Mobile Security FAQ

Mobile Security FAQ

1. Does mobile support mobile app distribution or Enterprise Mobility Management (EMM)?
   Yes -- internal distribution of all ServiceNow mobile apps are supported through all major EMM vendors. Customers are able to pull the iOS or Android app from the Apple App Store and Google Play respectively, dynamically configure the apps to point to the correct ServiceNow instance and distribute using the EMM App Store. This way, the MDM can fully manage the app by applying its corporate security policies. Mobile app distribution providers include: 
   - AirWatch 
   - BlackBerry 
   - Citrix 
   - Intune 
   - Jamf Pro 
   - IBM 
   - MobileIron 
   
   Customers can apply their corporate app protection policies to ServiceNow mobile app by either using their EMM suite to distribute ServiceNow mobile app to managed devices or use our mobile app with an embedded MAM SDK for personal devices. Currently, ServiceNow only supports Intune and BlackBerry SDKs.
   
   Additional information on Enterprise Mobility Management (EMM) product documentation.
   
   
2. What is App Config?
   AppConfig is a standard approach for configuring mobile app using key-value pairs created by leading EMM providers like MobileIron, SAP, IBM, VMWare, and more. For more information on application configuration, please read your MDM product documentation. ServiceNow supports two app configurations:
   - Pre-configure the default instance
   - Change the default browser
   
   
3. We are using VPN tunnel from our MDM client but it requires a manager browser for authentication. How can we change the default browser for iOS (Safari) and Android (Chrome)?
   
   When you distribute the app through an EMM suite or an embedded MAM SDK app, you can use App Config to pre-configure the default instance URL
   
   

   Field	Description
   Key	SNDefaultInstanceURL
   Value	URL for you instance (ex: https://instancename.service-now.com)

    

   Change the default browser:
   
   Because ServiceNow uses AppAuth for authentication, the app will use the default OS browser. For iOS, it uses Safari while Android uses Chrome. A customer may have browser security requirement where their app protection policy only allows their MDM managed browser or a specific browser. A common use case is the support for per-app VPN.
   
   

   Field	Key	Value	Browser
   iOS	SNAuthenticationBrowseriOS	Safari Chrome    Firefox Edge WorkspaceOne WebAtWork BlackBerry Access	Apple Safari Google Chrome Mozilla Firefox Microsoft Edge AirWatch VMWare Workspace ONE MobileIron Web @ Work BlackBerry
   Android	SNAuthenticationBrowserAndroid	Chrome    Firefox Edge Samsung WorkspaceOne BlackBerry Access	Google Chrome Mozilla Firefox Microsoft Edge Samsung Internet Browser AirWatch VMWare Workspace ONE BlackBerry

   
   

   Important notes:

   - Keys are case sensitive

   - AppConfig key-values are still supported for non-managed devices if the user installs ServiceNow app with MAM SDK.

4.  How to add custom ServiceNow Mobile apps to Intune SDK?
   
   When creating an app configuration policy, Intune will require the id of ServiceNow apps. Below is the list of ids:
   
   

   iOS	Bundle ID
   ServiceNow Agent for Intune	com.servicenow.intune.fulfiller
   Now Mobile for Intune	com.servicenow.intune.requestor
   ServiceNow Onboarding for Intune	com.servicenow.intune.onboarding
   Android	Package Names
   ServiceNow Agent for Intune	com.servicenow.fulfiller.mam.intune
   Now Mobile for Intune	com.servicenow.requestor.mam.intune
   ServiceNow Onboarding for Intune	com.servicenow.onboarding.mam.intune

   
   
   
5. How do we block ServiceNow apps that are not using the InTune version?
   For managed devices, create a device restriction policy to block a list of unapproved apps. https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure
   
   For BYOD, create a conditional access policy to allow specific apps.
   https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
   
   For additional access control features and DLP functionalities, please review your MDM documentation. 
   
