Removing Application Lock on Windows Mobile Standard Devices

September 4, 2009 9:30 am By Mike Temporale 146 Comments

Now that we know about Application Lock and the general principles behind it, we need to look at how to remove it from our phone so that you can install any application and make more customizations to your device.

Using an XML Provisioning file, you can load and change a number of settings, more commonly referred to as Configuration Service Providers, on your Windows Mobile device. You can find a really good list of the different Configuration Service Providers that can be changed here on MSDN. Depending on the configuration service you want to set, there are different delivery options available to use. When it comes to Application Lock, we’re interested in 4 specific settings.

Security Policy 4102 – This policy decides if the device can run unsigned applications. A value of zero (0) means that it’s locked and that no 3rd party signed applications, like Mobile2Market will be allowed. A value of one (1) means that the setting is unlocked and that 3rd party signed applications should be allowed to run. This policy is related to the following registry location: HKLM\Security\Policies\Policies\00001006. We need to set this to the unlocked state of 1.

Security Policy 4122 – This policy determines if a user should be prompted when an unsigned application attempts to run. The settings are reverse of 4102. A value of zero (0) means that there are no prompts. A value of one (1) means that the security is turned on and that you will be prompted when a unsigned application attempts to run. This policy is related to the following registry location: HKLM\Security\Policies\Policies\0000101a. We need to set this value to the unlocked state of 1. However, that means that we will be prompted when unsigned applications attempt to run.

Security Policy 4123 – This policy decides if the device should act as a two-tier or one-tier security. A value of zero (0) means that the device will act in the two-tier security profile. A value of one (1) means that it would act in the one-tier security profile. This policy is related to the following registry location: HKML\Security\Policies\Policies\0000101b. By default, Windows Mobile Standard devices have this value set to 0 – two-tier security. We need to set this to a value of 1.

Security Policy 4097 – This policy determines what level or rights a desktop computer has when making calls over the ActiveSync (RAPI) channel. A value of zero (0) means disabled and that an application running on the desktop computer has no rights on the mobile device. A value of one (1) means allowed and that an application running on the desktop computer has access and rights on the mobile device. a third value of two (2) means restricted and that an application on the desktop computer has the same level of permissions as the user on the device. This policy is related to the following registry location: HKLM\Security\Policies\Policies\00001001. We need to set this value to 1.

Now that we know what security policies we want to change and what registry settings they reflect, we can just change those registry values and be done, right? Unfortunately, it’s not that easy. Remember, the device is still application locked at this point. So we need an application that is considered to be trusted to be installed on the device to make changes to those values. In the past, there has been hacks that allowed you to application unlock your device. They typically involved a number of steps like; changing a registry value or two, then rebooting, then running a desktop tool, and then rebooting, and then maybe, just maybe, you might be able to change the rest of the registry and have an unlocked device.

Now that we know the security policies we need to work with, we can put them together into an XML format that can be run on the device. Here’s the resulting XML:

<wap-provisioningdoc>
<characteristic type=”SecurityPolicy”>
<parm name=”4102″ value=”1″ />
<parm name=”4122″ value=”1″ />
<parm name=”4123″ value=”1″ />
<parm name=”4097″ value=”1″ />
</characteristic>
</wap-provisioningdoc>

Now we need an application that has privileged access on the device so that we can use it to change the security policies. Unfortunately, applications that are privileged signed are not easy to come by. Typically, the privileged access is reserved applications that are aimed at enterprise users and not the average consumer. SOTI, the makers of Pocket Controller Pro, have just such a product – MobiControl. MobiControl is a full featured device management tool that is privileged signed, allowing you to have full control over every aspect of your fleet of mobile devices.

Once you’ve downloaded and installed MobiControl, you simply build an agent for your device, install it onto said device and then you can use that agent to run the XML Provisioning document outlined above. SOTI offers a full featured 30 day trial version. Which means you don’t have to pay anything to do this.

But that seems like a lot of work just to disable the application lock on your device. So I’ve gone ahead and built an agent that will automatically disable Application Lock on Windows Mobile Standard devices during the agent install. Simply download MobileJaw-ClearSecurity-MobiControl and run it on your device. After the install is complete, open the Start menu / Settings / Remove Programs and be sure to uninstall SOTI MobiControl from your device. If you leave this agent on your device it will have an adverse effect on your battery life as the agent will continually try and connect back to the device management server. I used a non-routable internal IP Address (192.168.1.128). So there’s no worry about it actually connecting back to some backend server and uploading all your data.

