I'm running CyanogenMod 12.1 on a Motorola Moto G3. When I tried setting up some app, it failed on me with the message that it won't run on rooted devices, even though I disabled root access.
Now I'm looking for a way to sandbox said app, to prevent it from knowing about the ROM.
Due to changes in the SafetyNet API, which is a mandatory part of Google Play Services, most apps cannot have the fact you are rooted, or modified in anyway (such as running CM), hidden from them. Most financial apps, Android Pay, Pokemon Go and others use this API to check and there is no known work around at the moment, and according to some developers this may never be possible anymore IF the app is using the SafetyNet API to check for modifications.
Until recently (early October 2016), it was fairly easy to get around this check, but today it is almost impossible due to changes over the last month. The only known work around is to go back to stock. Be aware than starting with Android 7, even having an unlocked bootloader with no other modifications will cause a SafetyNet API check to fail.
If the app is just checking for su or standard root calls, then RootCloak or Suhide should work, but most apps are switching to SafetyNet now that Google is actively updating and enforcing it.
http://phandroid.com/2016/10/06/safetynet-update-no-longer-hides-root/
http://www.androidpolice.com/2016/10/19/safetynet-api-fails-unlocked-android-phones-android-pay-affected/
There are multiple other sources, but to see why this is nearly a foolproof method, or will be soon, see how SafetyNet works here.
Q & A