THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE
OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE
IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD
NOTICE AT ANY TIME.
Initial Public Release
VGE-DRM-EXP-K9, VGE-DRM-PRO-K9, and VGE-DRM-ULT-K9 - All versions
This issue affects ONLY devices that run iOS 10.3 or later, protected by VideoGuard DRM.
ONLY devices that run iOS 10.3 or later and are protected by VideoGuard DRM are affected by this issue.
Each time the VideoGuard Everywhere (VGE) client application is uninstalled and reinstalled on a device that runs iOS 10.3, a new VGE External Unique Identifier (EUID) is generated. The new VGE EUID no longer matches records in the service provider's VGE headend and/or device management system. For service providers that use the VGE EUID in the device activation/reactivation workflow, the device would be presented to the service provider's VGE headend as a new device that needs activation.
Based on the service provider's configuration, this could result in multiple device entries for the same physical device in the service provider's system or denial of service to authorized users.
Likelihood - for devices that run iOS 10.3 or later, the VGE EUID change is consistent behavior when the application is uninstalled and later reinstalled.
Cisco's VGE over-the-top (OTT) product generates two types of unique identifiers for each consumer device:
When VideoGuard DRM is used, an EUID is generated by the VGE client after installation and prior to activation. The client exposes an application programming interface (API) in order to allow the application to get this identifier value. The VGE client maintains this EUID for as long as the application is installed.
Note: EUID generation is platform-dependent, and uses accessible platform-specific parameters. Cisco does not control the values or the accessibility of those parameters, and as such cannot guarantee the EUID value will not change.
As part of the consumer device activation/registration process, a DRM Device ID is generated by the VGE headend for use by VideoGuard DRM, or any native DRM. As part of the activation process, the VGE OTT headend supports reporting of this DRM Device ID to the service provider's device management system.
In iOS devices protected by VideoGuard DRM, the EUID (or more correctly, the random seed from which the EUID was generated) was stored in the Keychain (a persistent secure storage container on iOS devices) in order to ensure its persistence and prevent access by others. This was a good solution through iOS 10.2. From iOS 10.3, Apple decided, due to privacy rules, to delete related Keychain content when the corresponding application is uninstalled from the device. As a result, the EUID is no longer available after the application is uninstalled. Instead, a new EUID is generated the next time the application is installed and a new DRM device ID is generated when the application is launched.
Service providers that use the VGE EUID and/or DRM device ID in the device activation/reactivation workflow must take this new behavior into account, and make workflow modifications in order to enable uninterrupted viewing by the consumer.
When a consumer uninstalls and later reinstalls the application, then tries to play video, a new device activation or reactivation workflow is initiated.
Service providers that use the VGE EUID and/or DRM device ID for device management need to take this new behavior into account, and make workflow modifications in order to enable uninterrupted viewing by the consumer. Specifically, service providers must ensure the device can be reactivated with the new EUID and/or DRM device ID.
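One possible shape for such a workflow modification, as an added example (not Cisco code and not part of the original notice): a device-management store that treats every unknown EUID as a new device, next to one that ages out orphaned EUIDs and allows a bounded replacement. The device cap, idle TTL, swap limit, record layout and EUID strings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_DEVICES = 2      # assumed per-account device cap
IDLE_TTL_DAYS = 30   # assumed: records idle longer than this are orphans
MAX_SWAPS = 1        # assumed cap on forced replacements per review window

@dataclass
class Account:
    devices: dict = field(default_factory=dict)  # EUID -> last-seen day number
    swaps: int = 0                               # forced replacements used

def activate_naive(acct, euid, day):
    """Every unknown EUID is a new device: stale entries stay, then denial."""
    if euid not in acct.devices and len(acct.devices) >= MAX_DEVICES:
        return "denied"
    acct.devices[euid] = day
    return "activated"

def activate_tolerant(acct, euid, day):
    """Authenticated account presents an EUID; an unknown one may be a reinstall."""
    if euid in acct.devices:
        acct.devices[euid] = day
        return "known"
    # An EUID orphaned by an uninstall never checks in again, so it ages out.
    for old in [e for e, seen in acct.devices.items() if day - seen > IDLE_TTL_DAYS]:
        del acct.devices[old]
    if len(acct.devices) >= MAX_DEVICES:
        if acct.swaps >= MAX_SWAPS:
            return "denied"  # bounded, so the device cap stays meaningful
        # Retire the least recently seen record to make room.
        del acct.devices[min(acct.devices, key=acct.devices.get)]
        acct.swaps += 1
    acct.devices[euid] = day
    return "activated"

def replay(activate):
    """Constructed timeline: a tablet stays active, a phone is reinstalled twice."""
    acct = Account()
    events = [("euid-tablet", 0), ("euid-phone-1", 0), ("euid-tablet", 40),
              ("euid-phone-2", 41), ("euid-tablet", 42), ("euid-phone-3", 43)]
    return [activate(acct, e, d) for e, d in events], sorted(acct.devices)

if __name__ == "__main__":
    print("naive:   ", replay(activate_naive))
    print("tolerant:", replay(activate_tolerant))
```

The swap limit is the control that keeps reinstall tolerance from becoming a way around the device cap; a further reinstall in the same window is denied and would need a manual or customer-care path.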
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco VideoGuard Everywhere DRM field notice team or reach out to your Cisco Account Manager.