Skip Navigation

Considerations for configuring 
SafetyNet
 attestation 

  • The 
    Google
     
    SafetyNet
     attestation failure option is a compliance profile setting for 
    Android
     devices and 
    BlackBerry Dynamics
     apps that allows you to specify the actions that occur if devices or apps do not pass 
    SafetyNet
     attestation. To set this option, navigate to 
    Policies and profiles > Compliance > Android
     tab. 
  • If you do not enable the ‘
    Google
     
    SafetyNet
     attestation failure’ compliance rule, apps that are already activated will not have compliance actions enforced on them.
  • When you enable 
    SafetyNet
    , attestation during activation is performed; you cannot use a policy to enforce attestation during activation. 
  • The 
    BlackBerry UEM Client
     is not required for you to enable 
    SafetyNet
     attestation.  
  • The 
    BlackBerry UEM Client
     does not appear in the list of 
    BlackBerry Dynamics
     apps that you can configure for 
    SafetyNet
     attestation. 
    BlackBerry UEM
     sends attestation challenges to, and receives responses from, the 
    BlackBerry UEM Client
    .
  • BlackBerry UEM
     sends attestation challenges to each 
    BlackBerry Dynamics
     app that you configure.
  • BlackBerry UEM
     does not trust old versions of apps. For example, if you want to enable attestation challenges for 
    BlackBerry Work
    , you must ensure that the version of 
    BlackBerry Work
     on your organization's devices is the latest version or new activations will fail. Note that until you enable the “Google SafetyNet Attestation failure” option in your organization’s compliance profile, even if your existing activated users are using older versions of apps, no adverse action will be taken on apps or devices. 
  • In addition to activation and periodic attestation, 
    BlackBerry UEM
     uses new REST APIs that allow you to create custom server workflows. For example, if an app needs to access a specific secure remote item, before granting access, the app server communicates with 
    BlackBerry UEM
     to enforce 
    SafetyNet
     attestation on the app or device. 
  • If a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges that 
    BlackBerry UEM
     sends and 
    BlackBerry UEM
     will consider the device to be non-compliant. If you have your organization's compliance policy set to wipe the device when it is out of compliance, if the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network. 
  • If you set a time in App grace period field, only apps that do not respond within the time frame that you set will have an action taken on them. For example, if you set the App grace period value to 7 days, and your users use 
    BlackBerry Work
     every day, but do not use 
    BlackBerry Tasks
     within the 7 days, only 
    BlackBerry Tasks
     will have an action taken on it.
  • If you add a new app to 
    BlackBerry UEM
     and it fails attestation during activation, the app is not activated no matter which option you have configured in the 'Google SafetyNet attestation failure' section of your organization's compliance profile. If an app has already been activated, it is subject to the rules that you specified in the compliance profile.
  • Your organization's users must have the latest version of 
    Google Play
     services installed.
  • If a device fails attestation, there is no indication of the failure in the OS compromised column on the Managed devices page. 
  • For information about developing 
    BlackBerry Dynamics
     apps for 
    Android
     devices, see the Developer content.