Guide explaining how to configure EAP-TLS Wi-Fi network on Android --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Configure Wi-Fi on Android
Available in Fleet Premium
This guide walks through configuring an enterprise Wi-Fi network (802.1X) with the EAP-TLS method on Android hosts. It is supported on fully-managed and work profile (BYOD) hosts.
Follow the steps below to connect your Android hosts to enterprise Wi-Fi:
- Add a SCEP certificate authority to Fleet.
- Deploy the SCEP certificate to Android hosts.
- Add a Wi-Fi configuration profile to Fleet.
Add a Wi-Fi configuration profile
- Create a JSON file (e.g., wifi-eap-tls.json) with the following content, replacing the placeholder values described below.
- In Fleet, head to Controls > OS settings > Custom settings, select Add profile, and upload the file.
{
  "openNetworkConfiguration": {
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [
      {
        "GUID": "enterprise-wifi",
        "Name": "Enterprise Wi-Fi",
        "Type": "WiFi",
        "WiFi": {
          "SSID": "<your_SSID>",
          "EAP": {
            "Outer": "EAP-TLS",
            "Identity": "name@example.com",
            "DomainSuffixMatch": ["<CN_of_RADIUS_server_certificate>"],
            "ClientCertType": "KeyPairAlias",
            "ClientCertKeyPairAlias": "<fleet_certificate_name>",
            "ServerCARefs": ["root_ca"]
          },
          "AutoConnect": false,
          "Security": "WPA-EAP"
        }
      }
    ],
    "Certificates": [
      {
        "GUID": "root_ca",
        "Type": "Authority",
        "X509": "<content_of_root_ca_certificate_without_header_and_footer>"
      }
    ]
  }
}
Fields to replace
| Field | Description |
|---|---|
| SSID | Must match the router's SSID exactly (case-sensitive). |
| Name | Display label, can be anything. For human readability only. |
| GUID | Unique identifier for the network. Use a different GUID for each network if you have multiple networks under NetworkConfigurations, or multiple configuration profiles with openNetworkConfiguration setting. |
| AutoConnect | Determines if the network is automatically connected. This setting is independent of the auto-connect option per network available to end users in the host's Wi-Fi settings. |
| Identity | Usually the user's email. |
| DomainSuffixMatch | Domain suffix used to verify the RADIUS server's identity. The host checks that the server certificate's SAN DNS name (or CN if no SAN is present) ends with this suffix. |
| ClientCertKeyPairAlias | Name of the certificate you added in Fleet under Controls > OS settings > Certificates. |
| X509 | Base64-encoded content of the root CA certificate that signed both server and client certificates. Exclude header and footer (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). |
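A pre-upload check for the profile, as an added example that is not part of Fleet: it flags unreplaced placeholders, an X509 value that still carries PEM header/footer lines or is not base64, duplicate network GUIDs, and ServerCARefs entries with no matching certificate. The names lint_profile and sample_profile are hypothetical, and the certificate check only looks at the leading DER tag rather than parsing the certificate.

```python
import base64, json, re
PLACEHOLDER = re.compile(r"^<.*>$")  # unreplaced template value such as <your_SSID>

def lint_profile(text):
    """Return a list of problems in a Wi-Fi EAP-TLS profile (empty list = OK)."""
    onc = json.loads(text)["openNetworkConfiguration"]
    problems, cert_guids, net_guids = [], set(), set()
    for cert in onc.get("Certificates", []):
        cert_guids.add(cert["GUID"])
        x509 = "".join(cert.get("X509", "").split())
        if PLACEHOLDER.match(x509) or "-----" in x509:
            problems.append(f"{cert['GUID']}: X509 is a placeholder or has PEM header/footer")
            continue
        try:
            der = base64.b64decode(x509, validate=True)
        except ValueError:
            problems.append(f"{cert['GUID']}: X509 is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append(f"{cert['GUID']}: X509 does not decode to DER")
    for net in onc.get("NetworkConfigurations", []):
        guid, wifi = net["GUID"], net.get("WiFi", {})
        eap = wifi.get("EAP", {})
        if guid in net_guids:
            problems.append(f"{guid}: duplicate network GUID")
        net_guids.add(guid)
        for name, value in (("SSID", wifi.get("SSID")),
                            ("ClientCertKeyPairAlias", eap.get("ClientCertKeyPairAlias"))):
            if not value or PLACEHOLDER.match(value):
                problems.append(f"{guid}: {name} not set")
        suffixes = eap.get("DomainSuffixMatch") or []
        if not suffixes or any(PLACEHOLDER.match(s) for s in suffixes):
            problems.append(f"{guid}: DomainSuffixMatch not set, RADIUS server name unchecked")
        refs = eap.get("ServerCARefs") or []
        if not refs:
            problems.append(f"{guid}: ServerCARefs is empty")
        problems += [f"{guid}: ServerCARefs '{r}' has no matching certificate"
                     for r in refs if r not in cert_guids]
    return problems

def sample_profile(ssid, suffix, alias, x509):  # constructed sample, same shape as the guide's
    eap = {"Outer": "EAP-TLS", "Identity": "name@example.com",
           "DomainSuffixMatch": [suffix], "ClientCertType": "KeyPairAlias",
           "ClientCertKeyPairAlias": alias, "ServerCARefs": ["root_ca"]}
    net = {"GUID": "enterprise-wifi", "Name": "Enterprise Wi-Fi", "Type": "WiFi",
           "WiFi": {"SSID": ssid, "EAP": eap, "AutoConnect": False, "Security": "WPA-EAP"}}
    ca = {"GUID": "root_ca", "Type": "Authority", "X509": x509}
    return json.dumps({"openNetworkConfiguration": {"Type": "UnencryptedConfiguration",
                       "NetworkConfigurations": [net], "Certificates": [ca]}})
```

Run lint_profile on the contents of wifi-eap-tls.json before uploading; an empty list means none of these checks failed.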
See status
To check the status, go to the host and select OS settings in Fleet.
If the profile shows an INVALID_VALUE error ("openNetworkConfiguration" setting couldn't apply to a host. Reason: INVALID_VALUE.), the certificate specified in ClientCertKeyPairAlias isn't available on the host. Verify that the name matches the certificate in Controls > OS settings > Certificates and that the certificate deployed successfully.
If a Wi‑Fi configuration profile is deployed before the certificate is installed on the host, it will fail with the same error. This will be fixed in #42405. In the meantime, delete and re-add the Wi‑Fi profile after the certificate is installed.
End user experience
The network is saved, but the end user must select it once in Wi-Fi settings. After that, the device reconnects automatically.
To skip the manual step, set AutoConnect to true in the profile — the device will connect automatically without end user action, unless the end user disables auto-connect for this network.