|This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Security Policy settings define levels of security and whether Windows Mobile devices are configurable over the air (OTA). For information about setting security policies, see Security Policies.
Because the bootstrap process provides configuration data to Windows Mobile devices, it is important that the server initiating the bootstrap process is authenticated. To provide more secure provisioning, Windows Mobile devices rely on one of the following:
- A PIN-based mechanism
- A custom signed .cab file
- A secure channel between an OMA DM server and the client
The security roles of the DM server account are the same as the bootstrap message unless they are explicitly set by using Role parameters.
|The DM server account cannot have more roles than those of the bootstrap message, and it cannot configure a role that it doesn't have.|
The security roles for the DM server are assigned as follows:
- If the DM server is bootstrapped at manufacture, the server is assigned all roles implicitly.
- When bootstrapping a DM server account OTA or through Remote API (RAPI), the DM server roles are set to the Role parameter of the server account, as described in Configuration Service Provider and the Configuration Service Provider.
For an OTA WAP push bootstrap that is initiated by a mobile operator, the message is signed with a user PIN and a network PIN known only by the mobile operator and the device. For example, the network PIN for Global System for Mobile Communications (GSM) is the International Mobile Subscriber Identity (IMSI) number from the device's Subscriber Identity Module (SIM) card. For more information about how the device authenticates an OTA push provisioning message that is signed through one of the four methods defined in the OMA Provisioning Bootstrap Specification Version 1.1, see Security Policies and Security Roles.
|OTA bootstrapping is disabled by default in Windows Mobile devices. For more information, see Enabling OTA Bootstrapping.|
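The PIN-signed OTA bootstrap described above is authenticated on the device by recomputing a MAC over the message with a key built from the user PIN, the network PIN (the IMSI for GSM), or both. The following is an added example, not code from Windows Mobile or from the OMA specification: it shows a device-side check of that MAC with HMAC-SHA1, the function names, the swapped-nibble IMSI packing and the F padding are this example's assumptions, and the message body and IMSI are constructed test values.

```python
import hmac
import hashlib

# SEC method names come from the OMA Provisioning Bootstrap Specification 1.1.
# The key derivation below is this example's reading of that spec, not the
# Windows Mobile implementation; confirm the IMSI packing against the spec.

def imsi_to_network_pin(imsi: str) -> bytes:
    """Pack a 15-digit IMSI as swapped-nibble BCD, padded with F (assumed encoding)."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be 15 decimal digits")
    digits = imsi + "F"  # odd digit count, so pad the final high nibble with F
    packed = bytearray()
    for i in range(0, len(digits), 2):
        lo, hi = int(digits[i], 16), int(digits[i + 1], 16)
        packed.append((hi << 4) | lo)  # first digit of each pair in the low nibble
    return bytes(packed)

def derive_key(sec: str, user_pin: str = "", imsi: str = "") -> bytes:
    """Build the MAC key for a SEC method. NETWPIN alone is only as secret as the IMSI."""
    if sec == "USERPIN":
        return user_pin.encode("ascii")
    if sec == "NETWPIN":
        return imsi_to_network_pin(imsi)
    if sec == "USERNETWPIN":
        return imsi_to_network_pin(imsi) + user_pin.encode("ascii")
    raise ValueError(f"unsupported SEC method: {sec}")

def compute_mac(body: bytes, key: bytes) -> str:
    """HMAC-SHA1 over the provisioning body, as uppercase hex like the MAC parameter."""
    return hmac.new(key, body, hashlib.sha1).hexdigest().upper()

def verify_bootstrap(body: bytes, mac_hex: str, sec: str,
                     user_pin: str = "", imsi: str = "") -> bool:
    """Accept the bootstrap only if the received MAC matches; constant-time compare."""
    expected = compute_mac(body, derive_key(sec, user_pin, imsi))
    return hmac.compare_digest(expected, mac_hex.upper())

if __name__ == "__main__":
    body = b"<constructed-provisioning-body/>"  # constructed stand-in for the WBXML body
    imsi = "001010123456789"                    # constructed test-network IMSI
    mac = compute_mac(body, derive_key("USERNETWPIN", "1234", imsi))
    print("valid:", verify_bootstrap(body, mac, "USERNETWPIN", "1234", imsi))
    print("tampered:", verify_bootstrap(body + b"x", mac, "USERNETWPIN", "1234", imsi))
```

A device that accepts NETWPIN-only messages is trusting that nobody but the operator knows its IMSI, which is why requiring the user PIN as well (USERNETWPIN) raises the bar for a spoofed bootstrap.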
When a business uses a .cab file for bootstrapping a corporate device over the air, the .cab file is signed with a private key from the corporate certificate. The corporate certificate is sent over the air to the device by the mobile operator and is processed by the CertificateStore configuration service provider. The mobile operator must use the format supported by the CertificateStore configuration service provider. The certificate itself is a base-64 encoded certificate. The Role element specifies that this certificate has a Manager role. For more information about this role, see Security Roles. For more information about the CertificateStore configuration service provider, see CertificateStore Configuration Service Provider.