Enabling attestation on Android devices

In the Admin Portal, you can enable Google PlayIntegrity attestation on Android devices to verify the integrity of the devices' software and hardware. This action provides Ivanti EPMM with the devices' PlayIntegrity attestation status. With this status, you can:

  • Take actions on untrusted devices.

  • Deliver policies, configurations, and apps to only trusted devices.

  • Assess whether the Ivanti Mobile@Work app running on a device is genuine, or whether it is a malicious app impersonating Ivanti Mobile@Work.

This feature attests, or verifies, various information about the device. Specifically, this feature:

  • Certifies the manufacturer and model of devices

  • Provides information about Ivanti Mobile@Work

  • Certifies the device is intact and has not been tampered with

  • Verifies that the Google Play version installed on the device supports SafetyNet/PlayIntegrity

SafetyNet/PlayIntegrity attestation works with any Android deployment, including work profiles, managed devices, and managed devices with work profiles. It also works when the device is in Device Admin mode.

If SafetyNet/PlayIntegrity is enabled on the security policy of the device, Ivanti EPMM initiates a SafetyNet/PlayIntegrity attestation check when:

  • The device has been rebooted or

  • The last SafetyNet/PlayIntegrity check was performed more than 24 hours ago.

SafetyNet/PlayIntegrity attestation requires that the device is running Ivanti Mobile@Work 10.1 for Android or a supported newer version.

SafetyNet attestation flow

When Ivanti EPMM initiates a SafetyNet attestation check for a device, it sends a request to Ivanti Mobile@Work. Ivanti Mobile@Work asks Google Play Services to perform the check, and Google Play Services communicates with Google Play. Google Play Services returns the results to Ivanti Mobile@Work, which returns them to Ivanti EPMM. The following figure illustrates this flow.

Figure 1. SafetyNet attestation flow (Ivanti EPMM > Ivanti Mobile@Work > Google Play Services > Google Play, and back)

PlayIntegrity attestation flow

With this release, Ivanti EPMM switches from SafetyNet to PlayIntegrity. The PlayIntegrity attestation workflow is supported on Android 14 devices and above; devices on older OS versions go through the SafetyNet attestation workflow. As a fallback, if an Android 14 device is unable to attest via PlayIntegrity, attestation falls back to SafetyNet.
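The two triggers above (reboot, or a last check older than 24 hours) and the Android 14 fallback from PlayIntegrity to SafetyNet are easy to get subtly wrong when reasoning about which devices will be re-checked and when. The following is an added Python model of that scheduling and path-selection logic; it is not Ivanti's code, and the clock value, the AttestationUnavailable exception type and the callable attestation clients are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Optional, Tuple

CHECK_INTERVAL = timedelta(hours=24)   # re-attest when the last result is older than this
PLAY_INTEGRITY_MIN_ANDROID = 14        # PlayIntegrity path applies to Android 14 and above

# Constructed reference clock so the example is deterministic offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def hours_ago(hours: float) -> datetime:
    """Helper for building sample 'last check' timestamps relative to NOW."""
    return NOW - timedelta(hours=hours)


def attestation_due(rebooted_since_last_check: bool,
                    last_check: Optional[datetime],
                    now: datetime = NOW) -> bool:
    """True when a new check would be initiated: the device rebooted, no check
    has ever completed, or the last check is more than 24 hours old."""
    if rebooted_since_last_check or last_check is None:
        return True
    return now - last_check > CHECK_INTERVAL


class AttestationUnavailable(Exception):
    """Assumed exception type: the attestation client could not produce a verdict."""


def run_attestation(android_version: int,
                    play_integrity: Callable[[], Any],
                    safetynet: Callable[[], Any]) -> Tuple[str, Any]:
    """Android 14+ tries PlayIntegrity first and falls back to SafetyNet if that
    attempt fails; older releases go straight to SafetyNet.
    Returns (path used, raw result from that path)."""
    if android_version >= PLAY_INTEGRITY_MIN_ANDROID:
        try:
            return "PlayIntegrity", play_integrity()
        except AttestationUnavailable:
            pass  # fall back to the legacy path below
    return "SafetyNet", safetynet()


def fake_play_integrity_unavailable() -> Any:
    """Constructed stand-in for a PlayIntegrity call that cannot attest."""
    raise AttestationUnavailable("Play Integrity API not reachable")


if __name__ == "__main__":
    # Constructed device: Android 14, last checked 25 hours ago, no reboot.
    if attestation_due(False, hours_ago(25)):
        path, result = run_attestation(14, fake_play_integrity_unavailable,
                                       lambda: {"source": "SafetyNet"})
        print(path, result)
```

Because the interval test is strict, a device checked exactly 24 hours earlier is not yet due; only a reboot forces an earlier re-check.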

Setting PlayIntegrity attestation

To configure Ivanti EPMM to initiate PlayIntegrity attestation for devices, do the following.

Procedure

  1. Log into the Admin Portal.

  2. Go to Policies & Configs > Policies.

  3. Select a security policy and select Edit.

     Alternatively, create a new security policy by selecting Add New > Security.

  4. Scroll down to the Android section.

  5. Select “Require Google PlayIntegrity Attestation”.

  6. Select Save.

See "Security policies" in Getting Started with Ivanti EPMM.

PlayIntegrity attestation information in device details

In the Admin Portal, in the Device Details of a device at Devices & Users > Devices, you can view the following fields about PlayIntegrity attestation. You can also use these fields in Advanced Search, including creating labels.

Table 1. PlayIntegrity attestation information

  Status on Device          Description
  -----------------------   ---------------------------------------------------------------------
  PlayIntegrity Enabled     Indicates whether the security policy applied to the device has
                            PlayIntegrity enabled.
  PlayIntegrity Exception   Indicates an exception occurred while running PlayIntegrity
                            attestation on the device.
  PlayIntegrity Timestamp   The date and time when Ivanti EPMM last received a PlayIntegrity
                            attestation response from the device.
  PlayIntegrity Status      The results of the last PlayIntegrity attestation, described in
                            the next table.

The following table explains the values of the PlayIntegrity Status field in a device's Device Details.

Table 2. Status values (Ivanti EPMM Status, with the description for SafetyNet and for PlayIntegrity)

  Compatible
    SafetyNet:      Ivanti EPMM received a successful response, indicating a positive response to
                    both the basic integrity test and the CTS profile verification.
    PlayIntegrity:  Ivanti EPMM received a successful response, indicating a positive response to
                    both the basic integrity test and the Meets Device Integrity Verdict.

  Basic
    SafetyNet:      Ivanti EPMM received a successful response to the basic integrity check, but
                    received a failed response to the CTS profile verification.
    PlayIntegrity:  Ivanti EPMM received a successful response to the basic integrity check, but
                    received a failed response to the Meets Device Integrity Verdict.

  Fail
    SafetyNet and PlayIntegrity:
                    Ivanti EPMM received a response, but received failed responses to basic
                    integrity and CTS profile. This status indicates that a device is uncertified.

  Unknown
    SafetyNet and PlayIntegrity:
                    Either Ivanti Mobile@Work timed out waiting for results, or Ivanti EPMM did
                    not receive results in the acceptable time interval.
                    Examples of legitimate reasons for an Unknown state are when a user is in
                    airplane mode or has lost network connectivity. Therefore, be cautious about
                    the actions you assign to devices that display this status.

  Tampered Client
    SafetyNet and PlayIntegrity:
                    Ivanti EPMM received a response that Ivanti Mobile@Work is not valid,
                    indicating the device has been tampered with.

  Error
    SafetyNet:      Either an exception occurred when calling SafetyNet or there was some other error.
    PlayIntegrity:  Either an exception occurred when calling PlayIntegrity or there was some other error.
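To make the status table concrete, here is an added Python example (not Ivanti's code) that derives the EPMM status from a raw SafetyNet or PlayIntegrity verdict and then applies a compliance decision that respects the caution about the Unknown state. The verdict field names basicIntegrity, ctsProfileMatch and deviceIntegrity.deviceRecognitionVerdict are the public Google API names; the AttestationResult shape, the action names and the grace count are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttestationResult:
    """Outcome of one attestation round trip (assumed shape, not EPMM's data model)."""
    path: str                          # "SafetyNet" or "PlayIntegrity"
    timed_out: bool = False            # Mobile@Work or EPMM gave up waiting for results
    exception: Optional[str] = None    # exception raised while calling the attestation API
    client_valid: bool = True          # False: the Mobile@Work app itself was judged not genuine
    basic_integrity: bool = False      # SafetyNet basicIntegrity / MEETS_BASIC_INTEGRITY
    profile_match: bool = False        # SafetyNet ctsProfileMatch / MEETS_DEVICE_INTEGRITY


def from_safetynet(verdict: dict) -> AttestationResult:
    """Map the boolean fields of a SafetyNet attestation payload."""
    return AttestationResult("SafetyNet",
                             basic_integrity=bool(verdict.get("basicIntegrity")),
                             profile_match=bool(verdict.get("ctsProfileMatch")))


def from_play_integrity(verdict: dict) -> AttestationResult:
    """Map the deviceRecognitionVerdict labels of a Play Integrity token payload."""
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    return AttestationResult("PlayIntegrity",
                             basic_integrity="MEETS_BASIC_INTEGRITY" in labels,
                             profile_match="MEETS_DEVICE_INTEGRITY" in labels)


def epmm_status(result: AttestationResult) -> str:
    """Reproduce the status values of Table 2 in order of precedence."""
    if result.exception is not None:
        return "Error"
    if result.timed_out:
        return "Unknown"
    if not result.client_valid:
        return "Tampered Client"
    if result.basic_integrity and result.profile_match:
        return "Compatible"
    if result.basic_integrity:
        return "Basic"
    return "Fail"


def compliance_action(status: str, consecutive_unknown: int, unknown_grace: int = 2) -> str:
    """Example policy (assumed, not an EPMM default): trusted devices get content,
    Basic devices are restricted, Fail and Tampered Client are quarantined, and
    Unknown/Error are retried rather than punished until they persist past a
    grace count, because airplane mode or lost connectivity also yields Unknown."""
    if status == "Compatible":
        return "allow"
    if status == "Basic":
        return "restrict"
    if status in ("Fail", "Tampered Client"):
        return "quarantine"
    # Unknown or Error: a transient state until it repeats too often.
    return "retry" if consecutive_unknown <= unknown_grace else "restrict"


if __name__ == "__main__":
    # Constructed Play Integrity verdict for a device that meets device integrity.
    sample = {"deviceIntegrity": {"deviceRecognitionVerdict":
                                  ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]}}
    status = epmm_status(from_play_integrity(sample))
    print(status, compliance_action(status, 0))
```

The precedence order matters: an exception or timeout is reported before any integrity verdict is consulted, so a device that never answered is never mistaken for an uncertified one.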