Advanced searching

As data sets get larger, it is increasingly important to have a powerful search. You can use advanced search to build complex queries using the full set of available criteria (see Using the query builder and Using both the query builder and manual editing.) You can also create a new label using the advanced search criteria.

To access advanced search:

  1. Log into the Admin Portal.
  2. Go to Device & Users > Devices.
  3. Click the Advanced Search button located at the top right, above the table to display the query builder.
  4. Enter search criteria using the query builder, or type the search expression directly. See Device field definitions.
  5. Click Search. Verify your results.
  6. (Optional) Click Save to Label button. This will save your new search query as a new label and in Devices & Users > Labels, you can utilize this new label as a filtered label.
  7. If Notes for Audit Logs is enabled, a text dialog box opens. Enter the reason for the change and then click Confirm. For more information, see Best practices: label management.

Searchable fields

To see the complete list of searchable fields in the query builder:

  1. Click Field to see the categories
  2. Click Expand All.

The fields are organized alphabetically into the following categories for convenience:

  • Device fields: apply to device type based on their operating system.
  • OS-specific fields: apply to devices of the selected platform.

  • User fields: apply to the device’s user, including LDAP fields for groups and custom attributes.

Device field definitions

This section covers the device field definitions found in the Devices & Users > Devices page. They also display in the Advanced Search field on the same page.

Table 5.   Device field definitions

Device Type

Field

Description

Android Fields

Admin Activated

True / false if device activated by admin.

 

Android Automated Enrollment

(This field is valid for Core 10.6.0.0 or supported newer versions.)

Once automated Android registration is completed, the following values display:

Google Zero Touch

Knox Mobile Enrollment

Non Zero Touch AE Enrollment - this is for Managed Devices / Device Owner types (afw#, QR code, NFC)

Unknown - this value displays if versions before Core 10.6.0.0 were used. This means the "In-App Registration Requirement field in Settings > System Settings > Users & Devices > Device Registration was used. It can also mean that an old client was used with Core version 10.6.0.0 or later.

 

Android Client Version Code

 

Version code of the client.

 

Android for Work Capable

True if the device is Android Enterprise capable, otherwise false.

 

Attestation

Result of Samsung Attestation.

 

Brand

Brand of the device.

 

C2DM Token

C2DM token of the device if present, otherwise blank.

 

Code Name

Code name of the Mobile@Work client

 

Developer Mode

True if the Android device has Developer mode enabled, otherwise false. This is reported on all Android device configurations and also on Knox.

 

Device

Brand name of device, for example, Mako.

 

Device Encryption Status

Device encryption status.

 

Device Roaming Flag

True if the device is roaming, otherwise false.

 

Elapsed Time Since Reboot (minutes)

Indicates, in minutes, the amount of time since the device was last rebooted.

 

File encryption

True if the Android device has enabled file encryption, otherwise false. This is reported on all Android device configurations and also on Knox.

 

GCM/FCM Token Present

GCM token of the device if present, otherwise blank.

 

Google Device Account Present

True if the device has a Google Device Account (eg: Android Enterprise), false otherwise.

 

ICCID

Integrated Circuit Card Identifier number.

 

Kiosk Enabled

True if the device is kiosk enabled, otherwise false.

 

Manufacturer OS Version

Manufacturer OS version.

 

MDM Enabled

True if MDM is enabled, otherwise false.

 

Media Card Capacity

Amount of memory capacity of the media / SD card.

 

Media Card Free

Amount of free memory on the media / SD card.

 

Multi MDM

Indicates true/false.

 

OS API Level

The Android OS API level. See https://developer.android.com/studio/releases/platforms for more details.

This number is used so administrators can use a numerical comparison of OS versions.

 

OS Build Number

OS build number.

 

OS Update Path

OS Update Path.

 

OS Update Status

OS Update Status.

 

OS Version

Lists the OS version of the device.

 

Password/PIN Days Before Expiring

 

Represents the number of days before the password / PIN will expire. This numerical value is controlled by the Security policy's Maximum Password Age field value. This field is a dynamic field, its value decreases every day by 1 until the password / PIN is renewed. At renewal, the value returns to the original number stated in the Maximum Password Age field and starts a new daily count-down. See Working with default policies.

 

Platform Flags

Internal string representing the capabilities of the Mobile@Work application.

