This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The Remote API Security policy is set to RESTRICTED by default. Under this policy the device will only receive RAPI messages that are assigned the AuthenticatedUser role (SECROLE_USER_AUTH). By default the AuthenticatedUser role does not have MANAGER privileges. With this default setting, you cannot make all of the configuration changes required to bootstrap the device. For example, you cannot change security settings.
To enable bootstrapping by using RAPI you must first give MANAGER privileges to the AuthenticatedUser role. After bootstrapping the device you must then remove those privileges to ensure that subsequent RAPI messages will not have unrestricted access to the device.
In this procedure, you will provision the device. For information about the provisioning file syntax for different OMA Client Provisioning versions, see OMA Client Provisioning Files.
To enable RAPI bootstrapping
Before shipping, the OEM must add the SECROLE_USER_AUTH role to the Grant Manager policy.
This enables the device to accept RAPI messages that require MANAGER privileges. If needed, the OEM can provision the device with this setting after manufacture as described in How to Change Security Policies. The following example shows how to change the Grant Manager policy to add SECROLE_USER_AUTH. The OEM would include this in the provisioning XML file that uses the SecurityPolicy Configuration Service Provider.
<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4119" value="144"/>
  </characteristic>
  <!-- other settings -->
</wap-provisioningdoc>
After you receive the device, you must do the following:
- Use the desktop configuration tool (rapiconfig.exe) to bootstrap the device over ActiveSync. For more information, see RapiConfig.exe.
- At the end of your bootstrap message, change the Grant Manager policy to remove SECROLE_USER_AUTH. This ensures that subsequent RAPI messages will not have MANAGER privileges.
The following XML example shows how to change the Grant Manager policy to remove SECROLE_USER_AUTH after the device has been bootstrapped.
<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4119" value="128"/>
  </characteristic>
  <!-- other settings -->
</wap-provisioningdoc>
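As an added example (not part of the original documentation or of any Microsoft tool), the following Python check reads a bootstrap message before it is sent and reports whether its final Grant Manager setting still includes SECROLE_USER_AUTH. It assumes the role's bit value is 16, which is the difference between the two values shown above (144 and 128), and that the last write to policy 4119 in the message is the one that takes effect. The function names and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GRANT_MANAGER = "4119"   # policy ID used in the page's XML examples
SECROLE_USER_AUTH = 16   # assumption derived from the page's values: 144 - 128

def grant_manager_values(doc):
    """Every value the message assigns to the Grant Manager policy, in order."""
    values = []
    for ch in ET.fromstring(doc).iter("characteristic"):
        if ch.get("type") == "SecurityPolicy":
            values += [int(p.get("value")) for p in ch.findall("parm")
                       if p.get("name") == GRANT_MANAGER]
    return values

def audit_bootstrap(doc):
    """Classify a bootstrap message by its final Grant Manager write.

    'closed'  - the last write drops SECROLE_USER_AUTH
    'open'    - the last write still grants it (assumes last write wins)
    'missing' - the message never resets the policy at all
    """
    values = grant_manager_values(doc)
    if not values:
        return "missing"
    return "open" if values[-1] & SECROLE_USER_AUTH else "closed"

# Constructed sample messages (not taken from a real device).
CLOSED = """<wap-provisioningdoc>
  <!-- other settings -->
  <characteristic type="SecurityPolicy">
    <parm name="4119" value="128"/>
  </characteristic>
</wap-provisioningdoc>"""
STILL_OPEN = CLOSED.replace('value="128"', 'value="144"')
NO_RESET = "<wap-provisioningdoc><!-- other settings --></wap-provisioningdoc>"

if __name__ == "__main__":
    for name, doc in [("CLOSED", CLOSED), ("STILL_OPEN", STILL_OPEN),
                      ("NO_RESET", NO_RESET)]:
        print(name, grant_manager_values(doc), audit_bootstrap(doc))
```

A result of "open" or "missing" means the device would keep accepting RAPI messages with MANAGER privileges after bootstrapping.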