What do the smartphone policy id's mean

policies

smartphone policies are stored in the registry in HKLM\Security\Policies\Policies. the low numbered policies are named registry keys, stored in HKLM\Security\Policies\Shell.

ossvcs.dll ordinal 116, is the function used to query a policy status
ossvcs.dll ordinal 117, is the function used to query change a policy status

you can modify policies by using the 'rapiconfig.exe' tool.
or, easier, by using my prapi.exe tool.

create a config file containing the parameters you want to set:

<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4097" value="1"/>
    <parm name="4101" value="64"/>
    <parm name="4102" value="1"/>
    <parm name="4119" value="196"/>
  </characteristic>
</wap-provisioningdoc>

execute it with: rapiconfig /p yourfile.xml

to find out what your current settings are:

create a config file containing the parameters you want to query:

<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm-query name="4097"/>
    <parm-query name="4101"/>
    <parm-query name="4102"/>
    <parm-query name="4119"/>
  </characteristic>
</wap-provisioningdoc>

execute it with: rapiconfig /p yourfile.xml
read the result from RapiConfigOut.xml

policy id's

Policies\Shell NoRunDlg

AutoRun Policy

The AutoRun security policy setting determines whether applications stored on a MultiMedia Card (MMC) are allowed to auto-run when inserted into the device.

0	Applications on a Compact Flash card are allowed to auto-run. ( default )
1	Applications on a Compact Flash card are restricted from auto-running.

Policies\Shell DisallowRun

Policies\Shell RestrictRun

Policies\Shell NoDownload

Policies\Shell PasswordPeriod

Policies\Shell NoPasswdPeriod

Policies\Shell NoWeakPassword

Policies\Shell NoRapiRegMod

Policies\Shell NoExternalExes

4097
0x1001

RAPI Policy

The Remote API (RAPI) policy restricts the access of remote applications that are using RAPI to implement ActiveSync operations on mobile devices.

0	ActiveSync service is shut down. RAPI calls are rejected.
1	Full access to ActiveSync is provided. RAPI calls are allowed to process without restrictions.
2	Access to ActiveSync is restricted to the SECROLE_USER_AUTH (User Authenticated) role. RAPI calls are checked against this role mask before they are granted. ( default )

4101
0x1005

Unsigned CABS Policy

The Unsigned CABS policy determines whether unsigned .cab files can be installed on the device. On the Windows Mobile-based Smartphone, this policy also determines whether applications stored on a MultiMedia Card (MMC) are allowed to auto-run when inserted into the device. Accepted unsigned .cab files are installed with the role mask specified by the policy value.

If a signed .cab file does not have a matching root certificate in the Software Publisher Certificate(SPC) store, the file is unsigned. For information about certificate stores, see Application Security on Mobile Devices.

Specified as a role mask	Accepted unsigned .cab files are installed with the role mask specified by this policy.
SECROLE_USER_AUTH	Unsigned .cab files cannot be installed. (default)

4102
0x1006

Unsigned Applications Policy

The Unsigned Applications policy determines whether unsigned applications are allowed to run on a Windows Mobile-based Smartphone. If a signed application does not have a matching root certificate in the Privileged Execution Trust Authorities or the Unprivileged Execution Trust Authoritiescertificate store, the application is unsigned. For information about certificate stores, see Application Security on Mobile Devices.

0	Unsigned applications are not allowed to run on the device. Any value other than 1 is treated as 0.
1	Unsigned applications are allowed to run on the device. ( default )

4103
0x1007

Unsigned Themes Policy

The Unsigned Themes policy determines whether unsigned theme files (.cab files that update the Home screen) can be installed on the device and with which role mask they are installed.

Specified as a role mask

Default value SECROLE_USER_UNAUTH

4104

Trusted Provisioning Server Policy

The Trusted Provisioning Server (TPS) policy setting determines whether mobile operators can be assigned the TPS role.

0	Disable assigning TPS role
1	Enable assigning TPS role ( default )	-

4105
0x1009

Message Authentication Policy

The Message Authentication policy setting defines the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Maximum number of allowed retries to authenticate. 1-256

Default value 3

4106
0x100a

unknown

4107
0x100b

WAP Signed Message Policy

The WAP Signed Message policy setting determines whether a WAP signed message is accepted based on whether the role assigned to the message matches any of the roles specified in the policy setting.

Specified as a role mask

Default value SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED + SECROLE_OPERATOR_TPS + SECROLE_OPERATOR

4108
0x100c

Service Loading Policy

The Service Loading (SL) policy setting determines whether SL messages are accepted. An SL message downloads new services or provisioning XML to the Windows Mobile-based Smartphone. An SI message is a type of over-the-air (OTA) message.

