SecurityPolicy DDF File

4/8/2010

This topic shows the Device Description Framework (DDF) file for the SecurityPolicy Configuration Service Provider. Open Mobile Alliance Device Management (OMA DM) DDF files and the example in this topic are used only for OMA DM provisioning.
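Most leaf nodes in the tree below are integers whose value is a role mask: one bit per SECROLE_* role, and a message is routed (or a CAB accepted) when it carries at least one role in the mask, so a mask of 0 blocks everything. The Python below is an added example, not code from this page or from Microsoft: it encodes and decodes those masks using the documented SECROLE_* values (which reproduce the defaults the descriptions list, such as 3200, 3072, 3732 and 140), applies the routing rule, and builds the OMA DM SyncML Replace command that provisions a leaf under ./Vendor/MSFT/SecurityPolicy, refusing the two things the DDF says will fail: a Replace on a Get-only node and 4107 mixed with 4141/4142/4143 in one document. The NODES subset, BASE_URI and the HARDENING settings are this example's own assumptions.

```python
"""Role-mask helpers and an OMA DM SyncML builder for the SecurityPolicy CSP.

Added example, not part of the DDF or of Microsoft's documentation. The
SECROLE_* values are the documented Windows Mobile role constants; they are
consistent with the default masks the DDF lists (3200, 3072, 3732, 140).
NODES, BASE_URI and HARDENING are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

SECROLE = {
    "SECROLE_OPERATOR": 4,
    "SECROLE_MANAGER": 8,
    "SECROLE_USER_AUTH": 16,
    "SECROLE_USER_UNAUTH": 64,
    "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_TRUSTED_PPG": 512,
    "SECROLE_PPG_AUTH": 1024,
    "SECROLE_PPG_TRUSTED": 2048,
}
KNOWN_BITS = sum(SECROLE.values())


def decode_mask(mask: int) -> list[str]:
    """Names of the roles set in a role mask, lowest bit first.

    Only roles named in this DDF are in the table; any other bit raises so an
    unexpected role is noticed instead of being silently dropped.
    """
    if mask < 0 or mask & ~KNOWN_BITS:
        raise ValueError(f"mask {mask} has bits outside the SECROLE_* table")
    return [name for name, bit in SECROLE.items() if mask & bit]


def encode_mask(*names: str) -> int:
    """Role mask for the given role names (KeyError on a typo, not a silent 0)."""
    return sum(SECROLE[name] for name in names)


def message_accepted(message_roles: int, policy_mask: int) -> bool:
    """Routing rule stated for 4107/4108/4109/4111: the message is processed if
    it carries at least one role in the policy mask; a mask of 0 blocks all."""
    return (message_roles & policy_mask) != 0


# Subset of the tree, transcribed by hand: policy id -> (DFFormat, Replace allowed)
NODES = {
    "4102": ("int", True),   # Unsigned Application Policy
    "4107": ("int", True),   # WAP-Signed Message Policy (deprecated in WM 6)
    "4122": ("int", True),   # Unsigned Prompt Policy
    "4124": ("int", True),   # Service Loading (SL) Security Policy
    "4140": ("chr", False),  # SMIME Encryption Algorithm Policy: Get only
}
BASE_URI = "./Vendor/MSFT/SecurityPolicy"        # DDF Path + root NodeName
OMACP_PIN_POLICIES = {"4141", "4142", "4143"}    # named in the 4107 description


def build_replace(settings: dict[str, int]) -> str:
    """SyncML <Replace> commands for each policy in `settings`.

    Refuses the two combinations the DDF says will fail: a Replace on a node
    whose AccessType is Get only, and 4107 mixed with 4141/4142/4143.
    """
    ids = set(settings)
    if "4107" in ids and ids & OMACP_PIN_POLICIES:
        raise ValueError("4107 cannot be provisioned together with 4141/4142/4143")
    for pid in ids:
        if not NODES[pid][1]:                    # KeyError: not in the subset above
            raise ValueError(f"policy {pid} is Get-only in the DDF; Replace would fail")
    syncml = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(syncml, "SyncBody")
    for cmd_id, (pid, value) in enumerate(sorted(settings.items()), start=1):
        rep = ET.SubElement(body, "Replace")
        ET.SubElement(rep, "CmdID").text = str(cmd_id)
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = f"{BASE_URI}/{pid}"
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = NODES[pid][0]
        ET.SubElement(meta, "Type", xmlns="syncml:metinf").text = "text/plain"
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(syncml, encoding="unicode")


# Example hardening set (assumption): no unsigned apps (4102=0), keep the
# unsigned-app prompt (4122=0), keep https/wsps for SL messages (4124=0).
HARDENING = {"4102": 0, "4122": 0, "4124": 0}

if __name__ == "__main__":
    print(decode_mask(3732))          # the 4111 default, as role names
    print(build_replace(HARDENING))
```

Run stand-alone it prints the 4111 default decoded into role names and the SyncML for the HARDENING set. Roles that no default in this DDF names are deliberately absent from the table, so a mask carrying such a bit raises rather than decoding to fewer roles than it holds; extend SECROLE before using the helpers against a device that reports them. The Format and Type in the Meta block mirror the node's DFFormat and DFType MIME, which is what an OMA DM server must send for these leaves.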

<MgmtTree xmlns:MSFT="https://schemas.microsoft.com/MobileDevice/DM">
    <VerDTD>1.2</VerDTD>
    <Node>
        <NodeName>SecurityPolicy</NodeName>
        <Path>./Vendor/MSFT</Path>
        <DFProperties>
            <AccessType>
                <Get />
            </AccessType>
            <DFFormat>
                <node />
            </DFFormat>
            <Occurrence>
                <One />
            </Occurrence>
            <Scope>
                <Permanent />
            </Scope>
            <MSFT:RWAccess>3</MSFT:RWAccess>
            <DFType>
                <DDFName></DDFName>
            </DFType>
        </DFProperties>
        <Node>
            <NodeName>2</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Autorun Policy

This security policy determines whether applications stored on a removable storage card are allowed to auto-run when inserted into the device. 

Possible Values:

1 -- Applications on a removable storage card are restricted from auto-running.

0 -- Applications on a removable storage card are allowed to auto-run.

Default Value: 0.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4097</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>RAPI Policy

This policy restricts access to the device using RAPI over ActiveSync.  

Possible Values:

0 -- All RAPI calls are disabled. 

1 -- All RAPI calls are allowed. 

2 -- RAPI is in restricted mode. RAPI calls are processed according to ActiveSync's security access role. ActiveSync's security role is SECROLE_USER_AUTH, and all resource requests are checked against this role mask before they are granted.

Default Value: 2</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4101</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Unsigned CABs Policy

This security policy determines whether Unsigned CABs can be installed on the device, and, if so, what role mask should be assigned to the CAB.

This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no unsigned CABs can be installed.

Default Value: 16 (SECROLE_USER_AUTH)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4102</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Unsigned Application Policy

This policy setting enforces whether unsigned applications are allowed to run on the device.

Possible Values:

0 -- Unsigned applications are NOT allowed to run on the device. 

1 -- Unsigned applications ARE allowed to run on the device.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4103</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Unsigned Themes Policy

This security policy determines whether theme files can be installed on the device, and if so, what role mask they will be installed with. Theme files are home screen cab files that are given more restricted access to the device resources by default.

This policy's value specifies a role mask.

Default Value: 64 (0x40, SECROLE_USER_UNAUTH)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4104</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Trusted Provisioning Server Policy

This policy setting determines whether a message can be assigned the SECROLE_OPERATOR_TPS role if the message has been deemed as coming from a TPS.

Possible Values:

0 -- Disable assigning SECROLE_OPERATOR_TPS role. 

1 -- Enable assigning TPS role.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4105</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Message Authentication Retry Policy

This policy setting defines the maximum allowed number of retry times for the user to authenticate a pin-signed WAP OTA provisioning message.

The minimum value is 1.  The maximum value is 256.  

Default Value: 3</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4107</NodeName>
            <DFProperties>
                <AccessType>
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>1</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>WAP-Signed Message Policy

This policy setting determines the set of allowed roles that an OTA Provisioning message must have in order to be routed for processing.

This policy's value specifies a role mask.  (If the message contains at least one of the roles in the role mask, then the message is routed.)

Default Value: 3200 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, SECROLE_OPERATOR_TPS)

This policy is deprecated in Windows Mobile 6. Use SECPOLICY_OMACPNETWPINMSG, SECPOLICY_OMACPUSERPINMSG and SECPOLICY_OMACPUSERNETWPINMSG instead. You cannot use the new security policies (4141, 4142, 4143) and 4107 in the same provisioning document. A query on policy 4107 will return an error.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4108</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Service Loading (SL) Message Policy

This policy setting determines whether SL messages are to be processed.  

This policy's value specifies a role mask.  (If a message contains at least one of the roles in the role mask, then the message is processed.)

Default Value: 2048 (SECROLE_PPG_TRUSTED)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4109</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Service Indication (SI) Message Policy

This policy setting determines whether SI messages are to be processed.  

This policy's value specifies a role mask.  (If a message contains at least one of the roles in the role mask, then the message is processed.)

Default Value: 3072 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4110</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Unauthenticated Message Policy

This policy setting determines the security role assigned to non WAP-signed messages.

This policy's value specifies a role mask.

Default Value: 64 (SECROLE_USER_UNAUTH)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4111</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>OTA Provisioning Policy

This policy setting determines which provisioning messages are accepted, based on the message's role(s). This policy is used to filter provisioning messages routed from the Push Router. This policy's value specifies a role mask.  (If a message contains at least one of the roles in the role mask, then the message is processed.)

Default Value: 3732 (SECROLE_OPERATOR_TPS, SECROLE_PPG_TRUSTED, SECROLE_PPG_AUTH, SECROLE_TRUSTED_PPG, SECROLE_USER_AUTH, SECROLE_OPERATOR)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4113</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>WSP Push Policy

This policy setting determines whether a WAP push message over WSP is allowed.

Possible Values:

0 -- WSP push source is blocked.

1 -- Routing of WSP push message is allowed.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4119</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Grant Manager Policy

This security policy permits mapping a particular role mask to the SECROLE_MANAGER role without having to modify the security role assigned to every setting in the Metabase accessible only to the manager role. This policy allows other roles to impersonate the SECROLE_MANAGER role. This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no roles can impersonate the SECROLE_MANAGER role.

Default Value: 128 (SECROLE_OPERATOR_TPS) for Windows Mobile Professional and Windows Mobile Standard; 16 (SECROLE_USER_AUTH) for all other devices</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4120</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Grant User Authenticated Policy

This security policy permits mapping a particular role mask to the SECROLE_USER_AUTH role without having to modify the security role assigned to every setting in the Metabase accessible to the SECROLE_USER_AUTH role. This policy allows other roles to impersonate the SECROLE_USER_AUTH role. This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no roles can impersonate the SECROLE_USER_AUTH role.

Default Value: 16 (SECROLE_USER_AUTH)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4121</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Trusted WAP Proxy Policy

This security policy specifies the level of permissions required to create, modify, and delete a trusted proxy using the PXLOGICAL Configuration Server Provider. This policy's value specifies a role mask.

Default Value: 140 (SECROLE_OPERATOR, SECROLE_OPERATOR_TPS, SECROLE_MANAGER)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4122</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Unsigned Prompt Policy

This policy setting determines whether a user will be prompted if an unsigned application is installed or executed.

Possible Values:

0 -- Enable user prompt for unsigned application.

1 -- Disable user prompt.

Default Value: 0</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4123</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Privileged Applications Policy

This security policy controls which security model is implemented on the device.

Possible Values:

0 -- 2-tier security is enabled. 

1 -- 1-tier security is enabled. Apps run privileged if they are allowed to run at all.

Default Value: 0 (for a device running Windows Mobile Standard); 1 (for a device running Windows Mobile Professional)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4124</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Service Loading (SL) Security Policy

This setting allows the operator to override https to use http, or wsps to use wsp.

Possible Values:

0 -- Use https or wsps.

1 -- Use http or wsp.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4125</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Signed Mail Policy

This policy is used in S/MIME, and indicates whether the Inbox application will send all messages signed. If messages are sent signed, this policy identifies which algorithm to use. 

Possible Values:

0 -- Messages are signed with the default algorithm (SHA-1).

1 -- Messages are not signed at all.

2 -- Messages are signed using the SHA-1 algorithm.

3 -- Messages are signed using the MD5 algorithm. 

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4126</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Encrypted Mail Policy

This policy is used in S/MIME, and indicates whether the Inbox application sends all messages encrypted. If messages are encrypted, it identifies the algorithm to use. 

Possible Values:

0 -- Messages are encrypted using the default algorithm (RC2).

1 -- Messages are not encrypted at all.

2 -- Messages are encrypted using 3DES.

3 -- Messages are encrypted using DES. 

4 -- Messages are encrypted using RC2_128. 

5 -- Messages are encrypted using RC2_64. 

6 -- Messages are encrypted using RC2_40. 

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4127</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Software Certificates Policy

This setting determines whether software certificates can be used to sign outgoing messages. 

Possible Values:

0 -- Software certificates cannot be used to sign messages. 

1 -- Software certificates can be used to sign messages.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4129</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>DRM Security Policy

This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message.

This policy's value specifies a role mask.

Default Value: 3072 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED)</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4131</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Password Required Policy

This policy indicates whether a password must be configured on the device. 

Possible Values:

0 -- A password is required.

Non-zero -- A password is not required. 

Default Value: 0</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4132</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>Network PIN Prompt Policy

This policy indicates whether or not to prompt the user to accept device setting changes from a provisioning message WAP-signed only with a network PIN.

Possible Values:

0 -- The device prompts the user for confirmation to accept changes to device settings. 

1 -- The user is not prompted.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4135</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>Bluetooth Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy specifies whether Bluetooth on the device can be set to a discoverable state.

Possible Values:

0 -- The device's Bluetooth cannot be set to discoverable status.

1 -- The device's Bluetooth can be set to discoverable status.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4136</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>HTML Message Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy specifies whether the device can accept HTML email messages.

Possible Values:

0 -- HTML message is disabled. Message is processed as plain text

1 -- HTML message is enabled

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4134</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>Encrypt Removable Storage Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This security policy determines whether removable storage is always encrypted, or whether the user can control the encryption in Settings.

Possible Values:

0 -- User cannot control the state of removable encryption from Settings.

1 -- User can control the state of removable encryption from Settings.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4138</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SMIME Encryption Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This security policy determines whether the Inbox app will send all messages encrypted.

Possible Values:

0 -- The encryption is enforced.

1 -- The encryption is optional.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4139</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SMIME Signing Algorithm Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy determines which algorithm the Inbox app will use when a message is to be signed. It uses the same value range specified for policy 4125. The algorithm specified by policy 4125 overrides this policy.

Possible Values:

0 -- Sign messages with the default algorithm

1 -- Invalid (Do NOT set the policy with this value)

2 -- Sign messages with SHA1

3 -- Sign messages with MD5

Default Value: 0

NOTE:

1. If policy 4125 or policy 4126 has a bad value specified, check whether policy 4139 or policy 4140 has a value set (other than None). If yes, use it; if not, use the default algorithm.
2. If policy 4139 or policy 4140 has a bad value specified, use the default algorithm.
3. If policy 4125 or policy 4126 has been provisioned with garbage values, we will force signing and/or encryption.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4140</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                </AccessType>
                <DFFormat>
                    <chr />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SMIME Encryption Algorithm Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy determines which algorithm the Inbox app will use when a message is to be encrypted. It uses the same value range specified for policy 4126. The algorithm specified by policy 4126 overrides this policy.

Possible Values:

0 -- Encrypt messages with the default algorithm

1 -- Invalid (Do NOT set the policy with this value)

2 -- Encrypt messages with 3DES

3 -- Encrypt messages with DES

4 -- Encrypt messages with 128-bit RC2

5 -- Encrypt messages with 64-bit RC2

6 -- Encrypt messages with 40-bit RC2

Default Value: 0

NOTE:

1. If policy 4125 or policy 4126 has a bad value specified, check whether policy 4139 or policy 4140 has a value set (other than None). If yes, use it; if not, use the default algorithm.
2. If policy 4139 or policy 4140 has a bad value specified, use the default algorithm.
3. If policy 4125 or policy 4126 has been provisioned with garbage values, we will force signing and/or encryption.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4137</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SMIME Signing Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This security policy determines whether the Inbox app will send all messages signed.

Possible Values:

0 -- The signing is enforced.

1 -- The signing is optional.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4141</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>OMA CP NETWPIN Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy setting determines whether an OMA CP NETWPIN-signed message can be accepted. The message's role mask is AND-ed with the policy's role mask. If the result is non-zero, the message is accepted.

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS

Note:
1. You cannot use policies 4141 and 4107 in the same provisioning document. The old security policy 4107 is deprecated.
2. The acceptable security roles for this policy are: SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, and SECROLE_OPERATOR_TPS.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4142</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>OMA CP USERPIN Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This setting determines whether an OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, the message is accepted.

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS

Note: The acceptable security roles for this policy are: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG, SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, and SECROLE_OPERATOR_TPS.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4143</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>OMA CP USERNETWPIN Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy setting determines whether an OMA Client Provisioning USERNETWPIN-signed message can be accepted. The message's role mask is AND-ed with the policy's role mask. If the result is non-zero, the message is accepted. WAP Signed Policy 4107 is deprecated.

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_OPERATOR_TPS

Note:
1. The acceptable security roles for this policy are: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG, SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, and SECROLE_OPERATOR_TPS.
2. You cannot use policies 4142 and 4107 in the same provisioning document. The old security policy 4107 is deprecated.</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4144</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SMIME Encryption Negotiation Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy allows or disallows "negotiating down" of encryption algorithms during SMIME message encryption. During SMIME encryption, the recipients' certificates are fetched. When a recipient's public certificate cannot be used to encrypt the message with the algorithm the sender would like, messaging checks this policy to decide the next action to take.

Possible Values:

0 -- Do not negotiate at all. Only send mail if the specified algorithm can be used.
In this case, negotiation to any other encryption algorithm is not allowed. If the message cannot be encrypted with the specified algorithm, sending fails.

1 -- Allow negotiation, but do not allow the use of encryption algorithms on the exclusion list.
In this case, any algorithm not mentioned on the exclusion list can be used for encryption.

2 -- Allow negotiation, and allow the use of encryption algorithms on the exclusion list.
In this case, any algorithm, including those mentioned on the exclusion list, can be used for encryption.

Default Value: 0</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4145</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                    <Replace />
                </AccessType>
                <DFFormat>
                    <int />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>SharePoint Access Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy enables or disables Outlook Mobile SharePoint/UNC access via the ActiveSync protocol to fetch documents.

Possible Values:

0 -- The device behaves as if the server does not support SharePoint/UNC file access.

1 -- Outlook Mobile has the ability to fetch documents on a corporate SharePoint site or UNC share via ActiveSync.

Default Value: 1</Description>
            </DFProperties>
        </Node>
        <Node>
            <NodeName>4146</NodeName>
            <DFProperties>
                <AccessType>
                    <Get />
                </AccessType>
                <DFFormat>
                    <chr />
                </DFFormat>
                <Occurrence>
                    <One />
                </Occurrence>
                <Scope>
                    <Permanent />
                </Scope>
                <MSFT:AccessRole>40</MSFT:AccessRole>
                <MSFT:RWAccess>3</MSFT:RWAccess>
                <DFTitle>Desktop Quick Connect Authentication Policy</DFTitle>
                <DFType>
                    <MIME>text/plain</MIME>
                </DFType>
                <Description>This policy specifies how the desktop should handle quick connect authentication.

Possible Values:

0 -- User must authenticate on the device upon connect, if device lock is active

1 -- User can authenticate through a shared secret on desktop

Default value: 1</Description>
            </DFProperties>
        </Node>
    </Node>
</MgmtTree>
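The precedence that the notes on policies 4139 and 4140 describe (a 4125/4126 value overrides, a bad override value falls back to 4139/4140 and forces signing or encryption, and a bad or unset fallback means the default algorithm), carried through as an added Python example that is not part of the DDF or of the configuration service provider. It assumes `None` stands for a policy that has not been set and that a value of 0 in the overriding policy is an ordinary valid value meaning "default algorithm"; which algorithm "default" is remains unspecified, as on the page.

```python
# Added example: resolve the effective S/MIME algorithm from the policy
# precedence described for SecurityPolicy nodes 4139 and 4140.
# Value tables come from the DDF descriptions; value 1 is documented as invalid
# and is therefore absent, so it is treated as a "bad value".
SIGNING_ALGS = {0: "default", 2: "SHA1", 3: "MD5"}
ENCRYPTION_ALGS = {0: "default", 2: "3DES", 3: "DES",
                   4: "RC2-128", 5: "RC2-64", 6: "RC2-40"}


def resolve_algorithm(override, fallback, table):
    """Return (algorithm_name, forced).

    override -- value of policy 4125 (signing) or 4126 (encryption); None = not set (assumption)
    fallback -- value of policy 4139 or 4140; None = not set ("None" in the DDF notes)
    forced   -- True when the override held a garbage value (DDF note 3)
    """
    forced = False
    if override is not None:
        if override in table:
            # The overriding policy wins whenever it carries a valid value.
            return table[override], forced
        # Note 1 / note 3: a bad override forces signing/encryption and
        # hands the algorithm choice to the fallback policy.
        forced = True
    if fallback is None or fallback not in table:
        # Note 1 (no fallback value set) and note 2 (bad fallback value):
        # use the default algorithm.
        return table[0], forced
    return table[fallback], forced


def effective_signing_algorithm(p4125=None, p4139=None):
    return resolve_algorithm(p4125, p4139, SIGNING_ALGS)


def effective_encryption_algorithm(p4126=None, p4140=None):
    return resolve_algorithm(p4126, p4140, ENCRYPTION_ALGS)


if __name__ == "__main__":
    # Constructed sample provisioning states, one per rule in the notes.
    print(effective_signing_algorithm(2, 3))        # valid override wins
    print(effective_signing_algorithm(1, 3))        # invalid override -> fallback, forced
    print(effective_signing_algorithm(1, None))     # invalid override, no fallback -> default
    print(effective_encryption_algorithm(None, 99)) # bad fallback -> default
```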

See Also

Reference

SecurityPolicy Configuration Service Provider