- Control which applications are allowed to run on the device and what they can do.
- Control who can access specific device settings, and their level of access.
- Control what desktop applications can do on the device (Remote API (RAPI) control through ActiveSync).
- Policies configure security settings that are then enforced with the security roles and certificates:
Security roles determine access to device resources, based on message origin and how the message is signed.
- Certificates are used to sign executables, DLLs, and CAB files that run on Windows Mobile-powered devices.