11/11/2008

If the Block unsigned applications from running on device policy setting is enabled, then unsigned applications will not be allowed to run on the device.

To allow an unsigned application to run on the device at the privileged level you must use the Allow specified unsigned applications to run as privileged policy setting. This policy setting adds the application's executable file name and hash value to a list of unsigned applications that are allowed to run at the privileged level. If the unsigned applications are contained in a .cab file, then you must add the file name and hash for each executable file inside the .cab file. An executable file is a file that has an .exe or .dll extension.

You can use the Revoke.exe command-line tool or the Allowlist.exe command-line tool to generate an SHA-1 (Secure Hash Algorithm-1), Base64-encoded hash of an application file. The behavior of both tools is the same when applied to a single executable file. However, when applied to a .cab file, Allowlist.exe opens the .cab file and generates a hash value for each file it contains as well as for the .cab file itself. The tool displays two lists at the console. The first list contains the file names. The second list contains the hash values, in the same order as the file names, so a name and its hash are matched by position.

Note:
Currently, Allowlist.exe, when used with the -[xml] option, writes only the list of hash values—not the list of corresponding files—to the specified .xml file.

Revoke.exe does not automatically generate the hash values for each executable file contained within the .cab file. You must manually run the tool for the .cab file and each of its internal executable files.

Revoke.exe is part of the Windows Mobile 6 Standard SDK; you can find it in \Windows Mobile 6 SDK\Tools\Security. Allowlist.exe is included in the MDM Server Tools suite. It is called Application Hash Code Tool. You can download MDM Server Tools at this Microsoft web page: http://go.microsoft.com/fwlink/?LinkID=108953&clcid=0x409 .

The following procedure shows you how to enable an unsigned application to run as a privileged application on a managed Windows Mobile device.

To allow an unsigned application to run as privileged

  1. In the Group Policy Management Console, expand Group Policy Objects and then locate the target GPO.

  2. Right-click the GPO and then select Edit.

  3. In the Group Policy Object Editor, expand Computer Configuration, and then expand Administrative Templates.

  4. Expand Windows Mobile Settings and then select Application Disable.

  5. In the details pane, right-click Allow specified unsigned applications to run as privileged and then select Properties.

  6. In the dialog box, on the Settings tab, choose Enabled and then choose Show.

  7. In the Show Contents dialog box, choose Add.

  8. In the Add Item dialog box, in the Enter the name of the item to be added box, type the application hash value, and then in the Enter the value of the item to be added box, type the complete file name of the application.

    Note:
    The complete file name includes the extension. For example, MyExecutable or MyDll should be specified as MyExecutable.exe and MyDll.dll. The complete file name of the application is displayed in Task Manager. It is also displayed in the list of file names that is generated after running Allowlist.exe to produce application hash values.
  9. Choose OK. In the Show Contents dialog box, the application hash value will appear in the Value Name box and the file name will appear in the Value box.

  10. Choose OK two times to complete the procedure and close the program.
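The following script is an added example and is not part of the original page, nor is it the code of Revoke.exe or Allowlist.exe. It produces the same kind of output the hash-tool discussion above describes (a file name paired with its SHA-1, Base64-encoded hash, for a single executable or for a .cab and each .exe/.dll it contains) in the form the procedure above needs for the Add Item dialog: the hash for the "name of the item" box and the complete file name for the "value of the item" box. It assumes, since the page does not state it, that the hash is SHA-1 over the complete file contents; it uses expand.exe, which ships with Windows, to unpack the .cab instead of the MDM tool; the function names Get-Sha1Base64Hash and Get-PrivilegedAllowListEntries and the file name MyApp.cab are hypothetical.

```powershell
# Added example (not from the original page or the MDM Server Tools).
# Emits (hash, file name) pairs for the "Allow specified unsigned applications
# to run as privileged" policy: hash -> "name of the item", file name -> "value".
#
# Assumptions not stated on the page: the hash is SHA-1 over the whole file,
# Base64-encoded; expand.exe is used to unpack the .cab.

function Get-Sha1Base64Hash {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
        return [Convert]::ToBase64String($sha1.ComputeHash($bytes))
    }
    finally {
        $sha1.Dispose()
    }
}

function Get-PrivilegedAllowListEntries {
    param([Parameter(Mandatory = $true)][string]$Path)
    $item    = Get-Item -LiteralPath $Path
    $tempDir = $null
    # Allowlist.exe hashes the .cab itself as well as its members, so the .cab
    # is listed too; only the .exe/.dll entries are what the policy requires.
    $targets = @($item)

    if ($item.Extension -ieq '.cab') {
        $tempDir = Join-Path $env:TEMP ('cab-' + [Guid]::NewGuid().ToString('N'))
        New-Item -ItemType Directory -Path $tempDir | Out-Null
        # expand.exe -F:* extracts every member, preserving sub-directories.
        & expand.exe '-F:*' $item.FullName $tempDir | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "expand.exe failed for $($item.FullName)" }
        $targets += Get-ChildItem -LiteralPath $tempDir -Recurse |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Extension -ieq '.exe' -or $_.Extension -ieq '.dll') }
    }

    try {
        foreach ($target in $targets) {
            # Keep name and hash in one record so they cannot be paired out of
            # order (the -[xml] option of Allowlist.exe writes only the hashes).
            New-Object PSObject -Property @{
                ValueName = (Get-Sha1Base64Hash -Path $target.FullName)  # "name of the item" box
                Value     = $target.Name                                  # "value of the item" box
            }
        }
    }
    finally {
        if ($tempDir -and (Test-Path -LiteralPath $tempDir)) {
            Remove-Item -LiteralPath $tempDir -Recurse -Force
        }
    }
}

# Usage (MyApp.cab is a placeholder for your own package):
#   Get-PrivilegedAllowListEntries -Path '.\MyApp.cab' | Format-Table ValueName, Value -AutoSize
```

Each row of the output maps directly onto one pass through steps 7 to 9 of the procedure: ValueName is typed into the Enter the name of the item to be added box and Value into the Enter the value of the item to be added box. Because every hash is emitted beside the file name it belongs to, there is no separate list of hashes to line up by position, which is the mistake the Allowlist.exe -[xml] output invites.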
