Provisioning Windows Mobile devices
As Windows Mobile devices become more popular in the enterprise, the people responsible for Information Systems need to find quick and easy ways to set them up. This is particularly important in organizations that deploy hundreds or even thousands of these devices. This article explains the different options available to the MIS professional.
Understanding Windows Mobile's security architecture
Windows Mobile devices support a two-tier approach to security.
The first tier distinguishes between signed and unsigned applications. Signed apps are allowed full access to all privileged APIs and Registry keys. Unsigned apps cannot be run on the device.
The second tier further distinguishes between signed applications that run in Normal mode and specially signed applications (e.g., signed by the wireless carrier or the enterprise) that can access all privileged APIs and Registry keys. Unsigned applications still cannot run on the device. Microsoft describes the two-tier security architecture on the Web page titled "Selecting Security Configuration" (http://www.pocketpcmag.com/dl4/config.html).
Smartphones (Windows Mobile 5.0, 2003, and 2002) support a two-tiered security architecture that defines who can install applications and who can make registry changes. Windows Mobile 5.0 Pocket PCs support the first tier only; prior versions of the Pocket PC did not support either security tier. However, Pocket PCs and Smartphones are usually delivered to the enterprise without the security architecture being enabled. (You should ask the OEM to confirm this for the specific device.)
When you decide to implement security in your organization, you may choose to purchase a digital certificate so you can sign your provisioning XML files. This prevents users from changing these settings or installing applications. The digital certificate is the same kind used by application developers to sign their applications. The Microsoft document titled "Windows Mobile 5.0 Application Security" (http://www.pocketpcmag.com/dl4/appsec.html) covers how to sign applications.
Understanding Windows Mobile 5.0 security policies and roles
With Windows Mobile 5.0, Microsoft supports many different roles that can modify the device. A security role determines whether a specific configuration file is allowed to access a given resource. Security policies are the individual settings on the device that control a particular function. I suggest that all administrators read the Microsoft document titled "Security Policy and Roles" (http://www.pocketpcmag.com/dl4/roles.html).
Windows Mobile 5.0 provisioning
With Windows Mobile 5.0, Microsoft introduced a new process for provisioning devices. This process lets you apply many different types of settings at once. You can also create XML entries that are compiled into a CPF file to make registry changes beyond the standard settings. It is critical that you understand the two-tier security architecture, security policies, and security roles that control who can modify the settings on the device. The process is fairly complex and requires you to consider how devices are managed in your environment. Its downside is that there is no option to automatically install applications; you will have to install them separately.
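As an added illustration, not taken from the original article, this is the shape of the XML a CPF is built from: a wap-provisioningdoc whose Registry characteristic writes values under a key. The key path, value names and values are hypothetical placeholders; the file is saved as _setup.xml and packaged into the .cpf archive, and on a device with the security tiers enabled it must also be signed as described above.

```xml
<wap-provisioningdoc>
  <!-- Registry characteristic: each nested characteristic names a key,
       and each parm sets one value under it. The key path and values
       below are constructed for illustration only (hypothetical). -->
  <characteristic type="Registry">
    <characteristic type="HKLM\Software\ExampleCorp\Policy">
      <!-- datatype is one of string, integer, binary, multiplestring -->
      <parm name="AssetTag" value="EXAMPLE-0001" datatype="string" />
      <parm name="LockTimeoutSeconds" value="300" datatype="integer" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
```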
Creating an XML provisioning file