Encrypted Data at Rest profiles

When you apply the Encrypted Data at Rest policy to an app, you choose a profile that specifies a list of exceptions (perform or bypass encryption/decryption on a file). You can create as many Encrypted Data at Rest profiles as you want. 

Use these parameters in the JSON structure when you apply the Encrypted Data at Rest policy (POLICY_CODE_DAR) to the app with app-market/policy.


A list of JSON objects with location, pathMatch, platforms, and appId keys. The DAR policy does not encrypt any files identified by these rules:

  • location: 
    • sandbox: Common area on iOS and Android for files internal to the app.
    • sdcard: Area for Android apps to write files for external storage.
  • pathMatch: File or path pattern to match. The * wildcard matches any string, including paths and ".".
  • platforms: Android and/or iOS.
  • appId: Apply this rule only to the app that matches the appId. To apply the exclusion rule to all apps, use the wildcard "*".
intercept_foundationUsed for debugging per direction of Support; disables Objective C interception layer.
null_cipherUsed for debugging per direction of Support; disables confidentiality.

Encrypted Data at Rest API resources

To manage DAR profiles, use these resources:

  • profile : Use type="dar" to create a DAR profile. See example below.
  • profile/catalog/{policytype} : Use "dar" for "{policytype}". GET returns an array of details for all policy profiles of the specified type.
  • profile/{GUID} : Use the profile ID to specify a policy profile. GET returns details for the specified profile, PUT updates the details in the specified profile, and DELETE archives the profile.
  • settings/dar-default-profile (settings/{policytype}-default-profile):  POST sets one of the DAR profiles as the default. GET returns the GUID of the current default profile. DELETE archives the current default.

To retrieve details for the policy:

  • app-policy/{GUID} : Use the policy ID to specify a policy. GET returns details for the specified policy.
  • app-policy/code/{code} : Use POLICY_CODE_DAR to specify the policy. GET returns details for the specified policy.

To secure apps with DAR policy, use these resources:

Creating an Encrypted Data at Rest profile

This example creates a DAR profile with the profile API, specifying all options.


curl -k -v -L -b c.txt -c c.txt -X POST http://bc.qwe.com/mocana-app-control/rest/profile \
  -F name="TestProfile" \
  -F type="dar" \
  -F desc="Default Profile" \
  -F data="{\"null_cipher\":true,\"intercept_foundation\":true, \
    \"exceptions\":[{\"location\":\"sandbox\",\"pathMatch\":\"databases\", \
    \"platforms\":[\"android\",\"ios\"],\"appId\":\"*\"}, \


{"message": "",
 "profiles": {
   "data": {
     "profile_data": "{\"null_cipher\":true,\"intercept_foundation\":true,
     "profile_data_id": "d02c51ac-e15b-4e5d-9ea3-aaeba4848dcf",
     "profile_data_stamp": "2016-08-19 15:15:07.0"
   "profile_desc": "Default Profile",
   "profile_id": "fababbaf-a5f9-4431-8e0e-39a213fc140e",
   "profile_name": "TestProfile",
   "profile_type": "dar",
   "profile_url": "http://bc.qwe.com/mocana-app-control/rest/profile/fababbaf-a5f9-4431-8e0e-39a213fc140e"
 "status": "OK"

On this page

Related topics