Android SafetyNet 编辑

You can use the Android SafetyNet feature to assess the compatibility and security of Android devices that have Secure Hub installed. Android SafetyNet isn’t available for MAM deployments.

When this feature is enabled, the SafetyNet Attestation API examines software and hardware information on a device to create a profile of that device. The API then looks for the same profile within a list of device models that have passed Android compatibility testing. The API also uses this information determine whether Secure Hub has been modified by an unknown source.

When the Android SafetyNet feature is enabled, Secure Hub sends the SafetyNet Attestation API request to Google Play services and the result is reported back to Endpoint Management. Endpoint Management then updates device information with the attestation results. You can set automated actions that use the attestation results to trigger actions on the device.

For more information about how the SafetyNet Attestation API works, see the Android developers documentation.

Estimate how many SafetyNet Attestation API requests you need

SafetyNet Attestation API requests are sent:

• When a device is enrolled in Endpoint Management.

• When a Secure Hub online authentication occurs. Online authentication occurs when a server session expires or when a user signs off the server and then signs back on. Secure Hub prompts the user to provide credential to authenticate with the server.

• When a device is rebooted.

• At a recurring time interval you configure, between 24 and 1,000 hours.

If your Endpoint Management deployment will make more than 10,000 requests per day, fill out this quota request form.

Get the SafetyNet API key

To enable Android SafetyNet in Endpoint Management, you need the SafetyNet API key.

1. Log in to the Google API console with your Google administrator account credentials.

2. Go to the Library page.

3. Search for “Android Device Verification API”.

4. Click Android Device Verification API.

5. If the API isn’t already enabled, click Enable.

6. Click Manage.

7. Click Create Credentials to generate an API key.

8. Select Android Device Verification click What credentials to I need. Then click Done.

9. In the Credentials page, click the copy icon next to the key to copy the key.

10. Save the key so you can paste it into the Endpoint Management console when you enable the Android SafetyNet.

Enable Android SafetyNet

1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

2. On the Settings page, click Android SafetyNet.

3. Configure these settings:

   • API Key. Paste in the SafetyNet API key that you got from the Google API console.

   • Attestation schedule in hours. Type interval at which the SafetyNet Attestation API assesses your Android devices, in hours. The minimum value is 24 hours. The maximum value is 1000 hours. The default value is 24 hours.

4. Click Save.

View Android SafetyNet results

To view the results of the SafetyNet Attestation API assessment for a device:

1. In the Endpoint Management console, click Manage > Devices.

2. Select Android devices to see the SafetyNet Attestation API results. Then click Show more.

3. In the Device details page, select Properties.

4. The results appear in the Security section.

The SafetyNet Attestation API returns these statuses for each device:

• SafetyNet CTS profile match: If this value is True, the device has a profile that matches one that has passed Android Compatibility Test Suite (CTS). If this value is False, the device does not have a profile that matches one that has passed Android CTS.

• SafetyNet basic integrity: If this value is True, the SafetyNet Attestation API found no evidence that Secure Hub on the device has been modified by an unknown source. If this value is False, Secure Hub on the device has been modified by an unknown source.

• SafetyNet last known status: This value shows the last know SafetyNet status of the device:

  • Success: The SafetyNet Attestation API found no evidence that Secure Hub on the device has been modified by an unknown source.

  • LOCK_BOOTLOADER: The user should lock the bootloader of the device. Secure Hub on the device has been modified by an unknown source.

  • RESTORE_TO_FACTORY_ROM: The user should restore the device to a clean factory ROM. Secure Hub on the device has been modified by an unknown source.