Citrix Endpoint Management

Play Integrity API

The Play Integrity API helps protect your apps and games from potentially risky and fraudulent interactions, such as cheating and unauthorized access, allowing you to respond with appropriate actions to prevent attacks and reduce abuse. For more information, see Play Integrity API.

Enable the Play Integrity API

Follow these steps to switch to the Play Integrity API.

  1. Turn on the afw.safetynet.attestation.api. deprecation feature flag for the specified Citrix Endpoint Management server.
  2. On the Citrix Endpoint Management console, select Android PlayIntegrity from the Settings page.

    Enable Play Integrity

  3. Enter a value in the Attestation schedule in the hours field. It is the interval time at which the PlayIntegrity Attestation API assesses your device. The minimum value is 24 hours, and the maximum value is 1000 hours. The default value is 24 hours. Click Save.
  4. Upgrade to Citrix Secure Hub Android version 23.7.0. Sign off from your device, and sign into Citrix Secure Hub to trigger the Attest via Play Integrity API.

View and analyze Play Integrity API attestation results

  1. On the Citrix Endpoint Management console, go to Manage > Devices.
  2. Select the device for which you want to see the Play Integrity API Attestation results. Click Show More.
  3. In the Devices tab, select Properties. The results appear in the Security information section.

    Analyze Play Integrity

  4. The Play Integrity API attestation returns the following statuses:
    • If the PlayIntegrity Device Recognition Verdict field contains “MEETS_BASIC_INTEGRITY”, it means that Citrix Secure Hub running on the device at least passes the basic system integrity.
    • If the PlayIntegrity Device Recognition Verdict field doesn’t contain “MEETS_BASIC_INTEGRITY”, it means that Citrix Secure Hub on the device might be running on an unrecognized version of Android, might have an unlocked bootloader, or might not have been certified by the manufacturer.
    • If the PlayIntegrity last known status is Success, it means that the PlayIntegrity API attestation is successfully run.
    • If the PlayIntegrity last known status is Failure, it means that the PlayIntegrity API attestation has failed to run.


Admin can clear the feature flag that allows you to use SafetyNet, before the final turndown of SafetyNet Attestation - end of November 2023.


  1. Newly enrolled COSU devices and DO devices are marked incompliant, even if the devices are compliant.

    Play Integrity API returns empty for the first attest during DO enrollment, which makes the device seem incompliant. This is a known issue from Google, DPC Support Lib 20230418 is published to fix this issue.

    The fix is available from the 23.9.0 release. Until then use these steps as a workaround:

    • Clear the feature flag, and continue using the SafetyNet API to continue using the SafetyNet Attestation API.
    • Sign off and re-sign in to trigger an attestation after enrollment. You can also wait for the next periodic attest, which is the default of 24 hours.

    This issue only occurs during enrollment. The Play Integrity API works well after enrollment.

  2. Newly enrolled WPCOD devices are marked incompliant even when the devices are compliant. This issue is being reviewed by Google.

Play Integrity API