_128) specifies the RC2 128-bit algorithm.
  • 5 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_64) specifies the RC2 64-bit algorithm.
  • 6 (POLICYVAL_SMIMEENCRYPTIONALGORITHM_RC2_40) specifies the RC2 40-bit algorithm.

Policy 4141: OMA CP Network PIN Policy (SECPOLICY_OMACPNETWPINMSG)

This setting determines whether an OMA CP message signed with a network PIN is accepted for processing. A message that is accepted for processing is still subject to network PIN signing authentication. If the authentication fails, the message is dropped.

The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS.

You can also use the following security roles:

  • SECROLE_KNOWN_PPG
  • SECROLE_TRUSTED_PPG
  • SECROLE_ANY_PUSH_SOURCE

You cannot use any role other than those specified above; otherwise the request fails.

The required role to modify this policy is SECROLE_MANAGER.

> [!NOTE]
> You cannot use 4141 and 4107 in the same provisioning document. The old security policy 4107 is deprecated.

Policy 4142: OMA CP User PIN Policy (SECPOLICY_OMACPUSERPINMSG)

This setting determines whether an OMA CP message signed with a user PIN or MAC is accepted for processing. A message that is accepted for processing is still subject to user PIN or MAC signing authentication. If the authentication fails, the message is dropped.

The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS.

You can also use the following security roles:

  • SECROLE_TRUSTED_PPG
  • SECROLE_ANY_PUSH_SOURCE
  • SECROLE_KNOWN_PPG

You cannot use any role other than those specified above; otherwise the request fails.

The required role to modify this policy is SECROLE_MANAGER.

> [!NOTE]
> You cannot use 4142 and 4107 in the same provisioning document. The old security policy 4107 is deprecated.

Policy 4143: OMA CP User Network PIN Policy (SECPOLICY_OMACPUSERNETWPINMSG)

This setting determines whether an OMA CP message signed with a user network PIN is accepted for processing. A message that is accepted for processing is still subject to user network PIN signing authentication. If the authentication fails, the message is dropped.

The default is SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS.

You can also use the following security roles:

  • SECROLE_KNOWN_PPG
  • SECROLE_TRUSTED_PPG
  • SECROLE_ANY_PUSH_SOURCE

You cannot use any role other than those specified above; otherwise the request fails.

The required role to modify this policy is SECROLE_MANAGER.

> [!NOTE]
> You cannot use 4143 and 4107 in the same provisioning document. The old security policy 4107 is deprecated.

Policy 4144: Message Encryption Negotiation Policy (SECPOLICY_SMIMEENCRYPTIONNEGOTIATION)

This setting specifies whether the Inbox application can negotiate the encryption algorithm in case a recipient's certificate does not support the specified encryption algorithm.

  • 0 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_NONE) does not allow negotiation.
  • 1 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_ALLOWSTRONG) allows negotiation to a strong algorithm.
  • 2 (POLICYVAL_SMIMEENCRYPTIONNEGOTIATION_ALLOWALL) allows negotiation to any algorithm.

Policy 4145: SharePoint Access Policy (SECPOLICY_SHAREPOINTUNCPROTOCOLACCESS)

This setting enables or disables Outlook Mobile access to documents on SharePoint sites or UNC shares through the ActiveSync protocol.

  • 0 (POLICYVAL_SHAREPOINTUNCPROTOCOLACCESS_DISALLOW) does not allow SharePoint or UNC file access.
  • 1 (POLICYVAL_SHAREPOINTUNCPROTOCOLACCESS_ALLOW) allows Outlook Mobile to get documents on a corporate SharePoint site or UNC.

Policy 4146: Desktop Quick Connect Authentication Policy (SECPOLICY_LASS_DESKTOP_QUICK_CONNECT)

This setting specifies how device authentication is handled when connecting to the desktop.

  • 0 (POLICYVAL_LASS_DESKTOP_QUICK_CONNECT_DISALLOWED) indicates that the user must authenticate on the device upon connection if the device lock is active.
  • 1 (POLICYVAL_LASS_DESKTOP_QUICK_CONNECT_ALLOWED) indicates that if the user chooses quick connect, the desktop uniquely identifies the device and allows it to connect without requiring the user to manually unlock the device.

See Also

Concepts

Security Roles
Security Policies
Windows Mobile Device Security Model

Other Resources

RAPI Restricted Mode Security