I still owe y’all a review of my new Qtek 9100 PDA/cellphone running Windows Mobile 5.0, but in the meantime, as I’m working on some other WM5.0 projects, I wanted to share word of what is turning out to be a potentially huge problem with the new WM 5.0 devices, depending on which devices you buy and which carriers you get them from. This post from the Windows Mobile Team Blog, “Adding Root Certificates for Exchange Activesync”, doesn’t provide a lot of detail and background, but the comments give you a bigger picture of how much trouble this is causing folks.
The base problem is that some WM5.0 devices, depending on how they’ve been configured by the OEM (in many cases the carrier that sells the device), do not allow end-users to install additional root certificates. This is great if you’re only using SSL certs from a major vendor, but if you’re using self-signed certs, this becomes a problem. The Windows Mobile 2003 workaround of disabling SSL for EAS isn’t an option in WM5.0. Normally, I’d be happy about how the use of SSL is enforced — I’ve never advised using OWA/EAS/OMA over unencrypted connections — but in this case, a lot of people are frustrated because they can’t use their new devices to synchronize with Exchange. Since that was the only real functionality I was interested in for my Qtek, I have to say I’d have been extremely unhappy to find out I wasn’t able to do it.
The moral of the story is simple: be very, very choosy about which vendors and carriers you buy your WM5.0 devices from. Insist that they either provide the tool you need to install your own root certificates (if you don’t get management access to the device) or insist on having devices configured so that you have management access.