
Updating the BlackBerry Dynamics application policy file

During a Play Integrity attestation process, BlackBerry UEM uses the app response to verify that it is communicating with the official version of the app. You must provide this information in the application policy file.

To configure Play Integrity, you must provide a Play app signing key. You have two options: use the Google Play generated app signing key, or upload your own private app signing key. For information on finding your app signing keys in your Google Play Console, see Prerequisites for Play Integrity attestation. The digest hash in your application policy file must correspond to your Play app signing key in your Google Play Console.

Consider the following example from the Greetings Client sample app in the BlackBerry Dynamics SDK:
    <?xml version="1.0" encoding="utf-8"?>
    <apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:apd="urn:AppPolicySchema1.good.com"
        xsi:schemaLocation="urn:AppPolicySchema1.good.com AppPolicySchema.xsd">
      <pview>
        <pview>
          <sendto client="None" />
          <desc>Play Integrity Attestation Supported</desc>
          <pe ref="apkCertificateDigestSha256" />
          <pe ref="apkPackageName" />
          <pe ref="Description" />
        </pview>
      </pview>
      <setting name="apkCertificateDigestSha256">
        <hidden>
          <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
          <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
        </hidden>
      </setting>
      <setting name="apkPackageName">
        <hidden>
          <key>blackberry.appMetadata.android.apkPackageName</key>
          <value>com.good.gd.example.services.greetings.client</value>
        </hidden>
      </setting>
      <setting name="Description">
        <text>
          <key>snet</key>
          <label>Play Integrity</label>
          <value>Play Integrity</value>
        </text>
      </setting>
    </apd:AppPolicyDefinition>
The app is uniquely identified by the combination of the official package name (the blackberry.appMetadata.android.apkPackageName setting in the example above) and the SHA-256 digest hash of the official signing key's certificate (the blackberry.appMetadata.android.apkCertificateDigestSha256 setting in the example above). If the app is not publicly listed in the Google Play Store, you can read the certificate from the keystore using keytool. To determine the digest hash, run the following keytool command, specifying the keystore and the alias of the key that was used to sign the app:

    keytool -list -v -keystore <KEYSTORE_NAME> -alias <KEY_NAME>

This command prints a response like the following; the SHA256 certificate fingerprint is the digest hash that goes into the policy file:

    Creation date: 4-Sep-2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Sample
    Issuer: CN=Sample
    Serial number: 27c738c9
    Valid from: Tue Sep 04 08:28:10 BST 2018 until: Wed Aug 22 08:28:10 BST 2068
    Certificate fingerprints:
         MD5:  4C:30:85:93:5E:96:12:90:CF:A0:77:48:A5:CA:63:8F
         SHA1: 3C:52:A0:2A:76:63:15:C9:20:C1:06:D9:4D:75:7C:14:D6:7C:30:BC
         SHA256: DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
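A typo in the package name or a digest pasted from wrapped keytool output is the usual reason attestation silently fails, so it pays to check the policy file against the actual signing certificate before handing it to the UEM administrator. The script below is an added example, not code from the BlackBerry Dynamics SDK. It assumes the policy XML uses the setting/hidden/key/value structure shown above, that keytool's SHA256 fingerprint is SHA-256 over the DER-encoded certificate (the standard X.509 fingerprint, so the same value can be computed from an exported .cer or .pem file), and that package names follow the conventional Android rule of dot-separated identifiers starting with a letter (UEM's exact format check is not published on this page). The certificate bytes and the policy template in the script are constructed stand-ins.

```python
"""Check a BlackBerry Dynamics application policy file against the APK signing certificate.

Added example (not from the BlackBerry Dynamics SDK). Assumptions:
- the policy XML has the <setting><hidden><key>/<value> structure shown above;
- keytool's SHA256 fingerprint is SHA-256 over the DER-encoded certificate;
- the package-name rule is the conventional Android one (UEM's exact check is not
  documented here).
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

KEY_DIGEST = "blackberry.appMetadata.android.apkCertificateDigestSha256"
KEY_PACKAGE = "blackberry.appMetadata.android.apkPackageName"

_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
_DIGEST_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")  # 32 colon-separated octets

# Constructed stand-in for the DER bytes of a signing certificate (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes-for-the-example"
SAMPLE_PACKAGE = "com.good.gd.example.services.greetings.client"

# Constructed policy template mirroring the structure of the Greetings Client example.
POLICY_TEMPLATE = """<apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:apd="urn:AppPolicySchema1.good.com">
  <setting name="apkCertificateDigestSha256">
    <hidden><key>{digest_key}</key><value>{digest}</value></hidden>
  </setting>
  <setting name="apkPackageName">
    <hidden><key>{package_key}</key><value>{package}</value></hidden>
  </setting>
</apd:AppPolicyDefinition>"""


def load_certificate_der(path: str) -> bytes:
    """Read a certificate exported from the keystore; accepts DER or PEM encoding."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def fingerprint_sha256(cert_der: bytes) -> str:
    """SHA-256 fingerprint in keytool's colon-separated, upper-case form."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_digest(value: str) -> str:
    """Drop whitespace (a value wrapped across lines in keytool output) and upper-case."""
    return re.sub(r"\s+", "", value).upper()


def is_valid_package_name(name: str) -> bool:
    return _PACKAGE_RE.match(name) is not None


def is_valid_digest(value: str) -> bool:
    return _DIGEST_RE.match(normalize_digest(value)) is not None


def read_policy_metadata(policy_xml) -> dict:
    """Collect {key: value} from every <hidden> setting in the policy file."""
    root = ET.fromstring(policy_xml)
    meta = {}
    for hidden in root.iter("hidden"):
        key, value = hidden.findtext("key"), hidden.findtext("value")
        if key and value is not None:
            meta[key.strip()] = value.strip()
    return meta


def check_policy(policy_xml, cert_der: bytes, expected_package: str) -> list:
    """Return the list of problems found; an empty list means the file is consistent."""
    meta = read_policy_metadata(policy_xml)
    problems = []
    package, digest = meta.get(KEY_PACKAGE), meta.get(KEY_DIGEST)
    if package is None:
        problems.append("missing " + KEY_PACKAGE)
    elif not is_valid_package_name(package):
        problems.append("malformed package name: " + package)
    elif package != expected_package:
        problems.append("package name %r does not match %r" % (package, expected_package))
    if digest is None:
        problems.append("missing " + KEY_DIGEST)
    elif not is_valid_digest(digest):
        problems.append("malformed digest: " + digest)
    elif normalize_digest(digest) != fingerprint_sha256(cert_der):
        problems.append("digest does not match the signing certificate")
    return problems


def sample_policy(digest: str, package: str = SAMPLE_PACKAGE) -> str:
    """Fill the constructed template, standing in for reading the real policy file."""
    return POLICY_TEMPLATE.format(digest_key=KEY_DIGEST, digest=digest,
                                  package_key=KEY_PACKAGE, package=package)


if __name__ == "__main__":
    good = sample_policy(fingerprint_sha256(SAMPLE_CERT_DER))
    print("consistent policy:", check_policy(good, SAMPLE_CERT_DER, SAMPLE_PACKAGE))
    stale = sample_policy("00:" * 31 + "00")  # well-formed digest of some other key
    print("stale digest:", check_policy(stale, SAMPLE_CERT_DER, SAMPLE_PACKAGE))
```

Against a real build, replace the constructed sample with `load_certificate_der()` on a certificate exported from the signing keystore and the policy file read from disk; the check then answers the question UEM will ask after upload, whether the package name and digest identify the APK you actually signed.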
After you update the application policy file, coordinate with the BlackBerry UEM administrator to upload the app to UEM (see Deploying your BlackBerry Dynamics app) and to upload the application policy file in the management console (see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide). Before the administrator uploads the application policy file, verify that the Android app package ID has been specified or that the app source file has been uploaded; both settings are configured in the app entitlement settings (Android tab) in the management console.

UEM validates the format of the input package name and digest hash. If you update the application policy file and upload the app again, it can take up to 24 hours for the change to synchronize to all UEM instances. When the app is uploaded again, it is removed from the current list of apps that are enabled for attestation and must be added again.