That’s all there is to it. Just install and remove this agent and then Application Lock will be disabled on your device. This works on any Windows Mobile Standard device running Windows Mobile 5, 6, or 6.1. So it doesn’t matter if you have a BlackJack, Ozone, Jack, Snap, Matrix Pro, or Moto Q. It even works on upcoming 6.5 devices from HTC, LG, Samsung, Motorola, and other manufacturers. It’s a little early to say if it will work on Windows Mobile 7 devices. But we’ll cross that bridge when the time comes.

UPDATE (24-Oct-2009) – With the release of Windows Mobile 6.5, application lock can now be found on touch screen devices. This was never the case before. If you have a touch screen device (Windows Mobile Professional), please use this CAB file – MobileJaw-ClearSecurity-MobiControl-TouchScreen – to remove application lock on your device.

Anyone with non-touch screen devices (Windows Mobile Standard) should continue to use this CAB file – MobileJaw-ClearSecurity-MobiControl – to remove their application lock.

Filed Under: Articles Tagged With: Application Lock, Mobile Device, Remove, Security, Standard, Windows Mobile

About Mike Temporale

Mike Temporale has written 603 posts on Mobile Jaw..

Mike Temporale grew up fascinated by computers since an early age. His first hands on with a computer came when he was 7 years old and a travelling lab of Commodore PET computers made a stop at his school. Hooked on the new world these devices offered, he took any chance possible to get in front of a computer. When Compaq launched the iPaq 3600, he was hooked again. This time on a whole new world of mobile computing. Today, Mike spends his day helping clients deploy and manage their mobile device around the world. From installing custom software, to locking and securing data, and everything in between. He is also the Editor in Chief at Mobile Jaw - a site focused on today's mobile world.

Walt Barnes

Aloha Mike – Crazy but I can’t get it to work on my AT&T Samsung Blackjack II flashed to 6.1. If I just install your MobileJaw-ClearSecurity-MobiControl cab file and use file manager to try to execute it I get the install unsuccessful becuase not digitally signed with a trusted certificate. I get the same thing if the cab is in main memory or on the storage card. Interestingly enough. If I download and install MobiControl and then go through the progress of making a default agent for my phone, that does install OK. Any suggestions how to get your cab working? Or what I need to do to install the security policy to allow other installs via MobiControl. Thanks.
http://www.MobileJaw.com Mike Temporale

@walt – Interesting. I’m not sure why the agent is failing to install. When you try and run it, you should be prompted with a message “Do you trust this application”. If you say Yes to that, you shouldn’t have any problems. Are you using the AT&T BJII? Or is it from another carrier?

Regardless, if you went through the hassle of downloading, installing and building an agent in MobiControl. Then all you need to do is copy the XML from above to a text file and rename the file to .XML. Copy the text file to your device in the root folder. Then remote control the device, click the DOS screen and type the following:

xmlconfig \{yourtextfile.xml}

And that will remove the application security lock on your device.
Jon Bond

Another Telecom NZ HTC Snap 523 successfully unlocked. No SD card in this one. Install/uninstall went 100% according to the instructions
Thanks Mike.
Walt Barnes

Bizarre – there must be some underlying other problem with my AT&T BJ II WM 6.1 phone. The symptom was anything unsigned I tried to install went directly to the “install unsuccessful… no valid signed certificate” without prompting me if I wanted to continue the install. Even the custom made agent provided here got the same result. On my other WM 5, 6, and 6.1 phones I am used to getting the prompt, saying “yes” and continuing the install. Also attempts to run imported, built exe applications failed.

I was able to install the entire MobiControl demo, make my own agent, and install that to gain remote control over the phone. As suggested, using a remote DOS window I was able to xmlconfig and make the registry changes as suggested. Yea.

Now I can run imported, built exe applications and using a local registry editor I can verify the specific registry changes have been made. And I can make other registry changes if I want to.

Now for the bad news… I still am stuck with exactly the same “install unsuccessful… no valid signed certificate” when I try to install any application .cab file.

Could there be some other security registry setting I might need?

Could there be some other problem with the default certificates I should have that is shutting me down before I even get to the typical prompt?
Jon Bond

Just used this on another Telecom NZ HTC Snap 523. This one had been upgraded to Windows Mobile 6.5

No problems at all.
http://www.MobileJaw.com Mike Temporale

@walt – there must be something weird going on under the covers with your BJII. I have an AT&T BJII here and this works like a charm.

