Configure Android Wifi profile with Intune

By | February 19, 2019

I have come across many errors when creating Android and Android Enterprise/for work Wifi profiles that authenticate with a certificate. There seems to be a bug in the normal Wifi profile creator in Microsoft Intune. The only way I have succeeded in creating a Wifi profile for Android that validates with a certificate was with a custom OMA-URI string.

To do before deploying the Wifi profile:
1. Deploy the RootCA to the device
2. Deploy the intermediate certificate (if you have one)
3. Deploy the user certificate to the device

To configure the custom Wifi profile, do the following:

Go to the Azure portal and navigate to Intune from “All Services” at the top.

Create a profile with the following values:
Name: Type the name of your profile
Platform: Choose “Android” or “Android Enterprise”; it will work for both
Profile Type: Custom


Configure OMA-URI Settings with the following values:
Name: Corporate WiFi
OMA-URI: ./Vendor/MSFT/WiFi/Profile/SSIDNAME/Settings
Data Type: String
Value: See XML below

YOU HAVE TO REPLACE THE FOLLOWING VALUES WITH YOUR OWN:
1. SSIDNAME: Replace “SSIDNAME” with your broadcast SSID in the OMA-URI setting above and in the XML text (line 7).
2. SSIDHEXNAME: Replace “SSIDHEXNAME” with the hex form of your broadcast SSID in the XML text (line 6). (Use a text-to-hex converter to find your SSID's hex value.)
3. TrustedRootCA: Replace the run of “aa” in the XML text (line 45) with the thumbprint of the RootCA that you have deployed to your devices.
4. IssuerHash: Replace the run of “bb” in the XML text (line 53) with the thumbprint of the intermediate certificate that you have deployed to your devices.
NOTE!: If you don't use an intermediate certificate, replace “bb” with your RootCA thumbprint.

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>Corporate WiFi</name>
<SSIDConfig>
<SSID>
<hex>SSIDHEXNAME</hex>
<name>SSIDNAME</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<useOneX>true</useOneX>
<FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
</authEncryption>
<PMKCacheMode>disabled</PMKCacheMode>
<preAuthMode>disabled</preAuthMode>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>false</cacheUserData>
<authMode>User</authMode>
<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
<TrustedRootCA>aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa </TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<CAHashList Enabled="true">
<IssuerHash>bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb </IssuerHash>
</CAHashList>
<EKUMapping>
<EKUMap>
<EKUName>Encrypting File System</EKUName>
<EKUOID>1.3.6.1.4.1.311.10.3.4</EKUOID>
</EKUMap>
<EKUMap>
<EKUName>Secure Email</EKUName>
<EKUOID>1.3.6.1.5.5.7.3.4</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true">
<EKUMapInList>
<EKUName>Encrypting File System</EKUName>
</EKUMapInList>
<EKUMapInList>
<EKUName>Secure Email</EKUName>
</EKUMapInList>
</ClientAuthEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>
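The substitutions listed above (the OMA-URI path, the SSID hex value, and the space-separated byte form that TrustedRootCA and IssuerHash use) can be produced and applied with a small script. This is an added example, not part of the original post; the SSID and thumbprint values it is fed are constructed placeholders, and the last function only reports the state of the profile's PerformServerValidation flag, which the template above leaves at false, so it is worth checking before deploying.

```python
"""Fill in the placeholders of the custom OMA-URI Wifi profile shown above.
Added example, not from the original post; sample SSID/thumbprint values are constructed."""
import re
import xml.etree.ElementTree as ET

THUMBPRINT_HEX_DIGITS = 40  # certificate thumbprints are SHA-1 hashes: 20 bytes
EAPTLS_V2 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"


def ssid_to_hex(ssid: str) -> str:
    """SSIDHEXNAME: the SSID's UTF-8 bytes as hex, what a text-to-hex converter gives."""
    return ssid.encode("utf-8").hex().upper()


def normalize_thumbprint(thumbprint: str) -> str:
    """Turn a thumbprint copied from a certificate viewer ('AB:CD:..', 'abcd..', 'ab cd ..')
    into the 'aa aa aa ...' one-byte-per-token form used by <TrustedRootCA> and <IssuerHash>."""
    digits = re.sub(r"[^0-9a-fA-F]", "", thumbprint).lower()
    if len(digits) != THUMBPRINT_HEX_DIGITS:
        raise ValueError(f"expected {THUMBPRINT_HEX_DIGITS} hex digits, got {len(digits)}")
    return " ".join(digits[i:i + 2] for i in range(0, THUMBPRINT_HEX_DIGITS, 2))


def profile_values(ssid: str, root_ca_thumbprint: str, intermediate_thumbprint=None) -> dict:
    """All values the post says to replace. With no intermediate CA, IssuerHash is the
    root CA thumbprint, as the post's note says."""
    root = normalize_thumbprint(root_ca_thumbprint)
    issuer = normalize_thumbprint(intermediate_thumbprint) if intermediate_thumbprint else root
    return {"oma_uri": f"./Vendor/MSFT/WiFi/Profile/{ssid}/Settings",
            "SSIDNAME": ssid, "SSIDHEXNAME": ssid_to_hex(ssid),
            "TrustedRootCA": root, "IssuerHash": issuer}


def fill_template(template_xml: str, values: dict) -> str:
    """Substitute the placeholders in the XML text from the post."""
    out = template_xml.replace("SSIDHEXNAME", values["SSIDHEXNAME"])
    out = out.replace("SSIDNAME", values["SSIDNAME"])
    for tag in ("TrustedRootCA", "IssuerHash"):  # the 'aa aa ..' and 'bb bb ..' runs
        out = re.sub(rf"<{tag}>[^<]*</{tag}>", f"<{tag}>{values[tag]}</{tag}>", out)
    return out


def server_validation_enabled(profile_xml: str) -> bool:
    """True only if <PerformServerValidation> (EapTls V2 namespace) reads 'true';
    the post's template sets it to false, so check this before deploying."""
    node = ET.fromstring(profile_xml).find(f".//{{{EAPTLS_V2}}}PerformServerValidation")
    return node is not None and (node.text or "").strip().lower() == "true"
```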
