11/11/2008

This section describes the policies you should set on a single-purpose device, such as a device that is used only to track deliveries. In this scenario, you disable applications to prevent use other than the intended purpose.

The following sections list the policies that are available under Computer Configuration\Administrative Templates\Windows Mobile Settings, together with the suggested settings for the single-purpose scenario.

Password Policies

Policy Enable Disable

Require password

X

Password time-out

Note:
Set the value to 15 minutes maximum

X

Platform Lockdown

Policy Enable Disable

Turn off POP and IMAP messaging

X

Turn off SMS and MMS messaging

X

Turn off removable storage

X

Turn off wireless LAN

X

Turn off infrared

X

Turn off Bluetooth

X

Block remote API access to ActiveSync

X

Application Disable

Policy Enable Disable

Block applications in-ROM

X

You should block the following applications:

  • Modem Link (ATCIUI.exe)

  • Automatic profile (autoprof.exe)

  • Network Identity and Time Zone update (autotimeupdate.exe)

  • Windows Update (autoupdate.exe)

  • OBEX transfer (beam.exe)

  • Bluetooth bond (bthbond.exe)

  • BubbleBreaker Game (BubbleBreaker.exe)

  • Calendar (calendar.exe)

  • Call notification (calnot.exe)

  • Calendar notification (calupd.exe)

  • Application catalog (catalog.exe)

  • Catalog installer (cataloginstaller.exe)

  • Customer Experience Improvement Program User Interface (ceipui.exe)

  • Event log flusher (celogflush.exe)

  • Certificate installer (CertInstaller.exe)

  • WAP provisioning provider (cfghost.exe)

  • Clock alarms (clocknot.exe)

  • Call history (clog.exe)

  • Control Panel (ctlpnl.exe)

  • Windows Application Installer upgrade for Windows Mobile 6 Professional (d0b41563-b345-4444-aa15-986e7c7fff99.exe)

  • Windows Application Installer upgrade for Windows Mobile 6 Professional (D5AB0034-8AAC-4a19-B5C4-A8B01B5BBE87.exe)

  • Diagnostic information for the event log (diaginfo.exe)

  • Watson Logging (dw.exe)

  • Fax Viewer (FaxView.exe)

  • Help system (helpstub.exe)

  • Voice tags for contacts (hotvoice.exe)

  • Pictures and video screen saver (idledetect.exe)

  • Internet Explorer (iexplore.exe)

  • Internet Sharing (IntShrUI.exe)

  • Application Catalog (launchman.exe)

  • Live Search (LiveSearch.exe)

  • Mobile Calculator (MobileCalculator.exe)

  • Microsoft Today screen helper (mstli.exe)

  • Notes (notes.exe)

  • One Note (OneNoteMobile.exe)

  • Help program (peghelp.exe)

  • Performance Manager (perfman.exe)

  • Photo Application (pimg.exe)

  • Contacts (poutlook.exe)

  • Power Point Mobile (ppt.exe)

  • Profile Manager (profiles.exe)

  • Word Mobile (pword.exe)

  • Word Excel (pxl.exe)

  • Quicklist (quickapp.exe)

  • Remote Network/Connection Manager UI (remnet.exe)

  • Rights Management Activation (rmactivate.exe)

  • Run DLL (rundll32.exe)

  • Smartphone Settings (settings.exe)

  • Find Application (shfind.exe)

  • SI\SL Client for WAP (sicInt.exe)

  • Solitaire (solitare.exe)

  • SQM event trigger (sqmevent.exe)

  • Task Manager (taskmgr.exe)

  • Tasks (tasks.exe)

  • Microsoft® SQL Server® 2000 Windows® CE Edition (tdsserver.exe)

  • SIM Toolkit (tkitapp.exe)

  • Outlook (tmail.exe)

  • Smartphone Solitaire (TPCsolitare.exe)

  • Desktop passthrough networking (udp2tcp.exe)

  • SQM uptime tracking (uptimesqm.exe)

  • Voice Command Configuration (VCConifg_SP.exe)

  • Voice mail (vmail.exe)

  • Voice Command (voicecmd.exe)

  • Welcome Center (wcsan.exe)

  • Welcome Startup (welcome.exe)

  • Welcome Center (WelcomeCenter.exe)

  • Windows Live Launcher (WLMLauncher.exe)

  • Windows Live Messenger (WLMMessenger.exe)

  • Windows Live Setup (WLMSetup.exe)

  • Windows Media Player (wmplayer.exe)

  • Remote Desktop (wpctsc.exe)

  • Wireless Manager (wrlsmgr.exe)

  • Zip Viewer (ZipView.exe)

You may also have to block other applications that the OEM or Mobile Operator installed on the device.
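One way to find those additional OEM or operator applications is to compare an inventory of a device image against the block list. The following is an added example, not part of the original guidance; the inventory paths, the `DeliveryTracker.exe` allow-list entry, and matching by case-insensitive file name are assumptions.

```python
import re

# Excerpt of the block list above, in the page's own "Name (file.exe)" form.
BLOCK_LIST_TEXT = """
Modem Link (ATCIUI.exe)
OBEX transfer (beam.exe)
Internet Explorer (iexplore.exe)
Run DLL (rundll32.exe)
Task Manager (taskmgr.exe)
Remote Desktop (wpctsc.exe)
"""

# Constructed inventory of executables found on a device image (hypothetical).
DEVICE_INVENTORY = [
    r"\Windows\atciui.exe",
    r"\Windows\IExplore.exe",
    r"\Windows\taskmgr.exe",
    r"\Windows\OemCamera.exe",        # hypothetical OEM add-on
    r"\Windows\CarrierPortal.exe",    # hypothetical operator add-on
    r"\Program Files\Delivery\DeliveryTracker.exe",  # hypothetical intended app
]

# Executables the single-purpose device is meant to run (assumption).
ALLOWED = {"deliverytracker.exe"}

# Captures the file name inside the trailing parentheses of a list entry.
EXE_IN_PARENS = re.compile(r"\(([^()\\/]+\.exe)\)\s*$", re.IGNORECASE)

def parse_block_list(text):
    """Return the lower-cased executable names from 'Name (file.exe)' lines."""
    names = set()
    for line in text.splitlines():
        match = EXE_IN_PARENS.search(line.strip())
        if match:
            names.add(match.group(1).lower())
    return names

def basename(path):
    """File name of a device path, lower-cased for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def coverage_gaps(inventory, blocked, allowed):
    """Paths that are neither in the block list nor on the allow list."""
    return sorted(p for p in inventory
                  if basename(p) not in blocked and basename(p) not in allowed)

if __name__ == "__main__":
    blocked = parse_block_list(BLOCK_LIST_TEXT)
    for path in coverage_gaps(DEVICE_INVENTORY, blocked, ALLOWED):
        print("not covered by block list:", path)
```

Each path it reports is a candidate for an additional entry in the Block applications in-ROM policy.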

Security Policies

Caution:
Before you enable one of the Remove unmanaged certificate policies, make sure that you used MDM Group Policy Extensions to add root certificates to the managed device. If you did not, the device will no longer connect to MDM Gateway Server because this policy removes the root certificates that MDM Group Policy Extensions did not add.

Policy Enable Disable

Remove unmanaged SPC certificates

X

Remove unmanaged privileged certificates

X

Remove unmanaged normal certificates

X

Remove unmanaged root certificates

X

Remove unmanaged intermediate certificates

X

Remove manager role permission from user

X

Block unsigned .cab file installation

X

Block unsigned theme installation

X

Block unsigned applications from running on device

X

Mobile VPN Settings

Policy Enable Disable

Allow user to turn off Mobile VPN

X
