Share via


Setting the Grant Manager Policy

4/8/2010

You can use the Grant Manager Policy to grant system administrative privileges that are held by the Manager role to other security roles, without modifying metabase role assignments.

The Grant Manager policy (4119) is enforced by the Configuration Manager, and a Manager role is required to modify it.

The following list shows the possible values.

Value Description

SECROLE_USER_AUTH

Gives system administrative privileges to the SECROLE_USER_AUTH mask.

SECROLE_NONE

Does not give system administrative privileges to any other role. Only the manager is granted the Manager role.

SECROLE_MANAGER

Only the manager is granted the Manager role.

SECROLE_ENTERPRISE

The addition of the Enterprise role to Grant Manager enables Exchange and Microsoft System Center Mobile Device Manager (MDM) 2008 servers to manage all OS functionality on a device running Windows Mobile 6.1.

<any role mask>

A specified role mask indicates system administrative privileges are given to the role mask specified.

The default value for this policy depends on the type of device. The following table shows the default values.

Form factor Default value

Windows Mobile Professional

SECROLE_OPERATOR_TPS (Trusted Provisioning Server), SECROLE_ENTERPRISE

Windows Mobile Classic

SECROLE_USER_AUTH (User Authenticated), SECROLE_ENTERPRISE

Windows Mobile Standard

SECROLE_OPERATOR_TPS (Trusted Provisioning Server), SECROLE_ENTERPRISE

The following example shows how to change the security policy. In this example,

<characteristic type="SecurityPolicy">
     <!-- Grant Manager Policy to SECROLE_USER_AUTH --> 
     <parm name="4119" value="16" />
</characteristic>

As shown in Security Policy Settings, the Grant Manager policy is 4119.

As shown in Security Roles, the value for User Authenticated is 16.

Best Practices

The best practice for the setting Grant Manager policy for bootstrap depends on the method of bootstrapping.

  • Using a .cpf file to bootstrap
    The Grant Manager policy should be set to SECROLE_NONE so that only a message that is marked as Manager will be treated as such.

    The following example shows how to change the GRANT MANAGER policy to SECROLE_NONE:

    <!-- Updating the Grant Manager policy so that only the message that is already assigned the Manager role can be worked as manager message. -->
    <characteristic type="SecurityPolicy">
       <parm name="4119" value="0"/>
    </characteristic>
    

    For more information, see Bootstrapping To Use a CPF File.

  • Using Remote API (RAPI) to bootstrap
    The Grant Manager policy should be set to SECROLE_USER_AUTH to enables the device to accept RAPI messages that require MANAGER privileges. The permissions associated with this role are determined by the settings that the user requires access to if he or she is not the manager of the device.

    The following example shows how to change the GRANT MANAGER policy to SECROLE_USER_AUTH:

    <characteristic type="SecurityPolicy">
       <parm name="4119" value="16"> 
    </characteristic>
    <!-- other settings -->
    

    For more information, see Enabling Remote API (RAPI) Bootstrapping.

  • Over-the-air (OTA) bootstrap using the OMA Client Provisioning protocol
    The Grant Manager policy should be set to SECROLE OPERATOR and SECROLE_OPERATOR_TPS.

    The following example shows how to change these settings:

    <characteristic type="SecurityPolicy">
       <parm name="4119" value="132"/>
    </characteristic>
    

    For more information, see Enabling OTA Bootstrapping.

  • Bootstrap the device to use an OMA Device Management server remote OTA provisioning
    After the device is bootstrapped, the Grant Manager policy should be set to SECROLE_MANAGER to enable the device to accept a configuration request OTA from the OMA DM server.

    The following example shows how to change the GRANT MANAGER policy to SECROLE_MANAGER:

    <characteristic type="SecurityPolicy">
       <parm name="4119" value="8"/>
    </characteristic>
    

    For more information, see Bootstrapping To Use An OMA DM Server.

  • Bootstrap the device to use an OMA Client Provisioning server
    After the device is bootstrapped, the Grant Manager policy should be set to SECROLE_OPERATOR_TPS to enable the device to accept a WAP push gateway, a Trusted Provisioning Server URL for continuous provisioning. The message coming from the OMA Client Provisioning TPS will be granted the Manager role after the device is bootstrapped.

    The following example shows how to change the GRANT MANAGER policy to SECROLE_USER_AUTH:

    <characteristic type="SecurityPolicy">
       <parm name="4119" value="16"> 
    </characteristic>
    <!-- other settings -->
    

    For more information, see Bootstrapping To Use an OMA Client Provisioning Server.

Comments

One provisioning XML file typically contains configuration information for multiple Configuration Service Providers. To use this example, you must replace the values as appropriate, and add the node as a child of the OMA Client Provisioning file. For information about the syntax of this file, see OMA Client Provisioning Files. For examples, see OMA Client Provisioning XML File Examples.

See Also

Other Resources

Security Roles
Security Policy Settings