Data Loss Prevention
The Data Loss Prevention settings are grouped into two sections, found under App Enhancement / Blue Cedar Enforce / Protect Data / Data Loss Prevention:
- Data at Rest (DAR)
- Data Sharing
Data at Rest
Data at rest (DAR) encryption encrypts each piece of app data before it is saved on the mobile device, shielding it from malware, rogue apps, and attackers who target the device storage. When the app needs an encrypted piece of data, the integrated DAR layer decrypts it transparently.
Although you apply DAR encryption to the app when you run your workflow, this does not encrypt the entire secured app. (Otherwise, it would not be able to run on the device.) The DAR option encrypts the data that the secured app generates. For example, if you apply DAR to a browser app, the data downloaded by the browser would be encrypted.
The DAR profile is a collection of settings to apply with the DAR policy.
Option | Description
---|---
Encryption | Choose one of the three Encryption options.
Exceptions | Available when you select the third Encryption option: the "Add an Exception" button appears. Add a file or path pattern to identify files that should not be encrypted. Each exception consists of an Exception Type and a File/Path Pattern.
DAR notes
Optimizing security
For maximum security, apply the Authentication sub-step together with the Data at Rest sub-step. DAR encryption uses Authentication when it is enabled, but does not require it.
App updates and installations
When you use Data at Rest encryption, data can be lost on the mobile user's device in the following cases. This data loss may cause unexpected app behavior.
- If the user uninstalls the app: all data associated with the app is deleted.
- If the user installs an unprotected version of the app after using a protected version: when a user replaces an app secured with the DAR policy with a version that does not use the DAR policy, the encrypted data stays on the device but the encryption key is deleted, so the encrypted files can no longer be decrypted. There is no way to recover this data once the secured app has been replaced. To remove the DAR policy from an app you have already deployed to users' devices, give users a way to sync their app data out of the app before they upgrade.
- If the user installs a protected version of the app after using an unprotected version: the existing data remains unencrypted. Only new data generated by the secured app is encrypted.
Updating apps
If you are updating an app secured with DAR to one not secured with DAR, or the other way round, Blue Cedar recommends asking your users to delete the old version and install the new version rather than updating in place.
- Provide a way to back up or sync users' data before they switch between DAR-protected and unprotected versions of the app.
- A fresh app install avoids the data loss that results from a mix of encrypted and unencrypted data files.
If a user upgrades from a DAR-secured version of an app to a new version of the app, secured with the same DAR policy, the existing data is preserved.
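The following simulation, added here as an illustration and not Blue Cedar's own code or file format, ties together the Exceptions table above and the update scenarios in this section. It assumes the three Encryption options are "none", "all" and "all except exceptions", that File/Path Patterns are glob-style, and it uses an HMAC-SHA256 counter-mode construction plus a `DAR1` file marker as stand-ins for the product's real cipher and on-disk format. It shows which paths a profile encrypts, that data written before an upgrade to a DAR build stays in plaintext, and that encrypted files become unrecoverable once the key goes away with a replaced protected build.

```python
import fnmatch
import hashlib
import hmac
import os

# Constructed file marker for this example; the real secured-app format is not documented here.
MAGIC = b"DAR1"


class DataUnrecoverable(Exception):
    """Raised when an encrypted file exists but no key can decrypt it."""


class DarProfile:
    """Assumed names for the three Encryption options: 'none', 'all', 'all_except'."""

    def __init__(self, mode, exceptions=()):
        if mode not in ("none", "all", "all_except"):
            raise ValueError("unknown Encryption option: %r" % mode)
        self.mode = mode
        self.exceptions = list(exceptions)  # File/Path Patterns, assumed glob syntax

    def should_encrypt(self, path):
        if self.mode == "none":
            return False
        if self.mode == "all":
            return True
        # Third option: encrypt everything except paths matching an exception.
        # Note: fnmatch's '*' also matches '/', so 'cache/*' covers nested paths.
        return not any(fnmatch.fnmatchcase(path, pat) for pat in self.exceptions)


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the real DAR cipher)."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: MAGIC || nonce(16) || tag(32) || ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + tag + ct


def unseal(key, blob):
    nonce, tag, ct = blob[4:20], blob[20:52], blob[52:]
    expected = hmac.new(key, MAGIC + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DataUnrecoverable("tag mismatch: wrong key or tampered file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DeviceStorage:
    """App sandbox on the device: files survive an update, the DAR key only lives
    with a protected build (key=None models an unprotected build)."""

    def __init__(self):
        self.files, self.key, self.profile = {}, None, DarProfile("none")

    def install(self, profile, key):
        self.profile, self.key = profile, key

    def write(self, path, data):
        if self.key is not None and self.profile.should_encrypt(path):
            self.files[path] = seal(self.key, data)
        else:
            self.files[path] = data

    def is_encrypted(self, path):
        return self.files[path].startswith(MAGIC)

    def read(self, path):
        blob = self.files[path]
        if not blob.startswith(MAGIC):
            return blob  # legacy plaintext written before DAR was applied
        if self.key is None:
            raise DataUnrecoverable("%s is encrypted but the DAR key is gone" % path)
        return unseal(self.key, blob)


def scenario_unprotected_to_protected():
    """Upgrade unprotected -> protected: old data stays plaintext, new data is encrypted."""
    dev = DeviceStorage()
    dev.write("notes/old.txt", b"written before DAR")          # constructed sample data
    dev.install(DarProfile("all_except", ["cache/*"]), os.urandom(32))
    dev.write("notes/new.txt", b"written after DAR")
    dev.write("cache/thumb.png", b"excepted by pattern")
    return {p: (dev.is_encrypted(p), dev.read(p)) for p in sorted(dev.files)}


def scenario_protected_to_unprotected():
    """Replace a protected build with an unprotected one: the key is gone, data is lost."""
    dev = DeviceStorage()
    dev.install(DarProfile("all"), os.urandom(32))
    dev.write("notes/secret.txt", b"only the protected app could read this")
    dev.install(DarProfile("none"), None)  # unprotected build replaces the secured app
    try:
        dev.read("notes/secret.txt")
        return "readable"
    except DataUnrecoverable:
        return "unrecoverable"


def roundtrip_ok():
    key = os.urandom(32)
    return unseal(key, seal(key, b"dar round trip")) == b"dar round trip"


if __name__ == "__main__":
    print(scenario_unprotected_to_protected())
    print(scenario_protected_to_unprotected())
```

The `read` path makes the practical point of the notes above: a file is either recognisably encrypted or it is legacy plaintext, and once the key is gone the encrypted ones fail closed rather than yielding garbage, which is why a sync step before a downgrade is the only way to keep that data.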
Data Sharing
Data Sharing protection lets you constrain what kinds of data users can share between apps. This data includes:
- App data:
- Copy Paste: Copy and paste between a protected app and another app.
- Drag and Drop: Drag and drop text, files, and images between a protected app and another app.
- Privacy screen: Block app screens from appearing in app switcher (iOS and Android) and disable screenshots (Android).
- Security data:
- Grouped apps: Share the Authentication sub-step, Secure Microtunnel and Single Sign-On credentials, and Data at Rest encryption keys with affiliated apps. Grouping also allows copy and paste between the grouped apps. Because grouped apps share the DAR key, every app in the group can read the others' encrypted data, so group only apps you trust equally.