Configure attestation for Android devices and BlackBerry Dynamics apps using SafetyNet or Play Integrity
- On the menu bar, click Settings > General settings > Attestation.
- To turn on attestation for Android devices, select Enable attestation challenges using SafetyNet or Play Integrity.
- Select Enable CTS profile matching if you want to turn on Google's Compatibility Test Suite. By default, this option is selected. For more information about CTS, see the information from Google.
- In the Challenge frequency section, specify, in days or hours, how often the device must return an attestation response to BlackBerry UEM. The default and minimum value is 24 hours. Considerations for configuring the challenge frequency:
  - You can configure how often BlackBerry UEM tests the authenticity and integrity of the device, but attestation during activation of the app is mandatory.
  - If you have deployed the BlackBerry UEM Client, it is added as one of the apps that BlackBerry UEM tests for SafetyNet attestation automatically.
  - The BlackBerry UEM Client uses a different communication channel to BlackBerry UEM than other BlackBerry Dynamics apps, which must be running and authorized to connect to BlackBerry UEM to receive policy updates. BlackBerry UEM can proactively communicate with the BlackBerry UEM Client and start the app if it is not running. If you set a challenge frequency of 3 hours, then BlackBerry UEM communicates with the BlackBerry UEM Client every 3 hours and the attestation check is performed. However, BlackBerry Dynamics app commands are stored until the app connects to BlackBerry UEM, and only the latest attestation command is stored. So, if the app is not used for 24 hours, when the user starts it, only one attestation challenge is performed.
- In the Grace period section, specify a grace period. After the grace period expires with no successful attestation response, a device is considered non-compliant and the device is subject to the conditions specified in the compliance profile that is assigned to the user. Also, if a user's device is out of coverage, turned off, or has a dead battery, it cannot respond to the attestation challenges that BlackBerry UEM sends, and BlackBerry UEM will consider the device to be non-compliant. If your organization's compliance policy is set to wipe the device when it is out of compliance and the device does not respond before the grace period expires, data on the device will be deleted when it connects to a wireless network.
- In the App grace period section, specify a grace period. After the grace period expires, the BlackBerry Dynamics apps are subject to the conditions specified in the compliance profile that is assigned to the user. The grace period is enforced on a per-app basis. Note that if you have deployed only the BlackBerry UEM Client to the device, then the grace period is ignored. Also, the BlackBerry UEM Client does not appear in the list of BlackBerry Dynamics apps. When you add BlackBerry Dynamics apps to the list of apps that will be subject to attestation challenges, the following rules apply:
  - Only apps in this list are sent attestation challenges.
  - Only apps in this list are evaluated for the app grace period check.
  - Only apps in this list are subject to attestation during app activation.

  Only BlackBerry Dynamics apps that have been developed specifically for SafetyNet or Play Integrity will display in the list. For more information, see the Developer content.
- To add an app that will be subject to attestation challenges, click .
- Do one of the following:
  - Click the name of an app that is already on the list.
  - Search for and click on the name of the app.
- Click Select.
- Click Save.
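
The challenge frequency considerations above describe two different behaviours: the BlackBerry UEM Client answers every challenge, while a BlackBerry Dynamics app answers only the latest stored one when it next connects. The following sketch is an added example, not BlackBerry code; it models that difference using the 3-hour figure from the text. Assumptions: time is counted in whole hours from a successful activation attestation at hour 0, responses are instantaneous, and all function names are hypothetical.

```python
"""Toy model of the challenge-frequency behaviour described in the steps above.

Assumptions (not from BlackBerry): hour 0 is a successful activation
attestation, UEM issues a challenge every `frequency_h` hours after that,
and a response is instantaneous.
"""

def uem_client_checks(frequency_h, horizon_h):
    """UEM can start the UEM Client itself, so every issued challenge is answered."""
    return list(range(frequency_h, horizon_h + 1, frequency_h))

def dynamics_app_checks(frequency_h, connect_times_h, horizon_h):
    """Return (connect_time, challenge_issued_at) for each check a Dynamics app runs.

    Commands wait until the app connects and only the latest attestation
    command is kept, so each connection answers at most one challenge.
    """
    checks = []
    last_answered = 0
    for t in sorted(connect_times_h):
        if t > horizon_h:
            break
        latest_issued = (t // frequency_h) * frequency_h  # newest challenge at or before t
        if latest_issued > last_answered:                 # a challenge is pending
            checks.append((t, latest_issued))
            last_answered = latest_issued
    return checks

def longest_silence(check_times_h, horizon_h):
    """Longest stretch (hours) with no attestation response inside the window."""
    points = [0] + sorted(check_times_h) + [horizon_h]
    return max(b - a for a, b in zip(points, points[1:]))

if __name__ == "__main__":
    FREQ, HORIZON = 3, 72              # constructed sample values
    connects = [1, 2, 26, 27, 70]      # constructed: hours at which the user opens the app
    client = uem_client_checks(FREQ, HORIZON)
    app = dynamics_app_checks(FREQ, connects, HORIZON)
    print("UEM Client checks:", len(client))
    print("Dynamics app checks:", app)
    print("Longest silence (app):", longest_silence([t for t, _ in app], HORIZON), "h")
```

The longest silence is the figure to weigh when choosing an app grace period for apps that users open infrequently; how BlackBerry UEM measures the grace period internally is not stated on this page.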