I learned that it doesn't matter if the client certificate is signed by a root CA certificate specified under `Certificates[0].X509` when `Type` is `Authority`. In the case of `customer-pingali`, they have a client certificate signed by a different CA, which confused their IT team. They initially used the root CA that signed the client certificate and assumed that the same certificate also signed the server certificate.
Configure Wi-Fi on Android
Available in Fleet Premium
This guide walks through configuring an enterprise Wi-Fi network (802.1X) with the EAP-TLS method on Android hosts. It is supported on fully managed and work profile (BYOD) hosts.
Follow the steps below to connect your Android hosts to enterprise Wi-Fi:
- Add a SCEP certificate authority to Fleet.
- Deploy the SCEP certificate to Android hosts.
- Add a Wi-Fi configuration profile to Fleet.
Add a Wi-Fi configuration profile
- Create a JSON file (e.g., wifi-eap-tls.json) with the following content, replacing the placeholder values described below.
- In Fleet, head to Controls > OS settings > Custom settings, select Add profile, and upload the file.
```json
{
  "openNetworkConfiguration": {
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [
      {
        "GUID": "enterprise-wifi",
        "Name": "Enterprise Wi-Fi",
        "Type": "WiFi",
        "WiFi": {
          "SSID": "<your_SSID>",
          "EAP": {
            "Outer": "EAP-TLS",
            "Identity": "name@example.com",
            "DomainSuffixMatch": ["<CN_of_RADIUS_server_certificate>"],
            "ClientCertType": "KeyPairAlias",
            "ClientCertKeyPairAlias": "<fleet_certificate_name>",
            "ServerCARefs": ["root_ca"]
          },
          "AutoConnect": false,
          "Security": "WPA-EAP"
        }
      }
    ],
    "Certificates": [
      {
        "GUID": "root_ca",
        "Type": "Authority",
        "X509": "<content_of_root_ca_certificate_without_header_and_footer>"
      }
    ]
  }
}
```
Fields to replace
| Field | Description |
|---|---|
| SSID | Must match the router's SSID exactly (case-sensitive). |
| Name | Display label, can be anything. For human readability only. |
| GUID | Unique identifier for the network. Use a different GUID for each network if you have multiple networks under NetworkConfigurations, or multiple configuration profiles with openNetworkConfiguration setting. |
| AutoConnect | Determines if the network is automatically connected. This setting is independent of the auto-connect option per network available to end users in the host's Wi-Fi settings. |
| Identity | Usually the user's email. |
| DomainSuffixMatch | Domain suffix used to verify the RADIUS server's identity. The host checks that the server certificate's SAN DNS name (or CN if no SAN is present) ends with this suffix. |
| ClientCertKeyPairAlias | Name of the certificate you added in Fleet under Controls > OS settings > Certificates. |
| X509 | Base64-encoded content of the root CA certificate that signed the server certificate. Exclude header and footer (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). |
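A pre-upload check for the profile and fields described above, as an added example that is not part of Fleet's documentation or tooling. `pem_to_x509_field` and `lint_profile` are hypothetical helper names, and the DER check only looks at the leading SEQUENCE tag, so it cannot tell whether the CA actually signed the RADIUS server certificate.

```python
import base64
import binascii
import re

PLACEHOLDER = re.compile(r"^<.*>$")  # unreplaced template value, e.g. <your_SSID>

def pem_to_x509_field(pem):
    """Drop the PEM header/footer and line breaks, leaving the bare Base64 body."""
    lines = (l.strip() for l in pem.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def lint_profile(profile):
    """Return a list of problems found in an openNetworkConfiguration profile."""
    onc = profile.get("openNetworkConfiguration", {})
    problems = []
    authorities = {c.get("GUID"): c.get("X509", "")
                   for c in onc.get("Certificates", []) if c.get("Type") == "Authority"}
    for guid, x509 in authorities.items():
        if "-----" in x509 or PLACEHOLDER.match(x509):
            problems.append(f"{guid}: X509 has a PEM header/footer or placeholder")
            continue
        try:
            der = base64.b64decode(x509, validate=True)
        except binascii.Error:
            problems.append(f"{guid}: X509 is not valid Base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate begins with a SEQUENCE tag
            problems.append(f"{guid}: X509 does not decode to DER")
    seen = set()
    for net in onc.get("NetworkConfigurations", []):
        guid, wifi = net.get("GUID"), net.get("WiFi", {})
        eap = wifi.get("EAP", {})
        if guid in seen:  # each network needs its own GUID
            problems.append(f"{guid}: duplicate network GUID")
        seen.add(guid)
        if PLACEHOLDER.match(wifi.get("SSID", "")):
            problems.append(f"{guid}: SSID placeholder not replaced")
        suffixes = eap.get("DomainSuffixMatch", [])
        if not suffixes or any(PLACEHOLDER.match(s) for s in suffixes):
            problems.append(f"{guid}: DomainSuffixMatch missing or placeholder")
        for ref in eap.get("ServerCARefs", []):  # every ref must resolve to a CA entry
            if ref not in authorities:
                problems.append(f"{guid}: ServerCARefs {ref!r} has no Authority certificate")
        alias = eap.get("ClientCertKeyPairAlias", "")
        if not alias or PLACEHOLDER.match(alias):
            problems.append(f"{guid}: ClientCertKeyPairAlias missing or placeholder")
    return problems
```

Load wifi-eap-tls.json with `json.load` and pass the result to `lint_profile`; an empty list means none of these checks failed.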
See status
To check the status, go to the host and select OS settings in Fleet.
If the profile shows the error "openNetworkConfiguration" setting couldn't apply to a host. Reason: INVALID_VALUE., the certificate specified in ClientCertKeyPairAlias isn't available on the host. Verify that the name matches the certificate in Controls > OS settings > Certificates and that the certificate deployed successfully.
If a Wi‑Fi configuration profile is deployed before the certificate is installed on the host, it will fail with the same error. This will be fixed in #42405. In the meantime, delete and re-add the Wi‑Fi profile after the certificate is installed.
End user experience
The network is saved, but the end user must select it once in Wi-Fi settings. After that, the device reconnects automatically.
To skip the manual step, set AutoConnect to true in the profile — the device will connect automatically without end user action, unless the end user disables auto-connect for this network.