   
6. Where can I learn more about Intune?
   Best practices from Microsoft:
   
   Microsoft training: ​Protect Identity and Access with Azure Active Directory
   Microsoft training: Manage Identity & Access with Azure Active Directory
   Microsoft training: Manage Identities & Governance in Azure
   Microsoft training: Manage your Enterprise Deployment with Microsoft 365
   Microsoft training: Manage Devices using Microsoft Intune (MDM)
   Microsoft training: Manage Devices using Microsoft Intune (MAM)
   Best practice doc for supporting Mobile SSO and Intune app protection policies
   
   
7. How to enable BlackBerry Authentication Setup?
   In order to use BlackBerry’s managed browser in ServiceNow app, you must do the following in BlackBerry Access portal:
   
   Go to Apps and add BlackBerry Access.
   Open BlackBerry Access and click on “App Config With Default Values” (on the BlackBerry Dynamics tab)
   Check “Allow external apps to open HTTP/HTTPS URLs through BlackBerry Access”
   Check “Enable 3rd Party Applications”
   Add these values with no space: “snappauth,snempappauth” and save
   
   
8. What is mobile device management (MDM)?
   Mobile devices are commonly used in the work space. In order for corporations to protect their data and network, they use MDM software to enable IT admins to control, secure, and enforce policies on mobile devices. 
   
   Some MDM abilities include:
   - Remote device wipe
   - Jailbreak detection
   - PIN/password enforcement
   - Device enrollment
   
   
9. What is mobile application management (MAM)?
   Companies that allow employees to bring their own device (BYOD), implement a MAM approach. MAM enables IT admins to secure and enforce policies on the specific app that accesses corporate data.  ​
   
   Some MAM abilities include:
   - Remote wipe app data (personal data will not be impacted)
   - Per-app VPN
   - Data-loss-prevention (DLP)
   - Data-at-rest encryption
   - Data-in-motion encryption
   
   
10. Can the application and data be remote wiped?
    Only if the application is managed by MDM.
    
    
11. What are the different ways to distribute mobile apps to enterprise users?
    - Direct download from Apple’s App Store or Google Play​store
    - Internal MDM app store or pushed onto user’s corporate-owned device(s) if the app is registered with MDM​
    
    To see all possible ways of mobile distribution, please see the MDM/MAM diagram.​
    
    
12. What does ServiceNow not allow for MDM/MAM?
    - ServiceNow does not provide the iOS file (.ipa) directly to the customer. To be compliant with Apple’s developer license, 3rd party vendors are required to submit and distribute their app(s) through Apple’s app stores only.
    - ServiceNow does not currently allow customer modification (embedding SDK or app wrapping) of the original app.
    
    
13. Does mobile support platform authentication?
    Yes -- ServiceNow mobile apps support platform authentication using OAuth 2.0. User authentication supports:
    - Multi Provider SSO
    - Multifactor authentication
    - LDAP
    - Local DB
    - Digest
    - Storage & keychain
    - Session length & timeouts
    - User termination
    
    Additional information on User Authentication for ServiceNow Mobile product documentation.
    
    
14. What are all available security practices for Mobile?
    Mobile security practices include mobile-specific system properties, attachment control, password reinforcement, security patching, and controlling shared data.
    
    In the event that a security patching is needed, the mobile development teams align with standard SDLC properties in order to patch.
    
    
15. Have the mobile clients been thoroughly assessed by an independent 3rd party security organization (e.g. PEN Test)?
    Yes, ServiceNow uses Preatorian for a penetration test
    
    To get access to this report, make a request via ServiceNow CORE
    
    
16. For mobile are there any security controls that I need to configure?
    Yes -- you can configure security controls to restrict copy/paste, enforce PIN, or block attachment functionality for Mobile Agent or Now Mobile.
    
    Additional information on Mobile Security Practices product documentation.
    
    
17. Can I restrict attachments on Mobile?
    Yes -- you can use ACLs to block specific access to attachments on ServiceNow mobile.
    
    Additional information on Mobile Security Practices product documentation.
    
    
18. How does ServiceNow support data-loss-prevention policies?
    Restrict content
    - Restrict copy/paste​
    - Pin/Password reinforcement​
    - Block Attachments from Mobile
    
    Secure mobile traffic
    - Data is secured over SSL/TLS channel and encrypted with HTTPS.
    
