Security Policies in MDM

2/9/2009

Policy-based security enforcement in System Center Mobile Device Manager (MDM) is based on Active Directory Group Policy.

A managed Windows Mobile device processes Group Policy settings in a manner similar to a standard Windows-based operating system desktop or portable computer. By using Group Policy management tools that support MDM, you can assign specific Group Policy objects (GPOs) to security groups.

You can configure the settings to customize MDM through the MDM extensions to the Group Policy Management Console (GPMC) and Group Policy Object Editor.

Policy settings related to security, encryption, and device management appear in the navigation pane under Computer Configuration\Administrative Templates\Windows Mobile Settings. User-related settings, including messaging policies, are located under User Configuration\Administrative Templates\Windows Mobile Settings.

For more information on using Group Policy to manage devices in MDM, see Configuring Managed Devices with Group Policy.

For a list of MDM messaging settings available through Group Policy, see Messaging Policies in MDM.

Security Policies

The following sections show the security policies for MDM that are available under Computer Configuration\Administrative Templates\Windows Mobile Settings.

Password Policies

Policy Description

Require password

Lets you require users to set a password on the device:

  • If this setting is Enabled, users are required to create a password on their devices.
  • If this setting is Disabled, users can disable their password through Control Panel and leave their Windows Mobile device unlocked. However, users are not notified that the policy is disabled.
  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Password type

Lets you specify the type of password that users must create.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can specify that passwords must be alphanumeric (Strong), a numeric PIN (PIN), or either type (PIN or Strong).
  • If this setting is Disabled, users can set an alphanumeric password or a numeric PIN.
  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Allow simple password

Lets you control whether the user can create simple numeric passwords such as 1234 or 1111.

A simple numeric password is defined as any PIN or password in which the offset between each pair of consecutive characters is uniform. For example, the value 1111 has an offset of zero, and the value 2468 has an offset of two. The offset may be any number. This includes values that begin or end with zero, such as 0246 or 7890, but does not include values that wrap around in the middle of the string of digits, such as 9012 or 7913.

If you change this policy to Disabled so that a simple password is no longer allowed, and a device is configured with a password at the time the policy is applied, the user will be required to set a new non-simple password. A new password is required because it is not possible to determine if the existing password meets the standards of a non-simple password.

If you change this policy to Enabled so that a simple password is allowed, and a device is configured with a non-simple password at the time the policy is applied, the user is not notified of the change.

  • If this setting is Enabled, and the Password type policy is Disabled or is set to PIN or to PIN or Strong, users can create simple passwords.
  • If this setting is Disabled, users cannot create simple passwords.
  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.
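The simple-password rule above, as an added example (not code from MDM or the original page): a checker for the simple-password definition, plus a function that applies the Password type, Allow simple password and Minimum password length settings to a candidate value. The handling of a wrap past 9 on the final step (so that 7890 is simple while 9012 and 7913 are not), the Strong test and the one-digit case are assumptions chosen to reproduce the page's own examples.

```python
"""Simple-password check implementing the MDM definition quoted above.

Added example, not code from MDM or the original page. The policy names
used as parameter values are the page's own; the Strong (alphanumeric)
test, the final-step wrap rule and the one-digit case are assumptions."""
from typing import List, Optional


def is_simple_password(value: str) -> bool:
    """True when `value` is a simple numeric password under the MDM rule.

    Simple means the difference between each pair of consecutive digits is
    the same integer (negative offsets such as 4321 count too). A wrap past 9
    is tolerated only on the final step, so 7890 is simple (+1, +1, then 9->0)
    while 9012 and 7913 wrap in the middle and are not. This interpretation
    is an assumption that reproduces the examples given on the page.
    """
    if not value.isdigit():
        return False  # anything containing a non-digit is never "simple"
    digits = [int(ch) for ch in value]
    if len(digits) < 2:
        return True  # assumption: a lone digit has no variation, treat as simple
    diffs = [b - a for a, b in zip(digits, digits[1:])]
    offset = diffs[0]
    body, last = diffs[:-1], diffs[-1]
    if any(d != offset for d in body):
        return False  # a differing step (including a wrap) before the end
    return last == offset or (last - offset) % 10 == 0


def password_violations(
    value: str,
    password_type: str = "PIN or Strong",   # "PIN", "Strong" or "PIN or Strong"
    allow_simple: bool = True,              # Allow simple password Enabled?
    min_length: Optional[int] = None,       # Minimum password length; None = Disabled
) -> List[str]:
    """Return the policy rules `value` fails; an empty list means it is acceptable.

    Combines Password type, Allow simple password and Minimum password length
    as the page describes them. When Minimum password length is Disabled the
    page's defaults apply: 4 digits for a PIN, 7 characters for Strong.
    """
    problems: List[str] = []
    is_pin = value.isdigit()
    # Assumption: an alphanumeric (Strong) password needs at least one letter and one digit.
    is_strong = any(ch.isalpha() for ch in value) and any(ch.isdigit() for ch in value)

    if password_type == "PIN" and not is_pin:
        problems.append("Password type: a numeric PIN is required")
    elif password_type == "Strong" and not is_strong:
        problems.append("Password type: an alphanumeric (Strong) password is required")
    elif password_type == "PIN or Strong" and not (is_pin or is_strong):
        problems.append("Password type: must be a numeric PIN or an alphanumeric password")

    # Simple passwords are only a question for PINs, and only when the policy forbids them.
    if is_pin and not allow_simple and is_simple_password(value):
        problems.append("Allow simple password: simple PINs such as 1234 or 1111 are not allowed")

    required = min_length if min_length is not None else (4 if is_pin else 7)
    if len(value) < required:
        problems.append(f"Minimum password length: at least {required} characters required")
    return problems


if __name__ == "__main__":
    for pin in ("1111", "2468", "0246", "7890", "9012", "7913"):
        print(pin, "simple" if is_simple_password(pin) else "not simple")
    print(password_violations("2468", allow_simple=False))
```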

Password timeout

Lets you specify whether to have the device lock after the idle time that you configure.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the idle time, in minutes, after which the device automatically locks. The user must then enter the password to use most device functionality. The user can modify the idle time-out to be a shorter duration than that specified through this policy setting by configuring it in the device lock settings panel on the device.
  • If this setting is Disabled, the user can set the idle time-out through the device lock settings panel, up to a maximum of 24 hours.
  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Number of passwords remembered

Lets you prevent users from resetting their password to one of their previously set passwords.

As a best practice, when this policy is enabled, you should also enable the Password expiration policy.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the number of passwords that the device maintains. The user cannot create a new password that matches any of these previous passwords.
  • If this setting is Disabled, users can reuse any of their previous passwords.
  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Password expiration

Lets you configure the device lock expiration period. After the password expires, the user must enter a new password.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can specify the number of days after which the device password expires. After expiration, the user is prompted to renew the password.
  • If this setting is Disabled, the user can have the same password indefinitely.
  • If this setting is Not Configured, device-specific settings that control password expiration are in effect.

The default setting is Not Configured.

Minimum password length

Lets you require a minimum length for the device password.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the required minimum password length. After this policy is set on the device, the user is asked to create a new password if the current password does not meet the length requirement. You can set the minimum length to any integer between 1 and 40.
  • If this setting is Disabled, no minimum length is enforced and the default values are used. The default for Simple PIN is four digits, and for Strong Alphanumeric, it is seven characters.
  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Wipe device after failed attempts

Lets you configure the number of incorrect password attempts to accept before the device wipes all of its mounted storage volumes.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the number of incorrect tries to allow. After every incorrect try, the user is warned and shown the number of remaining tries. Before the last try, the user receives a warning that the device will be wiped.
  • If this setting is Disabled, the user can enter an infinite number of incorrect password tries and the device is never wiped.
  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Code word frequency

Lets you specify how many times a user may enter an incorrect device lock password before the user is required to enter a code word. This policy can prevent a local device wipe caused by an accidental password entry.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the Code word frequency value to specify the number of incorrect password tries that the user can make before a code word is required. We recommend that you set this value to a number less than the number of incorrect password tries that cause the device to be wiped.
  • If this setting is Disabled, the user is not asked to enter a code word after incorrect password tries.
  • If this setting is Not Configured, the existing device wipe setting on the device remains in effect.

The default setting is Not Configured.

Code word

Lets you configure the code word that the user must enter after several incorrect device lock passwords have been tried. The threshold number of password tries that triggers the code word is specified in the Code word frequency policy. This policy can prevent a local device wipe caused by an accidental password entry.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can specify the code word that the user is asked to enter.
  • If this setting is Disabled, the default code word is a1b2c3.
  • If this setting is Not Configured, existing device-specific settings that control the code word text on the device apply.

The default setting is Not Configured.

User reset of password

Lets you specify whether the user can reset the device password or PIN by using MDM or Microsoft Exchange Server 2007.

  • If this setting is Enabled, you can choose whether to provide the password recovery functionality through MDM or Exchange Server.
    If you select MDM, a user can reset the device password by using a recovery password stored on MDM Device Management Server.
    Note:
    MDM Password Reset Client, which is part of the MDM Resource Kit Tools, provides a .cab file that you install on Windows Mobile devices so that users can use the password reset feature in MDM. More information about installing the .cab file is included in the guide that is packaged with the tool download. To download the tool, see MDM Password Reset Client at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=127030.
    If you select Exchange Server and configure the Exchange Server to provide this capability, a user can reset the device password by using a recovery password stored on Exchange Server.
  • If this setting is Disabled, the user cannot reset the device password. To unlock the device, you must do a full device reset.
  • If this setting is Not Configured, then existing device-specific policies that control password reset on the device apply.
Note:
The Wipe Device after failed attempts Group Policy setting controls the maximum number of failed password reset attempts before the device is wiped.
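The prerequisites and recommendations in the Password Policies section, as an added consistency check (example code, not MDM's own tooling or code from the original page). The Setting class, the dictionary layout and the two sample GPOs are constructed assumptions; the rules are the ones the section states.

```python
"""Consistency lint for the Password Policies section above.

Added example, not MDM code or code from the original page. The policy
names are the page's Group Policy setting names; the Setting class and the
dictionary layout of a GPO are assumptions made for this example, and the
checks are the dependencies and recommendations the page itself states."""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Setting:
    state: str = "Not Configured"   # "Enabled", "Disabled" or "Not Configured"
    value: Any = None               # the configured value, used only when Enabled


# Settings the page says take effect only when Require password is Enabled.
REQUIRES_PASSWORD = (
    "Password type",
    "Password timeout",
    "Number of passwords remembered",
    "Password expiration",
    "Minimum password length",
    "Wipe device after failed attempts",
    "Code word frequency",
    "Code word",
)


def lint_password_policies(gpo: Dict[str, Setting]) -> List[str]:
    """Return one finding per inconsistency; an empty list means the GPO is coherent."""
    def get(name: str) -> Setting:
        return gpo.get(name, Setting())

    def enabled(name: str) -> bool:
        return get(name).state == "Enabled"

    findings: List[str] = []

    # Dependent settings are silently ignored without Require password.
    if not enabled("Require password"):
        for name in REQUIRES_PASSWORD:
            if enabled(name):
                findings.append(f"{name}: Enabled but Require password is not, so it has no effect")

    # Minimum password length accepts an integer from 1 to 40.
    if enabled("Minimum password length"):
        length = get("Minimum password length").value
        if not isinstance(length, int) or not 1 <= length <= 40:
            findings.append(f"Minimum password length: {length!r} is outside the allowed range 1-40")

    # Password history is only meaningful if rotation is forced by expiration.
    if enabled("Number of passwords remembered") and not enabled("Password expiration"):
        findings.append("Number of passwords remembered: enable Password expiration as well (page's best practice)")

    # The code word prompt must come before the wipe threshold to prevent accidental wipes.
    freq = get("Code word frequency").value
    wipe = get("Wipe device after failed attempts").value
    if enabled("Code word frequency") and enabled("Wipe device after failed attempts"):
        if isinstance(freq, int) and isinstance(wipe, int) and freq >= wipe:
            findings.append(f"Code word frequency: {freq} is not less than the wipe threshold {wipe}")

    # With Code word Disabled the device uses the documented default a1b2c3.
    if enabled("Code word frequency") and get("Code word").state == "Disabled":
        findings.append("Code word: Disabled, so the default code word a1b2c3 is in use")

    # Disabling the wipe removes the only limit on incorrect password tries.
    if get("Wipe device after failed attempts").state == "Disabled":
        findings.append("Wipe device after failed attempts: Disabled, so incorrect tries are unlimited")

    return findings


# Constructed sample GPOs (not real policy exports): one inconsistent, one coherent.
INCONSISTENT_GPO = {
    "Password type": Setting("Enabled", "Strong"),
    "Number of passwords remembered": Setting("Enabled", 5),
    "Minimum password length": Setting("Enabled", 50),
    "Wipe device after failed attempts": Setting("Enabled", 8),
    "Code word frequency": Setting("Enabled", 10),
    "Code word": Setting("Disabled"),
}

COHERENT_GPO = {
    "Require password": Setting("Enabled"),
    "Password type": Setting("Enabled", "PIN or Strong"),
    "Minimum password length": Setting("Enabled", 6),
    "Password expiration": Setting("Enabled", 90),
    "Number of passwords remembered": Setting("Enabled", 5),
    "Wipe device after failed attempts": Setting("Enabled", 10),
    "Code word frequency": Setting("Enabled", 5),
    "Code word": Setting("Enabled", "example-code-word"),  # constructed placeholder value
}

if __name__ == "__main__":
    for finding in lint_password_policies(INCONSISTENT_GPO):
        print("-", finding)
```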

Platform Lockdown

Policy Description

Turn off POP and IMAP Messaging

Lets you specify if the user can use IMAP4 and POP3 e-mail accounts.

  • If this setting is Disabled, the user can use IMAP4 or POP3 e-mail accounts.
  • If this setting is Enabled, e-mail accounts that use IMAP4 or POP3 protocols are turned off. The user cannot synchronize existing IMAP4 or POP3 e-mail accounts with their corresponding e-mail servers, and cannot set up a new IMAP4 or POP3 e-mail account. The user may be able to view e-mail messages for IMAP4 or POP3 e-mail accounts that were downloaded to the device before the policy setting was changed.
    You can still provision a new IMAP4 or POP3 e-mail account by using the Email2 Configuration Service Provider. However, if the new account was created after this policy is disabled, the user cannot synchronize that account with its e-mail server.
  • If the setting is Not Configured, existing POP and IMAP4 e-mail-related settings on the device are in effect.
Note:
This policy affects only the Microsoft e-mail application. To prevent users from accessing IMAP4 or POP3 e-mail accounts by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring security policies to allow only applications that are signed by trusted authorities to run.

The default setting is Not Configured.

Turn off SMS and MMS messaging

Lets you specify whether the user can send and receive SMS and MMS text messages.

Important:
The user may be charged for SMS messages that are blocked by this policy on the device.
  • If this setting is Disabled, the user can send and receive SMS and MMS text messages.
  • If this setting is Enabled, the user cannot send or receive new MMS text messages, and cannot send or receive SMS messages of the following types: Text (class 1, class 2, or class 3), Raw, or vCard. The user can view existing messages, and continue to receive special types of SMS messages that are not blocked, even if this policy is disabled.
  • If the setting is Not Configured, existing SMS and MMS messaging-related settings on the device are in effect.
Note:
This policy affects only built-in SMS and MMS applications. To prevent users from sending and receiving SMS and MMS text messages by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring Security Policies to allow only those applications that are signed by trusted authorities to run.

The default setting is Not Configured.

Turn off removable storage

Lets you specify whether the user can use removable storage on the device.

Note:
When you change this setting, all devices that connect to MDM Gateway Server restart.
  • If this setting is Disabled, the user can use removable storage.
  • If this setting is Enabled, removable storage is disabled at the driver level and the user cannot use it.
  • If the setting is Not Configured, existing removable storage-related settings on the device are in effect.

The default setting is Not Configured.

Turn off camera

Lets you specify whether the user can use a camera on the device. This policy affects all camera functions, including, but not limited to, showing a preview, taking pictures, and recording videos.

Note:
When you change this setting, devices restart when the policy is applied.
  • If this setting is Enabled, the user cannot use the camera in any way. The user cannot run the Microsoft Camera application, and may be unable to run third-party camera applications or capture images or videos with these applications. The user can use applications that use the camera, such as Microsoft Office Outlook Mobile and Mobile Address Book, but commands that work with the camera will not work.
  • If this setting is Disabled, the user can use the camera as usual, subject to existing restrictions imposed by the manufacturer.
  • If the setting is Not Configured, existing camera-related settings on the device are in effect.

The default setting is Not Configured.

Turn off wireless LAN

Lets you specify whether the user can use Wireless (Wi-Fi) local area networks (LANs) with the device.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use Wi-Fi.
  • If this setting is Disabled, the user can use Wi-Fi as usual.
  • If the setting is Not Configured, existing wireless LAN-related settings on the device are in effect.

The default setting is Not Configured.

Turn off Infrared

Lets you specify whether the user can use Infrared (IrDA) communications on the device. This setting affects all IrDA functions on the device, including, but not limited to, beaming data and connecting to ActiveSync by using IrDA.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use IrDA.
  • If this setting is Disabled, the user can use IrDA as usual.
  • If the setting is Not Configured, existing Infrared-related settings on the device are in effect.

The default setting is Not Configured.

Turn off Bluetooth

Lets you specify whether the user can use Bluetooth on the device. This setting affects all Bluetooth functions on the device, including, but not limited to, pairing with Bluetooth headsets and Bluetooth car kits.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use Bluetooth.
  • If this setting is Disabled, the user can use Bluetooth as usual.
  • If the setting is Not Configured, existing Bluetooth-related settings on the device are in effect.

The default setting is Not Configured.

Allowed Bluetooth profiles

Lets you specify Bluetooth profiles that the user can use on the device.

Note:
If Turn off Bluetooth is enabled, this policy does not apply.
Note:
When you change this setting, devices restart when the policy is applied.
  • If this setting is Enabled, the user can use only the specified Bluetooth profiles. All other programs are blocked.
  • If this setting is Disabled, the user can use Bluetooth as usual.
  • If the setting is Not Configured, existing Bluetooth profile-related settings on the device are in effect.

The default setting is Not Configured.

Block Remote API access to ActiveSync

Lets you restrict remote applications that are using Remote API (RAPI) to implement ActiveSync operations on Windows Mobile devices.

  • If this setting is Enabled, desktop ActiveSync service is blocked and the user cannot synchronize e-mail, files, or applications from the desktop or change any settings.
  • If this setting is Disabled, desktop applications that use ActiveSync Remote API (RAPI) to access the device can perform only operations on the device that the user has permissions to perform.
  • If this setting is Not Configured, existing device-specific policies that manage access to the device by desktop applications by using ActiveSync RAPI operations are in effect.

The default setting is Not Configured.

Application Disable

Policy Description

Turn off blocked application notification

Lets you turn off the custom notification message that is set by the Blocked application notification message policy.

  • If this setting is Enabled, neither the custom notification message nor the system default message appears.
  • If this setting is Disabled, the system default notification message appears.
  • If the setting is Not Configured, the existing settings on the device related to notification messages for blocked applications are in effect.

The default setting is Not Configured.

Blocked application notification message

Defines the custom notification message that appears when the user tries to run a built-in application that is blocked by Group Policy.

  • If this setting is Enabled, you can specify the custom text to use for the notification message.
  • If this setting is Disabled, a default notification message appears.
  • If the setting is Not Configured, the existing blocked application notification message–related settings on the device are in effect.

The default setting is Not Configured.

Block applications in ROM

Lets you block in-ROM applications so that the user cannot run them.

  • If this setting is Enabled, in-ROM applications that are specified in this policy are blocked.
  • If this setting is Disabled, all in-ROM applications can run.
  • If the setting is Not Configured, the existing settings on the device related to blocked in-ROM applications are in effect.
Note:
Take care not to block in-ROM applications that are required for basic device functionality, such as the ability to make a phone call or an emergency phone call. For example, do not block cdial.exe or cprog.exe.

The default setting is Not Configured.

Allow specified unsigned applications to run as privileged

Lets you specify whether RAM-installed unsigned applications run as privileged applications by default.

Note:
If an application is signed but the certificate needed to verify the signature could not be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
  • If this setting is Enabled, RAM-installed unsigned applications that are specified in this policy can run as privileged applications. This is the default setting. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.
  • If this setting is Disabled, the following policies determine whether a specific RAM-installed unsigned application can run:
    • Block unsigned applications from running on devices
    • Turn off user prompts on unsigned files
  • If the setting is Not Configured, the existing settings on the device related to application privilege are in effect.

The default setting is Not Configured.

Allow specified unsigned applications to run as normal

Lets you specify whether RAM-installed unsigned applications run as typical applications, by default.

Note:
If an application is signed but the certificate needed to verify the signature could not be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
  • If this setting is Enabled, RAM-installed unsigned applications specified in this policy run as usual applications, by default. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.
  • If this setting is Disabled, the following policies determine whether a specific RAM-installed unsigned application can run:
    • Block unsigned applications from running on devices
    • Turn off user prompts on unsigned files
  • If the setting is Not Configured, the existing settings on the device related to application privilege are in effect.

The default setting is Not Configured.

Security Policies

To apply the following security policies, push the certificate to the respective store. When Remove unmanaged Root certificates is enabled, the Resultant Set of Policy (RSoP) report for a device shows this policy as Disabled instead of Enabled, even though the policy was successfully applied to the devices.

Policy Description

Remove unmanaged SPC certificates

Lets you remove all certificates in the Software Publishing Certificate (SPC) store. The certificates in the SPC store authenticate application installation.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the SPC store are removed.
  • If this setting is Disabled or Not Configured, device certificates remain on the device and applications signed with these certificates install as usual.

The default setting is Not Configured.

Remove unmanaged privileged certificates

Lets you remove all certificates in the Privileged certificate store. For applications that require full device access, the certificates in the Privileged store control which applications can run.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all Privileged certificates are removed.
  • If this setting is Disabled or Not Configured, Privileged certificates remain on the device and all applications signed with these certificates will run.

The default setting is Not Configured.

Remove unmanaged normal certificates

Lets you remove all Normal certificates. For applications that do not require full device access, the Normal certificates control which applications can run.

Important:
Make sure that you do not remove certificates needed for typical device operation.
Note:
Most applications do not have to call privileged APIs.
  • If this setting is Enabled, all Normal certificates are removed.
  • If this setting is Disabled or is Not Configured, Normal certificates remain on the device and applications that are signed with these certificates will run.

The default setting is Not Configured.

Remove unmanaged Root certificates

Lets you remove all certificates in the Root store. The certificates in the Root certificate store are used for authentication, such as SSL.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the Root certificate store are removed.
  • If this setting is Disabled or is Not Configured, device Root certificates remain on the device.

The default setting is Not Configured.

Remove unmanaged intermediate certificates

Lets you remove all certificates in the Intermediate store. The certificates in the Intermediate certificate store are used for authentication such as SSL.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the Intermediate certificate store are removed.
  • If this setting is Disabled or is Not Configured, existing device Intermediate certificates remain provisioned on the device.

The default setting is Not Configured.

Remove manager role permission from user

Lets you specify whether a user has system administrative credentials on the device, without modifying metabase role assignments.

  • If this setting is Enabled, the user does not have administrative credentials. Only someone with a SECROLE_MANAGER security role has full administrative access to the device.
  • If this setting is Disabled, the user and manager have full administrative access. This means that the user can change device security settings.
  • If this setting is Not Configured, existing device-specific policies for system administrative credentials apply.

The default setting is Not Configured.

Block unsigned .cab file installation

Lets you specify whether unsigned .cab files can install on the device.

  • If this setting is Enabled, only signed .cab files install on the device.
  • If this setting is Disabled, unsigned .cab files are installed on the device under the SECROLE_USERAUTH security role.
  • If this setting is Not Configured, existing device-specific policies apply.

The default setting is Not Configured.

Block unsigned theme installation

Lets you specify whether unsigned themes can install on the device.

  • If this setting is Enabled, only signed themes install on the device.
  • If this setting is Disabled, unsigned themes install on the device under the SECROLE_USERAUTH security role.
  • If this setting is Not Configured, existing device-specific policies for installing themes apply.

The default setting is Not Configured.

Block unsigned applications from running on devices

Lets you specify whether unsigned applications can run on the device.

  • If this setting is Enabled, only signed applications and unsigned applications that have specific permissions can run on the device.
  • If this setting is Disabled, all unsigned applications can run on the device. Depending on the existing device-specific policies, the user may be prompted for consent before an unsigned application can run.
  • If this setting is Not Configured, existing device-specific policies that control whether unsigned applications can run apply.

The default setting is Not Configured.

Turn off user prompts on unsigned files

Lets you specify whether to prompt a user to accept or reject unsigned .cab, theme, .dll, and .exe files.

Note:
This policy applies only if you allow unsigned applications or .cab files on the device.
  • If this setting is Enabled, the user is prompted for consent before unsigned applications run.
  • If this setting is Disabled, the user is not prompted for consent before unsigned applications run.
  • If this setting is Not Configured, existing device-specific policies determine whether the user is prompted before unsigned applications run.

The default setting is Not Configured.

File Encryption

Policy Description

Turn on device encryption

Lets you turn on or off device encryption.

  • If this setting is Enabled, device encryption is turned on and password use is enforced.
  • If this setting is Disabled, device encryption is turned off.
  • If the setting is Not Configured, the existing settings on the device related to device encryption are in effect.

The default setting is Not Configured.

Specify device encryption file list

Lets you specify files to encrypt, in addition to those in the default encryption list, when device encryption is turned on.

Note:
This policy is in effect only when Turn on device encryption is enabled.
  • If this setting is Enabled, the files specified are added to the encryption list.
  • If this setting is Disabled, no files are added to the encryption list.
  • If the setting is Not Configured, the existing settings on the device related to the device encryption file list are in effect.

The default setting is Not Configured.

Exclude files from device encryption

Lets you specify files that should not be encrypted when device encryption is turned on.

Note:
This policy is in effect only when Turn on device encryption is enabled.
  • If this setting is Enabled, the files specified will not be encrypted.
  • If this setting is Disabled, no files are added to the encryption list.
  • If the setting is Not Configured, the existing settings on the device related to excluding files from device encryption are in effect.

The default setting is Not Configured.

Turn on storage card encryption

Lets you enable encryption of removable media and prevent the user from changing this setting.

  • If this setting is Enabled, newly created files on the storage card are encrypted with a key that is tied to the device. The user cannot disable this setting.
    Important:
    If the user performs a cold reset on the device, encrypted files on the storage card are not recoverable.
  • If this setting is Disabled, the user decides whether to encrypt files put on the storage card.
  • If this setting is Not Configured, existing device-specific policies for storage card encryption apply.

The default setting is Not Configured.

Device Management

Policy Description

Configure the Windows Update for Windows Mobile Service

Lets you configure the level of user control for the Windows Update for Windows Mobile download service. You can turn off the update service, leave it to be configured by the user, or configure it to be turned on with predefined settings that the user cannot change.

  • If this setting is Enabled, you can select from the following options:
    Switch Off: The update service is turned off for the device. The user cannot change the configuration.
    Switch On for User Config: The update service is turned on for the device. The user can change the settings.
    Note:
    This option is identical to the behavior of the update service when it is turned on in an unmanaged device.
    Switch On for Admin Lockdown: The update service is turned on for the device and is configured to work in automatic mode. Important security updates download automatically over any network connection, except when the device is roaming. The user is prompted to install updates that download automatically. The user cannot change this configuration.
  • If this setting is Disabled, the update service is turned on for the device. This shows the same behavior as if you enabled the policy and selected Switch On for User Config. The user can change the settings.
  • If this setting is Not Configured, how the device was configured at manufacture determines whether the update service is turned on.

The default setting is Not Configured.

Configure device management when roaming

Lets you configure how devices manage updates when roaming.

  • If this setting is Enabled, you can specify the following:
    Allow software download and Windows Update settings:
    • If selected, managed downloads that automatically start when a device is in roaming mode continue as they would when it is not roaming. Additionally, the device checks for new updates on Windows Update servers, as when it is not roaming.
    • If cleared, managed downloads that automatically start when a device is in roaming mode are paused. Additionally, the device does not check for new updates on any firmware update server. When the device is no longer roaming, downloading continues normally.
    Change device management schedule when roaming:
    • If selected, the device checks for updates when roaming based on the value of Check frequency multiplier.
    • If cleared, the device uses the default schedule to check for device management tasks while roaming.
    Check frequency multiplier: If you select Change device management schedule when roaming, this value specifies the time between server checks. You can select an integer from 0 to 10. The device multiplies the default server connection frequency by this value. For example, if the default server connection frequency is eight hours and this value is 4, the device checks for updates every 32 hours. If you set this value to zero, the device does not check for updates when roaming. The default value is 4. If you do not select Change device management schedule when roaming, this value is ignored.
  • If this setting is Disabled, the device checks for device management tasks while roaming, but does not accept managed downloads from MDM Device Management Server or updates from Windows Server Update Services (WSUS).
  • If this setting is Not Configured, the default device settings for roaming will apply.

The default setting is Not Configured.

Management session reset reminder timeout

Lets you specify the time interval between the provisioning of policies that require a restart on the device and the prompt that asks the user to restart the device.

  • If this setting is Enabled, you can specify the number of minutes until the user is prompted to restart the device.
  • If this setting is Disabled, the user is not reminded to reboot the device.
  • If this setting is Not Configured, existing device-specific policies that control the reboot prompt apply.

The default setting is Not Configured.

Mobile VPN Settings

Policy Description

Mobile VPN Name

Lets you specify the display name for the Mobile VPN on Windows Mobile devices. Specify a name of 30 characters or fewer. If you do not specify a name, MyMobileVPN is displayed.

The default setting is MyMobileVPN.

MDM Gateway Server name

Lets you change the fully qualified name or IP address for the MDM Gateway Server that was specified during enrollment. Typically, you do not have to change this name. A fully qualified name is 255 characters maximum and must consist of ASCII characters.

Corporate proxy server name for internet access

Lets you specify information for a proxy server. A company can decide to have all Internet access pass through a proxy server to filter, audit, or restrict access.

With this setting, you can specify the fully qualified name or IP address for the proxy server that is used for Internet access when the Mobile VPN is active. A fully qualified name is 255 characters maximum and must consist of ASCII characters.

If you do not specify a proxy server, the Windows Mobile device forwards all Internet traffic to the MDM Gateway Server for appropriate routing. By default, no proxy server is specified.

Allow user to turn off Mobile VPN

Lets you specify whether the user can turn off the Mobile VPN on Windows Mobile devices.

Note:
If the Mobile VPN is disconnected, the user can manually trigger a connection retry. An example of when the Mobile VPN is disconnected is when the base channel in a Windows Mobile device fails.
  • If this setting is Enabled, the user can turn off the Mobile VPN.
  • If this setting is Disabled, the user cannot turn off the Mobile VPN.
  • If the setting is Not Configured, the existing device settings that control whether the user can turn off the Mobile VPN are in effect.

The default setting is Not Configured.

Always connected when roaming

Lets you send keep-alive packets associated with the Mobile VPN while roaming. The Mobile VPN application automatically sends keep-alive packets to keep the connection always on.

Sending keep-alive packets enables push applications, such as remote device immediate wipe, to work. If keep-alive packets are not sent, applications that require push functionality do not work.

Important:
Depending on the service plan, sending keep-alive packets while roaming may incur additional data transmission costs.

Disabling this setting does not block all traffic while roaming. Traffic that is started by applications, or the user, may flow over the Mobile VPN connection.

  • If this setting is Enabled, the device sends Mobile VPN keep-alive packets while roaming.
  • If this setting is Disabled, the device does not send Mobile VPN keep-alive packets while roaming. In this case, the Mobile VPN sends traffic only on demand, as specified by applications on the device.
  • If the setting is Not Configured, the existing device settings related to remaining connected while roaming are in effect.

The default setting is Disabled.

Time interval between keepalive packets

Lets you specify the time interval between keep-alive packets.

  • If you specify a value, keep-alive packets are sent to the device. The value is specified in seconds. You can specify a value of up to 604,800 seconds.
    Note:
    Setting the value too low increases data traffic and reduces battery life on the device. If the value is too high, the Mobile VPN can disconnect and then require reconnection.
  • If you do not define this setting, the default value is 0 (zero). This lets the device detect the optimal time interval and use it.

The default setting is 0.

Allow AES data encryption algorithm

Lets you specify whether you can use the AES cipher to encrypt data that is sent over the Mobile VPN.

Note:
If both AES and 3DES encryption are explicitly not enabled, the Mobile VPN fails.
  • If this setting is Enabled, the Mobile VPN can use AES data encryption.
  • If this setting is Disabled, the Mobile VPN cannot use AES data encryption.
  • If the setting is Not Configured, the existing settings on the device related to the use of AES data encryption are in effect.

The default setting is Enabled.

Allow Triple DES data encryption algorithm

Lets you specify whether you can use the Triple Data Encryption Standard (3DES) cipher to encrypt data that is sent over the Mobile VPN.

Note:
If both Advanced Encryption Standard (AES) and 3DES are explicitly not enabled, the Mobile VPN fails.
  • If this setting is Enabled, the Mobile VPN can use 3DES data encryption.
  • If this setting is Disabled, the Mobile VPN cannot use 3DES data encryption.
  • If the setting is Not Configured, the existing settings on the device related to the use of 3DES data encryption are in effect.

The default setting is Enabled.

Key Exchange Algorithms

These policies let you specify which Diffie-Hellman Group protocols the Internet Key Exchange (IKE) protocol uses during Mobile VPN key exchange negotiations. By default, Diffie-Hellman Group 2, Group 5, and Group 14 are all enabled.

Note

If not all Diffie-Hellman groups are explicitly enabled, the Mobile VPN fails.

Policy Description

Allow Diffie Hellman group 2

Lets you specify whether the Diffie-Hellman Group 2 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 2 key exchange algorithms.
  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 2 key exchange algorithms.
  • If the setting is Not Configured, the existing settings on the device related to the use of Diffie-Hellman Group 2 protocol are in effect.

The default setting is Enabled.

Allow Diffie Hellman group 5

Lets you specify whether the Diffie-Hellman Group 5 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 5 key exchange algorithms.
  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 5 key exchange algorithms.
  • If the setting is Not Configured, the existing settings on the device related to the use of Diffie-Hellman Group 5 protocol are in effect.

The default setting is Enabled.

Allow Diffie Hellman group 14

Lets you specify whether the Diffie-Hellman Group 14 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 14 key exchange algorithms.
  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 14 key exchange algorithms.
  • If the setting is Not Configured, the existing settings on the device related to the use of Diffie-Hellman Group 14 protocol are in effect.

The default setting is Enabled.
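The Mobile VPN cipher and Diffie-Hellman group policies above, together with the roaming check-frequency rule under Configure device management when roaming, are easy to misconfigure into a VPN that fails or a device that never checks in. The following is an added example, not part of the MDM documentation, that lints a set of these policy values against the constraints stated on this page; the dictionary keys, function names and sample policy are assumptions for illustration only.

```python
# Added example (not MDM's own API): lint Mobile VPN, key-exchange and roaming
# policy values against the constraints stated in the MDM policy reference.
# Dictionary keys and function names below are assumed for illustration only.

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"
MAX_KEEPALIVE_SECONDS = 604_800      # stated upper bound for the keep-alive interval
DH_GROUPS = (2, 5, 14)               # Diffie-Hellman groups IKE may use for Mobile VPN


def roaming_check_interval_hours(default_hours, multiplier, change_schedule):
    """Hours between server checks while roaming; None means no checks at all.

    Mirrors the 'Check frequency multiplier' rule: an integer 0..10 scales the
    default connection frequency, 0 disables checks while roaming, and the
    value is ignored unless 'Change device management schedule when roaming'
    is selected (the default schedule then applies).
    """
    if not change_schedule:
        return default_hours
    if not 0 <= multiplier <= 10:
        raise ValueError("Check frequency multiplier must be an integer from 0 to 10")
    if multiplier == 0:
        return None
    return default_hours * multiplier


def lint_mobile_vpn_policy(policy):
    """Return a list of findings for values that make the Mobile VPN fail or weaken it."""
    findings = []
    aes = policy.get("allow_aes", ENABLED)       # documented default: Enabled
    tdes = policy.get("allow_3des", ENABLED)     # documented default: Enabled
    if aes == DISABLED and tdes == DISABLED:
        findings.append("both AES and 3DES disabled: Mobile VPN fails")
    elif aes != ENABLED and tdes != ENABLED:
        findings.append("no cipher explicitly enabled: outcome depends on existing device settings")
    not_enabled = [g for g in DH_GROUPS if policy.get(f"allow_dh_group{g}", ENABLED) != ENABLED]
    if not_enabled:
        findings.append(f"DH group(s) {not_enabled} not enabled: Mobile VPN fails")
    keepalive = policy.get("keepalive_seconds", 0)   # 0 lets the device pick the interval
    if not 0 <= keepalive <= MAX_KEEPALIVE_SECONDS:
        findings.append(f"keep-alive interval {keepalive}s outside 0..{MAX_KEEPALIVE_SECONDS}")
    if policy.get("always_connected_when_roaming", DISABLED) != ENABLED:
        findings.append("keep-alive off while roaming: push features such as immediate wipe do not work while roaming")
    return findings


# Constructed sample: an administrator disabled 3DES and DH group 2 for hardening.
SAMPLE_POLICY = {"allow_3des": DISABLED, "allow_dh_group2": DISABLED,
                 "always_connected_when_roaming": ENABLED, "keepalive_seconds": 900}

if __name__ == "__main__":
    for finding in lint_mobile_vpn_policy(SAMPLE_POLICY):
        print("finding:", finding)
```

Disabling 3DES alone is fine because AES stays enabled, but disabling any one Diffie-Hellman group is flagged, matching the note that the Mobile VPN fails unless all groups are enabled.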

Software Distribution

Policy Description

Enable client-side targeting

Lets you specify the target group names to use to receive updates from MDM software distribution. You can specify multiple group names separated by semicolons.

Note:
This policy applies only when the MDM software distribution for this device is configured to support client-side targeting.
  • If this setting is Enabled, the target group information is sent to the Software Distribution service. This service uses the group information to determine the updates to deploy to the device.
  • If this setting is Disabled, no target group information is sent to MDM software distribution.
  • If this setting is Not Configured, the settings on the device related to client-side targeting are in effect.

The default setting is Not Configured.

See Also

Reference

Messaging Policies in MDM

Concepts

Configuring Managed Devices with Group Policy