If you can, I would suggest hard reseting the BJII and then trying this again. It’s almost like something is wrong with the default certificates on the device.
http://www.MobileJaw.com Mike Temporale

@Jon – Excellent!
Imagio

Has anybody tried this on a verizon Imagio?
Robert

I tried it on My Samsung Jack it will not accept it.
http://www.MobileJaw.com Mike Temporale

@Imagio – This is for non-touch devices (also known as Windows Mobile Standard). I have setup a version for touch screen devices (Windows Mobile Professional) running 6.5, but I don’t have a device to test it on. Please check out this post and see how things work for you.

Remove Application Lock on Touch devices:
http://www.mobilejaw.com/articles/2009/10/application-lock-makes-its-way-to-touch-screen-windows-mobile-6-5-devices/
http://www.MobileJaw.com Mike Temporale

@Robert – I’m sorry you’re having problems. I can assure you that this does work on the Jack, as I have personally used it on numerous Samsung Jack’s, BlackJacks, and BlackJack II’s.

If you can provide some information about the problem you are having, I can help you get things working.
Rodney

I copied the cab file over to my WM 6.5 phone, tapped it in file explorer, but the cab file won’t execute. This is the same problem I’m having while trying to install other cab files, I thought it was because of this application lock?
http://www.MobileJaw.com Mike Temporale

@Rodney – What device do you have? What programs are you trying to run that fail? What error do you get when you run the CAB file?
Rodney

I have a T-Mobile HTC Touch Pro 2. It doesn’t seem that any CAB files execute, including the one I downloaded from this page. I don’t get an error, just nothing happens when I tap the CAB file. Appreciate the help that you are giving.
http://www.MobileJaw.com Mike Temporale

@Rodney – The Touch Pro 2 is a touch device. The application unlock CAB i have here is for non-touch devices.

As far as I have seen, application lock is not enabled on the TP2. If you are having problems installing CABs, make sure that they are for TOUCH devices (sometimes called Pocket PC or Professional). If the CAB says Standard or Smartphone (these are terms used with non-touch devices) then chances are it won’t work on your device.
Rodney

Thanks again for your response, Mike. I pulled down the CAB file from your 10/24/2009 Update that was for touch screens, so I thought it applied to my phone. I was hoping that the application lock was the reason for my problem The CAB files that won’t install are for Touch screen phones, as I was using it on my HTC Touch Pro under WM 6.1. Strangely enough, Pocket Quicken would install on my new WM 6.5 phone, but not anything else. Things that wouldn’t install was Intelligolf, Tom Tom Navigator 6, and a Windows Mobile Stopwatch made by Time Central. None of those CAB files, like your utility, would even begin installing. When I tap the CAB file, nothing happens.
http://www.MobileJaw.com Mike Temporale

@Rodney – Ah, ok. Now I’m following. That CAB file should work on your device. However, I still don’t expect application lock to be enabled on that device. It may be – based on the carrier and whatnot. But the ones I have seen don’t have it enabled. The Imagio is another story…

From the sounds of it, there is something else going on with your device. If you try and run a CAB you should see something. It should at least come back with an error that the CAB is not supported on your device, or that it failed to install. If you’re not seeing any message, then there is a bigger problem.

When you run a CAB file, there is a program called WCELOAD.exe that is used to unpack the CAB and install it’s contents. There can only be one copy of WCELOAD running at a time. I would start be rebooting your device. If WCELOAD is hung in memory or some other issue has come up with it, this should fix it.

If rebooting doesn’t help, your next option would be a hard reset. That would return it to factory default settings and you will be good to go.
Rodney

Mike – You’re a genius! A soft reset did the trick. So simple, I don’t know why I didn’t think of it. I’m new to this website. I know you don’t work for free. Are there products, etc. I should be looking at to make it worth your while? Thanks a bunch! Rodney
Dawn

Hi. I followed you here from the XDA App Unlock thread for the Samsung Propel Pro.

I downloaded the Clear Security .cab file provided in this article to my desktop computer. I then turned on my Propel Pro, and connected it to my computer, which automatically triggered ActiveSync. I then transferred the .cab file onto the phone.

When I unplug my phone from the computer and look for the file in order to install it, it is not there! I have tried this several times with no luck. When I look at the contents of my folders with ActiveSync on my computer, I can see the file, but for some reason, it is not visible to my phone in Windows Mobile Standard 6.1.

