Use the Data Loss Prevention (DLP) sub-step to prevent loss of corporate data in your apps and add local app encryption. You can configure the DLP controls to disable copy and paste from apps, disallow text drag and drop, restrict opening of links and attachments, block app data sharing and app information from appearing in the app switcher by using privacy screens.


Stage: App Enhancement
Step: Blue Cedar Enforce

Using this sub-step in a workflow

In the workflow builder for your app:

  • Add the App Enhancement stage.
  • Add the Blue Cedar Enforce step to the workflow.
  • Add the Data Loss Prevention sub-step to the Blue Cedar Enforce step.

Click on the options gear icon next to Data Loss Prevention in the workflow outline. Configure the options:

Data Loss Prevention

The configuration settings for Data Loss Prevention are organized in two sections, shown in the App Enhancement / Blue Cedar Enforce / Data Loss Prevention section of the workflow builder as these tabs:

  • Data at Rest
  • Data Sharing

Data at Rest

Data at rest (DAR) encryption protects each piece of app data before saving it on the mobile device, shielding it from malware, rogue apps, and hackers who attack the device storage. When the app needs an encrypted piece of data, the integrated DAR decrypts it.

Although you apply DAR encryption to the app when you run your workflow, this does not encrypt the entire secured app. (Otherwise, it would not be able to run on the device.) The DAR option encrypts the data that the secured app generates. For example, if you apply DAR to a browser app, the data downloaded by the browser would be encrypted.

The DAR profile is a collection of settings to apply with the DAR policy.

Option: Encryption

  • Do not encrypt. Default behavior.
  • Encrypt everything
  • Encrypt everything except the files/patterns listed below

Option: Exceptions

When you select the third Encryption option, the "Add an Exception" button becomes available. You can add a file or path pattern to identify files that should not be encrypted.

Exception Type:

  • App Sandbox: Common area on iOS and Android for files internal to the app.
  • SD Card: Area for Android apps to write files for external storage.

File/Path Pattern:

  • Paths/filenames to match. The * wildcard matches any string, including paths and ".".
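The following is an added example, not Blue Cedar's own code, that models the three Encryption options and the exception list as the page describes them: `*` matches any string, including path separators and `.`. It assumes that every other character in a pattern is literal, that a pattern is matched against the whole path relative to its area root, and that an exception applies only to the Exception Type (App Sandbox or SD Card) it was created for; the class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The three Encryption options from the DAR profile (labels as on the page).
ENCRYPT_NONE = "Do not encrypt"
ENCRYPT_ALL = "Encrypt everything"
ENCRYPT_EXCEPT = "Encrypt everything except the files/patterns listed below"


@dataclass
class DarException:
    exception_type: str   # "App Sandbox" or "SD Card"
    pattern: str          # File/Path Pattern; "*" matches any string


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a File/Path Pattern into an anchored regular expression.

    Each "*" becomes ".*" so it spans "/" and "." as the page states; every
    other character is escaped and matched literally (assumption).
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


@dataclass
class DarProfile:
    encryption: str = ENCRYPT_NONE          # default behavior on the page
    exceptions: List[DarException] = field(default_factory=list)

    def should_encrypt(self, area: str, path: str) -> bool:
        """Decide whether a file the secured app writes gets DAR encryption.

        `area` is the Exception Type the file lives in; `path` is relative to
        that area's root (assumption). Exceptions are only consulted for the
        third Encryption option and only within their own area (assumption).
        """
        if self.encryption == ENCRYPT_NONE:
            return False
        if self.encryption == ENCRYPT_ALL:
            return True
        for exc in self.exceptions:
            if exc.exception_type == area and pattern_to_regex(exc.pattern).match(path):
                return False          # listed exception: leave the file in the clear
        return True                   # not excepted: encrypt before it hits storage


# Constructed profile: cache files in the sandbox and video files on the SD card
# are left unencrypted; everything else the app generates is encrypted.
SAMPLE_PROFILE = DarProfile(ENCRYPT_EXCEPT, [
    DarException("App Sandbox", "Library/Caches/*"),
    DarException("SD Card", "*.mp4"),
])
```

Because `*` spans `/`, the pattern `*.mp4` on the SD Card area also matches files in subdirectories such as `Movies/clip.mp4`; a pattern written for one area does not affect the other.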
DAR notes

Optimizing security

For maximum security, apply the Authentication sub-step along with the Data at Rest sub-step. DAR encryption uses Authentication if enabled, but does not require it.

App updates and installations

When using the Data at Rest encryption, data can be lost on the mobile user’s device in these cases. This data loss may create unexpected app behavior.

  • If the user uninstalls the app

    All data associated with the app is deleted.
  • If the user installs an unprotected version of the app after using a protected version of the app:

    If the mobile user replaces an app that has been secured with the DAR policy with a version that doesn’t use the DAR policy, this process leaves encrypted data on the device and deletes the encryption key—any encrypted files on the user’s device cannot be decrypted. There is no way to recover this data once the secured app has been replaced.

    To remove the DAR policy from an app that you’ve deployed to users’ mobile devices, your users need a way to sync their encrypted app data before upgrading the app.
  • If the user installs a protected version of the app after using an unprotected version of the app:

    If you upgrade an app from a version that has not been protected with the DAR policy to a version that is protected with the DAR policy, the existing data remains unencrypted. Any new data generated by the secured app is encrypted.

Updating apps

If you are updating an app secured with DAR to an app not secured with DAR, or updating from an app not secured with DAR to an app secured with DAR, Blue Cedar recommends asking your users to delete the old version and install the new version rather than updating in place.

  • There should be a way to back up or sync the users' data before switching between DAR-protected and unprotected versions of the app.
  • A fresh app install avoids data loss from a mix of encrypted and unencrypted data files.

If a user upgrades from a DAR-secured version of an app to a new version of the app, secured with the same DAR policy, the existing data is preserved.


Data Sharing

Data Sharing protection allows you to constrain what kind of data users can share between apps. This data includes:

  • App data:
    • Copy Paste: Copy and paste between a protected app and another app.
    • Drag and Drop: Drag and drop text, files, and images between a protected app and another app.
    • Privacy screen: Block app screens from appearing in the app switcher (iOS and Android) and disable screenshots (Android).
  • Security data:
    • Grouped apps: Share Authentication sub-step, Secure Microtunnel, and Single Sign-On credentials, and Data at Rest encryption keys with affiliated apps. Also allow copy and paste between grouped apps.