February 07, 2024

Elevating Security: The Transition from Google’s SafetyNet Attestation to Play Integrity API

This blog introduces the transition from Google's SafetyNet Attestation to the Play Integrity API in Workspace ONE UEM version 2310. It discusses the Play Integrity API update, provides details on its configuration, and outlines troubleshooting tips.

The introduction of Workspace ONE UEM 2310 empowers administrators to utilize the Play Integrity API which has replaced SafetyNet Attestation for safeguarding endpoints.

As an IT administrator, you might have encountered compromised status for Android devices in your organization and would have leveraged SafetyNet Attestation API to check the device's integrity. The latest Google update now requires you to use the Play Integrity API. By the end of Jan 2025, the SafetyNet Attestation API will no longer work and all admins will have to use Play Integrity API henceforth.

If you are already using SafetyNet Attestation, no changes are required on the UEM console, because the Custom Settings key-value pair (KVP) is the same. If you are not, this blog will help you understand how to configure the Play Integrity API and explains how it differs from the SafetyNet Attestation API.

Let’s look at how to use Play Integrity API

To start using Play Integrity API, verify that you have the following prerequisites validated in your Workspace ONE UEM environment.

Workspace ONE UEM console and device-based prerequisites:

  • Intelligent Hub 23.05 and later
  • Android 7+ 
  • Workspace ONE UEM 2310 and later
  • For UEM hosted on-premises, complete all network prerequisites

How does Play Integrity API function?

Figure 1: Play Integrity API Workflow with Intelligent Hub

  1. Intelligent Hub requests a nonce from the Workspace ONE UEM API Server over REST (the nonce is a unique encrypted number used once in this communication).
  2. Intelligent Hub calls the Play Integrity API, which is hosted on Google Cloud, passing that nonce.
  3. Google Cloud evaluates the device integrity and returns a response to Intelligent Hub.
  4. Intelligent Hub sends the response to Workspace ONE UEM.
  5. Workspace ONE UEM decrypts and verifies the response; if the response does not meet the system integrity criteria, the device is flagged as compromised and a device wipe is carried out.

The workflow is similar for the Play Integrity and SafetyNet Attestation APIs; the main enhancements are:

  1. The Play Integrity API captures certain edge cases better, which reduces false positive results.
  2. In the Play Integrity API response sent to Intelligent Hub, Google categorizes the device's integrity into verdicts such as “MEETS_BASIC_INTEGRITY”, “MEETS_DEVICE_INTEGRITY” and “MEETS_STRONG_INTEGRITY”. To learn more, refer to Google’s article on Integrity Verdicts.
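To make the server side of the workflow above concrete (step 5, where the response is verified and the device is flagged, and the verdict labels just listed), here is an added example that is not Workspace ONE UEM or Intelligent Hub code. The real integrity token is encrypted and signed by Google; this example assumes it has already been decrypted into the documented JSON payload and shows the policy checks a verifier applies before trusting it: the nonce must be one the server issued and not yet used, the package name must match, the token must be fresh, and the device verdict must contain the required label. The package name, the 15-minute freshness window and the sample payloads are constructed for the example.

```python
import json
import secrets
import time
from dataclasses import dataclass, field

# Verdict labels documented for deviceIntegrity.deviceRecognitionVerdict (cumulative:
# STRONG implies DEVICE implies BASIC).
MEETS_BASIC = "MEETS_BASIC_INTEGRITY"
MEETS_DEVICE = "MEETS_DEVICE_INTEGRITY"
MEETS_STRONG = "MEETS_STRONG_INTEGRITY"

MAX_TOKEN_AGE_S = 15 * 60  # assumption: reject verdicts older than 15 minutes


class NonceStore:
    """Issues single-use nonces (step 1) and consumes them when a verdict returns (step 5)."""

    def __init__(self):
        self._issued = {}  # nonce -> issue time, epoch seconds

    def issue(self):
        nonce = secrets.token_urlsafe(24)  # 24 random bytes, URL-safe base64
        self._issued[nonce] = time.time()
        return nonce

    def consume(self, nonce):
        # True exactly once per issued nonce; unknown or replayed nonces fail.
        return self._issued.pop(nonce, None) is not None


@dataclass
class Verification:
    ok: bool
    reasons: list = field(default_factory=list)


def verify_verdict(payload_json, store, expected_package, required=MEETS_DEVICE, now=None):
    """Return Verification(ok, reasons); every failed check is listed so it can be logged."""
    now = time.time() if now is None else now
    reasons = []
    try:
        payload = json.loads(payload_json)
    except ValueError:
        return Verification(False, ["payload is not valid JSON"])

    req = payload.get("requestDetails", {})

    # 1. Anti-replay: the nonce must be one we issued and never seen before.
    if not store.consume(req.get("nonce", "")):
        reasons.append("nonce unknown or already used")

    # 2. The verdict must have been requested by our app, not another caller's.
    if req.get("requestPackageName") != expected_package:
        reasons.append("requestPackageName mismatch")

    # 3. Freshness: timestampMillis is set by Google when the verdict is produced.
    ts_ms = req.get("timestampMillis")
    if not isinstance(ts_ms, (int, float)) or now - ts_ms / 1000 > MAX_TOKEN_AGE_S:
        reasons.append("token too old or missing timestamp")

    # 4. Device verdict policy: the required label must be present.
    verdicts = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if required not in verdicts:
        reasons.append(f"device verdict {sorted(verdicts) or 'empty'} lacks {required}")

    # 5. The calling app should be the build Google Play recognizes.
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not PLAY_RECOGNIZED")

    return Verification(not reasons, reasons)


def make_sample_payload(nonce, verdicts, now, package="com.example.hub"):
    """Constructed sample in the shape of a decoded integrity token (package name is hypothetical)."""
    return json.dumps({
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": int(now * 1000)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": package},
        "deviceIntegrity": {"deviceRecognitionVerdict": verdicts},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    })


def demo():
    """Healthy device, a replayed token, and a device that only meets basic integrity."""
    store, now, pkg = NonceStore(), time.time(), "com.example.hub"
    n1 = store.issue()
    good = verify_verdict(make_sample_payload(n1, [MEETS_BASIC, MEETS_DEVICE], now), store, pkg, now=now)
    replay = verify_verdict(make_sample_payload(n1, [MEETS_BASIC, MEETS_DEVICE], now), store, pkg, now=now)
    n2 = store.issue()
    weak = verify_verdict(make_sample_payload(n2, [MEETS_BASIC], now), store, pkg, now=now)
    return good, replay, weak


if __name__ == "__main__":
    for label, result in zip(("good", "replay", "weak"), demo()):
        print(label, "OK" if result.ok else "COMPROMISED", result.reasons)
```

The `required` argument is the policy knob: a console that wants to treat devices with an unlocked bootloader as compromised would demand `MEETS_DEVICE_INTEGRITY` (as here), while a stricter policy can demand `MEETS_STRONG_INTEGRITY`. Whatever the policy, the nonce and freshness checks are what prevent a verdict captured from one healthy device from being replayed on another.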

Configuring Play Integrity API

Now that you know the backend flow, let’s look at how you can configure it on the Workspace ONE UEM console.

Log in to the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Settings > Custom Settings, enter {"SafetyNetEnabled":true} and click Save.


Figure 2: Configuring Play Integrity API

Note: Ensure that Custom Settings is Enabled.

To validate if Play Integrity API has been enabled, navigate to your Device > List View > Click Friendly name. The Security details under the Summary tab will contain Play Integrity details.


Figure 3: Validate if Play Integrity is enabled successfully

You should see Play Integrity with a green tick which confirms that it has been enabled and you can check the last scan by hovering your cursor over the tick symbol.

Troubleshooting Tips

What if you do not see the green tick? Here are some troubleshooting steps that you can take to investigate the issue at hand.

  1. Confirm {"SafetyNetEnabled":true} is entered correctly and saved without any errors in Custom Settings.
  2. Check that all network prerequisites are met as per the details mentioned in Network Requirements for Android.
  3. Ensure the device has Google Mobile Services (GMS); check its Play Protect certification status.
  4. Hover your cursor over Play Integrity to read the error.
  5. A simple reboot will trigger the scan; check whether the status changes afterwards.
  6. Collect Hub logs while you replicate the issue. Note that the scan runs every hour, so you will have to trigger it manually.
  7. Scan the Hub logs and the Device Services server logs for Play Integrity-related errors.
  8. Check the Event Logs on the UEM console for HMAC authentication errors. The SDK calls UEM endpoints that require HMAC, so these errors cause the flow to fail.

Summary

Play Integrity API is an update to the SafetyNet Attestation API which helps IT administrators check the system integrity of Android devices.

To learn more about Play Integrity API, check out the following articles:

You can also learn more about how to manage Android devices with this Tech Zone article:
