Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

This topic shows the Device Description Framework (DDF) file for the SecurityPolicy Configuration Service Provider. Open Mobile Alliance Device Management (OMA DM) DDF files and the example in this topic are used only for OMA DM provisioning.

<MgmtTree
xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
	<VerDTD>1.2</VerDTD>
	<Node>
		<NodeName>SecurityPolicy</NodeName>
		<Path>./Vendor/MSFT</Path>
		<DFProperties>
			<AccessType>
				<Get />
			</AccessType>
			<DFFormat>
				<node />
			</DFFormat>
			<Occurrence>
				<One />
			</Occurrence>
			<Scope>
				<Permanent />
			</Scope>
			<MSFT:RWAccess>3</MSFT:RWAccess>
			<DFType>
				<DDFName></DDFName>
			</DFType>
		</DFProperties>
		<Node>
			<NodeName>2</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Autorun Policy

This security policy determines whether applications stored on a
removable storage card are allowed to auto-run when inserted into
the device. 

Possible Values:

1 -- Applications on a removable storage card are restricted
from auto running. 

0 -- Applications on a removable storage card are allowed to
auto-run.

Default Value: 0.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4097</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>RAPI Policy

This policy restricts access to the device using RAPI over
ActiveSync.  

Possible Values:

0 -- All RAPI calls are disabled. 

1 -- All RAPI calls are allowed. 

2 -- RAPI is in restricted mode. RAPI calls are processed according
to ActiveSync's security access role. 

ActiveSync's security role is SECROLE_USER_AUTH, and all resource
requests are checked against this role mask before they are granted.

Default Value: 2</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4101</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Unsigned CABs Policy

This security policy determines whether Unsigned CABs can be
installed on the device, and, if so, what role mask should be
assigned to the CAB.

This policy's value specifies a role mask, and a value of '0'
(equivalent to having none of the role mask's bits set) means that
no unsigned CABs can be installed.

Default Value: 16 (SECROLE_USER_AUTH)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4102</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Unsigned Application Policy

This policy setting enforces whether unsigned applications are
allowed to run on the device.

Possible Values:

0 -- Unsigned applications are NOT allowed to run on the device. 

1 -- Unsigned applications ARE allowed to run on the device.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4103</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Unsigned Themes Policy

This security policy determines whether theme files can be
installed on the device, and if so, what role mask they will be
installed with. Theme files are home screen cab files that are
given more restricted access to the device resources by default.

This policy's value specifies a role mask.

Default Value: 40 (SECROLE_USER_UNAUTH)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4104</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Trusted Provisioning Server
Policy

This policy setting determines whether a message can be assigned
the SECROLE_OPERATOR_TPS role if the message has been deemed as
coming from a TPS.

Possible Values:

0 -- Disable assigning SECROLE_OPERATOR_TPS role. 

1 -- Enable assigning TPS role.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4105</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Message Authentication Retry
Policy

This policy setting defines the maximum allowed number of retry
times for the user to authenticate a pin-signed WAP OTA
provisioning message.

The minimum value is 1.  The maximum value is 256.  

Default Value: 3</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4107</NodeName>
			<DFProperties>
				<AccessType>
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>1</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>WAP-Signed Message Policy

This policy setting determines the set of allowed roles that an OTA
Provisioning message must have in order to be routed for
processing.

This policy's value specifies a role mask.  (If the message
contains at least one of the roles in the role mask, then the
message is routed.)

Default Value: 3200 (SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED,
SECROLE_OPERATOR_TPS)

This policy is deprecated in Windows Mobile 6. Use
SECPOLICY_OMACPNETWPINMSG, SECPOLICY_OMACPUSERPINMSG and
SECPOLICY_OMACPUSERNETWPINMSG instead. You cannot use the new
security policies (4141, 4142, 4143) and 4107 in the same
provisioning document. Query on policy 4107 will
return an error.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4108</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Service Loading (SL) Message
Policy

This policy setting determines whether SL messages are to be
processed.  

This policy's value specifies a role mask.  (If a message contains
at least one of the roles in the role mask, then the message is
processed.)

Default Value: 2048 (SECROLE_PPG_TRUSTED)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4109</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Service Indication (SI) Message
Policy

This policy setting determines whether SI messages are to be
processed.  

This policy's value specifies a role mask.  (If a message contains
at least one of the roles in the role mask, then the message is
processed.)

Default Value: 3072 (SECROLE_PPG_AUTH,
SECROLE_PPG_TRUSTED)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4110</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Unauthenticated Message Policy

This policy setting determines the security role assigned to non
WAP-signed messages.

This policy's value specifies a role mask.

Default Value: 64 (SECROLE_USER_UNAUTH)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4111</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>OTA Provisioning Policy

This policy setting determines which provisioning messages are
accepted, based on the message's role(s). This policy is used to
filter provisioning messages routed from the Push Router. This
policy's value specifies a role mask.  (If a message contains at
least one of the roles in the role mask, then the message is
processed.)

Default Value: 3732 (SECROLE_OPERATOR_TPS, SECROLE_PPG_TRUSTED,
SECROLE_PPG_AUTH, SECROLE_TRUSTED_PPG, SECROLE_USER_AUTH,
SECROLE_OPERATOR)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4113</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>WSP Push Policy

This policy setting determines whether a WAP push message over WSP
is allowed.

Possible Values:

0 -- WSP push source is blocked.

1 -- Routing of WSP push message is allowed.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4119</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Grant Manager Policy

This security policy permits mapping a particular role mask to the
SECROLE_MANAGER role without having to modify the security role
assigned to every setting in the Metabase accessible only to the
manager role. This policy allows other roles to impersonate the
SECROLE_MANAGER role. This policy's value specifies a role mask,
and a value of '0' (equivalent to having none of the role mask's
bits set) means that no roles can impersonate the SECROLE_MANAGER
role.

Default Value: 128 (SECROLE_OPERATOR_TPS) for Windows Mobile
Professional and Windows Mobile Standard; 16 (SECROLE_USER_AUTH)
for all other devices</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4120</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Grant User Authenticated Policy

This security policy permits mapping a particular role mask to the
SECROLE_USER_AUTH role without having to modify the security role
assigned to every setting in the Metabase accessible to the
SECROLE_USER_AUTH role. This policy allows other roles to
impersonate the SECROLE_USER_AUTH role. This policy's value
specifies a role mask, and a value of '0' (equivalent to having
none of the role mask's bits set) means that no roles can
impersonate the SECROLE_USER_AUTH role.

Default Value: 16 (SECROLE_USER_AUTH)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4121</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Trusted WAP Proxy Policy

This security policy specifies the level of permissions required to
create, modify, and delete a trusted proxy using the PXLOGICAL
Configuration Service Provider. This policy's value specifies a role
mask.

Default Value: 140 (SECROLE_OPERATOR, SECROLE_OPERATOR_TPS,
SECROLE_MANAGER)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4122</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Unsigned Prompt Policy

This policy setting determines whether a user will be prompted if
an unsigned application is installed or executed.

Possible Values:

0 -- Enable user prompt for unsigned application.

1 -- Disable user prompt.

Default Value: 0</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4123</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Privileged Applications Policy

This security policy controls which security model is implemented
on the device.

Possible Values:

0 -- 2-tier security is enabled. 

1 -- 1-tier security is enabled. Apps run privileged if they are
allowed to run at all.

Default Value: 0 (for a device running Windows Mobile Standard); 1
(for a device running Windows Mobile
Professional)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4124</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Service Loading (SL) Security
Policy

This setting allows the operator to override https to use http, or
wsps to use wsp.

Possible Values:

0 -- Use https or wsps.

1 -- Use http or wsp.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4125</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Signed Mail Policy

This policy is used in S/MIME, and indicates whether the Inbox
application will send all messages signed. If messages are sent
signed, this policy identifies which algorithm to use. 

Possible Values:

0 -- Messages are signed with the default algorithm (SHA-1).

1 -- Messages are not signed at all.

2 -- Messages are signed using the SHA-1 algorithm.

3 -- Messages are signed using the MD5 algorithm. 

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4126</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Encrypted Mail Policy

This policy is used in S/MIME, and indicates whether the Inbox
application sends all messages encrypted. If messages are
encrypted, it identifies the algorithm to use. 

Possible Values:

0 -- Messages are encrypted using the default algorithm (RC2).

1 -- Messages are not encrypted at all.

2 -- Messages are encrypted using 3DES.

3 -- Messages are encrypted using DES. 

4 -- Messages are encrypted using RC2_128. 

5 -- Messages are encrypted using RC2_64. 

6 -- Messages are encrypted using RC2_40. 

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4127</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Software Certificates Policy

This setting determines whether software certificates can be used
to sign outgoing messages. 

Possible Values:

0 -- Software certificates cannot be used to sign messages. 

1 -- Software certificates can be used to sign messages.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4129</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>DRM Security Policy

This setting specifies which DRM rights messages are accepted by
the DRM engine based on the role assigned to the message.

This policy's value specifies a role mask.

Default Value: 3072 (SECROLE_PPG_AUTH,
SECROLE_PPG_TRUSTED)</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4131</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Password Required Policy

This policy indicates whether a password must be configured on the
device. 

Possible Values:

0 -- A password is required.

Non-zero -- A password is not required. 

Default Value: 0</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4132</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>Network PIN Prompt Policy

This policy indicates whether or not to prompt the user to accept
device setting changes from a provisioning message WAP-signed only
with a network-PIN.

Possible Values:

0 -- The device prompts the user for confirmation to accept changes
to device settings. 

1 -- The user is not prompted.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4135</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>Bluetooth Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy specifies whether
Bluetooth on the device can be set to a discoverable state.

Possible Values:

0 -- The device Bluetooth cannot be set to discoverable status

1 -- The device Bluetooth can be set to discoverable status

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4136</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>HTML Message Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy specifies whether
the device can accept HTML email messages.

Possible Values:

0 -- HTML message is disabled. Message is processed as plain text

1 -- HTML message is enabled

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4134</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>Encrypt Removable Storage
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This security policy determines
whether removable storage is always encrypted, or whether the user
can control the encryption in Settings.

Possible Values:

0 -- User cannot control the state of removable encryption from
Settings.

1 -- User can control the state of removable encryption from
Settings.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4138</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SMIME Encryption
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This security policy determines
whether the Inbox app will send all messages encrypted.

Possible Values:

0 -- The encryption is enforced.

1 -- The encryption is optional.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4139</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SMIME Signing Algorithm
Policy</DFTitle>
				<DFType>
					<MIME>MIME:text/plain</MIME>
				</DFType>
				<Description>This policy determines which
algorithm will be used by the Inbox app when a message is to be
signed. It uses the same value range specified for policy 4125. The
algorithm specified by policy 4125 overrides this policy.

Possible Values:

0 -- Sign messages with the default algorithm 

1 --  Invalid (Do NOT set the policy with this value)

2 -- Sign messages with SHA1 

3 -- Sign messages with MD5

Default Value: 0

NOTE: 

1. If policy 4125 or policy 4126 has a bad value specified, check to
see if policy 4139 or policy 4140 has a value set (other than
None). If yes, use it; if no, use the default algorithm.
2. If policy 4139 or policy 4140 has a bad value specified, use the
default algorithm. 
3. If policy 4125 or policy 4126 has been provisioned with garbage
values we will force signing and/or encryption.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4140</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
				</AccessType>
				<DFFormat>
					<chr />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SMIME Encryption Algorithm
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy determines which
algorithm will be used by the Inbox app when a message is to be
encrypted. It uses the same value range specified for policy 4126.
The algorithm specified by policy 4126 overrides this policy.

Possible Values:

0 -- Encrypt messages with the default algorithm

1 -- Invalid (Do NOT set the policy with this value)

2 -- Encrypt messages with 3DES 

3 -- Encrypt messages with DES 

4 -- Encrypt messages with 128-bit RC2 

5 -- Encrypt messages with 64-bit RC2 

6 -- Encrypt messages with 40-bit RC2

Default Value: 0

NOTE: 

1. If policy 4125 or policy 4126 has a bad value specified, check to
see if policy 4139 or policy 4140 has a value set (other than
None). If yes, use it; if no, use the default algorithm.
2. If policy 4139 or policy 4140 has a bad value specified, use the
default algorithm. 
3. If policy 4125 or policy 4126 has been provisioned with garbage
values we will force signing and/or encryption.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4137</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SMIME Signing Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This security policy determines
whether the Inbox app will send all messages signed.

Possible Values:

0 -- The signing is enforced.

1 -- The signing is optional.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4141</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>OMA CP NETWPIN
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy setting determines
whether an OMA CP NETWPIN signed message can be accepted. The
message's role mask is AND-ed with the policy's role mask. If
the result is non-zero, the message is accepted. 

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED |
SECROLE_OPERATOR_TPS

Note:
1. You cannot use policy 4141 and 4107 in the same provisioning
document. The old security policy 4107 is deprecated. 
2. The acceptable security roles for this policy are:
SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG, SECROLE_ANY_PUSH_SOURCE,
SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, and
SECROLE_OPERATOR_TPS.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4142</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>OMA CP USERPIN
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This setting determines whether
the OMA user PIN or user MAC signed message will be accepted. The
message's role mask and the policy's role mask are combined using
the AND operator. If the result is non-zero, then the message is
accepted.

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED |
SECROLE_OPERATOR_TPS 

Note: The acceptable security roles for this policy are:
SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG,
SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED,
SECROLE_OPERATOR_TPS</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4143</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>OMA CP USERNETWPIN
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy setting determines
whether an OMA Client provisioning USERNETWPIN signed message can be
accepted. The message's role mask is AND-ed with the policy's
role mask. If the result is non-zero, the message is accepted. WAP
Signed Policy 4107 is deprecated.

This policy's value specifies a role mask.

Default Value: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED |
SECROLE_OPERATOR_TPS

Note:
1. The acceptable security roles for this policy are:
SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG, SECROLE_TRUSTED_PPG,
SECROLE_PPG_AUTH, SECROLE_PPG_TRUSTED, SECROLE_OPERATOR_TPS
2. You cannot use 4142 and 4107 in the same provisioning document.
The old security policy 4107 is deprecated.</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4144</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SMIME Encryption Negotiation
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy allows/disallows
"negotiating down" of encryption algorithms for SMIME message
encryption. During SMIME encryption, certificates of recipients are
fetched. When a recipient's public certificate cannot be used to
encrypt the message using the algorithm the sender would like,
messaging will check this policy to decide the next action to take.

Possible Values:

0 -- Do not negotiate at all. Only send mail if the specified
algorithm can be used. 
In this case, we do not allow negotiation to any encryption
algorithm. If we cannot encrypt the message using the algorithm
specified we will fail in sending. 

1 -- Allow negotiation, but do not allow the use of encryption
algorithms on the exclusion list.
In this case, any algorithm not mentioned on the exclusion list can
be used for encryption.

2 -- Allow negotiation, and allow the use of encryption algorithms
on the exclusion list.
In this case any algorithm, including those mentioned on the
exclusion list, can be used for encryption.

Default Value: 0</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4145</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
					<Replace />
				</AccessType>
				<DFFormat>
					<int />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>SharePoint Access
Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy enables/disables
Outlook Mobile SharePoint/UNC access via the Activesync protocol to
fetch documents. 

Possible Values:

0 -- The device behaves as if the server does not support
SharePoint/UNC file access.

1 -- Outlook Mobile has the ability to fetch documents on a
corporate SharePoint site or UNC share via ActiveSync.

Default Value: 1</Description>
			</DFProperties>
		</Node>
		<Node>
			<NodeName>4146</NodeName>
			<DFProperties>
				<AccessType>
					<Get />
				</AccessType>
				<DFFormat>
					<chr />
				</DFFormat>
				<Occurrence>
					<One />
				</Occurrence>
				<Scope>
					<Permanent />
				</Scope>
				<MSFT:AccessRole>40</MSFT:AccessRole>
				<MSFT:RWAccess>3</MSFT:RWAccess>
				<DFTitle>Desktop Quick Connect 
Authentication Policy</DFTitle>
				<DFType>
					<MIME>text/plain</MIME>
				</DFType>
				<Description>This policy specifies how the
desktop should handle quick connect authentication.

Possible Values:

0 -- User must authenticate on device upon connect, if device lock
is active  

1 -- User can authenticate through a shared secret on desktop

Default value: 1</Description>
			</DFProperties>
		</Node>
	</Node>
</MgmtTree>
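
The role-mask and value rules stated in the descriptions above can be checked mechanically before a policy set is provisioned. The following Python sketch is an added example, not part of the original DDF or of any Microsoft tooling: the role bit values are inferred from the default values quoted in the descriptions, the function names and the sample policy set are hypothetical, and the classification of MD5, DES, RC2_64 and RC2_40 as weak is the example's own.

```python
"""Added example: decode SecurityPolicy role masks and lint a policy set."""
from enum import IntFlag


class SecRole(IntFlag):
    # Bit values inferred from defaults quoted in the DDF descriptions, e.g.
    # 3072 = SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED and
    # 140 = SECROLE_OPERATOR | SECROLE_OPERATOR_TPS | SECROLE_MANAGER.
    # Roles whose value the page never quotes are left out on purpose.
    SECROLE_OPERATOR = 4
    SECROLE_MANAGER = 8
    SECROLE_USER_AUTH = 16
    SECROLE_USER_UNAUTH = 64
    SECROLE_OPERATOR_TPS = 128
    SECROLE_TRUSTED_PPG = 512
    SECROLE_PPG_AUTH = 1024
    SECROLE_PPG_TRUSTED = 2048


# Value -> algorithm, taken from the "Possible Values" of 4125/4139 and
# 4126/4140. Treating these as weak is this example's judgement.
WEAK_SIGNING = {3: "MD5"}
WEAK_ENCRYPTION = {3: "DES", 5: "RC2_64", 6: "RC2_40"}


def decode_role_mask(mask):
    """Return (role names set in mask, bits this table cannot name)."""
    names = [role.name for role in SecRole if mask & role.value]
    known = 0
    for role in SecRole:
        known |= role.value
    return names, mask & ~known


def message_accepted(message_roles, policy_mask):
    """Rule from policies 4141-4143: accept when the AND is non-zero."""
    return (message_roles & policy_mask) != 0


def audit_policies(policies):
    """Lint a {policy_id: int_value} mapping; returns (id, finding) tuples."""
    findings = []
    pin_policies = [p for p in (4141, 4142, 4143) if p in policies]
    if 4107 in policies and pin_policies:
        findings.append(
            (4107, f"deprecated; cannot share a document with {pin_policies}"))
    retries = policies.get(4105)
    if retries is not None and not 1 <= retries <= 256:
        findings.append((4105, f"retry count {retries} is outside 1..256"))
    for pid in (4139, 4140):
        if policies.get(pid) == 1:
            findings.append((pid, "value 1 is documented as invalid"))
    for pid in (4125, 4139):
        alg = WEAK_SIGNING.get(policies.get(pid))
        if alg:
            findings.append((pid, f"messages signed with {alg}"))
    for pid in (4126, 4140):
        alg = WEAK_ENCRYPTION.get(policies.get(pid))
        if alg:
            findings.append((pid, f"messages encrypted with {alg}"))
    if policies.get(4102) == 1 and policies.get(4122) == 1:
        findings.append(
            (4122, "unsigned applications run and the user prompt is disabled"))
    return findings


# Constructed sample policy set for illustration only.
SAMPLE_POLICIES = {
    4107: 3200, 4141: 3200,   # old and new WAP-signed policies together
    4105: 0,                  # below the documented minimum of 1
    4125: 3, 4126: 6,         # MD5 signing, RC2_40 encryption
    4139: 1,                  # documented as invalid
    4102: 1, 4122: 1,         # unsigned apps allowed, prompt disabled
}

if __name__ == "__main__":
    print(decode_role_mask(3732))
    print(message_accepted(SecRole.SECROLE_USER_UNAUTH, 3200))
    for policy_id, finding in audit_policies(SAMPLE_POLICIES):
        print(policy_id, finding)
```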
