Device log encryption on Android devices

Log files can be emailed by using the Send Log option in Ivanti Mobile@Work for Android. You can choose whether the log files are encrypted when they are provided to the email app. The choice affects the log files of the following:

  • Ivanti Mobile@Work for Android
  • Secure Apps Manager
  • AppConnect-enabled apps (including what the app logs and what the AppConnect wrapper around the app logs)

The security policy for a device contains the option for choosing whether the emailed log files are encrypted. The default setting is to not encrypt the files.

By default, encrypted log files can be decrypted only by Ivanti Technical Support. If you want to encrypt the log files using your own certificate, see Encrypting device logs with your own certificate.

Regardless of the device log encryption setting, the log files never include passwords, certificate content, license information, or other sensitive authentication data.

By encrypting the emailed log files, you improve security because the data is readable only by Ivanti Technical Support when using the default encryption, or by your own enterprise when using your certificate for encryption. Since emailing logs for troubleshooting is a common practice, you typically choose to encrypt the logs.

Procedure 

  1. Go to Policies & Configs > Policies.
  2. Select the security policy for the appropriate devices.
  3. Click Edit.
  4. In the Data Encryption section, for Device Log Encryption, select On.
  5. Click Save.

Security and logging enablement

Ivanti Mobile@Work version 11.5.0.0 and later can configure security and network logging on the device according to the state of the "Enable Security Logging on Android" and "Enable Network Logging on Android" options of the security policy.

  • If Security Logging is enabled for the device, Ivanti Mobile@Work can receive batches of security log events from Android for collecting and processing. Security logging is currently supported for devices registered in Work Managed Device mode, Managed Device with Work Profile mode, and Work Profile on Company Owned Device mode.

  • If Network Logging is enabled for the device, Ivanti Mobile@Work can receive batches of network log events (DNS and Connect) from Android for collecting and processing. Network logging is currently supported for devices registered in Work Managed Device mode and Work Profile on Company Owned Device mode.

Security and network logs, along with the regular client logs, are included in a zip file that Ivanti Mobile@Work creates either when the device user runs the "Send logs" command (Settings menu) or in response to the "Pull Client Logs" administrator command.

The latest security log events, stored as JSON-formatted strings and totalling up to 10 MB, are in files whose names begin with the "security" prefix. The most recent log events are in a readable security.txt file (up to 1 MB). Older security log events are zipped in a series of zip files: security1.zip, security2.zip, and so on. The same applies to network logs, except that the file names begin with the "network" prefix.

JSON formatting for security and network logs is a compromise between human-friendly readability and potential automated log processing on the server side.
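The file layout described above can be read back for automated processing as in the following added example, which is not Ivanti code. It assumes the log bundle has already been decrypted and unpacked into a directory and that each event is one JSON object per line; the archive member name and the `id` field in the sample data are constructed, and archives are read in numeric order only to keep the output deterministic.

```python
import json
import re
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # skip members declaring more than this


def _parse_lines(text, source):
    """Yield (source, event) for each line that parses as a JSON object."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if isinstance(event, dict):
            yield source, event


def read_events(bundle_dir, prefix):
    """Collect events for prefix 'security' or 'network' from an extracted bundle."""
    bundle = Path(bundle_dir)
    events = []
    current = bundle / f"{prefix}.txt"
    if current.is_file():
        text = current.read_text(encoding="utf-8", errors="replace")
        events.extend(_parse_lines(text, current.name))
    pattern = re.compile(rf"^{re.escape(prefix)}(\d+)\.zip$")
    archives = sorted((int(m.group(1)), p) for p in bundle.iterdir()
                      if (m := pattern.match(p.name)))
    for _, archive in archives:
        with zipfile.ZipFile(archive) as zf:  # read in memory, never extract to disk
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                text = zf.read(info).decode("utf-8", errors="replace")
                events.extend(_parse_lines(text, f"{archive.name}:{info.filename}"))
    return events


def demo():
    """Build a constructed bundle (made-up event fields) and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "security.txt").write_text('{"id": 3}\nnot json\n{"id": 4}\n')
        with zipfile.ZipFile(root / "security1.zip", "w") as zf:
            zf.writestr("security1.txt", '{"id": 1}\n{"id": 2}\n')
        return read_events(root, "security")
```

Each returned item pairs the source file with the parsed event, so a finding can be traced back to the file it came from.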