Category filter

What is Direct Boot Mode in Android?

Android is one of the most commonly used operating systems. The Google Android team had implemented a full-disk data encryption methodology to protect the data stored on Android devices. It is a hardware-centered encryption mode that uses a single authentication key for the entire device. The device encrypts the data and uses the PIN, password, or pattern for decryption. Hence, the data stored on the device cannot be accessed unless the user logs in. It protects the data from being accessed by outsiders even when the storage disk is inserted on another device. However, full-disk encryption exhibits some limitations.

Rebooting a full-disk encrypted Android device with a secure start-up causes its storage to remain encrypted. Moreover, the stored data becomes unavailable, provided the device stays locked. Thus, specific apps and system services do not work as expected unless the user unlocks the device by entering the password. Until the device is decrypted with the user’s login credentials, most applications are prevented from accessing the device storage. As a result, apps will no longer be able to perform essential operations such as scheduled notifications or alarms, and they may not run normally.

But with the introduction of file-based encryption on Android 7, this shortcoming is covered. An encrypted device no longer waits for decryption, consuming its remaining battery life until unlocked. Instead, the devices perform file-specific encryption that uses different keys to encrypt different files. Above all, the Direct Boot mode functionality supported by file-based encryption enables apps to perform a limited set of tasks in a restricted mode even before the user unlocks the device. Once the device reboots and is still unlocked, it enters into a specific mode called Direct Boot mode. During this mode, a device’s operating system is fully functional. However, access to private app data is constrained, and only applications registered with the system as encryption aware can access the Device encrypted storage to perform necessary operations.

Android uses two different storage locations to support Direct Boot mode:

  • Credential encrypted storage: The default storage location that is accessible once the user unlocks the device. It also means that this storage area remains accessible even when the user enables the lock screen after logging in. Apps configured to run on Direct Boot mode cannot access this encrypted storage area.
  • Device encrypted storage: This storage location is available during Direct Boot mode and after the user has unlocked the device. It contains data encrypted with a key available only after the device undergoes a verified boot. However, app components configured as Direct Boot aware can access the Credential encrypted storage once the device is unlocked.

The data stored on the Device encrypted storage is also encrypted but with a different key other than the user’s PIN/password/pattern. This key is associated with the physical device and is available following a successful reboot. The decryption proceeds soon after the device turn on, and the apps can access this storage after it. Thus, the users do not miss out on any app-based services when the device undergoes an unexpected reboot. It achieves the right balance between security and convenience.

Direct Boot mode for Hexnode MDM app

Not every application runs while the device is in Direct Boot mode by default. Yet, applications can take action during Direct Boot mode if their app components are configured to run on this mode. It enables work-critical or other relevant apps to operate without remaining idle until the user unlocks the device following the device reboot. These apps use the Device encrypted storage to access data while on Direct Boot mode.

Hexnode MDM/Hexnode for Work app supports a few operations while in the Direct Boot mode. It helps administrators to execute basic device management tasks in Direct Boot mode. The following remote actions can be executed on the devices during this mode:

  1. Scan Device
  2. Wipe Device

Other actions executed on the devices while on Direct Boot mode remain in either state, In Progress or Suspended, on the device’s Action History. The user has to unlock the device to execute any other operations.

Every file-based encryption-enabled device running Android 7.0 and higher supports Direct Boot mode per Android OS specifications. Hence, the ability to operate on Direct Boot mode is dependent on the OS version, hardware architecture, OEM and device model, etc.

Direct Boot mode for Hexnode for Work app

The Direct Boot mode works differently with work profiles. After a reboot, the work profile remains locked in Direct Boot mode until the user unlocks the work profile with the work profile password. Resultantly, apps in the work profile continue to be locked in the Direct Boot. In contrast, the apps outside the work profile can function normally after the user provides the login credentials.

  • Deploying and Managing Apps