Product documentation
Citrix Endpoint Management
View PDF

Android SafetyNet

February 29, 2024
Contributed by: 
K C

You can use the Android SafetyNet feature to assess the compatibility and security of Android devices that have Citrix Secure Hub installed. Android SafetyNet isn’t available for MAM deployments.

When this feature is enabled, the SafetyNet Attestation API examines software and hardware information on a device to create a profile of that device. The API then looks for the same profile within a list of device models that have passed Android compatibility testing. The API also uses this information to determine whether an unknown source has modified Citrix Secure Hub.

When the Android SafetyNet feature is enabled, Citrix Secure Hub sends the SafetyNet Attestation API request to Google Play services and the result is reported back to Citrix Endpoint Management. Citrix Endpoint Management then updates device information with the attestation results. You can set automated actions that use the attestation results to trigger actions on the device.

For more information about how the SafetyNet Attestation API works, see the Android developers documentation.

Estimate how many SafetyNet Attestation API requests you need

SafetyNet Attestation API requests are sent:

  • When a device is enrolled in Citrix Endpoint Management

  • When a Citrix Secure Hub online authentication occurs

    Online authentication occurs when a server session expires or when a user signs off the server and then signs back on. Citrix Secure Hub prompts the user to provide credential to authenticate with the server.

  • When a device is rebooted

  • At a recurring time interval you configure, between 24 and 1,000 hours.

If your Citrix Endpoint Management deployment makes more than 10,000 requests per day, fill out this quota request form.

Get the SafetyNet API key

To enable Android SafetyNet in Citrix Endpoint Management, you need the SafetyNet API key.

  1. Log in to the Google API console with your Google administrator account credentials.

  2. Go to the Library page.

  3. Search for “Android Device Verification API”. Google API page

  4. Click Android Device Verification API. Google API page

  5. If the API isn’t already enabled, click Enable. Google API page

  6. Click Manage.

  7. Click Create Credentials to generate an API key. Google API page

  8. Select Android Device Verification click What credentials to I need. Then click Done. Google API page

  9. In the Credentials page, click the copy icon next to the key to copy the key. Google API page

  10. Save the key so you can paste it into the Citrix Endpoint Management console when you enable the Android SafetyNet.

Enable Android SafetyNet

  1. In the Citrix Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android SafetyNet. Settings page with Android SafetyNet highlighted

  3. Configure these settings:

    • API Key. Paste in the SafetyNet API key that you got from the Google API console.

    • Attestation schedule in hours. Type interval at which the SafetyNet Attestation API assesses your Android devices, in hours. The minimum value is 24 hours. The maximum value is 1000 hours. The default value is 24 hours. Configuring Android SafetyNet

  4. Click Save.

View Android SafetyNet results

To view the results of the SafetyNet Attestation API assessment for a device:

  1. In the Citrix Endpoint Management console, click Manage > Devices.

  2. Select Android devices to see the SafetyNet Attestation API results. Then click Show more.

  3. In the Device details page, select Properties.

  4. The results appear in the Security section. Device Details page with Android SafetyNet highlighted

The SafetyNet Attestation API returns these statuses for each device:

  • SafetyNet CTS profile match: If this value is True, the device has a profile that matches one that has passed the Android Compatibility Test Suite (CTS). If this value is set as False, the device does not have a profile that matches one that has passed Android CTS.

  • SafetyNet basic integrity: If this value is True, the SafetyNet Attestation API found no evidence that an unknown source has modified the Citrix Secure Hub on the device. If this value is set as False, an unknown source has modified the Citrix Secure Hub on the device.

  • SafetyNet last known status: This value shows the last know SafetyNet status of the device:

    • Success: The SafetyNet Attestation API found no evidence that an unknown source has modified the Citrix Secure Hub on the device.

    • LOCK_BOOTLOADER: The user must lock the bootloader of the device. An unknown source has modified the Citrix Secure Hub on the device.

    • RESTORE_TO_FACTORY_ROM: The user must restore the device to a clean factory ROM. An unknown source has modified the Citrix Secure Hub on the device.

Android SafetyNet
February 29, 2024
Contributed by: 
K C
February 29, 2024
Contributed by: 
K C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.