
Modifying the Security Policy Provisioning Document

You can modify the default security policy document provided with Windows Mobile-based devices by replacing it with a custom security policy document. This XML provisioning document contains the current values for all of the security policies implemented on the device. The manager role is required for modifying this document.

Note An XML provisioning document may not install on a Windows Mobile device if the .cab file containing the document is not signed. You use the Microsoft Authenticode tools to sign .cab files. For information about Microsoft Authenticode tools, see the Authenticode documentation under "Security" in the MSDN library. For information about .cab files, see Application Security.

You can base the custom security policy document on one of the following security templates provided by Microsoft:

  • High level security template — Incorporate the restricted application security configuration.
  • Medium level security template — Incorporate the standard application security configuration.
  • Low level security template — Incorporate the unrestricted application security configuration.

For information about application security configurations, see Application Security.

To modify the security policy provisioning document

  1. Open Notepad to create a custom security policy document.

  2. Add provisioning XML to specify the security policies and policy values for the Windows Mobile-based device, as shown in the following example. The name and value attributes specify the policy ID and value, respectively. For certain security policies, the value is a security role mask, which you specify as a decimal value (not as a role name).

    • For Smartphone, use the following code example:

      <wap-provisioningdoc>
         <characteristic type="SecurityPolicy">
      
            <!-- AutoRun Policy: 0 -->
            <parm name="2" value="0"/>
      
             <!-- RAPI Policy: protected mode -->
            <parm name="4097" value="2"/>
      
            <!-- Unsigned CAB Policy: USER_AUTH -->
            <parm name="4101" value="16"/>
      
            <!-- Unsigned Applications Policy: enabled -->
            <parm name="4102" value="1"/>
      
            <!-- Unsigned Themes Policy: USER_UNAUTH -->
            <parm name="4103" value="64"/>
      
            <!-- Trusted Provisioning Server (TPS) Policy: enabled -->
            <parm name="4104" value="1"/>
      
            <!-- Message Authentication Policy: maximum 3 retries allowed -->
            <parm name="4105" value="3"/>
      
            <!-- WAP Signed Message Policy: PPG_AUTH | PPG_TRUSTED | OPERATOR_TPS | OPERATOR -->
            <parm name="4107" value="3204"/>
      
            <!-- Service Loading Policy: PPG_TRUSTED -->
            <parm name="4108" value="2048"/>
      
            <!-- Service Indication Policy: PPG_TRUSTED | PPG_AUTH -->
            <parm name="4109" value="3072"/>
      
            <!-- Unauthenticated Messages Policy: USER_UNAUTH -->
            <parm name="4110" value="64"/>
      
            <!-- OTA Provisioning Policy: USER_AUTH | TRUSTED_PPG | PPG_AUTH | PPG_TRUSTED | OPERATOR_TPS | OPERATOR -->
            <parm name="4111" value="3732"/>
      
            <!-- WSP Push Policy: enabled -->
            <parm name="4113" value="1"/>
      
            <!-- Grant Manager Policy: USER_AUTH -->
            <parm name="4119" value="16"/>
      
            <!-- Grant User Authenticated Policy: USER_AUTH (role masks are decimal values) -->
            <parm name="4120" value="16"/>
      
            <!-- Trusted WAP Proxy Policy: OPERATOR | OPERATOR_TPS | MANAGER -->
            <parm name="4121" value="140"/>
      
            <!-- Unsigned Prompt Policy: USER_UNAUTH -->
            <parm name="4122" value="0"/>
      
            <!-- PrivilegedApps Policy: Two-Tier Security Model-->
            <parm name="4123" value="0"/>
      
         </characteristic>
      </wap-provisioningdoc>
      
    • For Pocket PC, use the following code example:

      <wap-provisioningdoc>
         <characteristic type="SecurityPolicy">
            <!-- RAPI Policy: protected mode -->
            <parm name="4097" value="2"/>
      
            <!-- Unsigned CAB Policy: USER_AUTH -->
            <parm name="4101" value="16"/>
      
            <!-- Trusted Provisioning Server (TPS) Policy: enabled -->
            <parm name="4104" value="1"/>
      
            <!-- Message Authentication Policy: maximum 3 retries allowed -->
            <parm name="4105" value="3"/>
      
            <!-- WAP Signed Message Policy: PPG_AUTH | PPG_TRUSTED | OPERATOR_TPS | OPERATOR -->
            <parm name="4107" value="3204"/>
      
            <!-- Unauthenticated Messages Policy: USER_UNAUTH -->
            <parm name="4110" value="64"/>
      
            <!-- OTA Provisioning Policy: USER_AUTH | TRUSTED_PPG | PPG_AUTH | PPG_TRUSTED | OPERATOR_TPS | OPERATOR -->
            <parm name="4111" value="3732"/>
      
            <!-- WSP Push Policy: enabled -->
            <parm name="4113" value="1"/>
      
            <!-- Grant Manager Policy: USER_AUTH -->
            <parm name="4119" value="16"/>
      
            <!-- Grant User Authenticated Policy: USER_AUTH -->
            <parm name="4120" value="16"/>
      
            <!-- AutoRun Policy: 0 -->
            <parm name="2" value="0"/>
      
            <!-- Trusted WAP Proxy Policy: OPERATOR | OPERATOR_TPS | MANAGER-->
            <parm name="4121" value="140"/>
      
         </characteristic>
      </wap-provisioningdoc>
      
  3. Save the XML document as an ASCII file.

  4. Add the .xml file to an installation .cab file by doing the following:

    1. At a command prompt, change to the Tools folder for your platform:

      C:\Program Files\Windows CE Tools\wce<version>\<SMARTPHONE 2003 or POCKET PC 2003>\Tools

    2. Run makecab.exe as follows:

      For Smartphone: makecab <XML file name> myprovxml.cab

      For Pocket PC: makecab /D COMPRESS=OFF <XML file name> myprovxml.cab

      Note For Pocket PC, /D COMPRESS=OFF turns off file compression; Windows Mobile software for Pocket PCs requires an uncompressed .cab file.

  5. To sign the .cab file, use Microsoft Authenticode tools. For information about Microsoft Authenticode tools, see the Authenticode documentation under "Security" in the MSDN library.

    For Smartphone, if you're adding a certificate to the SPC store with a specific security role mask, you must sign the .cab file with a root certificate that maps to the same role mask in the SPC store.

    Whichever store you're adding a certificate to, you might need to sign the .cab file, depending on the Unsigned Themes policy setting for Smartphone and the Unsigned CABs policy setting for Pocket PC. For Smartphone, if the policy settings require signed .cab files, you must also verify the certificate chain and check the revocation list. For more information, see Application Security.

  6. Change the extension of the file to .cpf.
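Because the role-mask policies in step 2 must be written as decimal values, it is easy to ship a document with a misspelled policy ID or a symbolic value that the device will not accept. The following script, an added example that is not part of the original topic or of any Microsoft tool, decodes a SecurityPolicy provisioning document into named roles and reports such mistakes before you package it in step 4. The role bit values it uses are inferred from the decimal examples on this page (for instance 3204 = PPG_TRUSTED | PPG_AUTH | OPERATOR_TPS | OPERATOR) and are an assumption of this example; the policy IDs and names are taken from the two listings above.

```python
"""Decode and sanity-check a Windows Mobile SecurityPolicy provisioning document.
Added example, not from the page. Role bit values are those implied by the page's
decimal examples (e.g. 3204 = PPG_TRUSTED|PPG_AUTH|OPERATOR_TPS|OPERATOR), assumed here."""
import xml.etree.ElementTree as ET

ROLES = {4: "OPERATOR", 8: "MANAGER", 16: "USER_AUTH", 64: "USER_UNAUTH",
         128: "OPERATOR_TPS", 512: "TRUSTED_PPG", 1024: "PPG_AUTH", 2048: "PPG_TRUSTED"}
# Policy ID -> (name, value is a role mask?), taken from the page's two listings.
POLICIES = {"2": ("AutoRun", False), "4097": ("RAPI", False),
            "4101": ("Unsigned CAB", True), "4102": ("Unsigned Applications", False),
            "4103": ("Unsigned Themes", True), "4104": ("Trusted Provisioning Server", False),
            "4105": ("Message Authentication", False), "4107": ("WAP Signed Message", True),
            "4108": ("Service Loading", True), "4109": ("Service Indication", True),
            "4110": ("Unauthenticated Messages", True), "4111": ("OTA Provisioning", True),
            "4113": ("WSP Push", False), "4119": ("Grant Manager", True),
            "4120": ("Grant User Authenticated", True), "4121": ("Trusted WAP Proxy", True),
            "4122": ("Unsigned Prompt", False), "4123": ("PrivilegedApps", False)}

def decode_roles(mask):
    """Expand a decimal role mask into role names (ascending bit order); unknown bits are an error."""
    unknown = mask & ~sum(ROLES)
    if unknown:
        raise ValueError(f"unknown role bits {unknown} in mask {mask}")
    return [name for bit, name in sorted(ROLES.items()) if mask & bit]

def check_policy_doc(xml_text):
    """Return (decoded policies, problems). Role-mask values must be decimal, as the
    page requires; a symbolic value such as value="USER_AUTH" is reported, not accepted."""
    decoded, problems = {}, []
    sec = ET.fromstring(xml_text).find("characteristic[@type='SecurityPolicy']")
    if sec is None:
        return decoded, ["no SecurityPolicy characteristic"]
    for parm in sec.findall("parm"):
        pid, raw = parm.get("name"), parm.get("value", "")
        name, is_mask = POLICIES.get(pid, (f"policy {pid}", False))
        if pid not in POLICIES:
            problems.append(f"unknown policy ID {pid}")
        if not raw.isdigit():
            problems.append(f"{name}: value {raw!r} is not decimal")
            continue
        try:
            decoded[name] = decode_roles(int(raw)) if is_mask else int(raw)
        except ValueError as err:
            problems.append(f"{name}: {err}")
    return decoded, problems

# Constructed sample in the page's format, including a symbolic value the device would reject.
SAMPLE = """<wap-provisioningdoc><characteristic type="SecurityPolicy">
<parm name="4101" value="16"/><parm name="4121" value="140"/>
<parm name="4111" value="3732"/><parm name="4120" value="USER_AUTH"/>
</characteristic></wap-provisioningdoc>"""
```

Running `check_policy_doc` on a full document before `makecab` shows which roles each decimal mask grants and flags any value the device would not parse.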

See Also

Metabase Provisioning | Application Security | Security Policies and Roles | Security Roles | SecurityPolicy Configuration Service Provider | SecurityPolicy Configuration Service Provider Examples

© 2005 Microsoft Corporation. All rights reserved.