Considerations for configuring SafetyNet attestation
- TheSafetyNetattestation failure option is a compliance profile setting forAndroiddevices andBlackBerry Dynamicsapps that allows you to specify the actions that occur if devices or apps do not passSafetyNetattestation. To set this option, navigate toPolicies and profiles > Compliance > Androidtab.
- If you do not enable the ‘SafetyNetattestation failure’ compliance rule, apps that are already activated will not have compliance actions enforced on them.
- When you enableSafetyNet, attestation during activation is performed; you cannot use a policy to enforce attestation during activation.
- TheBlackBerry UEM Clientis not required for you to enableSafetyNetattestation.
- TheBlackBerry UEM Clientdoes not appear in the list ofBlackBerry Dynamicsapps that you can configure forSafetyNetattestation.BlackBerry UEMsends attestation challenges to, and receives responses from, theBlackBerry UEM Client.
- BlackBerry UEMsends attestation challenges to eachBlackBerry Dynamicsapp that you configure.
- BlackBerry UEMdoes not trust old versions of apps. For example, if you want to enable attestation challenges forBlackBerry Work, you must ensure that the version ofBlackBerry Workon your organization's devices is the latest version or new activations will fail. Note that until you enable the “Google SafetyNet Attestation failure” option in your organization’s compliance profile, even if your existing activated users are using older versions of apps, no adverse action will be taken on apps or devices.
- In addition to activation and periodic attestation,BlackBerry UEMuses new REST APIs that allow you to create custom server workflows. For example, if an app needs to access a specific secure remote item, before granting access, the app server communicates withBlackBerry UEMto enforceSafetyNetattestation on the app or device.
- If a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges thatBlackBerry UEMsends andBlackBerry UEMwill consider the device to be non-compliant. If you have your organization's compliance policy set to wipe the device when it is out of compliance, if the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network.
- If you set a time in App grace period field, only apps that do not respond within the time frame that you set will have an action taken on them. For example, if you set the App grace period value to 7 days, and your users useBlackBerry Workevery day, but do not useBlackBerry Taskswithin the 7 days, onlyBlackBerry Taskswill have an action taken on it.
- If you add a new app toBlackBerry UEMand it fails attestation during activation, the app is not activated no matter which option you have configured in the 'Google SafetyNet attestation failure' section of your organization's compliance profile. If an app has already been activated, it is subject to the rules that you specified in the compliance profile.
- Your organization's users must have the latest version ofGoogle Playservices installed.
- If a device fails attestation, there is no indication of the failure in the OS compromised column on the Managed devices page.
- For information about developingBlackBerry Dynamicsapps forAndroiddevices, see the Developer content.