fleet/articles/configure-eap-tls-wifi-android.md
Marko Lisica 49491a75bb
[Guide] Android EAP-TLS Wi-Fi configuration (#42324)
Guide explaining how to configure EAP-TLS Wi-Fi network on Android

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
2026-04-03 14:43:35 +02:00


# Configure Wi-Fi on Android

_Available in Fleet Premium_

This guide walks through configuring an enterprise Wi-Fi network (802.1X) with the EAP-TLS method on Android hosts. It is supported on fully-managed and work profile (BYOD) hosts.

Follow the steps below to connect your Android hosts to enterprise Wi-Fi:

1. [Add a SCEP certificate authority](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#any-scep-simple-certificate-enrollment-protocol-ca) to Fleet.
2. [Deploy the SCEP certificate](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#android-deploy-certificate) to Android hosts.
3. [Add a Wi-Fi configuration profile](#add-a-wi-fi-configuration-profile) to Fleet.

## Add a Wi-Fi configuration profile

1. Create a JSON file (e.g., `wifi-eap-tls.json`) with the content shown below, replacing the placeholder values as described under [Fields to replace](#fields-to-replace).
2. In Fleet, head to **Controls > OS settings > Custom settings**, select **Add profile**, and upload the file.

```json
{
  "openNetworkConfiguration": {
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [
      {
        "GUID": "enterprise-wifi",
        "Name": "Enterprise Wi-Fi",
        "Type": "WiFi",
        "WiFi": {
          "SSID": "<your_SSID>",
          "EAP": {
            "Outer": "EAP-TLS",
            "Identity": "name@example.com",
            "DomainSuffixMatch": ["<CN_of_RADIUS_server_certificate>"],
            "ClientCertType": "KeyPairAlias",
            "ClientCertKeyPairAlias": "<fleet_certificate_name>",
            "ServerCARefs": ["root_ca"]
          },
          "AutoConnect": false,
          "Security": "WPA-EAP"
        }
      }
    ],
    "Certificates": [
      {
        "GUID": "root_ca",
        "Type": "Authority",
        "X509": "<content_of_root_ca_certificate_without_header_and_footer>"
      }
    ]
  }
}
```

### Fields to replace
| Field | Description |
|---|---|
| `SSID` | Must match the router's SSID exactly (case-sensitive). |
| `Name` | Display label. Can be anything; it is for human readability only. |
| `GUID` | Unique identifier for the network. Use a different GUID for each network if you have multiple networks under `NetworkConfigurations`, or multiple configuration profiles with the `openNetworkConfiguration` setting. |
| `AutoConnect` | Determines whether the host connects to the network automatically. This setting is independent of the per-network auto-connect option available to end users in the host's Wi-Fi settings. |
| `Identity` | Usually the user's email. |
| `DomainSuffixMatch` | Domain suffix used to verify the RADIUS server's identity. The host checks that the server certificate's SAN DNS name (or CN if no SAN is present) ends with this suffix. |
| `ClientCertKeyPairAlias` | Name of the certificate you added in Fleet under **Controls > OS settings > Certificates**. |
| `X509` | Base64-encoded content of the root CA certificate that signed both server and client certificates. Exclude header and footer (`-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`). |
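
A pre-upload check for the profile, added here as an example (it is not part of Fleet or of the original guide). It flags placeholders left in the fields from the table above, an `X509` value that is not bare base64, and `ServerCARefs` entries that do not resolve to an `Authority` certificate in the same file. The names `pem_to_x509_field` and `lint_profile` are hypothetical.

```python
import base64
import json
import re

PLACEHOLDER = re.compile(r"^\s*(<.*>)?\s*$")  # empty, or still "<...>" from the template

def pem_to_x509_field(pem: str) -> str:
    """Drop the BEGIN/END lines and line breaks, leaving the bare base64 for `X509`."""
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def lint_profile(text: str) -> list:
    """Return human-readable problems found in an openNetworkConfiguration profile."""
    onc = json.loads(text)["openNetworkConfiguration"]
    nets = onc.get("NetworkConfigurations", [])
    certs = onc.get("Certificates", [])
    problems = []

    guids = [n.get("GUID", "") for n in nets]
    problems += [f"duplicate network GUID: {g}" for g in sorted(set(guids)) if guids.count(g) > 1]

    authorities = set()
    for c in certs:
        try:
            der = base64.b64decode(c.get("X509", ""), validate=True)
        except ValueError:  # PEM header/footer, placeholder text or bad padding
            der = b""
        # Shape check only: a DER certificate is an ASN.1 SEQUENCE (first byte 0x30).
        if not der.startswith(b"\x30"):
            problems.append(f"{c.get('GUID')}: X509 is not bare base64 of a DER certificate")
        elif c.get("Type") == "Authority":
            authorities.add(c.get("GUID"))

    for n in nets:
        wifi, gid = n.get("WiFi", {}), n.get("GUID")
        eap = wifi.get("EAP", {})
        for label, value in (("SSID", wifi.get("SSID", "")),
                             ("ClientCertKeyPairAlias", eap.get("ClientCertKeyPairAlias", ""))):
            if PLACEHOLDER.match(value):
                problems.append(f"{gid}: {label} is empty or still a placeholder")
        suffixes = eap.get("DomainSuffixMatch", [])
        if not suffixes or any(PLACEHOLDER.match(s) for s in suffixes):
            problems.append(f"{gid}: DomainSuffixMatch does not name the RADIUS server")
        refs = eap.get("ServerCARefs", [])
        if not refs or any(r not in authorities for r in refs):
            problems.append(f"{gid}: ServerCARefs must point at a valid Authority certificate")
    return problems

if __name__ == "__main__":
    import sys
    print("\n".join(lint_profile(open(sys.argv[1]).read())) or "ok")
```

Run it as `python3 lint_profile.py wifi-eap-tls.json` (the script name is an assumption). It cannot tell whether the certificate named in `ClientCertKeyPairAlias` is actually installed on the host; that is only visible in the host's **OS settings** status.
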
## See status

To check the status, go to the host in Fleet and select **OS settings**.

If the profile shows the error `"openNetworkConfiguration" setting couldn't apply to a host. Reason: INVALID_VALUE.`, the certificate specified in `ClientCertKeyPairAlias` isn't available on the host. Verify that the name matches the certificate in **Controls > OS settings > Certificates** and that the certificate deployed successfully.

If a Wi-Fi configuration profile is deployed before the certificate is installed on the host, it will fail with the same error. This will be fixed in [#42405](https://github.com/fleetdm/fleet/issues/42405). In the meantime, delete and re-add the Wi-Fi profile after the certificate is installed.

## End user experience

The network is saved, but the end user must select it once in Wi-Fi settings. After that, the device reconnects automatically.

To skip the manual step, set `AutoConnect` to `true` in the profile. The device will then connect automatically without end user action, unless the end user disables auto-connect for this network.

<meta name="articleTitle" value="Configure Wi-Fi on Android">
<meta name="authorFullName" value="Marko Lisica">
<meta name="authorGitHubUsername" value="marko-lisica">
<meta name="category" value="guides">
<meta name="publishedOn" value="2026-03-24">
<meta name="description" value="Learn how to configure enterprise Wi-Fi network (802.1X) with EAP-TLS method on Android hosts in Fleet.">