Specified as a role mask

Default value SECROLE_PPG_TRUSTED

4109
0x100d

Service Indication Policy

The Service Indication (SI) policy setting determines whether SI messages are accepted. An SI message is sent to the Windows Mobile-based Smartphone to notify users of new services, service updates, and provisioning services. An SI message is a type of over-the-air (OTA) message.

Specified as a role mask

Default value SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED

4110
0x100e

Unauthenticated Messages Policy

The Unauthenticated Messages policy setting determines whether to accept unsigned WAP messages processed by the default security provider in the Security Module (Push Router), based on their origin.

Specified as a role mask

Default value SECROLE_USER_UNAUTH

4111
0x100f

OTA Provisioning Policy

The over-the-air (OTA) Provisioning policy setting determines which provisioning messages are accepted by the Configuration Host, based on the roles assigned to the messages. This policy limits the provisioning messages that come from the Push Router.

Specified as a role mask

Default value SECROLE_OPERATOR + SECROLE_OPERATOR_TPS + SECROLE_PPG_TRUSTED + SECROLE_PPG_AUTH + SECROLE_TRUSTED_PPG + SECROLE_USER_AUTH

4112

unknown

4113
0x1011

WSP Push Policy

The WSP Push policy setting determines whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

0	Routing of WSP notifications is not allowed.
1	Routing of WSP notifications is allowed. ( default )

4114
0x1012

unknown

4115
0x1013

unknown

4116
0x1014

unknown

4117
0x1015

unknown

4118
0x1016

unknown

4119

Grant Manager Policy

Configuration Manager enforces the Grant Manager policy. This policy maps a specified role mask to the SECROLE_MANAGER role, to grant system administrative privileges that are given to the SECROLE_MANAGER role to other security roles without modifying metabase role assignments.

When this policy is set to the SECROLE_NONE role mask, only the manager is granted the Manager role.

Specified as a role mask

Default value SECROLE_USER_AUTH

4120

Grant User Authenticated Policy

Configuration Manager enforces the Grant User Authenticated policy. This policy maps a role to the SECROLE_USER_AUTH role to grant privileges that are given to the SECROLE_USER_AUTH role without modifying metabase role assignments.

Specified as a role mask

Default value SECROLE_USER_AUTH

4121
0x1019

Trusted WAP Policy

The Trusted WAP Proxy security policy specifies the level of permissions required to create, modify, or delete a trusted proxy. WAP proxies are configured by means of the PXLOGICAL characteristic element in a WAP provisioning XML document. A WAP proxy is trusted when the TRUST parm is specified in the PXLOGICAL characteristic element.

Specified as a role mask

Default value SECROLE_OPERATOR + SECROLE_OPERATOR_TPS + SECROLE_MANAGER

4122
0x101a

Unsigned Prompt Policy

The Unsigned Prompt policy determines whether a user is prompted to accept or reject an unsigned .cab file or theme with unsigned .dll files for a Windows Mobile-based Smartphone.

1	Disable user prompt.
0	Enable user prompt. Any value other than 1 is treated as 0. ( default )

4123
0x101b

PrivilegedApps Policy

The PrivilegedApps policy setting specifies which security model is implemented on the device.

0	Two-tier security model is enabled. Any value other than 1 is treated as 0. ( default )
1	One-tier security model is enabled.

4124
0x101c

SL Security Policy

This setting allows the operator to override https to use http or wsps to use wsp.

The following list shows the possible values:

0 use https or wsps.
1use http or wsp.

The required role to modify this policy is SECROLE_MANAGER.

4125
0x101d

Signed Mail Policy

This policy is used in S/MIME. It indicates whether the Inbox application will send all messages signed. If message are sent signed, this policy identifies which algorithm to use.

The following list shows the possible values:

0 indicates that messages are signed with the default algorithm (SHA-1.
1indicates that messages are not signed.
2 indicates that messages are signed by using SHA-1 algorithm.
3 indicates that messages are signed using MD5 algorithm.

The Required role to modify this policy is SECROLE_MANAGER.

4126
0x101e

Encrypted Mail Policy

This policy is used in S/MIME. It indicates whether the Inbox application sends all messages encrypted. If messages are encrypted, it identifies the algorithm to use.

The following list shows the possible values:

0 indicates that messages are encrypted using a default encryption. Default encryption is RC2..
1indicates that messages are not encrypted.
2 indicates that messages are encrypted using 3DES.
3 indicates that messages are encrypted using DES.
4 indicates that messages are encrypted using RC2_128.
5 indicates that messages are encrypted using RC2_64.
6 indicates that messages are encrypted using RC2_40.

