

How to Change Security Policies

4/8/2010

Mobile Operators can change Security Policies after manufacture.

By following these steps, you will know how to:

  • Choose a method of delivery.
  • Query device policies before changing them.
  • Determine the settings that you want to make.
  • Create a provisioning XML file that queries the device settings.
  • Optionally package the XML file for delivery and sign the package file.
  • Deliver the provisioning XML file to the device.

The following list shows the tasks that you must perform to provision a device.

Step: If you have not already done so, decide on a method of delivery.
Topic: Deciding on a Method of Delivery

Step: If you have not already done so, query the device to determine the current policies and roles that are configured.

You should always query a device before changing the settings.

Topic: How to Query Security Policies

Step: Determine the settings or changes that you want to make.

There is a trade-off between application compatibility and device security. Although there are many policies, the following four policy options show the balance of compatibility and security.

  • Security OFF — no security checks are performed.
    For this level of security, you would set policy 4101 (Unsigned CAB) to 16 (allow USER_AUTH) and security policy 4102 (Unsigned Applications) to 1 (Enabled).
  • Prompt — The user is prompted when the source is unknown or is anonymous.
  • 3rdPartySigned — Third-party vendors that are identified through the Mobile-2-Market program are allowed access.
  • Locked — Only the OEM and Mobile Operator, or their licensed vendors, are allowed access.
    For this level of security, you would set policy 4101 (Unsigned CAB) to 0 (do not allow) and security policy 4102 (Unsigned Applications) to 0 (Disabled).

For details about each policy, see Security Policy Settings.

Topic: Selecting Security Configuration

Step: Create a provisioning XML file that uses the SecurityPolicy Configuration Service Provider to change device settings.

Topic: SecurityPolicy Configuration Service Provider

The following list shows some examples:

Step: Test that the provisioning XML changes a Windows Mobile device similar to the ones that you want to update.

Thoroughly test the security settings on the device.

Topic: N/A

Step: If you chose to deliver the XML file by using either a cabinet (.cab) or cabinet provisioning format (.cpf) file, you must do the following:

  • Package the XML file for delivery.
  • Sign the .cab or .cpf file.

Topic: Packaging the XML File for Delivery

Step: Deliver the provisioning XML file to the device. Typically, the file is installed upon delivery.

Topic: Delivering the Provisioning XML File to the Device
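
The query, change and test steps above can be scripted. The following is an added example, not code from the original page or from Microsoft: it builds the query and change documents for the SecurityPolicy Configuration Service Provider and reports which policies on a device differ from the chosen level. The function names, the `LEVELS` table and the sample response are constructed for illustration, and the shape of the query response (each `parm-query` answered by a `parm` carrying a value) is an assumption.

```python
import xml.etree.ElementTree as ET

# Policy IDs and values as given on this page for the two levels it spells out.
LEVELS = {
    "Security OFF": {"4101": "16", "4102": "1"},
    "Locked": {"4101": "0", "4102": "0"},
}

def _doc():
    """Start a provisioning document with a SecurityPolicy characteristic."""
    root = ET.Element("wap-provisioningdoc")
    return root, ET.SubElement(root, "characteristic", type="SecurityPolicy")

def query_xml(policy_ids):
    """Provisioning XML that reads the given policies without changing them."""
    root, ch = _doc()
    for pid in policy_ids:
        ET.SubElement(ch, "parm-query", name=pid)
    return ET.tostring(root, encoding="unicode")

def change_xml(level):
    """Provisioning XML that sets every policy listed for the chosen level."""
    root, ch = _doc()
    for pid, value in LEVELS[level].items():
        ET.SubElement(ch, "parm", name=pid, value=value)
    return ET.tostring(root, encoding="unicode")

def drift(response_xml, level):
    """Return {policy_id: (actual, expected)} for policies that differ from the level."""
    ch = ET.fromstring(response_xml).find("characteristic[@type='SecurityPolicy']")
    found = ch.findall("parm") if ch is not None else []
    actual = {p.get("name"): p.get("value") for p in found}
    return {pid: (actual.get(pid), want)
            for pid, want in LEVELS[level].items() if actual.get(pid) != want}

# Constructed query response from a device that is still at "Security OFF".
SAMPLE_RESPONSE = (
    '<wap-provisioningdoc><characteristic type="SecurityPolicy">'
    '<parm name="4101" value="16"/><parm name="4102" value="1"/>'
    '</characteristic></wap-provisioningdoc>')

if __name__ == "__main__":
    print(query_xml(LEVELS["Locked"]))       # step 2: query before changing
    print(drift(SAMPLE_RESPONSE, "Locked"))  # what the change will alter
    print(change_xml("Locked"))              # step 4: the change document
```

Running `drift` again on a fresh query response after delivery gives an empty result when the device matches the intended level, which is a quick check for the test step.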

See Also

Tasks

SecurityPolicy Configuration Service Provider Examples for OMA Client Provisioning

Reference

SecurityPolicy Configuration Service Provider

Concepts

Provisioning Security Settings
Setting the Grant Manager Policy

Other Resources

Security Policy Settings
SecurityPolicy Configuration Service Provider Examples for OMA DM