I was recently at a customer that was having trouble getting their user certificate to be used for the corporate Wi-Fi profile on Android devices. When checking the user certificates in settings, the user certificate only showed up under “user” while “Wi-Fi” was empty.
After a device is enrolled, it begins to download policy. Once it receives the policy to request certificates using SCEP, the device will attempt to get a certificate and place it in the user certificate store. After this, the Company Portal will begin to evaluate the Wi-Fi profile settings and try to match a certificate to use. If the Company Portal finds a certificate, it will insert it into the Wi-Fi profile and install it on the device. When the Company Portal has configured a Wi-Fi profile, a notification will be displayed on the device.
If the Company Portal finds the certificate, it is injected into the profile before the profile is added; it is not referenced from the system store. If successful, the certificate will be visible under the Wi-Fi section in user certificates.
If it’s not successful, the certificate won’t be listed under Wi-Fi.
After many hours of troubleshooting, I found the following configuration worked for this customer so I thought I’d share it in case it works for you. The important thing to note here is that the settings on the Security Configuration screen must match the certificate template you are installing so that the Company Portal can find and inject the certificate into the Wi-Fi profile. This seems to differ on iOS and Windows Phone where the criteria can be less specific (unverified in general, but certainly the case at this customer).
Each of the settings below is found on the Security Configuration tab of the Wi-Fi profile:
Wi-Fi Profile > Security Configuration > Configure
On the Wi-Fi Profile > Security Configuration > Configure screen, select Use a certificate on this computer and Use simple certificate selection. Click Advanced and follow the instructions in the next section.
Wi-Fi Profile > Security Configuration > Configure > Advanced
On the Advanced screen under Wi-Fi Profile > Security Configuration > Configure > Advanced, select the attributes that directly match the certificate you want to associate with the Wi-Fi profile.
Tip: Untick All Purpose and Any Purpose and directly match the EKUs of the certificate you want to match (the certificate being issued by SCEP).
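An added example, not from the original post or from Microsoft: a PowerShell helper (hypothetical name Compare-CertificateEku) that lists the EKU OIDs on a certificate and diffs them against the EKUs ticked on the Advanced screen, so you can see which boxes to change. The sample certificate is constructed in memory; in practice you would load an exported copy of a certificate issued from the SCEP template. Assumes PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not part of Configuration Manager or Intune): list the EKU
# OIDs on a certificate and diff them against the EKUs ticked on the Advanced screen.
function Compare-CertificateEku {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string[]] $ProfileEkuOids
    )
    # Collect the OIDs from the Enhanced Key Usage extension, if the certificate has one.
    $certEkus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $certEkus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $notTicked = @($certEkus | Where-Object { $_ -notin $ProfileEkuOids })
    $notOnCert = @($ProfileEkuOids | Where-Object { $_ -notin $certEkus })
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        CertificateEkus = $certEkus
        HasEkuExtension = ($certEkus.Count -gt 0)
        NotTicked       = $notTicked   # on the certificate, not selected in the profile
        NotOnCert       = $notOnCert   # selected in the profile, absent from the certificate
        ExactMatch      = ($certEkus.Count -gt 0 -and $notTicked.Count -eq 0 -and $notOnCert.Count -eq 0)
    }
}

# Constructed sample: an in-memory self-signed certificate standing in for an issued
# SCEP certificate, carrying Client Authentication and Secure Email EKUs.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=constructed-test-user', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$ekus = [OidCollection]::new()
'1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4' | ForEach-Object { [void]$ekus.Add([Oid]::new($_)) }
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

# Profile with only Client Authentication ticked: NotTicked reports Secure Email
# (1.3.6.1.5.5.7.3.4) and ExactMatch is False.
Compare-CertificateEku -Certificate $cert -ProfileEkuOids '1.3.6.1.5.5.7.3.2'
```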
Wi-Fi Profile > Security Configuration > Root CA
On the Root Certificates screen, select the tick box for the Root CA certificate profile you want to associate with the Wi-Fi profile. You will need to have created this before you create the Wi-Fi profile under Configuration Manager Console > Assets and Compliance > Compliance Settings > Company Resource Access > Certificate Profiles.
Tip: Only select the Root Certificate Authority that will actually issue the certificate, not each certificate in the chain.
Wi-Fi Profile > Security Configuration > Client Authentication Certificate
On the Client Certificate screen, select the tick box for the SCEP certificate profile you want to associate with the Wi-Fi profile. You will need to have created this before you create the Wi-Fi profile under Configuration Manager Console > Assets and Compliance > Compliance Settings > Company Resource Access > Certificate Profiles.
Remember, once you’ve updated the configuration in Configuration Manager it needs to be uploaded to Intune (monitor via dmpuploader.log) before it will be available to mobile devices. The sync happens approximately every 5 minutes. During testing I found that the SCEP certificate and Wi-Fi profile were applied to the device in different syncs (never in the same sync). I didn’t get a chance to see how long it would take for this to all download and apply without continually clicking “check compliance” (because I’m impatient).