Skip Navigation

Android
: Compliance profile settings

See Common: Compliance profile settings for descriptions of the possible actions if you select a compliance rule.
Android
: Compliance setting
Description
Rooted OS or failed
Knox
attestation
This setting creates a compliance rule that specifies the actions that occur if a user or attacker gains access to the root level of an
Android
device. A device is rooted when a user or attacker gains access to the root level of the
Android
OS. This rule applies to the rooted state of the device the
UEM Client
, the
BlackBerry Dynamics SDK
or
Knox
Attestation detects it.
If you select this setting, users will be unable to complete new activations for rooted devices, regardless of the enforcement action that you set.
If you set a compliance rule for "Rooted OS or failed
Knox
attestation," selecting "Enable anti-debugging for BlackBerry Dynamics apps"  stops
BlackBerry Dynamics
apps if the
BlackBerry Dynamics
Runtime detects an active debugging tool.
SafetyNet
or
Play Integrity
attestation failure
This setting creates a compliance rule that specifies the actions that occur if devices do not pass
SafetyNet
or
Play Integrity
attestation.
When you use
SafetyNet
or
Play Integrity
attestation,
BlackBerry UEM
  sends challenges to test the authenticity and integrity of
Android
devices and apps in your organization's environment.
For these settings to take affect, you must enable the
SafetyNet
or
Play Integrity
attestation feature in the management console under Settings > Attestation >
SafetyNet
or
Play Integrity
attestation frequency.
For more information about configuring
SafetyNet
or
Play Integrity
attestation, see Configure attestation for Android devices and BlackBerry Dynamics apps using SafetyNet.
Non-assigned app is installed
This setting creates a compliance rule to ensure that devices do not have apps installed that were not assigned to the user.
When you select this setting and a non-assigned app is installed on an
Android
device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance is displayed.
For
Android Enterprise
and
Samsung Knox
devices, users can't install non-assigned apps in the work space. The enforcement actions do not apply.
This setting is not valid for devices activated with
User privacy
.
Required app is not installed
This setting creates a compliance rule to ensure that devices have required apps installed.
When you select this setting and a required app is not installed on an
Android
device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance is displayed.
For
Android Enterprise
devices the enforcement actions do not apply.
For
Samsung Knox
devices, required internal apps are automatically installed. The enforcement actions apply only to required public apps.
Restricted OS version is installed
This setting creates a compliance rule to ensure that devices do not have a restricted OS version installed.
You can select the restricted OS versions.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set.
Restricted device model detected
This setting creates a compliance rule to restrict device models.
You can choose one of these options:
  • Allow selected device models
  • Do not allow selected device models
You can specify the devices models that are allowed or restricted.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set.
Device out of contact
This setting creates a compliance rule to monitor whether devices are out of contact with
BlackBerry UEM
for more than a specified amount of time.
The "Last contact time" setting specifies the number days a device can be out of contact with
BlackBerry UEM
before the device is out of compliance.
Required security patch level is not installed.
This setting creates a compliance rule to ensure that devices have required security patches installed.
You can specify the device models that must have security patches installed and a security patch date. Devices running a security patch equal to or later than the specified security patch date are considered compliant.
After an upgrade, if you have previously created a compliance profile with the "Required security patch level is not installed" setting enabled, the enforcement action is set to "Monitor and log".
This setting is valid for devices and for
BlackBerry Dynamics
apps developed with
BlackBerry Dynamics SDK
6.0 and later.
BlackBerry Dynamics
library version verification
This setting creates a compliance rule that allows you to select the
BlackBerry Dynamics
library versions that cannot be activated.
You can select the blocked library versions.
BlackBerry Dynamics
connectivity verification
This setting creates a compliance rule to monitor whether
BlackBerry Dynamics
apps are out of contact with
BlackBerry UEM
for more than a specified amount of time. The enforcement action is applied to
BlackBerry Dynamics
apps.
The "Base connectivity interval on authentication delegate apps" setting specifies that the connectivity verification is based on when an authentication delegate app connects to
BlackBerry UEM
. This setting applies only if an authentication delegate is specified in a BlackBerry Dynamics profile.
The "Last contact time" setting specifies the number days a device can be out of contact with
BlackBerry UEM
before the device is out of compliance.
BlackBerry Dynamics
apps don’t prompt users for compliance for this rule. If you set the “Prompt behavior” setting to “Prompt for compliance,” the user is not prompted. If the device is able to contact UEM, the device returns to compliance when the user opens the
BlackBerry Dynamics
app.
Restricted app is installed
This setting creates a compliance rule to ensure that devices do not have restricted apps installed. To restrict apps, see Add an app to the restricted app list.
For
Android Enterprise
devices, users can't install restricted apps in the work space. The enforcement actions do not apply.
For
Samsung Knox
devices, restricted apps in the work space are automatically disabled. The enforcement actions do not apply.
For
Android Enterprise
and
Samsung Knox
devices with
Work and personal - full control
activations, select "Enforce compliance actions in the personal space" to apply the rule to apps in both the work profile and the personal profile. This option is supported only on
Android
10 and earlier devices.
This setting is not valid for devices activated with
User privacy
.
When you select this setting and a restricted app is installed on an
Android
device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance displays.
If you have activated a device using the
Android Enterprise
- Full Control activation type, and you use this option to disable apps on the personal side of the device, when the device is upgraded from Android 10 to Android 11 those apps become permanently disabled unless you re-activate the device. For more information, visit support.blackberry.com/community to read article 76852.
Password does not meet complexity requirements
This setting creates a compliance rule to ensure that the user has set device or work space passwords that meet the complexity requirements defined in the IT policy assigned to them.