General guidelines for offline mode security and compliance

  • Release version: Australia
  • Updated June 1, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of General guidelines for offline mode security and compliance

    These guidelines provide ServiceNow customers with best practices for maintaining security and compliance when using offline mode in mobile applications. They focus on protecting sensitive data, controlling access, and ensuring secure data handling to optimize usability and user experience.

    Show full answer Show less

    Key Features

    • Offline Data Encryption: Data stored offline is encrypted using AES-256, with encryption enforced if a device passcode is set, and always on Android devices.
    • Access Control by Role: The glide.sg.offline.roles system property allows administrators to restrict offline mode access to specific user roles, such as field agents.
    • PII Protection and Compliance: ServiceNow's data security policies cover data at rest, in transit, and offline cache configurations to align with regulatory requirements.
    • Secure Data Transmission: All data exchanged between mobile apps and the ServiceNow instance uses HTTPS with SSL/TLS encryption to protect data in transit.
    • Offline Cache Management: Administrators can configure offline access workflows and set cache expiration using the glide.sg.offline.expiration property, defaulting to 48 hours, to reduce risk from lost or stolen devices.
    • Local Protection Features: Offline data supports local authentication and optional app-level PIN enforcement to prevent unauthorized access.
    • Data Loss Prevention Controls: Features include copy/paste restrictions, PIN password enforcement, and attachment blocking to protect sensitive content on mobile devices.
    • Cache Deletion Conditions: Cached data is deleted automatically upon expiration, on user logout, or manual cache clearance, ensuring data freshness and security.

    Practical Implications for ServiceNow Customers

    • Enable device passcodes and leverage Android’s default encryption to safeguard offline data.
    • Use system properties to tailor offline mode access to appropriate roles, enhancing security and compliance.
    • Rely on built-in encryption standards (AES-256) and secure transmission protocols (SSL/TLS) to protect sensitive information both offline and online.
    • Configure offline cache expiration to limit data retention on devices, reducing exposure in case of device loss or theft.
    • Implement local app security measures, such as PIN enforcement, to further restrict access to cached data.
    • Apply data loss prevention policies and content restrictions to control sensitive information handling on mobile devices.

    When working offline mode, keep these security and compliance general guidelines in mind for usability and a good user experience.

    Note:
    Many of the issues discussed can be resolved using system properties. See the Perry system property file for more information.
    Offline data encryption

    Offline data is encrypted if the user has a passcode enabled on their device. On Android, all data is encrypted regardless of whether a passcode is set.

    Restricting offline mode by role
    Use the glide.sg.offline.roles system property to define which roles can access offline mode, such as field agents. If left empty, all users can use offline mode.
    PII protection and security compliance

    ServiceNow supports the protection of personally identifiable information (PII) and is designed to align with organizational and regulatory security requirements.

    The following are examples of this policy:
    • Data security policies: ServiceNow's data security framework governs the handling of PII across all mobile and platform experiences. These policies cover data at rest, data in transit, and offline access configurations.
    • Data at REST: ServiceNow mobile apps do not store record data such as incidents and problems on the device unless your organization has specifically enabled offline syncing. Record data is encrypted using AES-256.
    • Data in transit: All data transmitted between the mobile app and the ServiceNow instance is secured via SSL/TLS and encrypted using HTTPS.
    • Offline access and cache configuration: Administrators can configure offline access by enabling cache downloads for designated workflows. Offline cached data is encrypted using native encryption and expires after a set period, typically 48 hours or upon user sign-out.
    • Local protection: Offline data supports additional protection through local authentication and optional app-level PIN enforcement, helping to reduce unauthorized access to cached content.
    Data loss prevention
    ServiceNow helps support data loss prevention through a combination of content restrictions, secure data transmission, and encryption protocols.
    Content restrictions:
    • Copy/paste controls: Prevents unauthorized copying of sensitive information via MAM policy.
    • PIN password enforcement: Strengthens access security on mobile devices.
    • Attachment blocking: Allows administrators to block file attachments from mobile apps.
    Secure mobile traffic:
    • All mobile data is transmitted over a secure SSL/TLS channel and encrypted using HTTPS, ensuring protection during transit.
    • Data encryption:
      • Local storage: Only non-sensitive app preference data are cached locally. For example, favorites, home screen layouts, and navigator items.
      • Offline mode: When enabled, record data and related mobile tables, like screens, are encrypted using  AES-256, providing protection for data at rest.
    Offline cache expiration
    Set the glide.sg.offline.expiration system property to define how long cached data remains on the device. The default is 48 hours, after which data is automatically deleted, reducing risk if a device is lost or stolen and ensuring data stays fresh.
    Conditions for cached data deletion
    Cached data is only deleted under the following conditions:
    • Expiration: The cache automatically clears when it reaches its expiration time.
    • Manual deletion: The user manually deletes the cache.
    • Logout: The user logs out of the app.
    Note:
    A new cache download only updates the existing cache.