Security Roles for Windows Mobile 5.0 and Windows Mobile 6

Article
06/02/2010

6/2/2010

Security roles allow or restrict access to device resources. For example, roles are used to determine whether a remote message is accepted, and if it is, what level of access it is allowed. Roles are also used to provide access to each Configuration Service Provider. Configuration Service Providers manage configuring the device during the provisioning process.

Note

OEMs and Mobile Operators control access to Configuration Service Providers.

The following table shows Windows Mobile 5.0 and Windows Mobile 6 security roles.

Security Roles	Description
None (SECROLE_NONE)	No role assigned.
Manager (SECROLE_MANAGER)	Setting can be changed by the manager or administrator. This role allows unrestricted access to system resources.
Enterprise (SECROLE_ENTERPRISE)	Applies to Windows Mobile 5.0 with MSFP and later Exchange Administrator role. The Enterprise role allows IT administrators to manage specific device settings, such as wiping a device, setting password requirements, and managing certificates. Example of use: Using this role with the Message Authentication Retry Number policy allows the Enterprise IT Professional to change the policy setting.
Operator (SECROLE_OPERATOR)	Setting can be changed by a Wireless Application Protocol (WAP) Trusted Provisioning Server (TPS). Example of use: Using this role with the Auto Run Policy allows the Mobile Operator to change the policy; the Operator would be able to allow or restrict applications stored on a Multimedia Card (MMC) to automatically run when inserted into the device.
Authenticated User (SECROLE_USER_AUTH)	Setting can be changed by an authenticated user. This role can be assigned to the device owner. Permissions are determined by the settings to which the user requires access. Typically, this setting is assigned to: User PIN-signed WAP push messages. Messages received through the Remote API (RAPI) by default. The user can query device information, manage files and directories, and change settings such as the home screen and sounds. Applies to Windows Mobile 6 The owner can manage user certificates and designated certificate stores. Example of use: Use this role with a security policy to allow the user to configure the setting associated with the policy.
Unauthenticated User (SECROLE_USER_UNAUTH)	Setting can be changed by anyone. Assigned to unsigned WAP push messages. This role provides permissions to install Home/Today screen or ring tones. Example of use: Use this role with the Unsigned Theme security policy to allow users to install unsigned themes on their device; Themes are used for processing homescreens.
Trusted Provisioning Server (SECROLE_OPERATOR_TPS)	OMA Client Provisioning messages that come from a WAP Push Initiator that is authenticated by a trusted Push Proxy Gateway, and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device. Example of use: Use this role to grant system administrative privileges to the Mobile Operator's trusted provisioning server (TPS).
Known Push Proxy Gateway (SECROLE_KNOWN_PPG)	Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway used in provisioning. Example of use: Using this role for the Service Indication Message Policy means that the device only accept SI message from known Push Proxy Gateway
Device Trusted Push Proxy Gateway (SECROLE_PPG_TRUSTED)	Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy. Example of use: Using this role along with SECROLE_PPG_AUTH and the DRM security policy means that unauthenticated messages are not accepted by the device. Content from the push router is filtered out based on the trust of the message origin.
Push Initiator Authenticated (SECROLE_PPG_AUTH)	Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device. Since WAP secure push is not supported, the Push Proxy Gateway is not currently authenticated. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device. Example of use: Using this role along with SECROLE_PPG_TRUSTED and the DRM security policy means that unauthenticated messages are not accepted by the device. Content from the push router is filtered out based on the trust of the message origin.
Trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG)	Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway. Example of use: Using this role for the Service Loading Message Policy means that the device only accept SL message from trusted Push Proxy Gateway. An SL message downloads new services or provisioning XML to the Windows Mobile powered device.
Any Push Message (SECROLE_ANY_PUSH_SOURCE).	Applies to Windows Mobile 6 Messages received by the push router will be assigned to this role. Example of use: Adding this role to OMA Client Provisioning Network PIN Policy means that the OMA Network PIN signed message will be accepted.

None

(SECROLE_NONE)

No role assigned.

Manager

(SECROLE_MANAGER)

Setting can be changed by the manager or administrator. This role allows unrestricted access to system resources.

Enterprise

(SECROLE_ENTERPRISE)

Applies to Windows Mobile 5.0 with MSFP and later

Exchange Administrator role. The Enterprise role allows IT administrators to manage specific device settings, such as wiping a device, setting password requirements, and managing certificates.

Example of use: Using this role with the Message Authentication Retry Number policy allows the Enterprise IT Professional to change the policy setting.

Operator

(SECROLE_OPERATOR)

Setting can be changed by a Wireless Application Protocol (WAP) Trusted Provisioning Server (TPS).

Example of use: Using this role with the Auto Run Policy allows the Mobile Operator to change the policy; the Operator would be able to allow or restrict applications stored on a Multimedia Card (MMC) to automatically run when inserted into the device.

Authenticated User

(SECROLE_USER_AUTH)

Setting can be changed by an authenticated user. This role can be assigned to the device owner.

Permissions are determined by the settings to which the user requires access. Typically, this setting is assigned to:

User PIN-signed WAP push messages.
Messages received through the Remote API (RAPI) by default.

The user can query device information, manage files and directories, and change settings such as the home screen and sounds.

Applies to Windows Mobile 6

The owner can manage user certificates and designated certificate stores.

Example of use: Use this role with a security policy to allow the user to configure the setting associated with the policy.

Unauthenticated User

(SECROLE_USER_UNAUTH)

Setting can be changed by anyone.

Assigned to unsigned WAP push messages. This role provides permissions to install Home/Today screen or ring tones.

Example of use: Use this role with the Unsigned Theme security policy to allow users to install unsigned themes on their device; Themes are used for processing homescreens.

Trusted Provisioning Server

(SECROLE_OPERATOR_TPS)

OMA Client Provisioning messages that come from a WAP Push Initiator that is authenticated by a trusted Push Proxy Gateway, and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device.

Example of use: Use this role to grant system administrative privileges to the Mobile Operator's trusted provisioning server (TPS).

Known Push Proxy Gateway

(SECROLE_KNOWN_PPG)

Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway used in provisioning.

Example of use: Using this role for the Service Indication Message Policy means that the device only accept SI message from known Push Proxy Gateway

Device Trusted Push Proxy Gateway

(SECROLE_PPG_TRUSTED)

Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy.

Example of use: Using this role along with SECROLE_PPG_AUTH and the DRM security policy means that unauthenticated messages are not accepted by the device. Content from the push router is filtered out based on the trust of the message origin.

Push Initiator Authenticated

(SECROLE_PPG_AUTH)

Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device.

Since WAP secure push is not supported, the Push Proxy Gateway is not currently authenticated. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device.

Example of use: Using this role along with SECROLE_PPG_TRUSTED and the DRM security policy means that unauthenticated messages are not accepted by the device. Content from the push router is filtered out based on the trust of the message origin.

Trusted Push Proxy Gateway

(SECROLE_TRUSTED_PPG)

Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway.

Example of use: Using this role for the Service Loading Message Policy means that the device only accept SL message from trusted Push Proxy Gateway. An SL message downloads new services or provisioning XML to the Windows Mobile powered device.

Any Push Message

(SECROLE_ANY_PUSH_SOURCE).

Applies to Windows Mobile 6

Messages received by the push router will be assigned to this role.

Example of use: Adding this role to OMA Client Provisioning Network PIN Policy means that the OMA Network PIN signed message will be accepted.

Security Roles for Windows Mobile 5.0 and Windows Mobile 6

See Also

Concepts

Additional resources