Monday, January 28, 2013

Configuring (Hacker's) Security on Windows Mobile Devices FROM MSDN

http://msdn.microsoft.com/en-us/library/bb384149(v=vs.90).aspx

Configuring Security on Windows Mobile Devices

Visual Studio 2008

A device's security model consists of a set of security settings and the certificates present in the device's certificate stores. The security model determines whether an application can run and/or install and the accompanying level of trust for applications that run and/or install.

For more information, see How Device Security Affects Application Execution.

Developers often must change a device's security configuration for the following reasons:

- To simulate hypothetical security settings on a variety of devices.
- To enable an application to run.
- To reset a device to its original security configuration.

You can manage a device's security configuration from either the Device Security Manager in the Visual Studio integrated development environment (IDE) or by using the RapiConfig.exe configuration tool at a command prompt.

The Device Security Manager

The Device Security Manager is a graphical user interface (GUI) that enables you to perform the following tasks:

- View or change security settings on a connected device or emulator.
- Apply a standard security configuration to a device.
- Apply a custom configuration to a connected device.
- Export a device's security configuration settings to a desktop computer.
- Add certificates from the development computer to the device's certificate store.
- Remove certificates from a device's certificate store.

To start the Device Security Manager, click Device Security Manager on the Tools menu.

By default, the Device Security Manager shows the Security configuration pane. Click Certificate Management to switch to the Certificate Management pane. For more information, see Device Security Configuration Overview and Device Certificate Management Overview.

RapiConfig.exe

RapiConfig.exe is a desktop configuration tool that enables you to provision and query a device. For more information, see How to: Configure Security on Windows Mobile Devices from a Command Prompt.

See Also

Reference

Windows Mobile-based Device Security Model
Device Management Architecture




How to: Configure Security on Windows Mobile Devices from a Command Prompt

Visual Studio 2008

RapiConfig.exe is a desktop configuration tool that enables you to manage a Windows Mobile-based device's security model from a command prompt by using a Windows Mobile Device Center or ActiveSync connection. When running RapiConfig.exe, you must specify an XML configuration file that defines what actions to perform on the device.


Visual Studio includes several sample XML provisioning files to perform the following tasks:

- Provision a device with a security model.
- Query a device for its security model.
- Add and remove certificates.

Sample XML provisioning files and RapiConfig.exe are located at drive:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools. For more information, see Provisioning From a Desktop Computer Using Remote API and ActiveSync and Provisioning for Windows Mobile-Based Devices.

Provision a Device with a Security Model

You can set the security model of a device explicitly to test an application under the various security models. If the device is already locked by the original equipment manufacturer (OEM), then provisioning a different security model might not be possible. However, if the device is not locked, you can provision it with any security model.

The following security model XML files are included with Visual Studio. The default location is drive:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools\SecurityModels.

Locked.xml sets the following two-tier security model:
- Prompt before running applications.
- Do not run unsigned applications.

Prompt.xml sets the following two-tier security model:
- Prompt before running applications.
- Run unsigned applications as unprivileged.

Open.xml sets the following one-tier security model:
- Do not prompt.
- Run signed and unsigned applications as privileged.
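The three model files above are shipped with the SDK; the page does not reproduce their contents. The following Python script is an added example (not MSDN's text and not the SDK's own files) that writes an equivalent wap-provisioningdoc for each model and, more usefully for a reviewer, parses a provisioning document (for instance one exported from a device) back into the three questions the model descriptions ask: does the device prompt, do unsigned applications run, and is it one-tier. The security policy IDs used (4122 Unsigned Prompt Policy, 4123 Unsigned Applications Policy, 4119 Grant Manager Policy) and the mapping of the three models onto them are recalled from the Windows Mobile security policy documentation, not taken from this page, so treat them as assumptions and diff the generated XML against Locked.xml, Prompt.xml and Open.xml before provisioning anything.

```python
import xml.etree.ElementTree as ET

# Windows Mobile security policy IDs as I recall them from the platform's security
# policy documentation. They are NOT on the MSDN page quoted above; treat them as
# assumptions and compare with the SDK's Locked.xml / Prompt.xml / Open.xml.
UNSIGNED_PROMPT_POLICY = "4122"  # 0 = prompt before running unsigned code, 1 = never prompt
UNSIGNED_APPS_POLICY = "4123"    # 0 = unsigned applications do not run, 1 = they may run
GRANT_MANAGER_POLICY = "4119"    # role mask granted the Manager role; 16 (SECROLE_USER_AUTH) = one-tier

# Assumed mapping of the three SDK models onto those policies.
MODELS = {
    "Locked": {UNSIGNED_PROMPT_POLICY: "0", UNSIGNED_APPS_POLICY: "0"},
    "Prompt": {UNSIGNED_PROMPT_POLICY: "0", UNSIGNED_APPS_POLICY: "1"},
    "Open": {UNSIGNED_PROMPT_POLICY: "1", UNSIGNED_APPS_POLICY: "1", GRANT_MANAGER_POLICY: "16"},
}
MODEL_KEYS = (UNSIGNED_PROMPT_POLICY, UNSIGNED_APPS_POLICY, GRANT_MANAGER_POLICY)


def build_security_model_xml(model: str) -> str:
    """Emit a wap-provisioningdoc of the shape RapiConfig.exe /P /M pushes to a device."""
    root = ET.Element("wap-provisioningdoc")
    policy = ET.SubElement(root, "characteristic", type="SecurityPolicy")
    for policy_id, value in MODELS[model].items():
        ET.SubElement(policy, "parm", name=policy_id, value=value)
    return ET.tostring(root, encoding="unicode")


def parse_security_policies(xml_text) -> dict:
    """Collect every SecurityPolicy parm (policy id -> value) from a provisioning doc
    so an exported configuration can be audited offline."""
    root = ET.fromstring(xml_text)
    found = {}
    for characteristic in root.iter("characteristic"):
        if characteristic.get("type") == "SecurityPolicy":
            for parm in characteristic.findall("parm"):
                found[parm.get("name")] = parm.get("value")
    return found


def summarize(policies: dict) -> dict:
    """Translate raw policy values into the questions the model descriptions answer.
    A policy absent from the document leaves the device's current value unchanged."""
    return {
        "prompts_before_running": policies.get(UNSIGNED_PROMPT_POLICY) == "0",
        "unsigned_apps_run": policies.get(UNSIGNED_APPS_POLICY) == "1",
        "one_tier": policies.get(GRANT_MANAGER_POLICY) == "16",
    }


def classify(policies: dict) -> str:
    """Name the SDK model whose policy values match, or 'Custom' if none does.
    Only the three model policies are compared; other policies in the doc are ignored."""
    observed = {key: policies.get(key) for key in MODEL_KEYS}
    for name, expected in MODELS.items():
        if observed == {key: expected.get(key) for key in MODEL_KEYS}:
            return name
    return "Custom"


if __name__ == "__main__":
    for name in MODELS:
        doc = build_security_model_xml(name)
        print(name, classify(parse_security_policies(doc)), summarize(parse_security_policies(doc)))
```

Run it to print each generated document's classification; point parse_security_policies at a document exported with the Device Security Manager to see which model, if any, a real device is in.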

To provision a device with a security model

1. Establish an ActiveSync connection to the device.
2. Type the following command at a command prompt, where securityfile.xml is the security model XML file:

   RapiConfig.exe /P /M <securityfile.xml>

Query a Device for its Security Model

You can query a device to see what certificates are already installed in the device certificate store. You can use that information to select a certificate to sign your application.

Querying is accomplished by running RapiConfig.exe and passing in a StoreQuery XML file, which contains the certificate store query. RapiConfig.exe then outputs an XML file that contains the result of the query.

RapiConfig.exe, CertStoreQuery.xml, and several sample XML query files are located by default at drive:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools.

To query a device for its security model

1. Establish an ActiveSync connection to the device.
2. Type the following command at a command prompt, where certstorequery.xml is the certificate store query XML file:

   Rapiconfig.exe /P /M <certstorequery.xml>

3. View the generated RapiConfigOut.xml file.

See Also

Other Resources
http://msdn.microsoft.com/en-us/library/30dtsstx(v=vs.90).aspx
Security in Device Projects

Device Management Architecture

You can manage a device by provisioning it. Provisioning a device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. Configuration Manager and Configuration Service Providers configure the device based on the contents of the provisioning XML file.

There are a number of options for delivering provisioning files to Windows Mobile-based devices. The following table shows the various delivery methods.

Delivery Method | Description

Send over the air (OTA) | A device can be provisioned OTA by either a one-time push, or by using a two-way communication between server and client called continuous provisioning. Windows Mobile Version 5.0 uses Open Mobile Alliance (OMA) device management standards for OTA provisioning. The form of the provisioning file is dependent upon the protocol you use to manage devices. The following protocols are used:
- OMA Client Provisioning -- A one-way Wireless Application Protocol (WAP) push.
- OMA Device Management (DM) -- Continuous provisioning.
The provisioning file can be sent over the air from a provisioning server to the device over a Global System for Mobile Communications (GSM) Short Message Service (SMS) wireless network that uses a WAP push gateway. Service Indication (SI) and Service Loading (SL) can also be used to send and load provisioning XML files. The provisioning file is downloaded in a CAB Provisioning Format (.cpf) file. A provisioning XML file in a .cpf file can also be pulled by the device using the following mechanisms:
- Over HTTP or HTTPS (Internet Explorer Mobile).
- Using a Secure Digital Multimedia Card (SD/MMC).

Download in a CAB Provisioning Format (.cpf) file | Provisioning XML can be downloaded in a CAB Provisioning Format (.cpf) file. For more information, see Creating a .cpf File.

Send through Remote API (RAPI) | Provisioning XML can be downloaded from the desktop, using the RAPI in ActiveSync to push the file to a device.

Send through DMProcessConfigXML API | OEMs and application developers can provision a device by using the DMProcessConfigXML function. For information, see DMProcessConfigXML.

Provision during manufacture | The OEM can burn the file in flash memory and configure the device such that the file is loaded during the cold or warm boot procedure. For more information, see Bootstrapping Windows Mobile-Based Devices.

The most common method of provisioning a device after deployment is OTA. The following figure shows the overall architecture of OTA provisioning. The actual path traveled will depend on the protocol used. The following sections explain this in more detail:


Security Note: For OMA Client Provisioning, configuration data is not encrypted when sent over the air (OTA). Be aware of this potential security risk when sending sensitive configuration data, such as passwords. OMA DM sessions are encrypted.

The following table shows the differences between how OMA Client Provisioning and OMA DM handle various features in Windows Mobile-based devices:

Feature | OMA Client Provisioning | OMA DM
Transport | WAP-based push over binary Short Message Service (SMS). | HTTP or Secure Sockets Layer (SSL).
DM session | One-way push. There is no response channel, so you cannot get execution results or perform a remote query. | Two-way communication allows a request-response exchange.
Message format | WAP Client Provisioning XML. | OMA-DM XML.
Compression | wbxml (tokenization). | xml.
DM commands | Add. Windows Mobile extends the commands with update, delete, and query-local usage. | Add, replace, get, exec, delete, and response.
Managed settings | Data connectivity, WAP gateway, and application access information. Windows Mobile extends with other custom settings. | DMAcc, DevInfo, DevDetail. No restriction, extendable DM tree. Windows Mobile extends with custom settings.
Security | Data integrity and server authentication by using an OMA Client Provisioning standard, PIN-signed message. There is no built-in encryption. For information about security roles, see Security Roles. | Mutual authentication at the application and transport level. Encryption and data integrity check rely on SSL transport.
Access control | None. Windows Mobile extends with role-based access control. | Supports Windows Mobile role-based access control.

For examples of OMA DM continuous provisioning, see OMA Device Management Provisioning.
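The Security row and the Security Note above make one point between them: an OMA Client Provisioning message is integrity-protected and server-authenticated by a PIN-keyed MAC, but nothing in it is encrypted. The Python below is an added illustration of that split, not code from MSDN or from any Windows Mobile component. It assumes the USERPIN scheme is HMAC-SHA1 keyed with the PIN's ASCII digits over the message body, rendered as 40 hex characters (my recollection of the OMA CP security parameters; verify against the OMA specification before relying on the exact encoding). The sample document, its Registry path and the password in it are constructed for the example, and plain XML stands in for the WBXML that is actually transmitted so that the readable content is obvious.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample WAP Client Provisioning document. Real OMA CP messages are
# WBXML-tokenized (see "Compression" in the table above); plain XML is used here so
# that the readability of an unencrypted message is obvious. The Registry path,
# application name and password are made up for this example.
SAMPLE_BODY = b"""<wap-provisioningdoc>
  <characteristic type="Registry">
    <characteristic type="HKLM\\Comm\\ExampleApp">
      <parm name="Password" value="hunter2" datatype="string"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def userpin_mac(body: bytes, pin: str) -> str:
    """OMA CP USERPIN security as assumed here: HMAC-SHA1 keyed with the PIN's ASCII
    digits over the message body, carried as 40 uppercase hex characters."""
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def verify_userpin_mac(body: bytes, pin: str, mac_hex: str) -> bool:
    """The check a receiving device performs before applying the document. A wrong
    PIN or any change to the body fails; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(userpin_mac(body, pin), mac_hex.upper())


def secrets_visible_in_transit(body: bytes) -> list:
    """Return parm values whose names look like credentials. A non-empty result is
    exactly the situation the Security Note warns about: the MAC proves who sent the
    document and that it was not altered, but anyone who captures the SMS can read it."""
    root = ET.fromstring(body)
    return [parm.get("value") for parm in root.iter("parm")
            if parm.get("name", "").lower() in ("password", "pin", "secret")]


if __name__ == "__main__":
    mac = userpin_mac(SAMPLE_BODY, "1234")
    print("genuine message accepted:", verify_userpin_mac(SAMPLE_BODY, "1234", mac))
    tampered = SAMPLE_BODY.replace(b"hunter2", b"changed")
    print("tampered message accepted:", verify_userpin_mac(tampered, "1234", mac))
    print("readable in transit:", secrets_visible_in_transit(SAMPLE_BODY))
```

The MAC ties the document to whoever knows the PIN and rejects modification in transit; it does nothing for confidentiality, and its strength is only that of the PIN's secrecy. That is why the page steers sensitive settings such as passwords towards OMA DM, where the SSL transport supplies encryption, or towards a non-OTA channel such as RAPI over ActiveSync.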

See Also

Managing Devices | Security Roles
Bootstrapping Windows Mobile-Based Devices

Continuous provisioning is the on-going provisioning of a mobile device. That is, updating or changing configuration settings and applications, as required, over time. Bootstrapping is initially configuring a device so that it can be continuously provisioned by a trusted agent.

Bootstrapping a Windows Mobile-based device usually involves configuring the device with the following information:

- Trusted Provisioning Server (TPS)
- Trusted Push Proxy Gateway
- WAP connectivity
- GPRS/1xRTT connectivity
- Changes to the default security model

It may also include configuring other settings such as Browser Favorites, TAPI, Locale, Clock, and Registry.

In This Section

Bootstrapping To Use An OMA DM Server
Discusses how to configure a device to recognize an OMA DM server as a Trusted Provisioning Server for continuous provisioning.

Bootstrapping To Use an OMA Client Provisioning Server
Discusses how to initially configure a device for OMA Client Provisioning continuous provisioning.

Bootstrapping To Use a CPF File
Discusses how to initially configure a device to be continuously provisioned by allowing a user to pull a CAB Provisioning Format (.cpf) file to the device rather than using an OMA Client Provisioning or OMA DM server to push the provisioning files.

Enabling OTA Bootstrapping
Discusses how to enable OTA bootstrapping, which is disabled by default.

Enabling Remote API (RAPI) Bootstrapping
Discusses how to enable RAPI, which is restricted by default, for bootstrapping via a desktop computer and ActiveSync.

Bootstrap Security
Provides a brief overview of the security issues that must be considered during the bootstrap process.