I have tried downloading the .cab file directly from this page using my phone’s browser, but instead of downloading the file, it shows a garbled text file instead. I think this is the result of the app lock itself which blocks .cab downloads.

How can I run this .cab on my phone?

Thanks for any help you can give me.
http://www.MobileJaw.com Mike Temporale

@Dawn – Samsung has 2 file explorer apps, one called “My Stuff” and the other called “File Explorer” The first one is specific to Samsung devices and will only show certian file types – like documents, media files, etc.

File Explorer can be found in the Applications folder and is the file browser that ships with Windows Mobile. It sounds to me like you might be browsing using My Stuff and not File Explorer.

Also, when you copied it to the device, where abouts did you place the file?
Dawn

Mike, you are absolutely right — I was mistakenly using My Stuff instead of File Explorer.

I downloaded the .cab to My Documents and opened it up in File Explorer as you described, and this time I was able to install it, uninstall it, and thereby app unlock my phone.

Thank you again for all your help.
Sam

I’ve got a HTC HD2. I’ve installed the touch screen cab file and the unsigned file is still not installing.
Any ideas on how i could resolve this?
http://www.MobileJaw.com Mike Temporale

@Sam – what’s the CAB file you’re trying to install? What’s the error you’re getting on install?
Sam

Mike im installing this CAB file – MobileJaw-ClearSecurity-MobiControl-TouchScreen.

It installs fine, then when i try to install a setup on my phone i get the error “the file cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. If the problem persists, try reinstalling or restoring this file.”
http://www.MobileJaw.com Mike Temporale

@Sam – Ok, so there are no errors when you install the ClearSecurity CAB. That’s a good sign. What is the CAB file you are installing after? I’ll try it here on my HD2 and see if I get the same error.
Robert

I tried to hard, clear reset and installed again, it worked great on my Jack, thanks!!!
mike

Hi,

My Samsung with Windows mobile 5.1.525 with \messaging and security feature pack.\ no way. It doesn’t even install the program MobileJaw-ClearSecurity-MobiControl because its not digitally signed with a trusted certifiate !!
Rick

Hi Mike – Does the MobileJaw Unlock CAB enable tethering on the Samsung Jack with Windows 6.5? I’ve seen this discussed in other forums, but would like to know before I unlock my device. In fact, this would be the main reason for unlocking and also to remove ATT pre-installed software and games. Thanks!
mike

Rick, I can’t tell you because MobileJaw Unlock CAB doesn’t work with Windows mobile with MSFP (mine is Telefonica’s corporate Samsung terminal)
http://www.MobileJaw.com Mike Temporale

@mike – It should work with Windows Mobile 5.1. I can test this next week when I’m back home and have access to my Original BlackJack. Use the contact page to drop me an email (so I don’t forget) and I’ll see what I can find. It might be that I built the agent focused on WinMo 6. I should be able to rebuild it for 5 without any issues.
http://www.MobileJaw.com Mike Temporale

@Rick – application unlocking your device will allow you to make the needed changes to enable tethering.
kris

Hi, I have an HTC TP2 (vzw) WM6.5. I’ve run the clearsec-touch.cab and saw the expected ‘device is now app unlocked’ but I still cannot install a 3rd party .cab. I get “Installation was unsuccessful. The program or setting cannot be installed because it does not have sufficient permissions.” I have played with HKLM/sec/pol/pol/1001,1005,1006,1017,101a & 101b settings but cannot seem to drop the security enough to install this app. Any ideas?
Mario Fernandez

Hello,

My case is a bit strange. I have a problem trying to uninstall an application in my Windows Mobile PDA an I get a message of “Permission denied”. The problem is that the app i’m trying to uninstall is SOTI MobiControl Device Agent. The exact message i’m getting is: “Permission denied to uninstall SOTI MobiControl Device Agent”.

Surprisingly, when i install MobileJaw-ClearSecurity-MobiControl-TouchScreen.cab and Cancel installation of MobiControl agent, the I’m able to uninstall SOTI MobiControl Device Agent. But only the first time: when i reinstall SOTI MobiControl Device Agent then I cannot uninstall it again until I re-launch MobileJaw-ClearSecurity-MobiControl-TouchScreen.cab. So, what happens with the security settings in this case??

