Inability to Connect NOW Mobile with the Self-Hosted Instance


Description

The Now Mobile application is unable to connect to the self-hosted instance. The following error message is displayed (see the screenshot):
“The instance you are trying to connect to does not support this mobile app. Contact your administrator”

The self-hosted instance is configured for mobile access. The "ServiceNow NowMobile App Screens and Applet Launcher" plugin is also installed and configured on the production and sub-production instances. The instance is not published to the internet; however, the mobile device has VPN access to the instance.

When we configure the Now Mobile app to connect to the instance, it keeps returning an error message stating that the instance is not configured for mobile (see the screenshot).

When we use the mobile browser to connect to the instance, it works well, which indicates that the VPN is working on the mobile device, but the connection fails when using the native app.

Cause

"User-added CAs
Protection of all application data is a key goal of the Android application sandbox. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. This safe-by-default setting reduces application attack surface and encourages consistent handling of network and file-based application data."

The affected customer is using a user certificate as part of their auth flow. In newer versions of Android (7+), Google does not trust these certificates by default.

Here is the link to the blog post in which they announced this change:
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
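
The opt-in mentioned in the quote is declared in an app's Network Security Configuration file. The following added example (not ServiceNow or Google code) evaluates two constructed configurations to show which certificate sources an app targeting API level 24 or higher trusts for a given host; the domain `corp.example`, the function names, and both XML documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed configurations; not taken from any ServiceNow app.
# DEFAULT_CFG spells out the Android 7+ default: system CAs only.
DEFAULT_CFG = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
</network-security-config>"""

# OPT_IN_CFG trusts user-added CAs for one hypothetical internal domain only.
OPT_IN_CFG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">corp.example</domain>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>"""

def _anchors(node, inherited):
    """Sources declared on node, or the inherited set if none are declared."""
    ta = node.find("trust-anchors") if node is not None else None
    if ta is None:
        return inherited
    return {c.get("src") for c in ta.findall("certificates")}

def trust_sources(cfg_xml, host):
    """Certificate sources trusted for host (app targeting API level 24+)."""
    root = ET.fromstring(cfg_xml)
    host = host.lower()
    # With no base-config, API 24+ apps trust only the system store.
    best_len, best = -1, _anchors(root.find("base-config"), {"system"})

    def walk(node, inherited):
        nonlocal best_len, best
        for dc in node.findall("domain-config"):
            anchors = _anchors(dc, inherited)  # nested configs inherit
            for d in dc.findall("domain"):
                name = (d.text or "").strip().lower()
                sub = d.get("includeSubdomains") == "true"
                matches = host == name or (sub and host.endswith("." + name))
                if matches and len(name) > best_len:  # most specific rule wins
                    best_len, best = len(name), anchors
            walk(dc, anchors)

    walk(root, best)
    return best

def trusts_user_cas(cfg_xml, host):
    return "user" in trust_sources(cfg_xml, host)
```

An app built with the first configuration rejects a server certificate that chains to a user-installed CA, while the second accepts it only for `corp.example` and its subdomains and keeps the system-only default everywhere else.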

Resolution

ServiceNow aligns with Google's decision and therefore does not trust user certs in our public Google Play Store apps. The test app we shared with the customer opts in to trust these certs, which is why they were able to successfully authenticate.

There are two options for how to proceed:

- Remove the user cert and replace it with a certificate signed by a public certificate authority. The customer can then use our Google Play Store applications.

- Sign up for our mobile publishing product, which allows customers to build APKs that trust this certificate. Since the instance is on-prem, which is currently unsupported for Mobile Publishing, they would have to launch a cloud instance to submit the requests. After that, you can use AirWatch MDM to distribute the Android application.