Security and Device Management


The following list shows how security policies and roles are used to manage devices.

Setting and description of usage:

Security Policies
    Use to configure security settings that are then enforced with the help of security roles and certificates.

    Security policies enforce security requirements for all over-the-air (OTA) data messages that a mobile device receives, including push messages.

    The policies use roles to determine whether a message is accepted and, if it is accepted, what level of access it is allowed.

    For the security policies that are used for Device Management, see Security Policies and Security Policy Settings.

Security Roles
    Use to allow or restrict access to Windows Mobile-based device resources. The security role is based on the message origin and on how the message is signed.

    You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE_OPERATOR and SECROLE_OPERATOR_TPS roles, use the decimal value 132 (4 + 128).

For general best practices, see Best Practices in Managing Devices.

General Security Best Practices

  • Use OMA DM whenever possible.
    When using OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.

    The exception for using OMA DM is when you bootstrap a device. You can use OMA Client Provisioning for bootstrapping after OTA bootstrap is enabled.

  • Set appropriate access for each configurable setting and establish what can be done with the setting if access has been granted.
    The following table shows the properties that you can use to manage Read/Write permission and access security roles for each configurable setting in a device:

    Property      Description
    access-role   Determines who can access the setting. Access roles determine which security roles are allowed to access a metabase entry.
    rw-access     Determines what can be done with the setting once access has been granted. It identifies the roles that have Read/Write access to the entry.

    For more information about these properties, see Metabase Configuration Service Provider.
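    The role-combination rule described under Security Roles above, and the access-role / rw-access masks in this table, both use the same additive role values. The following Python helper is an added example written for this page (it is not Microsoft's code and not part of any configuration service provider): it combines role names into a mask, decodes a mask back into role names while rejecting bits that do not correspond to a known role, and checks that every role granted Read/Write access through rw-access is also granted access through access-role. The role table contains only the two values the page gives (SECROLE_OPERATOR = 4, SECROLE_OPERATOR_TPS = 128); other roles would be added from the Security Roles topic. The rw-access-within-access-role consistency check is the editor's recommended sanity check, not a rule stated by the page.

```python
# Added example: role-mask helpers for Windows Mobile security policy values.
# Role values taken from the page. Each role is a distinct power of two, so
# "combining the decimal values" (4 + 128 = 132) is the same as a bitwise OR.
# Extend this table from the Security Roles topic; values below are the only
# ones documented on this page.
SECURITY_ROLES = {
    "SECROLE_OPERATOR": 4,
    "SECROLE_OPERATOR_TPS": 128,
}

# Union of all known role bits; anything outside it is not a valid role.
KNOWN_MASK = 0
for _value in SECURITY_ROLES.values():
    KNOWN_MASK |= _value


def combine_roles(*role_names):
    """Return the decimal role mask for the given role names.

    Uses OR rather than addition so that naming a role twice does not
    silently produce a mask that means something else.
    """
    mask = 0
    for name in role_names:
        if name not in SECURITY_ROLES:
            raise ValueError("unknown security role: %s" % name)
        mask |= SECURITY_ROLES[name]
    return mask


def decode_roles(mask):
    """Split a decimal role mask into the sorted list of role names it grants.

    Rejects masks containing bits that are not in the role table: a typo such
    as 133 instead of 132 would otherwise be accepted and grant nothing
    recognisable, or worse, a role the policy author did not intend.
    """
    if not isinstance(mask, int) or mask < 0:
        raise ValueError("role mask must be a non-negative integer")
    unknown_bits = mask & ~KNOWN_MASK
    if unknown_bits:
        raise ValueError(
            "role mask %d contains bits not in the role table: %d"
            % (mask, unknown_bits)
        )
    return sorted(name for name, value in SECURITY_ROLES.items() if mask & value)


def rw_access_within_access_role(access_role, rw_access):
    """Consistency check (editor's assumption, not a rule from the page).

    rw-access only matters once access-role has granted access, so a role
    that appears in rw-access but not in access-role is a grant that can
    never be exercised and usually signals a mis-typed mask.
    """
    decode_roles(access_role)  # validate both masks first
    decode_roles(rw_access)
    return (rw_access & ~access_role) == 0


if __name__ == "__main__":
    # Constructed sample: the page's own example, 4 + 128 = 132.
    mask = combine_roles("SECROLE_OPERATOR", "SECROLE_OPERATOR_TPS")
    print(mask, decode_roles(mask))
    # Constructed sample metabase entry: everyone with access may read,
    # only the operator TPS role may write.
    print(rw_access_within_access_role(access_role=132, rw_access=128))
    # A mis-typed rw-access that names a role not present in access-role.
    print(rw_access_within_access_role(access_role=4, rw_access=128))
```

    Run it as a script to see the page's 132 example decoded; in practice you would call `decode_roles` on every role value pulled out of a security policy or metabase XML document before deploying it, so that an unintended bit is caught by the tooling rather than by the device.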

  • Follow the security best practices for the DM protocol that you use.
    Follow the security best practices for the appropriate protocol:

See Also

Security | Security Roles | Security Policies


© 2006 Microsoft Corporation. All rights reserved.