How to Encrypt an iPhone
What is Encryption?
On any device, encryption turns digital data (plaintext) into encrypted information (ciphertext), code that can only be accessed by someone with a valid encryption key.
Encryption isn’t perfect. Because it is code, anyone who can get hold of or break the encryption key used to encode the data can decipher it. It is important to understand that data sent to or from the device can be vulnerable, unless encrypted in transit. Application-specific data encrypted on a device may also become vulnerable if services with access to that information are hacked.
Understanding Data Protection and iPhone Encryption
iPhone data is encrypted by default when a user creates an Apple ID and passcode. With those in place, information is decrypted only when the device is unlocked. It is also decrypted when shared using some applications or sometimes when stored in iCloud.
The data that iPhone encryption protects includes:
- Wi-Fi settings, health, and location data.
- Safari, Messages, and call history.
- User-generated items such as photos.
- Any documents saved on the device.
Device backups stored in iCloud are not encrypted by default (see below). For that reason, in most cases, storage of enterprise data in personal iCloud accounts is not recommended.
Apple’s Platform Security guide explains how its iPhone security model, Data Protection, uses a hierarchy of software-based encryption keys supported by encryption technologies on the processor. As files are created on an iPhone, the system provides the hardware AES engine with a new 256-bit key used to encrypt and decrypt that file. The result: Only the authorized user can access those keys and those encrypted files.
In managed environments, admins can push policies out to their fleets to enforce encryption. Apple provides two channels to give IT systems control over devices: Those owned by an organization can use Automated Device Enrollment to automatically enroll systems into an MDM solution. Employee-owned devices can be enrolled via admin-provided Enrollment Profiles. Once either path is followed, the MDM solution can be used to enforce security and encryption policies and manage access to company assets while maintaining personal user privacy.
What to Know Before Enabling iPhone Encryption
An unencrypted device is an open book, and while iPhone encryption cannot be considered 100 percent safe, its protection is extremely difficult to break. Apple’s Data Protection system imposes very short delays when the device is unlocked, as decryption takes place. Once unlocked, anyone with access to the device can also access its data.
In most cases, standard iPhone encryption only requires users to create a passcode for their device. On MDM-enrolled devices, those codes can be set remotely. MDM systems can also revoke access to company-protected data if a device is lost or a user leaves the company.
Steps to Encrypt an iPhone
Encryption is enabled individually on an iPhone when you set up a passcode or Touch/Face ID to unlock the device. You can confirm that this is enabled in Settings > Face ID & Passcode, where you should see the phrase
Data protection is enabled at the bottom of the page.
Enable passcodes via MDM
MDM services can be used to enforce passcode requirements and settings. In Kandji, for example, the Passcode Library Item can enable admins to do things like require a passcode; disallow simple or short passcodes; require that passcodes use a mix of alpha, numeric, and complex characters; force occasional passcode resets; and more.
Additional Security Measures to Consider
Just as with Find My on consumer devices, if an iPhone is lost IT admins can use MDM solutions to erase all data held on the device. They can also remotely apply Activation Lock.
Encrypt Backup Files from iTunes and iCloud
Apple has always encrypted some data backed up to iCloud, but some critical data categories—including device and messages backups, iCloud drives, and photos—were left unencrypted. Apple is now introducing Advanced Data Protection for iCloud, which encrypts almost everything stored on iCloud. This is the only way to encrypt device backups stored in iCloud.
Reduce the Passcode Delay Time
If an iPhone uses Face or Touch ID or has payment cards saved in its Wallet, it will require passcode or ID verification immediately once it locks when unused. While users can change this by disabling biometric ID and deleting cards, admins can define control this duration via MDM.