Data encryption
AppConnect-related data
The MobileIron client app and the Wrapper library work together to encrypt AppConnect-related data, such as configurations and certificates, on the device.
The encryption key is not stored on the device. It is either:
• Derived from the device user’s AppConnect passcode.
• Protected by the device passcode if the administrator does not require an AppConnect passcode.
• Protected by the device passcode if the device user uses Touch ID/Face ID to access AppConnect apps.
If no AppConnect passcode or device passcode exists, the data is encrypted, but the encryption key is not protected by either passcode.
App data files
The AppConnect passcode does not impact encryption of the app’s data. The app’s data is encrypted only if both of the following are true:
• The device has a device passcode. The MobileIron server administrator determines whether a device passcode is required.
• The app enables iOS data protection on its files.
The wrapper ensures that data that the app writes with the following APIs has a data protection level of either NSFileProtectionCompleteUntilFirstUserAuthentication or NSFileProtectionComplete:
- NSPersistentStoreCoordinator
Note that Apple defines the data protection levels as follows:
• NSFileProtectionCompleteUntilFirstUserAuthentication
The file is stored in an encrypted format on disk and cannot be accessed until after the device has booted. After the user unlocks the device for the first time, your app can access the file and continue to access it even if the user subsequently locks the device.
• NSFileProtectionComplete
The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting.
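The following Swift code is an added example, not MobileIron's or Apple's code, showing the app-side half of the two conditions above: writing a file with NSFileProtectionComplete, opening a Core Data store through NSPersistentStoreCoordinator with the same class, and auditing the protection class iOS recorded for a file. The `DataProtectionAudit` type and its function names are assumptions for this example; the first condition (a device passcode) is a device and MDM property that no app code can enforce, so the audit only confirms that the file carries one of the two classes the text names.

```swift
import Foundation
import CoreData

// Added example (not MobileIron code). Names below are assumptions.
enum DataProtectionAudit {
    // The two protection classes the wrapper is documented to enforce.
    static let acceptable: Set<FileProtectionType> = [
        .complete,
        .completeUntilFirstUserAuthentication
    ]

    /// Write `data` so the file is unreadable while the device is locked.
    static func writeProtected(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Return the protection class iOS recorded for the file, if any.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// True only when the file carries one of the two acceptable classes.
    /// `.none` or a missing attribute means the file has no per-file
    /// data protection, which is the unprotected case the text describes.
    static func isAcceptablyProtected(_ url: URL) throws -> Bool {
        guard let cls = try protectionClass(of: url) else { return false }
        return acceptable.contains(cls)
    }

    /// Open (or create) a SQLite Core Data store with file protection set
    /// through the store options, so the coordinator writes the database
    /// file with NSFileProtectionComplete.
    static func openProtectedStore(model: NSManagedObjectModel,
                                   at url: URL) throws -> NSPersistentStoreCoordinator {
        let psc = NSPersistentStoreCoordinator(managedObjectModel: model)
        try psc.addPersistentStore(
            ofType: NSSQLiteStoreType, configurationName: nil, at: url,
            options: [NSPersistentStoreFileProtectionKey: FileProtectionType.complete])
        return psc
    }
}

// Usage: write a constructed sample file and audit it.
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let sample = docs.appendingPathComponent("appconnect-sample.bin")
try DataProtectionAudit.writeProtected(Data("sample payload".utf8), to: sample)
print("acceptably protected:", try DataProtectionAudit.isAcceptablyProtected(sample))
```

Running the audit over an app's Documents and Library directories is a quick way to find files that were written without the `.completeFileProtection` option and therefore fall outside the wrapper's guarantee.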