After the application firmware has been successfully programmed, mechanisms to protect the device can be activated.
Secure Access Port Protection (SECUREAPPROTECT) prevents the secure debugger from accessing the CPU and memories. This means that memory regions marked secure in the SPU and CPU while running secure code are inaccessible.
Access Port Protection (APPROTECT) prevents all debugger access to the CPU and memories. After enabling access port protection, only a full erase through the control access port (CTRL-AP) allows debugging or flash access. This can be done by performing a CTRL-AP erase all.
Erase Protection (ERASEPROTECT) prevents a CTRL-AP erase all from lifting the access port protection. When this feature is enabled, a debugger must first authenticate with the firmware through the CTRL-AP MAILBOX and ERASEPROTECT.DISABLE registers before a CTRL-AP erase all is possible.
For more information on settings to protect the device, see Enabling device protection in nAN41 - nRF9160 Production Programming and nRF9160 CTRL-AP - Control access port in nRF9160 Product Specification.