We ran through the latest Windows Phone security overview PDF provided by Microsoft, and it has few details about how storing apps on the SD card will work. Remember that you need at least a Class 6 card, and preferably Class 10, to use that feature. Let me quote the relevant parts of the PDF:
Windows Phone devices have an SD card slot that allows users to store apps and data on an SD card. Windows Phone stores the apps on an encrypted SD card partition that is specifically designated for apps. This feature is always enabled, so there is no need to explicitly set a policy to have this level of protection. The Disable removable storage card policy prevents users from using SD cards altogether, but the primary advantage to the new SD card app partition encryption feature is that you can give users the flexibility to use an SD card while still protecting the confidential apps and data on the SD card. Windows Phone stores personal content (like photos and videos) on the SD card in an unencrypted partition so that the user can access the SD card on other devices and share content with others. If SD card use is enabled, users can sideload apps and upload data from the card. They can use this functionality to install apps that might be accessible by your MDM system as well, but any apps installed from the SD card must be signed by the Windows Phone Store or your organization’s certificate. And also note to sideload an app from an SD card, the device must be unlocked, which you can prevent by setting the Disable development unlock (side loading) policy.
On Information Rights Management
Windows Phone is one of the few smartphones that offers native support for IRM, enabling users to fully participate in IRM-protected email conversations and to access IRM-protected documents on their devices. Support for IRM in Windows Phone is based on Windows RMS. When IRM is employed, the data in rights-protected documents or email messages is encrypted, and only authorized users can view it. IRM can also be used to limit other rights to a document or message, such as limiting access to Read-only content, preventing anyone from copying content in the document or message, preventing email from being forwarded, or preventing the document or message from being printed. IRM relies on Windows RMS, a Windows Server–based technology that IT administrators can configure to manage the encryption keys for rights-protected documents. In addition, Windows RMS can be applied to email so that messages can circulate in a protected environment but not be forwarded outside the organization. Windows RMS can also be applied to documents that are attached to email or stored on Microsoft SharePoint servers, limiting distribution and editing capabilities and helping to prevent information from being leaked to unauthorized personnel. Organizations can use IRM in conjunction with Microsoft Office 365 services, such as SharePoint Online and Exchange Online. You can enable Windows Azure Active Directory Rights Management for your organization in Office 365 and use IRM just as you would if you had installed Windows RMS on your intranet. IT can configure IRM by using the Allow IRM over EAS policy in your MDM system or Microsoft Exchange Server. For more information about this policy, see the “Security-related policy settings” section later in this guide.
On S/MIME, TLS/SSL and VPN
New in Windows Phone 8.1 is S/MIME support, which allows you to digitally sign or encrypt email messages. The digital signature helps recipients know the authenticity of the sender and that the email message actually originated from the sender. Digital encryption encrypts the content of the email message and can be unencrypted by the authorized recipients only. S/MIME uses certificates that your MDM system manages or even virtual smart cards to perform encryption and signing.
Attackers commonly gain unauthorized access to information by viewing unencrypted data sent between devices and the services users access. Windows Phone provides a number of encryption methods for protecting the communication between the device and the services that manage your data, including Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Most web-based services use TLS or SSL for secure communication. Windows Phone supports TLS 1.0 – 1.2 and SSL 3.0 to help ensure that all communication is adequately protected. Windows Phone ships with several trusted root certificates that can be used with TLS and SSL, and you can easily add new trusted root certificates manually or through your MDM system.
In some instances, users require access to information that resides on servers on your organization’s private intranet. VPN connections are a common method for providing this type of secured access. You can require VPN connection encryption by configuring the VPN servers in your organization to require it. Windows Phone includes support for a number of VPN vendors in addition to Microsoft VPN connections. Windows Phone 8.1 introduces support for IKEv2, IPsec, and SSL VPN connections (the SSL VPN connections require a downloadable plug-in from the VPN server vendor). VPNs also require user (and optionally device) authentication to help further protect the VPN connection.
So basically, you will have an encrypted part of your SD card that is accessible only via a Windows Phone 8.1 device, and the rest of your card remains as usual. In that case I recommend formatting your card as exFAT as well 🙂