Updating the BlackBerry Dynamics application policy file

During a SafetyNet attestation process, BlackBerry UEM uses the app response to verify that it is communicating with the official version of the app. You must provide this information in the application policy file.
Consider the following example from the Greetings Client sample app in the BlackBerry Dynamics SDK:
<?xml version="1.0" encoding="utf-8"?>
<apd:AppPolicyDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:apd="urn:AppPolicySchema1.good.com"
    xsi:schemaLocation="urn:AppPolicySchema1.good.com AppPolicySchema.xsd" >
    <pview>
        <pview>
            <sendto client="None" />
            <desc>SafetyNet Attestation Supported</desc>
            <pe ref="apkCertificateDigestSha256"/>
            <pe ref="apkPackageName" />
            <pe ref="Description" />
        </pview>
    </pview>
    <setting name="apkCertificateDigestSha256">
        <hidden>
            <key>blackberry.appMetadata.android.apkCertificateDigestSha256</key>
            <value>DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6</value>
        </hidden>
    </setting>
    <setting name="apkPackageName">
        <hidden>
            <key>blackberry.appMetadata.android.apkPackageName</key>
            <value>com.good.gd.example.services.greetings.client</value>
        </hidden>
    </setting>
    <setting name="Description" >
        <text>
            <key>snet</key>
            <label>Safety Net</label>
            <value>Safety Net</value>
        </text>
    </setting>
</apd:AppPolicyDefinition>
The app is uniquely identified by the combination of the official package name (in the example above, blackberry.appMetadata.android.apkPackageName) and the digest hash of the official signing key (in the example above, blackberry.appMetadata.android.apkCertificateDigestSha256). To determine the digest hash, you can use the following keytool command, specifying the keystore and key name that were used to sign the app:
keytool -list -v -keystore <KEYSTORE_NAME> -alias <KEY_NAME>
This command will provide a response like the following:
Creation date: 4-Sep-2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Sample
Issuer: CN=Sample
Serial number: 27c738c9
Valid from: Tue Sep 04 08:28:10 BST 2018 until: Wed Aug 22 08:28:10 BST 2068
Certificate fingerprints:
    MD5: 4C:30:85:93:5E:96:12:90:CF:A0:77:48:A5:CA:63:8F
    SHA1: 3C:52:A0:2A:76:63:15:C9:20:C1:06:D9:4D:75:7C:14:D6:7C:30:BC
    SHA256: DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
After you update the application policy file, coordinate with the BlackBerry UEM administrator to upload the app to UEM (see Deploying your BlackBerry Dynamics app) and to upload the application policy file in the management console (see Manage settings for a BlackBerry Dynamics app in the UEM Administration Guide). Before the administrator uploads the application policy file, verify that the Android app package ID has been specified or that the app source file has been uploaded; both settings are configured in the app entitlement settings (Android tab) in the management console.
UEM validates the format of the input package name and digest hash. If you update the application policy file and upload the app again, it can take up to 24 hours for the change to synchronize to all UEM instances. When the app is uploaded again, it is removed from the current list of apps that are enabled for attestation and must be added again.
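
A pre-upload check of the policy file against the signing certificate, as an added example that is not part of BlackBerry's documentation or SDK: it reads the two hidden settings from the policy XML and compares the digest with the SHA256 fingerprint in the keytool output. The function names and the format rule (32 colon-separated hex bytes, as in the example above) are assumptions, since the page does not describe UEM's own validation rules; the sample input is constructed from the values shown on this page.

```python
import re
import xml.etree.ElementTree as ET

DIGEST_KEY = "blackberry.appMetadata.android.apkCertificateDigestSha256"
PACKAGE_KEY = "blackberry.appMetadata.android.apkPackageName"
# Assumed format, taken from the page's example: 32 colon-separated hex bytes.
DIGEST_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}")

def hidden_settings(policy_xml):
    """Map each <hidden> setting's <key> to its <value>."""
    root = ET.fromstring(policy_xml)
    return {h.findtext("key"): h.findtext("value") for h in root.iter("hidden")}

def keytool_sha256(keytool_output):
    """Extract the SHA256 fingerprint from `keytool -list -v` output."""
    m = re.search(r"SHA256:\s*((?:[0-9A-Fa-f]{2}:\s*){31}[0-9A-Fa-f]{2})",
                  keytool_output)
    if m is None:
        raise ValueError("no SHA256 fingerprint in keytool output")
    return re.sub(r"\s+", "", m.group(1)).upper()

def check_policy(policy_xml, keytool_output, expected_package):
    """Return a list of problems; an empty list means the file matches the key."""
    values = hidden_settings(policy_xml)
    problems = []
    digest = values.get(DIGEST_KEY)
    if digest is None:
        problems.append("digest setting missing")
    elif not DIGEST_RE.fullmatch(digest):  # catches stray spaces or line breaks
        problems.append("digest is not 32 colon-separated hex bytes")
    elif digest.upper() != keytool_sha256(keytool_output):
        problems.append("digest does not match the signing certificate")
    if values.get(PACKAGE_KEY) != expected_package:
        problems.append("package name does not match the app")
    return problems

# Constructed sample input, using the values from the example on this page.
FP = ("DD:83:CA:47:09:FA:C5:33:75:FE:F4:A1:B5:FB:F4:A8:"
      "E8:C2:7A:DF:AF:24:0D:7B:E3:BA:BD:FB:A9:2B:F9:D6")
PKG = "com.good.gd.example.services.greetings.client"
KEYTOOL_OUT = ("Certificate fingerprints:\n\t SHA256: " + FP +
               "\nSignature algorithm name: SHA256withRSA\n")
POLICY = (
    '<apd:AppPolicyDefinition xmlns:apd="urn:AppPolicySchema1.good.com">'
    '<setting name="apkCertificateDigestSha256"><hidden><key>' + DIGEST_KEY +
    '</key><value>' + FP + '</value></hidden></setting>'
    '<setting name="apkPackageName"><hidden><key>' + PACKAGE_KEY +
    '</key><value>' + PKG + '</value></hidden></setting>'
    '</apd:AppPolicyDefinition>')

if __name__ == "__main__":
    print(check_policy(POLICY, KEYTOOL_OUT, PKG) or "policy matches signing key")
```

Running a check like this before handing the file to the UEM administrator avoids a re-upload, which the page notes can take up to 24 hours to synchronize and requires re-enabling the app for attestation.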