SafetyNet Attestation API

When managing employee-owned devices, it becomes imperative to make sure that the device adheres to compliance standards such as device integrity, security and compatibility. Managing employee-owned devices becomes even more challenging because of the wide variety of Android devices available. Allowing access to Work Apps on a compromised device is a high security risk and can lead to critical information loss and/or theft.

To mitigate such risks, MobiLock uses the Google SafetyNet Attestation API to check device compliance. The SafetyNet Attestation API helps MobiLock assess the security and compatibility of Android devices.

SafetyNet examines software and hardware information on the device where the Work Apps are being used. The service then attempts to find this same profile within a list of device models that have passed Android compatibility testing. The API also uses this software and hardware information to help assess the basic integrity of the device. This attestation helps MobiLock determine whether or not the particular device has been tampered with or otherwise modified. You can read more about the Google SafetyNet Attestation API here.

Using MobiLock's Device Profile for Personal (BYOD) devices, you can choose the SafetyNet compliance level and the compliance action to be taken in the event of a violation. Follow the steps below to set up SafetyNet attestation checks:

  1. Navigate to Device Management > Device Profile.
  2. Create or edit the Personal (BYOD) profile where you want to set up the compliance levels.
  3. Navigate to the RESTRICTIONS > COMPLIANCE section.
  4. Here you can enable the use of the SafetyNet Attestation API and the action to be taken in case there is a compliance violation:
    1. Validate using SafetyNet Attestation API: You can choose between a Strict or a Moderate validation level. MobiLock uses the ctsProfileMatch and basicIntegrity flags returned by the API to make sure that the device is compliant. A Strict check requires both values to be true; a Moderate check requires at least basicIntegrity to be true. The reference image (taken from Google's documentation), with additional notes, shows the various possibilities.
    2. Compliance Violation Action: Once you have selected a validation level, you can choose between the following two options for the action to be taken.
      1. Stop Enrollment/Disable Work Profile: Use this option to stop the devices from enrolling if they are not compliant during enrollment, or disable the work-apps but keep their data if a violation is detected later.
      2. Stop Enrollment/Remove Work Profile: Use this option to stop the devices from enrolling if they are not compliant during enrollment, or completely remove the work-apps and their data if a violation is detected later.

You can also use this section to control whether rooted devices are allowed or disallowed.

Sometimes these checks or APIs may return a false positive, so please choose the violation action accordingly.
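The Strict/Moderate rule above, applied to a decoded attestation payload, as an added example that is not MobiLock's or Google's code. The sample payload and its unsigned JWS wrapper are constructed for offline demonstration; the function names and the freshness window are assumptions, and the JWS signature and certificate chain are not verified here, which a real verifier must do before trusting any claim.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jws_payload(jws: str) -> dict:
    """Return the JSON claims (middle segment) of a compact JWS.
    Signature/certificate-chain verification is intentionally omitted here."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def check_freshness(payload: dict, expected_nonce: str, now_ms: int,
                    max_age_ms: int = 5 * 60 * 1000) -> list:
    """Return replay/freshness problems (empty list if the attestation is acceptable)."""
    problems = []
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    ts = payload.get("timestampMs", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms):
        problems.append("attestation too old or from the future")
    return problems

def is_compliant(payload: dict, level: str) -> bool:
    """Strict: ctsProfileMatch and basicIntegrity both true. Moderate: basicIntegrity true."""
    cts = payload.get("ctsProfileMatch") is True
    basic = payload.get("basicIntegrity") is True
    if level == "strict":
        return cts and basic
    if level == "moderate":
        return basic
    raise ValueError("level must be 'strict' or 'moderate'")

def make_sample_jws(payload: dict) -> str:
    """Constructed, UNSIGNED JWS (empty signature segment) for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

# Constructed sample: a device that passes basicIntegrity but fails ctsProfileMatch
NOW_MS = int(time.time() * 1000)
SAMPLE_PAYLOAD = {"nonce": "c2FtcGxlLW5vbmNl", "timestampMs": NOW_MS - 1000,
                  "apkPackageName": "com.example.workapp",
                  "ctsProfileMatch": False, "basicIntegrity": True}

if __name__ == "__main__":
    claims = decode_jws_payload(make_sample_jws(SAMPLE_PAYLOAD))
    print("freshness problems:", check_freshness(claims, "c2FtcGxlLW5vbmNl", NOW_MS))
    for level in ("strict", "moderate"):
        print(level, "->", "compliant" if is_compliant(claims, level) else "violation")
```

The sample device is a violation under Strict but compliant under Moderate, which is exactly the difference the two levels are meant to capture.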
