This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Mobile Operators can change Security Policies after manufacture.

By following these steps, you will know how to:

The following list shows the tasks that you must perform to provision a device.

Step Topic

If you have not already done so, decide on a method of delivery.

Deciding on a Method of Delivery

If you have not already done so, query the device to determine the current policies and roles that are configured.

You should always query a device before changing the settings.

How to Query Security Policies

Determine the settings or changes that you want to make.

There is a trade-off between application compatibility and device security. Although there are many policies, the following four policy options show the balance of compatibility and security.

  • Security OFF — no security checks are performed.

    For this level of security, you would set policy 4101 (Unsigned CAB) to 16 (allow USER_AUTH) and security policy 4102 (Unsigned Applications) to 1 (Enabled).

  • Prompt — The user is prompted when the source is unknown or is anonymous.

  • 3rdPartySigned — Third-party vendors that are identified though the Mobile-2-Market program are allowed access.

  • Locked — Only the OEM and Mobile Operator, or their licensed vendors, are allowed access.

    For this level of security, you would set policy 4101 (Unsigned CAB) to 0 (do not allow) and security policy 4102 (Unsigned Applications) to 0 (Disabled).

For details about each policy, see Security Policy Settings.

Selecting Security Configuration

Create a provisioning XML file that uses the SecurityPolicy Configuration Service Provider to change device settings.

SecurityPolicy Configuration Service Provider

The following list shows some examples:

Test that the provisioning XML changes a Windows Mobile device similar to the ones that you want to update.

Thoroughly test the security settings on the device.


If you chose to deliver the XML file by using either a cabinet (.cab) or cabinet provisioning format (.cpf) file, you must do the following:

  • Package the XML file for delivery

  • Sign the cab or .cpf file.

Packaging the XML File for Delivery

Deliver the provisioning XML file to the device. Typically, the file is installed upon delivery.

Delivering the Provisioning XML File to the Device

See Also