SecurityPolicy DDF File
The following shows the DDF file for the SecurityPolicy Configuration Service Provider.
Note This code has not been tested and is subject to change.
Note The first line of the DDF is the namespace reference for Microsoft custom properties. For more information, see Managing Microsoft Custom Properties (OMA DM).
<MgmtTree xmlns:MSFT="https://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.1.2</VerDTD>
<Node>
<NodeName>SecurityPolicy</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description></Description>
</DFProperties>
<Node>
<NodeName>2</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Autorun Policy
This security policy determines whether applications stored on a removable storage card are allowed to auto-run when inserted into the device.
Possible Values:
1 -- Applications on a removable storage card are restricted from auto-running.
0 -- Applications on a removable storage card are allowed to auto-run.
Default Value: 0.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4097</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>RAPI Policy
This policy restricts access to the device using RAPI over ActiveSync.
Possible Values:
0 -- All RAPI calls are disabled.
1 -- All RAPI calls are allowed.
2 -- RAPI is in restricted mode. RAPI calls are processed according to ActiveSync's security access role. ActiveSync's security role is SECROLE_USER_AUTH, and all resource requests are checked against this role mask before they are granted.
Default Value: 2</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4101</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Unsigned CABs Policy
This security policy determines whether Unsigned CABs can be installed on the device, and, if so, what role mask should be assigned to the CAB.
This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no unsigned CABs can be installed.
Default Value: 16 (SECROLE_USER_AUTH)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4102</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Unsigned Application Policy
This policy setting enforces whether unsigned applications are allowed to run on the device.
Possible Values:
0 -- Unsigned applications are NOT allowed to run on the device.
1 -- Unsigned applications ARE allowed to run on the device.
Default Value: 1</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4103</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Unsigned Themes Policy
This security policy determines whether theme files can be installed on the device, and if so, what role mask they will be installed with. Theme files are home screen cab files that are given more restricted access to the device resources by default.
This policy's value specifies a role mask.
Default Value: 40 (SECROLE_USER_UNAUTH)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4104</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Trusted Provisioning Server Policy
This policy setting determines whether a message can be assigned the SECROLE_OPERATOR_TPS role if the message has been deemed as coming from a TPS.
Possible Values:
0 -- Disable assigning SECROLE_OPERATOR_TPS role.
1 -- Enable assigning TPS role.
Default Value: 1</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4105</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Message Authentication Retry Policy
This policy setting defines the maximum allowed number of retry times for the user to authenticate a pin-signed WAP OTA provisioning message.
The minimum value is 1. The maximum value is 256.
Default Value: 3</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4107</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>WAP-Signed Message Policy
This policy setting determines the set of allowed roles that an OTA Provisioning message must have in order to be routed for processing.
This policy's value specifies a role mask. (If the message contains at least one of the roles in the role mask, then the message is routed.)
Default Value: 3200 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, SECROLE_OPERATOR_TPS)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4108</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Service Loading (SL) Message Policy
This policy setting determines whether SL messages are to be processed.
This policy's value specifies a role mask. (If a message contains at least one of the roles in the role mask, then the message is processed.)
Default Value: 2048 (SECROLE_PPG_TRUSTED)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4109</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Service Indication (SI) Message Policy
This policy setting determines whether SI messages are to be processed.
This policy's value specifies a role mask. (If a message contains at least one of the roles in the role mask, then the message is processed.)
Default Value: 3072 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4110</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Unauthenticated Message Policy
This policy setting determines the security role assigned to non WAP-signed messages.
This policy's value specifies a role mask.
Default Value: 64 (SECROLE_USER_UNAUTH)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4111</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>OTA Provisioning Policy
This policy setting determines which provisioning messages are accepted, based on the message's role(s). This policy is used to filter provisioning messages routed from the Push Router.
This policy's value specifies a role mask. (If a message contains at least one of the roles in the role mask, then the message is processed.)
Default Value: 3728 (SECROLE_OPERATOR_TPS, SECROLE_PPG_TRUSTED, SECROLE_PPG_AUTH, SECROLE_TRUSTED_PPG, SECROLE_USER_AUTH)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4113</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>WSP Push Policy
This policy setting determines whether a WAP push message over WSP is allowed.
Possible Values:
0 -- WSP push source is blocked.
1 -- Routing of WSP push message is allowed.
Default Value: 1</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4119</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Grant Manager Policy
This security policy permits mapping a particular role mask to the SECROLE_MANAGER role without having to modify the security role assigned to every setting in the Metabase accessible only to the manager role. This policy allows other roles to impersonate the SECROLE_MANAGER role.
This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no roles can impersonate the SECROLE_MANAGER role.
Default Value: 128 (SECROLE_OPERATOR_TPS) for Windows Mobile-based Pocket PC Phone Edition and Smartphone; 16 (SECROLE_USER_AUTH) for all other devices</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4120</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Grant User Authenticated Policy
This security policy permits mapping a particular role mask to the SECROLE_USER_AUTH role without having to modify the security role assigned to every setting in the Metabase accessible to the SECROLE_USER_AUTH role. This policy allows other roles to impersonate the SECROLE_USER_AUTH role.
This policy's value specifies a role mask, and a value of '0' (equivalent to having none of the role mask's bits set) means that no roles can impersonate the SECROLE_USER_AUTH role.
Default Value: 16 (SECROLE_USER_AUTH)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4121</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Trusted WAP Proxy Policy
This security policy specifies the level of permissions required to create, modify, and delete a trusted proxy using the PXLOGICAL Configuration Server Provider.
This policy's value specifies a role mask.
Default Value: 140 (SECROLE_OPERATOR, SECROLE_OPERATOR_TPS, SECROLE_MANAGER)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4122</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Unsigned Prompt Policy
This policy setting determines whether a user will be prompted if an unsigned application is installed or executed.
Possible Values:
0 -- Enable user prompt for unsigned application.
1 -- Disable user prompt.
Default Value: 0</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4123</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Privileged Applications Policy
This security policy controls which security model is implemented on the device.
Possible Values:
0 -- 2-tier security is enabled.
1 -- 1-tier security is enabled. Apps run privileged if they are allowed to run at all.
Default Value: 0 (for Smartphone devices); 1 (for Pocket PC devices)</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4124</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>Service Loading (SL) Security Policy
This setting allows the operator to override https to use http, or wsps to use wsp.
Possible Values:
0 -- Use https or wsps.
1 -- Use http or wsp.
Default Value: 1</Description>
</DFProperties>
</Node>
<Node>
<NodeName>4129</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<MSFT:RWAccess>3</MSFT:RWAccess>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:MinValue></MSFT:MinValue>
<MSFT:MaxValue></MSFT:MaxValue>
<MSFT:MaxLength></MSFT:MaxLength>
<Description>DRM Security Policy
This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message.
This policy's value specifies a role mask.
Default Value: 3072 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED)</Description>
</DFProperties>
</Node>
</Node>
</MgmtTree>
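Most of the policies above are role masks whose defaults the descriptions decompose into SECROLE bits (for example 3200 = SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED + SECROLE_OPERATOR_TPS). The following is an added example, not part of this page or the CSP itself: it parses a DDF fragment for each policy's documented default, decodes a mask into role names, and flags device values that grant roles beyond the default. The SECROLE bit values are assumptions chosen to agree with every default on this page, and the DDF fragment is constructed.

```python
import re
import xml.etree.ElementTree as ET
# Role bit values assumed here; each agrees with the page's own default decompositions
# (e.g. 3200 = SECROLE_PPG_AUTH 1024 + SECROLE_PPG_TRUSTED 2048 + SECROLE_OPERATOR_TPS 128).
SECROLE = {"SECROLE_OPERATOR": 4, "SECROLE_MANAGER": 8, "SECROLE_USER_AUTH": 16,
           "SECROLE_USER_UNAUTH": 64, "SECROLE_OPERATOR_TPS": 128, "SECROLE_TRUSTED_PPG": 512,
           "SECROLE_PPG_AUTH": 1024, "SECROLE_PPG_TRUSTED": 2048}
# Policy ids whose Description in the DDF says "This policy's value specifies a role mask".
MASK_POLICIES = {4101, 4103, 4107, 4108, 4109, 4110, 4111, 4119, 4120, 4121, 4129}

def decode_mask(mask):
    """Names of the roles whose bits are set; bits outside the table are reported in hex."""
    names = [name for name, bit in SECROLE.items() if mask & bit]
    leftover = mask & ~sum(SECROLE.values())
    return names + ([f"UNKNOWN_0x{leftover:X}"] if leftover else [])

def parse_ddf_defaults(ddf_xml):
    """Map numeric policy id -> (title, default) parsed from each leaf node's Description."""
    defaults = {}
    for node in ET.fromstring(ddf_xml).iter("Node"):
        name = node.findtext("NodeName") or ""
        desc = node.findtext("DFProperties/Description") or ""
        match = re.search(r"Default Value:\s*(\d+)", desc)
        if name.isdigit() and match:
            defaults[int(name)] = (desc.splitlines()[0].strip(), int(match.group(1)))
    return defaults

def audit(defaults, device_values):
    """Flag mask policies that grant roles beyond the default, and any other drift."""
    findings = []
    for pid, value in sorted(device_values.items()):
        if pid not in defaults or value == defaults[pid][1]:
            continue
        title, default = defaults[pid]
        if pid in MASK_POLICIES:
            extra = value & ~default
            if extra:  # roles beyond the documented default widen who is trusted
                findings.append((pid, title, "extra roles: " + ", ".join(decode_mask(extra))))
        else:
            findings.append((pid, title, f"value {value} differs from default {default}"))
    return findings

# Constructed DDF fragment with the same shape as the file above, trimmed to three policies.
SAMPLE_DDF = """<MgmtTree><Node><NodeName>SecurityPolicy</NodeName>
<Node><NodeName>4102</NodeName><DFProperties><Description>Unsigned Application Policy
Default Value: 1</Description></DFProperties></Node>
<Node><NodeName>4119</NodeName><DFProperties><Description>Grant Manager Policy
Default Value: 128 (SECROLE_OPERATOR_TPS)</Description></DFProperties></Node>
<Node><NodeName>4122</NodeName><DFProperties><Description>Unsigned Prompt Policy
Default Value: 0</Description></DFProperties></Node>
</Node></MgmtTree>"""
```

Running `audit(parse_ddf_defaults(SAMPLE_DDF), {4119: 144, 4122: 1})` reports that 4119 additionally lets SECROLE_USER_AUTH impersonate the manager role and that 4122 has unsigned-application prompts disabled; a mask that only drops roles relative to the default is not flagged.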
See Also
SecurityPolicy Configuration Service Provider