Ask Slashdot: Managing Encrypted Android Devices In State and Local Gov't?
An anonymous reader writes "I am a systems administrator for a mid-size state agency. We currently offer Blackberries to our staff, but we are migrating to Android devices in the near future. Since phones have sensitive data (email, documents, etc.), what is a good choice for encrypting that data? Options abound, like OS-level encryption from Motorola and Samsung, third-party apps from GoTrusted and even a LUKS port for Android. Does anyone have experience managing encrypted Android devices? What are the important features I should be looking at? Many thanks in advance." (And, for that matter, are there good options for doing the same with iPhones? Other options to consider?)
Re:iPhone (Score:5, Informative)
Considering that any meaningful encryption (I will assume you want some sort of volume group/full disk encryption) will require root access and probably a custom kernel module, you will need Android.
iOS devices have AES 256 encryption baked right into the hardware inside the DMA path between flash storage and the main system memory. It's always enabled, and can't be disabled by users, administrators, or anyone else [apple.com]. No custom kernel modules required -- XNU already has built-in AES 256 support, and the platform already implements it for each and every device.
Yaz
iOS has encryption and management built-in (Score:5, Informative)
I'm a former Apple engineer, current independent consultant, so I'm not going to address the Android side. That's a lot more complicated -- I'll stick with talking about the iOS info that I know about.
That said, wow, there's a lot of snarky comments but not a lot of information posted.
iOS has full-device hardware encryption built-in on the iPhone 3GS and later, activated as soon as you set up a passcode. This top-level encryption layer is for quick device wipes, not for data protection. Each user data file is then encrypted on top of that using its own unique key, then set into a protection class by the app developer:
- Complete Protection - decrypted only when the device is unlocked; file key is removed from memory when the device is locked.
- Protected Unless Open - decrypted when the device is unlocked; if file is open when the device locks, the file stays open/decrypted.
- Protected Until First User Authentication - decrypted on first unlock, stays decrypted until reboot
- No Protection - file system encryption only; no per-file encryption key
Apple has really been on developers' cases to tighten down the data protection classes for their apps on iOS.
In addition, iOS has a huge number of remote management options. Apple provides a basic management tool called Profile Manager in Lion Server, and there are third-party Mobile Device Managers (MDMs) that take the basics and go even further. You can force complex passcodes, pre-configure e-mail accounts, restrict usage of features, and so on. The enterpriseios.com site has a pretty complete listing.
One of the cool things about using iOS MDM is that all of the configuration profiles are tied to the management profile that gets installed when the device is first enrolled with the MDM. If you're in a BYOD situation and a user leaves on bad terms, the IT department can retract the management profile, which automatically retracts all of the other configuration profiles. This will delete corporate e-mail accounts, remove in-house apps (and their data!), take away VPN and 802.1X access, and so on, without erasing the person's device entirely. All of the pictures the person took are still there, not blown away as they would be after a complete device wipe.
Anyway, a few links that may help you out:
http://www.apple.com/iphone/business/integration/ [apple.com]
http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf [apple.com]
http://www.enterpriseios.com/ [enterpriseios.com]
http://consultants.apple.com/index.php [apple.com] - look for consultants with the Mobility specialization
https://help.apple.com/advancedserveradmin/mac/10.7/ [apple.com] - go into "Manage Users" --> "Profile Manager" on the right
Hope this helps.
--Paul
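The four data protection classes Paul lists above are assigned per file by the app developer, and an administrator evaluating an in-house app will want to see which class its files actually carry. The following Swift snippet is an added example, not code from Paul's post or from Apple; it uses the public Foundation API (`Data.WritingOptions`, `FileManager.attributesOfItem(atPath:)`, `FileAttributeKey.protectionKey`) to write a file under Complete Protection, to audit the class of every file in a directory, and to raise an existing file's class. The file names and sample contents are constructed for illustration, and the classes are only enforced on a passcode-protected iOS device.

```swift
import Foundation

// Map each protection class named in Paul's list to the Data.WritingOptions
// flag that assigns it when the file is first written.
let protectionOptions: [String: Data.WritingOptions] = [
    "Complete Protection":                       .completeFileProtection,
    "Protected Unless Open":                     .completeFileProtectionUnlessOpen,
    "Protected Until First User Authentication": .completeFileProtectionUntilFirstUserAuthentication,
    "No Protection":                             .noFileProtection,
]

/// Write `payload` to `url` under Complete Protection: the per-file key is
/// dropped from memory when the device locks, so the contents stay unreadable
/// until the passcode is entered again.
func writeWithCompleteProtection(_ payload: Data, to url: URL) throws {
    try payload.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Report the protection class of every regular file under `directory`.
/// Files that come back as `.none` rely only on the device-level layer, which
/// (as Paul notes) exists for fast wipes rather than for protecting data.
func auditProtectionClasses(under directory: URL) throws -> [(path: String, protection: FileProtectionType?)] {
    let fm = FileManager.default
    var report: [(path: String, protection: FileProtectionType?)] = []
    guard let walker = fm.enumerator(at: directory, includingPropertiesForKeys: [.isRegularFileKey]) else {
        return report
    }
    for case let fileURL as URL in walker {
        let values = try fileURL.resourceValues(forKeys: [.isRegularFileKey])
        guard values.isRegularFile == true else { continue }
        let attrs = try fm.attributesOfItem(atPath: fileURL.path)
        // The attribute may surface as FileProtectionType or as its raw string;
        // accept either so the audit does not silently report "unknown".
        let raw = attrs[.protectionKey]
        let protection = (raw as? FileProtectionType)
            ?? (raw as? String).map(FileProtectionType.init(rawValue:))
        report.append((path: fileURL.path, protection: protection))
    }
    return report
}

/// Raise an existing file to Complete Protection without rewriting its
/// contents, the kind of tightening Paul says Apple has been asking for.
func upgradeToCompleteProtection(at url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete],
        ofItemAtPath: url.path)
}

// Example usage with a constructed file in the app's Documents directory
// (hypothetical file name; only meaningful on a passcode-protected device).
do {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let caseFile = docs.appendingPathComponent("case-notes.txt")
    try writeWithCompleteProtection(Data("constructed sample record".utf8), to: caseFile)
    for entry in try auditProtectionClasses(under: docs) {
        print("\(entry.path): \(entry.protection?.rawValue ?? "unknown")")
    }
} catch {
    print("data protection example failed: \(error)")
}
```

When reviewing an in-house app, running the audit against its Documents and Library directories shows at a glance whether anything sensitive was left at No Protection; the MDM passcode policy Paul mentions is what makes the stronger classes effective, since without a passcode the class keys are never wrapped.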