This article describes Miradore’s device encryption configuration profile for Android. This configuration is available for customers of all subscription levels. Encryption configuration requires Miradore’s Android client version 2.3.3 or newer.
What does device encryption configuration do?
Device encryption configuration for Android sets a requirement to the target device that storage encryption should be enabled. This configuration also shows a status bar notification to the user. It is visible until the user either accepts or declines the encryption request. Device encryption cannot be forced without user consent.
It should be noted that it may vary between devices what is actually encrypted. It depends on how the manufacturer has decided to support this feature. Here is an excerpt from Android’s developer documentation, which makes no guarantees on what is actually encrypted: “This policy controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted, and this policy does not require or control the encryption of any other storage areas.“
Things to consider before using this configuration
There are multiple issues that should be taken into consideration when enabling this configuration. None of these issues are something we can affect, but are features of the Android platform itself, or features of a specific device type.
- Device encryption cannot be disabled without wiping the whole device
- The encryption might not be as secure as required, if the device is not secured with a password.
An excerpt from the official documentation: “On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require (and check for) a pattern, PIN, or password.“
In Miradore, this can be seen in device inventory. If the value for encryption status is Encrypted with user key, it means that the user has set up a password which is used in device encryption. If the value is Encrypted with default key, it means that encryption uses a key generated by the device. Default key is always more unsafe, as in theory an attacker might be able to extract the password from the device, unlike with a key that only the end user knows. If the values is just Enabled, the device has an older Android version that isn’t able to report which is the case.
- Encrypting the device might require the device to be wiped. We are not aware of devices that actually require a wipe, but according to documentation, this is possible.
An excerpt from the official documentation regarding the encryption dialog states: “However, on some devices this activity may never return, as it may trigger a reboot and in some cases a complete data wipe of the device.“
How to deploy an encryption configuration to a device
First you need to create a new configuration profile and configure it. Start by navigating to Mobile management > Configuration profiles and creating a restrictions configuration for Android. See Creating a configuration profile for more details.
Currently there is only one setting, Device encryption enabled, which has to be enabled for the configuration to do anything.
How to disable encryption configurations
Unfortunately, encryption can only be disabled by wiping the whole device.