User Cert not visible after Android 13 migration

JoergK
Zebra Technologies International, LLC

Hi guys,

I need to understand how to keep already installed certificates visible (after migrating from A11 to A13) on the device in the setting UI:

Settings/Security/More security settings/Encryption & credentials/Trusted credentials/Tab User

My customer uses cert provisioning via SOTI profiles "Certificates".

Now, the issue is that it is a Zebra SD660 (e.g. TC57x) device that has been migrated from A11 to A13, each at the latest patch level. It is known that because of the encryption method change from Full Disk Encryption (FDE) to File Based Encryption (FBE) an enterprise reset is performed prior to the reboot into A13.

Luckily the SOTI agent and the Wi-Fi profile stay fully installed and survive the migration. Using the Zebra provided ZCP (Zebra Conversion Package) shows the same result. Anyway, ZCP is not an option.

In essence all certificates previously installed also remain valid and working.

But:

The user certs do not show up in the settings UI of the device anymore. This is seen as a crucial problem because in any case of an issue the support person will check the certificate in this UI via a remote control session.

The alternative of (re-)installing certs via StageNow CertMgr is not an option - certs are only allowed to be installed via SOTI profiles / SCEP.

Hope somebody out there has solved a similar issue.

All best from Germany

Jörg


a year ago
SOTI MobiControl
ANSWERS
JoergK
a year ago

+ adding:

Revoking and reinstalling the profile does not help.

Uninstalling the cert via a legacy script such as certdelete -issuer "Entrust Root Certification*" -sn C2BB63xxxxxxxxxxxxxx does not work in A13, so it does not help to have the basis for reinstalling the profile.

Matt Dermody Diamond Contributor
a year ago

I have not encountered this yet myself, but it seems like the issue that you're having is that the certs are not automatically re-installing after Enterprise Reset because SOTI thinks they should already be installed. To work around this you could have a Profile for the Certs and set the Filter Criteria for OS Version <= 11. Then clone that Profile and set the OS Version >= 13 on the cloned version of the Cert Profile. This could theoretically trigger SOTI to reinstall the certs once the devices check back in after the A11 to A13 migration, as they'd be eligible for a new Profile that wasn't previously installed on the devices.

JoergK
a year ago

Hi Matt,

Firstly, I need to thank you a lot for all you do here for the community!!!

I did exactly what you recommended:

- set device back to A11

- installed profile with cert to conditionally install for A11

- cloned it with conditional install for A13

- migrated device from A11 to A13

- cloned profile is installed

- still UI does not show the cert in User Tab

For me it looks like somehow the access right to the cert has changed for the UI so it cannot show the cert anymore in the User Tab. The SOTI console is showing it and the cert does the job - really weird!

Any other clue to get around this? I think there are millions of SD660 devices out there having the same issue.

Best wishes

Jörg

Matt Dermody Diamond Contributor
a year ago

I understand the issue a little better now. Evidently the cert is present because the services that rely on it are functional. Your issue is the lack of visibility of the cert when trying to navigate to it, because your support teams rely on that visibility in their troubleshooting efforts.

My perspective is that using Remote Control and diving into the Settings to get to the certificate view on the device is inherently laborious and likely unnecessary when you have this view of installed certificates in the Security tab. It may be a change in workflow but I would think inspecting what certificates are installed on the device here would be faster:

As for why the certs are not visible anymore at the device side I can't really say. We know each version of Android comes with increasing security related restrictions and this could be one of those. Maybe it has something to do with User Mode vs Admin mode in SOTI. When you exit the kiosk in Remote Control are you also entering Admin mode at the same time?

It may also be a function of Remote Control on A13. I see that you're not using the plugin in the second screenshot based on the presence of the Chromecast looking icon in the top corner. Maybe the behavior would be different with the OEM plugin installed on that device?

JoergK
a year ago

The ugly thing is that certs that survive the migration by keeping the cert profile installed during that process cannot be uninstalled in A13 anymore. Revoking the profile after booting into A13 does not have any effect, while in A11 revoking the profile will delete all the user certs.

Now, I have recommended my customer to do the following:

- before migration revoke the user cert profile (conditionally installed for A11)

- set a cert profile for certs conditionally for A13

- execute the migration from A11 to A13

- A13 profile gets installed, certs are then visible in the settings UI and can be revoked

The only caveat is that there should not be a relevant network cert that would lead the device to disconnect.

I will post the answer here I get from the customer.

To your questions: I am not using a kiosk in my scenario, nor do I use plugins since A10 anymore, as these are no longer signed by Zebra anyway.

Matt Dermody Diamond Contributor
a year ago

I still use the Zebra Plugin on SD660 Helios devices, even those that are upgraded to A13, for what it's worth. I don't use the plugin on Athena or Nemesis devices though. Remote Control with the Plugin is better than Remote Control without as the new RC access causes the device screen to refresh during the connection which is disruptive to end users. The plugin allows for a more seamless background connection to Remote Control.

AKMOD@SOTI
a year ago

Hi Joerg,

Thanks for posting on SOTI Pulse. Thanks Matt for responding to the post, your expertise and willingness to help are greatly appreciated!

Have you had an opportunity to test the solutions suggested by Matt, and have they successfully addressed your query?

If not, or if you have any additional questions or concerns, please don't hesitate to reach out. We're dedicated to providing assistance and support.