Product Documentation

Configuring iOS Data Protection Policies for iOS 9

Jun 22, 2016

Important

In a previous advisory, Citrix notified customers about a problem wherein files written onto an iOS 9 device by XenMobile-managed mobile apps did not use Citrix encryption. For more information about the advisory, see iOS 9 and XenMobile. A solution to this issue is now available as a download as part of an updated MDX Toolkit. For details, see What's New in the MDX Toolkit 10.2. This solution provides the same level of encryption supported on iOS 8.

The XenMobile MDX policies described in this article, which were created to provide additional security for application files on iOS 9, are still available but are now Off by default. Because the updated MDX Toolkit restores Citrix encryption, it is no longer necessary to set a device passcode to enable iOS Data Protection, or to enforce a device passcode in the XenMobile console.

The following options help to protect data.

  • Use iOS File Data Protection to encrypt data by requiring a device passcode. iOS file data protection derives its per-class keys from the device passcode, so Apple requires a device passcode before app data on the device is encrypted with iOS file encryption. To support this level of protection, MDX Toolkit 10.2 includes a new policy, Device passcode, which requires a PIN or passcode on an iOS 9 device. By default, this policy is Off. The policy applies on a per-app basis and can be used whether you run XenMobile in MDM or MAM mode.
  • In addition to requiring a PIN or passcode, you can specify a minimum iOS data protection class for the app data stored on the file system.
  • If you do not want to require a PIN or passcode, you can instead restrict the data stored on iOS 9 devices through new policies for WorxMail (Block file attachments policy), WorxNotes (Block email as attachment policy), and WorxWeb (iOS 9 security restrictions policy).
  • Enterprises that must meet Australian Signals Directorate (ASD) data protection requirements can use the new Enable iOS data protection policies for WorxMail and WorxWeb.

Configuring the Minimum Data Protection Class Policy for iOS 9

For additional protection on iOS devices with a device PIN enabled, you can opt to set iOS device-level encryption for files that apps store on the device.

iOS file encryption has several data protection levels. The new Minimum data protection class policy lets you specify a protection class to be used for any MDX app data stored (unless a higher protection level is already specified by the app).

The policy values, with the corresponding iOS file protection attribute for each, are:

  • Complete (NSFileProtectionComplete, Class A) – When a device locks, files become unavailable. Files can be opened, read, and written only when the device is unlocked.
  • Complete unless open (NSFileProtectionCompleteUnlessOpen, Class B) – If a file is open when a device locks, the file continues to be available to the app. This is the default value. A file can be created while the device is locked, but a file cannot be opened while the device is locked.
  • Until first lock (NSFileProtectionCompleteUntilFirstUserAuthentication, Class C) – When a device restarts, files are locked and cannot be read until the user unlocks the device for the first time. After that first unlock, files can be created, opened, read, and written even while the device is locked.
  • None (NSFileProtectionNone, Class D) – Files have no special protection and can be read from or written to at any time.

The Minimum data protection class policy is hidden by default. To make the policy visible in XenMobile and then configure it, follow these steps, which use WorxMail as an example app.

1. Download the MDX Toolkit 10.2 and Worx mobile apps 10.2 from http://www.citrix.com/downloads/xenmobile/product-software.html.

2. In Finder, browse to Applications/Citrix/MDXToolkit/Data and locate the policy metadata .xml file for each Worx app. For WorxMail, the file name is com.citrix.mail_policy_metadata.xml.


3. To make the Minimum data protection class policy visible in the XenMobile console, open the policy XML file in a text editor, locate MinimumDataProtectionClass, and change the PolicyHidden value to False. Save and close the file.


4. Use MDX Toolkit 10.2 to wrap the latest version of the Worx apps. For details, see Wrapping iOS Mobile Apps and Wrapping Worx Apps for iOS 8 or iOS 9.

5. Use the XenMobile console to load the MDX files to XenMobile: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrading an App in XenMobile.


6. To require that users provide a device passcode, so that iOS Data Protection is enforced on iOS 9 devices, set the Device passcode policy to On (it is Off by default).


After the upgrade, the first time users open a Worx app (version 10.2) or an app wrapped with MDX Toolkit 10.2 on an iOS 9 device that has no passcode, Worx prompts them to create one.


7. For additional protection on devices with a device passcode enabled, set a Minimum data protection class level.


8. Configure the app policies as usual and save your settings to deploy the app to the Worx Store.

Worx Home 10.2 is required to run Worx apps wrapped with MDX Toolkit 10.2.
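Step 3 of the procedure above is a hand edit of one value in one XML file. When several Worx apps must be unhidden, or the edit has to be repeatable and reviewable, a small script that changes exactly one PolicyHidden value and reports whether anything changed is safer than a search-and-replace. The following is an added example, not Citrix code and not the toolkit's own tooling. It assumes a hypothetical layout for the policy metadata file (each policy as a Policy element with PolicyName and PolicyHidden children); the real com.citrix.mail_policy_metadata.xml may be laid out differently, so check find_policy() against the actual file before running it on the toolkit's Data directory. The sample XML in the block is constructed for the demo.

```python
"""Unhide one MDX policy (here MinimumDataProtectionClass) in MDX Toolkit
policy metadata XML, the edit described in step 3 above.

ASSUMPTION (hypothetical layout): each policy is a <Policy> element with a
<PolicyName> child holding the policy name and a <PolicyHidden> child holding
True or False. The real com.citrix.mail_policy_metadata.xml may differ;
adjust find_policy() to match before running this on the real file.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample standing in for com.citrix.mail_policy_metadata.xml.
# Element names are an assumption, not the real schema.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata>
  <Policy>
    <PolicyName>DevicePasscode</PolicyName>
    <PolicyHidden>False</PolicyHidden>
  </Policy>
  <Policy>
    <PolicyName>MinimumDataProtectionClass</PolicyName>
    <PolicyHidden>True</PolicyHidden>
  </Policy>
</PolicyMetadata>
"""


def find_policy(root, policy_name):
    """Return the <Policy> element whose <PolicyName> text equals policy_name."""
    for policy in root.iter("Policy"):
        name = policy.find("PolicyName")
        if name is not None and (name.text or "").strip() == policy_name:
            return policy
    raise KeyError(f"policy {policy_name!r} not found in metadata")


def is_hidden(xml_text, policy_name):
    """True if the named policy is hidden from the XenMobile console."""
    hidden = find_policy(ET.fromstring(xml_text), policy_name).find("PolicyHidden")
    # A missing PolicyHidden element is treated as not hidden (assumption).
    return hidden is not None and (hidden.text or "").strip().lower() == "true"


def unhide_policy(xml_text, policy_name):
    """Set PolicyHidden to False for one policy; return (new_xml, changed).

    Only that one element is touched; every other policy is left as it was.
    """
    root = ET.fromstring(xml_text)
    hidden = find_policy(root, policy_name).find("PolicyHidden")
    if hidden is None:
        raise KeyError(f"{policy_name} has no PolicyHidden element")
    changed = (hidden.text or "").strip().lower() != "false"
    hidden.text = "False"
    return ET.tostring(root, encoding="unicode"), changed


def unhide_in_files(paths, policy_name):
    """Apply unhide_policy to each file (one per Worx app), rewriting only
    files that actually change. Returns {path: changed} for review."""
    results = {}
    for path in map(Path, paths):
        new_text, changed = unhide_policy(path.read_text(encoding="utf-8"), policy_name)
        if changed:
            path.write_text(new_text, encoding="utf-8")
        results[str(path)] = changed
    return results


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample. For the real toolkit, pass
    # the metadata files under Applications/Citrix/MDXToolkit/Data to
    # unhide_in_files() instead.
    before = is_hidden(SAMPLE_METADATA, "MinimumDataProtectionClass")
    new_xml, changed = unhide_policy(SAMPLE_METADATA, "MinimumDataProtectionClass")
    after = is_hidden(new_xml, "MinimumDataProtectionClass")
    print(f"hidden before={before} changed={changed} hidden after={after}")
```

ElementTree re-serializes the whole document, dropping the XML declaration and any comments, so diff the rewritten file against the original before wrapping with it; the changed flag lets you confirm that only the intended file was touched and that a second run is a no-op.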


Additional Worx Apps File Control Policies for iOS 9

The Minimum data protection class policy described in the previous section is only effective if a device PIN is set on the device. If you do not want to enforce a device-level PIN, you can instead block files from being stored by WorxMail, WorxNotes, and WorxWeb.

  • Block file attachments policy - For WorxMail, the Block file attachments policy disables downloading attachments for devices running iOS 9.
  • Block email as attachment policy - For WorxNotes (Exchange version only), the Block email as attachment policy disables sending a note as an email with a PDF attachment. Note - When WorxNotes is used with ShareFile, notes are files, not data, and therefore rely entirely on a device passcode for encryption.
  • iOS 9 security restrictions policy - For WorxWeb, the iOS 9 security restrictions policy disables downloading files and offline pages. The policy also disables cookie caching and HTML 5 local storage. Enabling this policy slows web page loading.

Those policies are disabled by default. To enable the policies when loading apps into XenMobile, follow these steps.

1. Use MDX Toolkit 10.2 to wrap the latest version of the Worx apps. For details, see Wrapping iOS Mobile Apps and Wrapping Worx Apps for iOS 8 or iOS 9.

2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrading an App in XenMobile.


3. To block file attachments in WorxMail on devices running iOS 9: Browse to the App Restrictions section, locate the Block file attachments policy, and set it to On.

Devices running older operating system versions will not be affected when this policy is enabled.


4. To block sending notes as an attachment in WorxNotes on devices running iOS 9: Browse to the App Restrictions section, locate the Block email as attachment policy, and set it to On.

Devices running older operating system versions will not be affected when this policy is enabled.


5. To block downloading of files and offline pages in WorxWeb on devices running iOS 9: Browse to the App Restrictions section, locate the iOS 9 security restrictions policy, and set it to On.

Devices running older operating system versions will not be affected when this policy is enabled.


6. Configure the app policies as usual and save your settings to deploy the app to the Worx Store.

Worx Home 10.2 is required to run Worx apps wrapped with MDX Toolkit 10.2.


Configuring iOS Data Protection for WorxMail and WorxWeb

Enterprises that must meet Australian Signals Directorate (ASD) data protection requirements can use the new Enable iOS data protection policies for WorxMail and WorxWeb. By default, the policies are Off. When Enable iOS data protection is On for WorxWeb, WorxWeb uses the Class A protection level (NSFileProtectionComplete, the Complete value of the Minimum data protection class policy) for all files in its sandbox; like every iOS data protection class, it is only effective on devices that have a passcode set. For details about WorxMail data protection, see Australian Signals Directorate Data Protection. If you enable this policy, the highest data protection class is used, so there is no need to also specify the Minimum data protection class policy.

To change the Enable iOS data protection policy:

1. Use MDX Toolkit 10.2 to wrap the latest version of the Worx apps. For details, see Wrapping iOS Mobile Apps and Wrapping Worx Apps for iOS 8 or iOS 9.

2. Use the XenMobile console to load the MDX files to the XenMobile Server: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrading an App in XenMobile.


3. For WorxMail, browse to the App settings, locate the Enable iOS data protection policy, and set it to On.

Devices running older operating system versions will not be affected when this policy is enabled.


4. For WorxWeb, browse to the App settings, locate the Enable iOS data protection policy, and set it to On.

Devices running older operating system versions will not be affected when this policy is enabled.


5. Configure the app policies as usual and save your settings to deploy the app to the Worx Store.

Worx Home 10.2 is required to run Worx apps wrapped with MDX Toolkit 10.2.