Regards,
Mario.
http://www.MobileJaw.com Mike Temporale

@Mario – Permission denied is displayed when the server is set to prevent the the agent from be removed from the device. It sounds to me like your organization has loaded this agent on your device, correct? You will need to talk with the MobiControl administrator about having it removed.
kris

HTC TP2 (vzw) – working now. I believe I had 2 bad .cabs or at least not correct .cabs for my TP2. I have been able to install other .cabs that I could not prior so the ‘clear security’ worked for me. Thanks!
Mario Fernandez

Mike,

Thanks for the reply, but that is not the case as I am the administrator of SOTI. I’m installing the device agent in Motorola MC75 devices. Acoording to SOTI, there should be no problem in uninstalling the Agent through Remove Programs feature, but there is no way.

In addition, it could never be a server problem as i can uninstall the Agent the first time after the installation of MobileJaw-ClearSecurity-MobiControl-TouchScreen.cab. I have checked the registry setings i Security Policies and they are the same before and after the installation. Any other ideas of why cannot be uninstalled?
http://www.MobileJaw.com Mike Temporale

@Mario – When the agent is built, you can set it such that it can not be uninstalled from the device. When you try and remove that agent from the device, you will get a “Permission Denied” error. When you installed my MobiControl-ClearSecurity CAB, it over-wrote the settings of the original agent and thus allowed you to unsintall the agent. (My CAB version does not have this setting enabled)

I’ve installed the agent and removed it from many a MC75.
prahasa

i m using LG eXpo.
i am not able to unlock it using the cab.
my visual studio cannot connect to the device. it says boostrap failed.

Kindly someone help.
Gagan

Thank you so much, It removed the lock just followed your instructions.
Michael

Just tried to install on a new HTC Snap – fails as it claims cab is not signed with trusted certificate!

Please advise
TheSamim

Thank you! Worked like a charm, no fuss no muss, on a Jack i637. Finally got rid of ATT Navigator!
emanuel

Unfortunately, for me it doesn’t work. I have a Samsung Omnia B7330 with WM6.5 Standard, I get always the stupid certificate error.
The installation of MobileJaw-ClearSecurity-MobiControl went OK, I checked the registry key values, everything seems to be fine – but it’s not MS with WM6.5 s*cks big time (again)!!
theSamim

@emanuel: To ask the obvious question: Have you tried restarting (turn off/turn on) the phone after installation?
emanuel

@theSamin: Yes sure, I ran the cab, waited 30 seconds and did a turn off/on. I think the problem is that my phone has WM 6.5
http://www.MobileJaw.com Mike Temporale

@emanuel – It’s not a Windows Mobile 6.5 issue. I have used this on the Samsung Jack without any issues.

What certificate error are you getting? Can you post the wording of it here so I can better understand what’s going on. Thanks!
paul

We just got moto mc75′s at work.win 6,1 with touch screen.it has mobicontrol requiring an admnin password to exit the company’s front end with links to the very few features of the phone.witch cab should I attempt to install, will it just disable that mobi login so i can turn on my bluetooth,and not mess up the front end the company put on?
http://www.MobileJaw.com Mike Temporale

@paul – Sorry, this article is not about bypassing MobiControl’s security. This will only work on devices that are not centrally managed.

If you require bluetooth enabled, you will need to talk with the administrator of your MobiControl system.
Rui

Hi, I an SE X1i and my company IT people loaded some email certificates that were required. Since then I have this app lock problem. I have tried everything on this forum and have not had any success. Downloaded Mobicontrol v7, only one I could find, even had to install SQl server 2005 to be able to complete the installation. I cannot pickup my device in MC, I create the agent to the best of my knowledge and it installs on the device. I soft reset the phone and try to run the file you created but it is still not successful. I have created the .XML file and transferred it to the device but am unable to do the remote dos command thing. I am really desperate as I have already spent many hours on this and no luck. If possible I will appreciate some more advice.

Thank you very much.
Rui
Rui

Hi,just to add to the above, I have also dissabled the firewall, forgot to mention that.
http://www.MobileJaw.com Mike Temporale

@Rui – Your problem has nothing to do with application lock. This solution is not going to help you out at all.

It sounds to me like you’re having a certificate issue. Perhaps the certificate installed by your company was placed into the wrong store, or they removed the default certs.

Removing Application Lock on Windows Mobile Standard Devices

About Mike Temporale

Follow Us

Search

Log In

Facebook

Twitter Stream

Recent Comments

Username
Password

	Remember Me Lost your password?

Removing Application Lock on Windows Mobile Standard Devices

Share:

About Mike Temporale

Follow Us

Search

Log In

Facebook

Twitter Stream

Recent Comments

Tag Cloud