Installing a Certificate Using a Device Provisioning File

If you determine that you need to install a certificate using a device provisioning file, use these instructions.

To install a certificate using a device provisioning file

  1. Ensure that you have installed a registry editor on the device and the software tools required for the device provisioning file certificate installation method.
  2. Connect the mobile device to your computer.
  3. Open the registry editor, and then modify the Unsigned CAB Policy (4101) setting by going to the registry key HKEY_LOCAL_MACHINE\Security\Policies\Policies\. Edit ‘00001005’ (4101), changing the value to 16.
  4. Generate a _setup.xml file that contains the following, where the THUMBPRINT and BASE64 values are derived from the certificate file, as described in the subsequent steps:

<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="THUMBPRINT">
        <parm name="EncodedCertificate" value="BASE64 Data"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

  5. On the computer, open the certificate (.cer) file that you want to install on the device, click the Details tab, and then click Thumbprint. Copy the Thumbprint value, paste it into the _setup.xml file, and then remove all spaces from the value.
  6. Also on the Details tab of the certificate, click Copy to File, and then follow the wizard instructions to export the file to a Base64 format. Use a text editor to open the exported file, and then copy the encoded portion between BEGIN and END. Paste that value into the _setup.xml file, and then remove all spaces and carriage returns from the encoded portion.
  7. To create a cabinet file, open a command window, and then navigate to the directory where you installed MakeCAB. Type makecab /D COMPRESS=OFF _setup.xml mycpf_Uncompressed.cpf.
  8. To sign the cabinet file, navigate to the directory where you installed SignTool, and then type signtool sign /f some-privatekey.pfx mycpf_Uncompressed.cpf, where some-privatekey is chained to a certificate in the SPC certificate store.
  9. To copy the cabinet file to the device, navigate to the directory where you installed CECopy, and then type cecopy <certificate>.cpf "dev:\Windows\Start Menu".
  10. To install the cabinet file on the device, navigate to the device’s Windows\Start Menu directory, and then double-tap the .cpf file. If necessary, navigate to the directory where you installed RAPIStart, and then type rapistart \Windows\wceloadsp.exe "\"\Windows\Start Menu\<certificate>.cpf\"" /silent /confignotify /verifyconfig.
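
The hand-editing in the _setup.xml steps above (copying the thumbprint, stripping spaces and carriage returns from the Base64 data) can be scripted and checked before the file is packaged and signed. The following Python sketch is an added example, not part of the original card or of any Microsoft tool; the function names are hypothetical, and it relies on the Thumbprint field being the SHA-1 hash of the certificate's DER bytes.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_der(cer_bytes):
    """Return DER bytes from a .cer export that is either Base64 or binary."""
    match = PEM_RE.search(cer_bytes.decode("latin-1"))
    if not match:
        return cer_bytes  # already binary DER
    body = "".join(match.group(1).split())  # drop spaces and line breaks
    return base64.b64decode(body, validate=True)


def build_setup_xml(cer_bytes, store="ROOT"):
    """Build the provisioning document for one certificate."""
    der = load_der(cer_bytes)
    # The Thumbprint shown in the certificate dialog is SHA-1 over the DER bytes.
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    doc = ET.Element("wap-provisioningdoc")
    node = ET.SubElement(doc, "characteristic", type="CertificateStore")
    node = ET.SubElement(node, "characteristic", type=store)
    node = ET.SubElement(node, "characteristic", type=thumbprint)
    ET.SubElement(node, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


def verify_setup_xml(xml_text, expected_thumbprint):
    """True only if the file holds one certificate whose SHA-1 matches both
    the declared THUMBPRINT and the value confirmed out of band."""
    want = "".join(expected_thumbprint.split()).upper()
    found = [(node.get("type", ""), parm.get("value", ""))
             for node in ET.fromstring(xml_text).iter("characteristic")
             for parm in node.findall("parm[@name='EncodedCertificate']")]
    if len(found) != 1:
        return False
    declared, value = found[0]
    try:
        der = base64.b64decode(value, validate=True)  # rejects stray spaces
    except ValueError:
        return False
    return declared.upper() == hashlib.sha1(der).hexdigest().upper() == want


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    sample = bytes(range(64))
    xml_text = build_setup_xml(sample)
    print(xml_text)
    print(verify_setup_xml(xml_text, hashlib.sha1(sample).hexdigest()))
```

Run verify_setup_xml against the thumbprint your administrator confirmed for the root certificate, so that a _setup.xml carrying a different or additional certificate is caught before it is signed.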

Disabling Certificate Revocation List (CRL) Checking

If you are unable to install certificates on your device using the previously described certificate installation methods or if you encounter problems connecting to the server using TLS when you try to sign in to Communicator Mobile after installing the certificates, you can disable CRL checking for Communicator Mobile.

If you disable CRL checking, the device cannot verify the authenticity or certificate revocation status of the servers to which you connect. Connecting to unknown servers is a serious security risk. We recommend that you do not disable CRL checking if your deployment meets the following criteria:

  • Your Windows Mobile powered device is not locked.
  • You have sufficient privileges on the mobile device to install the certificates required for Communicator Mobile to connect to Office Communications Server.

WARNING: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To disable CRL checking

  1. Connect the mobile device to your computer, and then open the registry editor.
  2. Modify the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings\DisableCertCheck. Edit the registry key to change the value to 1.


Installation and Configuration

Getting Started

This Quick Reference Card provides instructions for installing and configuring Microsoft Office Communicator Mobile on your Windows Mobile powered device. Installation and configuration tasks include:

  • Installing the Communicator Mobile software
  • Configuring your account and server information
  • Installing certificates

Before you start using Communicator Mobile (2007 release), verify that you have the required hardware and software.

Hardware and Software Requirements

To use Communicator Mobile, you must have a Windows Mobile powered device running one of the following operating systems:

  • Microsoft Windows Mobile® 6.0 Professional (Pocket PC)
  • Windows Mobile Classic (smartphone)
  • Windows Mobile 5.0 for Pocket PC
  • Windows Mobile 5.0 for smartphone

On the computer that you use to install Communicator Mobile to your mobile device, you must have one of the following:

  • Windows Mobile Device Center 6:
  • Microsoft ActiveSync® 4.5:
  • ActiveSync 4.2:

If you encounter installation issues that require you to edit the registry and your device does not have a built-in registry editor, you can use one of the following:

  • Remote Registry Editor tool that is installed with Microsoft Visual Studio® 2005
  • Free third-party registry editor available for download on the Internet. For example, PHM Registry Editor, which is available for download from

Additional Tools Required to Install Certificates

If you determine that you need to install a certificate to use Communicator Mobile in your organization, use some or all of the following tools, as appropriate:

  • SPAddCert: Adds root certificates to devices that have the Unrestricted Application Security Policy or to restricted devices if it is a version of SPAddCert that is signed and distributed by the mobile operator.
  • MakeCAB: Creates the cabinet file that contains the XML provisioning file.
  • CECopy: Copies the cabinet file to the device.
  • RAPIStart: Installs the cabinet file onto the device.
  • SignTool: Digitally signs files, verifies signatures in files, or time stamps files.


Installing Communicator Mobile (2007 Release) Software

Before you install Communicator Mobile, ensure you have met all requirements, including the following prerequisites:

  • You must remove all other versions of Communicator Mobile before installing Communicator Mobile (2007 release).
  • The folder to which you download the Communicator Mobile Windows Installer package (.msi) must not be encrypted.
  • Installation requires approximately 7.5 MB of space. Ensure there is sufficient space on your mobile device.

To install Communicator Mobile using ActiveSync (Windows Server 2003, Windows XP, or earlier)

  1. Connect your mobile device to the computer running ActiveSync.
  2. In Windows Explorer, double-click the CommunicatorMobile.msi Windows Installer file.
  3. On the Welcome to the Microsoft Office Communicator Mobile Setup Wizard page, click Next.
  4. Review the license agreement, and then click I accept the terms in the license agreement if you agree to the terms of installation (required to continue). Click Next to continue.
  5. To use the default location to install the program files, click Next. To change the location where the files are installed, click Location, and then type the location on your computer where you want to install the Communicator Mobile files. When you are finished, click Next.
  6. Click Next to start installing files.
  7. In the Installing Applications dialog box, click Yes to install Communicator Mobile to the default location.
  8. In the Application Downloading Complete dialog box, click OK.
  9. Click Close to close the wizard.

To install Communicator Mobile using Windows Mobile Device Center (Windows Vista)

  1. Connect your mobile device to the computer running Windows Mobile Device Center.
  2. Copy the CommunicatorMobile.msi Windows Installer file to your computer.
  3. Click Start, click All Programs, click Accessories, and then double-click Command Prompt.
  4. At the command prompt, browse to the folder where you copied the Windows Installer file for Communicator Mobile.
  5. Type the complete name of the Windows Installer file, and then press ENTER.
  6. On the Welcome to the Microsoft Office Communicator Mobile Setup Wizard page, click Next.
  7. Review the license agreement, and then click I accept the terms in the license agreement if you agree to the terms of installation (required to continue). Click Next to continue.
  8. To use the default location to install the program files, click Next. To change the location where the files are installed, click Location, and then type the location on your computer where you want to install the Communicator Mobile files. When you are finished, click Next.
  9. Click Next to start installing files.
  10. In the Installing Applications dialog box, click Yes to install Communicator Mobile to the default location.
  11. In the Application Downloading Complete dialog box, click OK.
  12. Click Close to close the wizard.


Configuring Server and Account Information

You need to configure Communicator Mobile with your account details, including your account and server information, before you can use it. You can configure Communicator Mobile manually or using a client provisioning file.

To configure your account

  1. Do one of the following:
     • If you are signed in, tap Menu, and then tap Options.
     • If you are not signed in, tap Options.
  2. Tap the Account tab, tap Sign-in address, and then type your Communicator sign-in address, which is usually the same as your e-mail address. If you do not know your Communicator sign-in address, contact your system administrator.
  3. Tap Domain\username, and then enter your domain name and user name in the specified format.
  4. Tap Password, and then type the password for your domain account.
  5. Optionally, select the Remember password check box if you do not want to type your password every time you sign in to Communicator.
  6. Optionally, tap Sign in as and then tap the presence status that you want to display when you sign in.

To configure your server address

  1. Do one of the following:
     • If you are signed in, tap Menu, and then tap Options.
     • If you are not signed in, tap Options.
  2. Tap the Server tab, and then do one or both of the following:
     • Tap External server name, and then enter the full address (including port number) for Office Communications Server that is used by users connecting from outside your organization.
     • Tap Internal server name, and then enter the full address (including port number) for Office Communications Server used by users connecting from inside your organization.

     You must include the port number in the server address in <server address>:<port number> format. For example, sip.contoso.com:443. If you do not know the external or internal server address, contact your system administrator.

  3. Tap Connect using, and then tap either TLS to connect by using Transport Layer Security protocol or TCP to connect by using Transmission Control Protocol. If you are not sure which to use, contact your system administrator.
  4. When you are finished, tap ok.


Configuring Sign-In and Alert Options

You can configure Communicator Mobile to sign in automatically when the device starts or whenever you regain a lost network connection. You can also configure Communicator Mobile to alert you to contact presence changes or incoming conversations.

To configure sign-in options

  1. Do one of the following:
     • If you are signed in, tap Menu, and then tap Options.
     • If you are not signed in, tap Options.
  2. Tap the General tab, and then do one or both of the following:
     • To automatically start Communicator and sign in whenever you start your mobile device, select the Automatically sign me in check box.
     • To automatically sign in to Communicator whenever the device establishes a connection to the network, select the Reconnect if network lost check box.
  3. When you are finished, tap ok.

To configure alerts

  1. Do one of the following:
     • If you are signed in, tap Menu, and then tap Options.
     • If you are not signed in, tap Options.
  2. Tap the Alerts tab, and then do one or both of the following:
     • To display alerts when a tagged contact’s presence status changes from unavailable to Available, select the Display status alerts for tagged contacts check box. For information about tagging contacts, see the Microsoft Office Communicator Mobile (2007 Release) User’s Guide.
     • To display alerts even when your presence status is set to Do Not Disturb, select the Display alerts when my status is Do Not Disturb check box.
  3. When you are finished, tap ok.

To add audio alerts, also see “Configuring Device Alerts” in this card.

Configuring Device Alerts

When you want to receive more than a visual notification for presence status updates or incoming conversations, also configure the device’s audio alerts.

To configure device alerts on a Pocket PC

  1. Tap Start, tap Settings, and then tap Sounds & Notifications.
  2. In Sounds & Notifications, tap the Notifications tab.
  3. Tap the Event list, and then do one or both of the following, according to your preferences:
     • To receive an audio alert when you receive a new message, tap New message: Communicator, and then select the Play sound check box. Optionally, select the Vibrate check box to also make the device vibrate when you receive an incoming conversation.
     • To receive an audio alert when the status of a tagged contact changes, tap Status change: Communicator, and then select the Play sound check box. Optionally, select the Vibrate check box to also make the device vibrate when you receive a presence update.
  4. When you are finished, tap ok.

To configure device alerts on a smartphone

NOTE: Audio alerts are not available on all smartphones.

  1. Click Start, click Settings, and then click Sounds.
  2. Click Sounds, and then, under New instant message, click the sound that you want to alert you to an incoming conversation.
  3. When you are finished, click Done.


Installing Certificates

Certificates help keep your network secure by authenticating the Office Communications Server to which Communicator Mobile connects. In order to perform authentication, Communicator Mobile requires that the root certificate that is part of the server certificate is installed on your mobile device. In your organization, it may not be necessary to install certificates to use Communicator Mobile. See your administrator for more information.

Enabling Certificate Installation

Before you install certificates, you will have to configure your device to allow you to install certificates. If your device does not have a built-in registry editor, install one of the free registry editors that are on the Web.

To enable certificate installation

  1. Connect the mobile device to your computer.
  2. Open the registry editor.
  3. Modify the Grant Manager Policy (4119) setting by going to the registry key HKEY_LOCAL_MACHINE\Security\Policies\Policies\. Edit ‘00001017’ (4119), changing the value to 16.

WARNING: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Choosing a Certificate Installation Method

The certificate installation method that you use will depend on your device and the permissions that you have on the device. In your organization, it may not be necessary to install certificates to use Communicator Mobile. See your administrator for more information.

To determine the certificate installation method to use, answer the following questions:

  1. Are you using a trusted third-party Certification Authority (CA) on the device?
     • If yes, work with the third-party CA (for example, VeriSign, CyberTrust, Entrust, and so on) to obtain and install the certificate.
     • If no, are you using a trusted third-party CA that is not on the device?
         • If yes, request your mobile operator to install the certificate on the device.
         • If no, proceed to the next set of questions.
  2. What type of device are you using?
     • If you are using a Pocket PC device, use the Install a Self-Signed Certificate on a Pocket PC installation method.
     • If you are using a smartphone device, proceed to the next set of questions.
  3. Is the value of the Grant Manager policy on the device set to 144 (Manager role granted to both OPERATOR_TPS and USER_AUTH roles)?
     • If yes, use the Install a Self-Signed Certificate on a Smartphone installation method.
     • If no, does the mobile operator support using a signed version of the SPAddCert tool? (Operators known to support a signed version of SPAddCert include Verizon and Sprint.)
         • If yes, use the mobile operator-signed copy of SPAddCert to install the self-signed root certificate.
         • If no, your device is locked. You do not have the security permissions to install certificates. Contact your mobile operator to add root certificates. (Operators known to lock devices include Orange and Sprint.) If your device is locked, the following message will display: This device is currently secured such that certificates cannot be added to the root store. For support please contact your device administrator.

If none of the previously described options succeed or if you prefer, use the Install a Certificate Using the Device Provisioning File method described later in this card.

For detailed information about tools used to install certificates for Communicator Mobile, see the Microsoft Office Communicator Mobile (2007 Release) Planning and Deployment Guide.

Installing a Self-Signed Certificate on a Pocket PC