Configuring Encryption Policies for Apps Running on Mobile Devices

Oct 24, 2013

You can configure encryption policies for apps running on iOS and Android mobile devices. This topic lists the encryption policies that apply to each device type.

Policies for Encryption for iOS Apps

This section describes the policies you can configure in App Controller for apps that run on iOS devices. For a complete list of the policies you can configure for iOS devices, see the topic, Configuring MDX Policies for iOS Apps in App Controller.

Encryption keys
Controls access to the encryption keys and the associated encrypted content. Default is Offline access permitted.

Options:

  • Online access only. Secrets used to derive encryption keys may not persist on the device. Instead, the device must recover the keys from the key management service of XenMobile App Edition each time they are needed.
    Note: If you select Online access only, the authentication policy is assumed to be Network logon regardless of the authentication policy setting that you configured for the app.
  • Offline access permitted. Secrets used to derive encryption keys may persist on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Enable encryption

Determines if the data held in local database files is encrypted. Default is On.

Options:

  • On. The data is encrypted in local database files.
  • Off. The data is not encrypted in local database files.
Database encryption exclusions
Exclusion list of databases that are not automatically encrypted. To prevent database encryption for a specific database, add an entry to the comma-separated list of database file names. If any part of the supplied entry matches the database file name used by the app, that database is not automatically encrypted. For example, if the database to be excluded is named "googleanalytics.sql," adding "google," "googleanalytics," or "analytics" to the list prevents the database contents from being encrypted. Default is empty.
File encryption exclusions
Exclusion list of files that are not automatically encrypted. To prevent encryption for a specific set of files, add an entry to this comma-separated list of regular expressions. If a file path name matches any of the regular expressions, that file is excluded from encryption. The exclusion patterns support POSIX 1003.2 Extended Regular Expression syntax. The pattern matching is case-insensitive. Example: \.log$,\.dat$ excludes any file path name that ends with either ".log" or ".dat". The syntax */Documents/unencrypteddoc.txt matches the file unencrypteddoc.txt in the Documents folder. The syntax */Documents/UnencryptedDocs/* matches all files whose path contains /Documents/UnencryptedDocs/. Default value is empty.
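As an added illustration (this is not Citrix code), the following Python shows how the two iOS exclusion lists above are evaluated: plain substring matching for the database list, and case-insensitive regular-expression matching for the file list. The same comma-separated regex convention also governs the Android private and public file encryption exclusion lists later on this page. Python's re module stands in for the POSIX 1003.2 ERE engine the wrapper uses, and a leading * (used in the page's own examples but not valid in Python regex) is rewritten to .*; both are assumptions, as is case-sensitive comparison for database names, which the page does not specify. All file names and paths are constructed samples.

```python
import re


def parse_list(value):
    """Split a comma-separated policy value, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def database_excluded(db_file_name, exclusions):
    """Database encryption exclusions: the database is NOT encrypted if any
    entry in the list is a substring of its file name (case-sensitive here;
    the page does not state the case rule, so this is an assumption)."""
    return any(entry in db_file_name for entry in parse_list(exclusions))


def _compile_exclusion(pattern):
    """Compile one file-exclusion entry as a case-insensitive regex.
    Assumption: a leading '*' (as in '*/Documents/...') is treated as '.*',
    since Python's re rejects a pattern that starts with a quantifier."""
    if pattern.startswith("*"):
        pattern = "." + pattern
    return re.compile(pattern, re.IGNORECASE)


def file_excluded(file_path, exclusions):
    """File encryption exclusions: the file is NOT encrypted if its path
    matches any regular expression in the list. The search is unanchored,
    so '\\.log$' matches any path that ends in '.log' or '.LOG'."""
    return any(_compile_exclusion(p).search(file_path) is not None
               for p in parse_list(exclusions))


if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the policy text.
    db_list = "google,analytics"
    file_list = r"\.log$,\.dat$,*/Documents/UnencryptedDocs/*"
    for name in ("googleanalytics.sql", "users.sql", "googlemaps.db"):
        print(f"database {name!r}: excluded={database_excluded(name, db_list)}")
    for path in ("/app/Documents/trace.LOG", "/app/Library/cache.dat.enc",
                 "/app/Documents/UnencryptedDocs/note.txt",
                 "/app/Documents/UnencryptedDocsExtra/note.txt"):
        print(f"file {path!r}: excluded={file_excluded(path, file_list)}")
```

Two things the sample output makes visible: the substring rule means "google" also excludes an unrelated "googlemaps.db", and the regex `*/Documents/UnencryptedDocs/*` also matches `/Documents/UnencryptedDocsExtra/`, because in a regular expression `/*` means "zero or more slashes", not a path wildcard. Every entry that matches more than intended is data left unencrypted on the device, so a tighter pattern such as `/Documents/UnencryptedDocs/.*` and a review of the lists against the app's real file names are worth the effort.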

Policies for Encryption for Android Apps

This section describes the policies you can configure in App Controller for apps that run on Android devices. Before you configure encryption policies for Android apps, see the topic Configuring Encryption Policies for Android Devices to understand how file storage and encryption work on Android devices. For a complete list of the policies you can configure for Android devices, see Configuring MDX Policies for Android Apps in App Controller.

Require device encryption
If On, the managed app is locked if the device does not have encryption configured. If Off, the app is allowed to run even if the device does not have encryption configured. Default is Off.
Important: This policy is supported only on Android 3.0 (Honeycomb). Setting the policy to On prevents an app from running on older versions.
Encryption keys
Controls access to the encryption keys and the associated encrypted content. Default is Offline access permitted.

Option:

  • Offline access permitted. Android devices permit offline access only. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
File encryption version
Specifies the encryption version for public and private file encryption. Citrix recommends Current to provide the maximum security, especially in the case of a new app deployment. If you select Current, note that users must reinstall any apps that include a previous encryption version, such as Legacy, or else they may lose data. Default value is Current.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and /mnt/sdcard/Android/data/appname. Default is Application.
Options:
  • Disabled. Encryption is turned off.
  • SecurityGroup. Encrypts private files by using a key shared by all MDX applications in the same security group.
  • Application. Encrypts private files by using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Non-standard external storage locations
Contains a comma-separated list of non-standard external storage locations. Different devices may use different paths for SD cards and similar media. The standard external storage location for Android (typically /mnt/sdcard) is recognized automatically and does not need to appear on this list.
Access limits for public files
Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the first matching path is used to set the access limit. Default value is empty.
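Added example (not Citrix code) of how the Access limits for public files list is parsed and applied: entries are kept in the order written and the first matching path decides the limit, so a broad catch-all placed first shadows every entry after it. The Access enum, the parse_access_limits and access_for helpers, the choice that a file matching no entry is unrestricted (RW), and case-sensitive path matching are all assumptions of this example; the rule strings and file paths are constructed samples.

```python
import re
from enum import Enum


class Access(Enum):
    """The three access limits the policy can assign to a matching path."""
    NO_ACCESS = "NA"
    READ_ONLY = "RO"
    READ_WRITE = "RW"


# One entry: a regular-expression path followed by (NA), (RO) or (RW).
# The non-greedy path group stops at the last "(XX)" suffix, so the path
# regex itself may contain parentheses or a trailing "$" anchor.
_ENTRY = re.compile(r"^(?P<path>.+?)\s*\((?P<level>NA|RO|RW)\)$")


def parse_access_limits(value):
    """Parse the comma-separated policy value into an ordered list of
    (compiled path regex, Access). Order is preserved because the list is
    evaluated top to bottom and the first match wins."""
    rules = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate empty entries and a trailing comma
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError(f"malformed access-limit entry: {raw!r}")
        rules.append((re.compile(m.group("path")), Access(m.group("level"))))
    return rules


def access_for(path, rules, default=Access.READ_WRITE):
    """Return the access limit for a public file path: the level of the first
    rule whose regex matches, or `default` when nothing matches (assumption:
    an unmatched file is not restricted)."""
    for pattern, level in rules:
        if pattern.search(path):
            return level
    return default


if __name__ == "__main__":
    # Constructed sample policy: keys are unreadable, downloads are read-only,
    # everything else is read-write.
    rules = parse_access_limits(r"\.key$(NA), ^Download/.*(RO), .*(RW)")
    for sample in ("Download/secret.key", "Download/report.pdf", "Music/song.mp3"):
        print(f"{sample}: {access_for(sample, rules).name}")
    # Same entries in the wrong order: the catch-all now wins for every file.
    shadowed = parse_access_limits(r".*(RW), \.key$(NA)")
    print("shadowed:", access_for("Download/secret.key", shadowed).name)
```

Because the value is split on commas, a path regex that itself contains a comma cannot be expressed in this list; and because evaluation stops at the first match, put the most specific (and most restrictive) entries first and any catch-all last, then confirm the resulting limits on a few representative paths before rolling the policy out.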
Public file encryption
Controls the encryption of public data files. Default value is SecurityGroup.
Options:
  • Disabled. Public files are not encrypted.
  • SecurityGroup. Encrypts public files by using a key shared by all MDX apps in the same security group.
  • Application. Encrypts public files by using a key unique to this app.
Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the default external storage and to any explicitly listed external storage.
Public file migration
This policy is enforced only when public file encryption is enabled (changed from Disabled to SecurityGroup or Application). It applies only to existing, unencrypted public files and specifies when those files are encrypted. Default value is Write (WO/RW).
Note: New files or overwriting existing unencrypted files encrypts the replacement files in every case.
Caution: Encrypting an existing public file makes the file unavailable to other applications that do not have the same encryption key.
Options:
  • Disabled. Does not encrypt existing files.
  • Write (WO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.