Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.16
  3. Administration
  4. Managing device features
  5. Managing attestation for devices
  6. Manage attestation for Android devices and BlackBerry Dynamics apps using SafetyNet
  7. Considerations for configuring SafetyNet and Play Integrity attestation

Considerations for configuring
SafetyNet
 and
Play Integrity
 attestation

  • The
    SafetyNet
     or
    Google Play Integrity
     attestation failure option is a compliance profile setting for
    Android
     devices and
    BlackBerry Dynamics
     apps that allows you to specify the actions that occur if devices or apps do not pass attestation. To set this option, navigate to
    Policies and profiles > Compliance > Android
     tab.
  • BlackBerry UEM
     uses the
    Play Integrity
     API with
    UEM Client
     versions that support it to provide additional protection from application tampering.
    Play Integrity
     will replace
    SafetyNet
     based on the migration schedule that is determined by
    Google
     and will continue to use
    SafetyNet
     for earlier
    UEM Client
     versions. For more information about migrating from
    SafetyNet
    , see the information from
    Google
    .
  • In
    BlackBerry UEM
     12.18 and later, when you click "Details" on the Device details page >
    SafetyNet
     or
    Play Integrity
     attestation, any devices that failed attestation have the status "Failed (Recoverable)." If the issue on the device is resolved before the next attestation test, the status is updated to "Success." Any devices that had a status of "Failed (Non-Recoverable)" before an upgrade to
    UEM
     12.18 will continue to show that status.
  • Play Integrity
     is not supported in
    UEM
     dark site environments.
  • If you do not enable the "
    SafetyNet
     or
    Play Integrity
     attestation failure" compliance rule, apps that are already activated will not have compliance actions enforced on them.
  • When you enable
    SafetyNet
     or
    Play Integrity
    , attestation is performed during activation. You cannot use a policy to enforce attestation during activation.
  • The
    BlackBerry UEM Client
     is not required for you to enable
    SafetyNet
     or
    Play Integrity
     attestation.
  • The
    BlackBerry UEM Client
     does not appear in the list of
    BlackBerry Dynamics
     apps that you can configure for
    SafetyNet
     or
    Play Integrity
     attestation.
    BlackBerry UEM
     sends attestation challenges to, and receives responses from, the
    BlackBerry UEM Client
    .
  • BlackBerry UEM
     sends attestation challenges to each
    BlackBerry Dynamics
     app that you configure.
  • BlackBerry UEM
     does not trust old versions of apps. For example, if you want to enable attestation challenges for
    BlackBerry Work
    , you must ensure that the version of
    BlackBerry Work
     on your organization's devices is the latest version or new activations will fail. Note that until you enable the “Google SafetyNet Attestation failure” option in your organization’s compliance profile, even if your existing activated users are using older versions of apps, no adverse action will be taken on apps or devices.
  • In addition to activation and periodic attestation,
    BlackBerry UEM
     uses new REST APIs that allow you to create custom server workflows. For example, if an app needs to access a specific secure remote item, before granting access, the app server communicates with
    BlackBerry UEM
     to enforce
    SafetyNet
     or
    Play Integrity
     attestation on the app or device.
  • If a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges that
    BlackBerry UEM
     sends, and
    BlackBerry UEM
     will consider the device to be non-compliant. If you have your organization's compliance policy set to wipe the device when it is out of compliance, if the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network.
  • If you set a time in App grace period field, only apps that do not respond within the time frame that you set will have an action taken on them. For example, if you set the App grace period value to 7 days, and your users use
    BlackBerry Work
     every day, but do not use
    BlackBerry Tasks
     within the 7 days, only
    BlackBerry Tasks
     will have an action taken on it.
  • If you add a new app to
    BlackBerry UEM
     and it fails attestation during activation, the app is not activated no matter which option you have configured in the "
    SafetyNet
     or
    Play Integrity
     attestation failure" section of your organization's compliance profile. If an app has already been activated, it is subject to the rules that you specified in the compliance profile.
  • Your organization's users must have the latest version of
    Google Play
     services installed.
  • If a device fails attestation, there is no indication of the failure in the OS compromised column on the Managed devices page.
  • For information about developing
    BlackBerry Dynamics
     apps for
    Android
     devices, see the Developer content.