Security Policies in MDM
10/3/2008
System Center Mobile Device Manager (MDM) policy-based security enforcement is built on Active Directory and Group Policy.
A managed Windows Mobile powered device processes Group Policy settings in much the same way as a Windows-based desktop or portable computer does. By using Group Policy management tools that support MDM, you can assign specific Group Policy objects (GPOs) to security groups.
Used with care, security groups provide an efficient way to assign access to resources on a network. By using security groups, you can do the following:
- Assign user rights to security groups in Active Directory Domain Services
- Assign permissions to security groups on resources
You configure the MDM settings through the MDM extensions to the Group Policy Management Console (GPMC) and the Group Policy Object Editor.
For more information on using Group Policy to manage devices in MDM, see Configuring Managed Devices with Group Policy.
For a list of MDM messaging settings available through Group Policy, see Messaging Policies in MDM.
Security Policies
The following sections list the MDM security policies, which are available under Computer Configuration\Administrative Templates\Windows Mobile Settings. A policy that is Not Configured leaves the device's current behavior unchanged; a restriction is enforced only after you explicitly enable the policy and the device receives it.
Password Policies
Policy | Description |
---|---|
Require password | Lets you require users to set a password on the device. Several of the policies below take effect only when this policy is enabled. The default setting is Not Configured. |
Password type | Lets you specify the type of password that users must create. The default setting is Not Configured. |
Password timeout | Lets you specify whether the device locks after the idle time that you configure. The Require password policy must also be enabled for this policy setting to take effect. The default setting is Not Configured. |
Number of passwords remembered | Lets you prevent users from resetting their password to one that they set previously. As a best practice, when this policy is enabled, also enable the Password expiration policy. The default setting is Not Configured. |
Password expiration | Lets you configure how long a device lock password remains valid. After the password expires, the user must set a new password. The default setting is Not Configured. |
Minimum password length | Lets you require a minimum length for the device password. The Require password policy must also be enabled for this policy setting to take effect. The default setting is Not Configured. |
Wipe device after failed attempts | Lets you configure the number of incorrect password attempts that the device accepts before it wipes all of its mounted storage volumes. The Require password policy must be enabled for this policy setting to take effect. The default setting is Not Configured. |
Code word frequency | Lets you specify how many incorrect device lock passwords a user may enter before the user is required to enter a code word. This policy can prevent a local device wipe caused by accidental password entry. The default setting is Not Configured. |
Code word | Lets you configure the code word that the user must enter after several incorrect device lock passwords have been tried. The number of incorrect attempts that triggers the code word prompt is set by the Code word frequency policy. This policy can prevent a local device wipe caused by accidental password entry. The default setting is Not Configured. |
Block user reset of authentication on the device | Lets you block the user from resetting the device lock authentication (PIN or password) by using the capability that Microsoft Exchange Server 2007 provides. The default setting is Not Configured. |
Platform Lockdown
Policy | Description |
---|---|
Turn off POP and IMAP Messaging | Lets you specify whether the user can use IMAP4 and POP3 e-mail accounts. Note: This policy affects only the Microsoft e-mail application. To prevent users from reaching IMAP4 or POP3 accounts through a third-party application, block that application by configuring the Application Disable policies, or configure the Security Policies so that only applications signed by trusted authorities can run. The default setting is Not Configured. |
Turn off SMS and MMS messaging | Lets you specify whether the user can send and receive SMS and MMS text messages. Important: The user may still be charged for SMS messages that this policy blocks, because the block is applied on the device, not by the carrier. Note: This policy affects only the built-in SMS and MMS applications. To prevent users from sending and receiving SMS and MMS messages through a third-party application, block that application by configuring the Application Disable policies, or configure the Security Policies so that only applications signed by trusted authorities can run. The default setting is Not Configured. |
Turn off removable storage | Lets you specify whether the user can use removable storage on the device. Note: When you change this setting, all devices that connect to MDM Gateway Server restart. The default setting is Not Configured. |
Turn off camera | Lets you specify whether the user can use a camera on the device. This policy affects all camera functions, including, but not limited to, showing a preview, taking pictures, and recording video. Note: When you change this setting, devices restart when the policy is applied. The default setting is Not Configured. |
Turn off wireless Local Area Network (LAN) | Lets you specify whether the user can use wireless LANs (Wi-Fi) with the device. Note: When you change this setting, the device restarts when the policy is applied. The default setting is Not Configured. |
Turn off Infrared | Lets you specify whether the user can use Infrared (IrDA) communications on the device. This setting affects all IrDA functions, including, but not limited to, beaming data and connecting to ActiveSync over IrDA. Note: When you change this setting, the device restarts when the policy is applied. The default setting is Not Configured. |
Turn off Bluetooth | Lets you specify whether the user can use Bluetooth on the device. This setting affects all Bluetooth functions, including, but not limited to, pairing with Bluetooth headsets and Bluetooth car kits. Note: When you change this setting, the device restarts when the policy is applied. The default setting is Not Configured. |
Allowed Bluetooth profiles | Lets you specify the Bluetooth profiles that the user can use on the device. Note: If Turn off Bluetooth is enabled, this policy does not apply. Note: When you change this setting, devices restart when the policy is applied. The default setting is Not Configured. |
Block Remote API access to ActiveSync | Lets you restrict remote applications that use the Remote API (RAPI) to perform ActiveSync operations on Windows Mobile powered devices. The default setting is Not Configured. |
Application Disable
Policy | Description |
---|---|
Turn off blocked application notification | Lets you turn off the custom notification message that the Blocked application notification message policy defines. The default setting is Not Configured. |
Blocked application notification message | Defines the custom notification message that appears when the user tries to run a built-in application that Group Policy blocks. The default setting is Not Configured. |
Block applications in-ROM | Lets you block in-ROM applications so that the user cannot run them. Note: Take care not to block in-ROM applications that are required for basic device functionality, such as making a phone call or an emergency call. For example, do not block cdial.exe or cprog.exe. The default setting is Not Configured. |
Allow specified unsigned applications to run as privileged | Lets you specify whether RAM-installed unsigned applications run as privileged applications by default. Note: If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application; only when the certificate is present does the store that holds it define the rights level. This policy does not affect how application signing or the application revocation policy is applied to applications. The default setting is Not Configured. |
Allow specified unsigned applications to run as normal | Lets you specify whether RAM-installed unsigned applications run as normal applications by default. Note: If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application; only when the certificate is present does the store that holds it define the rights level. This policy does not affect how application signing or the application revocation policy is applied to applications. The default setting is Not Configured. |
Security Policies
The Remove unmanaged policies in this table clear the named certificate store; any certificate that a device must keep has to be pushed to the respective store through MDM so that it is managed. When Remove unmanaged Root certificates is enabled, the Resultant Set of Policy (RSOP) report for a device shows this policy as Disabled instead of Enabled, even though the policy was applied successfully to the device.
Policy | Description |
---|---|
Remove unmanaged SPC certificates | Lets you remove all certificates in the Software Publishing Certificate (SPC) store. The certificates in the SPC store authenticate application installation. Important: Make sure that you do not remove certificates required for typical device operation. The default setting is Not Configured. |
Remove unmanaged privileged certificates | Lets you remove all certificates in the Privileged certificate store. For applications that require full device access, the certificates in the Privileged store control which applications can run. Important: Make sure that you do not remove certificates required for typical device operation. The default setting is Not Configured. |
Remove unmanaged normal certificates | Lets you remove all certificates in the Normal certificate store. For applications that do not require full device access, the certificates in the Normal store control which applications can run. Important: Make sure that you do not remove certificates required for typical device operation. Note: Most applications do not need to call privileged APIs and belong in the Normal store. The default setting is Not Configured. |
Remove unmanaged Root certificates | Lets you remove all certificates in the Root store. The certificates in the Root store are used for authentication, such as SSL. Important: Make sure that you do not remove certificates required for typical device operation. The default setting is Not Configured. |
Remove unmanaged intermediate certificates | Lets you remove all certificates in the Intermediate store. The certificates in the Intermediate store are used for authentication, such as SSL. Important: Make sure that you do not remove certificates required for typical device operation. The default setting is Not Configured. |
Remove manager role permission from user | Lets you specify whether the user has system administrative credentials on the device, without modifying metabase role assignments. The default setting is Not Configured. |
Block unsigned .cab file installation | Lets you specify whether unsigned .cab files can be installed on the device. The default setting is Not Configured. |
Block unsigned theme installation | Lets you specify whether unsigned themes can be installed on the device. The default setting is Not Configured. |
Block unsigned applications from running on devices | Lets you specify whether unsigned applications can run on the device. The default setting is Not Configured. |
Turn off user prompts on unsigned files | Lets you specify whether the user is prompted to accept or reject unsigned .cab, theme, .dll, and .exe files. Note: This policy applies only if you allow unsigned applications or .cab files on the device; with unsigned files allowed and prompts turned off, they install or run without any user-visible step. The default setting is Not Configured. |
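The run decision that the Application Disable and Security Policies tables describe, as an added Python example that is not code from the MDM documentation or from Windows Mobile. It models only what the tables state: an application signed with a certificate in the Privileged store runs with full device access, one signed with a certificate in the Normal store runs as a normal application, a signed application whose certificate is not on the device is treated as unsigned, and unsigned code is then blocked, prompted for, or run according to the Security Policies. Certificates are represented by constructed thumbprints and stores by sets of thumbprints; no signature is actually verified. The check order, the assumption that the privileged policy wins when both "Allow specified unsigned applications" policies are enabled, and the fallback to the Normal tier when neither is enabled are this example's assumptions.

```python
"""Application run decision under the MDM application-signing policies.

Added example, not code from the MDM documentation or from Windows Mobile.
Certificates are thumbprints, stores are sets of thumbprints, and nothing is
cryptographically verified; the check order and the tier fallbacks for
unsigned code are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class DeviceStores:
    """Thumbprints held in the device's Privileged and Normal certificate stores."""
    privileged: set = field(default_factory=set)
    normal: set = field(default_factory=set)


@dataclass
class Policies:
    """The Security Policies that govern unsigned code (False = not enabled)."""
    block_unsigned_apps: bool = False        # Block unsigned applications from running on devices
    allow_unsigned_privileged: bool = False  # Allow specified unsigned applications to run as privileged
    allow_unsigned_normal: bool = False      # Allow specified unsigned applications to run as normal
    turn_off_unsigned_prompts: bool = False  # Turn off user prompts on unsigned files


def unsigned_tier(pol: Policies) -> str:
    # Assumption: privileged wins if both Allow policies are enabled; Normal otherwise.
    return "privileged" if pol.allow_unsigned_privileged else "normal"


def run_decision(signer: Optional[str], stores: DeviceStores,
                 pol: Policies) -> Tuple[str, Optional[str]]:
    """Return (action, tier); action is 'run', 'prompt' or 'blocked'."""
    if signer is not None and signer in stores.privileged:
        return ("run", "privileged")
    if signer is not None and signer in stores.normal:
        return ("run", "normal")
    # Signed with a certificate the device does not hold, or not signed at all:
    # the tables say both cases are treated as unsigned.
    if pol.block_unsigned_apps:
        return ("blocked", None)
    tier = unsigned_tier(pol)
    # With prompts on, the user must accept the file before it runs at `tier`.
    return ("run" if pol.turn_off_unsigned_prompts else "prompt", tier)


def remove_unmanaged(store: set, managed: set) -> set:
    """Effect of a 'Remove unmanaged ... certificates' policy on one store:
    only certificates that MDM manages survive."""
    return store & managed


# Constructed thumbprints (not real certificates).
CORP_CA = "3f1a9c0e7b2d4a6c8e0f1234567890abcdef0123"
VENDOR_CA = "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a291807"
UNKNOWN_CA = "0000111122223333444455556666777788889999"


def scenarios() -> dict:
    stores = DeviceStores(privileged={CORP_CA}, normal={VENDOR_CA})
    strict = Policies(block_unsigned_apps=True)
    lax = Policies(allow_unsigned_privileged=True, turn_off_unsigned_prompts=True)
    results = {
        "corp-signed, strict": run_decision(CORP_CA, stores, strict),
        "vendor-signed, strict": run_decision(VENDOR_CA, stores, strict),
        "signed by unknown CA, strict": run_decision(UNKNOWN_CA, stores, strict),
        "unsigned, prompts on": run_decision(None, stores, Policies()),
        "unsigned, lax": run_decision(None, stores, lax),
    }
    # Remove unmanaged privileged certificates with the corporate CA left unmanaged:
    # the line-of-business app is now treated as unsigned and the strict policy blocks it.
    stores.privileged = remove_unmanaged(stores.privileged, managed=set())
    results["corp-signed after unmanaged removal, strict"] = run_decision(CORP_CA, stores, strict)
    return results


if __name__ == "__main__":
    for case, (action, tier) in scenarios().items():
        print(f"{case:48} -> {action}{' as ' + tier if tier else ''}")
```

The last scenario is the reason for the Important warning on each Remove unmanaged policy: clearing the Privileged store without first pushing the corporate signing certificate through MDM turns every application it signed into unsigned code, which the strict policy then blocks.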
File Encryption
Policy | Description |
---|---|
Turn on device encryption | Lets you turn device encryption on or off. The default setting is Not Configured. |
Specify device encryption file list | Lets you specify files to encrypt, in addition to those in the default encryption list, when device encryption is turned on. Note: This policy is in effect only when Turn on device encryption is enabled. The default setting is Not Configured. |
Exclude files from device encryption | Lets you specify files that are not encrypted when device encryption is turned on. Note: This policy is in effect only when Turn on device encryption is enabled. The default setting is Not Configured. |
Turn on storage card encryption | Lets you enforce encryption of removable media and prevent the user from changing this setting. The default setting is Not Configured. |
Device Management
Policy | Description |
---|---|
Configure the Windows Update for Windows Mobile Service | Lets you configure the level of user control over the Windows Update for Windows Mobile Service. You can turn the update service off, leave it for the user to configure, or turn it on with predefined settings that the user cannot change. The default setting is Not Configured. |
Configure device management when roaming | Lets you configure how devices handle management updates while roaming. The default setting is Not Configured. |
Management session reset reminder timeout | Lets you specify the interval between the provisioning of a policy that requires a restart and the prompt asking the user to restart the device. The default setting is Not Configured. |
Mobile VPN Settings
Policy | Description |
---|---|
Mobile VPN Name | Lets you specify the display name for the Mobile VPN on Windows Mobile powered devices, up to 30 characters. If you do not specify a name, MyMobileVPN is displayed. The default setting is MyMobileVPN. |
MDM Gateway Server name | Lets you change the fully qualified name or IP address of the MDM Gateway Server that was specified during enrollment. Typically, you do not have to change this name. A fully qualified name is at most 255 characters and must consist of ASCII characters. |
Corporate proxy server name for internet access | Lets you specify a proxy server. A company may route all Internet access through a proxy server to filter, audit, or restrict access. With this setting, you specify the fully qualified name or IP address of the proxy server that is used for Internet access while the Mobile VPN is active. A fully qualified name is at most 255 characters and must consist of ASCII characters. If you do not specify a proxy server, the Windows Mobile powered device forwards all Internet traffic to the MDM Gateway Server for routing. By default, no proxy server is specified. |
Allow user to turn off Mobile VPN | Lets you specify whether the user can turn off the Mobile VPN on Windows Mobile powered devices. Note: If the Mobile VPN is disconnected, for example because the base channel on the device fails, the user can manually trigger a connection retry. The default setting is Not Configured. |
Always connected when roaming | Lets you send keep-alive packets for the Mobile VPN while roaming. The Mobile VPN application sends keep-alive packets automatically to keep the connection up at all times. Keep-alive packets are what allow push applications, such as remote device immediate wipe, to work; if they are not sent, applications that require push functionality do not work. Important: Depending on the service plan, sending keep-alive packets while roaming may incur additional data transmission costs. Disabling this setting does not block all traffic while roaming: traffic started by applications or by the user may still flow over the Mobile VPN connection. The default setting is Disabled. |
Time interval between keepalive packets | Lets you specify the time interval between keep-alive packets. The default setting is 0. |
Allow AES data encryption algorithm | Lets you specify whether the AES cipher can be used to encrypt data sent over the Mobile VPN. AES is the stronger of the two available ciphers; where every device and gateway supports it, leaving only AES enabled prevents a connection from negotiating down to 3DES. Note: If AES and 3DES are both disabled, the Mobile VPN fails. The default setting is Enabled. |
Allow Triple DES data encryption algorithm | Lets you specify whether the Triple Data Encryption Standard (3DES) cipher can be used to encrypt data sent over the Mobile VPN. Note: If Advanced Encryption Standard (AES) and 3DES are both disabled, the Mobile VPN fails. The default setting is Enabled. |
Key Exchange Algorithms
These policies let you specify which Diffie-Hellman groups the Internet Key Exchange (IKE) protocol may use during Mobile VPN key exchange negotiations. By default, Diffie-Hellman Group 2 (1024-bit MODP), Group 5 (1536-bit MODP), and Group 14 (2048-bit MODP) are all enabled.
Note: If the Diffie-Hellman groups are not all explicitly enabled, the Mobile VPN fails. Test any change to these policies on a pilot device before deploying it broadly.
Policy | Description |
---|---|
Allow Diffie Hellman group 2 | Lets you specify whether the IKE protocol can use Diffie-Hellman Group 2 during Mobile VPN key exchange negotiations. The default setting is Enabled. |
Allow Diffie Hellman group 5 | Lets you specify whether the IKE protocol can use Diffie-Hellman Group 5 during Mobile VPN key exchange negotiations. The default setting is Enabled. |
Allow Diffie Hellman group 14 | Lets you specify whether the IKE protocol can use Diffie-Hellman Group 14 during Mobile VPN key exchange negotiations. The default setting is Enabled. |
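A lint pass over a draft policy set, as an added Python example that is not code from the MDM documentation or product. It encodes the dependencies that the Password Policies, Platform Lockdown, Security Policies, Mobile VPN Settings and Key Exchange Algorithms tables state in prose (dependent password policies need Require password; remembered passwords should expire; the code word and its frequency go together; Allowed Bluetooth profiles is ignored while Bluetooth is off; at least one VPN cipher and every Diffie-Hellman group must stay enabled; unsigned code with prompts off runs silently) so a proposed GPO can be checked before it is linked. The policy names are the tables' own; the dictionary layout, the value conventions (True = Enabled, False = Disabled, an int = the configured number, a missing key = Not Configured), the finding texts and the sample policy sets are this example's assumptions, not an MDM file format. One rule the tables do not state outright, that the code word prompt must come before the wipe threshold, is marked as inferred.

```python
"""Coherence check for a draft MDM policy set.

Added example, not code from the MDM documentation or product. The rules are
the dependencies stated in the policy tables; the dictionary layout, value
conventions and finding texts are this example's own.
"""

# Policies that the Password Policies table says take effect only with Require password.
NEEDS_REQUIRE_PASSWORD = (
    "Password timeout",
    "Minimum password length",
    "Wipe device after failed attempts",
)

DH_GROUPS = (
    "Allow Diffie Hellman group 2",
    "Allow Diffie Hellman group 5",
    "Allow Diffie Hellman group 14",
)


def _number(p: dict, name: str):
    """The configured number for `name`, or None if absent or not numeric."""
    v = p.get(name)
    return v if isinstance(v, int) and not isinstance(v, bool) else None


def lint_policies(p: dict) -> list:
    """Return the findings for policy set `p`; an empty list means it is coherent."""
    findings = []
    on = lambda name: p.get(name) is True        # explicitly Enabled
    off = lambda name: p.get(name) is False      # explicitly Disabled
    configured = lambda name: name in p          # anything but Not Configured

    # Dependent password policies are silently ignored without Require password.
    for name in NEEDS_REQUIRE_PASSWORD:
        if configured(name) and not on("Require password"):
            findings.append(f"{name} has no effect: Require password is not enabled")

    # Documented best practice: remembered passwords should also expire.
    if configured("Number of passwords remembered") and not configured("Password expiration"):
        findings.append("Number of passwords remembered set without Password expiration")

    # The code word and its trigger frequency only make sense together.
    if configured("Code word") != configured("Code word frequency"):
        findings.append("Code word and Code word frequency must be configured together")

    # Inferred: a code word prompt at or after the wipe threshold never fires in time.
    freq = _number(p, "Code word frequency")
    wipe = _number(p, "Wipe device after failed attempts")
    if freq is not None and wipe is not None and freq >= wipe:
        findings.append(f"Code word frequency ({freq}) is not below Wipe device after failed attempts ({wipe})")

    # Allowed Bluetooth profiles does not apply while Bluetooth is turned off.
    if configured("Allowed Bluetooth profiles") and on("Turn off Bluetooth"):
        findings.append("Allowed Bluetooth profiles is ignored: Turn off Bluetooth is enabled")

    # Mobile VPN: at least one data cipher must remain enabled.
    if off("Allow AES data encryption algorithm") and off("Allow Triple DES data encryption algorithm"):
        findings.append("Mobile VPN fails: both AES and 3DES are disabled")

    # Key exchange: the table warns that the VPN fails unless all groups stay enabled.
    for g in DH_GROUPS:
        if off(g):
            findings.append(f"Mobile VPN fails: {g} is disabled")

    # Unsigned code allowed with prompts off installs or runs with no user-visible step.
    unsigned_blocked = (on("Block unsigned applications from running on devices")
                        and on("Block unsigned .cab file installation"))
    if on("Turn off user prompts on unsigned files") and not unsigned_blocked:
        findings.append("Turn off user prompts on unsigned files while unsigned code is still allowed")

    return findings


# Constructed draft policy set containing several of the mistakes above.
DRAFT_POLICY = {
    "Password timeout": 5,                  # idle minutes; Require password was forgotten
    "Minimum password length": 6,
    "Wipe device after failed attempts": 8,
    "Code word frequency": 10,              # the wipe at 8 attempts would come first
    "Code word": "fishbowl",
    "Number of passwords remembered": 5,
    "Turn off Bluetooth": True,
    "Allowed Bluetooth profiles": ["Headset", "Hands-free"],
    "Allow AES data encryption algorithm": True,
    "Allow Triple DES data encryption algorithm": False,
    "Allow Diffie Hellman group 2": False,
    "Turn off user prompts on unsigned files": True,
    "Block unsigned .cab file installation": True,
}

# The same draft with every finding addressed.
FIXED_POLICY = {
    **DRAFT_POLICY,
    "Require password": True,
    "Password expiration": 90,
    "Code word frequency": 3,
    "Allow Diffie Hellman group 2": True,
    "Block unsigned applications from running on devices": True,
}
del FIXED_POLICY["Allowed Bluetooth profiles"]   # meaningless while Bluetooth is off


if __name__ == "__main__":
    for finding in lint_policies(DRAFT_POLICY):
        print("DRAFT:", finding)
    print("FIXED:", lint_policies(FIXED_POLICY) or "no findings")
```

Running the block lists eight findings for the draft and none for the fixed set. The AES-only, 3DES-disabled combination in the draft is deliberately left alone: it is the stronger configuration, and the tables only object when both ciphers are disabled.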
Software Distribution
Policy | Description |
---|---|
Enable client-side targeting | Lets you specify the target group names used to receive updates from MDM software distribution. If MDM software distribution supports multiple target groups, this policy can specify multiple group names, separated by semicolons; otherwise, you must specify a single group. Note: This policy applies only when MDM software distribution for this device is configured to support client-side targeting. The default setting is Not Configured. |