Heightened security for AppConnect apps using the Secure Enclave

For heightened security of especially sensitive data, such as encryption keys and passwords, you can configure AppConnect apps to use the Apple hardware known as the Secure Enclave. Using the Secure Enclave reduces the attack surface of the sensitive data, because the data is stored in the Secure Enclave rather than in plain text in memory. Sensitive data that is stored in memory can be captured in a memory dump.

For an AppConnect app to use the Secure Enclave, the device must:

  • have Apple’s Secure Enclave hardware.

    Devices that have biometric security have Secure Enclave hardware.

  • be running iOS 11 or supported newer versions.
  • be running Mobile@Work 9.8 for iOS or supported newer versions.

To configure an AppConnect app to use the Apple Secure Enclave, you use the key named MI_AC_CONTAINER_TYPE in the app’s AppConnect app configuration.

The possible values for MI_AC_CONTAINER_TYPE are:

Value      Description

ENCLAVE    The Secure Enclave is used to store:

             • sensitive data as defined by the app. Check the app’s documentation to see if the app uses the Secure Enclave.
             • encryption keys used by the AppConnect library.

LOCAL      No data is stored in the Secure Enclave. This value is the default if you do not include the key.

Configuring an AppConnect app configuration