This section describes the policies you should set on a single-purpose device, such as a device that is used only to track deliveries. In this scenario, you disable applications to prevent the device from being used for anything other than its intended purpose.

The following sections show the policies that are available under Computer Configuration\Administrative Templates\Windows Mobile Settings, together with the suggested settings for the single-purpose scenario.

Password Policies

Policy Enable Disable

Require password


Password time-out

Set the value to 15 minutes maximum


Platform Lockdown

Policy Enable Disable

Turn off POP and IMAP messaging


Turn off SMS and MMS messaging


Turn off removable storage


Turn off wireless LAN


Turn off infrared


Turn off Bluetooth


Block remote API access to ActiveSync


Application Disable

Policy Enable Disable

Block applications in-ROM


You should block the following applications:

  • Modem Link (ATCIUI.exe)

  • Automatic profile (autoprof.exe)

  • Network Identity and Time Zone update (autotimeupdate.exe)

  • Windows Update (autoupdate.exe)

  • OBEX transfer (beam.exe)

  • Bluetooth bond (bthbond.exe)

  • BubbleBreaker Game (BubbleBreaker.exe)

  • Calendar (calendar.exe)

  • Call notification (calnot.exe)

  • Calendar notification (calupd.exe)

  • Application catalog (catalog.exe)

  • Catalog installer (cataloginstaller.exe)

  • Customer Experience Improvement Program User Interface (ceipui.exe)

  • Event log flusher (celogflush.exe)

  • Certificate installer (CertInstaller.exe)

  • WAP provisioning provider (cfghost.exe)

  • Clock alarms (clocknot.exe)

  • Call history (clog.exe)

  • Control Panel (ctlpnl.exe)

  • Windows Application Installer upgrade for Windows Mobile 6 Professional (d0b41563-b345-4444-aa15-986e7c7fff99.exe)

  • Windows Application Installer upgrade for Windows Mobile 6 Professional (D5AB0034-8AAC-4a19-B5C4-A8B01B5BBE87.exe)

  • Diagnostic information for the event log (diaginfo.exe)

  • Watson Logging (dw.exe)

  • Fax Viewer (FaxView.exe)

  • Help system (helpstub.exe)

  • Voice tags for contacts (hotvoice.exe)

  • Pictures and video screen saver (idledetect.exe)

  • Internet Explorer (iexplore.exe)

  • Internet Sharing (IntShrUI.exe)

  • Application Catalog (launchman.exe)

  • Live Search (LiveSearch.exe)

  • Mobile Calculator (MobileCalculator.exe)

  • Microsoft Today screen helper (mstli.exe)

  • Notes (notes.exe)

  • One Note (OneNoteMobile.exe)

  • Help program (peghelp.exe)

  • Performance Manager (perfman.exe)

  • Photo Application (pimg.exe)

  • Contacts (poutlook.exe)

  • Power Point Mobile (ppt.exe)

  • Profile Manager (profiles.exe)

  • Word Mobile (pword.exe)

  • Word Excel (pxl.exe)

  • Quicklist (quickapp.exe)

  • Remote Network/Connection Manager UI (remnet.exe)

  • Rights Management Activation (rmactivate.exe)

  • Run DLL (rundll32.exe)

  • Smartphone Settings (settings.exe)

  • Find Application (shfind.exe)

  • SI\SL Client for WAP (sicInt.exe)

  • Solitaire (solitare.exe)

  • SQM event trigger (sqmevent.exe)

  • Task Manager (taskmgr.exe)

  • Tasks (tasks.exe)

  • Microsoft® SQL Server® 2000 Windows® CE Edition (tdsserver.exe)

  • SIM Toolkit (tkitapp.exe)

  • Outlook (tmail.exe)

  • Smartphone Solitaire (TPCsolitare.exe)

  • Desktop passthrough networking (udp2tcp.exe)

  • SQM uptime tracking (uptimesqm.exe)

  • Voice Command Configuration (VCConifg_SP.exe)

  • Voice mail (vmail.exe)

  • Voice Command (voicecmd.exe)

  • Welcome Center (wcsan.exe)

  • Welcome Startup (welcome.exe)

  • Welcome Center (WelcomeCenter.exe)

  • Windows Live Launcher (WLMLauncher.exe)

  • Windows Live Messenger (WLMMessenger.exe)

  • Windows Live Setup (WLMSetup.exe)

  • Windows Media Player (wmplayer.exe)

  • Remote Desktop (wpctsc.exe)

  • Wireless Manager (wrlsmgr.exe)

  • Zip Viewer (ZipView.exe)

You may also have to block other applications that the OEM or Mobile Operator installed on the device.

Security Policies

Before you enable one of the Remove unmanaged certificate policies, make sure that you used MDM Group Policy Extensions to add root certificates to the managed device. If you did not, the device will no longer connect to MDM Gateway Server because this policy removes the root certificates that MDM Group Policy Extensions did not add.

Policy Enable Disable

Remove unmanaged SPC certificates


Remove unmanaged privileged certificates


Remove unmanaged normal certificates


Remove unmanaged root certificates


Remove unmanaged intermediate certificates


Remove manager role permission from user


Block unsigned .cab file installation


Block unsigned theme installation


Block unsigned applications from running on device


Mobile VPN Settings

Policy Enable Disable

Allow user to turn off Mobile VPN

