Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

Enabling Remote API (RAPI) Bootstrapping

Send Feedback

The Remote API Security policy is set to RESTRICTED by default. Under this policy the device will only receive RAPI messages that are assigned the Authenticated User role (SECROLE_USER_AUTH). By default the Authenticated User role does not have MANAGER privileges. With this default setting, you cannot make all of the configuration changes required to bootstrap the device. For example, you cannot change security settings.

To enable bootstrapping by using RAPI you must first give MANAGER privileges to the Authenticated User role. After bootstrapping the device you must then remove those privileges to ensure that subsequent RAPI messages will not have unrestricted access to the device.

To enable RAPI bootstrapping do the following:

  1. Before shipping, the OEM must add the SECROLE_USER_AUTH role to the Grant Manager policy.

    This enables the device to accept RAPI messages that require MANAGER privileges. If needed, the OEM can provision the device with this setting after manufacture as described in How To Change Security Policies.

    The following example shows how to change the GRANT MANAGER policy to add SECROLE_USER_AUTH. The OEM would include this in the provisioning XML file that uses the SecurityPolicy Configuration Service Provider.

    <wap-provisioningdoc>
       <characteristic type="SecurityPolicy">
       <parm name="4119" value="144">
       </characteristic>
       <!-- other settings -->
    </wap-provisioningdoc>
    
  2. After you receive the device, you must do the following:
    • Use the desktop configuration tool (rapiconfig.exe) to bootstrap the device over ActiveSync. For more information, see RapiConfig.exe.
    • At the end of your bootstrap message change the Grant Manager policy to remove SECROLE_USER_AUTH. This ensures that subsequent RAPI messages will not have MANAGER privileges.

      The following XML example shows how to change the Grant MANAGER policy to remove SSECROLE_USER_AUTH after the device has been bootstrapped.
      <wap-provisioningdoc>
         <characteristic type="SecurityPolicy">
            <parm name="4119" value="128">
         </characteristic>
         <!-- other settings -->
      </wap-provisioningdoc>
      

See Also

Bootstrapping Windows Mobile-Based Devices | Provisioning From a Desktop Computer Using Remote API and ActiveSync | Security Roles | Security Policies


Send Feedback on this topic to the authors

Feedback FAQs

© 2006 Microsoft Corporation. All rights reserved.


Show:
© 2015 Microsoft