Chris De Herrera's Windows CE Website

Discuss.Pocket PC FAQ Forum

Add Pocket PC FAQ to your Favorites
RSS    RSS Feeds
Wiki    Lost?
Custom Search
Subscribe    Print
Table of Contents
Mobile Format

[an error occurred while processing this directive]

Pocket PC Magazine Best Site

Website Awards
Website Updates

By Chris De Herrera 
Copyright 1998-2007
 All Rights Reserved
A member of the Talksites Family of Websites

Windows and Windows CE are trademarks of Microsoft
and are used
under license from owner.
CEWindows.NET is not
associated with Microsoft 

All Trademarks are owned
by their respective companies.

Going Beyond the Initial Setup �
Provisioning Windows Mobile Devices

By Chris De Herrera, Copyright 2006
 Version 1.00  Created 6/26/2006

[an error occurred while processing this directive]

If you work in an enterprise that has multiple Windows Mobile devices, you will soon find that you need an easy way to setup new devices. This is especially true if you are planning to deploy hundreds or thousands of devices. This article explains different options to configure or provision Windows Mobile devices en mass.

Backup & Restore

The initial idea that some enterprise users may think of is like using Symantec Ghost for Windows Mobile devices. Basically a network administrator configures a Windows Mobile device initially by hand. Then they perform a backup of the device using tools like SPB Backup or Sprite Clone. This backup would be the �golden master� for that particular device and configuration. The cloning process is easy to perform by restoring the backup onto a new device. The downside to this process is that the backup is generally device and rom version specific so you will want to test the image with each new device and rom.

Working with the Registry

Another way to configure settings in Windows Mobile is by using a registry editor. Please note that neither Microsoft nor any OEM will support you editing the registry on the device. Microsoft has documented common settings that are related to security at Default Security Policy Settings for Windows Mobile-Based Devices. You will need a registry editor since there is no editor provided with Windows Mobile. You can download a registry editor from PHM RegEdit or Resco Explorer 2005. Also, if your device has been secured, you may have to use a digitally signed registry editor in order to change the settings.

Windows Mobile 5.0 Provisioning

With Windows Mobile 5.0, Microsoft came up with a new process to provision devices. This process allows users to setup different types of settings all at once. Also, you can create XML entries that are compiled into a CPF file to make registry changes beyond the standard settings. One of the critical items to understand is the two tier security architecture, security policy and security roles that control whom can modify the settings on the device. This process is fairly complex and requires you to consider how devices are managed in your environment. The downside to the provisioning process is that there is no option to automatically install applications so you will have to install them separately.

Understanding Windows Mobile Two-Tier Security Architecture

Microsoft has introduced a two-tier security architecture for Windows Mobile devices. The first tier defines that digitally signed applications are allowed full access to all privileged APIs and Registry keys. Applications that are not signed cannot be run on the device. The second tier defines that digitally signed applications will run in Normal mode while specially signed applications from the carrier or enterprise can access all privileged APIs and Registry keys. Applications that are not signed cannot be run on the device. Microsoft has described the two tier security architecture at Selecting Security Configuration.

Windows Mobile 2003 and 5.0 Smartphones support two tiers of security which define whom can install applications and make registry changes. Windows Mobile 5.0 Pocket PCs support only a single tier security architecture. Normally Windows Mobile 5.0 Pocket PCs and Smartphones are delivered with no security architecture implemented. However you should ask your OEM to ensure that you can confirm this for your specific device. Prior versions of the Pocket PC did not support this security architecture however the Smartphone has supported it since the beginning.

So when you decide to implement security in your environment, you may choose to purchase a digital certificate so you can sign your provisioning XML files. This will prevent users from being able to change these settings and install applications. The digital certificate process is the same as application developers use to sign their applications. You may find the article Windows Mobile 5.0 Application Security which covers how to sign applications helpful.

Understanding Windows Mobile 5.0 Security Policy and Roles.

Part of Windows Mobile 5.0 is that Microsoft supports many different roles that can modify the device. The security roles define whether or not a specific configuration file has access to resources based on the role defined for it. The security policies define the different policy settings that can be defined on the device to control a particular function. I suggest that all administrators read about the Security Policy and Roles.

Creating an XML Provisioning File

Microsoft has documented the provisioning options and process at Provisioning Files. The process of creating a provisioning file requires the device administrator to create an XML file with al the settings required to configure the device. The different XML schemas for the provisioning file are documented at Configuration Service Provider Reference for Windows Mobile-Based Devices. Also you will want to review the 28 example XML files at OMA Client Provisioning XML File Examples or the combined XML sample at XML Example for Security Policy. I suggest that you combine multiple XML options into a single file so it configures everything you need. You must make sure that you name the XML file _setup.xml.

Creating and Installing a CPF File

Then you need to create a CPF file. A CPF file is a special CAB file that installs the settings on the device for you. To create a CPF file. go to a command line (start - run and type CMD) and navigate to the directory where the _setup.xml file is located. Then enter the command �C:\WINDOWS\SYSTEM32\ MakeCAB.exe /D COMPRESS=OFF _setup.xml MyCPF.cpf � to create a CPF file that installs the XML settings on the device. Finally once you have the MyCPF.CPF file you can install it on any Windows Mobile 5.0 device and the device will have all the same settings. To install the MyCPF.CPF file just copy it to your device and use File Explorer to navigate to the folder where it is located and click on it to install it.

Testing a CPF File

Once you have installed the CPF file you can use a registry editor (see above) to confirm that the security settings you enabled are set.  The common security settings are documented by Microsoft at  Default Security Policy Settings for Windows Mobile-Based Devices,  The registry is readable even if the registry editor is not digitally signed to allow changes.

The Future

While Microsoft now provides administrators with the option to setup default parameters and security on their devices, the process can be daunting. Hand coding an XML file and creating a .CPF file is a process that can fail due to typographical errors too easily. I hope that Microsoft or a 3rd party provides a simpler tool to customize these settings more easily than creating a custom CPF file by hand. In the meantime, you can create your own CPF file, edit the registry or consider the backup and restore approach.

[an error occurred while processing this directive]

Return to Chris De Herrera's Windows CE Website