So you want to use the Today screen, or a custom shell on top of the Today screen, to create a kiosk device. Two things you can do are blacklist applications and use what is called locked mode.
First, let us discuss locked mode. When a program is run, the Windows Mobile OS does some checks to see if the program is allowed to run. Based on the account being used and the security policy, the OS may decide:
· To run the application without any input from the user. In this case the Windows Mobile OS is unlocked or the application is signed with a valid certificate.
· To prompt the user for what to do. In this case the Windows Mobile OS is in prompt mode and the application is either not signed or signed with a certificate that is not recognized or not valid. If the user says yes the application is run; otherwise it is blocked.
· Locked mode is when the Windows Mobile OS is set not to prompt and to require a valid certificate. In this case the application must have a valid, recognized certificate. In addition, all DLLs must be signed as well, or the DLLs will not be loaded, which may cause the application to fail to load.
The next step is to blacklist applications. This is actually built into Windows Mobile, both the Pocket PC and Smartphone editions. To enable it you simply set up a list of programs that are not allowed to run, regardless of whether they have valid certificates or are in ROM.
You enable this using a value under the key HKLM\Security\Policies\Shell. Set the value DisallowRun to 1, or turn the feature off by setting it to 0.
Under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun you create a list of values. The values are numbered sequentially starting at 1. Each value is a string holding the name of the executable you wish to block, for example:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
1=clock.exe
In this way the OS will not allow the user to run the clock application.
A couple of other key registry settings that can help secure a device are “NoRunDlg”, “NoAutoRun”, and “NoExternalExes”. By enabling these values you stop users from running applications in a variety of ways. They are found under the key HKLM\Security\Policies\Shell. The first, “NoRunDlg”, prevents the user from running an application via the Run dialog. “NoAutoRun” disables autorun when a memory card (SD or MMC) is inserted. The last, “NoExternalExes”, prevents the user from using File Explorer to launch an application from a memory card.
I have attached a configuration service provider document below to show how to set a variety of security settings, blacklisting, and the “No run” registry keys.
<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<!--
=============================================================
Security policies
=============================================================
-->
<!--
1-tier device -->
<parm name="4123" value="1" />
<!--
Grant Manager Role to MANAGER -->
<parm name="4119" value="8" />
<!--
=============================================================
Applications
=============================================================
-->
<!--
Do not allow unsigned CABs to install -->
<parm name="4101" value="0" />
<!--
Do not allow unsigned apps to run -->
<parm name="4102" value="0" />
<!--
Prompt user.
This policy has no effect because unsigned applications are disabled (policy 4102) -->
<parm name="4122" value="0" />
<!--
=============================================================
Configuration access
=============================================================
-->
<!--
AutoRun Policy: 0 -->
<parm name="2" value="0" />
<!--
Grant User Authenticated Policy -->
<parm name="4120" value="16" />
<!--
Do not allow unsigned themes to install -->
<parm name="4103" value="0" />
<!--
=============================================================
Remote access
=============================================================
-->
<!--
RAPI mode : Disabled -->
<parm name="4097" value="0" />
</characteristic>
<characteristic type="Registry">
<!--
=============================================================
Blacklist applications
=============================================================
-->
<characteristic type="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun">
<parm name="1" value="clock.exe" datatype="string" />
</characteristic>
<!--
=============================================================
Block various ways for an application to run or be installed
=============================================================
-->
<characteristic type="HKLM\Security\Policies\Shell">
<!--
No Run Dialog : Enabled -->
<parm name="NoRunDlg" value="1" datatype="integer" />
<!--
No Auto Run (SD card will not auto run) : Enabled -->
<parm name="NoAutoRun" value="1" datatype="integer" />
<!--
No External Exes (Can't install applications from SD card) : Enabled -->
<parm name="NoExternalExes" value="1" datatype="integer" />
<!--
Turn on DisallowRun : Enabled -->
<parm name="DisallowRun" value="1" datatype="integer" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
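Because a malformed provisioning document is silently rejected by the device (see the comments that follow), it helps to check the file before pushing it. The following Python script is an added example, not code from the original post or from Microsoft: it parses a wap-provisioningdoc, reads the SecurityPolicy parms and the registry characteristics, verifies that the DisallowRun list is numbered 1..n as described above, builds such a list from a set of executable names, and flags any of the lock-down settings from the post that are missing or turned off. The policy ids, registry paths and value names are the ones used in the post; the sample document, the executable names in it and all function names are constructed for this example.

```python
"""Audit a Windows Mobile wap-provisioningdoc for the kiosk lock-down settings
described in the post. Added example, not code from the original post; the
policy ids, registry keys and value names are the ones the post uses, the
sample document and executable names are constructed here."""
import xml.etree.ElementTree as ET

# Security policy ids as they appear in the post's provisioning document.
POLICY_UNSIGNED_CABS = "4101"   # 0 = unsigned CABs may not install
POLICY_UNSIGNED_APPS = "4102"   # 0 = unsigned applications may not run
POLICY_RAPI = "4097"            # 0 = RAPI disabled

SHELL_KEY = r"HKLM\Security\Policies\Shell"
DISALLOW_KEY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                r"\Policies\Explorer\DisallowRun")
SHELL_FLAGS = ("NoRunDlg", "NoAutoRun", "NoExternalExes")

# Constructed sample document mirroring the layout of the post's CPF.
SAMPLE_DOC = r"""<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<parm name="4101" value="0" />
<parm name="4102" value="0" />
<parm name="4122" value="0" />
<parm name="4097" value="0" />
</characteristic>
<characteristic type="Registry">
<characteristic type="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun">
<parm name="1" value="clock.exe" datatype="string" />
<parm name="2" value="calc.exe" datatype="string" />
</characteristic>
<characteristic type="HKLM\Security\Policies\Shell">
<parm name="NoRunDlg" value="1" datatype="integer" />
<parm name="NoAutoRun" value="1" datatype="integer" />
<parm name="NoExternalExes" value="1" datatype="integer" />
<parm name="DisallowRun" value="1" datatype="integer" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
"""


def parse_doc(xml_text):
    """Return (security_policies, registry) from a wap-provisioningdoc.

    security_policies maps policy id -> value; registry maps a registry key
    path (the characteristic's type attribute) -> {value name: value}."""
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("root element is %r, not wap-provisioningdoc" % root.tag)
    policies, registry = {}, {}
    for char in root.findall("characteristic"):
        ctype = char.get("type")
        if ctype == "SecurityPolicy":
            policies.update((p.get("name"), p.get("value")) for p in char.findall("parm"))
        elif ctype == "Registry":
            for key in char.findall("characteristic"):
                registry[key.get("type")] = {
                    p.get("name"): p.get("value") for p in key.findall("parm")}
    return policies, registry


def disallow_run_list(registry):
    """Return the blacklisted executables in order.

    The post requires the values under the DisallowRun key to be numbered
    sequentially from 1, so a gap or a non-numeric name is reported."""
    values = registry.get(DISALLOW_KEY, {})
    names = sorted(values, key=int)  # raises ValueError on a non-numeric name
    if names != [str(i) for i in range(1, len(names) + 1)]:
        raise ValueError("DisallowRun values must be numbered 1..n, got %s" % names)
    return [values[n] for n in names]


def disallow_run_characteristic(executables):
    """Build the DisallowRun registry characteristic for a list of executables,
    numbering the values 1..n as the post describes."""
    char = ET.Element("characteristic", type=DISALLOW_KEY)
    for i, exe in enumerate(executables, start=1):
        ET.SubElement(char, "parm", name=str(i), value=exe, datatype="string")
    return ET.tostring(char, encoding="unicode")


def audit(xml_text):
    """Report the blacklist and every lock-down setting from the post that is
    missing or turned off in the document."""
    policies, registry = parse_doc(xml_text)
    shell = registry.get(SHELL_KEY, {})
    findings = []
    if policies.get(POLICY_UNSIGNED_APPS) != "0":
        findings.append("4102: unsigned applications may run (device not in locked mode)")
    if policies.get(POLICY_UNSIGNED_CABS) != "0":
        findings.append("4101: unsigned CABs may install")
    if policies.get(POLICY_RAPI) != "0":
        findings.append("4097: RAPI not disabled")
    blocked = disallow_run_list(registry)
    if blocked and shell.get("DisallowRun") != "1":
        findings.append("DisallowRun list present but Shell\\DisallowRun is not 1, so it is ignored")
    for flag in SHELL_FLAGS:
        if shell.get(flag) != "1":
            findings.append("%s not enabled" % flag)
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_DOC)
    print("blocked:", ", ".join(report["blocked"]) or "(none)")
    for finding in report["findings"] or ["no findings"]:
        print("-", finding)
```

Run it against your own .cpf by passing the file's contents to audit(); the check that the blacklist is only honoured when Shell\DisallowRun is 1 is the one most easily lost when the two registry characteristics are edited separately, as happened to the post's own listing.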
Hi,
Very interesting but I couldn't seem to get this to work on WM6. Is this a WM5 only config?
All the best,
PianoSam.
Posted by: PianoSam | June 27, 2007 at 11:01 AM
I have not tested it on 6.0; however, it should work since both 5.0 and 6.0 share the same core.
It might be that you are using a locked phone, in which case you might try turning off security. Look in the 6.0 SDK for securityoff.cpf. Or you can install the developer certificates and sign the cpf before applying it.
Posted by: Rabi Satter | June 28, 2007 at 09:24 AM
Hi,
Thanks for your fast and patient response...
I am a bit of a dunce when it comes to programming on a mobile device...
My device is an unlocked HTC 4350 device.
The entries you refer to don't appear in my WM6 registry so I am assuming that they are created and populated as needed.
I created a CPF file with the above xml and dropped it into my HTC P4350 WM6 device and executed it.
I received a System Notification entry in my Text messaging folder stating 'your device settings cannot be changed by Test.cpf'.
Do you know whether this is because I do not have the OTA Enterprise privileges or is it just that I screwed up in the execution of the file or contents? Can I even expect to do this provisioning this way? I read the MSDN site and it seemed to suggest that this was a plausible way of implementing changes.
In the OOPS blog entry you suggested that there was a typo in the example above but I couldn't see it - did you correct the example?
Additionally, I thought in the file it suggests I only need manager access to execute these entries. So I presumed that it would be Ok to execute the file this way.
I am sorry to be a pest ...I guess the blacklist is really useful and important to me just now and the timing of your information is just wonderful if only I can get it to work...
Kind Regards,
PianoSam.
Posted by: PianoSam | June 28, 2007 at 10:13 AM
What you need to do is application unlock the phone. This requires the SDK developer certificates to be installed on the device. You will need to have the WM6 SDK installed on a PC. Then look for a cab file, C:\Program Files\Windows Mobile 6 SDK\Tools\Security\SDK Development Certificates\Certs.cab. Install this on the device. Next you will need to use a security cpf to unlock the device. Look in the SDK for C:\Program Files\Windows Mobile 6 SDK\Tools\PocketPC\Security\Security Configuration\securityoff.cpf. Copy this to the device and install it. You should now be able to run the cpf you created since the security is turned off.
Hope this helps.
Posted by: Rabi Satter | June 28, 2007 at 10:35 PM