11/11/2008
System Center Mobile Device Manager (MDM) policy-based security
enforcement has ties to Active Directory\Group Policy.
A managed Windows Mobile device processes Group Policy settings
in a manner similar to a standard Windows-based operating system
desktop or portable computer. By using Group Policy management
tools that support MDM, you can assign specific Group Policy
objects (GPOs) to security groups.
Used with care, security groups provide an efficient way to
assign access to resources on a network. By using security groups,
you can do the following:
- Assign user rights to security groups in Active Directory
Domain Services
- Assign permissions to security groups on resources
You can configure the settings to customize MDM through the MDM
extensions to the Group Policy Management Console (GPMC) and Group
Policy (GPO) Editor.
For more information on using Group Policy to manage devices in MDM, see Configuring Managed Devices with Group Policy.
For a list of MDM messaging settings available through Group Policy, see Messaging Policies in MDM.
Security Policies
The following sections show the security policies for
MDM that are available under Computer Configuration\Administrative
Templates\Windows Mobile Settings.
Password Policies

Policy: Require password
Lets you require users to set a password on the device:
- If this setting is Enabled, users are required to create a password on their devices.
- If this setting is Disabled, users can disable their password through Control Panel and leave their Windows Mobile device unlocked. However, users are not notified that the policy is disabled.
- If this setting is Not Configured, the password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Password type
Lets you specify the type of password that users must create:
- If this setting is Enabled, you can specify that passwords must be alphanumeric (Strong), a numeric PIN (PIN), or either type (PIN or Strong).
- If this setting is Disabled, users can set an alphanumeric password or a numeric PIN.
- If this setting is Not Configured, the password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Password timeout
Lets you specify whether the device locks after the idle time that you configure. The Require password policy must also be enabled for this policy setting to take effect.
- If this setting is Enabled, you can set the idle time, in minutes, after which the device automatically locks. The user must then enter the password to use most device functionality. The user can shorten the idle time-out below the value specified through this policy setting by configuring it in the device lock settings panel on the device.
- If this setting is Disabled, the user can set the idle time-out through the device lock settings panel, up to a maximum of 24 hours.
- If this setting is Not Configured, the password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Number of passwords remembered
Lets you prevent users from resetting their password to one of their previously set passwords. As a best practice, when this policy is enabled, you should also enable the Password expiration policy.
- If this setting is Enabled, you can set the number of passwords that the device maintains. The user cannot create a new password that matches any of these previous passwords.
- If this setting is Disabled, users can reuse any of their previous passwords.
- If this setting is Not Configured, the existing password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Password expiration
Lets you configure the device lock expiration period. After the password expires, the user must enter a new password.
- If this setting is Enabled, you can specify the number of days after which the device password expires. After expiration, the user is prompted to renew the password.
- If this setting is Disabled, the user can keep the same password indefinitely.
- If this setting is Not Configured, the device-specific settings that control password expiration are in effect.
The default setting is Not Configured.

Policy: Minimum password length
Lets you require that the device password meet a minimum length. The Require password policy must also be enabled for this policy setting to take effect.
- If this setting is Enabled, you can set the required minimum password length. After this policy is set on the device, the user is asked to create a new password if the current password does not meet the length requirement. You can set the minimum length to any integer between 1 and 40.
- If this setting is Disabled, no minimum length is enforced and the default values are used. The default for Simple PIN is four digits, and for Strong Alphanumeric it is seven characters.
- If this setting is Not Configured, the existing password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Wipe device after failed attempts
Lets you configure the number of incorrect password attempts to accept before the device wipes all of its mounted storage volumes. The Require password policy setting must be enabled for this policy setting to take effect.
- If this setting is Enabled, you can set the number of incorrect tries to allow. The user is warned after every incorrect try and shown the number of remaining tries. Before the last try, the user receives a warning that the device will be wiped.
- If this setting is Disabled, the user can make an unlimited number of incorrect password tries and the device is never wiped.
- If this setting is Not Configured, the existing password-related settings on the device are in effect.
The default setting is Not Configured.

Policy: Code word frequency
Lets you specify how many times a user may enter an incorrect device lock password before the user is required to enter a code word. This policy can prevent a local device wipe caused by accidental password entry.
- If this setting is Enabled, you can set the Code word frequency value to specify the number of incorrect password tries that the user can make before a code word is required. We recommend that you set this value to a number less than the number of incorrect password tries that cause the device to be wiped.
- If this setting is Disabled, the user is not asked to enter a code word after incorrect password tries.
- If this setting is Not Configured, the existing device wipe setting on the device remains in effect.
The default setting is Not Configured.

Policy: Code word
Lets you configure the code word that the user must enter after several incorrect device lock passwords have been tried. The threshold number of password tries that triggers the code word is specified in the Code word frequency policy. This policy can prevent a local device wipe caused by accidental password entry.
- If this setting is Enabled, you can specify the code word that the user is asked to enter.
- If this setting is Disabled, the default code word is a1b2c3.
- If this setting is Not Configured, the existing device-specific settings that control the code word text on the device apply.
The default setting is Not Configured.

Policy: Block user reset of authentication on the device
Lets you block the user from resetting the device lock authentication (PIN or password) by using the capability that Microsoft Exchange Server 2007 provides.
- If this setting is Enabled, the user cannot reset the device lock authentication (PIN or password). The only way to unlock the device is a full reset of the device.
- If this setting is Disabled, the user can reset the device lock authentication (PIN or password) if Exchange Server 2007 provides that capability.
- If this setting is Not Configured, the existing device-specific policies that control authentication reset on the device apply.
The default setting is Not Configured.
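The password policies above only make sense together: Minimum password length and Wipe device after failed attempts depend on Require password, the table recommends a Code word frequency lower than the wipe threshold, and the device falls back to the documented defaults (four digits for a PIN, seven characters for Strong) when no minimum length is enforced. The following is an added example, not code from the MDM documentation or product: a small model of how those settings combine on a device. Policy names follow the table; the class, function and field names (PasswordPolicy, lint_policy, check_new_password, failed_attempt, LockState) are this example's own, treating an all-digit password as a PIN and the device-side "Not Configured" behaviour as the documented defaults are assumptions, and the code word being required every N incorrect tries is the example's reading of "frequency".

```python
# Added example (not from the MDM documentation): how the Password Policies
# interact on a managed device.  Names and the "Not Configured" fallbacks are
# this example's assumptions, not the product's implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # None models "Not Configured" / "Disabled" for the numeric settings.
    require_password: bool = False
    password_type: Optional[str] = None      # "Strong", "PIN" or "PIN or Strong"
    minimum_length: Optional[int] = None     # 1..40 when Enabled
    passwords_remembered: Optional[int] = None
    wipe_after_failed_attempts: Optional[int] = None
    code_word_frequency: Optional[int] = None
    code_word: str = "a1b2c3"                # documented default code word


# Documented defaults used when "Minimum password length" is not enforced.
DEFAULT_MIN_LENGTH = {"PIN": 4, "Strong": 7}


def lint_policy(policy: PasswordPolicy) -> List[str]:
    """Return the configuration problems the table warns about (empty = fine)."""
    issues = []
    if not policy.require_password:
        for name in ("minimum_length", "wipe_after_failed_attempts"):
            if getattr(policy, name) is not None:
                issues.append(f"{name} has no effect unless Require password is enabled")
    if policy.minimum_length is not None and not 1 <= policy.minimum_length <= 40:
        issues.append("minimum_length must be an integer between 1 and 40")
    if (policy.code_word_frequency is not None
            and policy.wipe_after_failed_attempts is not None
            and policy.code_word_frequency >= policy.wipe_after_failed_attempts):
        issues.append("code_word_frequency should be less than wipe_after_failed_attempts")
    return issues


def password_kind(password: str) -> str:
    # Assumption: an all-digit password is a PIN; anything else counts as Strong.
    return "PIN" if password.isdigit() else "Strong"


def check_new_password(policy: PasswordPolicy, password: str, history: List[str]) -> List[str]:
    """Return the violations a device would raise for a proposed new password."""
    problems = []
    kind = password_kind(password)
    if policy.password_type == "Strong" and kind != "Strong":
        problems.append("Password type: an alphanumeric (Strong) password is required")
    elif policy.password_type == "PIN" and kind != "PIN":
        problems.append("Password type: a numeric PIN is required")
    min_len = policy.minimum_length if policy.minimum_length is not None else DEFAULT_MIN_LENGTH[kind]
    if len(password) < min_len:
        problems.append(f"Minimum password length: at least {min_len} characters required")
    n = policy.passwords_remembered
    if n and password in history[-n:]:
        problems.append("Number of passwords remembered: password matches a remembered one")
    return problems


@dataclass
class LockState:
    failed_tries: int = 0
    wiped: bool = False


def failed_attempt(policy: PasswordPolicy, state: LockState) -> str:
    """Record one incorrect password try and return what the device does next."""
    if not policy.require_password:
        return "ignored"  # wipe and code word policies need Require password
    state.failed_tries += 1
    wipe_at = policy.wipe_after_failed_attempts
    cw_every = policy.code_word_frequency
    if wipe_at is not None and state.failed_tries >= wipe_at:
        state.wiped = True
        return "wipe"
    # Assumption: the code word is demanded every cw_every incorrect tries.
    if cw_every and state.failed_tries % cw_every == 0:
        return "code word required"
    if wipe_at is not None:
        remaining = wipe_at - state.failed_tries
        if remaining == 1:
            return "final warning: next incorrect try wipes the device"
        return f"warning: {remaining} tries remaining"
    return "warning"


if __name__ == "__main__":
    strict = PasswordPolicy(require_password=True, password_type="Strong",
                            minimum_length=8, passwords_remembered=3,
                            wipe_after_failed_attempts=5, code_word_frequency=3)
    print(lint_policy(strict))                       # []
    print(check_new_password(strict, "1234", []))    # type and length violations
    state = LockState()
    for _ in range(5):
        print(failed_attempt(strict, state))         # ends with "wipe"
```

lint_policy is the check worth running before a GPO is linked: a wipe threshold or minimum length without Require password silently does nothing, and a code word frequency equal to or above the wipe threshold never gets a chance to stop an accidental wipe.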
Platform Lockdown

Policy: Turn off POP and IMAP Messaging
Lets you specify whether the user can use IMAP4 and POP3 e-mail accounts.
- If this setting is Enabled or Not Configured, the user can use IMAP4 or POP3 e-mail accounts.
- If this setting is Disabled, e-mail accounts that use the IMAP4 or POP3 protocols are turned off. The user cannot synchronize existing IMAP4 or POP3 e-mail accounts with their e-mail servers, and cannot set up a new IMAP4 or POP3 e-mail account. The user may still be able to view e-mail messages for IMAP4 or POP3 e-mail accounts that were downloaded to the device before the policy setting was changed.
You can still provision a new IMAP4 or POP3 e-mail account by using the Email2 Configuration Service Provider. However, if the new account is created after this policy is disabled, the user cannot synchronize that account with its e-mail server.
Note: This policy affects only the Microsoft e-mail application. To prevent users from accessing IMAP4 or POP3 e-mail accounts by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring security policies to allow only applications that are signed by trusted authorities to run.
The default setting is Not Configured.

Policy: Turn off SMS and MMS messaging
Lets you specify whether the user can send and receive SMS and MMS text messages.
Important: The user may be charged for SMS messages that are blocked by this policy on the device.
- If this setting is Enabled or Not Configured, the user can send and receive SMS and MMS text messages.
- If this setting is Disabled, the user cannot send or receive new MMS text messages, and cannot send or receive SMS messages of the following types: Text (class 1, class 2, class 3), Raw, or vCard. The user can view existing messages and continues to receive the special types of SMS messages that are not blocked, even while this policy is disabled.
Note: This policy affects only the built-in SMS and MMS applications. To prevent users from sending and receiving SMS and MMS text messages by using a third-party application, you must block applications from running by configuring the Application Disable policies or by configuring Security Policies to allow only those applications that are signed by trusted authorities to run.
The default setting is Not Configured.

Policy: Turn off removable storage
Lets you specify whether the user can use removable storage on the device.
Note: When you change this setting, all devices that connect to MDM Gateway Server restart.
- If this setting is Enabled, the user can use removable storage.
- If this setting is Disabled or Not Configured, removable storage is disabled at the driver level and the user cannot use it.
The default setting is Not Configured.

Policy: Turn off camera
Lets you specify whether the user can use a camera on the device. This policy affects all camera functions, including, but not limited to, showing a preview, taking pictures, and recording videos.
Note: When you change this setting, devices restart when the policy is applied.
- If this setting is Enabled, the user cannot use the camera in any way. The user cannot run the Microsoft Camera application, and may be unable to run third-party camera applications or capture images or videos with them. The user can still use applications that make use of the camera, such as Microsoft Office Outlook Mobile and Mobile Address Book, but the commands that work with the camera do not work.
- If this setting is Disabled or Not Configured, the user can use the camera as usual, subject to existing restrictions imposed by the manufacturer.
The default setting is Not Configured.

Policy: Turn off wireless Local Area Network (LAN)
Lets you specify whether the user can use wireless LANs (Wi-Fi) with the device.
Note: When you change this setting, the device restarts when the policy is applied.
- If this setting is Enabled, the user cannot use Wi-Fi.
- If this setting is Disabled or Not Configured, the user can use Wi-Fi as usual.
The default setting is Not Configured.

Policy: Turn off Infrared
Lets you specify whether the user can use Infrared (IrDA) communications on the device. This setting affects all IrDA functions on the device, including, but not limited to, beaming data and connecting to ActiveSync by using IrDA.
Note: When you change this setting, the device restarts when the policy is applied.
- If this setting is Enabled, the user cannot use IrDA.
- If this setting is Disabled or Not Configured, the user can use IrDA as usual.
The default setting is Not Configured.

Policy: Turn off Bluetooth
Lets you specify whether the user can use Bluetooth on the device. This setting affects all Bluetooth functions on the device, including, but not limited to, pairing with Bluetooth headsets and Bluetooth car kits.
Note: When you change this setting, the device restarts when the policy is applied.
- If this setting is Enabled, the user cannot use Bluetooth.
- If this setting is Disabled or Not Configured, the user can use Bluetooth as usual.
The default setting is Not Configured.

Policy: Allowed Bluetooth profiles
Lets you specify the Bluetooth profiles that the user can use on the device.
Note: If Turn off Bluetooth is enabled, this policy does not apply.
Note: When you change this setting, devices restart when the policy is applied.
- If this setting is Enabled, the user can use only the specified Bluetooth profiles. All other programs are blocked.
- If this setting is Disabled or Not Configured, the user can use Bluetooth as usual.
The default setting is Not Configured.

Policy: Block Remote API access to ActiveSync
Lets you restrict remote applications that use the Remote API (RAPI) to perform ActiveSync operations on Windows Mobile devices.
- If this setting is Enabled, the desktop ActiveSync service is blocked and the user cannot synchronize e-mail, files, or applications from the desktop or change any settings.
- If this setting is Disabled, desktop applications that use the ActiveSync Remote API (RAPI) to access the device can perform only those operations on the device that the user has permissions to perform.
- If this setting is Not Configured, the existing device-specific policies that manage access to the device by desktop applications through ActiveSync RAPI operations are in effect.
The default setting is Not Configured.
Application Disable

Policy: Turn off blocked application notification
Lets you turn off the custom notification message that is set by the Blocked application notification message policy.
- If this setting is Enabled, the custom notification message is turned off and the system default message appears.
- If this setting is Disabled or Not Configured, the system default notification message appears.
The default setting is Not Configured.

Policy: Blocked application notification message
Defines the custom notification message that appears when the user tries to run a built-in application that is blocked by Group Policy.
- If this setting is Enabled, you can specify the custom text to use for the notification message.
- If this setting is Disabled or Not Configured, a default notification message appears.
The default setting is Not Configured.

Policy: Block applications in-ROM
Lets you block in-ROM applications so that the user cannot run them.
- If this setting is Enabled, the in-ROM applications that are specified in this policy are blocked.
- If this setting is Disabled or Not Configured, all in-ROM applications can run.
Note: Take care not to block in-ROM applications that are required for basic device functionality, such as the ability to make a phone call or an emergency phone call. For example, do not block cdial.exe or cprog.exe.
The default setting is Not Configured.

Policy: Allow specified unsigned applications to run as privileged
Lets you specify whether RAM-installed unsigned applications run as privileged applications by default.
Note: If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
- If this setting is Enabled, the RAM-installed unsigned applications that are specified in this policy can run as privileged applications. This is the default setting. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.
- If this setting is Disabled or Not Configured, the following policies determine whether a specific RAM-installed unsigned application can run:
  - Let unsigned applications run on devices.
  - Turn off user prompts on unsigned .cab file installations.
The default setting is Not Configured.

Policy: Allow specified unsigned applications to run as normal
Lets you specify whether RAM-installed unsigned applications run as normal applications by default.
Note: If an application is signed but the certificate needed to verify the signature cannot be found on the device, the application is treated as an unsigned application and the certificate defines the user rights level. This policy does not affect how application signing or the application revocation policy is applied to applications.
- If this setting is Enabled, the RAM-installed unsigned applications that are specified in this policy run as normal applications by default. We recommend that you also disable the Allow unsigned applications to run on devices policy to prevent the user from being able to decide whether an unsigned application can run.
- If this setting is Disabled or Not Configured, the following policies determine whether a specific RAM-installed unsigned application can run:
  - Let unsigned applications run on devices.
  - Turn off user prompts on unsigned .cab file installations.
The default setting is Not Configured.
Security Policies
To apply the following security policies, push the certificate to the respective store. When Remove unmanaged Root certificates is enabled, the Resultant Set of Policy (RSOP) report for a device shows this policy as Disabled instead of Enabled, even though the policy was successfully applied to the devices.

Policy: Remove unmanaged SPC certificates
Lets you remove all certificates in the Software Publishing Certificate (SPC) store. The certificates in the SPC store authenticate application installation.
Important: Make sure that you do not remove certificates that are required for typical device operation.
- If this setting is Enabled, all certificates in the SPC store are removed.
- If this setting is Disabled or Not Configured, device certificates remain on the device and applications signed with these certificates install as usual.
The default setting is Not Configured.

Policy: Remove unmanaged privileged certificates
Lets you remove all certificates in the Privileged certificate store. For applications that require full device access, the certificates in the Privileged store control which applications can run.
Important: Make sure that you do not remove certificates that are required for typical device operation.
- If this setting is Enabled, all Privileged certificates are removed.
- If this setting is Disabled or Not Configured, Privileged certificates remain on the device and all applications signed with these certificates will run.
The default setting is Not Configured.

Policy: Remove unmanaged normal certificates
Lets you remove all Normal certificates. For applications that do not require full device access, the Normal certificates control which applications can run.
Important: Make sure that you do not remove certificates needed for typical device operation.
Note: Most applications do not have to call privileged APIs.
- If this setting is Enabled, all Normal certificates are removed.
- If this setting is Disabled or Not Configured, Normal certificates remain on the device and applications that are signed with these certificates will run.
The default setting is Not Configured.

Policy: Remove unmanaged Root certificates
Lets you remove all certificates in the Root store. The certificates in the Root certificate store are used for authentication, such as SSL.
Important: Make sure that you do not remove certificates that are required for typical device operation.
- If this setting is Enabled, all certificates in the Root certificate store are removed.
- If this setting is Disabled or Not Configured, device Root certificates remain on the device.
The default setting is Not Configured.

Policy: Remove unmanaged intermediate certificates
Lets you remove all certificates in the Intermediate store. The certificates in the Intermediate certificate store are used for authentication, such as SSL.
Important: Make sure that you do not remove certificates that are required for typical device operation.
- If this setting is Enabled, all certificates in the Intermediate certificate store are removed.
- If this setting is Disabled or Not Configured, existing device Intermediate certificates remain provisioned on the device.
The default setting is Not Configured.

Policy: Remove manager role permission from user
Lets you specify whether a user has system administrative credentials on the device, without modifying metabase role assignments.
- If this setting is Enabled, the user does not have administrative credentials. Only someone with the SECROLE_MANAGER security role has full administrative access to the device.
- If this setting is Disabled, the user and the manager have full administrative access. This means that the user can change device security settings.
- If this setting is Not Configured, the existing device-specific policies for system administrative credentials apply.
The default setting is Not Configured.

Policy: Block unsigned .cab file installation
Lets you specify whether unsigned .cab files can install on the device.
- If this setting is Enabled, only signed .cab files install on the device.
- If this setting is Disabled, unsigned .cab files are installed on the device under the SECROLE_USERAUTH security role.
- If this setting is Not Configured, the existing device-specific policies apply.
The default setting is Not Configured.

Policy: Block unsigned theme installation
Lets you specify whether unsigned themes can install on the device.
- If this setting is Enabled, only signed themes install on the device.
- If this setting is Disabled, unsigned themes install on the device under the SECROLE_USERAUTH security role.
- If this setting is Not Configured, the existing device-specific policies for installing themes apply.
The default setting is Not Configured.

Policy: Block unsigned applications from running on devices
Lets you specify whether unsigned applications can run on the device.
- If this setting is Enabled, only signed applications and unsigned applications that have specific permissions can run on the device.
- If this setting is Disabled, all unsigned applications can run on the device. Depending on the existing device-specific policies, the user may be prompted for consent before an unsigned application can run.
- If this setting is Not Configured, the existing device-specific policies that control whether unsigned applications can run apply.
The default setting is Not Configured.

Policy: Turn off user prompts on unsigned files
Lets you specify whether to prompt a user to accept or reject unsigned .cab, theme, .dll, and .exe files.
Note: This policy applies only if you allow unsigned applications or .cab files on the device.
- If this setting is Enabled, the user is prompted for consent before unsigned applications run.
- If this setting is Disabled, the user is not prompted for consent before unsigned applications run.
- If this setting is Not Configured, the existing device-specific policies that determine whether the user is prompted before unsigned applications run apply.
The default setting is Not Configured.
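The Security Policies and Application Disable tables together describe a run decision: an application signed with a certificate in the Privileged or Normal store runs with that store's rights, a signed application whose certificate cannot be found on the device is treated as unsigned, an unsigned application listed in one of the Allow specified unsigned applications policies runs with the listed rights, and everything else is governed by Block unsigned applications from running on devices and the user prompt setting. The following is an added example, not code from the MDM documentation or product, that models that decision and shows why the Important notes warn against emptying a store. Certificate stores are sets of constructed signer identifiers; the class and function names (Device, SecurityPolicy, Application, apply_certificate_policies, decide_run, decide_cab_install) are this example's own, and the order in which the device consults the stores is an assumption.

```python
# Added example (not from the MDM documentation): the application run decision
# implied by the Security Policies and Application Disable tables.  Store
# contents, names and the lookup order are this example's assumptions.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Device:
    privileged_store: Set[str] = field(default_factory=set)  # full device access
    normal_store: Set[str] = field(default_factory=set)      # no privileged APIs
    spc_store: Set[str] = field(default_factory=set)         # authenticates installs


@dataclass
class SecurityPolicy:
    # True = Enabled, False = Disabled, None = Not Configured.
    remove_unmanaged_privileged: bool = False
    remove_unmanaged_normal: bool = False
    remove_unmanaged_spc: bool = False
    block_unsigned_applications: Optional[bool] = None
    block_unsigned_cab: Optional[bool] = None
    unsigned_as_privileged: Set[str] = field(default_factory=set)  # app names
    unsigned_as_normal: Set[str] = field(default_factory=set)
    # True models the state the table describes as prompting the user.
    prompt_user_for_unsigned: bool = True


@dataclass
class Application:
    name: str
    signer: Optional[str]   # certificate identifier, or None when unsigned


def apply_certificate_policies(policy: SecurityPolicy, device: Device) -> Device:
    """Return a copy of the device after the 'Remove unmanaged ...' policies."""
    result = Device(set(device.privileged_store), set(device.normal_store), set(device.spc_store))
    if policy.remove_unmanaged_privileged:
        result.privileged_store.clear()
    if policy.remove_unmanaged_normal:
        result.normal_store.clear()
    if policy.remove_unmanaged_spc:
        result.spc_store.clear()
    return result


def decide_run(policy: SecurityPolicy, device: Device, app: Application) -> Tuple[str, str]:
    """Return (decision, detail); decision is 'run', 'prompt' or 'block'."""
    if app.signer in device.privileged_store:
        return "run", "privileged"
    if app.signer in device.normal_store:
        return "run", "normal"
    # Unsigned, or signed with a certificate the device cannot find: per the
    # note in the table, both are treated as unsigned from here on.
    if app.name in policy.unsigned_as_privileged:
        return "run", "privileged (unsigned, listed in policy)"
    if app.name in policy.unsigned_as_normal:
        return "run", "normal (unsigned, listed in policy)"
    if policy.block_unsigned_applications:
        return "block", "unsigned application not listed in policy"
    if policy.prompt_user_for_unsigned:
        return "prompt", "user consent required before the unsigned application runs"
    return "run", "normal (unsigned, allowed without prompt)"


def decide_cab_install(policy: SecurityPolicy, device: Device, signer: Optional[str]) -> Tuple[str, str]:
    """Return (decision, detail) for a .cab file signed by `signer` (None = unsigned)."""
    if signer in device.spc_store:
        return "install", "signed with a certificate in the SPC store"
    if policy.block_unsigned_cab:
        return "block", "unsigned .cab files are blocked"
    return "install", "unsigned, installed under SECROLE_USERAUTH"


if __name__ == "__main__":
    # Constructed sample device and policy.
    device = Device({"corp-priv"}, {"corp-normal"}, {"corp-spc"})
    policy = SecurityPolicy(block_unsigned_applications=True,
                            unsigned_as_normal={"fieldtool.exe"})
    print(decide_run(policy, device, Application("sync.exe", "corp-priv")))
    print(decide_run(policy, device, Application("unknown.exe", "other-ca")))
    # Emptying the Privileged store turns a trusted privileged app into an
    # unsigned one, which the block policy then refuses.
    stripped = apply_certificate_policies(SecurityPolicy(remove_unmanaged_privileged=True), device)
    print(decide_run(policy, stripped, Application("sync.exe", "corp-priv")))
```

Run the example against the device's real certificate inventory before enabling any of the Remove unmanaged policies: whatever drops to "block" in the third print is what the Important note means by a certificate required for typical device operation.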
File Encryption

Policy: Turn on device encryption
Lets you turn device encryption on or off.
- If this setting is Enabled, device encryption is turned on and password use is enforced.
- If this setting is Disabled or Not Configured, device encryption is turned off.
The default setting is Not Configured.

Policy: Specify device encryption file list
Lets you specify files to encrypt, in addition to those in the default encryption list, when device encryption is turned on.
Note: This policy is in effect only when Turn on device encryption is enabled.
- If this setting is Enabled, the specified files are added to the encryption list.
- If this setting is Disabled or Not Configured, no files are added to the encryption list.
The default setting is Not Configured.

Policy: Exclude files from device encryption
Lets you specify files that should not be encrypted when device encryption is turned on.
Note: This policy is in effect only when Turn on device encryption is enabled.
- If this setting is Enabled, the specified files are not encrypted.
- If this setting is Disabled or Not Configured, no files are added to the encryption list.
The default setting is Not Configured.

Policy: Turn on storage card encryption
Lets you enforce encryption of removable media and prevent the user from changing this setting.
- If this setting is Enabled, newly created files on the storage card are encrypted with a key that is tied to the device. The user cannot disable this setting.
Important: If the user performs a cold reset on the device, encrypted files on the storage card are not recoverable.
- If this setting is Disabled, the user decides whether to encrypt files put on the storage card.
- If this setting is Not Configured, the existing device-specific policies for storage card encryption apply.
The default setting is Not Configured.
Device Management

Policy: Configure the Windows Update for Windows Mobile Service
Lets you configure the level of user control for the Windows Update for Windows Mobile Service. You can turn off the update service, leave it to be configured by the user, or configure it to be turned on with predefined settings that the user cannot change.
- If this setting is Enabled, you can select one of the following options:
  - Switch Off: The update service is turned off for the device. The user cannot change the configuration.
  - Switch On for User Config: The update service is turned on for the device. The user can change the settings. Note: This option is identical to the behavior of the update service when it is turned on in an unmanaged device.
  - Switch On for Admin Lockdown: The update service is turned on for the device and is configured to work in automatic mode. Important security updates download automatically over any network connection, except when the device is roaming. The user is prompted to install updates that download automatically. The user cannot change this configuration.
- If this setting is Disabled, the update service is turned on for the device. This is the same behavior as enabling the policy and selecting Switch On for User Config. The user can change the settings.
- If this setting is Not Configured, whether the update service is turned on is determined by how the device was configured at manufacture.
The default setting is Not Configured.

Policy: Configure device management when roaming
Lets you configure how devices manage updates when roaming.
- If this setting is Enabled, you can specify the following:
  - Allow software download and Windows Update settings: If selected, managed downloads that start automatically when a device is roaming continue as they would when it is not roaming. Additionally, the device checks for new updates on Windows Update servers, as when it is not roaming. If cleared, managed downloads that start automatically when a device is roaming are paused. Additionally, the device does not check for new updates on any firmware update server. When the device is no longer roaming, downloading continues normally.
  - Change device management schedule when roaming: If selected, the device checks for updates when roaming based on the value of Check frequency multiplier. If cleared, the device uses the default schedule to check for device management tasks while roaming.
  - Check frequency multiplier: If you select Change device management schedule when roaming, this value specifies the time between server checks. You can select an integer from 0 to 10. The device multiplies the default server connection frequency by this value. For example, if the default server connection frequency is eight hours and this value is 4, the device checks for updates every 32 hours. If you set this value to zero, the device does not check for updates when roaming. The default value is 4. If you do not select Change device management schedule when roaming, this value is ignored.
- If this setting is Disabled, the device checks for device management tasks while roaming, but does not accept managed downloads from MDM Device Management Server or updates from WSUS.
- If this setting is Not Configured, the default device settings for roaming apply.
The default setting is Not Configured.

Policy: Management session reset reminder timeout
Lets you specify the time interval between the provisioning of policies that require a restart on the device and the prompt asking the user to restart the device.
- If this setting is Enabled, you can specify the number of minutes until the user is prompted to restart the device.
- If this setting is Disabled, the user is not reminded to restart the device.
- If this setting is Not Configured, the existing device-specific policies that control the restart prompt apply.
The default setting is Not Configured.
Mobile VPN Settings
Policy |
Description |
Mobile VPN Name
|
Lets you specify the display name for the Mobile VPN on Windows
Mobile devices. Specify a name that is 30-characters maximum. If
you do not specify a name,
MyMobileVPNis displayed.
The default setting is
MyMobileVPN.
|
MDM Gateway Server name
|
Lets you change the fully qualified name or IP address for the
MDM Gateway Server that was specified during enrollment. Typically,
you do not have to change this name. A fully qualified name is 255
characters maximum, and must be ASCII characters.
|
Corporate proxy server name for internet access
|
Lets you specify information for a proxy server. A company can
decide to have all Internet access pass through a proxy server to
filter, audit, or restrict access.
With this setting, you can specify the fully qualified name or
IP address for the proxy server that is used for Internet access
when the Mobile VPN is active. A fully qualified name is 255
characters maximum, and must be ASCII characters.
If you do not specify a proxy server, the Windows Mobile device
forwards all Internet traffic to the MDM Gateway Server for
appropriate routing. By default, no proxy server is specified.
|
Allow user to turn off Mobile VPN
|
Lets you specify whether the user can turn off the Mobile VPN on
Windows Mobile devices.
Note: |
If the Mobile VPN is disconnected, the user can manually
trigger a connection retry. An example of when the Mobile VPN is
disconnected is when the base channel in a Windows Mobile device
fails. |
- If this setting is
Enabled, the user can turn off the Mobile VPN.
- If this setting is
Disabledor
Not Configured, the user cannot turn off the Mobile VPN.
The default setting is
Not Configured.
|
Always connected when roaming
|
Lets you send keep-alive packets associated with the Mobile VPN
while roaming. The Mobile VPN application automatically sends
keep-alive packets to keep the connection on always.
Sending keep-alive packets enables push applications, such as
remote device immediate wipe, to work. If keep-alive packets are
not sent, applications that require push functionality do not
work.
Important: |
Depending on the service plan, sending keep-alive packets while
roaming may incur additional data transmission costs. |
Disabling this setting does not block all traffic while roaming.
Traffic that is started by applications, or the user, may flow over
the Mobile VPN connection.
- If this setting is
Enabled, the device sends Mobile VPN keep-alive packets
while roaming.
- If this setting is
Disabled or
Not Configured, the device does not send Mobile VPN
keep-alive packets while roaming. In this case, the Mobile VPN
sends traffic only on demand, as specified by applications on the
device.
The default setting is
Disabled.
|
Time interval between keepalive packets
|
Lets you specify the time interval between keep-alive
packets.
- If you specify a value, keep-alive packets are sent to the
device. The value is specified in seconds. You can specify a value
of up to 604,800 seconds.
Note: |
Setting the value too low causes increased data traffic and
decreased battery power on the device. If the value is too
high, the Mobile VPN can disconnect and then require
reconnection. |
- If you do not define this setting, the default value is
0 (zero). This lets the device detect the optimal time
interval and use it.
The default setting is
0.
|
Allow AES data encryption algorithm
|
Lets you specify whether you can use the AES cipher to encrypt
data that is sent over the Mobile VPN.
Note: |
If both AES and 3DES encryption are explicitly not enabled, the
Mobile VPN fails. |
- If this setting is
Enabled, the Mobile VPN can use AES data encryption.
- If this setting is
Disabled, the Mobile VPN cannot use AES data encryption.
The default setting is
Enabled.
|
Allow Triple DES data encryption algorithm
|
Lets you specify whether you can use the Triple Data Encryption
Standard (3DES) cipher to encrypt data that is sent over the Mobile
VPN.
Note: |
If both Advanced Encryption Standard (AES) and 3DES are
explicitly not enabled, the Mobile VPN fails. |
- If this setting is
Enabled, the Mobile VPN can use 3DES data encryption.
- If this setting is
Disabled, the Mobile VPN cannot use 3DES data encryption.
The default setting is
Enabled.
|
Key Exchange Algorithms
These policies let you specify which Diffie-Hellman
groups the Internet Key Exchange (IKE) protocol uses
during Mobile VPN key exchange negotiations. By default, Diffie-Hellman
Group 2, Group 5, and Group 14 are all enabled.
Note: |
If not all Diffie-Hellman groups are explicitly enabled, the
Mobile VPN fails. |
Policy |
Description |
Allow Diffie Hellman group 2
|
Lets you specify whether the Diffie-Hellman Group 2 protocol can
be used by the IKE protocol during Mobile VPN key exchange
negotiations.
- If this setting is
Enabled, the Mobile VPN can use Diffie-Hellman Group 2 key
exchange algorithms.
- If this setting is
Disabled, the Mobile VPN cannot use the Diffie-Hellman Group
2 key exchange algorithms.
The default setting is
Enabled.
|
Allow Diffie Hellman group 5
|
Lets you specify whether the Diffie-Hellman Group 5 protocol can
be used by the IKE protocol during Mobile VPN key exchange
negotiations.
- If this setting is
Enabled, the Mobile VPN can use Diffie-Hellman Group 5 key
exchange algorithms.
- If this setting is
Disabled, the Mobile VPN cannot use the Diffie-Hellman Group
5 key exchange algorithms.
The default setting is
Enabled.
|
Allow Diffie Hellman group 14
|
Lets you specify whether the Diffie-Hellman Group 14 protocol
can be used by the IKE protocol during Mobile VPN key exchange
negotiations.
- If this setting is
Enabled, the Mobile VPN can use Diffie-Hellman Group 14 key
exchange algorithms.
- If this setting is
Disabled, the Mobile VPN cannot use the Diffie-Hellman Group
14 key exchange algorithms.
The default setting is
Enabled.
|
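The Mobile VPN policies above carry several constraints that are easy to get wrong when a GPO is assembled by hand: the 30-character limit on the VPN name, the 255-character ASCII limit on the gateway and proxy names, the 604,800-second ceiling on the keep-alive interval, and the two notes that the Mobile VPN fails when both AES and 3DES are explicitly disabled or when not every Diffie-Hellman group is explicitly enabled. The following is an added example, not code from the MDM documentation, of a pre-deployment check that applies exactly those stated constraints; the dictionary keys, host names and sample policy sets are constructed for illustration (True = Enabled, False = Disabled, absent or None = Not Configured).

```python
# Added example: validate a planned set of MDM Mobile VPN policy values
# against the limits this page states. Keys and sample values are constructed.

ASCII_NAME_MAX = 255     # gateway / proxy FQDN or IP: 255 ASCII characters max
VPN_LABEL_MAX = 30       # Mobile VPN display name: 30 characters max
KEEPALIVE_MAX = 604_800  # keep-alive interval in seconds; 0 = device chooses
DH_GROUPS = ("dh_group_2", "dh_group_5", "dh_group_14")


def check_mobile_vpn_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy set is consistent."""
    problems = []
    label = policy.get("vpn_label") or "MyMobileVPN"   # page default when unset
    if len(label) > VPN_LABEL_MAX:
        problems.append(f"vpn_label longer than {VPN_LABEL_MAX} characters")
    for key in ("gateway_name", "proxy_name"):
        host = policy.get(key)
        if host is None:
            continue  # proxy is optional: traffic then goes via the MDM Gateway Server
        if len(host) > ASCII_NAME_MAX or not host.isascii():
            problems.append(f"{key} must be at most {ASCII_NAME_MAX} ASCII characters")
    interval = policy.get("keepalive_interval", 0)
    if not 0 <= interval <= KEEPALIVE_MAX:
        problems.append(f"keepalive_interval must be 0..{KEEPALIVE_MAX} seconds")
    # Page note: with both AES and 3DES explicitly disabled, the Mobile VPN fails.
    if policy.get("allow_aes") is False and policy.get("allow_3des") is False:
        problems.append("both AES and 3DES disabled: Mobile VPN fails")
    # Page note: if not all Diffie-Hellman groups are explicitly enabled, it fails.
    disabled = [g for g in DH_GROUPS if policy.get(g, True) is False]
    if disabled:
        problems.append("Diffie-Hellman group(s) disabled: " + ", ".join(disabled))
    return problems


# Constructed sample policy sets: one consistent, one that violates five limits.
GOOD_POLICY = {
    "vpn_label": "Contoso VPN",
    "gateway_name": "mdmgw.contoso.example",   # placeholder host name
    "keepalive_interval": 600,
    "allow_aes": True, "allow_3des": False,     # one data cipher is enough
}
BAD_POLICY = {
    "vpn_label": "x" * 31,                      # over the 30-character limit
    "gateway_name": "mdmgw.cont\u00f6so.example",  # non-ASCII character
    "keepalive_interval": 700_000,              # above 604,800 seconds
    "allow_aes": False, "allow_3des": False,    # no data cipher left
    "dh_group_5": False,                        # a DH group explicitly disabled
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_mobile_vpn_policy(pol) or "OK")
```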
Software Distribution
Policy |
Description |
Enable client-side targeting
|
Lets you specify the target group names to use to receive
updates from MDM software distribution.
If MDM software distribution supports multiple target groups,
this policy can specify multiple group names, separated by
semicolons. Otherwise, you must specify a single group.
Note: |
This policy applies only when the MDM software distribution for
this device is configured to support client-side targeting. |
- If this setting is
Enabled, the target group information is sent to the
Software Distribution service. This service uses the group
information to determine the updates to deploy to the device.
- If this setting is
Disabled or
Not Configured, no target group information is sent to MDM
software distribution.
The default setting is
Not Configured.
|
See Also