Data Sharing protection allows you to constrain what kind of data users can share between apps. This data includes:
- App data:
  - Copy Paste: Copy and paste between a protected app and another app.
  - Drag and Drop: Drag and drop text, files, and images between a protected app and another app.
  - Preferred apps: Open links and attachments in approved external apps.
  - Privacy screen: Block app screens from appearing in app switcher (iOS and Android) and disable screenshots (Android).
- Security data:
  - Grouped apps: Share Local App Authentication, Secure Microtunnel, and Single Sign-On credentials, and Data at Rest encryption keys with affiliated apps. Also allow copy and paste between grouped apps.
The Mobile User Experience
Block Copy and/or Block Paste controls whether mobile users may copy text, images, or other data in a protected app and paste into another app. It does not affect copying and pasting within an app.
- Block copy: If a user tries to copy data from a protected app into another app, the data isn’t available. This option is available whether Block paste is enabled or not.
- Block paste: If a user tries to paste data into a protected app from another app, the data isn't available. This option is only available if you have enabled Block copy.
When the Data Sharing policy is applied and enabled to block both copy and paste, copying from one app to another is blocked. No data is pasted, and no error appears.
Apps secured with the grouped apps setting are always allowed to copy and paste between grouped apps, whether the copy paste settings are enabled or not. If the copy paste settings are enabled, they must be the same for all apps in the same group.
See Data Sharing copy and paste scenarios for more use cases.
Drag and Drop
Block drag and/or Block drop controls whether mobile users may use drag and drop to copy text, images, or other data in a protected app and paste into another app. Drag and drop is only available on iOS 11+; Block drag and Block drop only apply when the app allows drag and drop.
- Block drag: If a user tries to copy data from a protected app into another app via drag and drop, the data isn’t available. This option is available whether Block drop is enabled or not.
- Block drop: If a user tries to paste data into a protected app from another app via drag and drop, the data isn't available. This option is only available if you have enabled Block drag.
When the Data Sharing policy is applied and enabled to block both drag and drop, copying from one app via drag and drop to another is blocked. No data is pasted, and no error appears.
The privacy screen prevents data compromise when a protected app appears in the task switcher. Usually, the task switcher shows the most recent app screen when scrolling through the open apps. To avoid exposing app data this way, you can enable the privacy screen. The privacy screen behavior varies per device.
On Android, the privacy screen setting replaces the app screen with a device-specific screen, often a black or white screen. On Android, the privacy screen feature also disables screenshots and screen sharing for the protected app.
On iOS, this setting replaces the app screen with the background image from the App Customization policy, either the Blue Cedar background or one you have customized. If you are not using App Customization, this setting replaces the app screen with a white screen. If you go to the task switcher while the protected app is in the foreground, the screen shown in the task switcher is the current app screen. The privacy screen only appears when you have switched away from the app.
All apps that are secured with this setting must also be configured with the same Local App Authentication and Secure Microtunnel profiles. This combination allows all grouped apps to share a common PIN, one-time enrollment, and Data-at-Rest key.
When using the Local App Authentication policy, each grouped app uses the same passphrase—if a member app changes the passphrase, it changes for each app in the group. Users only need to enter the passphrase once to unlock the rest of the apps in a group of apps, unless the Local App Authentication policy requires re-authentication when switching between apps.
Idle timeout is calculated for the entire group. For example, if a user authenticates with a Local App Authentication PIN to one app, then switches to another app in the group, neither app times out. In other words, even though the first app is idle, the group as a whole is not idle.
If mobile users need to force the grouped apps to log out, they can do so from the Blue Cedar Information screen. Bring any of the grouped apps to the foreground, and while the Blue Cedar screen is still displayed, tap the info circle (labeled i) at the bottom of the screen. The Information screen appears. Users can tap Logout and confirm. The next time a grouped app opens, they need to re-enter Local App Authentication credentials.
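The settings rules stated above (Block paste depends on Block copy, Block drop depends on Block drag, and grouped apps must share copy and paste settings plus Local App Authentication and Secure Microtunnel profiles) can be checked mechanically before a policy is rolled out. The following is an added example, not Blue Cedar code: the inventory format and every field name in it are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Settings the page says must match across every app in a group.
GROUP_FIELDS = ("block_copy", "block_paste", "laa_profile", "microtunnel_profile")

# Constructed sample inventory; the field names are assumptions for this example.
SAMPLE_APPS = [
    {"app": "mail", "group": "corp", "block_copy": True, "block_paste": True,
     "block_drag": True, "block_drop": True,
     "laa_profile": "pin-6", "microtunnel_profile": "gw-east"},
    {"app": "docs", "group": "corp", "block_copy": True, "block_paste": False,
     "block_drag": False, "block_drop": True,
     "laa_profile": "pin-6", "microtunnel_profile": "gw-west"},
    {"app": "notes", "group": None, "block_copy": False, "block_paste": True,
     "block_drag": False, "block_drop": False,
     "laa_profile": "pin-4", "microtunnel_profile": "gw-east"},
]

def check_dependencies(app):
    """Block paste requires Block copy; Block drop requires Block drag."""
    issues = []
    if app["block_paste"] and not app["block_copy"]:
        issues.append((app["app"], "block_paste requires block_copy"))
    if app["block_drop"] and not app["block_drag"]:
        issues.append((app["app"], "block_drop requires block_drag"))
    return issues

def check_groups(apps):
    """Report each group-wide setting that differs between member apps."""
    groups = defaultdict(list)
    for app in apps:
        if app["group"]:  # ungrouped apps have no group-wide constraint
            groups[app["group"]].append(app)
    issues = []
    for name, members in sorted(groups.items()):
        for field in GROUP_FIELDS:
            values = {m[field] for m in members}
            if len(values) > 1:
                issues.append((name, field, sorted(values, key=str)))
    return issues

def audit(apps):
    """Run both checks and return (dependency_issues, group_issues)."""
    deps = [issue for app in apps for issue in check_dependencies(app)]
    return deps, check_groups(apps)

if __name__ == "__main__":
    for finding in sum(audit(SAMPLE_APPS), []):
        print(finding)
```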
Updating grouped apps
If you are updating a grouped app to a non-grouped app, or updating from a non-grouped app to a grouped app, Blue Cedar recommends asking your users to delete the old version and install the new version rather than updating in place. This is because the key used to sign grouped apps is different from the key used to sign individual apps.
When a user is using a protected app and requests an external app (for example, to open a web site in an external web browser, or to open a document in an app specific to that file type), the preferred apps settings control what happens.
- If "Block data sharing with all external apps" is applied, users receive alerts informing them that external apps are not allowed.
- The Web Links options control if and how web links open. The user sees one of these behaviors, depending on the web links setting:
  - Web links don't open at all.
  - Web links open only in Compass.
  - Web links follow the device's default behavior. For example, there might be a default browser for the device, or the device may present the user with a choice of all browser apps.
- The data (link or attachment) opens in an approved app. The app lists specify which apps are explicitly trusted on Android and iOS. These trusted apps don't necessarily have to be secured with Blue Cedar.