What is Android encryption and how does TinyMDM protect your data?

26th of November 2021

With remote work now widespread and mobile devices used more and more often for professional purposes, many security flaws are being detected. A study recently published by NordLocker reveals that this year, the five countries where companies are the most attacked are the United States, the United Kingdom, Canada, France and Germany. This is yet another study confirming what you probably already know: it is essential today to protect your company’s data. Names, email addresses, passwords, credit cards… All of this data is hackable. Cybersecurity has become more and more important in the last few years and is now the focus of security concerns in the working world.

As a specialist in the management of Android devices within companies, TinyMDM protects the data circulating on mobiles through encryption.

What is data encryption?

Device encryption is an additional layer of protection for all data stored on your Android device. The process involves scrambling the data into unreadable code that cannot be decrypted by anyone without the password or recovery key that expressly allows it. Android supports two methods of device encryption:

Full Disk Encryption (FDE)

FDE has been available since Android 5, but was dropped as of Android 10. The FDE method uses the 128-bit AES encryption algorithm, or 256-bit on some devices, and its primary recovery key is kept in a Trusted Execution Environment (a fully secure execution environment).

File Based Encryption (FBE)

FBE has been available since Android 7, and is mandatory and automatically applied from Android 10. The FBE encryption method encrypts storage areas with unique, user-dependent recovery keys randomly generated by the AES 256-bit encryption algorithm. The keys are also protected by a component similar to the Trusted Execution Environment, as in the FDE implementation.

How does TinyMDM protect my data?

Today, any Android device that runs an operating system version higher than 6 and has the GMS (Google Mobile Services) license is always ready for encryption. Both of these requirements are also needed to be compatible with TinyMDM, since as an official Android EMM partner, we seamlessly integrate Android Enterprise (AFW) and thus the Android encryption protocol. In other words, if the device is not encrypted from the start (i.e. before Android 10), the encryption process is applied automatically when the device is enrolled in Android Enterprise, that is, when it is enrolled in TinyMDM.

In addition to data encryption, an EMM solution helps companies on other levels of cybersecurity: protection against malware, unwanted applications, device reset in case of theft, password policy implementation… All Android devices that a company manages via an EMM console such as TinyMDM automatically install a DPC (Device Policy Controller) application upon enrollment. A DPC is an agent that applies the management policies defined in the MDM console to the devices and ensures that the Android device complies with the security policy defined by the administrator.
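An independent check of the encryption state described above, as an added example that is not TinyMDM's code: it parses `adb shell getprop` output and applies the article's version rules (FDE or FBE before Android 10, FBE from Android 10). It assumes the standard Android properties `ro.crypto.state`, `ro.crypto.type` and `ro.build.version.sdk`; the function names and sample dumps are constructed for illustration.

```python
import re

# One line of `adb shell getprop` output looks like: [name]: [value]
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")
ANDROID_7_API, ANDROID_10_API = 24, 29

def parse_getprop(dump):
    """Parse getprop text into {property name: value}, skipping other lines."""
    matches = (PROP_LINE.match(line.strip()) for line in dump.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def encryption_report(dump):
    """Return (method, compliant, reason) for one device's getprop dump."""
    props = parse_getprop(dump)
    state = props.get("ro.crypto.state", "")
    ctype = props.get("ro.crypto.type", "")
    try:
        sdk = int(props["ro.build.version.sdk"])
    except (KeyError, ValueError):
        return ("unknown", False, "ro.build.version.sdk missing or malformed")
    if state != "encrypted":
        return ("none", False, f"ro.crypto.state={state or 'absent'}")
    if ctype == "file":
        method = "FBE"
    elif ctype == "block" or (not ctype and sdk < ANDROID_7_API):
        # Assumption: no type reported before Android 7 means FDE,
        # since the article dates FBE from Android 7.
        method = "FDE"
    else:
        return ("unknown", False, f"unexpected ro.crypto.type={ctype or 'absent'}")
    if sdk >= ANDROID_10_API and method != "FBE":
        return (method, False, "Android 10+ should use FBE")
    return (method, True, "encrypted")

# Constructed sample dumps (not captured from real devices).
SAMPLES = {
    "device-a": "[ro.build.version.sdk]: [29]\n[ro.crypto.state]: [encrypted]\n"
                "[ro.crypto.type]: [file]\n",
    "device-b": "[ro.build.version.sdk]: [28]\n[ro.crypto.state]: [encrypted]\n"
                "[ro.crypto.type]: [block]\n",
    "device-c": "[ro.build.version.sdk]: [23]\n[ro.crypto.state]: [unencrypted]\n",
    "device-d": "[ro.build.version.sdk]: [29]\n[ro.crypto.state]: [encrypted]\n"
                "[ro.crypto.type]: [block]\n",
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, encryption_report(dump))
```

On a real device the input would come from `adb shell getprop` run against each enrolled handset, which gives an audit that does not depend on the MDM console's own reporting.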

What about the work profile configuration (BYOD)?

The work profile provides a secure and protected separation between work and personal applications on the same device. The security policy is enforced via a DPC application installed in the work profile and controlled by TinyMDM. The separation of personal and business profile data is based on the multi-user logic of Android.


This means that even if the personal part of the Android device (e.g. on Android 6) is not encrypted, the business part will be encrypted automatically when the work profile is created via TinyMDM. In addition, file-based encryption (FBE), available from Android 6 onwards and mandatory on devices running Android 10 or higher, further strengthens data separation with different encryption keys for each profile.

To summarize

  • Android encryption is based on the AES 256-Bit algorithm
  • Starting with Android 10, the FBE encryption method is mandatory and automatically applied
  • All devices enrolled with TinyMDM (Android 6 and above, with the GMS license) are necessarily and systematically encrypted during the enrollment process
  • Using an EMM solution such as TinyMDM allows you to ensure, via the DPC, that the devices comply with the security policy set up by the company
