Considerations for configuring SafetyNet and Play Integrity attestation
SafetyNet
and Play Integrity
attestation - TheSafetyNetorGoogle Play Integrityattestation failure option is a compliance profile setting forAndroiddevices andBlackBerry Dynamicsapps that allows you to specify the actions that occur if devices or apps do not pass attestation. To set this option, navigate toPolicies and profiles > Compliance > Androidtab.
- BlackBerry UEMuses thePlay IntegrityAPI withUEM Clientversions that support it to provide additional protection from application tampering.Play Integritywill replaceSafetyNetbased on the migration schedule that is determined byGoogleand will continue to useSafetyNetfor earlierUEM Clientversions. For more information about migrating fromSafetyNet, see the information fromGoogle.
- InBlackBerry UEM12.18 and later, when you click "Details" on the Device details page >SafetyNetorPlay Integrityattestation, any devices that failed attestation have the status "Failed (Recoverable)." If the issue on the device is resolved before the next attestation test, the status is updated to "Success." Any devices that had a status of "Failed (Non-Recoverable)" before an upgrade toUEM12.18 will continue to show that status.
- Play Integrityis not supported inUEMdark site environments.
- If you do not enable the "SafetyNetorPlay Integrityattestation failure" compliance rule, apps that are already activated will not have compliance actions enforced on them.
- When you enableSafetyNetorPlay Integrity, attestation is performed during activation. You cannot use a policy to enforce attestation during activation.
- TheBlackBerry UEM Clientis not required for you to enableSafetyNetorPlay Integrityattestation.
- TheBlackBerry UEM Clientdoes not appear in the list ofBlackBerry Dynamicsapps that you can configure forSafetyNetorPlay Integrityattestation.BlackBerry UEMsends attestation challenges to, and receives responses from, theBlackBerry UEM Client.
- BlackBerry UEMsends attestation challenges to eachBlackBerry Dynamicsapp that you configure.
- BlackBerry UEMdoes not trust old versions of apps. For example, if you want to enable attestation challenges forBlackBerry Work, you must ensure that the version ofBlackBerry Workon your organization's devices is the latest version or new activations will fail. Note that until you enable the “Google SafetyNet Attestation failure” option in your organization’s compliance profile, even if your existing activated users are using older versions of apps, no adverse action will be taken on apps or devices.
- In addition to activation and periodic attestation,BlackBerry UEMuses new REST APIs that allow you to create custom server workflows. For example, if an app needs to access a specific secure remote item, before granting access, the app server communicates withBlackBerry UEMto enforceSafetyNetorPlay Integrityattestation on the app or device.
- If a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges thatBlackBerry UEMsends, andBlackBerry UEMwill consider the device to be non-compliant. If you have your organization's compliance policy set to wipe the device when it is out of compliance, if the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network.
- If you set a time in App grace period field, only apps that do not respond within the time frame that you set will have an action taken on them. For example, if you set the App grace period value to 7 days, and your users useBlackBerry Workevery day, but do not useBlackBerry Taskswithin the 7 days, onlyBlackBerry Taskswill have an action taken on it.
- If you add a new app toBlackBerry UEMand it fails attestation during activation, the app is not activated no matter which option you have configured in the "SafetyNetorPlay Integrityattestation failure" section of your organization's compliance profile. If an app has already been activated, it is subject to the rules that you specified in the compliance profile.
- Your organization's users must have the latest version ofGoogle Playservices installed.
- If a device fails attestation, there is no indication of the failure in the OS compromised column on the Managed devices page.
- For information about developingBlackBerry Dynamicsapps forAndroiddevices, see the Developer content.