Setting the Grant Manager Policy
4/8/2010
You can use the Grant Manager Policy to grant system administrative privileges that are held by the Manager role to other security roles, without modifying metabase role assignments.
The Grant Manager policy (4119) is enforced by the Configuration Manager, and a Manager role is required to modify it.
The following list shows the possible values.
Value | Description
---|---
SECROLE_USER_AUTH | Gives system administrative privileges to the SECROLE_USER_AUTH mask.
SECROLE_NONE | Does not give system administrative privileges to any other role. Only the manager is granted the Manager role.
SECROLE_MANAGER | Only the manager is granted the Manager role.
SECROLE_ENTERPRISE | Adding the Enterprise role to Grant Manager enables Exchange and Microsoft System Center Mobile Device Manager (MDM) 2008 servers to manage all OS functionality on a device running Windows Mobile 6.1.
<any role mask> | System administrative privileges are given to the specified role mask.
The default value for this policy depends on the type of device. The following table shows the default values.
Form factor | Default value
---|---
Windows Mobile Professional | SECROLE_OPERATOR_TPS (Trusted Provisioning Server), SECROLE_ENTERPRISE
Windows Mobile Classic | SECROLE_USER_AUTH (User Authenticated), SECROLE_ENTERPRISE
Windows Mobile Standard | SECROLE_OPERATOR_TPS (Trusted Provisioning Server), SECROLE_ENTERPRISE
The following example shows how to change the security policy. In this example,
```xml
<characteristic type="SecurityPolicy">
  <!-- Grant Manager Policy to SECROLE_USER_AUTH -->
  <parm name="4119" value="16" />
</characteristic>
```
As shown in Security Policy Settings, the Grant Manager policy is 4119.
As shown in Security Roles, the value for User Authenticated is 16.
Best Practices
The recommended setting for the Grant Manager policy during bootstrap depends on the bootstrapping method.
Using a .cpf file to bootstrap
The Grant Manager policy should be set to SECROLE_NONE so that only a message that is already marked as Manager is treated as such. The following example shows how to change the Grant Manager policy to SECROLE_NONE:
```xml
<!-- Update the Grant Manager policy so that only a message that already carries the Manager role is processed as a manager message. -->
<characteristic type="SecurityPolicy">
  <parm name="4119" value="0"/>
</characteristic>
```
For more information, see Bootstrapping To Use a CPF File.
Using Remote API (RAPI) to bootstrap
The Grant Manager policy should be set to SECROLE_USER_AUTH to enable the device to accept RAPI messages that require Manager privileges. The permissions associated with this role are determined by the settings that the user requires access to when he or she is not the manager of the device. The following example shows how to change the Grant Manager policy to SECROLE_USER_AUTH:
```xml
<characteristic type="SecurityPolicy">
  <parm name="4119" value="16"/>
</characteristic>
<!-- other settings -->
```
For more information, see Enabling Remote API (RAPI) Bootstrapping.
Over-the-air (OTA) bootstrap using the OMA Client Provisioning protocol
The Grant Manager policy should be set to SECROLE_OPERATOR and SECROLE_OPERATOR_TPS. The following example shows how to change these settings:
```xml
<characteristic type="SecurityPolicy">
  <parm name="4119" value="132"/>
</characteristic>
```
For more information, see Enabling OTA Bootstrapping.
Bootstrap the device to use an OMA Device Management server remote OTA provisioning
After the device is bootstrapped, the Grant Manager policy should be set to SECROLE_MANAGER to enable the device to accept a configuration request sent OTA from the OMA DM server. The following example shows how to change the Grant Manager policy to SECROLE_MANAGER:
```xml
<characteristic type="SecurityPolicy">
  <parm name="4119" value="8"/>
</characteristic>
```
For more information, see Bootstrapping To Use An OMA DM Server.
Bootstrap the device to use an OMA Client Provisioning server
After the device is bootstrapped, the Grant Manager policy should be set to SECROLE_OPERATOR_TPS to enable the device to accept, from a WAP push gateway, a Trusted Provisioning Server URL for continuous provisioning. A message coming from the OMA Client Provisioning TPS is granted the Manager role after the device is bootstrapped. The following example shows how to change the Grant Manager policy to SECROLE_USER_AUTH:
```xml
<characteristic type="SecurityPolicy">
  <parm name="4119" value="16"/>
</characteristic>
<!-- other settings -->
```
For more information, see Bootstrapping To Use an OMA Client Provisioning Server.
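The following script is an added example, not part of the original documentation. It builds the SecurityPolicy characteristic used in the examples above for a chosen set of roles, decodes the 4119 value found in an existing provisioning fragment back into role names, and flags a setting that hands the Manager role to every user-authenticated message, so a reviewer can see which senders a device will treat as Manager. It uses the numeric values this page gives (0, 8, 16, 132) and assumes SECROLE_OPERATOR = 4 and SECROLE_OPERATOR_TPS = 128 from the Security Roles reference; SECROLE_ENTERPRISE is left out because its numeric value is not on this page.

```python
import xml.etree.ElementTree as ET
from functools import reduce
from operator import or_

GRANT_MANAGER_POLICY = "4119"

# Role bit values: 0, 8 and 16 (NONE, MANAGER, USER_AUTH) are the values used on this
# page; OPERATOR = 4 and OPERATOR_TPS = 128 are assumed from the Security Roles
# reference and sum to the page's 132. SECROLE_ENTERPRISE is omitted (value not given).
SECROLE = {
    "SECROLE_OPERATOR": 4,
    "SECROLE_MANAGER": 8,
    "SECROLE_USER_AUTH": 16,
    "SECROLE_OPERATOR_TPS": 128,
}

def grant_manager_value(*roles):
    """OR the named roles into the mask stored in policy 4119 (no roles -> SECROLE_NONE = 0)."""
    return reduce(or_, (SECROLE[r] for r in roles), 0)

def security_policy_xml(value):
    """Serialise the SecurityPolicy characteristic that sets policy 4119 to value."""
    char = ET.Element("characteristic", type="SecurityPolicy")
    ET.SubElement(char, "parm", name=GRANT_MANAGER_POLICY, value=str(value))
    return ET.tostring(char, encoding="unicode")

def decode_grant_manager(xml_text):
    """Return (roles granted Manager, unrecognised leftover bits) for policy 4119.
    Accepts a bare SecurityPolicy characteristic or a whole provisioning document."""
    root = ET.fromstring(xml_text)
    candidates = ([root] if root.tag == "characteristic" else []) + root.findall(".//characteristic")
    for char in candidates:
        if char.get("type") != "SecurityPolicy":
            continue
        for parm in char.findall("parm"):
            if parm.get("name") == GRANT_MANAGER_POLICY:
                value = int(parm.get("value"))
                roles = {name for name, bit in SECROLE.items() if value & bit}
                return roles, value & ~reduce(or_, SECROLE.values())
    raise ValueError("policy 4119 is not set in this fragment")

def audit(xml_text):
    """Flag settings that widen who is treated as Manager beyond the Manager role itself."""
    roles, leftover = decode_grant_manager(xml_text)
    findings = []
    if "SECROLE_USER_AUTH" in roles:
        findings.append("every user-authenticated message is treated as Manager")
    if leftover:
        findings.append(f"unrecognised role bits 0x{leftover:x}")
    return findings
```

Run `audit()` over each SecurityPolicy node of a provisioning file before it is pushed, and compare the decoded roles against the per-form-factor defaults listed above.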
Comments
One provisioning XML file typically contains configuration information for multiple Configuration Service Providers. To use this example, you must replace the values as appropriate, and add the node as a child of the OMA Client Provisioning file. For information about the syntax of this file, see OMA Client Provisioning Files. For examples, see OMA Client Provisioning XML File Examples.