11/11/2008

This section lists the policies you should set to block Internet access on a managed Windows Mobile device. This scenario lets you secure the network perimeter to allow information exchange only through a managed environment.

The following sections show the policies that you should configure under Computer Configuration\Administrative Templates\Windows Mobile Settings, with the suggested settings for the restricted connection scenario.

Password Policies

Policy Enable Disable

Require password

X

Password time-out

Note:
Set the value to 15 minutes maximum

X

Platform Lockdown

Policy Enable Disable

Turn off POP and IMAP messaging

X

Turn off SMS and MMS messaging

X

Turn off removable storage

X

Turn off wireless LAN

X

Turn off infrared

X

Turn off Bluetooth

X

Block remote API access to ActiveSync

X

Application Disable

Policy Enable Disable

Block applications in-ROM

X

You should block the following applications:

  • Auto Data Config (adc.exe)

  • ModemLink (ATCIUI.exe)

  • IR Beam (beam.exe)

  • Internet Sharing (IntShrUI.exe)

  • Live Search (LiveSearch.exe)

  • SI\SL settings for WAP (sicInt.exe)

  • Sim Toolkit Application (tkitapp.exe)

  • Windows Live (WLMLauncher.exe)

  • Windows Live Messenger (WLMMessenger.exe)

  • Windows Live Setup (WLMSetup.exe)

  • Remote Desktop (wpctsc.exe)

You might also have to block other applications that the OEM or Mobile Operator installed on the device.

Security Policies

Caution:
Before you enable one of the Remove unmanaged certificate policies, make sure that you used System Center Mobile Device Manager (MDM) Group Policy Extensions to add root certificates to the managed device. If you did not, the device will no longer connect to MDM Gateway Server because this policy removes the root certificates that MDM Group Policy Extensions did not add.

Policy Enable Disable

Remove unmanaged SPC certificates

X

Remove unmanaged privileged certificates

X

Remove unmanaged normal certificates

X

Remove unmanaged Root certificates

X

Remove unmanaged intermediate certificates

X

Remove manager role permission from user

X

Block unsigned .cab file installation

X

Block unsigned theme installation

X

Block unsigned applications from running on device

X

Mobile VPN Settings

Policy Enable Disable

Allow user to turn off Mobile VPN

X
