Updating the BlackBerry Dynamics application policy file

During a Play Integrity attestation process, BlackBerry UEM uses the app response to verify that it is communicating with the official version of the app. You must provide this information in the application policy file.
In order to configure Play Integrity, you will need to provide a Play App signing key. You have two options for a Play app signing key: you can use the Google Play generated app signing key or upload your own private app signing key. For information on finding your app signing keys in your Google Play Console, see Prerequisites for Play Integrity attestation. The digest hash in your application policy file must correspond to your Play app signing key in your Google Play Console.
Consider the following example from the Greetings Client sample app in the BlackBerry Dynamics SDK:
<?xml version="1.0" encoding="utf-8"?>
<apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:apd="urn:AppPolicySchema1.good.com"
    xsi:schemaLocation="urn:AppPolicySchema1.good.com AppPolicySchema.xsd" >
    <pview>
        <pview>
            <sendto client="None" />
            <desc>Play Integrity Attestation Supported</desc>
            <pe ref="apkCertificateDigestSha256"/>
            <pe ref="apkPackageName" />
            <pe ref="Description" />
        </pview>
    </pview>
    <setting name="apkCertificateDigestSha256">
        <hidden>
            <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
            <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
        </hidden>
    </setting>
    <setting name="apkPackageName">
        <hidden>
            <key>blackberry.appMetadata.android.apkPackageName</key>
            <value>com.good.gd.example.services.greetings.client</value>
        </hidden>
    </setting>
    <setting name="Description" >
        <text>
            <key>snet</key>
            <label>Play Integrity</label>
            <value>Play Integrity</value>
        </text>
    </setting>
</apd:AppPolicyDefinition>
The app is uniquely identified by the combination of the official package name (in the example above, blackberry.appMetadata.android.apkPackageName) and the digest hash of the official signing key (in the example above, blackberry.appMetadata.android.apkCertificateDigestSha256).
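A pre-upload check of those two values, as an added example that is not part of the BlackBerry Dynamics SDK or UEM: it reads the hidden settings from a policy file and compares them with the SHA-256 fingerprint copied from the Google Play Console and with the app's package name. The function names, the sample constant and the two format patterns are assumptions made for this example; UEM's own validation rules are not documented on this page.

```python
import re
import xml.etree.ElementTree as ET

DIGEST_KEY = "blackberry.appMetadata.android.apkCertificateDigestSha256"
PACKAGE_KEY = "blackberry.appMetadata.android.apkPackageName"
# Assumed formats: 32 colon-separated uppercase hex bytes; dotted Android package name.
DIGEST_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){31}")
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

# Constructed sample: the two hidden settings from the Greetings Client policy above.
SAMPLE_POLICY = """<apd:AppPolicyDefinition xmlns:apd="urn:AppPolicySchema1.good.com">
  <setting name="apkCertificateDigestSha256"><hidden>
    <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
    <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
  </hidden></setting>
  <setting name="apkPackageName"><hidden>
    <key>blackberry.appMetadata.android.apkPackageName</key>
    <value>com.good.gd.example.services.greetings.client</value>
  </hidden></setting>
</apd:AppPolicyDefinition>"""


def hidden_values(policy_xml):
    """Map each <hidden> setting's <key> to its <value> text, untrimmed."""
    root = ET.fromstring(policy_xml)
    return {h.findtext("key"): h.findtext("value") or "" for h in root.iter("hidden")}


def check_policy(policy_xml, console_digest, package_name):
    """Return a list of problems; an empty list means the policy identifies the app."""
    values = hidden_values(policy_xml)
    problems = []
    digest = values.get(DIGEST_KEY)
    package = values.get(PACKAGE_KEY)
    # Normalise the fingerprint copied from the Play Console before comparing.
    expected = "".join(console_digest.split()).upper()
    if digest is None:
        problems.append("missing " + DIGEST_KEY)
    elif not DIGEST_RE.fullmatch(digest):
        problems.append("digest is not 32 colon-separated uppercase hex bytes")
    elif digest != expected:
        problems.append("digest does not match the Play app signing key")
    if package is None:
        problems.append("missing " + PACKAGE_KEY)
    elif not PACKAGE_RE.fullmatch(package):
        problems.append("package name is not a valid Android package name")
    elif package != package_name:
        problems.append("package name does not match the app")
    return problems
```

The policy value is checked exactly as written, so a digest that picked up a space or line break when it was pasted into the file is reported as a format problem instead of being silently accepted.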
After you update the application policy file, coordinate with the BlackBerry UEM administrator to upload the app to UEM (see Deploying your BlackBerry Dynamics app) and to upload the application policy file in the management console (see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide). Before the administrator uploads the application policy file, verify that the Android app package ID has been specified or that the app source file has been uploaded; both settings are configured in the app entitlement settings (Android tab) in the management console.
UEM validates the format of the input package name and digest hash. If you update the application policy file and upload the app again, it can take up to 24 hours for the change to synchronize to all UEM instances. When the app is uploaded again, it is removed from the current list of apps that are enabled for attestation and must be added again.