Encryption management

Encryption management allows you to use modern device platform security while also ensuring the device remains in a sufficient state to use platform security effectively. A set of security criteria is identified that a device must adhere to in order to be considered compliant for encryption management. You are then able to identify non-compliant devices, and restrict access to apps on devices that do not meet these criteria.

By using encryption management, you eliminate local data encryption redundancy since file system encryption is provided by the Android and iOS platforms. Encryption management also improves performance (avoiding double encryption) and application compatibility with MDX.

Note:

To help get started, run a new report in Citrix Endpoint Management to list the non-compliant devices in your organization. This report helps determine the impact of turning on compliance enforcement. To access the report, open the Endpoint Management console, navigate to Analyze > Reports > Non-Compliant Devices, and generate the report. The Non-Compliant Devices report is available in environments running Citrix Endpoint Management version 19.6.0.2 or later.

Encryption type

To use the encryption management feature, in the Endpoint Management console, set the Encryption type MDX policy to Platform encryption with compliance enforcement. This enables encryption management and all the existing encrypted application data on users’ devices seamlessly transition to a state that is encrypted by the device and not by MDX. During this transition, the app is paused for a one-time data migration. Upon successful migration, responsibility for encryption of locally stored data is transferred from MDX to the device platform. MDX continues to check compliance of the device upon each app launch. This feature works in both MDM + MAM and MAM-only environments.

When you set the Encryption type policy to Platform encryption with compliance enforcement, the new policy supersedes your existing MDX Encryption.

For details about the encryption management MDX policies, see the Encryption section in:

Non-compliant device behavior

When a device falls below the minimum compliance requirements, the Non-compliant device behavior MDX policy allows you to select what action is taken:

  • Allow app – Allow the app to run normally.
  • Allow app after warning – Warn the user that an app does not meet the minimum compliance requirements and allows the app to run. This is the default value.
  • Block app – Block the app from running.

The following criteria determine whether a device meets the minimum compliance requirements.

Devices running iOS:

  • iOS 10: An app is running an operating system version that is greater than or equal to the specified version.
  • Debugger access: An app does not have debugging enabled.
  • Jailbroken device: An app is not running on a jailbroken device.
  • Device passcode: Device passcode is ON.
  • Data sharing: Data sharing is not enabled for the app.

Devices running Android:

  • Android SDK 24 (Android 7 Nougat): An app is running an operating system version that is greater than or equal to the specified version.
  • Debugger Access: An app does not have debugging enabled.
  • Rooted devices: An app is not running on a rooted device.
  • Device lock: Device passcode is ON.
  • Device encrypted: An app is running on an encrypted device.
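The following is an added illustration, not Citrix code and not the MDX implementation: a small Python model of the compliance check described above, combining the per-platform criteria with the three "Non-compliant device behavior" policy values. The `DeviceState` record, its field names and the sample devices are hypothetical; the minimum versions (iOS 10, Android SDK 24) and the criterion names are taken from the page.

```python
"""Model of the encryption-management compliance check described above.

Hypothetical, simplified evaluator (not Citrix code): a device-state record is
checked against the per-platform criteria listed on the page, and the
"Non-compliant device behavior" policy value decides what the app does.
"""
from dataclasses import dataclass

# Policy values for "Non-compliant device behavior" (names as on the page).
ALLOW_APP = "Allow app"
ALLOW_APP_AFTER_WARNING = "Allow app after warning"   # documented default
BLOCK_APP = "Block app"

# Minimum OS versions from the page: iOS 10, Android SDK 24 (Android 7 Nougat).
MIN_IOS_VERSION = (10, 0)
MIN_ANDROID_SDK = 24


@dataclass
class DeviceState:
    """Hypothetical snapshot of what the app can observe at launch."""
    platform: str                        # "ios" or "android"
    os_version: str = "0"                # iOS: dotted version; Android: SDK level
    debugger_attached: bool = False
    jailbroken_or_rooted: bool = False
    passcode_set: bool = False
    data_sharing_enabled: bool = False   # iOS-only criterion
    storage_encrypted: bool = True       # Android-only criterion


def _parse_version(text: str) -> tuple:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def failing_criteria(dev: DeviceState) -> list:
    """Return the names of the page's criteria this device does not meet."""
    failures = []
    if dev.platform == "ios":
        if _parse_version(dev.os_version) < MIN_IOS_VERSION:
            failures.append("iOS 10")
        if dev.debugger_attached:
            failures.append("Debugger access")
        if dev.jailbroken_or_rooted:
            failures.append("Jailbroken device")
        if not dev.passcode_set:
            failures.append("Device passcode")
        if dev.data_sharing_enabled:
            failures.append("Data sharing")
    elif dev.platform == "android":
        if int(dev.os_version) < MIN_ANDROID_SDK:
            failures.append("Android SDK 24")
        if dev.debugger_attached:
            failures.append("Debugger Access")
        if dev.jailbroken_or_rooted:
            failures.append("Rooted devices")
        if not dev.passcode_set:
            failures.append("Device lock")
        if not dev.storage_encrypted:
            failures.append("Device encrypted")
    else:
        raise ValueError(f"unknown platform: {dev.platform}")
    return failures


def launch_decision(dev: DeviceState, policy: str = ALLOW_APP_AFTER_WARNING) -> tuple:
    """Apply the Non-compliant device behavior policy at app launch.

    Returns (action, failures) where action is "run", "warn" or "block".
    A compliant device always runs, whatever the policy says.
    """
    failures = failing_criteria(dev)
    if not failures:
        return ("run", failures)
    if policy == ALLOW_APP:
        return ("run", failures)
    if policy == ALLOW_APP_AFTER_WARNING:
        return ("warn", failures)
    if policy == BLOCK_APP:
        return ("block", failures)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    # Constructed sample devices, not data from the page.
    good_ios = DeviceState("ios", "12.4", passcode_set=True)
    old_android = DeviceState("android", "23", passcode_set=True, storage_encrypted=False)
    print(launch_decision(good_ios, BLOCK_APP))
    print(launch_decision(old_android))
```

The version comparison is done on parsed tuples rather than strings so that "9.3.5" is correctly judged older than "10.0"; a string comparison would get that backwards. Note that the evaluator reports every failing criterion, not just the first, which is what an administrator reading the Non-Compliant Devices report would want to see.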
