Hello,
Our company recently deployed a very restrictive IT Policy. Since we've deployed the policy we are unable to push applications OTA. I've created a second IT Policy that has less restrictions such as enabling 3rd party apps but I am still unable to successfully push an app(in this case RSA software token). The only way I am able to push OTA is if I put the device into a non-resrtictive IT Policy, one with nothing enabled. My question is which setting in our Policy is preventing OTA installs (excluding the disabled 3rd party apps option)? Here are the settings...

HANDHELD POLICY SETTINGS:
IT Policy Name = "Secured Policy - Outgoing Call Enabled"
Password Required = TRUE
Allow Peer-to-Peer Messages = TRUE
Minimum Password Length = 6
User Can Disable Password = FALSE
Maximum Security Timeout = 20
Maximum Password Age = 90
User Can Change Timeout = TRUE
Password Pattern Checks = 0
Enable Long-Term Timeout = TRUE
Allow SMS = TRUE
Enable WAP Config = TRUE
Common Policy Group:
Disable MMS = TRUE
Set Owner Name = "Blackberry"
Set Owner Info =
IT Policy Notification = FALSE
Lock Owner Info = 3
Password Policy Group:
Periodic Challenge Time = 60
Maximum Password History = 5
Suppress Password Echo = TRUE
Set Maximum Password Attempts = 5
Set Password Timeout = 20
Security Policy Group:
Disable Public Social Networking Applications = TRUE
Disable Public Photo Sharing Applications = TRUE
Allow Smart Card Password Caching = FALSE
Disable IP Modem = FALSE
Disable Unverified Certificate Use = TRUE
Minimal Encryption Key Store Security Level = 2
Minimal Signing Key Store Security Level = 2
Disable Persisted Plain Text = TRUE
Disable 3DES Transport Crypto = FALSE
Disable Unverified CRLs = TRUE
Allow Outgoing Call When Locked = TRUE
FIPS Level = 2
Disable Forwarding Between Services = TRUE
Disable Radio When Cradled = 0
Disable Stale Status Use = TRUE
Certificate Status Maximum Expiry Time = 4
Disable Key Store Backup = TRUE
Disable Weak Certificate Use = TRUE
Disable Invalid Certificate Use = TRUE
Allow Split-Pipe Connections = FALSE
Allow External Connections = TRUE
Allow Internal Connections = TRUE
Allow Third Party Apps to Use Serial Port = TRUE
Disallow Third Party Application Downloads = TRUE
Certificate Status Cache Timeout = 1
Disable Key Store Low Security = TRUE
Disable Peer-to-Peer Normal Send = TRUE
Disable Message Normal Send = FALSE
Disable Revoked Certificate Use = TRUE
Disable Untrusted Certificate Use = TRUE
SMIME Application Policy Group:
SMIME Minimum Strong DSA Key Length = 1024
SMIME Allowed Content Ciphers = 00100001 (33)
SMIME Minimum Strong ECC Key Length = 163
SMIME Minimum Strong DH Key Length = 1024
SMIME Minimum Strong RSA Key Length = 1024
TLS Application Policy Group:
TLS Disable Invalid Connection = 0
TLS Minimum Strong ECC Key Length = 163
TLS Minimum Strong DH Key Length = 1024
TLS Minimum Strong RSA Key Length = 1024
TLS Disable Untrusted Connection = 0
TLS Disable Weak Ciphers = 0
Browser Policy Group:
Disable Java Script in Browser = TRUE

DESKTOP POLICY SETTINGS:
Show Application Loader = FALSE
Force Load Count = 0
Auto Backup Enabled = TRUE
Auto Backup Include All = TRUE
Show Web Link = FALSE
Do Not Save Sent Messages = FALSE
Desktop Policy Group:
Desktop Allow Device Switch = FALSE
Desktop Allow Desktop Add-ins = TRUE
Desktop Password Cache Timeout = 10
Service Exclusivity Policy Group:
Allow Public Yahoo! Messenger Services = FALSE
Allow Other Browser Services = TRUE

Disallow Third Party Application Downloads = TRUE

Set this to FALSE and try again.
Perhaps you first have to resend the policy to the affected device.

I've already tried that as stated in my post.

(excluding the disabled 3rd party apps option)

Someone? Anyone? HELP!

What happens if you push the Default IT Policy to a test device and then try pushing the software config? Does it still fail?

I'm wondering if some security value (Firewall, perhaps) got changed with the restrictive IT Policy, and may have to be changed back manually....