Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 30
fleet/articles/configure-eap-tls-wifi-android.md
Steven Palmesano 54c7ae76ef
Improve Android Wi-Fi docs (#44041) 
- Add details on the Identity field, stating that it may not be
required, and that Fleet variables aren't supported yet.
- Clarify which cert to use for the X509 field.

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
2026-04-24 09:01:12 -05:00

5 KiB
Raw Blame History

Configure Wi-Fi on Android

Available in Fleet Premium

This guide walks through configuring enterprise Wi-Fi network (802.1X) with EAP-TLS method on Android hosts. Supported on fully-managed and work profile (BYOD) hosts.

Follow the steps below to connect your Android hosts to enterprise Wi-Fi:

  1. Add SCEP certificate authority to Fleet
  2. Deployed SCEP certificate to Android hosts.
  3. Add Wi-Fi configuration profile to Fleet.

Add a Wi-Fi configuration profile

  1. Create a JSON file (e.g., wifi-eap-tls.json) with the following content, replacing the placeholder values described below.

  2. In Fleet, head to Controls > OS settings > Custom settings, select Add profile, and upload file below.

{
  "openNetworkConfiguration": {
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [
      {
        "GUID": "enterprise-wifi",
        "Name": "Enterprise Wi-Fi",
        "Type": "WiFi",
        "WiFi": {
          "SSID": "<your_SSID>",
          "EAP": {
            "Outer": "EAP-TLS",
            "Identity": "name@example.com",
            "DomainSuffixMatch": ["<CN_of_RADIUS_server_certificate>"],
            "ClientCertType": "KeyPairAlias",
            "ClientCertKeyPairAlias": "<fleet_certificate_name>",
            "ServerCARefs": ["root_ca"]
          },
          "AutoConnect": false,
          "Security": "WPA-EAP"
        }
      }
    ],
    "Certificates": [
      {
        "GUID": "root_ca",
        "Type": "Authority",
        "X509": "<content_of_root_ca_certificate_without_header_and_footer>"
      }
    ]
  }
}

Fields to replace

Field Description
SSID Must match the router's SSID exactly (case-sensitive).
Name Display label, can be anything. For human readability only.
GUID Unique identifier for the network. Use a different GUID for each network if you have multiple networks under NetworkConfigurations, or multiple configuration profiles with openNetworkConfiguration setting.
AutoConnect Determines if the network is automatically connected. This setting is independent of the auto-connect option per network available to end users in the host's Wi-Fi settings.
Identity The identity sent to the RADIUS server during EAP-TLS authentication. Check with your network team whether your RADIUS server requires this field, as some servers derive identity from the CN of the client certificate instead, in which case this field can be omitted. If your RADIUS server requires it, use a static value (e.g., a shared identifier). Support for Fleet variables (such as $FLEET_VAR_HOST_END_USER_IDP_USERNAME) in Android profiles is coming soon.
DomainSuffixMatch Domain suffix used to verify the RADIUS server's identity. The host checks that the server certificate's SAN DNS name (or CN if no SAN is present) ends with this suffix.
ClientCertKeyPairAlias Name of the certificate you added in Fleet under Controls > OS settings > Certificates.
X509 Base64-encoded content of the root CA certificate that signed the RADIUS server's certificate. Paste the base64 content from the .pem file directly, excluding the header and footer (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

See status

To check the status, go to the host and select OS settings in Fleet.

If the profile shows "openNetworkConfiguration" setting couldn't apply to a host. Reason: INVALID_VALUE. error, the certificate specified in ClientCertKeyPairAlias isn't available on the host. Verify the name matches the certificate in Controls > OS settings > Certificates and that the certificate deployed successfully.

If a WiFi configuration profile is deployed before the certificate is installed on the host, it will fail with the same error. This will be fixed in #42405. In the meantime, delete and re-add the WiFi profile after the certificate is installed.

End user experience

The network is saved, but the end user must select it once in Wi-Fi settings. After that, the device reconnects automatically.

To skip the manual step, set AutoConnect to true in the profile — the device will connect automatically without end user action, unless the end user disables auto-connect for this network.