    Encrypt data
    - Application preference data such as favorites, home screen, and the mobile navigator items are stored and cached locally on the device. The mobile app does not store record data such as incidents, problems, etc. on the device unless the organization has specifically enabled offline syncing for Field Services. In this case when offline is enabled, the record data is encrypted with AES 256.
    ​
19. Do mobile clients collect any user data?
    The mobile app does not specifically collect any user data.
    
    Any user transactions or usage within the app is tracked on the ServiceNow instance just as it is on the web. For user credentials, after a user logs in, the mobile app negotiates an OAuth Token that is stored in the Apple Keychain or the Android Keystore. User credentials are never saved. If the user opts in, the following information is collected:
    - Location
    - Access to camera
    - Notifications
    
    
20. Is there any sensitive data that gets stored in cookies by the mobile clients?
    No
    
    
21. Are sensitive fields such as credentials marked as secure so they are not cached in plaintext on the device or transmitted insecurely to an unauthorized party?
    Yes
    
    
22. How do I create a QR code and use it for mobile login?
    You can create and use a QR code containing JSON to provide a method for your users to log in with pre-defined parameters.
    
    Refer to Create a QR code for Mobile Login product documentation.
    
    
23. Can I control and configure mobile app session timeout?
    Yes -- the native mobile apps time out after a certain amount of inactivity. Sessions are considered active if the app is in the foreground or if the app is processing a long running task in the background.
    
    Refer to Mobile App Session Timeout product documentation to configure the length of time it takes for the app to time out.
    
    
24. Can I restrict users from downloading the Mobile Classic app?
    If devices are managed, MDM can create a blacklist to block installs. If following bring-your-own-device policy (BYOD), instance can be restricted using IP restriction. You can also define roles to restrict mobile access.
    
    
25. Does Mobile Classic have all the same security controls as Mobile Agent & Now Mobile?
    No -- Mobile Classic predates technology available since new mobile apps and does not contain all the security controls that are available in new mobile apps such as data-loss-prevention controls.
    
    
26. Can I access an instance on a mobile device web browser instead of inside the native app?
    Yes -- you can access an instance anywhere using your mobile device.
    
    Additional information on Accessing an Instance on a Mobile Device Web Browser product documentation.
    
    
27. Is it possible to block certain web browsers on the mobile device?
    Mobile Agent, Now Mobile, and Mobile Onboarding require SFAuthenticationSession, which also require Safari/Chrome access. However, it is possible to enable Safari/Chrome and block users from being able to access the instance via a web browser and instead only through Service Portal on the native mobile device.
    
    This configuration will allow you to redirect any users on a browser to a web page of your choosing.
    
    *Refer to KB0750275 -- this KB explains how to block mobile browsers like Safari but allow portal on ServiceNow mobile apps
    
    
28. How does IP restrictions affect mobile?
    For IP restricted instances, mobile will need an IP from either:
    - using a VPN client or by using app tunneling via MDM SDK
    - using adaptive authentication policy framework
    
    
29. Does mobile support multi-factor authentication (MFA)?
    Yes -- refer to Multi-factor Authentication product documentation to learn how to enable MFA on an instance by user or role.
    - Enable MFA for high privileged roles
    - Tested third-party authenticators with MFA
    
    
30. Does ServiceNow mobile solution support FedRAMP environment?
    Yes -- mobile platform supports FedRAMP environment.
    - Mobile GCC Compliance
    
    
31. Does mobile support domain separation? 
    Yes -- mobile platform supports domain separation.
    - Domain seperation for mobile
    
    
32. Are credentials stored in iOS Keychain or Android Keystore for mobile?
    No user credentials or record data is stored -- only OAuth tokens are stored on Keychain/Keystore.
    
    
33. What is the data protection of local data stored by the app on the device?
    ServiceNow mobile apps have "complete" data protection (The file is accessible only when the device is locked)
    
    Refer to Apple Developer site for more information.
    
    
34. Are biometrics supported for mobile apps?
    Wherever PIN can be invoked -- our mobile apps will support TouchID and FaceID if your mobile device supports it.
    
    To enable this please refer to PIN enforcement product documentation.
    