The Required role to modify this policy is SECROLE_MANAGER.

4127
0x101f

Software Certificates Policy

This setting determines whether software certificates can be used to sign outgoing messages. You can use this security policy with a tool that you create to allow people to import certificates.

The following list shows the possible values:

0 indicates that software certificates cannot be used to sign messages.
1indicates that software certificates can be used to sign messages.

4128
0x1020

unknown

4129
0x1021

DRM Security Policy

This setting specifies which DRM rights messages are accepted by the DRM engine based on the role assigned to the message.

Default value SECROLE_PPG_AUTH + SECROLE_PPG_TRUSTED

4130
0x1022

unknown

4131
0x1023

Password Required Policy

This policy indicates whether a password must be configured on the device.

The following list shows the possible values:

0indicates that a password is required.
A value other than 0 indicates that a password is not required.

The Required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

4132
0x1024

unknown

4133
0x1025

Desktop Unlock

This policy indicates how the desktop must handle authentication when the device is locked.

The following list shows the possible values:

0 indicates that the user must authenticate on the device if it is locked upon connect.
1indicates the user can authenticate by using a PIN on desktop.

The Required role to modify this policy is SECROLE_MANAGER or SECROLE_ENTERPRISE.

security roles

SECROLE_NONE	0	This role specifies that a message not be signed with a role.
SECROLE_OEM	2	Original equipment manufacturer (OEM) role. By default, this role does not provide permissions to configure settings using over-the-air (OTA) messages..
SECROLE_OPERATOR	4	Mobile Operator role. This role is assigned to OTA messages that are signed by the mobile operator's network PIN (IMSI in Global System for Mobile Communications [GSM]). OTA messages include wireless application protocol (WAP) push messages, Service Loading (SL), and Service Indication (SI) messages. The permissions associated with this role are determined by the settings that the mobile operator requires access to if the operator is not the manager of the phone. The mobile operator can determine whether this role and the SECROLE_OPERATOR_TPS role require the same permissions.
SECROLE_MANAGER	8	Manager role. This role holds the highest level of authority and is assigned to the user-authenticated message by default. This role provides permissions to change all of the settings on the device.
SECROLE_USER_AUTH	16	User Authenticated role. This role is assigned to the following types of messages: User PIN-signed WAP push messages Messages received through the Remote API (RAPI) by default The permissions associated with this role are determined by the settings that the user requires access to if the user is not the manager of the device.
SECROLE_ENTERPRISE	32	Enterprise IT Administrator role. wm5 aku2.0 and later
SECROLE_USER_UNAUTH	64	User Unauthenticated role. This role is assigned to unsigned WAP push messages, and to unsigned .cab files. This role provides permissions to install a Home screen or ring tones.
SECROLE_OPERATOR_TPS	128	Trusted Provisioning Server role. This role is assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device. The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions.
SECROLE_KNOWN_PPG	256	Known Push Proxy Gateway role. Messages assigned this role indicate that the device knows the Push Proxy Gateway.
SECROLE_TRUSTED_PPG	512	Device Trusted Push Proxy Gateway role. Messages assigned this role indicate that the Push Proxy Gateway is known and trusted by the device. The address of the Push Proxy Gateway is compared with the trusted Push Proxy Gateway address stored on the device.
SECROLE_PPG_AUTH	1024	Push Initiator Authenticated role. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).
SECROLE_PPG_TRUSTED	2048	Trusted Push Proxy Gateway role. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

usage of policy restrictions

the policy restrictions are most likely checked with these functions from ossvcs.dll:

ordinal 116 or 29 : get policy value

ordinal 117 or 91 : set policy value

file	ossvcs api	policy value
cabinstl.dll	Ordinal 116	0x101a
ceshell.dll	Ordinal 29	0xA
cfghost.exe	Ordinal 116	0x100f
coresecproviders.dll	Ordinal 116	0x1008, 0x100b, 0x1009
rapisrv.exe	Ordinal 116	0x1001
repllog.exe	Ordinal 116	0x1001
siclnt.exe	Ordinal 116	0x100d, 0x100c
syscsps.dll	Ordinal 116 Ordinal 117	0x1019
telshell.exe	Ordinal 116 Ordinal 29	3, 0xA, 2, 0x101a, 0x101b
wceload.exe	Ordinal 116	0x1005, 0x1007, 0x101a
wdppush.dll	Ordinal 116	0x1010
wsp.dll	Ordinal 116	0x1011

links

policies

security roles

Configuration Service Provider Reference for Windows Mobile Devices