Heightened security for AppConnect apps using the Secure Enclave
For heightened security of especially sensitive data, such as encryption keys and passwords, you can configure AppConnect apps to use the Apple hardware known as the Secure Enclave. By using the Secure Enclave, the app reduces the sensitive data’s attack surface, because the sensitive data is stored in the Secure Enclave rather than in plain text in memory. When sensitive data is stored in memory, it can be captured in a memory dump.
For an AppConnect app to use the Secure Enclave, the device must:
- have Apple’s Secure Enclave hardware.
  NOTE: Devices that have biometric security have Secure Enclave hardware.
- be running iOS 11 through the most recently released version as supported by MobileIron
- be running Mobile@Work 9.8 for iOS through the most recently released version as supported by MobileIron
To configure an AppConnect app to use the Apple Secure Enclave, you use the key named MI_AC_CONTAINER_TYPE in the app’s AppConnect app configuration.
The possible values for MI_AC_CONTAINER_TYPE are:
| Value | Description |
| --- | --- |
| ENCLAVE | The Secure Enclave is used to store: |
| LOCAL | No data is stored in the Secure Enclave. This value is the default if you do not include the key. |
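
Before setting MI_AC_CONTAINER_TYPE to ENCLAVE, an administrator can check a device inventory against the three device prerequisites listed above. The following is an added example, not MobileIron code: the inventory field names (`has_secure_enclave`, `ios_version`, `mobile_at_work_version`) and the sample records are constructed, and only the minimum versions are checked because the supported maximum is not stated here.

```python
MIN_IOS = (11,)                # page: iOS 11 or later
MIN_MOBILE_AT_WORK = (9, 8)    # page: Mobile@Work 9.8 for iOS or later


def parse_version(text):
    """Turn '9.8.1' into (9, 8, 1); string comparison would rank '10.0' below '9.8'."""
    return tuple(int(part) for part in text.strip().split("."))


def at_least(version, minimum):
    """Pad with zeros to equal length so (11,) compares equal to (11, 0)."""
    width = max(len(version), len(minimum))
    padded = [v + (0,) * (width - len(v)) for v in (version, minimum)]
    return padded[0] >= padded[1]


def enclave_blockers(device):
    """Return the unmet prerequisites for one device (empty list = eligible)."""
    blockers = []
    if not device.get("has_secure_enclave", False):
        blockers.append("no Secure Enclave hardware")
    for field, minimum, label in (
        ("ios_version", MIN_IOS, "iOS"),
        ("mobile_at_work_version", MIN_MOBILE_AT_WORK, "Mobile@Work"),
    ):
        raw = device.get(field)
        try:
            ok = at_least(parse_version(raw), minimum)
        except (AttributeError, ValueError):
            blockers.append(f"{label} version missing or unparseable")
            continue
        if not ok:
            blockers.append(f"{label} {raw} is below {'.'.join(map(str, minimum))}")
    return blockers


# Constructed sample inventory; field names and values are hypothetical.
INVENTORY = [
    {"id": "dev-a", "has_secure_enclave": True, "ios_version": "12.1", "mobile_at_work_version": "10.0.1"},
    {"id": "dev-b", "has_secure_enclave": True, "ios_version": "10.3.3", "mobile_at_work_version": "9.8"},
    {"id": "dev-c", "has_secure_enclave": False, "ios_version": "11.0", "mobile_at_work_version": "9.7.2"},
    {"id": "dev-d", "has_secure_enclave": True, "ios_version": "11", "mobile_at_work_version": None},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        problems = enclave_blockers(dev)
        print(dev["id"], "; ".join(problems) or "meets ENCLAVE prerequisites")
```

Devices with a missing or unparseable version are reported as blocked rather than assumed eligible, so incomplete inventory data is surfaced rather than passed over.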