The Security page adds additional security settings for Android devices to protect sensitive data from unauthorized access to the device database. As part of the enrollment process, end users will create a passphrase code, which generates a key used to access the device database. When Key Encryption With User Input is enabled on the Security page and someone tries to access the database without that passphrase, access is denied. To enable this feature, Single Sign On must be enabled through the AirWatch SDK.

What can you do with Security Settings page

To access the Service Application settings navigate to: Groups & Settings > All Settings > Devices & Users > Android > Security.

  • Adds additional security settings for Android devices

Determine your Organization group hierarchy

Before you review and modify the settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choice. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

The passphrase requirements can be set to allow the end user to only enter the passphrase during enrollment for a one-time prompt by enabling Allow Remember Authentication.

Important: If you enable Allow Remember Authentication, this stores the user key on the device but renders the sensitive data vulnerable to unauthorized access.
Note: In order for the Workspace ONE Intelligent Hub for Android to share an application passcode or SSO session with other SDK apps, you must enable Key Encryption with User Input.
Setting Description
Key Encryption with User Input Allows the Workspace ONE Intelligent Hub to encrypt the sensitive data with a user-derived key. Enable this only when required.
Allow Remember Authentication Enable to save the user-derived key on the device so it does not need to be entered each time.
  • Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.