Motorola MC31 Series Integrator Manual page 90

5 - 2 MC31XX Series Mobile Computer Integrator Guide
certificate, they are assured that the package is authentic and that it was created by Motorola. By enforcing the use
of digital signatures, users can also prevent malicious applications from executing on the MC31XX. For example,
users can provision the MC31XX to only execute "trusted" applications (digitally signed).
Motorola ships all Windows Mobile 6.1 based products in an "open" state, which means all signed and unsigned
applications should work. However, customers can still reconfigure their MC31XXs to operate in the "trusted"
mode. This means that only applications signed with a certificate from the Privileged Execution Trust Certificate
Store can run.
To support the broadest number of deployments, third-party software developers should perform the following
when releasing software for a Windows Mobile 6.1 devices:
•
Sign all their EXEs & DLLs with their private key
•
Provide the corresponding public certificate to end-users so that it can be installed into Privileged Execution
Trust Certificate Store.
If the software is installed via a .CAB file, developer should also:
•
Sign the .CAB file with their private key
•
Provide the corresponding public certificate to end-users so that it can be installed into SPC Certificate Store.
Locking Down a Mobile Computer
Like most configuration options in Windows Mobile 6.1, security settings are set via XML provisioning. For
example, to enforce the "trusted" model and only allow applications signed with a privileged certificate to run, use
the following provisioning document:
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<!-- Disallow unsigned apps -->
<parm name= "4102" value= "0"/>
<!-- No Prompt -->
<parm name= "4122" value= "1"/>
</characteristic>
</wap-provisioningdoc>
For more information on various security options, refer to the Security Policy Settings topic in the latest Windows
Mobile documentation.