[Richard Murphy]

Updated Nov 18 to provide updated information about the current Bonsai beta.
Background Information
Windows Mobile devices configured with two-tier security are not able to run ActiveSync service provider DLLs unless they are signed with a privileged certificate. While Natara signs all of the executables with its code signing certificate, this is not a Windows Mobile privileged certificate and therefore the Windows Mobile device does not recognize these as being signed. If a device is configured for two-tier security, and because the ActiveSync process on the device is running as a privileged process, it can only load DLLs that are also signed with a privileged certificate. Any unsigned DLLs will not load regardless of how security is configured for running unsigned applications. This means the current Bonsai beta will not be able to sync via the ActiveSync/WMDC framework.
Non-touchscreen devices (Windows Mobile Standard- previously called Smartphone devices) generally run in a two tier security model that limits what unsigned applications can do. In very strict security settings, unsigned apps cannot run. It is probably more common that security is configured so the device prompts before running an unsigned application. Therefore, I expect most users will be able to run the Bonsai application on the handheld. If you have a device that does not allow for running unsigned applications, you can probably find tools to "application unlock" your device, possibly even with the help of your service provider.
Now for the bad news. Even if your device allows unsigned applications to run, your device will not load the Bonsai ActiveSync component when a sync operation begins if the device is configured for two tier security.
With the current beta, the wizard used to install Bonsai to your device will detect if you device is configured for two-tier security. If it is configured this way, a dialog will be display explaining this. At this point you have two options:
Continue the install and a "sync on device connect" will run when the device is connected:
Bonsai will configure a process to run whenever your Windows Mobile device is connected. There are two drawbacks with this option. The sync only occurs when the device is connected. If you modify an outline with the device already connected, it will not be synced automatically like it would if the ActiveSync component was working. Second, during the "sync on device connect" the process will have limited ability to notify the Bonsai app on the handheld that a sync is beginning. Normally, the Bonsai app will save the outline being viewed if it is modified at the start of the sync and reload it once the sync is complete. This notification does not occur so instead the sync will attempt to make a RAPI call to close the Bonsai application. This may or may not work depending on device security. Since Bonsai auto-saves the outline periodically on the handheld, in most cases I would not expect Bonsai to have a modified unsaved outline opened when the device is connected. This may not be a big deal for most users but it is something to keep in mind.

Provision your device to use a one-tier security model:
Of course this does has security implications and it s entirely your decision whether you can and if you want to make this change. Keep in mind all of the WM Professional and Classic devices generally run in a one-tier security model. Natara will not be able to provide assistance in reconfiguring your device to use a one-tier security model as the tools available vary based on which device you own.

Needless to say, we plan to have a solution to this issue near or shortly after the time of the product release. We plan to have our ActiveSync DLL signed with a privileged certificate so it will load on devices using a two-tier security model.

Microsoft has a handy tool to examine the configuration of your device called Security Configuration Manager. While it can be used to provision your device (i.e. change the security settings), it will also update your certificate stores. I DO NOT recommend you use this tool to provision your device using the "built-in" profiles as you would not want the changes to the certificates that would be applied.

[Richard Murphy]

I updated the original post with current information regarding this issue and the changes introduced in beta build 2938. Please re-read if you have a Windows Mobile device configured with two-tier security.
Also, I found that the current build (2938) the "sync on connect" process may not properly detect your device. The process is started on connect but before ActiveSync has fully initialized. Depending on timing, this may or may not work in your environment. If the sync does not seem to run, or if you get a trial expired error even though the Bonsai Desktop is working, then you are hitting this issue. I will have this fixed in the next build but for now you can manually run the sync using the following command using the Windows Start/Run menu (after the device is connected and ActiveSync is initialized):
"rundll32" C:\PROGRA~1\Natara\Bonsai\BONSAI~1.DLL,SyncOutlines
Make sure the path to the BonsaiActiveSyncProvider.dll is specified as a short file name as the rundll does not handle names with spaces. You may need to update the path if you picked a non-default installation location for Bonsai.

[goldenRetriever]

I have an HP IPAQ 111 and tried to install the Bonsai beta using the WMDC (my laptop runs Vista) before I saw the post below. I didn't receive a message from the Bonsai wizard -- it just hung up on installation. Is a privileged digital certificate planned that will satisfy the two-tier security issue? Thank you.