    *Note that this is not for authentication, this is just a device security feature when your mobile app goes into the background and only if your mobile phone allows for biometrics
    
    
35. If cloud storage backup (iCloud, Google Drive, etc) is enabled, will record data be stored in the cloud?
    No -- record data will not be stored.
    
    
36. Are ServiceNow Mobile apps protected against reverse engineering through industry-standard techniques (e.g. code obfuscation, encryption, etc)?
    Yes -- we follow OWASP for secure code development. Data-at-rest is AES 256 encrypted and TLS for data-in-motion. For Android, we use ProGuard for jailbreak detection which does the following:
    - Optimizes the bytecode
    - Removes unused code instructions
    - Obfuscates the remaining classes, fields, and methods with short names
    - The obfuscated code makes the APK difficult to reverse engineer. For root detection -- if we see a system property that states to disallow root, we use a library to try and determine if the device is rooted. https://github.com/scottyab/rootbeer
    
    If the property is set and the library thinks the device is rooted, then we log the user out of the app.
    
    
37. Do the mobile clients implement any anti-tampering techniques to deter or increase the amount of time it takes for an attacker to breach the apps?
    No
    
    
38. Can RSA secure tokens be used for MFA with Mobile?
    We do not support RSA secure tokens for MFA natively in the platform but will be addressed in future releases.
    
    
39. When the device goes offline to cache data -- when is the cache cleared?
    The expiration is defaulted to 48 hours on the instance but can be customized. When the offline cache expires it is deleted when the app is running. So if it expires while the app is not running, the cache is deleted upon the next app launch.
    
    
40. What data is stored in the cache and where is it stored?
    Offline record data and user preferences like favorites are stored on the filesystem.
    
    
41. Can we use certificate-based authentication or Kerberos?
    Officially they are not supported.
    
    
42. Our instance is IP restricted, how can mobile access the instance?
    The devices will either need a VPN client or use adaptive authentication policies and contexts to restrict the access to your instance for users and APIs based on criteria like IP address, user role, and user group
    
    
43. Will mobile support on-premise instances?
    Yes, but it may require a VPN client if it's behind a firewall, and push notification will not work.
    
    
44. If the mobile clients utilize SMS/MMS/Push Notification services; does the application only send user agnostic information?
    Push notifications can be configured to contain user-specific information or user-agnostic
    
    It is up to the administrator to enable/disable out-of-the-box notifications, or create their own, as needed
    
    
45. Are event log monitoring controls in place to monitor access and event by all users?
    No client-event login is implemented
    
    Mobile analytics events are recorded for some interaction, but no activity monitoring. Learn more about User Experience Analytics
    
    
46. Can we block specific apps to our instance? For example, allow Mobile Agent with Intune SDK only.
    Yes. You can 'control specific app usage'  to support your organization's authentication policies, admins can control which mobile apps can log in to ServiceNow instances. By configuring a system property, admins can create a list of mobile apps that can connect to ServiceNow instances. (apps not on allow list will be blocked)
    
    
47. Is certificate pinning supported?
    Certificate pinning is not supported because our mobile app supports lots of different cloud hosted and on-premise customers. ServiceNow's on-prem customers provision ServiceNow instances with own TLS certificates, so embedding certificate pin logic within the app would break those customers. Because of this, we are unable to ship the app with certificate pinning implemented. A different countermeasure to the person-in-the-middle threat is to rely on the TLS validation mechanisms of the mobile platform. In this case, the attacker would need to trick the user into bypassing several warnings to install a new certificate authority on the device, or compromise a well-known certificate authority, before a person-in-the-middle attack could be leveraged.
    
    On Android, our mobile app leverages additional behavior introduced in Android API Level 24 where our app does not trust user or admin-added CAs for secure connections by default. This means that our application will only trust the standard CAs installed by the Android device OEM, and not one installed by a malicious actor through social engineering.
    
    
48. If we find a vulnerability with ServiceNow mobile apps, how do we report it? 
    If a customer discovers a vulnerability, they can submit the finding in the Security Findings tracker for each vulnerability identified. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1048209
    
    If the vulnerability requires immediate attention, customers will need to submit a case with P1 priority in order for our engineers to investigate/fix.