Security controls

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security controls

    This content explains how ServiceNow customers can configure various security controls on their mobile applications to enhance data protection and user security. It covers settings to restrict copy/paste operations, enforce PIN entry, block attachments, blur app content when not in focus, and prevent access from rooted or jailbroken devices. Additionally, it describes penetration testing processes ServiceNow follows to ensure app security.

    Show full answer Show less

    Key Features

    • Restrict copy/paste: Customers can configure system properties to clear the clipboard when the ServiceNow app is backgrounded, reducing the risk of sensitive data leakage.
    • Require an app PIN: Enforce a six-digit PIN for user sign-in or after five minutes of app inactivity by enabling the corresponding system property. This adds an extra layer of authentication on mobile devices.
    • Disable attachments on mobile devices: Use Access Control Lists (ACLs) with the isMobile() method to block read/write access to attachments specifically on mobile devices. Multiple ACLs must have the Admin override option unchecked, and elevated privileges are required to create these ACLs.
    • Enable blur app option: Blur app content when the app is not in focus by setting the relevant system property. This feature is supported on both iOS and Android. On Android, enabling this setting disables screen sharing and screenshots for enhanced privacy, while iOS does not impose these restrictions.
    • Block rooted and jailbroken devices: Prevent mobile app login from devices that are rooted or jailbroken by configuring the appropriate system property, thereby reducing security risks from compromised devices.
    • Penetration testing: ServiceNow engages third-party vendors to conduct penetration tests on the mobile app, typically annually. Customers can access test results on CORE and coordinate their own instance penetration tests following established procedures.

    What This Enables for ServiceNow Customers

    By implementing these security controls, ServiceNow customers can protect sensitive data accessed via mobile apps, enforce stronger authentication, limit risky behaviors such as attachment handling on mobile, and ensure compliance with security standards by blocking compromised devices. These measures help mitigate common mobile security vulnerabilities and support secure mobile operations.

    Additionally, access to penetration testing results provides transparency about app security and supports customers in performing their own security assessments.

    Configure security controls to restrict copy/paste, enforce PIN, or block attachment functionality.

    Restrict copy/paste

    Copy/paste restrictions are defined in the system properties [sys_properties] table. There are two applicable security properties.

    glide.sg.clear_pasteboard_when_background: Clears the copy/paste clipboard when a ServiceNow app enters the background. For more information on clearing the clipboard, see Configure clear clipboard.

    Require an app PIN

    Require users to enter a six digit PIN each time they sign in from their mobile device, or when an app has been inactive for five minutes. Requiring an app PIN is controlled by the glide.sg.require_mobile_application_pin system property. For more information on requiring an app PIN, see Require an app PIN.

    Disabling attachments on a mobile device

    Use an ACL to block specific access on mobile. Use the isMobile method to check if a request comes from a mobile device. For example, you could add an ACL for the attachment [sys_attachment] table where the read and write scripted ACLs includes the following check. You can also add this code to any existing ACLs you have for the attachment table. If have multiple attachment ACLs, all of the need to have Admin override option unchecked.
    if( gs.isMobile() ){
     answer = false;
}
    Note:
    You need elevated privileges to create ACLs.

    Enable the blur app option

    Blur a mobile app when not in focus on a mobile device using the following system property in the system properties [sys_properties] table.

    glide.sg.blur_ui_when_backgrounded
    Important:
    • The glide.sg.blur_ui_when_backgrounded system property is supported on both iOS and Android devices.
    • By default, the value for this property is set to false, which turns it off.

    • For Android devices, when this property is enabled by setting the value to true, the following restrictions apply:

      • The screen share feature isn't supported and the shared app screen appears black.
      • Users are prevented from taking screenshots.

      These restrictions don't apply to iOS devices when the glide.sg.blur_ui_when_backgrounded property is enabled.

    For more information, see Configure the blur app option

    Block rooted and jailbroken devices

    To improve security on your mobile device, block the logging in of mobile apps when a rooted or jailbroken device is used. Use the following security property:

    glide.sg.allow_rooted_jailbroken_devices system

    For more information, see Configure the status for rooted and jailbroken devices.

    Penetration testing

    ServiceNow engages a third party to perform penetration testing of a mobile app. This typically happens annually but sometimes occurs more frequently. The results of these tests are available to customers on CORE. Customers can test the mobile application in conjunction with a pen test of their instance per the process outlined in KB0538598.