There is no API for locking down certain elements (programs, functions) on Windows Mobile and in fact there is not a lot of information out there on how to do such a thing.
There is information about security policies on Windows Mobile 5 and 6 in particular, and about testing tools such as the Device Security Manager. For information about security policies and certificates, see this blog. I am currently in the middle of writing a document about the signing and creating of certificates which I will publish soon…
So back to a simple way of locking down an individual program….
There are three ways of locking down Windows Mobile. They are:
● Kiosk solution (SPB Kiosk)
● Long hand (code “hack”)
● Lock-down product (Trust Digital)
Of course the Kiosk solution or any of the lock-down products are the easiest, but if you are fussy about using third party software or trying to keep costs down, then the long hand option might be the way to go. In addition, the Kiosk solution requires full screen, which in some cases is not desirable. Personally I like to stick to using my own code rather than using third party solutions. Based on this, I will talk about the Long hand (code) option.
A very simple way to stop end users from running an application is to create a zero-byte file with the same name as the executable you wish to block. So, for example, if you didn’t want a handful of your users using Pocket Internet Explorer, you would create a zero-byte file named iexplore.exe in the \Windows directory. I know this sounds strange, as if it might overwrite the existing file, but it merely “hides” it. To enable Pocket Internet Explorer again, simply delete the zero-byte file.
This is all fine, but what about the shortcuts? Simply tapping them after locking down the .exe will generate an error message that the application could not be found. A better way to handle this situation is to delete the shortcut file. For example if Pocket Internet Explorer is present in the Start Menu, you would need to delete the shortcut file: \Windows\Start Menu\Internet Explorer.lnk.
There is one thing you should bear in mind when deleting the shortcut file: when locking down File Explorer (\Windows\fexplore.exe), among others, the shortcut file is marked as read-only. A simple way of getting around this is to set the Attributes property of the FileInfo object to Archive, i.e.:
// Setting Attributes to Archive clears the read-only flag so the shortcut can be deleted
FileInfo ieShortcutStartMenuFile = new FileInfo(@"\Windows\Start Menu\Internet Explorer.lnk");
ieShortcutStartMenuFile.Attributes = FileAttributes.Archive;
Of course when you need to re-enable the application you will not only need to delete the zero-byte file but create the shortcut file as well.
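The lock and unlock steps above, put together as one helper. This is an added example, not code from the original post: the AppLock class and the \My Documents\LockBackup folder are assumptions made for illustration, and it restores the shortcut from a saved copy instead of building a new one.

```csharp
using System.IO;

// Added example: AppLock and BackupDir are hypothetical names, not from the original post.
static class AppLock
{
    // Assumed writable location for saved shortcuts (constructed path).
    const string BackupDir = @"\My Documents\LockBackup";

    // Block a ROM application: hide its executable behind a zero-byte file
    // and remove its Start Menu shortcut, keeping a copy for Unlock().
    public static void Lock(string exePath, string shortcutPath)
    {
        // Assumption: exePath is a ROM file, as in the post's examples.
        // File.Create would truncate an executable that was installed to RAM.
        File.Create(exePath).Close();

        if (File.Exists(shortcutPath))
        {
            // Some shortcuts are read-only; clear the flag first so that neither
            // the backup copy nor the delete fails on a later run.
            new FileInfo(shortcutPath).Attributes = FileAttributes.Archive;
            Directory.CreateDirectory(BackupDir);
            File.Copy(shortcutPath, BackupPath(shortcutPath), true);
            File.Delete(shortcutPath);
        }
    }

    // Re-enable the application: remove the zero-byte file, restore the shortcut.
    public static void Unlock(string exePath, string shortcutPath)
    {
        // Delete only the empty placeholder, never a real executable.
        if (File.Exists(exePath) && new FileInfo(exePath).Length == 0)
            File.Delete(exePath);

        string saved = BackupPath(shortcutPath);
        if (File.Exists(saved) && !File.Exists(shortcutPath))
            File.Copy(saved, shortcutPath, false);
    }

    static string BackupPath(string shortcutPath)
    {
        return Path.Combine(BackupDir, Path.GetFileName(shortcutPath));
    }
}

// Usage with the paths from the post:
// AppLock.Lock(@"\Windows\iexplore.exe", @"\Windows\Start Menu\Internet Explorer.lnk");
```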
This method of locking down applications can be applied throughout the device for all programs if required including some of the ROM installed apps:
Phone (for Phone Edition devices cprog)
It is also possible to limit access to the Settings window. This is as easy as deleting the \Windows\Start Menu\Settings folder. There is nothing contained in this folder, so you won’t lose any shortcuts/data. To re-enable, simply re-create the folder.