Security and Managing Devices

Windows Mobile 6.5

The following list shows how security policies and roles are used to manage devices.

Setting and description of usage:

Security Policies

Use to configure security settings that are then enforced with the help of security roles and certificates.

Security policies enforce security requirements for all OTA data messages that a mobile device receives, including push messages.

The policies use roles to determine whether or not a message is accepted, and if it is accepted, what level of access it is allowed.

For the security policies that are used for Device Management, see Security Policies and Security Policy Settings.

Security Roles

Use to allow or restrict access to Windows Mobile device resources. The security role is based on the message origin and how the message is signed.

You can assign multiple roles to a message in the security policy XML document by combining (adding) the decimal values of the roles that you want to assign. For example, to assign both the SECROLE_OPERATOR and SECROLE_OPERATOR_TPS roles, use the decimal value 132 (4 + 128).
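The following Python helper, added here as an illustration and not taken from the Windows Mobile documentation, shows the combine-by-addition rule in both directions: it builds the decimal value from role names and decodes a value found in a policy document back into roles, flagging any bits that do not correspond to a known role. Only SECROLE_OPERATOR (4) and SECROLE_OPERATOR_TPS (128) appear on this page; the remaining entries in the role table are assumed from the Windows Mobile security-role list and should be checked against the Security Roles topic before use. The "unauthenticated" flag is this example's own review heuristic, not a rule stated by the page.

```python
"""Combine and decode Windows Mobile security-role masks (added example)."""

# Role values. 4 and 128 come from the page; the others are assumed from the
# Windows Mobile security-role table and should be verified against it.
SECURITY_ROLES = {
    "SECROLE_OPERATOR": 4,
    "SECROLE_MANAGER": 8,
    "SECROLE_USER_AUTH": 16,
    "SECROLE_USER_UNAUTH": 32,
    "SECROLE_ANY_PUSH_SOURCE": 64,
    "SECROLE_OPERATOR_TPS": 128,
    "SECROLE_PPG_TRUSTED": 256,
    "SECROLE_PPG_AUTH": 512,
    "SECROLE_PPG_UNAUTH": 1024,
    "SECROLE_KNOWN_PPG": 2048,
}

# Roles that grant access to sources that have not authenticated themselves.
# This grouping is the example's own heuristic for reviewing a policy value.
UNAUTHENTICATED_ROLES = ("SECROLE_USER_UNAUTH", "SECROLE_PPG_UNAUTH")


def combine_roles(*names):
    """Return the decimal policy value that grants every named role.

    Each role value is a distinct power of two, so adding them is the same
    as OR-ing them; OR is used so a role listed twice is not double-counted.
    """
    mask = 0
    for name in names:
        if name not in SECURITY_ROLES:
            raise ValueError(f"unknown security role: {name}")
        mask |= SECURITY_ROLES[name]
    return mask


def decode_roles(mask):
    """Split a policy value into (known role names, leftover unknown bits)."""
    names = []
    remaining = mask
    for name, value in sorted(SECURITY_ROLES.items(), key=lambda kv: kv[1]):
        if remaining & value:
            names.append(name)
            remaining &= ~value
    return names, remaining


def audit_role_mask(mask):
    """Summarise a policy value the way a reviewer would read it.

    Returns the roles it grants, which of them admit unauthenticated sources,
    and any bits that match no known role (usually a typo in the XML value).
    """
    names, leftover = decode_roles(mask)
    return {
        "value": mask,
        "roles": names,
        "unauthenticated": [n for n in names if n in UNAUTHENTICATED_ROLES],
        "unknown_bits": leftover,
    }


if __name__ == "__main__":
    # The page's own example: operator plus operator TPS is 4 + 128 = 132.
    value = combine_roles("SECROLE_OPERATOR", "SECROLE_OPERATOR_TPS")
    print(value, audit_role_mask(value))
    # A constructed value with a stray bit set, as a typo in a policy would produce.
    print(audit_role_mask(133))
```

Running the script prints 132 with the two roles listed and no unknown bits, then shows that 133 carries a leftover bit of 1 that matches no role, which is the kind of value worth catching before a policy document is pushed to devices.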

For general best practices, see Best Practices in Managing Devices.

Use OMA DM whenever possible

When using OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.

The exception is device bootstrapping: OMA DM cannot be used until the device has been bootstrapped, so OMA Client Provisioning is used for bootstrapping once OTA bootstrap is enabled.

Set appropriate access

Set appropriate access for each configurable setting and establish what can be done with the setting if access has been granted. The following table shows the properties that you can use to manage Read/Write permission and access security roles for each configurable setting in a device:

Property and description:


Determines who can access the setting. Access roles determine which security roles are allowed to access a metabase entry.


Determines what can be done with the setting once access has been granted. It is used to identify the roles that have Read/Write access to the entry.

For more information about these properties, see Metabase Configuration Service Provider.

Follow the best practices for the protocol you use

Follow the security best practices for OMA Client Provisioning and for OMA Device Management.

OMA Device Management Security Best Practices

Security features of the Open Mobile Alliance Device Management client and guidelines for its use.

OMA Client Provisioning Security Best Practices

Security features and guidelines for OMA Client Provisioning.

Setting the Grant Manager Policy

Describes setting system administrative privileges.

Wiping a Device

Describes how to clear flash memory locally and remotely.