Updating the BlackBerry Dynamics application policy file

During a SafetyNet attestation process, BlackBerry UEM uses the app response to verify that it is communicating with the official version of the app. You must provide this information in the application policy file.

Consider the following example from the Greetings Client sample app in the BlackBerry Dynamics SDK:

    <?xml version="1.0" encoding="utf-8"?>
    <apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xmlns:apd="urn:AppPolicySchema1.good.com"
                             xsi:schemaLocation="urn:AppPolicySchema1.good.com AppPolicySchema.xsd">
      <pview>
        <pview>
          <sendto client="None" />
          <desc>SafetyNet Attestation Supported</desc>
          <pe ref="apkCertificateDigestSha256" />
          <pe ref="apkPackageName" />
          <pe ref="Description" />
        </pview>
      </pview>
      <setting name="apkCertificateDigestSha256">
        <hidden>
          <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
          <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
        </hidden>
      </setting>
      <setting name="apkPackageName">
        <hidden>
          <key>blackberry.appMetadata.android.apkPackageName</key>
          <value>com.good.gd.example.services.greetings.client</value>
        </hidden>
      </setting>
      <setting name="Description">
        <text>
          <key>snet</key>
          <label>Safety Net</label>
          <value>Safety Net</value>
        </text>
      </setting>
    </apd:AppPolicyDefinition>
The app is uniquely identified by the combination of the official package name (in the example above, the value of blackberry.appMetadata.android.apkPackageName) and the digest hash of the official signing key (in the example above, the value of blackberry.appMetadata.android.apkCertificateDigestSha256). To determine the digest hash, run the following keytool command, specifying the keystore and the key alias that were used to sign the app:

    keytool -list -v -keystore <KEYSTORE_NAME> -alias <KEY_NAME>
This command will provide a response like the following:
    Creation date: 4-Sep-2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Sample
    Issuer: CN=Sample
    Serial number: 27c738c9
    Valid from: Tue Sep 04 08:28:10 BST 2018 until: Wed Aug 22 08:28:10 BST 2068
    Certificate fingerprints:
         MD5:  4C:30:85:93:5E:96:12:90:CF:A0:77:48:A5:CA:63:8F
         SHA1: 3C:52:A0:2A:76:63:15:C9:20:C1:06:D9:4D:75:7C:14:D6:7C:30:BC
         SHA256: DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
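The SHA256 line above is the SHA-256 hash of the DER-encoded signing certificate, printed as colon-separated upper-case hex, and UEM rejects a value that is not in that form. The following added Python script (written for this page, not BlackBerry's code) reads the two hidden settings from a policy file, checks their format, and compares the digest with the fingerprint computed from certificate bytes; the certificate bytes, the sample policy and the exact format rules are constructed assumptions modelled on the example above.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Keys the BlackBerry Dynamics application policy file uses for attestation (from the page).
PACKAGE_KEY = "blackberry.appMetadata.android.apkPackageName"
DIGEST_KEY = "blackberry.appMetadata.android.apkCertificateDigestSha256"
# 32 upper-case hex byte pairs separated by colons, exactly as keytool prints "SHA256:".
DIGEST_RE = re.compile(r"^(?:[0-9A-F]{2}:){31}[0-9A-F]{2}$")
# Android package name: dot-separated Java identifiers, at least two segments (assumed rule).
PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+$")


def cert_fingerprint_sha256(der_cert: bytes) -> str:
    """keytool's SHA256 fingerprint is SHA-256 over the DER-encoded certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_cert).digest())


def read_hidden_settings(policy_xml: str) -> dict:
    """Map every <hidden><key> in the policy file to its <value>."""
    found = {}
    for hidden in ET.fromstring(policy_xml).iter("hidden"):
        key, value = hidden.find("key"), hidden.find("value")
        if key is not None and value is not None:
            found[(key.text or "").strip()] = (value.text or "").strip()
    return found


def check_policy(policy_xml: str, signing_cert_der: bytes = None) -> list:
    """Return the problems found in the attestation settings; an empty list means OK."""
    settings = read_hidden_settings(policy_xml)
    package, digest = settings.get(PACKAGE_KEY), settings.get(DIGEST_KEY)
    problems = []
    if package is None or not PACKAGE_RE.match(package):
        problems.append(f"{PACKAGE_KEY}: missing or malformed package name")
    if digest is None or not DIGEST_RE.match(digest):
        # A fingerprint pasted from line-wrapped keytool output (stray space) fails here.
        problems.append(f"{DIGEST_KEY}: missing or malformed SHA-256 fingerprint")
    elif signing_cert_der is not None and cert_fingerprint_sha256(signing_cert_der) != digest:
        problems.append(f"{DIGEST_KEY}: does not match the supplied signing certificate")
    return problems


# Constructed stand-in for the DER bytes of the app's signing certificate (not a real cert).
SAMPLE_CERT_DER = b"constructed DER certificate bytes for this example"


def sample_policy(digest: str) -> str:
    """Constructed policy file with the <setting> layout of the Greetings Client example."""
    return f"""<apd:AppPolicyDefinition xmlns:apd="urn:AppPolicySchema1.good.com">
  <setting name="apkCertificateDigestSha256"><hidden>
    <key>{DIGEST_KEY}</key><value>{digest}</value></hidden></setting>
  <setting name="apkPackageName"><hidden>
    <key>{PACKAGE_KEY}</key><value>com.good.gd.example.services.greetings.client</value>
  </hidden></setting></apd:AppPolicyDefinition>"""
```

Run `check_policy` against your own file with the DER export of the signing certificate to catch a wrapped or stale fingerprint before the administrator uploads the policy.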
After you update the application policy file, coordinate with the BlackBerry UEM administrator to upload the app to UEM (see Deploying your BlackBerry Dynamics app) and to upload the application policy file in the management console (see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide). Before the administrator uploads the application policy file, verify that the Android app package ID has been specified or that the app source file has been uploaded; both settings are configured in the app entitlement settings (Android tab) in the management console.

UEM validates the format of the input package name and digest hash. If you update the application policy file and upload the app again, it can take up to 24 hours for the change to synchronize to all UEM instances. When the app is uploaded again, it is removed from the current list of apps that are enabled for attestation and must be added again.