1

I am having an issue when Android phones are unable to get correct WiFi configuration policy from Intune. Intune is in 'cloud mode' (non-hybrid)

I have the following polices configured in Intune:

  • Deploy root CA certificate (works OK)
  • Deploy SCEP certificate (works OK)
  • Deploy WiFi configuration (this is where the problem is)

Things to note:

  1. Exactly the same configuration for iOS devices works perfectly. So configuration of Intune and WiFi is OK and it seems to be an issue configuring Android device WiFi policy.
  2. I tried using PFX certificate instead of SCEP, hoping it will help in solving issue. It did not
  3. Android is able to receive SCEP certificate from Intune, but it is placed in System store but not in WiFi store. Hence Android is not able to use the certificate for WiFi authentication
J-M
  • 1,492
  • 1
  • 9
  • 16

1 Answers1

0

The following blog post provides solution for Intune hybrid-setup. Unfortunately, it could not be implemented for cloud-based Intune deployment. So I ended up creating OMA-URI config for Android devices based on the information from the blog (thanks goes to Scott Breen for his blog post).

Important: replace the following values in OMA-URI config

  • Corporate WiFi: should be the name of your WiFi SSID name
  • 1234567890ABCDEF: should be hex of your WiFi SSID name (hex exact case of SSID name)
  • 00 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22: SHA-1 hash of Root CA certificate

OMA-URI config

Setting name: Corporate WiFi (replace this with your SSID)

Date type: String

OMA-URI (case sensitive): ./Vendor/MSFT/WiFi/Profile/Corporate WiFi/Settings(replace Corporate WiFi with your SSID)

Value: (replace values mentioned previously)

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>Corporate WiFi</name>
    <SSIDConfig>
        <SSID>
            <hex>1234567890ABCDEF</hex>
            <name>Corporate WiFi</name>
        </SSID>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>WPA2</authentication>
                <encryption>AES</encryption>
                <useOneX>true</useOneX>
                <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
            </authEncryption>
            <PMKCacheMode>disabled</PMKCacheMode>
            <preAuthMode>disabled</preAuthMode>
            <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                <cacheUserData>false</cacheUserData>
                <authMode>User</authMode>
                <EAPConfig>
                    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                        <EapMethod>
                            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
                            <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                            <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                            <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                        </EapMethod>
                        <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                                <Type>13</Type>
                                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                                    <CredentialsSource>
                                        <CertificateStore>
                                            <SimpleCertSelection>true</SimpleCertSelection>
                                        </CertificateStore>
                                    </CredentialsSource>
                                    <ServerValidation>
                                        <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                                        <ServerNames></ServerNames>
                                        <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 </TrustedRootCA>
                                    </ServerValidation>
                                    <DifferentUsername>false</DifferentUsername>
                                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                                    <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                                        <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                                            <CAHashList Enabled="true">
                                                <IssuerHash>00 11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF 00 11 22 </IssuerHash>
                                            </CAHashList>
                                            <EKUMapping>
                                                <EKUMap>
                                                    <EKUName>Encrypting File System</EKUName>
                                                    <EKUOID>1.3.6.1.4.1.311.10.3.4</EKUOID>
                                                </EKUMap>
                                                <EKUMap>
                                                    <EKUName>Secure Email</EKUName>
                                                    <EKUOID>1.3.6.1.5.5.7.3.4</EKUOID>
                                                </EKUMap>
                                            </EKUMapping>
                                            <ClientAuthEKUList Enabled="true">
                                                <EKUMapInList>
                                                    <EKUName>Encrypting File System</EKUName>
                                                </EKUMapInList>
                                                <EKUMapInList>
                                                    <EKUName>Secure Email</EKUName>
                                                </EKUMapInList>
                                            </ClientAuthEKUList>
                                        </FilteringInfo>
                                    </TLSExtensions>
                                </EapType>
                            </Eap>
                        </Config>
                        </EapHostConfig>
                </EAPConfig>
            </OneX>
        </security>
    </MSM>
</WLANProfile>
J-M
  • 1,492
  • 1
  • 9
  • 16