Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.11
  3. Administration
  4. Managing device features
  5. Enforcing compliance rules for devices
  6. Compliance profile settings
  7. Android: Compliance profile settings

Android
: Compliance profile settings

See Common: Compliance profile settings for descriptions of the possible actions if you select a compliance rule.
Android
: Compliance profile setting
Description 
Rooted OS or failed attestation
This setting creates a compliance rule that specifies the actions that occur if a user or attacker gains access to the root level of an 
Android
 device. A device is rooted when a user or attacker gains access to the root level of the 
Android
 OS. This rule applies to the rooted state of the device the 
UEM Client
, the 
BlackBerry Dynamics SDK
 or 
KNOX
 Attestation detects it.
If you select this setting, users will be unable to complete new activations for rooted devices, regardless of the enforcement action that you set. 
SafetyNet
 attestation failure
This setting creates a compliance rule that specifies the actions that occur if devices do not pass 
SafetyNet
 attestation.
When you use 
SafetyNet
 attestation, 
BlackBerry UEM
  sends challenges to test the authenticity and integrity of 
Android
 devices and apps in your organization's environment.
For these settings to take affect, you must enable the 
SafetyNet
 attestation feature in the management console under Settings > Attestation > 
SafetyNet
 attestation frequency.
For more information about configuring  
SafetyNet
 attestation, refer to the information in the Administration content. 
Non-assigned app is installed
This setting creates a compliance rule to ensure that devices do not have apps installed that were not assigned to the user.
When you select this setting and a non-assigned app is installed on an 
Android
 device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance is displayed.
For 
Android Enterprise
 and 
Samsung KNOX
 devices, users cannot install non-assigned apps in the work space. The enforcement actions do not apply.
This setting is not valid for devices activated with 
User privacy
.
Required app is not installed
This setting creates a compliance rule to ensure that devices have required apps installed.
When you select this setting and a required app is not installed on an 
Android
 device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance is displayed.
For 
Android Enterprise
 devices the enforcement actions do not apply.
For 
Samsung KNOX
 devices, required internal apps are automatically installed. The enforcement actions apply only to required public apps.
Restricted OS version is installed
This setting creates a compliance rule to ensure that devices do not have a restricted OS version installed as specified in this setting.
You can select the restricted OS versions.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set. 
Restricted device model detected
This setting creates a compliance rule to restrict device models as specified in this setting.
Possible values:
  • Allow selected device models
  • Do not allow selected device models
You can select the devices models that are allowed or restricted.
If you select this setting, users will be unable to complete new activations for devices that are not compliant, regardless of the enforcement action that you set. 
Device out of contact
This setting creates a compliance rule to ensure that devices are not out of contact with 
BlackBerry UEM
 for more than a specified amount of time.
The device verifies compliance with this rule and can delete work data, delete all data, or deactivate itself from 
BlackBerry UEM
 if it's out of compliance.
Last contact time
This setting specifies the number days a device can be out of contact with 
BlackBerry UEM
Required security patch level is not installed.
This setting creates a compliance rule to ensure that devices have required security patches installed as specified in this setting.
You can specify the device models and security patch dates. Devices running a security patch equal to or later than the specified security patch dates are considered compliant.
Enforcement action for BlackBerry Dynamics apps
This setting defines what happens with 
BlackBerry Dynamics
 apps when a device is not in compliance with the security patch level. Possible values:
  • Delete BlackBerry Dynamics app data
  • Do not allow BlackBerry Dynamics apps to run
  • None 
The default value is "Do not allow BlackBerry Dynamics apps to run”.
 After an upgrade, if you have previously created a compliance profiles with the ‘Required security patch level is not installed’ rule enabled, the value is set to ‘None’.
This setting is valid only for devices running 
Android
 6.0 and later.
This setting is valid only for the latest 
BlackBerry Dynamics
 apps.
BlackBerry Dynamics
 library version verification
This setting creates a compliance rule that allows you to select the 
BlackBerry Dynamics
 library versions that cannot be activated.
You can select the blocked library versions.
BlackBerry Dynamics
 connectivity verification
This setting creates a compliance rule to ensure that 
BlackBerry Dynamics
 apps are not out of contact with 
BlackBerry UEM
 for more than a specified amount of time. The enforcement action is applied to 
BlackBerry Dynamics
 apps.
Base connectivity interval on authentication delegate apps
This setting specifies that the connectivity verification is based on when an authentication delegate app connects to 
BlackBerry UEM
.
Last contact time
This setting specifies the number of days before the device must connect to 
BlackBerry UEM
.
Possible values:
  • 8 hours
  • 16 hours
  • 1 day
  • 2 days
  • 3 days
  • 7 days
  • 14 days
  • 30 days
  • 60 days
  • 90 days
  • 180 days
  • 365 days
Restricted app is installed
This setting creates a compliance rule to ensure that devices do not have restricted apps installed. To restrict apps, see Add an app to the restricted app list.
For 
Android Enterprise
 devices, users cannot install restricted apps in the work space. The enforcement actions do not apply.
For 
Samsung KNOX
 devices, restricted apps in the work space are automatically disabled. The enforcement actions do not apply.
This setting is not valid for devices activated with 
User privacy
.
When you select this setting and a restricted app is installed on an 
Android
 device, a warning message and a link is displayed on the Managed Devices tab. When you click the link, a list of applications that are putting the device out of compliance is displayed.
Password does not meet complexity requirements
This setting creates a compliance rule to ensure that the user has set device or work space passwords that meet the complexity requirements defined in the IT policy assigned to them.
Enforce compliance actions in the personal space
For 
Samsung KNOX
 devices, you can select this setting to prevent users from installing a restricted app in the personal space as well as the work space.