Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

Security Policy settings define levels of security and whether Windows Mobile devices are configurable over the air (OTA). For information about setting security policies, see Security Policies.

Because the bootstrap process provides configuration data to Windows Mobile devices, it is important that the server initiating the bootstrap process is authenticated. To provide more secure provisioning, Windows Mobile devices rely on one of the following:

The security roles of the DM server account are the same as the bootstrap message unless they are explicitly set by using Role parameters.

Note:
The DM server account cannot have more roles than those of the bootstrap message, and it cannot configure a role that it doesn't have.

The security roles for the DM server are assigned as follows:

For an OTA WAP push bootstrap that is initiated by a mobile operator, the message is signed with a user PIN and a network PIN known only by the mobile operator and the device. For example, the network PIN for Global System for Mobile Communications (GSM) is the International Mobile Subscriber Identity (IMSI) number from the device's Subscriber Identity Module (SIM) card. For more information about how the device authenticates an OTA push provisioning message that is signed through one of the four methods defined in the OMA Provisioning Bootstrap Specification Version 1.1, see Security Policies and Security Roles.

Note:
OTA bootstrapping is disabled by default in Windows Mobile devices. For more information, see Enabling OTA Bootstrapping.
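
The device-side check described above, as an added example that is not Microsoft's code: a receiver recomputes the HMAC-SHA1 that the OMA bootstrap methods attach to the provisioning body and fails closed on any mismatch, malformed input, or when OTA bootstrapping is left at its default (off). The function names, the key ordering used for USERNETWPIN, and all sample bytes are assumptions constructed for this illustration.

```python
import hashlib
import hmac

# SEC values for three of the four methods in the OMA bootstrap specification.
NETWPIN, USERPIN, USERNETWPIN = 0, 1, 2


def bootstrap_key(sec, network_key=b"", user_pin=""):
    """Select the shared secret for the SEC method named in the push headers."""
    if user_pin and not user_pin.isdigit():
        raise ValueError("user PIN must be decimal digits")
    pin = user_pin.encode("ascii")
    if sec == NETWPIN and network_key:
        return network_key
    if sec == USERPIN and pin:
        return pin
    if sec == USERNETWPIN and network_key and pin:
        return network_key + pin  # assumed order: network secret, then PIN
    raise ValueError("unsupported SEC method or missing secret")


def verify_bootstrap(body, sec, mac_hex, network_key=b"", user_pin="",
                     ota_enabled=False):
    """Return True only if the message MAC matches the device-side secret."""
    if not ota_enabled:  # OTA bootstrapping is disabled by default
        return False
    try:
        key = bootstrap_key(sec, network_key, user_pin)
        received = bytes.fromhex(mac_hex)
    except ValueError:
        return False  # fail closed on malformed MAC, PIN, or SEC value
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return hmac.compare_digest(expected, received)  # constant-time compare


# Constructed sample data, not taken from a real device or operator.
SAMPLE_BODY = bytes.fromhex("030b6a00454601c6")  # placeholder WBXML bytes
SAMPLE_NETWORK_KEY = bytes.fromhex("2943051234567890")
SAMPLE_PIN = "1234"


def sample_mac(sec):
    """MAC a legitimate sender would attach; used only to build test input."""
    key = bootstrap_key(sec, SAMPLE_NETWORK_KEY, SAMPLE_PIN)
    return hmac.new(key, SAMPLE_BODY, hashlib.sha1).hexdigest().upper()
```
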

When a business uses a .cab file for bootstrapping a corporate device over the air, the .cab file is signed with a private key from the corporate certificate. The corporate certificate is sent over the air to the device by the mobile operator and is processed by the CertificateStore configuration service provider. The mobile operator must use the format supported by the CertificateStore configuration service provider. The certificate itself is a base-64 encoded certificate. The Role element specifies that this certificate has a Manager role. For more information about this role, see Security Roles. For more information about the CertificateStore configuration service provider, see CertificateStore Configuration Service Provider.
