IBM MaaS360

Strengthening Android Security with Enhanced Attestation Support in IBM MaaS360

By Rajneesh Dwivedi posted 2 days ago

  

Authors: @Rajneesh Dwivedi and @Vanshika Kuchhal

Introduction

With the rise of mobile threats, maintaining the security and trustworthiness of Android devices is more important than ever. IBM MaaS360 has long supported Attestation, a Google-backed security feature that verifies the integrity of Android devices. Recent enhancements to this capability in MaaS360 allow IT administrators to take more granular control, enforce compliance, and integrate attestation signals more effectively into their security policies.

What Is Attestation?

Attestation helps verify whether an Android device and the apps running on it are genuine and untampered. It assesses:

  • Whether the device is rooted or compromised
  • Whether the app’s binary has been modified
  • Whether the device is running genuine Google Play services

These checks enable organizations to detect high-risk devices and ensure that only secure endpoints access corporate resources.

Why Attestation Matters for MaaS360 Users

  • Deeper Device Trust Insights – Access real-time integrity signals directly within the MaaS360 device view.
  • Advanced Policy Enforcement – Use Attestation results to drive security and compliance actions.
  • Better Protection for Sensitive Apps – Ensure apps operate only in secure environments.
  • Alignment with Zero Trust Principles – Reinforce a Zero Trust strategy by validating device trust.

Key Use Cases

  • Prevent Access from Rooted or Tampered Devices – Detect and remediate compromised devices.
  • Secure Enterprise App Usage – Limit or disable functionality on failing devices.
  • Strengthen Multi-Layered Security – Combine Attestation with MaaS360’s risk engine for strong trust validation.

How to Configure and Use Attestation in IBM MaaS360

Enable Attestation During Device Enrollment

Control when and how device attestation is performed during onboarding:

  • Log into the MaaS360 Portal.
  • Go to Setup > Settings.
  • Under Directory & Enrollment, select Advanced Enrollment Settings.
  • In Device Attestation, choose the desired Security Level (Strong, Medium, Basic).
  • Optionally, enable Attestation checks during device enrollment.

Understanding Attestation Security Levels

Attestation Setting Android OS 13 & Above Android OS 12 & Below
Strong
  • Play Protect Certified.
  • Locked Bootloader.
  • Certified OS.
  • Security update within the last year.
  • Runs Google Play Services.
  • Strong hardware-backed proof of boot integrity.
Medium
  • Play Protect Certified.
  • Locked Bootloader.
  • Certified OS.
  • Runs Google Play Services.
  • Locked Bootloader.
  • Certified OS.
Basic
  • Device is a physical device, not an emulator (does not ensure bootloader status or Play Protect certification).
  • Basic System Integrity (Unrecognized bootloader & Lack of Manufacturer Certification).

Set Attestation Frequency via MDM Policies

Manage how often devices perform attestation checks:

  • Navigate to Security > Policies.
  • Select your MDM policy.
  • Go to Security > Device Security.
  • Enable Device Attestation.
  • Choose a frequency: Twice a day, Once a day, Once in two days, Once a week.
  • Publish the policy and apply it to targeted devices.

Define Enforcement Rules for Attestation Failures

Trigger automatic actions when devices fail integrity checks:

  • Navigate to Security > Compliance Rules.
  • Create or modify a rule.
  • Enable: “Jailbroken (iOS) or Rooted (Android) or Health Attestation Failed (Windows) Devices”.
  • Choose enforcement actions: Alert, Selective Wipe, Full Wipe, Change Policy, Hide Device.

View Attestation Failure Details

With the latest MaaS360 updates, IT admins can now view detailed reasons for attestation failures directly from the device summary page.

Understanding Attestation Failure Reason

Attestation Failure Reason | Cause of Failure
Device Check Failed due to Security Level Mismatch | This occurs when the device doesn't meet the organization's security requirements. For example, if attestation is set to "Strong" and the device runs Android 13+ without a security patch from the past year, the check will fail.
Other Reasons | Other attestation failures may occur due to token decryption issues, corrupted responses, device integrity checks failing, agent package or certificate mismatches, or missing/unevaluated values.
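
To make the failure reasons above concrete, the following added example (not MaaS360 code and not from the original post) grades an already-decoded Play Integrity verdict against a required level and reports why it fails. It assumes that Strong, Medium and Basic correspond to the Play Integrity labels MEETS_STRONG_INTEGRITY, MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY; the package name, certificate digest and sample payload are constructed placeholders.

```python
# Added example, not MaaS360 code. The level-to-label mapping is an assumption;
# the package name and certificate digest are constructed placeholders.
REQUIRED_LABEL = {
    "Strong": "MEETS_STRONG_INTEGRITY",
    "Medium": "MEETS_DEVICE_INTEGRITY",
    "Basic": "MEETS_BASIC_INTEGRITY",
}
EXPECTED_PACKAGE = "com.example.mdm.agent"      # hypothetical agent package
EXPECTED_CERT = "CONSTRUCTED-SHA256-DIGEST"     # placeholder, not a real digest


def evaluate(verdict, level):
    """Return the list of failure reasons; an empty list means the check passed."""
    reasons = []
    app = verdict.get("appIntegrity") or {}
    device = verdict.get("deviceIntegrity") or {}

    # Missing or unevaluated values fail closed instead of passing silently.
    if app.get("appRecognitionVerdict") in (None, "UNEVALUATED"):
        reasons.append("app verdict missing or unevaluated")
    # The verdict must describe the enrolled agent, signed with the expected key.
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("agent package mismatch")
    if EXPECTED_CERT not in (app.get("certificateSha256Digest") or []):
        reasons.append("agent certificate mismatch")

    labels = device.get("deviceRecognitionVerdict")
    if labels is None:
        reasons.append("device verdict missing")
    elif REQUIRED_LABEL[level] not in labels:
        # The device reported some integrity labels, but not the required one.
        reasons.append("security level mismatch")
    return reasons


# Constructed sample of a decoded verdict payload (not captured from a device).
SAMPLE = {
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": EXPECTED_PACKAGE,
        "certificateSha256Digest": [EXPECTED_CERT],
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]
    },
}

if __name__ == "__main__":
    for level in REQUIRED_LABEL:
        print(level, evaluate(SAMPLE, level) or "pass")
```

The same device passes at Basic and Medium but fails at Strong, which is the security level mismatch case from the table; an empty payload fails on every check rather than being treated as a pass.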

Conclusion

While Attestation has been a foundational feature in IBM MaaS360, its enhanced integration and configurability now allow organizations to better enforce device integrity, prevent access from risky endpoints, and ensure secure app execution. These improvements align MaaS360 with modern enterprise security needs — providing a flexible, policy-driven, and zero trust–ready approach to Android device management.

Reference

MaaS360 Documentation - https://www.ibm.com/docs/en/maas360?topic=security-understanding-device-attestation-verdict

Google Documentation - https://developer.android.com/google/play/integrity/improvements
