Setting Up Handheld Package Policies

ZENworks for Handhelds provides Handheld Package policies for the Palm OS, Windows CE, and BlackBerry platforms.

Each platform has its own page where you can view and configure available policies. To display a desired platform page: in ConsoleOne, right-click the Handheld Package, click Properties, click the down-arrow on the Policies tab, then click the appropriate platform: Palm, WinCE, or BlackBerry.

Review the following sections for more information to help you set up the Handheld Package policies:


BlackBerry Configuration Policy

The BlackBerry Configuration policy lets you specify a standard owner name and additional information that will be set on the associated BlackBerry devices. For example, you could specify that your company name, address, and telephone number be set on all associated BlackBerry devices to help recover lost devices.

The owner name and information that you specify using this policy do not affect the naming of the device objects in eDirectory; they are displayed only on the actual device.

To set up the BlackBerry Configuration policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

  2. On the Policies tab, click the down-arrow, then click BlackBerry.

  3. Check the check box under the Enabled column for the BlackBerry Configuration policy.

    This both selects and enables the policy.

  4. Click Properties to display the Owner page.


    Screen shot of the BlackBerry Configuration policy's Owner page.
  5. Fill in the fields:

    Owner Name: Click the Specify Owner Name To Be Set on the Handheld check box, then type the owner name that you want to be set on associated BlackBerry devices.

    Owner Information: Click the Specify Owner Information To Be Set on the Handheld check box, then type any additional information that you want to be set on associated BlackBerry devices.

  6. Click OK to save the policy.

  7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.


BlackBerry Inventory Policy

The BlackBerry Inventory policy lets you enable the collection of hardware and software inventory from associated BlackBerry devices.

To set up the BlackBerry Inventory policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

  2. On the Policies tab, click the down-arrow, then click BlackBerry.

  3. Check the check box under the Enabled column for the BlackBerry Inventory policy.

    This both selects and enables the policy.

  4. Click Properties to display the General page.


    Screen shot of the BlackBerry Inventory policy's General page.
  5. Fill in the fields:

    Hardware: To collect hardware information for associated BlackBerry devices, click the Enable Collection of Hardware Inventory on the Handheld check box.

    Collected data about hardware is stored on a per-device basis and is found on the ZENworks Inventory page in ConsoleOne or on the Clients: Hardware Inventory page in the ZENworks for Handhelds Inventory Viewer. To view the ZENworks Inventory page in ConsoleOne, right-click a handheld device object, click Properties, then click the ZENworks Inventory tab. To open the ZENworks for Handhelds Inventory Viewer, right-click a handheld device object, click Actions, then click Inventory. For more information, see Viewing Hardware Inventory.

    Software: To collect software information for associated BlackBerry devices, click the Enable Collection of Software Inventory on the Handheld check box.

    Collected data about software is found in the ZENworks for Handhelds Inventory Viewer. To open the ZENworks for Handhelds Inventory Viewer, right-click a handheld device object, click Actions, then click Inventory. You can view software inventory information for a specific device or across all BlackBerry devices in your system. For more information, see Viewing Software Inventory.

  6. Click OK to save the policy.

  7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.

    NOTE:  You must schedule inventory for BlackBerry devices because they are always connected to the ZENworks for Handhelds server. For Palm and Windows CE devices, you do not need to schedule inventory; software inventory is collected once a day from the handheld devices during synchronization.

    For BlackBerry devices, a policy schedule of Custom Event:EventHandheldSync gets translated on the device to Daily.


BlackBerry Security Policy

The BlackBerry Security policy lets you ensure that a password is set on associated BlackBerry devices. You can also use the BlackBerry Device Lockout feature to lock a device that you suspect has been lost or stolen. For more information, see BlackBerry Device Lockout.

To set up the BlackBerry Security policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

  2. On the Policies tab, click the down-arrow, then click BlackBerry.

  3. Check the check box under the Enabled column for the BlackBerry Security policy.

    This both selects and enables the policy.

  4. Click Properties to display the Security page.


    Screen shot of the BlackBerry Security policy's Security page.
  5. Click the Require a Password To Be Set On the Handheld check box.

    If your organization has a rule stating that all handheld devices must have a password, you should enable this policy.

    When the BlackBerry Security policy is enforced, if the user does not have a password set, he or she will be prompted to create one. If the user ignores the prompt, he or she will be prompted every 15 minutes to create a password for the device.

  6. Click OK to save the policy.

  7. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  8. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.


BlackBerry Device Lockout

The BlackBerry Device Lockout feature lets you disable a BlackBerry device if you suspect that it has been lost or stolen. After the device is locked, no applications can run on the device other than ZENworks for Handhelds, which can be used to unlock the device.

If a BlackBerry device that has been locked is placed in a cradle, the device will display error messages and will be unusable. The device will remain in an unusable state until it is unlocked by ZENworks for Handhelds; if the device is reset, it will remain locked.

To lock or unlock a BlackBerry device:

  1. In ConsoleOne, right-click the desired BlackBerry handheld device object, click Actions, then click Lock/Unlock Device.


    Screen shot of the Lock/Unlock Device dialog box.
  2. Click Unlock the Device.

    or

    Click Lock the Device, then type the text you want displayed on the device when it is locked.

  3. Click OK.


Palm Configuration Policy

The Palm Configuration policy lets you configure the following:

To set up the Palm Configuration policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click Palm.

  3. Check the check box under the Enabled column for the Palm Configuration policy.

    This both selects and enables the policy.

  4. Click Properties.

  5. On the General page, make the desired configuration changes.


    Screen shot of the Palm Configuration: General page.

    You can change the settings for the following preferences:

    • Auto-Off After
    • Stay On in Cradle
    • System Sound
    • Alarm Sound
    • Alarm Vibrate
    • Alarm LED
    • Game Sound
    • Beam Receive

    Each preference in the list contains a Don't Change setting. If you choose this setting, ZENworks for Handhelds will not change that preference on associated devices; the corresponding setting on each device will determine its behavior. For example, if you choose the Don't Change setting for Auto-Off After, each associated device will use its own preference settings to determine how long an idle Palm OS device will wait until it turns itself off. If you want to ensure consistency across all associated Palm OS devices, choose the appropriate setting.

  6. On the Buttons: Configuration page, make the desired configuration changes.


    Screen shot of the Buttons: Configuration page.

    The Button Column lists the available buttons on the Palm OS device. To change a button's association, select a button from the Button list, click Edit, click Set to Application, browse to an application, then click OK.

    HINT:  Depending on your particular Palm OS device, the available buttons in the Button list will be named differently than those in the preceding illustration.

    The Pen Function drop-down list lets you assign a feature users can access when they drag the pen from the writing area to the top of the screen on the Palm OS device. For example, you can select Turn Off & Lock to make it easier for users to turn off and lock their Palm OS devices. To assign a feature, choose an option from the drop-down list.

    The following options are available:

    • Not Specified
    • Backlight
    • Keyboard
    • Graffiti Help
    • Turn Off & Lock
    • Beam Data
  7. On the Programs page, make the desired configuration changes.


    Screen shot of the Programs: Application page.

    The Application column lists the applications that you want to allow on the device or remove from the device. To add an application to the list, click Add, browse to the application, then click OK.

    NOTE:  When you browse to applications, ZENworks for Handhelds displays all applications, regardless of whether they reside in ROM or RAM. You cannot delete applications from ROM or from an external storage device.

    Select a rule to apply to the application:

    • Allow the Application on the Handheld
    • Remove the Application from the Handheld

    Rather than selecting certain applications to be removed from the device, you might find it easier to specify a list of allowed applications and check the Remove All Other Applications from the Handheld check box. When the policy is enforced or when the user synchronizes the device, all applications not listed in the Applications list with the Allow rule set will be removed from the device.

  8. Click OK to save the policy.

  9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.


Palm File Retrieval Policy

The Palm File Retrieval policy lets you specify source files you want to retrieve from a Palm OS device and copy to a specified destination location.

The File Retrieval policy is a plural policy, meaning it can be added many times to a policy package. You can set up as many File Retrieval policies as required to adequately retrieve important files from the handheld devices in your organization. When you name these plural policies, be sure to give them descriptive names.

The File Retrieval policy is also cumulative, meaning that many different Palm File Retrieval policies can be effective for a single handheld device object, handheld group object, or container object.

NOTE:  If you want to retrieve files from handheld devices and store them on a NetWare® volume, you must install the Novell Client™ on the ZENworks for Handhelds server machine.

To set up the Palm File Retrieval policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click Palm.

  3. Click Add.


    Screen shot of the Add Policy dialog box.
  4. Type a descriptive name in the Policy Name field, then click OK.

    The newly created File Retrieval policy displays in the Handheld Policies list.


    Screen shot of the Properties of Handheld Package with the newly created File Retrieval policy displayed.
  5. Check the check box under the Enabled column for the newly created Palm File Retrieval policy.

    This both selects and enables the policy.

  6. Click Properties to display the Files page.


    Screen shot of the Properties of Handheld Package: File Retrieval Policy dialog box with the Files page displayed.
  7. In the Files field, specify the source files to be retrieved from the handheld device.

    NOTE:  You must enter the Palm database or resource filename in the Files field. A third-party file utility tool (such as FileZ, a shareware program) may be necessary to determine the actual filename.

    When you specify source files, be aware that filenames are case sensitive. You can use wildcard characters to specify source files.

    When the policy is enforced, all specified source files will be retrieved from the device; the files will be retrieved even if the same files were previously retrieved at another time.

  8. Select the Files Are Required check box if you want ZENworks for Handhelds to report a failed status if the specified files do not exist on the handheld device or if the specified wildcard characters do not provide a match for files on the device.

    For more information about policy status, see Viewing Policy Status Information.

  9. Select the Delete Files After Retrieval check box if you want the specified source files to be deleted from the handheld device after they have been retrieved from the handheld device.

    If you do not enable this option, the source files will be copied to the specified location but will also remain on the handheld device.

  10. In the Path field, browse to or specify the destination location where you want the specified files copied to.

    The renamed file can include variables. To include variables, click the Insert button, then click the desired variable.

    The following variables are available for use:

    device: The CN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.

    devicedn: The full DN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.Handhelds.NovellWheaton.

    user: The username of the device. This is the value stored in the zfhUserName attribute for the object in the directory. When this value is not configured on the handheld device, it is set to <Undefined>.

    date: The date the file was retrieved from the handheld device. This value is the date only; the time that the file was retrieved is not included. For example, if the file was retrieved on September 15, 2002 at 3:15 p.m., the string would be 2002-09-15. The string is always in the format of yyyy-mm-dd.

    time: The time the file was retrieved from the handheld device. This value is for the time only; the date that the file was retrieved is not included. For example, if a file was retrieved on September 15, 2002 at 3:20 p.m., the string would be 15-20. The string is always in the format of hh-mm, with hh representing the hour in 24-hour format.

    guid: The GUID for the handheld device.

    server: The name of the server that received the data. This is the Windows NT name of the server.

    To use a variable, place an @ sign on either side of the variable in the string. For example, you could use the following syntax:

    @user@_filename

  11. Select Use the Original File Name(s) to use the original source filenames for the destination files.

    or

    Select Rename the Files To and specify new filenames for the destination files.

  12. Click OK to save the policy.

  13. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  14. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.


Palm Security Policy

The Palm Security policy lets you configure the following:

To set up the Palm Security policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click Palm.

  3. Check the check box under the Enabled column for the Palm Security policy.

    This both selects and enables the policy.

  4. Click Properties to display the Security page.


    Screen shot of the Palm Security page.
  5. Fill in the fields:

    Require a Password to Be Set on the Handheld: Lets you specify that a password must be set on the Palm OS device. If your organization has a rule that states that all handheld devices must have a password, you should enable this policy. If a user does not have a password set, he or she will be prompted to create one.

    Enable Enhanced Password Support: Select this option to specify enhanced password support.

    For Palm OS devices, ZENworks for Handhelds replaces the Palm password applet if you select Enable Enhanced Password Support; users will see ZENworks for Handhelds password dialog boxes rather than the default Palm OS dialog boxes.

    If, in the future, you want to remove the ZENworks for Handhelds password applet and restore the original Palm password applet, you will need to reconfigure the Palm Security policy and disable the Require a Password to Be Set on the Handheld option and then resynchronize the device so that the policy is enforced. Uninstalling the ZENworks for Handhelds handheld client on the device or disassociating the device from the Palm Security policy will not remove the ZENworks for Handhelds password applet replacement.

    Minimum Password Length: Check this box and specify the minimum number of characters to allow for the password on the device. You should choose a number large enough to ensure adequate security, but small enough not to excessively burden the user.

    Require Alphanumeric Mix: Check this box to require that the user use both letters and numbers in the password. To improve the security of a password, it should contain both letters (uppercase and lowercase) and numbers.

    Password Expires In _ Days: Check this box and specify the number of days after which the password expires. When the specified number of days has passed, the user will be prompted to change the password for the device.

    Limit Grace Logons to _ Attempts: Check this box and specify the number of grace logon attempts you want to allow the user before he or she must change the password for the device. After the number of days in Password Expires in _ Days, the user will be prompted to change the password. The user can choose to ignore this prompt and keep the same password for the number of logon attempts you specify.

    Require Unique Passwords: Check this box to require that the user enter a new password; he or she cannot reuse the previous eight passwords.

    Enable Auto Lock Configuration (Palm OS 4.x and Above): Lets you specify that the Palm OS device is automatically locked when the specified event occurs. Using this policy improves the security of the data on your Palm OS devices. To use this setting, the handheld device must be running Palm OS 4.x or later.

    The available settings include:

    • Never
    • On Power Off
    • At Present Time
    • After a Preset Delay
  6. Click the Self-Destruct tab.


    Screen shot of the Self-Destruct page.

    The Self-Destruct page lets you configure self-destruct settings for Palm OS devices so that data is not accessible from handheld devices that are lost or stolen. When the self-destruct feature is activated, the data on the device is made unusable and the device must be manually reset, which restores the device to its out-of-the-box state.

    To use the self-destruct options for Palm OS devices, you must check the Require a Password to Be Set on the Handheld check box on the Security page.

    IMPORTANT:  Use caution when you use the self-destruct feature. Be sure to allow an adequate number of password attempts and an adequate number of days since the last connection or synchronization to prevent data loss to users who incorrectly enter the password or do not connect or synchronize the device during a short vacation.

    For Palm devices using HotSync, if the user synchronizes the device using the same desktop or laptop machine as usual, the data can be restored by HotSync.

  7. Fill in the fields:

    Bad Password Attempts: Enable the Enforce Self-destruct check box and specify the number of bad password attempts to allow before activating the self-destruct feature.

    Time Since Last Connection: Enable the Enforce Self-Destruct check box and specify the number of days after the last connection before activating the self-destruct feature. If the handheld device is using the ZENworks for Handhelds Palm IP client, the Time Since Last Connection option refers to the last time the handheld device connected to the IP conduit machine. If the handheld device is using the ZENworks for Handhelds sync client, the Time Since Last Connection refers to the last time the handheld device was synchronized.

    Each day is made up of 24 hours. If you connect (synchronize) the device on Monday at 2 p.m. and specify three days after the last connection before activating the self-destruct feature, the self-destruct feature will activate Thursday at 2 p.m. (72 hours after the last connection/synchronization) unless the device is connected/synchronized during that period.

  8. Click OK to save the policy.

  9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.
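
How the Security and Self-Destruct settings above interact on one device, as an added example that is not ZENworks for Handhelds code. The class and field names are hypothetical, the default values are constructed samples, and two behaviours the page does not spell out are assumptions marked in the comments.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PalmSecurityPolicy:
    # Hypothetical field names, one per option on the Security and
    # Self-Destruct pages; the default values are constructed samples.
    min_length: int = 6
    require_alnum_mix: bool = True
    expires_in_days: int = 30
    grace_logons: int = 3
    bad_attempts_limit: int = 10
    days_since_connection: int = 3
    history_size: int = 8  # the page: previous eight passwords cannot be reused


@dataclass
class DeviceState:
    password_set_at: datetime
    last_connection: datetime
    grace_used: int = 0
    bad_attempts: int = 0
    history: list = field(default_factory=list)  # password digests, newest last


def digest(password: str, salt: bytes) -> bytes:
    """History keeps derived digests rather than the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_violations(policy, state, candidate, salt):
    """Return the rules a proposed new password breaks (empty list = accepted)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("shorter than minimum length")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.require_alnum_mix and not (has_letter and has_digit):
        problems.append("needs both letters and numbers")
    if digest(candidate, salt) in state.history[-policy.history_size:]:
        problems.append("matches one of the previous passwords")
    return problems


def self_destruct_deadline(policy, state):
    """Each day is 24 hours, counted from the last connection or sync."""
    return state.last_connection + timedelta(hours=24 * policy.days_since_connection)


def logon_decision(policy, state, now, password_ok):
    """Decide the outcome of one unlock attempt and update the counters."""
    if now >= self_destruct_deadline(policy, state):
        return "self-destruct"
    if not password_ok:
        state.bad_attempts += 1
        # Assumption: the limit is the attempt on which self-destruct fires.
        if state.bad_attempts >= policy.bad_attempts_limit:
            return "self-destruct"
        return "denied"
    state.bad_attempts = 0  # assumption: a good logon resets the counter
    expires_at = state.password_set_at + timedelta(days=policy.expires_in_days)
    if now < expires_at:
        return "ok"
    if state.grace_used < policy.grace_logons:
        state.grace_used += 1  # user ignored the prompt; one grace logon spent
        return "ok-change-prompted"
    return "change-required"


def review(policy, longest_absence_days):
    """Flag a connection window that an ordinary absence would exceed."""
    if policy.days_since_connection <= longest_absence_days:
        return [f"self-destruct after {policy.days_since_connection} day(s) "
                f"fires during a {longest_absence_days}-day absence"]
    return []


if __name__ == "__main__":
    policy = PalmSecurityPolicy()
    # Constructed sample: last sync on Monday 2002-09-16 at 2 p.m.
    state = DeviceState(datetime(2002, 9, 1, 9, 0), datetime(2002, 9, 16, 14, 0))
    print("self-destruct at:", self_destruct_deadline(policy, state))
    print("review for a 7-day vacation:", review(policy, 7))
```

Running `review` with the longest absence you expect from users is a quick check of the caution in the IMPORTANT note before the policy is associated.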


WinCE Configuration Policy

The WinCE Configuration policy lets you configure the following:

To set up the WinCE Configuration policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click WinCE.

  3. Check the check box under the Enabled column for the WinCE Configuration policy.

    This both selects and enables the policy.

  4. Click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  5. On the Buttons: Configuration page, click Add to change a button's assignment.


    Screen shot of the Select a Button dialog box.

    To view the button naming conventions for your particular handheld device: on the handheld device, click Start > Settings > Buttons. For example, on a Compaq iPAQ Pocket PC, the buttons are named Button 1, Button 2, and so forth. On an HP Jornada Pocket PC, the buttons are named Hot key 1, Hot key 2, and so forth.

  6. Select a button or type the name of a button, click OK, then select an option:

    • Reset to Default: Resets the selected button's association to the factory default association.

    • Set to Application: Lets you specify the application to assign to the selected button. If you specify an application that is not in the Start menu path (or subpath), the button applet might not show the correct settings and you will be prompted to restart the handheld device to see the changes.

    • Set to Other Function: Lets you specify a function from the drop-down list to assign a function to the selected button.

      The available options include:

      • <Input Panel>
      • <None>
      • <Scroll Down>
      • <Scroll Left>
      • <Scroll Right>
      • <Scroll Up>
      • <Start Menu>
      • <Today>
  7. On the Programs: Start Menu/Desktop page, make the desired configuration changes.


    Screen shot of the Start Menu/Desktop page of the WinCE Configuration policy.

    Click Add to specify a program to be added to the Short Cut list, fill in the Shortcut Name box (this is the name that will display in the Start menu or on the desktop), fill in the Target path (the full path to an application's executable file), then click OK.

    Rather than selecting certain programs to be removed from the device's Start menu/desktop, you might find it easier to specify a list of allowed applications and check the Move All Other Start Menu/Desktop Items to the Programs Folder check box. When the policy is enforced, all programs not listed in the Icon Name list will be moved to the Programs folder.

    Click Hide All Items in the Programs Folder to hide the names and icons of all listed programs in the Programs folder. Using this option lets the user run applications only from the Start menu (on Pocket PC devices) or on the desktop (on handheld PC devices).

  8. Click OK to save the policy.

  9. On the Power page, make the desired configuration changes.


    Screen shot of the Power page.

    NOTE:  The Power settings do not apply to HP Jornada devices running Microsoft Pocket PC 2002 software.

    If you select the Don't Change setting, ZENworks for Handhelds will not change that setting on associated devices; the corresponding setting on each device will determine its behavior. For example, if you select the Don't Change setting, each associated device will use its own preference settings to determine how long an idle Windows CE device will wait until it turns itself off. If you want to ensure consistency across all associated Windows CE devices, select the appropriate setting.

    If you select the Disable setting, ZENworks for Handhelds will disable that setting on all associated Windows CE devices; idle Windows CE devices will not shut down.

  10. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  11. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.


WinCE File Retrieval Policy

The WinCE File Retrieval policy lets you specify source files you want to retrieve from a Windows CE device and copy to a specified destination location.

The WinCE File Retrieval policy is a plural policy, meaning it can be added many times to a policy package. You can set up as many File Retrieval policies as required to adequately retrieve important files from the handheld devices in your organization. When you name these plural policies, be sure to give them descriptive names.

The WinCE File Retrieval policy is also cumulative, meaning that many different WinCE File Retrieval policies can be effective for a single handheld device object, handheld group object, or container object.

NOTE:  If you want to retrieve files from handheld devices and store them on a NetWare volume, you must install the Novell Client on the ZENworks for Handhelds Server.

To set up the WinCE File Retrieval policy:

  1. In ConsoleOne, right-click the Handheld Package, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click WinCE.

  3. Click Add.


    Screen shot of the Add Policy dialog box.
  4. Type a descriptive name in the Policy Name field, then click OK.

    The newly created File Retrieval policy displays in the Handheld Policies list.


    Screen shot of the Properties of Handheld Package with the newly created File Retrieval policy displayed.
  5. Check the check box under the Enabled column for the newly created WinCE File Retrieval policy.

    This both selects and enables the policy.

  6. Click Properties to display the Files page.


    Screen shot of the Properties of Handheld Package: File Retrieval Policy dialog box with the Files page displayed.
  7. In the Path field in the Source Files box, specify the path to the source files.

  8. In the Files field, browse to or specify the source files to be retrieved from the Windows CE device.

    You can use wildcard characters to specify source files.

    When the policy is enforced, all specified source files will be retrieved from the device; the files will be retrieved even if the same files were previously retrieved at another time.

  9. Select the Files Are Required check box if you want ZENworks for Handhelds to report a failed status if the specified files do not exist on the Windows CE device or if the specified wildcard characters do not provide a match for files on the device.

    NOTE:  For more information about policy status, see Viewing Policy Status Information.

  10. Select the Delete Files After Retrieval check box if you want the specified source files to be deleted from the Windows CE device after they have been retrieved from the handheld device.

    If you do not enable this option, the source files will be copied to the specified location but will also remain on the Windows CE device.

  11. In the Path field in the Destination Location box, browse to or specify the destination location where you want the specified files copied to.

    The renamed file can include variables. To include variables, click the Insert button, then click the desired variable.

    The following variables are available for use:

    device: The CN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.

    devicedn: The full DN of the device. For example, in Dan m130.Handhelds.NovellWheaton, the string would be Dan m130.Handhelds.NovellWheaton.

    user: The username of the device. This is the value stored in the zfhUserName attribute for the object in the directory. When this value is not configured on the handheld device, it is set to <Undefined>.

    date: The date the file was retrieved from the handheld device. This value is the date only; the time that the file was retrieved is not included. For example, if the file was retrieved on September 15, 2002 at 3:15 p.m., the string would be 2002-09-15. The string is always in the format of yyyy-mm-dd.

    time: The time the file was retrieved from the handheld device. This value is for the time only; the date that the file was retrieved is not included. For example, if a file was retrieved on September 15, 2002 at 3:20 p.m., the string would be 15-20. The string is always in the format of hh-mm, with hh representing the hour in 24-hour format.

    guid: The GUID for the handheld device.

    server: The name of the server that received the data. This is the Windows NT name of the server.

    To use a variable, place an @ sign on either side of the variable in the string. For example, you could use the following syntax:

    @user@_filename

  12. Select Use the Original File Name(s) to use the original source filenames for the destination files.

    or

    Select Rename the Files To and specify new filenames for the destination files.

  13. Click OK to save the policy.

  14. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  15. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.
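
The @variable@ renaming described for both the Palm and WinCE File Retrieval policies, as an added example that is not ZENworks for Handhelds code: it expands a Rename the Files To template with the seven documented variables so you can preview or audit the destination names a template yields. The function names, GUID and server name are constructed; replacing characters that Windows rejects in file names (such as the angle brackets in <Undefined>) is an assumption, because the page does not say how the product handles them.

```python
import re
from datetime import datetime

# Variable names exactly as listed in the table above.
VARIABLES = ("device", "devicedn", "user", "date", "time", "guid", "server")

_TOKEN = re.compile(r"@([A-Za-z]+)@")
# Characters Windows does not accept in a file name, plus control characters.
_UNSAFE = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def safe_component(value: str) -> str:
    """Make a directory- or device-supplied value safe inside one file name."""
    cleaned = _UNSAFE.sub("_", value).strip(" .")
    return cleaned or "_"


def build_context(device_dn, user, guid, server, retrieved_at):
    """Compute the seven variable values for one retrieval."""
    return {
        "device": device_dn.split(".", 1)[0],       # CN = first DN component
        "devicedn": device_dn,
        "user": user or "<Undefined>",              # documented fallback value
        "date": retrieved_at.strftime("%Y-%m-%d"),  # yyyy-mm-dd
        "time": retrieved_at.strftime("%H-%M"),     # hh-mm, 24-hour
        "guid": guid,
        "server": server,
    }


def expand(template: str, context: dict) -> str:
    """Replace each @variable@ token; reject names that are not in the table."""
    unknown = [n for n in _TOKEN.findall(template) if n not in VARIABLES]
    if unknown:
        raise ValueError(f"unknown variable(s): {', '.join(unknown)}")
    return _TOKEN.sub(lambda m: safe_component(context[m.group(1)]), template)


if __name__ == "__main__":
    # Constructed sample values; only the DN and timestamp come from the page.
    ctx = build_context(
        device_dn="Dan m130.Handhelds.NovellWheaton",
        user="",                                    # not configured on the device
        guid="00000000-0000-0000-0000-000000000000",
        server="ZFHSRV01",
        retrieved_at=datetime(2002, 9, 15, 15, 20),
    )
    for template in ("@user@_filename", "@device@_@date@_@time@.pdb"):
        print(template, "->", expand(template, ctx))
```

Because @user@ collapses to the same string for every device without a configured user name, a template that relies on it alone lets retrieved files overwrite each other; adding @device@ or @guid@ keeps the names distinct.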


WinCE Security Policy

The WinCE Security policy lets you configure the following:

IMPORTANT:  The WinCE Security policy will not function on Jornada Pocket PCs running Microsoft Windows for Pocket PC 2000 software. Jornada Pocket PCs must be running Microsoft Pocket PC 2002 software to use the WinCE Security policy.

To set up the WinCE Security policy:

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.


    Screen shot of the Properties of Handheld Package dialog box.
  2. On the Policies tab, click the down-arrow, then click WinCE.

  3. Check the check box under the Enabled column for the WinCE Security policy.

    This both selects and enables the policy.

  4. Click Properties to display the Security page.


    Screen shot of the Security page.
  5. Fill in the fields:

    Require a Password to Be Set on the Handheld: Lets you specify that a password must be set on the Windows CE device. If your organization has a rule that states that all handheld devices must have a password, you should enable this policy. If a user does not have a password set, he or she will be prompted to create one.

    Pocket PC Options: Lets you specify enhanced security options for Pocket PCs. The options in this group box are disabled unless you check Require a Password to Be Set on the Handheld.

    • Enable Enhanced Password Support: Select this option to specify enhanced password support settings for Pocket PCs.

      For Pocket PCs, ZENworks for Handhelds replaces the Windows CE password applet if you select Enable Enhanced Password Support; users will see ZENworks for Handhelds password dialog boxes rather than the default Windows CE dialog boxes. The Enable Enhanced Password Support option will not function on handheld PCs.

      If, in the future, you want to remove the ZENworks for Handhelds password applet and restore the original Windows CE password applet, you will need to reconfigure the WinCE Security policy and disable the Enable Enhanced Password Support option and then resynchronize the device so that the policy is enforced. Uninstalling the ZENworks for Handhelds handheld client on the device or disassociating the device from the WinCE Security policy will not remove the ZENworks for Handhelds password applet replacement.

      NOTE:  You can replace the bitmap image that displays in the ZENworks for Handhelds password dialog boxes with a bitmap image of your choosing. For more information, see Replacing the ZENworks for Handhelds Password Dialog Box Bitmap Image.

      • Password Expires in _ Days: Check this box and specify the number of days after which the password expires. When the specified number of days has passed, the user will be prompted to change the password for the Pocket PC.

      • Limit Grace Logons to _ Attempts: Check this box and specify the number of grace logon attempts you want to allow the user before he or she must change the password for the device. After the number of days in Password Expires in _ Days, the user will be prompted to change the password. The user can choose to ignore this prompt and keep the same password for the number of logon attempts you specify.

      • Require Unique Passwords: Check this box to require that the user enter a new password; he or she cannot reuse the previous eight passwords.

      • Minimum Password Length: Check this box and specify the minimum number of characters to allow for the password on the device. You should choose a number great enough to ensure adequate security, but small enough not to excessively burden the user.

      • Require Alphanumeric Mix: Check this box to require that the user use both letters and numbers in the password. To improve the security of a password, it should contain both letters (uppercase and lowercase) and numbers.

    Pocket PC 2002 Options: Lets you specify how long the Pocket PC can remain turned off before a password prompt is displayed when the device is turned back on. For example, if you set this option to 5 minutes and the user turns the device off and then back on within 5 minutes, no password is required to use the device. However, if more than 5 minutes pass, the user must enter a password to use the device.

    • Display Password Prompt for Unused Devices Within: Check this box and choose a time limit from the drop-down list.

      The Windows CE device user can change the corresponding setting on the actual handheld device; however, the value you enter in the Display Password Prompt for Unused Devices Within field in ZENworks for Handhelds is the maximum amount of time the user can set; he or she cannot increase the time limit beyond this value.

  6. Click the Self-Destruct tab.


    Screen shot of the Self-Destruct page.

    The Self-Destruct page lets you configure self-destruct settings for Windows CE devices so that data is not accessible from handheld devices that are lost or stolen. When the self-destruct feature is activated, the data on the device is made unusable and the device must be manually reset, which restores the device to its out-of-the-box state.

    To use the self-destruct options for Windows CE devices, you must check the Enable Enhanced Password Support check box on the Security page. You cannot use the self-destruct options on handheld PCs because the Enable Enhanced Password Support option will not function on them.

    IMPORTANT:  Use caution when you use the self-destruct feature. Be sure to allow an adequate number of password attempts and an adequate number of days since the last connection or synchronization to prevent data loss to users who incorrectly enter the password or do not connect or synchronize the device during a short vacation.

    For Windows CE devices, ActiveSync does not automatically back up data. If the user has manually backed up the data, he or she can then manually restore the data to the device.

  7. Fill in the fields:

    Bad Password Attempts: Enable the Enforce Self-Destruct check box and specify the number of bad password attempts to allow before activating the self-destruct feature.

    Time Since Last Connection: Enable the Enforce Self-Destruct check box and specify the number of days after the last connection before activating the self-destruct feature. If the handheld device is using the ZENworks for Handhelds WinCE IP client, the Time Since Last Connection option refers to the last time the handheld device connected to the IP conduit machine. If the handheld device is using the ZENworks for Handhelds sync client, the Time Since Last Connection option refers to the last time the handheld device was synchronized.

    Each day is made up of 24 hours. If you connect (synchronize) the device on Monday at 2 p.m. and specify three days after the last connection before activating the self-destruct feature, the self-destruct feature will activate Thursday at 2 p.m. (72 hours after the last connection/synchronization) unless the device is connected/synchronized during that period.

  8. Click OK to save the policy.

  9. When you have finished configuring all of the policies for this package, continue with the steps under Associating the Handheld Package to associate the policy package.

  10. If desired, schedule the policy. For more information, see Scheduling Packages and Policies.
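The Time Since Last Connection arithmetic from the self-destruct steps above, as an added Python example (not ZENworks code) that tests a proposed day count against past connection gaps before the policy is enabled. The connection history, the second device name and the 24-hour warning window are constructed for the example.

```python
from datetime import datetime, timedelta

def self_destruct_deadline(last_connection, days):
    """Policy days are 24-hour periods counted from the last connection/sync."""
    return last_connection + timedelta(hours=24 * days)

def longest_gap(connections):
    """Longest interval between consecutive connections in a device's history."""
    ordered = sorted(connections)
    return max((b - a for a, b in zip(ordered, ordered[1:])), default=timedelta(0))

def would_have_wiped(history, days):
    """Devices whose past gaps reach the proposed Time Since Last Connection."""
    limit = timedelta(hours=24 * days)
    return sorted(dev for dev, conns in history.items() if longest_gap(conns) >= limit)

def due_soon(history, days, now, warn_hours=24):
    """(device, deadline) pairs whose deadline has passed or is within warn_hours."""
    cutoff = now + timedelta(hours=warn_hours)
    report = []
    for dev, conns in history.items():
        if not conns:
            continue                      # no recorded connection to count from
        deadline = self_destruct_deadline(max(conns), days)
        if deadline <= cutoff:
            report.append((dev, deadline))
    return sorted(report)

# Constructed connection history (not real data). 16 September 2002 is a Monday.
HISTORY = {
    "Dan m130": [datetime(2002, 9, 16, 14, 0), datetime(2002, 9, 18, 9, 0),
                 datetime(2002, 9, 20, 17, 0)],
    "Pat iPAQ": [datetime(2002, 9, 2, 9, 0), datetime(2002, 9, 9, 9, 0),
                 datetime(2002, 9, 20, 8, 0)],
}

if __name__ == "__main__":
    print(self_destruct_deadline(datetime(2002, 9, 16, 14, 0), 3))  # Thursday 2 p.m.
    print(would_have_wiped(HISTORY, 3))
    print(due_soon(HISTORY, 3, now=datetime(2002, 9, 22, 12, 0)))
```

A device listed by would_have_wiped has already gone at least that many days between connections, so the proposed setting would have activated self-destruct on it.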


Replacing the ZENworks for Handhelds Password Dialog Box Bitmap Image

You can replace the ZENworks for Handhelds bitmap image that displays in the following ZENworks for Handhelds password dialog boxes with a bitmap image of your choosing:

  • The login dialog box if you selected Enable Enhanced Password Support in Step 5.
  • The dialog boxes that display when the WinCE Security policy is enforced and you selected Require a Password to Be Set on the Handheld in Step 5.

    To replace the bitmap image in these dialog boxes, create a bitmap file called logo.bmp and place it in the ZENworks for Handhelds installation directory on the handheld device. The size of this bitmap image should be 240 pixels wide by 35 pixels high.


Associating the Handheld Package

The policies you configured and enabled will not be in effect until you associate their policy package with a handheld device object, a handheld group object, or a container object.

  1. In ConsoleOne, right-click the Handheld Package object, then click Properties.

  2. Click the Associations tab > Add.

  3. Browse for the container for associating the package, then click OK.


Scheduling Packages and Policies

Some policies can be scheduled to run at a certain time. During creation, all policy packages are given a default run schedule (Handheld Cradle/Connect, by default). This means that all applicable policies in this package will be enforced every time the handheld device is cradled or connects to the proxy service through the IP client. However, you can change the entire policy package schedule, or you can set a policy within the package to run at a different time from the rest of the package.

If you enable a policy but do not schedule it, it runs according to the schedule currently defined in the Default Package Schedule.

NOTE:  If you have configured and enabled policies, but they have not been enforced on individual handheld devices, ensure that enough time has passed for the policies to have reached their scheduled run time (hourly, by default). You can force an immediate directory scan to enforce policies by right-clicking the ZENworks for Handhelds Service object, clicking Actions, then clicking Scan Now.

The following sections contain additional information:


Changing the Handheld Package's Schedule

  1. In ConsoleOne, right-click the Handheld Package object, click Properties, then click the desired platform page.

  2. Click the Edit button in the Default Package Schedule group box.


    Screen shot of the Edit Policy Package Schedule dialog box.
  3. Make the desired changes to the schedule.

    Be aware that changing the policy package's schedule to run too frequently will affect performance, depending on your environment. The default schedule (hourly) should be adequate for most situations.

    NOTE:  Click the Help button for detailed information about the options in the Edit Policy Package Schedule dialog box.

  4. Click OK.


Changing an Individual Policy's Schedule

  1. In ConsoleOne, right-click the Handheld Package object, click Properties, then click the desired platform page.

  2. Check the check box under the Enabled column for the desired policy.

    This both selects and enables the policy.

  3. Click Properties.

  4. Click the Policy Schedule tab, then make the desired changes to the schedule.

    Be aware that changing an individual policy's schedule to run too frequently will affect performance, depending on your environment. The default schedule (Handheld Cradle/Connect) should be adequate for most situations.

  5. Click OK.