 

Registration Status

Registration status of the device. Registration Status can be used as part of a dynamic label evaluation and criteria for tier compliance.

In the Select Type drop-down, select one of these options:

Device Admin

Device Admin Not Required

Work Managed Device

Managed Device with Work Profile

Work Profile

Work Profile for Company Owned Device

Unknown

 

SafetyNet Enabled

True if SafetyNet is enabled, false otherwise.

 

SafetyNet Exception

SafetyNet exception during error.

 

SafetyNet Status

SafetyNet status if enabled and no error.

 

SafetyNet Timestamp

Timestamp of when last SafetyNet check was run.

 

Samsung Carrier Code

Samsung Carrier code.

 

Samsung DualDAR Enabled

Indicates if the Samsung DualDAR on client is enabled. If not client enabled or device is in Device Owner mode, lists as "Unsupported."

 

Samsung DualDAR Version

Represents the Samsung Knox v3 license key for DualDAR. Lists the Samsung DualDAR version if client is enabled. If not client enabled or device is in Device Owner mode, lists as "Unsupported."

 

Samsung E-FOTA Capable

True if the device supports Samsung E-FOTA, false otherwise.

 

Samsung KNOX Version

Knox version, if present.

 

Samsung Model Number

Samsung Model Number.

 

Samsung SAFE Version

Samsung Safe Version.

 

Screenlock PIN Change Prompt – Showing

Indicates if device user was prompted to change the device's screen lock password / PIN and the device user skipped the prompt. Values are:

Unknown - If coming from an older client device, value is unknown.

True - Indicates the PIN is to expire in 7 days or less.

False - (default) Indicates the device user is not being prompted to change the password / PIN (it has not reached its 7-day expiration window.)

The value listed stays until the device user successfully changes the password /PIN on the device. See Working with default policies.

 

Secure Apps Enabled

True if Secured Apps / AppConnect is enabled, otherwise false.

 

Secure Apps Encryption Enabled

True if Secured Apps Encryption is enabled, otherwise false.

 

Secure Apps Encryption Mode

Type of Secured Apps / AppConnect Encryption.

 

Security Detail

Reason for security failure if it occurs.

 

Security Patch Level

Security Patch Level string or timestamp.

 

Security Patch Level Date

Date of the Security Patch Level of the OS.

 

Security Reason

Reason device is considered jailbroken.

 

USB Debugging

True if USB debugging is enabled, otherwise false.

 

Wear OS Client installed

True only if one or more paired-watches have Mobile@Work installed on the Wear OS device.

 

Wear OS Device is Paired

True if one or more Wear OS device is paired to device via Bluetooth.

 

Zebra Build Fingerprint

Fingerprint of the firmware build currently present on the Zebra device.

 

Zebra Device Build Id

Current Build ID of the Zebra device.

 

Zebra Device System Update
  • Unknown - Not supported by client or OS version
  • Current - The most current update is installed. Applicable to Android 8. 0 or supported newer versions. Applicable to Zebra 6 or supported newer versions.
  • Pending - The client has accepted a system update configuration, but the update is not yet downloaded or installed. Applicable for Zebra 6 or supported newer versions.
  • Downloading - An update is being downloaded. Applicable for Zebra 6 or supported newer versions.
  • Available - An update is available (Android 8 or supported newer versions) or downloaded (Zebra 6 or supported newer versions) but is not yet installed.

 

Zebra OTA Capable

True if the device supports Zebra OTA (Over The Air), otherwise false.

 

Zebra Patch Version

The version of firmware for the Zebra device to be upgraded to. This is the target firmware version of the firmware applied to the Zebra device through firmware policy.

Common Fields

Anti-phishing native status

Content Blocker anti-phishing status for iOS device, and URL Handler anti-phishing for Android devices when MTD Anti-phishing is configured.

 

Anti-phishing VPN status

Status of VPN which analyzes malicious URLs when MTD Anti-phishing is configured.

 

APNS Capable

Only true if there is an APNS token for the Mobile@Work client, otherwise false.

 

AppConnect Terms of Service

True/false for if the AppConnect Terms of Service was accepted.

 

AppConnect Terms of Service Date

Represents the date/time the AppConnect Terms of Service was accepted.

 

Authenticator Only

True/false if the device is registered in Authenticator Only mode.

 

Azure Client Status Code

Indicates whether device is connected to Azure. The possible values are:

  • Success - Able to retrieve device ID.

  • Internal_Error - An unrecoverable error occured either within the client or on server side.

  • Workplace_Join_Required - Registration of device required. Device user can mitigate this status.

  • Interaction_Required - An interactive log-in is required. Device user can mitigate this status.

  • Server_Declined_Scopes - Some scopes were not granted access to.

  • Server_Protection_Policies_Required - The requested resource is protected by an Intune Conditional Access policy.

  • User_Canceled -The device user cancelled the web Auth session by tapping the "Done" or "Cancel" button in the web browser.

  • Account_logged_out - Account logged out.

 

Azure Device Compliance Report Status

Lists the device's compliance status in Azure. Possible values are:

  • In-progress

  • Successful

  • Failed

 

Azure Device Compliance Report Time

The time Core reported the device compliance status to Microsoft Intune. A blank field indicates one of the following:

  • because that feature is disabled

  • Core just received the data and has yet to call the Microsoft API

  • there is an error such as user_Cancelled or Internal Error so server will not report the device to Microsoft

 

Azure Device Compliance Status

Indicates Azure account has been deactivated or the device is not in compliance. Possible values are: Compliant / Not Compliant.

 

Azure Device Identifier

The device ID reported by Microsoft to the iOS or Android device. For example: 007c8232-9489-4074-9b35-345b16f0a72d. This is Microsoft’s ID for that device. Core receives this device ID as device users are required to register to Microsoft Authenticator application in order to use this feature.

If unable to retrieve the Device ID, this field is left blank.

 

Background Status

True if iOS background status is enabled, otherwise false.

 

Battery Level

Percentage of battery left.

 

Block Reason

A list of reasons why the device is blocked.

 

Blocked

True if the device is blocked, otherwise false.

 

Cellular Technology

GSM, CDMA, or blank if the device does not support cellular.

 

Client Build Date

The build date of the client, if registered with Mobile@Work client.

 

Client Id

The unique client ID if the device was registered with Mobile@Work client.

 

Client Last Check-in

Date/Time of last check-in.

 

Client Migration Status

Status of Mobile@Work client migration from Core to Cloud (true/false).

 

Client Name

The name of the client, if registered with Mobile@Work client.

 

Client Version

The version of the client, if registered with Mobile@Work client; otherwise, false.

 

Cloud Migration Status

Status of device migration from Core to Cloud (true/false).

 

Comment

A field that the admin uses to add their own comments for the device.

 

Compliant

True if the device is in compliance, otherwise false.

 

Creation Date

The creation date of this device record.

 

Current Country Code

Current country code of the device.

 

Current Country Name

Current country name of the device.

 

Current Operator Name

Short name of the cellular carrier, if there is a cellular service.

 

Current Phone Number

Current phone number of device, if the device has cellular service.

 

Device Admin Enabled

True if device admin (Android) is enabled, otherwise false.

 

Device Encrypted

True if the device is encrypted, otherwise false.

 

Device is Compromised

True if the device is compromised, for example, jailbroken.

 

Device Locale

Locale of the device.

 

Device Owner

Company or Personal.

 

Device Space

Name of the space the device belongs to.

 

Device UUID

Unique ID of the device generated from Core.

 

Display Size

Size of device's display.

 

EAS Last Sync Time

Exchange ActiveSync last sync time.

 

Ethernet MAC

Ethernet MAC ID.

 

Home Country Code

Home (Initial) country code of the device.

 

Home Country Name

Home country name of the device.

 

Home Operator Name

Home Operator Name.

 

Home Phone Number

Home Phone Number.

 

IMEI

IMEI (International Mobile Equipment Identity) number.

 

IMSI

ISMI (International Mobile Subscriber Identity) number.

 

IP Address

Current IP address of the device.

As new GDPR fields (such as IP Address and eSIM ID) are added throughout Core releases, the administrators who have configured GDPR already will need to edit the GDPR profile if they want to hide the new fields.

 

Language

Language of the device.

 

Last Check-in

Last check-in time of the device.

 

Manufacturer

Manufacturer of the device.

 

MDM Last Check-in

Last MDM check-in time of the device.

 

MDM Managed

True if the device is MDM managed, otherwise false.

 

Memory Capacity

Memory capacity of the device.

 

Memory Free

Amount of free memory in the device.

 

MobileIron Threat Defense Status

Mobile Threat Defense Status.

 

MobileIron Tunnel App Installed

True / false if the Tunnel app was installed.

 

Model

Model of the device.

 

Model Name

Model name of the device.

 

Modified Date

Date/Time for last updates to device details.

 

MTD Activation Status

MTD Activation Status.

 

MTD Anti-Phishing Status

MTD Anti-Phishing Status.

 

Non-compliance Reason

Reason why the device is not in compliance.

 

OS Version

OS version number string.

 

Passcode

Contains registration PIN for a preregistered device, empty if none exists.

 

Passcode Expiration Time

The expiration time for the registration pin for a prereigstered device, empty if none exists.

 

Platform

Operating system of the device.

 

Platform Name

Operating system and OS version of the device.

 

Processor Architecture

Architecture of the processor for the device.

 

Quarantined

True if the device is quarantined, false otherwise.

 

Quarantined Reason

Reason for quarantined, empty if the device is not quarantined.

 

Registration Date

Registration date of the device.

 

Registration IMSI

Registration of ISMI (international mobile subscriber identity) number.

 

Registration UUID

Unique ID when registering from the client.

 

Retired

True if the device is retired, otherwise false.

 

Roaming

True if the device is roaming, otherwise false.

 

SD Card Encrypted

True/faise if SD card is encrypted.

 

Security State

Security state of the device.

 

Serial Number

Serial number of the device.

 

Status

Status of the device.

 

Storage Capacity

Total storage capacity, in bytes, of the device.

 

Storage Free

Number of bytes of free storage on the device.

 

Terms of Service Accepted

True if the End user Terms of Service was accepted, otherwise false.

 

Terms of Service Accepted Date

Date for when the End User Terms of Service was accepted, otherwise blank.

 

Wi-Fi MAC

Wi-FI MAC address of the device.

iOS Fields

Activation Lock Bypass Code

Code to bypass activation lock.

 

Activation Lock is Enabled

True if Activation Lock is enabled on the device, otherwise false. Applicable to iOS.

 

APNS Token

Mobile@Work client APNS wakeup token. Applicable to iOS.

 

Apple Device Mac Address

iPhone (media access control address) MAC address. Applicable to iOS and OS X.

 

Apple Device Version

iPhone version code. Applicable to iOS and OS X.

 

Apple OS Update Product Key

Available OS update product key. Applicable to iOS and macOS.

 

Apple OS Update Product Version

Available OS update product version. Applicable to iOS and macOS.

 

Apple OS Update Status

OS update status. Applicable to iOS and macOS.

 

Apple User Enrolled Device

True/false the device is enrolled in User Enrollment.

 

Bluetooth MAC

Bluetooth MAC address. Applicable to and OS X.

 

Build Version

MDM build version. Applicable to iOS and OS X.

 

Carrier Settings Version

Carrier settings version. Applicable to iOS.

 

Current Mobile Country Code

Current mobile country code. Applicable to iOS.

 

Current Mobile Network Code

Current mobile network code. Applicable to iOS.

 

Data Protection

Applicable to iOS.

 

Data Roaming Enabled

True if device is data roaming enabled, otherwise false. Applicable to iOS.

 

DEP Device

True if the device is Apple Device Enrolled, otherwise false. Applicable to iOS, macOS, and tvOS.

 

DEP Enrolled

True if the device is Apple Device Enrolled, otherwise false. Applicable to iOS.

 

Device Locator Service is Enabled

True if device locator service is enabled, otherwise false. Applicable to iOS.

 

Device Name

Name of the device. Applicable to iOS and OS X.

 

Do Not Disturb is in Effect

True if Do Not Disturb is enabled, otherwise false. Applicable to iOS.

 

Force Encrypted Backup

True if backups are forced to be encrypted, otherwise false. Applicable to iOS.

 

Full Disk Encryption Enabled

True if full disk encryption is enabled, otherwise false. Applicable to macOS 10.9+.

 

Full Disk Encryption Has Institutional Recovery Key

True if full disk encryption has institutional recovery key, otherwise false. Applicable to macOS 10.9+.

 

Full Disk Encryption Has Personal Recovery Key

True if full disk encryption has personal recovery key, otherwise false. Applicable to macOS 10.9+.

 

Hardware Encryption Caps

Hardware encryption capabilities. Applicable to iOS.

 

iCloud Backup is Enabled

True if Cloud backup is enabled, otherwise false. Applicable to iOS.

 

iOS Background Status

True if iOS background status is enabled, otherwise false. Applicable to iOS.

 

iOS ICCID

Device's integrated circuit card identifier number. Applicable to iOS.

 

IT Policy Result

Applicable to iOS.

 

iTunes Store Account Hash

iTunes Store Account Hash.

 

iTunes Store Account is Active

Ttrue if iTunes Store Account is active, otherwise false. Applicable to iOS.

 

Languages

Language of the device. Applicable to tvOS.

 

Last Acknowledged Lock PIN

PIN to unlock a locked macOS device. Applicable to macOS.

 

Last Acknowledged Wipe PIN

PIN to proceed after wiping a macOS device. Applicable to macOS.

 

Last iCloud Backup Date

Last iCloud backup date. Applicable to iOS.

 

Last MTD Sync Time

Last MTD check-in time. Applicable to iOS.

 

Locales

Locale of the device. Applicable to tvOS.

 

macOS User ID

macOS user ID. Applicable to OS X.

 

macOS User Long Name

macOS user's long name. Applicable to OS X.

 

macOS User Short Name

macOS user's short name.Applicable to OS X.

 

Managed Apple ID

The Apple ID allocated by the company to the device user. For Shared iPad devices, this field is populated once the iPad user logs in.

 

Maximum Resident Users

Only for use with iOS Education Shared iPad devices. Tells the device how many users will have their data cache on the device. When the device reaches this number, the next logged-in user that is not already present will be cached and one of the cached users will be removed from the cache (up to Apple which user.) Applicable to iOS.

 

MDM Lost Mode Enabled

True if MDM Lost Mode is enabled, otherwise false. Applicable to iOS.

 

MDM Service Enrolled

True if the device is was enrolled via MDM Service (non-over air Apple Device Enrollment), otherwise false. Applicable to iOS.

 

MEID

Mobile Equipment Identity Number.

 

Modem Firmware Version

Modem firmware version. Applicable to iOS.

 

Network Tethered

True if the device was reported as currently network tethered, otherwise false. Applicable to macOS.

 

Organization Info

Organization for the device. Applicable to iOS.

 

Passcode Compliant

True if passcode is in compliance, otherwise false. Applicable to iOS.

 

Passcode Compliant with Profiles

True if passcode is compliant with rules specified from profiles. Applicable to iOS.

 

Passcode Present

True if Passcode is present on device, otherwise false. Applicable to iOS.

 

Personal Hotspot Enabled

True if Personal Hotspot is enabled, otherwise false. Applicable to iOS.

 

Product Code

iPhone Product code. Applicable to iOS and OS X.

 

Product Name

Product name. Applicable to iOS and OS X.

 

Security Reason Code

Security reason code. Applicable to iOS.

 

Shared iPad: Active Resident Users

Lists the number of users who have logged into the device and have user sessions stored on the device.

The number displayed will never be larger than the Shared iPad: Allocated Resident Users number, even if a Guest/Temporary user logged into that device.

 

Shared iPad: Allocated Resident Users

Lists the number of user sessions that can be stored on the device. If more users log in, older users will be removed to make room for the new user. This is configured in the Device enrollment profile and will either be the number set as the Maximum Resident Users or will be calculated if the Quota size is set.

 

Shared iPad: Guest/Temporary Session Only

If the device was configured to only allow Guest/Temporary sessions and is true, only guest access is allowed. This is configured in the Device Enrollment Profile.

If left blank, the timeout will use the iPad's system defaults. If set to zero, there will be no timeout. Maximum limit is 1800 seconds.

 

Shared iPad: Guest/Temporary Session Timeout

Lists the timeout for guest/temporary sessions. This will log out the user after inactivity for the allotted time. Guest/temporary users will be completely logged out, not just have the screen locked. This is configured in the Device Enrollment Profile. If set to zero, there will be no timeout.

 

Shared iPad: Is Multi User

True/false if the device is a shared iPad.

 

Shared iPad: Maximum Resident Users

Lists the Maximum Resident Users allowed to be set on the device. If the Device Enrollment Profile sets the Maximum Resident Users to a number larger than this, the Allocated Resident Users will be set to this number. This number is controlled by the system based on the size of the device.

 

Shared iPad: Quota Size (MB)

Lists the amount of space allocated per user. This is configured in the Device Enrollment Profile and will either be the number set as the Quota size or will be calculated if Maximum Resident Users is set.

 

Shared iPad: User Session Timeout

Lists the timeout for logged-in user sessions. This will log out the user after inactivity for the allotted time. Users will be completely logged out, not just have the screen locked. This is configured in the Device Enrollment Profile. Maximum limit is 1800 seconds.

 

SIM EID 1, 2, 3

The SIM ID of the carrier assigned to the SIM of a specific device. The EID will be included in the response of the simdetails API call. (For more information, see the V2 API Guide.)

In the Device Details page, clicking on the number in the field opens the SIM Information dialog box allowing the administrator to see SIM information, including the EID. Applicable to iOS 14.0 through the latest version of Core.

 

SIM Label 1, 2, 3

The label for the associated SIM card. Up to 3 SIM cards, physical and virtual, are stored.

 

SIM MCC 1, 2, 3

SIM card mobile country code associated to the phone number.

 

SIM MNC 1, 2, 3

SIM card mobile network code associated to the phone number

 

SIM Phone Number 1, 2, 3

The phone number associated with the SIM card / eSIM.

 

SIMs

Lists the number of SIMs associated to the device. This includes embedded SIMs (eSIM) and physical SIMs.

There can be multiple SIMs associated with the eSIM.

For eSIMs in iPhone XS, iPhone XS Max, or iPhone XR with iOS 12.1 or supported newer versions.

 

Subscriber Carrier Network

SIM card subscriber carrier network. Applicable to iOS.

 

Subscriber MCC

SIM card mobile country code. Applicable to iOS.

 

Subscriber MNC

SIM card mobile network code Applicable to iOS.

 

Supervised

True if the device is MDM supervised, otherwise false. Applicable to iOS.

 

Time Zone

Lists the time zone applied to the device.

 

UDID

iPhone unique device identifier. Applicable to iOS and OS X.

 

Voice Roaming Enabled

True if voice roaming is enabled, otherwise false. Applicable to iOS.

 

VPN IP Address

VPN IP address. Applicable to iOS and tvOS.

 

Wakeup Status

Device Wakeup status.

User Fields

Display Name

The display name of the device user.

 

Email Address

Device user's email address.

 

First Name

Device user's first name.

 

Last Admin Portal Login Time

Date of admin's last log in into Core.

 

Last Name

Device user's last name.

 

LDAP > Attribute Distinguished Name

The Attribute Distinguished Name for an LDAP user.

 

LDAP > Groups > LDAP Group Distinguished Name

LDAP Users who are members of an LDAP group with a specific group distinguished name.

 

LDAP > Groups > Name

LDAP Users who are members of an LDAP group with a specific group name.

 

LDAP > LDAP User Distinguished Name

The LDAP distinguished Name of the user.

 

LDAP > LDAP User Locale

An LDAP User who are members of a specific locale.

 

LDAP > Organizational Units > LDAP Organizational Units Distinguished Name

LDAP users who are members of an organizational unit with a specific distinguished name.

 

LDAP > Principal

Value of the attribute specified as the User ID in the LDAP server configuration.

 

LDAP > upn

Value of the attribute specified as the User Principal Name in the LDAP server configuration.

 

LDAP > User Account Control > Account Disabled

Indicates whether the LDAP user account is disabled (true/false).

 

LDAP > User Account Control > 

Locked Out

Indicates whether the LDAP user account is locked out (true/false).

 

LDAP > User Account Control >

Password Expired

Indicates whether the LDAP user 's password has expired (true/false).

 

LDAP > User Attributes >

custom1, custom2, custom3, custom4

The value of the LDAP user attribute is defined in Services > LDAP.

 

LDAP > User Attributes >

memberOf

The value of the LDAP user attribute is defined in Services > LDAP.

 

SAM Account Name

The security account name. This was the login name for earlier versions of Windows.

 

User ID

The LDAP user ID.

 

User UUID

The LDAP Universally Unique Identifier.

For Windows field definitions, see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp.