Setting up Wi-Fi Profiles with Certificate-based Authentication on Android via Intune Hybrid and the Case of the Missing Wi-Fi Certificate
I was recently at a customer that was having trouble getting their user certificate to be used for the corporate Wi-Fi profile on Android devices. When checking the user certificates in Settings, the user certificate only showed up under "user" while "Wi-Fi" was empty.
After a device is enrolled, it begins to download policy. Once it receives the policy to request certificates using SCEP, the device attempts to obtain a certificate and places it in the user certificate store. After this, the Company Portal evaluates the Wi-Fi profile settings and tries to match a certificate to use. If the Company Portal finds a certificate, it inserts it into the Wi-Fi profile and installs the profile on the device. When the Company Portal has configured a Wi-Fi profile, a notification is displayed on the device.
If the Company Portal finds the certificate, it is injected into the profile before the profile is added; it is not referenced from the system store. If this succeeds, the certificate is visible under the Wi-Fi section in user certificates.
If it fails, the certificate is not listed under Wi-Fi.
After many hours of troubleshooting, I found the following configuration worked for this customer, so I thought I'd share it in case it works for you. The important thing to note here is that the criteria on the Certificate Selection screen (Wi-Fi Profile > Security Configuration > Configure > Advanced) must match the certificate template you are installing, so that the Company Portal can find and inject the certificate into the Wi-Fi profile. This seems to differ from iOS and Windows Phone, where the criteria can be less specific (unverified in general, but certainly the case at this customer).
Finding the right settings for each platform (and even platform version) can be a bit of an art. I recommend having a specific Wi-Fi profile for each platform. Changing a setting for one profile might accidentally affect another, and unless you are testing each platform each time you make a change, this can result in unhappy customers. You can restrict which platforms the profile applies to on the Supported Platforms tab of the Wi-Fi profile in Configuration Manager.
Certificate Template Requirements
The template requirements will vary depending on your Wi-Fi infrastructure. However, from a Configuration Manager / Android perspective, the certificate will require at least:
- the Client Authentication EKU; and
- the UPN in the subject alternative names.
Configuration Manager Wi-Fi Profile Settings
Each of the settings screens below is found within the Security Configuration tab of the Wi-Fi profile:
On the Wi-Fi Profile > Security Configuration > Configure screen:
- Select Use a certificate on this computer;
- Tick Use simple certificate selection;
- Click Advanced and follow the instructions in the next section to specify the certificate selection rules.
The Verify the server's identity by validating the certificate section of this screen is used by Android to restrict connections to Wi-Fi networks whose server certificate is signed by a particular authority. This is NOT required for certificate selection, but it can be used as an extra layer of security.
On the Configure Certificate Selection screen under Wi-Fi Profile > Security Configuration > Configure > Advanced:
- Select the attributes that directly match the certificate template you want to associate with the Wi-Fi profile (matching the Enhanced Key Usage (EKU) with the certificate template on this screen is critical).
Tip: Untick All Purpose and Any Purpose and directly match the EKUs of the certificate you want to match (the certificate being issued by SCEP).
Tip: Only select the Certificate Authority that will actually issue the certificate, not each certificate in the chain. Android only accepts one CA for selection; if multiple CAs are provided, the selection will fail.
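As an added example (not from the original post), the Python below emulates the Company Portal's matching against the template requirements above and the selection criteria just described: a certificate is accepted only if its issuer is the single selected CA, it carries every ticked EKU, and its subject alternative names contain a UPN. It uses the cryptography package to build constructed self-signed certificates standing in for the SCEP-issued one; the function names, CA names and UPN are hypothetical, the UPN and anyExtendedKeyUsage OIDs are the standard values rather than values from the post, and "Any Purpose" is modelled as requiring the anyExtendedKeyUsage OID.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName (well-known OID)
ANY_EKU = x509.ObjectIdentifier("2.5.29.37.0")             # anyExtendedKeyUsage, modelled as "Any Purpose"
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH              # the EKU the template must carry

def issue_test_cert(issuer_cn, ekus, upn=None):
    """Constructed self-signed certificate standing in for the SCEP-issued user cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.ExtendedKeyUsage(ekus), critical=False))
    if upn is not None:  # the UPN travels as a DER UTF8String (tag 0x0C) inside an otherName SAN
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.OtherName(
            UPN_OID, bytes([0x0C, len(upn.encode())]) + upn.encode())]), critical=False)
    return builder.sign(key, hashes.SHA256())

def _ext(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None

def selection_failures(cert, issuer_cn, required_ekus):
    """Reasons the Configure Certificate Selection criteria reject this cert ([] = match)."""
    failures = []
    cn = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != issuer_cn:
        failures.append(f"issuer {cn!r} is not the selected CA {issuer_cn!r}")
    present = set(_ext(cert, ExtensionOID.EXTENDED_KEY_USAGE) or [])
    for eku in required_ekus:
        if eku not in present:  # every ticked EKU must literally appear in the certificate
            failures.append(f"certificate lacks required EKU {eku.dotted_string}")
    san = _ext(cert, ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    if not (san and any(o.type_id == UPN_OID for o in san.get_values_for_type(x509.OtherName))):
        failures.append("no UPN in subject alternative names")
    return failures

def select_wifi_certificate(certs, selected_cas, required_ekus):
    """Emulate Company Portal picking a user-store cert to inject into the Wi-Fi profile."""
    if len(selected_cas) != 1:
        return []  # Android accepts exactly one CA in the criteria; more than one fails selection
    return [c for c in certs if not selection_failures(c, selected_cas[0], required_ekus)]
```

Running selection_failures against a certificate exported from your own issuing CA shows which of the three rules the template or the profile criteria are violating.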
Remember, once you've updated the configuration in Configuration Manager it needs to be uploaded to Intune (monitor via dmpuploader.log) before it will be available to mobile devices. The sync happens approximately every 5 minutes. During testing I found that the SCEP certificate and Wi-Fi profile were applied to the device in different syncs (never in the same sync). I didn't get a chance to see how long it would take for this to all download and apply without continually clicking "check compliance" (because I'm impatient).
If you found this blog post interesting or useful, please comment below or use the stars at the top of the page to rate the post!