Considerations for configuring SafetyNet and Play Integrity attestation

  • The SafetyNet or Google Play Integrity attestation failure option is a compliance profile setting for Android devices and BlackBerry Dynamics apps that allows you to specify the actions that occur if devices or apps do not pass attestation. To set this option, navigate to the Policies and profiles > Compliance > Android tab.
  • BlackBerry UEM uses the Play Integrity API with UEM Client versions that support it to provide additional protection from application tampering. Play Integrity will replace SafetyNet based on the migration schedule that is determined by Google; BlackBerry UEM will continue to use SafetyNet for earlier UEM Client versions. For more information about migrating from SafetyNet, see the information from Google.
  • In BlackBerry UEM 12.18 and later, when you click "Details" on the Device details page > SafetyNet or Play Integrity attestation, any devices that failed attestation have the status "Failed (Recoverable)." If the issue on the device is resolved before the next attestation test, the status is updated to "Success." Any devices that had a status of "Failed (Non-Recoverable)" before an upgrade to UEM 12.18 will continue to show that status.
  • Play Integrity is not supported in UEM dark site environments.
  • If you do not enable the "SafetyNet or Play Integrity attestation failure" compliance rule, apps that are already activated will not have compliance actions enforced on them.
  • When you enable SafetyNet or Play Integrity, attestation is performed during activation. You cannot use a policy to enforce attestation during activation.
  • The BlackBerry UEM Client is not required for you to enable SafetyNet or Play Integrity attestation.
  • The BlackBerry UEM Client does not appear in the list of BlackBerry Dynamics apps that you can configure for SafetyNet or Play Integrity attestation. BlackBerry UEM sends attestation challenges to, and receives responses from, the BlackBerry UEM Client.
  • BlackBerry UEM sends attestation challenges to each BlackBerry Dynamics app that you configure.
  • BlackBerry UEM does not trust old versions of apps. For example, if you want to enable attestation challenges for BlackBerry Work, you must ensure that the version of BlackBerry Work on your organization's devices is the latest version, or new activations will fail. Note that until you enable the “Google SafetyNet Attestation failure” option in your organization’s compliance profile, even if your existing activated users are using older versions of apps, no adverse action will be taken on apps or devices.
  • In addition to activation and periodic attestation, BlackBerry UEM uses new REST APIs that allow you to create custom server workflows. For example, if an app needs to access a specific secure remote item, before granting access, the app server communicates with BlackBerry UEM to enforce SafetyNet or Play Integrity attestation on the app or device.
  • If a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges that BlackBerry UEM sends, and BlackBerry UEM will consider the device to be non-compliant. If your organization's compliance policy is set to wipe the device when it is out of compliance and the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network.
  • If you set a time in the App grace period field, only apps that do not respond within the time frame that you set will have an action taken on them. For example, if you set the App grace period value to 7 days, and your users use BlackBerry Work every day, but do not use BlackBerry Tasks within the 7 days, only BlackBerry Tasks will have an action taken on it.
  • If you add a new app to BlackBerry UEM and it fails attestation during activation, the app is not activated no matter which option you have configured in the "SafetyNet or Play Integrity attestation failure" section of your organization's compliance profile. If an app has already been activated, it is subject to the rules that you specified in the compliance profile.
  • Your organization's users must have the latest version of Google Play services installed.
  • If a device fails attestation, there is no indication of the failure in the OS compromised column on the Managed devices page.
  • For information about developing BlackBerry Dynamics apps for Android devices, see the Developer content.