This page describes the Data Protection Enforcement policy.
- This policy only works on devices running iOS 8 or higher.
- The device must have a passcode enabled.
- Apps using this policy need to have the Data Protection entitlement enabled.
The Data Protection Enforcement policy ensures that an app can be used on a device only when its content is secured using Apple's iOS Data Protection. iOS Data Protection is a built-in capability that encrypts data stored on an iOS device whenever the device is locked. The encrypted data is automatically decrypted when the device is unlocked, making the process seamless for both the application and the user. Note that iOS uses an AES (Advanced Encryption Standard) 256-bit crypto engine, which has been validated for compliance with U.S. Federal Information Processing Standards (FIPS) 140-2 Level 1.
Data Protection Entitlement
There is a way to use this policy even if your app was not built with the Data Protection entitlement enabled. When you sign the app with the Admin Portal, it automatically enables the Data Protection entitlement in the app as long as you sign with a distribution provisioning profile that has the Data Protection (Complete Protection) entitlement enabled.
Even if an app was built with the Data Protection entitlement enabled, you must still sign it with a provisioning profile that has the Data Protection (Complete Protection) entitlement enabled. This is a standard iOS requirement: apps must be signed with provisioning profiles that have entitlements that match the app, otherwise users will not be able to install the app onto their devices.
An entitlement is a single right granted to an app that gives it additional permissions beyond what it would ordinarily have. There are different terms used to enable entitlements depending on where you are working. When building an app in Xcode, a developer turns capabilities ON or OFF to grant entitlements. When creating an App ID in the Apple Developer Portal, you enable app services to identify the entitlements for the app or apps associated with that App ID. Some app services are enabled by default for an explicit App ID that exactly matches the bundle ID. When you create a distribution provisioning profile, you associate it with an App ID; this is what determines which entitlements (or app services) are enabled for the provisioning profile. For more information on adding capabilities in Xcode, see the iOS Developer Library. For more information on enabling app services when creating an App ID, see Manage App Identifiers.
When the Data Protection Enforcement policy is applied to an app, it is important that it is signed with a provisioning profile associated with an App ID that has the Data Protection (with Complete Protection Sharing and Permissions) service enabled.
[Figure: Capabilities selected for the app in Xcode]
[Figure: App Services selected for the app in the Apple iOS Dev Center]
For more information on entitlements, see App Extensions and Entitlements.
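A pre-signing check for the entitlement requirements described above, added here as an example (Python, not Apperian's or Apple's code): it parses the entitlements of a signed app and of its decoded provisioning profile and reports whether both carry Complete Protection and agree on the App ID. The entitlement key and the macOS commands in the comments are Apple's; the plists, profile name and bundle ID are constructed samples.

```python
import plistlib

# Apple's entitlement key for the Data Protection capability; NSFileProtectionComplete
# is the value Xcode writes when "Complete Protection" is selected.
DP_KEY = "com.apple.developer.default-data-protection"
COMPLETE = "NSFileProtectionComplete"
APP_ID_KEY = "application-identifier"
PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
# Constructed sample: the entitlements of a signed app, in the form that
# `codesign -d --entitlements :- Example.app` prints on macOS (hypothetical bundle ID).
APP_ENTITLEMENTS = PLIST_HEAD + b"""<dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  <key>com.apple.developer.default-data-protection</key><string>NSFileProtectionComplete</string>
</dict></plist>"""

# Constructed sample: a decoded distribution profile (`security cms -D -i embedded.mobileprovision`)
# whose App ID does NOT have the Data Protection service enabled.
PROFILE_NO_DP = PLIST_HEAD + b"""<dict>
  <key>Name</key><string>Example Distribution</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  </dict>
</dict></plist>"""
# Constructed sample: the same profile regenerated after Complete Protection was enabled.
PROFILE_WITH_DP = PROFILE_NO_DP.replace(
    b"<key>application-identifier</key>",
    b"<key>com.apple.developer.default-data-protection</key><string>NSFileProtectionComplete</string>"
    b"<key>application-identifier</key>", 1)

def check_data_protection(app_xml, profile_xml):
    """Return (ok, problems) for an app/profile pair: both must carry Complete
    Protection and the profile's App ID must match the app's, or the policy cannot pass."""
    app = plistlib.loads(app_xml)
    prof = plistlib.loads(profile_xml).get("Entitlements", {})
    problems = []
    if app.get(DP_KEY) != COMPLETE:
        problems.append(f"app: {DP_KEY} is {app.get(DP_KEY)!r}, expected {COMPLETE!r}")
    if prof.get(DP_KEY) != COMPLETE:
        problems.append("profile: Data Protection (Complete Protection) not enabled on its App ID; "
                        "the app will not install with this profile")
    if app.get(APP_ID_KEY) != prof.get(APP_ID_KEY):
        problems.append("application-identifier differs between app and profile")
    return (not problems, problems)

if __name__ == "__main__":
    for name, prof in (("profile without DP", PROFILE_NO_DP), ("profile with DP", PROFILE_WITH_DP)):
        ok, problems = check_data_protection(APP_ENTITLEMENTS, prof)
        print(name + ":", "OK" if ok else "; ".join(problems))
```

On a Mac, feed the script the real output of the two commands named in the comments instead of the constructed samples.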
Even if data encryption is not a requirement for an app, you can apply this policy simply to ensure that users run the app only on devices that are secured with a passcode.
The User Experience
When a user attempts to open an app with the Data Protection Enforcement policy applied, Apperian checks that the app and its distribution provisioning profile have the Data Protection (Complete Protection) entitlement enabled, the device is running iOS 8 or higher, and a passcode is enabled on the device. If these conditions are met, the app opens.
If any of these conditions are not met, Apperian displays the following message and the app closes: