Enabling SafetyNet attestation on Android devices

In the Admin Portal, you can enable Google SafetyNet attestation on Android devices to verify the integrity of the devices' software and hardware. This action provides Ivanti EPMM with the devices' SafetyNet attestation status. With this status, you can:

• Take actions on untrusted devices.

• Deliver policies, configurations, and apps to only trusted devices.

• Assess whether the Ivanti [email protected] app running on a device is valid, or if it is a malicious app pretending to be Ivanti [email protected] .

This feature attests, or verifies, various information about the device. Specifically, this feature:

• Certifies the manufacturer and model of devices

• Provides information about Ivanti [email protected]

• Certifies the device is intact and has not been tampered with

• Verifies that the Google Play version installed on the device supports SafetyNet

SafetyNet attestation works with any Android deployment, including work profiles, managed devices, and managed devices with work profiles. It also works when the device is in Device Admin mode.

If SafetyNet is enabled on the security policy of the device, Ivanti EPMM initiates a SafetyNet attestation check when:

• The device has been rebooted or

• The last SafetyNet check was performed more than 24 hours ago.

Safety attestation requires that the device is running Ivanti [email protected] 10.1 for Androidor supported newer versions.

SafetyNet attestation flow

When Ivanti EPMM initiates a SafetyNet attestation check for a device, it sends a request to Ivanti [email protected] . Ivanti [email protected] requests Google Play Services to do the check, and Google Play Services communicates with Google Play. Google Play Services returns the results to Ivanti [email protected] , which returns the results to Ivanti EPMM. The following figure illustrates this flow.

Figure 1. SafetyNet attestation flow

Setting SafetyNet attestation

To configure Ivanti EPMM to initiate SafetyNet attestation for devices, do the following.

Procedure 

1. Log into the Admin Portal.

2. Go to Policies & Configs > Policies.

3. Select a security policy and select Edit.

Alternatively, create a new security policy by selecting Add New > Security.

1. Scroll down to the Android section.

2. Select “Require Google SafetyNet Attestation”.

3. Select Save.

Related topics 

"Security policies" in Getting Started with Ivanti EPMM

Basic integrity check and CTS profile verification

SafetyNet attestation provides two checks for the device:

• The basic integrity check

Verifies that the device has not been tampered with.

• The Google Compatibility Test Suite (CTS) profile verification.

Verifies that the device meets the requirements of a device that has passed Android compatibility testing.

SafetyNet attestation information in device details

In the Admin Portal, in the Device Details of a device at Devices & Users > Devices, you can view the following fields about SafetyNet attestation. You can also use these fields in Advanced Search, including creating labels.

Table 1. SafetyNet attestation information

Status on Device	Description
SafetyNet Enabled	Indicates whether the security policy applied to the device has SafetyNet enabled.
SafetyNet Exception	Indicates an exception occurred while running SafetyNet attestation on the device.
SafetyNet Timestamp	The date and time when Ivanti EPMM last received a SafetyNet attestation response from the device.
SafetyNet Status	The results of the last SafetyNet attestation, described in the next table.

The following table explains the values of the SafetyNet Status field in a device's Device Details.

Table 2. SafetyNet status values

Ivanti EPMM Status	Description
Compatible	Ivanti EPMM received a successful response, indicating a positive response to both the basic integrity test and the CTS profile verification.
Basic	Ivanti EPMM received a successful response to the basic integrity check, but received a failed response to the CTS profile verification.
Fail	Ivanti EPMM received a response, but received failed responses to basic integrity and CTS profile. This status indicates that a device is uncertified.
Unsupported	This status occurs when either: Ivanti [email protected] determines that SafetyNet attestation is not supported on the device. The device is running a version of Ivanti [email protected] for Android prior to Ivanti [email protected] 10.1.
Unknown	Either Ivanti [email protected] timed out waiting for results, or Ivanti EPMM did not receive results in the acceptable time interval. Examples of legitimate reasons for an Unknown state are when a user is in airplane mode or has lost network connectivity. Therefore, be cautious about the actions you assign to devices that display this status.
Tampered Client	Ivanti EPMM received a response that Ivanti [email protected] is not valid, indicating the device has been tampered with.
Error	Either an exception occurred when calling SafetyNet or there was some other error.