One of the most frequently requested features when securing Windows Mobile devices is preventing the device from connecting to a desktop computer. If you look at the Windows Mobile security policies you will find the security policy with ID 4097. This policy controls use of RAPI (Remote API), which affects ActiveSync operations as well. The allowed values for the policy are:

  0. ActiveSync service is shut down. The device is inaccessible.
  1. ActiveSync is allowed and RAPI operations are called without restrictions.
  2. ActiveSync and RAPI operations are restricted to the SECROLE_USER_AUTH role (default).

Blocking the connection to the PC can be done with a simple provisioning XML file that sets the policy to 0:

<!-- DenyRAPI.xml -->
<wap-provisioningdoc>
    <characteristic type="SecurityPolicy">
        <parm name="4097" value="0"/>
    </characteristic>
</wap-provisioningdoc>

For unblocking, use the following one, which restores the default value 2:

<!-- AllowRAPI.xml -->
<wap-provisioningdoc>
    <characteristic type="SecurityPolicy">
        <parm name="4097" value="2"/>
    </characteristic>
</wap-provisioningdoc>

Making the .cab file

If you try to apply the XML files through RapiConfig.exe you may receive an Access Denied message. That is because changing policy 4097 is allowed only to the SECROLE_MANAGER role, and, as mentioned above, by default all RAPI operations run under the SECROLE_USER_AUTH role. So instead of RapiConfig.exe we will provision from .cab files. We will copy the blocking and unblocking .cab files to the device and execute them there. The device will ask whether we really want to proceed with an unsigned .cab file. Once we agree, the .cab file is executed in privileged mode and the settings are applied. Note that this relies on the device's security configuration allowing unsigned .cab files after a prompt and running them privileged, as a one-tier Pocket PC configuration does; a device that installs unsigned .cab files unprivileged, or blocks them outright, may reject the policy change. To create the .cab files we need the Microsoft Cabinet Software Development Kit.

The Cabinet SDK contains a command line tool, makecab.exe, which takes the name of the provisioning XML file and the output cabinet as its parameters. Before we put the XML into the CAB, we need to rename it to _setup.xml: whenever the Windows Mobile installer finds _setup.xml in a .cab file, it automatically processes it as a provisioning file. So let's create the .cab files. Execute the following commands from your command line:

C:\Test>copy DenyRAPI.xml _setup.xml
C:\Test>makecab _setup.xml denyRAPI.cab

C:\Test>copy AllowRAPI.xml _setup.xml /Y
C:\Test>makecab _setup.xml allowRAPI.cab
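The same procedure, scripted, as an added example that is not part of the original post: it generates the provisioning document for any legal value of policy 4097 (rejecting anything else), can read the policy back out of an existing provisioning XML so you can check what a .cab you were handed actually does to RAPI, and wraps _setup.xml with makecab.exe the way the commands above do by hand. It assumes makecab.exe is on the PATH; where it is not (for example on a non-Windows machine), the XML is still written and the .cab step is skipped. All function names and the output directory are this example's own choices.

```python
"""Build and inspect Windows Mobile provisioning files for security policy 4097 (RAPI).

Added example, not code from the original post. Assumes makecab.exe is on the PATH
(it ships with Windows and with the Cabinet SDK); otherwise only the XML is written.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional

RAPI_POLICY_ID = 4097
# Meaning of each value the RAPI policy accepts.
RAPI_POLICY_VALUES = {
    0: "ActiveSync shut down, device inaccessible",
    1: "ActiveSync allowed, RAPI unrestricted",
    2: "ActiveSync and RAPI restricted to SECROLE_USER_AUTH (default)",
}


def build_rapi_policy_doc(value: int) -> str:
    """Return a wap-provisioningdoc that sets policy 4097 to `value` (0, 1 or 2)."""
    if value not in RAPI_POLICY_VALUES:
        raise ValueError(f"policy {RAPI_POLICY_ID} accepts 0, 1 or 2, not {value!r}")
    doc = ET.Element("wap-provisioningdoc")
    char = ET.SubElement(doc, "characteristic", type="SecurityPolicy")
    ET.SubElement(char, "parm", name=str(RAPI_POLICY_ID), value=str(value))
    return ET.tostring(doc, encoding="unicode")


def read_security_policies(xml_text: str) -> Dict[int, int]:
    """Collect every SecurityPolicy parm in a provisioning doc as {policy_id: value}."""
    root = ET.fromstring(xml_text)
    policies = {}
    for char in root.iter("characteristic"):
        if char.get("type") != "SecurityPolicy":
            continue
        for parm in char.findall("parm"):
            policies[int(parm.get("name"))] = int(parm.get("value"))
    return policies


def rapi_policy_state(xml_text: str) -> str:
    """Describe what a provisioning doc does to RAPI, or 'unchanged' if it leaves 4097 alone."""
    value = read_security_policies(xml_text).get(RAPI_POLICY_ID)
    if value is None:
        return "unchanged"
    return RAPI_POLICY_VALUES.get(value, f"unknown value {value}")


def write_policy_cab(value: int, out_dir: Path, cab_name: str) -> Optional[Path]:
    """Write _setup.xml for `value` and wrap it in a .cab with makecab.exe.

    Returns the .cab path, or None when makecab is not available (XML still written).
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    # The installer only treats a file with this exact name as a provisioning doc.
    (out_dir / "_setup.xml").write_text(build_rapi_policy_doc(value))
    makecab = shutil.which("makecab")
    if makecab is None:
        return None
    # Equivalent of: makecab _setup.xml <cab_name>, run inside out_dir.
    subprocess.run([makecab, "_setup.xml", cab_name], cwd=out_dir, check=True)
    return out_dir / cab_name


if __name__ == "__main__":
    for value, name in ((0, "denyRAPI.cab"), (2, "allowRAPI.cab")):
        cab = write_policy_cab(value, Path("build"), name)
        print(name, "->", cab if cab else "makecab not found; only _setup.xml written")
```

Running the script on a Windows machine with makecab.exe available produces build\denyRAPI.cab and build\allowRAPI.cab, each containing only _setup.xml, just like the manual commands above; rapi_policy_state() is the piece worth keeping around, since an _setup.xml pulled out of a third-party .cab tells you at a glance whether it shuts RAPI down, opens it up completely (value 1) or leaves it at the default.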

Now copy both .cab files to the device. Execute denyRAPI.cab and you will see that your current ActiveSync session is closed. Uncradle and cradle the device again and ... nothing happens, at least on devices running Windows Mobile 5.0 or earlier. Windows Mobile 6.0 devices will show the following dialog.

[Screenshot: "device not allowed to connect to the desktop" dialog]

Remember that this setting does NOT affect your messaging connectivity to an Exchange or POP3 server; it only blocks the RAPI/ActiveSync connection to the PC. To allow RAPI again, execute allowRAPI.cab. Happy provisioning!