Device encryption for Android
This article describes GoTo Resolve MDM's device encryption configuration profile for Android.
This configuration is available for customers of all subscription levels. Encryption configuration requires GoTo Resolve MDM's Android client version 2.3.3 or later. Full-disk encryption is not allowed on new devices running Android 10 and higher. For new devices, use file-based encryption.
Types of encryption
Full-disk encryption uses a single key to protect the whole of a device’s user data partition. The key is protected with the user’s device password. This is good for security, but it also means that most of the phone’s core functionality is not available until the user unlocks the device after a reboot.
File-based encryption makes it possible for different files to be encrypted with different keys that can be unlocked independently. It enables a feature called Direct Boot, which allows encrypted devices to boot straight to the lock screen. Each user of the device has two storage locations available to applications: Credential Encrypted storage, the default location, which is only available after the user has unlocked the device; and Device Encrypted storage, which is available both during Direct Boot mode and after the user has unlocked the device.
What does device encryption configuration do?
Device encryption configuration for Android sets a requirement on the target device that storage encryption must be enabled.
Note that what is actually encrypted may vary between devices, depending on how the manufacturer has chosen to support this feature. Android's developer documentation makes no guarantees about what is actually encrypted: "This policy controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted, and this policy does not require or control the encryption of any other storage areas."
Things to consider before using this configuration
There are multiple issues to take into consideration before enabling this configuration. None of them is something we can influence; they are features of the Android platform itself, or of a specific device type.
- Device encryption cannot be disabled without wiping the whole device
- The encryption might not be as secure as required if the device is not secured with a password.
An excerpt from the official documentation: "On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require (and check for) a pattern, PIN, or password."
In GoTo Resolve MDM, this can be seen in the device inventory. If the value for encryption status is Encrypted with user key, the user has set up a password that is used in device encryption. If the value is Encrypted with default key, encryption uses a key generated by the device. The default key is always less safe: in theory, an attacker might be able to extract it from the device, unlike a key that only the end user knows. If the value is just Enabled, the device runs an older Android version that cannot report which of the two is the case.
- Encrypting the device might require the device to be wiped. We are not aware of devices that actually require a wipe, but according to documentation, this is possible.
An excerpt from the official documentation regarding the encryption dialog states: "However, on some devices this activity may never return, as it may trigger a reboot and in some cases a complete data wipe of the device."
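The three inventory values described above map onto the encryption status codes that Android's DevicePolicyManager reports to a device admin app. The following Java helper is an added illustration, not GoTo Resolve MDM's own client code: the class and method names are hypothetical, and the labels for the intermediate states ("Encrypting", "Not encrypted") are assumed, while the three labels from the inventory are taken from this article.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;

// Hypothetical helper (not part of GoTo Resolve MDM): interprets the platform's
// storage-encryption status the way the inventory values described above do.
public final class EncryptionStatusCheck {

    /** Inventory-style label for a DevicePolicyManager encryption status code. */
    public static String label(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER:
                return "Encrypted with user key";     // key protected by the user's credential
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY:
                return "Encrypted with default key";  // device-generated key, not fully secured
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return "Enabled";                     // older platform: cannot tell which key is used
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
                return "Encrypting";                  // assumed label
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
                return "Not encrypted";               // assumed label
            default:
                return "Unsupported";
        }
    }

    /** True when encryption is on but the key is not tied to a user credential, so a
     *  screen-lock policy (pattern, PIN or password) should be required as well. */
    public static boolean needsPasswordPolicy(int status) {
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY;
    }

    /** Requests storage encryption (what the "Device encryption enabled" setting asks for)
     *  and reports the resulting status. The caller must be an active device admin. */
    public static String enforce(DevicePolicyManager dpm, ComponentName admin) {
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            return "Unsupported";
        }
        // Sets the policy only; the device may still need a reboot (or, per the docs, a wipe)
        // before the status changes, so the value read back is the current state, not a promise.
        dpm.setStorageEncryption(admin, true);
        int status = dpm.getStorageEncryptionStatus();
        String report = label(status);
        if (needsPasswordPolicy(status) && !dpm.isActivePasswordSufficient()) {
            report += " (screen lock does not meet policy; key may not be fully secured)";
        }
        return report;
    }
}
```

On devices using file-based encryption the call to setStorageEncryption has no effect, because encryption is already on; the status read back is what matters for the inventory.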
How to deploy an encryption configuration to a device?
Create a new configuration profile and configure it. Start by navigating to Management > Configuration profiles > Device encryption and creating a restrictions configuration for Android. See Creating a configuration profile for more details.
Currently, there is only one setting, Device encryption enabled, which has to be enabled for the configuration to do anything.
How to disable encryption configurations?
Unfortunately, encryption can only be disabled by wiping the whole device.