10-23-2019 02:47 PM - edited 09-15-2023 01:22 PM
Mobile Security FAQ
- Does mobile support mobile app distribution or Enterprise Mobility Management (EMM)?
Yes -- internal distribution of all ServiceNow mobile apps is supported through all major EMM vendors. Customers can pull the iOS or Android app from the Apple App Store or Google Play respectively, dynamically configure the app to point to the correct ServiceNow instance, and distribute it using the EMM app store. This way the MDM can fully manage the app by applying its corporate security policies. Mobile app distribution providers include:
- AirWatch
- BlackBerry
- Citrix
- Intune
- Jamf Pro
- IBM
- MobileIron
Customers can apply their corporate app protection policies to the ServiceNow mobile app either by using their EMM suite to distribute the app to managed devices, or by using our mobile app with an embedded MAM SDK for personal devices. Currently, ServiceNow only supports the Intune and BlackBerry SDKs.
Additional information on Enterprise Mobility Management (EMM) product documentation.
- What is App Config?
AppConfig is a standard approach for configuring mobile apps using key-value pairs, created by leading EMM providers such as MobileIron, SAP, IBM, VMware, and others. For more information on application configuration, please read your MDM product documentation. ServiceNow supports two app configurations:
- Pre-configure the default instance
- Change the default browser
- We are using a VPN tunnel from our MDM client but it requires a managed browser for authentication. How can we change the default browser for iOS (Safari) and Android (Chrome)?
When you distribute the app through an EMM suite or an embedded MAM SDK app, you can use App Config to pre-configure the default instance URL:

| Field | Description |
| --- | --- |
| Key | SNDefaultInstanceURL |
| Value | URL for your instance (e.g. https://instancename.service-now.com) |
Because ServiceNow uses AppAuth for authentication, the app uses the default OS browser: Safari on iOS and Chrome on Android. A customer may have a browser security requirement where their app protection policy only allows their MDM-managed browser or a specific browser. A common use case is support for per-app VPN.
| Platform | Key | Value | Browser |
| --- | --- | --- | --- |
| iOS | SNAuthenticationBrowseriOS | Safari | Apple Safari |
| iOS | SNAuthenticationBrowseriOS | Chrome | Google Chrome |
| iOS | SNAuthenticationBrowseriOS | Firefox | Mozilla Firefox |
| iOS | SNAuthenticationBrowseriOS | Edge | Microsoft Edge |
| iOS | SNAuthenticationBrowseriOS | WorkspaceOne | AirWatch VMWare Workspace ONE |
| iOS | SNAuthenticationBrowseriOS | WebAtWork | MobileIron Web @ Work |
| iOS | SNAuthenticationBrowseriOS | BlackBerry Access | BlackBerry |
| Android | SNAuthenticationBrowserAndroid | Chrome | Google Chrome |
| Android | SNAuthenticationBrowserAndroid | Firefox | Mozilla Firefox |
| Android | SNAuthenticationBrowserAndroid | Edge | Microsoft Edge |
| Android | SNAuthenticationBrowserAndroid | Samsung | Samsung Internet Browser |
| Android | SNAuthenticationBrowserAndroid | WorkspaceOne | AirWatch VMWare Workspace ONE |
| Android | SNAuthenticationBrowserAndroid | BlackBerry Access | BlackBerry |
Important notes:
- Keys are case sensitive
- AppConfig key-values are still supported on non-managed devices if the user installs the ServiceNow app with the MAM SDK.
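An added example (not ServiceNow's code) of how an EMM administrator could sanity-check an AppConfig payload before pushing it to devices: it enforces the case-sensitive key names, restricts the two browser keys to the values in the table above, and requires an https instance URL so the app is never pointed at a plaintext endpoint. The key names and accepted values are the ones this answer lists; the function name and the sample payloads are constructed for this example.

```python
"""Validate a ServiceNow AppConfig key/value payload before it is pushed through an EMM.

Added example, not ServiceNow's code. Key names and accepted values are the ones the
FAQ lists; the function name and the sample payloads below are constructed.
"""
from urllib.parse import urlparse

# Keys and their accepted values, exactly as listed in the FAQ (keys are case sensitive).
BROWSER_VALUES = {
    "SNAuthenticationBrowseriOS": {
        "Safari", "Chrome", "Firefox", "Edge", "WorkspaceOne", "WebAtWork", "BlackBerry Access",
    },
    "SNAuthenticationBrowserAndroid": {
        "Chrome", "Firefox", "Edge", "Samsung", "WorkspaceOne", "BlackBerry Access",
    },
}
INSTANCE_KEY = "SNDefaultInstanceURL"
KNOWN_KEYS = {INSTANCE_KEY, *BROWSER_VALUES}


def validate_appconfig(config: dict) -> list:
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    for key, value in config.items():
        if key not in KNOWN_KEYS:
            # Exact-match lookup: a case variant such as "sndefaultinstanceurl" is rejected
            # here because the app would silently ignore it.
            hint = next((k for k in KNOWN_KEYS if k.lower() == key.lower()), None)
            suffix = f" (did you mean {hint!r}?)" if hint else ""
            problems.append(f"unknown key {key!r}{suffix}")
            continue
        if key == INSTANCE_KEY:
            parsed = urlparse(value)
            # Require https with a host so the pre-configured instance is never a cleartext URL.
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{INSTANCE_KEY} must be an https URL, got {value!r}")
        elif value not in BROWSER_VALUES[key]:
            accepted = sorted(BROWSER_VALUES[key])
            problems.append(f"{key}: {value!r} is not an accepted browser; accepted: {accepted}")
    return problems


# Constructed sample payloads (instance name is a placeholder).
GOOD_CONFIG = {
    "SNDefaultInstanceURL": "https://instancename.service-now.com",
    "SNAuthenticationBrowseriOS": "Edge",
    "SNAuthenticationBrowserAndroid": "Edge",
}
BAD_CONFIG = {
    "sndefaultinstanceurl": "http://instancename.service-now.com",  # wrong case, and plaintext
    "SNAuthenticationBrowseriOS": "Brave",                            # not an accepted value
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_appconfig(cfg) or "ok")
```

Run it before uploading a policy; an unknown-key report with a case hint is the usual sign that a key was retyped by hand rather than copied from the table.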
- How to add custom ServiceNow Mobile apps to Intune SDK?
When creating an app configuration policy, Intune requires the IDs of the ServiceNow apps. Below is the list of IDs:

| Platform | App | ID |
| --- | --- | --- |
| iOS (Bundle ID) | ServiceNow Agent for Intune | com.servicenow.intune.fulfiller |
| iOS (Bundle ID) | Now Mobile for Intune | com.servicenow.intune.requestor |
| iOS (Bundle ID) | ServiceNow Onboarding for Intune | com.servicenow.intune.onboarding |
| Android (Package Name) | ServiceNow Agent for Intune | com.servicenow.fulfiller.mam.intune |
| Android (Package Name) | Now Mobile for Intune | com.servicenow.requestor.mam.intune |
| Android (Package Name) | ServiceNow Onboarding for Intune | com.servicenow.onboarding.mam.intune |
- How do we block ServiceNow apps that are not using the Intune version?
For managed devices, create a device restriction policy to block a list of unapproved apps. https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure
For BYOD, create a conditional access policy to allow specific apps.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
For additional access control features and DLP functionalities, please review your MDM documentation.
- Where can I learn more about Intune?
Best practices from Microsoft:
Microsoft training: Protect Identity and Access with Azure Active Directory
Microsoft training: Manage Identity & Access with Azure Active Directory
Microsoft training: Manage Identities & Governance in Azure
Microsoft training: Manage your Enterprise Deployment with Microsoft 365
Microsoft training: Manage Devices using Microsoft Intune (MDM)
Microsoft training: Manage Devices using Microsoft Intune (MAM)
Best practice doc for supporting Mobile SSO and Intune app protection policies
- How to enable BlackBerry Authentication Setup?
In order to use BlackBerry's managed browser in the ServiceNow app, you must do the following in the BlackBerry Access portal:
Go to Apps and add BlackBerry Access.
Open BlackBerry Access and click on “App Config With Default Values” (on the BlackBerry Dynamics tab)
Check “Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access”
Check “Enable 3rd Party Applications”
Add these values with no space: "snappauth,snempappauth" and save
- What is mobile device management (MDM)?
Mobile devices are commonly used in the workplace. In order for corporations to protect their data and network, they use MDM software to enable IT admins to control, secure, and enforce policies on mobile devices.
Some MDM abilities include:
- Remote device wipe
- Jailbreak detection
- PIN/password enforcement
- Device enrollment
- What is mobile application management (MAM)?
Companies that allow employees to bring their own device (BYOD) implement a MAM approach. MAM enables IT admins to secure and enforce policies on the specific app that accesses corporate data.
Some MAM abilities include:
- Remote wipe app data (personal data will not be impacted)
- Per-app VPN
- Data-loss-prevention (DLP)
- Data-at-rest encryption
- Data-in-motion encryption
- Can the application and data be remote wiped?
Only if the application is managed by MDM.
- What are the different ways to distribute mobile apps to enterprise users?
- Direct download from Apple’s App Store or Google Playstore
- Internal MDM app store or pushed onto user’s corporate-owned device(s) if the app is registered with MDM
To see all possible ways of mobile distribution, please see the MDM/MAM diagram.
- What does ServiceNow not allow for MDM/MAM?
- ServiceNow does not provide the iOS file (.ipa) directly to the customer. To be compliant with Apple’s developer license, 3rd party vendors are required to submit and distribute their app(s) through Apple’s app stores only.
- ServiceNow does not currently allow customer modification (embedding SDK or app wrapping) of the original app.
- Does mobile support platform authentication?
Yes -- ServiceNow mobile apps support platform authentication using OAuth 2.0. User authentication supports:
- Multi Provider SSO
- Multifactor authentication
- LDAP
- Local DB
- Digest
- Storage & keychain
- Session length & timeouts
- User termination
Additional information on User Authentication for ServiceNow Mobile product documentation.
- What are all available security practices for Mobile?
Mobile security practices include mobile-specific system properties, attachment control, password reinforcement, security patching, and controlling shared data.
In the event that security patching is needed, the mobile development teams align with standard SDLC practices in order to patch.
- Have the mobile clients been thoroughly assessed by an independent 3rd party security organization (e.g. PEN Test)?
Yes, ServiceNow uses Praetorian for penetration testing.
To get access to this report, make a request via ServiceNow CORE.
- For mobile are there any security controls that I need to configure?
Yes -- you can configure security controls to restrict copy/paste, enforce PIN, or block attachment functionality for Mobile Agent or Now Mobile.
Additional information on Mobile Security Practices product documentation.
- Can I restrict attachments on Mobile?
Yes -- you can use ACLs to block specific access to attachments on ServiceNow mobile.
Additional information on Mobile Security Practices product documentation.
- How does ServiceNow support data-loss-prevention policies?
Restrict content
- Restrict copy/paste
- Pin/Password reinforcement
- Block Attachments from Mobile
Secure mobile traffic
- Data is secured over an SSL/TLS channel (HTTPS).
Encrypt data
- Application preference data such as favorites, home screen, and the mobile navigator items are stored and cached locally on the device. The mobile app does not store record data such as incidents, problems, etc. on the device unless the organization has specifically enabled offline syncing for Field Services. In that case, when offline is enabled, the record data is encrypted with AES 256.
- Do mobile clients collect any user data?
The mobile app does not specifically collect any user data.
Any user transactions or usage within the app are tracked on the ServiceNow instance just as they are on the web. For user credentials, after a user logs in, the mobile app negotiates an OAuth token that is stored in the Apple Keychain or the Android Keystore. User credentials are never saved. If the user opts in, the following information is collected:
- Location
- Access to camera
- Notifications
- Is there any sensitive data that gets stored in cookies by the mobile clients?
No
- Are sensitive fields such as credentials marked as secure so they are not cached in plaintext on the device or transmitted insecurely to an unauthorized party?
Yes
- How do I create a QR code and use it for mobile login?
You can create and use a QR code containing JSON to provide a method for your users to log in with pre-defined parameters.
Refer to Create a QR code for Mobile Login product documentation.
- Can I control and configure mobile app session timeout?
Yes -- the native mobile apps time out after a certain amount of inactivity. Sessions are considered active if the app is in the foreground or if the app is processing a long running task in the background.
Refer to Mobile App Session Timeout product documentation to configure the length of time it takes for the app to time out.
- Can I restrict users from downloading the Mobile Classic app?
If devices are managed, MDM can create a blacklist to block installs. If following a bring-your-own-device (BYOD) policy, the instance can be restricted using IP restriction. You can also define roles to restrict mobile access.
- Does Mobile Classic have all the same security controls as Mobile Agent & Now Mobile?
No -- Mobile Classic predates the technology used in the new mobile apps and does not contain all the security controls that are available in them, such as data-loss-prevention controls.
- Can I access an instance on a mobile device web browser instead of inside the native app?
Yes -- you can access an instance anywhere using your mobile device.
Additional information on Accessing an Instance on a Mobile Device Web Browser product documentation.
- Is it possible to block certain web browsers on the mobile device?
Mobile Agent, Now Mobile, and Mobile Onboarding require SFAuthenticationSession, which in turn requires Safari/Chrome access. However, it is possible to allow Safari/Chrome while blocking users from accessing the instance via a web browser, so that they reach it only through Service Portal in the native mobile app.
This configuration will allow you to redirect any users on a browser to a web page of your choosing.
*Refer to KB0750275 -- this KB explains how to block mobile browsers like Safari but allow portal on ServiceNow mobile apps
- How do IP restrictions affect mobile?
For IP restricted instances, mobile will need an IP from either:
- using a VPN client or by using app tunneling via MDM SDK
- using adaptive authentication policy framework
- Does mobile support multi-factor authentication (MFA)?
Yes -- refer to Multi-factor Authentication product documentation to learn how to enable MFA on an instance by user or role.
- Enable MFA for high privileged roles
- Tested third-party authenticators with MFA
- Does ServiceNow mobile solution support FedRAMP environment?
Yes -- mobile platform supports FedRAMP environment.
- Mobile GCC Compliance
- Does mobile support domain separation?
Yes -- mobile platform supports domain separation.
- Domain separation for mobile
- Are credentials stored in iOS Keychain or Android Keystore for mobile?
No user credentials or record data are stored -- only OAuth tokens are stored in the Keychain/Keystore.
- What is the data protection of local data stored by the app on the device?
ServiceNow mobile apps have "complete" data protection (The file is accessible only when the device is locked)
Refer to Apple Developer site for more information.
- Are biometrics supported for mobile apps?
Wherever PIN can be invoked -- our mobile apps will support TouchID and FaceID if your mobile device supports it.
To enable this please refer to PIN enforcement product documentation.
*Note that this is not for authentication; this is just a device security feature when your mobile app goes into the background, and only if your mobile phone allows for biometrics.
- If cloud storage backup (iCloud, Google Drive, etc) is enabled, will record data be stored in the cloud?
No -- record data will not be stored.
- Are ServiceNow Mobile apps protected against reverse engineering through industry-standard techniques (e.g. code obfuscation, encryption, etc)?
Yes -- we follow OWASP for secure code development. Data at rest is AES 256 encrypted and data in motion uses TLS. For Android, we use ProGuard for jailbreak detection, which does the following:
- Optimizes the bytecode
- Removes unused code instructions
- Obfuscates the remaining classes, fields, and methods with short names
- The obfuscated code makes the APK difficult to reverse engineer.
For root detection -- if we see a system property that states to disallow root, we use a library to try to determine if the device is rooted: https://github.com/scottyab/rootbeer
If the property is set and the library thinks the device is rooted, then we log the user out of the app.
- Do the mobile clients implement any anti-tampering techniques to deter or increase the amount of time it takes for an attacker to breach the apps?
No
- Can RSA secure tokens be used for MFA with Mobile?
We do not support RSA secure tokens for MFA natively in the platform, but this will be addressed in future releases.
- When the device goes offline to cache data -- when is the cache cleared?
The expiration defaults to 48 hours on the instance but can be customized. When the offline cache expires, it is deleted while the app is running; if it expires while the app is not running, the cache is deleted upon the next app launch.
- What data is stored in the cache and where is it stored?
Offline record data and user preferences like favorites are stored on the filesystem.
- Can we use certificate-based authentication or Kerberos?
Officially they are not supported.
- Our instance is IP restricted, how can mobile access the instance?
The devices will either need a VPN client or use adaptive authentication policies and contexts to restrict access to your instance for users and APIs based on criteria like IP address, user role, and user group.
- Will mobile support on-premise instances?
Yes, but it may require a VPN client if it's behind a firewall, and push notifications will not work.
- If the mobile clients utilize SMS/MMS/Push Notification services, does the application only send user-agnostic information?
Push notifications can be configured to contain user-specific or user-agnostic information.
It is up to the administrator to enable/disable the out-of-the-box notifications, or create their own, as needed.
- Are event log monitoring controls in place to monitor access and events by all users?
No client event logging is implemented.
Mobile analytics events are recorded for some interactions, but there is no activity monitoring. Learn more about User Experience Analytics.
- Can we block specific apps to our instance? For example, allow Mobile Agent with Intune SDK only.
Yes. To support your organization's authentication policies, admins can control which mobile apps can log in to ServiceNow instances. By configuring a system property, admins create an allow list of mobile apps that can connect to ServiceNow instances; apps not on the allow list are blocked.
- Is certificate pinning supported?
Certificate pinning is not supported because our mobile app supports many different cloud-hosted and on-premise customers. ServiceNow's on-prem customers provision ServiceNow instances with their own TLS certificates, so embedding certificate pin logic within the app would break those customers. Because of this, we are unable to ship the app with certificate pinning implemented. A different countermeasure to the person-in-the-middle threat is to rely on the TLS validation mechanisms of the mobile platform. In this case, the attacker would need to trick the user into bypassing several warnings to install a new certificate authority on the device, or compromise a well-known certificate authority, before a person-in-the-middle attack could be leveraged.
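The answer relies on the platform's CA validation rather than an embedded pin, and on Android the matching policy (trust only the system CA store, never a user- or admin-installed CA, and refuse cleartext) can be declared explicitly in the app's Network Security Config. The file below is an added example written for this FAQ, not a file from the ServiceNow apps; the resource path in the comment is the conventional one.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on the <application> element. -->
<network-security-config>
    <!-- Trust only the CAs shipped by the device OEM for every connection the app makes.
         On API level 24 and later this is already the default; declaring it keeps the policy
         visible in code review and survives a later change of the default. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Weak variant, shown commented out for contrast: adding src="user" would make a CA that
         a person was socially engineered into installing a valid issuer for the app's TLS sessions,
         which is exactly the interception path the answer above describes. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->
</network-security-config>
```

A `debug-overrides` element can re-enable user CAs for debuggable builds only, which is the usual way to keep traffic inspection possible in development without loosening the release build.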
On Android, our mobile app leverages additional behavior introduced in Android API Level 24 where our app does not trust user or admin-added CAs for secure connections by default. This means that our application will only trust the standard CAs installed by the Android device OEM, and not one installed by a malicious actor through social engineering.
- If we find a vulnerability with ServiceNow mobile apps, how do we report it?
If a customer discovers a vulnerability, they can submit the finding in the Security Findings tracker for each vulnerability identified. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1048209
If the vulnerability requires immediate attention, customers will need to submit a case with P1 priority in order for our engineers to investigate/fix.
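The FAQ states that the apps authenticate with OAuth 2.0 through AppAuth in the system browser, keep only the resulting token in the Keychain/Keystore, and hand control back to the app after the browser leg completes. The block below is an added example, not code from ServiceNow or the AppAuth project, of the authorization-code flow with PKCE that AppAuth performs; it shows why a code that comes back through the redirect is useless to any other app on the device and cannot be replayed. The authorization server is an in-memory stand-in, and `CLIENT_ID`, `REDIRECT_URI` and the token format are constructed values.

```python
"""Authorization-code flow with PKCE, the exchange AppAuth drives through the system browser.

Added example, not code from ServiceNow or the AppAuth project. The authorization
server is an in-memory stand-in; CLIENT_ID, REDIRECT_URI and the token format are
constructed values, not the real app's.
"""
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple:
    """App side: a fresh high-entropy verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))            # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    """Stand-in for the instance's OAuth endpoints; remembers which challenge each code is bound to."""

    def __init__(self) -> None:
        self._pending = {}   # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id: str, redirect_uri: str, challenge: str) -> str:
        # In the real flow the user authenticates in the browser here (SSO, MFA, ...); on
        # success a one-time code travels back to the app through the redirect URI.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, redirect_uri, challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, verifier: str) -> Optional[str]:
        entry = self._pending.pop(code, None)             # one-time use: a replayed code fails
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return None
        # Only the process that generated the verifier can reproduce the stored challenge,
        # so a code caught by another app on the device cannot be redeemed.
        expected = b64url(hashlib.sha256(verifier.encode()).digest())
        if not secrets.compare_digest(expected, challenge):
            return None
        return b64url(secrets.token_bytes(24))            # the token the app keeps in Keychain/Keystore


CLIENT_ID = "example-mobile-client"            # constructed
REDIRECT_URI = "example-app://oauth/callback"  # constructed custom-scheme redirect


def login_with_pkce(server: AuthorizationServer) -> Optional[str]:
    """The legitimate app: browser leg, then code redemption once the redirect returns control."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge)
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def code_without_verifier_is_rejected(server: AuthorizationServer) -> bool:
    """A code taken from the redirect but redeemed without the matching verifier yields no token."""
    _, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge)
    other_verifier, _ = make_pkce_pair()   # any value other than the original verifier
    return server.token(CLIENT_ID, REDIRECT_URI, code, other_verifier) is None


def replayed_code_is_rejected(server: AuthorizationServer) -> bool:
    """A code that was already redeemed cannot be redeemed a second time."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge)
    first = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    second = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("token issued:", login_with_pkce(srv) is not None)
    print("code without verifier rejected:", code_without_verifier_is_rejected(srv))
    print("replayed code rejected:", replayed_code_is_rejected(srv))
```

The redirect step is the point where an MDM policy that only lets data flow between managed apps can interrupt the flow: if the browser is managed and the ServiceNow app is not, the code never reaches the app, which is the symptom discussed in the comments below.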
Regarding item #32
We are in a similar situation where we require a managed browser to access our instances. We leverage Intune for MDM, Azure SSO for authentication, and Edge as our managed browser. We configure the app in Intune as suggested above. But when the mobile app re-directs to Edge, the browser starts to re-direct to the Microsoft page for authentication, but just stops and never loads. Any suggestions?
After successful authentication in the managed browser, is it supposed to re-direct to the mobile app?
Hi John,
That is the correct behavior where after successful authentication from external browser, it will pass control back to ServiceNow mobile app.
Are you still having this issue?
Hi John, Fu
Did this resolve? I have the same exact problem both on iOS and Android devices. As part of the troubleshooting steps we removed all MDM policies and it worked for both iOS and Android; however, the moment we re-introduce MDM policies we go back to the exact same problem you described. Any suggestions please.

Our MDM policies only allow data to be passed between managed apps. When I first tried this, I was using the standard mobile app. Once I moved to the Intune-managed version, it started working. Now that it’s managed by our MDM, it can accept the verification from Edge.
Hopefully that helps. Let me know if you have any other questions.
Thank you John, this helps
https://hi.service-now.com/kb_view.do?sysparm_article=KB0688475

In regards to item 26, could you provide more details about the App Tunneling options in a scenario where we are using MS Intune?
Thanks

Is Mobile Publishing required for using MDM?
Our instance is an on-prem/self-hosted instance. So when we are trying to log in to the Now Mobile or Agent app from Android devices in particular, we are getting an error "Error loggin". When I click on "learn more" it shows "SSLHandshakeException". Please refer to the picture.