11/11/2008

System Center Mobile Device Manager (MDM) policy-based security enforcement has ties to Active Directory\Group Policy.

A managed Windows Mobile device processes Group Policy settings in a manner similar to a standard Windows-based operating system desktop or portable computer. By using Group Policy management tools that support MDM, you can assign specific Group Policy objects (GPOs) to security groups.

Used with care, security groups provide an efficient way to assign access to resources on a network. By using security groups, you can do the following:

You can configure the settings to customize MDM through the MDM extensions to the Group Policy Management Console (GPMC) and Group Policy (GPO) Editor.

For more information on using Group Policy to manage devices in MDM, see Configuring Managed Devices with Group Policy.

For a list of MDM messaging settings available through Group Policy, see Messaging Policies in MDM.

Security Policies

The following sections show the security policies for MDM that are available under Computer Configuration\Administrative Templates\Windows Mobile Settings.

Password Policies

Policy Description

Require password

Lets you require users to set a password on the device:

  • If this setting is Enabled, users are required to create a password on their devices.

  • If this setting is Disabled, users can disable their password through Control Panel and leave their Windows Mobile device unlocked. However, users are not notified that the policy is disabled.

  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Password type

Lets you specify the type of password that users must create:

  • If this setting is Enabled, you can specify that passwords must be alphanumeric (Strong), a numeric PIN (PIN), or either type (PIN or Strong).

  • If this setting is Disabled, users can set an alphanumeric password or a numeric PIN.

  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Password timeout

Lets you specify whether to have the device lock after the idle time that you configure.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the idle time, in minutes, after which the device automatically locks. The user must then enter the password to use most device functionality. The user can modify the idle time-out to be a shorter duration than that specified through this policy setting by configuring it in the device lock settings panel on the device.

  • If this setting is Disabled, the user can set the idle time-out through the device lock settings panel, up to a maximum of 24 hours.

  • If this setting is Not Configured, password-related settings on the device are in effect.

The default setting is Not Configured.

Number of passwords remembered

Lets you prevent users from resetting their password to one of their previously set passwords.

As a best practice, when this policy is enabled, you should also enable the Password expiration policy.

  • If this setting is Enabled, you can set the number of passwords that the device maintains. The user cannot create a new password that matches any of these previous passwords.

  • If this setting is Disabled, users can reuse any of their previous passwords.

  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Password expiration

Lets you configure the device lock expiration period. After the password expires, the user must enter a new password.

  • If this setting is Enabled, you can specify the number of days after which the device password expires. After expiration, the user is prompted to renew the password.

  • If this setting is Disabled, the user can have the same password indefinitely.

  • If this setting is Not Configured, device-specific settings that control password expiration are in effect.

The default setting is Not Configured.

Minimum password length

Lets you require that the device password meets a minimum length.

The Require password policy must also be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the required minimum password length. After this policy is set on the device, the user is asked to create a new password if the current password does not meet the length requirement. You can set the minimum length to any integer between 1 and 40.

  • If this setting is Disabled, no minimum length is enforced and the default values are used. The default for Simple PIN is four digits, and for Strong Alphanumeric, it is seven characters.

  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Wipe device after failed attempts

This policy setting lets you configure the number of incorrect password attempts to accept before the device wipes all of its mounted storage volumes. The Require password policy setting MUST be enabled for this policy setting to take effect.

  • If this setting is Enabled, you can set the number of incorrect tries to allow. The device warns the user after every incorrect try and displays the number of remaining tries. Before the last try, the user receives a warning that the device will be wiped.

  • If this setting is Disabled, the user can enter an infinite number of incorrect password tries and the device is never wiped.

  • If this setting is Not Configured, existing password-related settings on the device are in effect.

The default setting is Not Configured.

Code word frequency

Lets you specify how many times a user may enter an incorrect device lock password before the user is required to enter a code word. This policy can prevent a local device wipe caused by an accidental password entry.

  • If this setting is Enabled, you can set the Code word frequency value to specify the number of incorrect password tries that the user can make before a code word is required. We recommend that you set this value to a number less than the number of incorrect password tries that cause the device to be wiped.

  • If this setting is Disabled, the user is not asked to enter a code word after incorrect password tries.

  • If this setting is Not Configured, the existing device wipe setting on the device remains in effect.

The default setting is Not Configured.

Code word

Lets you configure the code word that the user must enter after several incorrect device lock passwords have been tried. The threshold number of password tries that triggers the code word is specified in the Code word frequency policy. This policy can prevent a local device wipe caused by an accidental password entry.

  • If this setting is Enabled, you can specify the code word that the user is asked to enter.

  • If this setting is Disabled, the default code word is a1b2c3.

  • If this setting is Not Configured, existing device-specific settings that control the code word text on the device apply.

The default setting is Not Configured.

Block user reset of authentication on the device

Lets you block the user from resetting the device lock authentication (PIN or password) by using the capability that Microsoft Exchange Server 2007 provides.

  • If this setting is Enabled, the user cannot reset the device lock authentication (PIN or password). The only way to unlock the device is by doing a full reset of the device.

  • If this setting is Disabled, the user can reset the device lock authentication (PIN or password), if Exchange Server 2007 provides that capability.

  • If this setting is Not Configured, existing device-specific policies that control authentication reset on the device apply.

The default setting is Not Configured.
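A constructed model of the device-lock behaviour that the Wipe device after failed attempts, Code word frequency and Code word policies describe (an added example, not MDM's own code). How a wrong code word interacts with the incorrect-try counter, and whether the code word gate recurs, are assumptions marked in the comments; the sample PIN is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockPolicy:
    """Values an administrator sets through the password policies above."""
    require_password: bool = True
    password: str = "2580"                     # constructed sample PIN
    wipe_after_failed: Optional[int] = None    # None: wipe policy Disabled (never wipe)
    code_word_frequency: Optional[int] = None  # None: code word policy Disabled
    code_word: str = "a1b2c3"                  # default code word named on the page


@dataclass
class DeviceLock:
    """Device-side lock state for one managed device (constructed model)."""
    policy: LockPolicy
    failed_tries: int = 0
    code_word_required: bool = False
    wiped: bool = False
    events: List[str] = field(default_factory=list)

    def enter_code_word(self, word: str) -> bool:
        """Clears the code word gate on a correct code word.
        Assumption: a wrong code word does not count as a password try and
        the incorrect-try counter is not reset."""
        if not self.code_word_required:
            return False
        if word == self.policy.code_word:
            self.code_word_required = False
            self.events.append("code word accepted")
            return True
        self.events.append("code word rejected")
        return False

    def try_password(self, attempt: str) -> bool:
        """One unlock attempt; returns True only if the device unlocks."""
        p = self.policy
        if self.wiped:
            self.events.append("device already wiped")
            return False
        if not p.require_password:
            # Without Require password, the wipe and code word policies have no effect.
            return True
        if self.code_word_required:
            self.events.append("code word required before another try")
            return False
        if attempt == p.password:
            self.failed_tries = 0
            self.events.append("unlocked")
            return True
        self.failed_tries += 1
        if p.wipe_after_failed is None:
            self.events.append("incorrect; unlimited tries remain")
        else:
            remaining = p.wipe_after_failed - self.failed_tries
            if remaining <= 0:
                self.wiped = True
                self.events.append("wipe: all mounted storage volumes erased")
                return False
            if remaining == 1:
                self.events.append("warning: next incorrect try wipes the device")
            else:
                self.events.append(f"incorrect; {remaining} tries remaining")
        # Assumption: the gate recurs every code_word_frequency incorrect tries.
        if p.code_word_frequency and self.failed_tries % p.code_word_frequency == 0:
            self.code_word_required = True
            self.events.append(f"code word required after {self.failed_tries} incorrect tries")
        return False


def run_wrong_tries(lock: DeviceLock, count: int) -> DeviceLock:
    """Feeds `count` wrong passwords into the lock and returns it."""
    for _ in range(count):
        lock.try_password("0000")
    return lock
```

Running a policy with the code word frequency set above the wipe threshold shows why the page recommends the opposite ordering: the device is wiped before the code word ever gates an attempt.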

Platform Lockdown

Policy Description

Turn off POP and IMAP Messaging

Lets you specify if the user can use IMAP4 and POP3 e-mail accounts.

  • If this setting is Enabled or Not Configured, the user can use IMAP4 or POP3 e-mail accounts.

  • If this setting is Disabled, e-mail accounts that use IMAP4 or POP3 protocols are turned off. The user cannot synchronize existing IMAP4 or POP3 e-mail accounts that have the corresponding e-mail servers, and cannot set up a new IMAP4 or POP3 e-mail account. The user may be able to view e-mail messages for IMAP4 or POP3 e-mail accounts that were downloaded to the device before the policy setting was changed.

    You can still provision a new IMAP4 or POP3 e-mail account by using the Email2 Configuration Service Provider. However, if the new account was created after this policy is disabled, the user cannot synchronize that account with its e-mail server.

Note:
This policy affects only the Microsoft e-mail application. To prevent users from accessing IMAP4 or POP3 e-mail accounts by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring security policies to allow only applications that are signed by trusted authorities to run.

The default setting is Not Configured.

Turn off SMS and MMS messaging

Lets you specify whether the user can send and receive SMS and MMS text messages.

Important:
The user may be charged for SMS messages that are blocked by this policy on the device.
  • If this setting is Enabled or Not Configured, the user can send and receive SMS and MMS text messages.

  • If this setting is Disabled, the user cannot send or receive new MMS text messages, and cannot send or receive SMS messages that use the following types: Text, class 1, class 2, class 3; Raw; or vCard. The user can view existing messages, and continue to receive special types of SMS messages that are not blocked, even if this policy is disabled.

Note:
This policy affects only built-in SMS and MMS applications. To prevent users from sending and receiving SMS and MMS text messages by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring Security Policies to allow only those applications that are signed by trusted authorities to run.

The default setting is Not Configured.

Turn off removable storage

Lets you specify whether the user can use removable storage on the device.

Note:
When you change this setting, all devices that connect to MDM Gateway Server restart.
  • If this setting is Enabled, the user can use removable storage.

  • If this setting is Disabled or Not Configured, removable storage is disabled at the driver level and the user cannot use it.

The default setting is Not Configured.

Turn off camera

Lets you specify whether the user can use a camera on the device. This policy affects all camera functions. This includes, but is not limited to, showing a preview, taking pictures, and recording videos.

Note:
When you change this setting, devices restart when the policy is applied.
  • If this setting is Enabled, the user cannot use the camera in any way. The user cannot run the Microsoft Camera application, and may be unable to run third-party camera applications or capture images or videos with these applications. The user can use applications that use the camera, such as Microsoft Office Outlook Mobile and Mobile Address Book, but commands that work with the camera will not work.

  • If this setting is Disabled or Not Configured, the user can use the camera as usual, subject to existing restrictions imposed by the manufacturer.

The default setting is Not Configured.

Turn off wireless Local Area Network (LAN)

Lets you specify whether the user can use Wireless LANs (Wi-Fi) with the device.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use Wi-Fi.

  • If this setting is Disabled or Not Configured, the user can use Wi-Fi as usual.

The default setting is Not Configured.

Turn off Infrared

Lets you specify whether the user can use Infrared (IrDA) communications on the device. This setting affects all IrDA functions on the device. This includes, but is not limited to, beaming data and connecting to ActiveSync by using IrDA.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use IrDA.

  • If this setting is Disabled or Not Configured, the user can use IrDA as usual.

The default setting is Not Configured.

Turn off Bluetooth

Lets you specify whether the user can use Bluetooth on the device. This setting affects all Bluetooth functions on the device. This includes, but is not limited to, pairing with Bluetooth headsets and Bluetooth car kits.

Note:
When you change this setting, the device restarts when the policy is applied.
  • If this setting is Enabled, the user cannot use Bluetooth.

  • If this setting is Disabled or Not Configured, the user can use Bluetooth as usual.

The default setting is Not Configured.

Allowed Bluetooth profiles

Lets you specify Bluetooth profiles that the user can use on the device.

Note:
If Turn off Bluetooth is enabled, this policy does not apply.
Note:
When you change this setting, devices restart when the policy is applied.
  • If this setting is Enabled, the user can use only the specified Bluetooth profiles. All other programs are blocked.

  • If this setting is Disabled or Not Configured, the user can use Bluetooth as usual.

The default setting is Not Configured.

Block Remote API access to ActiveSync

Lets you restrict remote applications that are using Remote API (RAPI) to implement ActiveSync operations on Windows Mobile devices.

  • If this setting is Enabled, desktop ActiveSync service is blocked and the user cannot synchronize e-mail, files, or applications from the desktop or change any settings.

  • If this setting is Disabled, desktop applications that use ActiveSync Remote API (RAPI) to access the device can perform only operations on the device that the user has permissions to perform.

  • If this setting is Not Configured, existing device-specific policies that manage access to the device by desktop applications by using ActiveSync RAPI operations are in effect.

The default setting is Not Configured.

Application Disable

Policy Description

Turn off blocked application notification

Lets you turn off the custom notification message that is set by the Blocked application notification message policy.

  • If this setting is Enabled, the custom notification message is turned off and the system default message appears.

  • If this setting is Disabled or Not Configured, the system default notification message appears.

The default setting is Not Configured.

Blocked application notification message

Defines the custom notification message that appears when the user tries to run a built-in application that is blocked by Group Policy.

  • If this setting is Enabled, you can specify the custom text to use for the notification message.

  • If this setting is Disabled or Not Configured, a default notification message appears.

The default setting is Not Configured.

Block applications in-ROM

Lets you block in-ROM applications so that the user cannot run them.

  • If this setting is Enabled, in-ROM applications that are specified in this policy are blocked.

  • If this setting is Disabled or Not Configured, all in-ROM applications can run.

Note:
Take care not to block in-ROM applications that are required for basic device functionality, such as the ability to make a phone call or an emergency phone call. For example, do not block cdial.exe or cprog.exe.

The default setting is Not Configured.

Allow specified unsigned applications to run as privileged

Lets you specify whether RAM-installed unsigned applications run as privileged applications by default.

Note:
If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
  • If this setting is Enabled, RAM-installed unsigned applications that are specified in this policy can run as privileged applications. This is the default setting. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.

  • If this setting is Disabled or Not Configured, the following policies determine whether a specific RAM-installed unsigned application can run:

    • Let unsigned applications run on devices.

    • Turn off user prompts on unsigned .cab file installations.

The default setting is Not Configured.

Allow specified unsigned applications to run as normal

Lets you specify whether RAM-installed unsigned applications run as typical applications, by default.

Note:
If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
  • If this setting is Enabled, RAM-installed unsigned applications specified in this policy run as usual applications, by default. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.

  • If this setting is Disabled or Not Configured, the following policies determine whether a specific RAM-installed unsigned application can run:

    • Let unsigned applications run on devices.

    • Turn off user prompts on unsigned .cab file installations.

The default setting is Not Configured.

Security Policies

To apply the following security policies, push the certificate to the respective store. When Remove unmanaged Root certificates is enabled, the Resultant Set of Policy (RSOP) report for a device shows this policy as Disabled instead of Enabled, even though the policy was successfully applied to the devices.

Policy Description

Remove unmanaged SPC certificates

Lets you remove all certificates in the Software Publishing Certificate (SPC) store. The certificates in the SPC store authenticate application installation.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the SPC store are removed.

  • If this setting is Disabled or Not Configured, device certificates remain on the device and applications signed with these certificates install as usual.

The default setting is Not Configured.

Remove unmanaged privileged certificates

Lets you remove all certificates in the Privileged certificate store. For applications that require full device access, the certificates in the Privileged store control which applications can run.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all Privileged certificates are removed.

  • If this setting is Disabled or Not Configured, Privileged certificates remain on the device and all applications signed with these certificates will run.

The default setting is Not Configured.

Remove unmanaged normal certificates

Lets you remove all Normal certificates. For applications that do not require full device access, the Normal certificates control which applications can run.

Important:
Make sure that you do not remove certificates needed for typical device operation.
Note:
Most applications do not have to call privileged APIs.
  • If this setting is Enabled, all Normal certificates are removed.

  • If this setting is Disabled or Not Configured, Normal certificates remain on the device and applications that are signed with these certificates will run.

The default setting is Not Configured.

Remove unmanaged Root certificates

Lets you remove all certificates in the Root store. The certificates in the Root certificate store are used for authentication, such as SSL.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the Root certificate store are removed.

  • If this setting is Disabled or Not Configured, device Root certificates remain on the device.

The default setting is Not Configured.

Remove unmanaged intermediate certificates

Lets you remove all certificates in the Intermediate store. The certificates in the Intermediate certificate store are used for authentication such as SSL.

Important:
Make sure that you do not remove certificates that you must have for typical device operation.
  • If this setting is Enabled, all certificates in the Intermediate certificate store are removed.

  • If this setting is Disabled or Not Configured, existing device Intermediate certificates remain provisioned on the device.

The default setting is Not Configured.

Remove manager role permission from user

Lets you specify whether a user has system administrative credentials on the device, without modifying metabase role assignments.

  • If this setting is Enabled, the user does not have administrative credentials. Only someone with a SECROLE_MANAGER security role has full administrative access to the device.

  • If this setting is Disabled, the user and manager have full administrative access. This means that the user can change device security settings.

  • If this setting is Not Configured, existing device-specific policies for system administrative credentials apply.

The default setting is Not Configured.

Block unsigned .cab file installation

Lets you specify whether unsigned .cab files can install on the device.

  • If this setting is Enabled, only signed .cab files install on the device.

  • If this setting is Disabled, unsigned .cab files are installed on the device under the SECROLE_USERAUTH security role.

  • If this setting is Not Configured, existing device-specific policies apply.

The default setting is Not Configured.

Block unsigned theme installation

Lets you specify whether unsigned themes can install on the device.

  • If this setting is Enabled, only signed themes install on the device.

  • If this setting is Disabled, unsigned themes install on the device under the SECROLE_USERAUTH security role.

  • If this setting is Not Configured, existing device-specific policies for installing themes apply.

The default setting is Not Configured.

Block unsigned applications from running on devices

Lets you specify whether unsigned applications can run on the device.

  • If this setting is Enabled, only signed applications and unsigned applications that have specific permissions can run on the device.

  • If this setting is Disabled, all unsigned applications can run on the device. Depending on the existing device-specific policies, the user may be prompted for consent before an unsigned application can run.

  • If this setting is Not Configured, existing device-specific policies that control whether unsigned applications can run apply.

The default setting is Not Configured.

Turn off user prompts on unsigned files

Lets you specify whether to prompt a user to accept or reject unsigned .cab, theme, .dll, and .exe files.

Note:
This policy applies only if you allow unsigned applications or .cab files on the device.
  • If this setting is Enabled, the user is prompted for consent before unsigned applications run.

  • If this setting is Disabled, the user is not prompted for consent before unsigned applications run.

  • If this setting is Not Configured, existing device-specific policies determine whether the user is prompted before unsigned applications run.

The default setting is Not Configured.

File Encryption

Policy Description

Turn on device encryption

Lets you turn on or off device encryption.

  • If this setting is Enabled, device encryption is turned on and password use is enforced.

  • If this setting is Disabled or Not Configured, device encryption is turned off.

The default setting is Not Configured.

Specify device encryption file list

Lets you specify files to encrypt, in addition to those in the default encryption list, when device encryption is turned on.

Note:
This policy is in effect only when Turn on device encryption is enabled.
  • If this setting is Enabled, the files specified are added to the encryption list.

  • If this setting is Disabled or Not Configured, no files are added to the encryption list.

The default setting is Not Configured.

Exclude files from device encryption

Lets you specify files that should not be encrypted when device encryption is turned on.

Note:
This policy is in effect only when Turn on device encryption is enabled.
  • If this setting is Enabled, the files specified will not be encrypted.

  • If this setting is Disabled or Not Configured, no files are added to the encryption list.

The default setting is Not Configured.

Turn on storage card encryption

Lets you enable the encryption of removable media and not let the user change this setting.

  • If this setting is Enabled, newly created files on the storage card are encrypted with a key that is tied to the device. The user cannot disable this setting.

    Important:
    If the user performs a cold reset on the device, encrypted files on the storage card are not recoverable.
  • If this setting is Disabled, the user decides whether to encrypt files put on the storage card.

  • If this setting is Not Configured, existing device-specific policies for storage card encryption apply.

The default setting is Not Configured.

Device Management

Policy Description

Configure the Windows Update for Windows Mobile Service

Lets you configure the level of user control for the Windows Update for Windows Mobile Service. You can turn off the update service, leave it to be configured by the user, or configure it to be turned on with predefined settings that the user cannot change.

  • If this setting is Enabled, you can select from the following options:

    Switch Off: The update service is turned off for the device. The user cannot change the configuration.

    Switch On for User Config: The update service is turned on for the device. The user can change the settings.

    Note:
    This option is identical to the behavior of the update service when it is turned on in an unmanaged device.
    Switch On for Admin Lockdown: The update service is turned on for the device and is configured to work in automatic mode. Important security updates download automatically over any network connection, except when the device is roaming. The user is prompted to install updates that download automatically. The user cannot change this configuration.

  • If this setting is Disabled, the update service is turned on for the device. This shows the same behavior as if you enabled the policy and selected Switch On for User Config. The user can change the settings.

  • If this setting is Not Configured, how the device was configured at manufacture determines whether the update service is turned on.

The default setting is Not Configured.

Configure device management when roaming

Lets you configure how devices manage updates when roaming.

  • If this setting is Enabled, you can specify the following:

    Allow software download and Windows Update settings:

    • If selected, managed downloads that automatically start when a device is in roaming mode continue as they would when it is not roaming. Additionally, the device checks for new updates on Windows Update servers, as when it is not roaming.

    • If cleared, managed downloads that automatically start when a device is in roaming mode are paused. Additionally, the device does not check for new updates on any firmware update server. When the device is no longer roaming, downloading continues normally.

    Change device management schedule when roaming:

    • If selected, the device checks for updates when roaming based on the value of Check frequency multiplier.

    • If cleared, the device uses the default schedule to check for device management tasks while roaming.

    Check frequency multiplier: If you select Change device management schedule when roaming, this value specifies the time between server checks. You can select an integer from 0 to 10. The device multiplies the default server connection frequency by this value. For example, if the default server connection frequency is eight hours and this value is 4, the device checks for updates every 32 hours. If you set this value to zero, the device does not check for updates when roaming. The default value is 4. If you do not select Change device management schedule when roaming, this value is ignored.

  • If this setting is Disabled, the device checks for device management tasks while roaming, but does not accept managed downloads from MDM Device Management Server or updates from WSUS.

  • If this setting is Not Configured, the default device settings for roaming will apply.

The default setting is Not Configured.

Management session reset reminder timeout

Lets you specify a time interval after policies that require a restart are provisioned on the device until the user is prompted to restart the device.

  • If this setting is Enabled, you can specify the number of minutes until the user is prompted to restart the device.

  • If this setting is Disabled, the user is not reminded to reboot the device.

  • If this setting is Not Configured, existing device-specific policies that control the reboot prompt apply.

The default setting is Not Configured.

Mobile VPN Settings

Policy Description

Mobile VPN Name

Lets you specify the display name for the Mobile VPN on Windows Mobile devices. Specify a name of at most 30 characters. If you do not specify a name, MyMobileVPN is displayed.

The default setting is MyMobileVPN.

MDM Gateway Server name

Lets you change the fully qualified name or IP address for the MDM Gateway Server that was specified during enrollment. Typically, you do not have to change this name. A fully qualified name is 255 characters maximum, and must be ASCII characters.

Corporate proxy server name for internet access

Lets you specify information for a proxy server. A company can decide to have all Internet access pass through a proxy server to filter, audit, or restrict access.

With this setting, you can specify the fully qualified name or IP address for the proxy server that is used for Internet access when the Mobile VPN is active. A fully qualified name is 255 characters maximum, and must be ASCII characters.

If you do not specify a proxy server, the Windows Mobile device forwards all Internet traffic to the MDM Gateway Server for appropriate routing. By default, no proxy server is specified.

Allow user to turn off Mobile VPN

Lets you specify whether the user can turn off the Mobile VPN on Windows Mobile devices.

Note:
If the Mobile VPN is disconnected, the user can manually trigger a connection retry. An example of when the Mobile VPN is disconnected is when the base channel in a Windows Mobile device fails.
  • If this setting is Enabled, the user can turn off the Mobile VPN.

  • If this setting is Disabled or Not Configured, the user cannot turn off the Mobile VPN.

The default setting is Not Configured.

Always connected when roaming

Lets you send keep-alive packets associated with the Mobile VPN while roaming. The Mobile VPN application automatically sends keep-alive packets to keep the connection always on.

Sending keep-alive packets enables push applications, such as remote device immediate wipe, to work. If keep-alive packets are not sent, applications that require push functionality do not work.

Important:
Depending on the service plan, sending keep-alive packets while roaming may incur additional data transmission costs.

Disabling this setting does not block all traffic while roaming. Traffic that is started by applications, or the user, may flow over the Mobile VPN connection.

  • If this setting is Enabled, the device sends Mobile VPN keep-alive packets while roaming.

  • If this setting is Disabled or Not Configured, the device does not send Mobile VPN keep-alive packets while roaming. In this case, the Mobile VPN sends traffic only on demand, as specified by applications on the device.

The default setting is Disabled.

Time interval between keepalive packets

Lets you specify the time interval between keep-alive packets.

  • If you specify a value, keep-alive packets are sent to the device. The value is specified in seconds. You can specify a value of up to 604,800 seconds.

    Note:
    Setting the value too low causes increased data traffic and decreased battery power on the device. If the value is too high, the Mobile VPN can disconnect and then require reconnection.

  • If you do not define this setting, the default value is 0 (zero). This lets the device detect the optimal time interval and use it.

The default setting is 0.

Allow AES data encryption algorithm

Lets you specify whether you can use the AES cipher to encrypt data that is sent over the Mobile VPN.

Note:
If both AES and 3DES encryption are explicitly disabled, the Mobile VPN fails.

  • If this setting is Enabled, the Mobile VPN can use AES data encryption.

  • If this setting is Disabled, the Mobile VPN cannot use AES data encryption.

The default setting is Enabled.

Allow Triple DES data encryption algorithm

Lets you specify whether you can use the Triple Data Encryption Standard (3DES) cipher to encrypt data that is sent over the Mobile VPN.

Note:
If both Advanced Encryption Standard (AES) and 3DES are explicitly disabled, the Mobile VPN fails.

  • If this setting is Enabled, the Mobile VPN can use 3DES data encryption.

  • If this setting is Disabled, the Mobile VPN cannot use 3DES data encryption.

The default setting is Enabled.

Key Exchange Algorithms

These policies let you specify which Diffie-Hellman Group protocols the Internet Key Exchange (IKE) protocol uses during Mobile VPN key exchange negotiations. By default, Diffie Hellman Group 2, Group 5, and Group 14 are all enabled.

Note:
If not all Diffie-Hellman groups are explicitly enabled, the Mobile VPN fails.

Policy Description

Allow Diffie Hellman group 2

Lets you specify whether the Diffie-Hellman Group 2 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 2 key exchange algorithms.

  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 2 key exchange algorithms.

The default setting is Enabled.

Allow Diffie Hellman group 5

Lets you specify whether the Diffie-Hellman Group 5 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 5 key exchange algorithms.

  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 5 key exchange algorithms.

The default setting is Enabled.

Allow Diffie Hellman group 14

Lets you specify whether the Diffie-Hellman Group 14 protocol can be used by the IKE protocol during Mobile VPN key exchange negotiations.

  • If the setting is Enabled, the Mobile VPN can use Diffie-Hellman Group 14 key exchange algorithms.

  • If this setting is Disabled, the Mobile VPN cannot use the Diffie-Hellman Group 14 key exchange algorithms.

The default setting is Enabled.
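The Mobile VPN settings above carry several constraints that are easy to violate when GPOs are layered: name length and character-set limits, the keep-alive interval range, the rule that the Mobile VPN fails when neither AES nor 3DES is allowed, and the rule that all Diffie-Hellman groups must be enabled. The following linter is an added example, not part of MDM or its documentation: it takes a policy set as a dictionary keyed by the policy names shown on this page, resolves Not Configured to the documented default, and reports the failure modes the notes describe. The dictionary representation, the function names, the sample policy sets and the Diffie-Hellman modulus sizes (from RFC 2409 and RFC 3526) are not from the page.

```python
"""Lint MDM Mobile VPN Group Policy values against their documented constraints.

Added example, not product code. Policy names and Enabled/Disabled/Not Configured
states follow the documentation; the data layout and samples are constructed.
"""
from typing import Dict, List, Tuple

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"

MAX_DISPLAY_NAME = 30            # Mobile VPN display name limit
MAX_FQDN = 255                   # gateway / proxy name limit, ASCII only
MAX_KEEPALIVE_SECONDS = 604_800  # upper bound for the keep-alive interval

# Effective value of each policy when it is Not Configured, per the documentation.
DEFAULTS = {
    "Allow AES data encryption algorithm": ENABLED,
    "Allow Triple DES data encryption algorithm": ENABLED,
    "Allow Diffie Hellman group 2": ENABLED,
    "Allow Diffie Hellman group 5": ENABLED,
    "Allow Diffie Hellman group 14": ENABLED,
    "Always connected when roaming": DISABLED,
}

# MODP modulus sizes: group 2 from RFC 2409, groups 5 and 14 from RFC 3526.
DH_GROUP_BITS = {2: 1024, 5: 1536, 14: 2048}


def effective(policies: Dict[str, object], name: str) -> object:
    """Resolve a Not Configured (or absent) policy to its documented default."""
    value = policies.get(name, NOT_CONFIGURED)
    return DEFAULTS.get(name, value) if value == NOT_CONFIGURED else value


def lint_mobile_vpn(policies: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a Mobile VPN policy set."""
    errors: List[str] = []
    warnings: List[str] = []

    # Display name: 30 characters maximum.
    display = policies.get("Mobile VPN display name")
    if display is not None and len(display) > MAX_DISPLAY_NAME:
        errors.append(f"display name exceeds {MAX_DISPLAY_NAME} characters")

    # Gateway and proxy names: 255 characters maximum, ASCII only.
    for name_policy in ("MDM Gateway Server name",
                        "Corporate proxy server name for internet access"):
        host = policies.get(name_policy)
        if host is None:
            continue
        if len(host) > MAX_FQDN:
            errors.append(f"{name_policy}: exceeds {MAX_FQDN} characters")
        if not host.isascii():
            errors.append(f"{name_policy}: contains non-ASCII characters")

    # Keep-alive interval: 0 lets the device choose; otherwise up to 604,800 s.
    interval = policies.get("Time interval between keepalive packets", 0)
    if not isinstance(interval, int) or not 0 <= interval <= MAX_KEEPALIVE_SECONDS:
        errors.append("keep-alive interval must be 0 or 1..604800 seconds")
    if effective(policies, "Always connected when roaming") == ENABLED:
        warnings.append("keep-alive packets are sent while roaming; data charges may apply")

    # Data encryption: the Mobile VPN fails if neither cipher is allowed.
    ciphers = [c for c, p in (("AES", "Allow AES data encryption algorithm"),
                              ("3DES", "Allow Triple DES data encryption algorithm"))
               if effective(policies, p) == ENABLED]
    if not ciphers:
        errors.append("both AES and 3DES disabled: Mobile VPN cannot negotiate a cipher")
    elif ciphers == ["3DES"]:
        warnings.append("only 3DES allowed: 64-bit block cipher, weaker than AES")

    # Key exchange: the documentation states the VPN fails unless all groups are enabled.
    for group in (2, 5, 14):
        if effective(policies, f"Allow Diffie Hellman group {group}") != ENABLED:
            errors.append(f"Diffie-Hellman group {group} "
                          f"({DH_GROUP_BITS[group]}-bit MODP) is disabled")
    return errors, warnings


# Constructed samples: a compliant baseline and a misconfigured policy set.
BASELINE_POLICIES = {"Mobile VPN display name": "CorpVPN"}
BROKEN_POLICIES = {
    "Mobile VPN display name": "A" * 31,
    "Allow AES data encryption algorithm": DISABLED,
    "Allow Triple DES data encryption algorithm": DISABLED,
    "Allow Diffie Hellman group 2": DISABLED,
    "Time interval between keepalive packets": 700_000,
}

if __name__ == "__main__":
    for label, policy_set in (("baseline", BASELINE_POLICIES), ("broken", BROKEN_POLICIES)):
        errs, warns = lint_mobile_vpn(policy_set)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Run the script to see the baseline pass cleanly and the broken set produce four errors (display name, interval range, no cipher, group 2). Feeding it the resultant set of policies from a GPO report rather than a single GPO is what catches the case where one GPO disables AES and another disables 3DES.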

Software Distribution

Policy Description

Enable client-side targeting

Lets you specify the target group names to use to receive updates from MDM software distribution.

If MDM software distribution supports multiple target groups, this policy can specify multiple group names, separated by semicolons. Otherwise, you must specify a single group.

Note:
This policy applies only when the MDM software distribution for this device is configured to support client-side targeting.

  • If this setting is Enabled, the target group information is sent to the Software Distribution service. This service uses the group information to determine the updates to deploy to the device.

  • If this setting is Disabled or Not Configured, no target group information is sent to MDM software distribution.

The default setting is Not Configured.

See Also