Security and Managing Devices
The following list shows how security policies and roles are used to manage devices.
| Settings | Description of usage |
|---|---|
| Security policies | Use to configure security settings that are then enforced with the help of security roles and certificates. Security policies enforce security requirements for all OTA data messages that a mobile device receives, including push messages. The policies use roles to determine whether or not a message is accepted and, if it is accepted, what level of access it is allowed. |
| Security roles | Use to allow or restrict access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed. You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE_OPERATOR and SECROLE_OPERATOR_TPS roles, use the decimal value 132 (4+128). |
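The role combination described above, as an added example that is not part of the original page: the two role values are the page's (SECROLE_OPERATOR = 4, SECROLE_OPERATOR_TPS = 128); the role table is deliberately limited to those two, so the decoder reports any other bit as unknown rather than guessing a name for it.

```python
# Added example (not from the original page): combining Windows Mobile security-role
# values into the decimal number used in a security policy document, and decoding
# such a number back into role names. Only the two roles quoted on the page are
# listed; any bit outside this table is reported as unknown.
KNOWN_ROLES = {
    "SECROLE_OPERATOR": 4,
    "SECROLE_OPERATOR_TPS": 128,
}


def combine_roles(*names):
    """Return the decimal value that grants all of the named roles.

    Bitwise OR is used rather than plain addition: adding a role's value twice
    (4 + 4 + 128 = 136) silently sets a different bit, whereas OR is idempotent.
    Raises KeyError for a role name that is not in KNOWN_ROLES.
    """
    mask = 0
    for name in names:
        mask |= KNOWN_ROLES[name]
    return mask


def decode_mask(mask):
    """Split a decimal role value into (role_names, unknown_bits).

    A non-zero unknown_bits means the value carries bits that match no role in
    the table, which is the sign of a mistyped or mis-added value in the policy
    document and should be reviewed before deployment.
    """
    names = [name for name, bit in KNOWN_ROLES.items() if mask & bit]
    known = 0
    for bit in KNOWN_ROLES.values():
        known |= bit
    unknown_bits = mask & ~known
    return names, unknown_bits


if __name__ == "__main__":
    print(combine_roles("SECROLE_OPERATOR", "SECROLE_OPERATOR_TPS"))  # 132
    print(decode_mask(132))          # (['SECROLE_OPERATOR', 'SECROLE_OPERATOR_TPS'], 0)
    print(decode_mask(4 + 4 + 128))  # (['SECROLE_OPERATOR_TPS'], 8): stray bit from double-adding
```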
For general best practices, see Best Practices in Managing Devices.
- Use OMA DM whenever possible
When using OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.
The exception is bootstrapping a device: OMA Client Provisioning can be used for bootstrapping once OTA bootstrap is enabled.
- Set appropriate access
Set appropriate access for each configurable setting and establish what can be done with the setting if access has been granted. The following table shows the properties that you can use to manage Read/Write permission and access security roles for each configurable setting in a device:

| Property | Description |
|---|---|
| Access roles | Determines who can access the setting. Access roles determine which security roles are allowed to access a metabase entry. |
| Read/Write roles | Determines what can be done with the setting once access has been granted. Identifies the roles that have Read/Write access to the entry. |
For more information about these properties, see Metabase Configuration Service Provider.
- Follow the best practices for the protocol you use
Follow the security best practices for OMA Client Provisioning and for OMA Device Management.
- OMA Device Management Security Best Practices
Security features of the Open Mobile Alliance Device Management client and guidelines for its use.
- OMA Client Provisioning Security Best Practices
Security features and guidelines for OMA Client Provisioning.
- Setting the Grant Manager Policy
Describes setting system administrative privileges.
- Wiping a Device
Describes how to clear flash memory locally and remotely.