Partager via


Security and Managing Devices

4/8/2010

The following list shows how security policies and roles are used to manage devices.

Settings Description of usage

Security Policies

Use to configure security settings that are then enforced with the help of security roles and certificates.

Security policies enforce security requirements for all OTA data messages that a mobile device receives, including push messages.

The policies use roles to determine whether or not a message is accepted, and if it is accepted, what level of access it is allowed.

For the security policies that are used for Device Management, see Security Policies and Security Policy Settings.

Security Roles

Use to allow or restrict access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed.

You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE_OPERATOR and SECROLE_OPERATOR_TPS roles, use the decimal value 132 (4+128)

For general best practices, see Best Practices in Managing Devices.

General Security Best Practices

  • Use OMA DM whenever possible
    When using OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.

    The exception for using OMA DM is when you bootstrap a device. You can use OMA Client Provisioning for bootstrapping after OTA bootstrap is enabled.

  • Set appropriate access
    Set appropriate access for each configurable setting and establish what can be done with the setting if access has been granted. The following table shows the properties that you can use to manage Read/Write permission and access security roles for each configurable setting in a device:

    Property Description

    access-role

    Determines who can access the setting. Access roles determine which security roles are allowed to access a metabase entry.

    rw-access

    Determines what can be done with the setting once access has been granted. It is used to identify the roles that have Read/Write access to the entry.

    For more information about these properties, see Metabase Configuration Service Provider.

  • Follow the best practices for the protocol you use
    Follow the security best practices for OMA Client Provisioning and for OMA Device Management

In This Section

  • ** Wiping a Device **
    Describes how to clear flash memory locally and remotely.

See Also

Other Resources

Security for Windows Mobile Devices
Security Roles
Security Policies