Android: Compliance profile settings

See Common: Compliance profile settings for descriptions of the enforcement actions that BlackBerry UEM can take if a device violates a compliance rule.
Compliance profile setting
Description
Rooted OS or failed Knox attestation
This setting creates a compliance rule that specifies the actions that occur if a user or attacker gains access to the root level of an Android device.
If you select this setting, users will be unable to complete new activations for rooted devices, regardless of the enforcement action that you set.
Selecting "Enable detection of debuggers and emulators when running BlackBerry Dynamics applications" stops BlackBerry Dynamics apps if the BlackBerry Dynamics Runtime detects an active debugging or emulation tool.
Selecting "Enable detection of unlocked or unverified boot device detection for BlackBerry Dynamics apps" will enable UEM to check the boot state of the device.
SafetyNet or Play Integrity attestation failure
This setting creates a compliance rule that specifies the actions that occur if devices do not pass SafetyNet or Play Integrity attestation. When you use SafetyNet or Play Integrity attestation, UEM sends challenges to test the authenticity and integrity of Android devices and apps in your organization's environment. See Configure attestation for Android devices and BlackBerry Dynamics apps.
Non-assigned app is installed
This setting creates a compliance rule to ensure that devices do not have apps installed that were not assigned to the user.
When you select this setting and a non-assigned app is installed on an Android device, a warning message and a link are displayed on the Managed devices screen in the console. When you click the link, a list of non-assigned apps is displayed.
For Android Enterprise, Android Management, and Samsung Knox devices, users can't install non-assigned apps in the work space. The enforcement actions do not apply.
This setting is not valid for devices activated with User privacy.
Required app is not installed
This setting creates a compliance rule to ensure that devices have required apps installed.
When you select this setting and a required app is not installed on an Android device, a warning message and a link are displayed on the Managed devices screen in the console.
For Android Enterprise and Android Management devices, the enforcement actions do not apply. For Samsung Knox devices, required internal apps are automatically installed. The enforcement actions apply only to required public apps.
Restricted OS version is installed
This setting creates a compliance rule to ensure that devices do not have a restricted OS version installed. You can select the restricted OS versions.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set.
Restricted device model detected
This setting creates a compliance rule to restrict device models. You can specify the device models that are allowed or restricted.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set.
OS update not applied
This setting creates a compliance rule to execute compliance actions if a user does not apply a pending OS update within a time period that you specify.
Device out of contact
This setting creates a compliance rule to monitor whether devices are out of contact with UEM for more than a specified amount of time. The "Last contact time" setting specifies the number of days a device can be out of contact with UEM before the device is out of compliance.
Required security patch level is not installed
This setting creates a compliance rule to ensure that devices have required security patches installed. You can specify the device models that must have security patches installed and a security patch date. Devices running a security patch equal to or later than the specified security patch date are considered compliant.
After an upgrade, if you have previously created a compliance profile with the "Required security patch level is not installed" setting enabled, the enforcement action is set to "Monitor and log".
BlackBerry Dynamics library version verification
This setting creates a compliance rule that allows you to select the BlackBerry Dynamics library versions that cannot be activated. You can select the blocked library versions.
BlackBerry Dynamics connectivity verification
This setting creates a compliance rule to monitor whether BlackBerry Dynamics apps are out of contact with UEM for more than a specified amount of time. The enforcement action is applied to BlackBerry Dynamics apps.
The "Base connectivity interval on authentication delegate apps" setting specifies that the connectivity verification is based on when an authentication delegate app connects to UEM. This setting applies only if an authentication delegate is specified in an assigned BlackBerry Dynamics profile.
The "Last contact time" setting specifies the number of days a device can be out of contact with UEM before it is considered out of compliance.
Restricted app is installed
This setting creates a compliance rule to ensure that devices do not have restricted apps installed. To restrict apps, see Add an app to the restricted app list.
For Android Enterprise and Android Management devices, users can't install restricted apps in the work space. The enforcement actions do not apply.
For Samsung Knox devices, restricted apps in the work space are automatically disabled. The enforcement actions do not apply.
For devices with the Work and personal - full control (Samsung Knox) activation type, select "Enforce compliance actions in the personal space" to apply the rule to apps in both the work profile and the personal profile.
This setting is not valid for devices activated with User privacy.
When you select this setting and a restricted app is installed on an Android device, a warning message and a link are displayed on the Managed devices screen in the console. When you click the link, a list of restricted apps is displayed.
Password does not meet complexity requirements
This setting creates a compliance rule to ensure that the user has set device or work space passwords that meet the complexity requirements defined in the assigned IT policy.