Skip to content
Site Header
Pricing
Contact Sales Start Free Trial
Start Free Trial
background image

How to Encrypt an iPhone

Apple MDM Definitions

Back to Definitions

Table of Contents

What is Encryption?

On any device, encryption turns digital data (plaintext) into encrypted information (ciphertext), code that can only be accessed by someone with a valid encryption key.

Encryption isn’t perfect. Because it is code, anyone who can get hold of or break the encryption key used to encode the data can decipher it. It is important to understand that data sent to or from the device can be vulnerable, unless encrypted in transit. Application-specific data encrypted on a device may also become vulnerable if services with access to that information are hacked.

Understanding Data Protection and iPhone Encryption

iPhone data is encrypted by default when a user creates an Apple ID and passcode. With those in place, information is decrypted only when the device is unlocked. It is also decrypted when shared using some applications or sometimes when stored in iCloud.

The data that iPhone encryption protects includes:

See Kandji in Action

Experience Apple device management and security that actually gives you back your time.

Start Free Trial Contact Sales

  • Passwords.
  • Wi-Fi settings, health, and location data.
  • Safari, Messages, and call history.
  • User-generated items such as photos.
  • Any documents saved on the device.

Device backups stored in iCloud are not encrypted by default (see below). For that reason, in most cases, storage of enterprise data in personal iCloud accounts is not recommended.

Apple’s Platform Security guide explains how its iPhone security model, Data Protection, uses a hierarchy of software-based encryption keys supported by encryption technologies on the processor. As files are created on an iPhone, the system provides the hardware AES engine with a new 256-bit key used to encrypt and decrypt that file. The result: Only the authorized user can access those keys and those encrypted files.

In managed environments, admins can push policies out to their fleets to enforce encryption. Apple provides two channels to give IT systems control over devices: Those owned by an organization can use Automated Device Enrollment to automatically enroll systems into an MDM solution. Employee-owned devices can be enrolled via admin-provided Enrollment Profiles. Once either path is followed, the MDM solution can be used to enforce security and encryption policies and manage access to company assets while maintaining personal user privacy.

What to Know Before Enabling iPhone Encryption

An unencrypted device is an open book, and while iPhone encryption cannot be considered 100 percent safe, its protection is extremely difficult to break. Apple’s Data Protection system imposes very short delays when the device is unlocked, as decryption takes place. Once unlocked, anyone with access to the device can also access its data.

In most cases, standard iPhone encryption only requires users to create a passcode for their device. On MDM-enrolled devices, those codes can be set remotely. MDM systems can also revoke access to company-protected data if a device is lost or a user leaves the company.

Steps to Encrypt an iPhone

Enable passcode

Encryption is enabled individually on an iPhone when you set up a passcode or Touch/Face ID to unlock the device. You can confirm that this is enabled in Settings > Face ID & Passcode, where you should see the phrase Data protection is enabled at the bottom of the page.

Enable passcodes via MDM

MDM services can be used to enforce passcode requirements and settings. In Kandji, for example, the Passcode Library Item can enable admins to do things like require a passcode; disallow simple or short passcodes; require that passcodes use a mix of alpha, numeric, and complex characters; force occasional passcode resets; and more.

Additional Security Measures to Consider

Delete data

Just as with Find My on consumer devices, if an iPhone is lost IT admins can use MDM solutions to erase all data held on the device. They can also remotely apply Activation Lock.

Encrypt Backup Files from iTunes and iCloud

Apple has always encrypted some data backed up to iCloud, but some critical data categories—including device and messages backups, iCloud drives, and photos—were left unencrypted. Apple is now introducing Advanced Data Protection for iCloud, which encrypts almost everything stored on iCloud. This is the only way to encrypt device backups stored in iCloud.

Reduce the Passcode Delay Time

If an iPhone uses Face or Touch ID or has payment cards saved in its Wallet, it will require passcode or ID verification immediately once it locks when unused. While users can change this by disabling biometric ID and deleting cards, admins can define control this duration via MDM.

Featured Resources:

Learn about Apple Device Management

Visit the Kandji Blog for more content

Read the Apple MDM Buyers Guide

More Kandji Content

  • ResourcesApple in the Enterprise Report 2024

    Apple in the Enterprise Report 2024

    Discover the trends shaping enterprise technology as Apple devices continue to gain ground in the corporate world.

    Learn more
  • Virtual EventKandji June Product Update 2024

    Introducing Assignment Maps

    Watch the virtual event recap from our latest product announcement. Kandji unveils new assignment features and automations that make administration easy and efficient regardless of scale and complexity.

    Watch the event
  • From The Customer StoriesDemandbase Saves 50 Hours a Month

    Demandbase Saves 50 Hours a Month with Automated Device Management

    Read how Demandbase reduced Mac-related support tickets by 75% after switching to Kandji.

    Keep reading
Background Amber waves

Manage and secure your Apple devices at scale.

Start Free Trial