QR-Code Enrollment for EAP (PEAP-MSCHAPV2)

JD
John Doe
Eisen Karl GmbH

Hello,

I've come up with the following barcode payload for enrolling devices with a built-in QR-code reader for using enterprise Wi-Fi. Please don't ask why we do not validate the server certificate etc.:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://soti.net/apk/ae2",
"android.app.extra.PROVISIONING_WIFI_SSID":"SSID",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"EAP",
"android.app.extra.PROVISIONING_WIFI_EAP_METHOD":"PEAP",
"android.app.extra.PROVISIONING_WIFI_PHASE2_AUTH":"MSCHAPV2",
"android.app.extra.PROVISIONING_WIFI_IDENTITY":"User",
"android.app.extra.PROVISIONING_WIFI_PASSWORD":"Password",
"android.app.extra.PROVISIONING_WIFI_PROXY_HOST":"proxy",
"android.app.extra.PROVISIONING_WIFI_PROXY_PORT":"8080",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true,
"android.app.extra.PROVISIONING_LOCALE":"de_DE",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,
"android.app.extra.PROVISIONING_TIME_ZONE":"Europe/Amsterdam",
"android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS":true,
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
    "enrollmentId":"Local Adress",
    "PROVISIONING_MODE":"FULLY_MANAGED_DEVICE"}
}

This code is then read, but Android doesn't even try to use the declared network.

(there are no logins registered on the radius server)

Is here anyone out there that has done this before?
Also I was wondering if the manufacturer has to implement the new EAP functionality first for enrollment?
This was released with Android 10, when I was searching for it.

2 years ago
Android
ANSWERS
RS
Rafael Schäfer
2 years ago

As you got the base data from me, I can only confirm that it worked using WPA/WPA2.

But I also remember I had problems using a proxy; please try without (just for testing).

And I think you can only enter an enrollment ID in the enrollmentId field. If you want to provide the enrollment URL you have to use a different identifier, but I'm not quite sure.

JD
John Doe
2 years ago

Using the URL works.

In theory it should also be possible to download the agent file from an internal HTTP server, as described here:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"http://<INTERNAL_SERVER_IP>/GoogleMobiControl1501_1051.apk",
"android.app.extra.PROVISIONING_SKIP_ENCRYPTION":true,
"android.app.extra.PROVISIONING_LOCALE":"pt_BR",
"android.app.extra.PROVISIONING_WIFI_SSID":"<INTERNAL_SSID>",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":false,
"android.app.extra.PROVISIONING_WIFI_IDENTITY":"<INTERNAL_USER_ID>",
"android.app.extra.PROVISIONING_WIFI_PASSWORD":"<INTERNAL_USER_ID_PASSWORD>",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE":"EAP",
"android.app.extra.PROVISIONING_WIFI_EAP_METHOD":"PEAP",
"android.app.extra.PROVISIONING_SKIP_USER_CONSENT":true,
"android.app.extra.PROVISIONING_TIME_ZONE":"America/Sao_Paulo"
}

Source - https://discussions.soti.net/thread/device-deployment-without-internet-access-v15-2?order=Votes

RC
Raymond Chan Diamond Contributor
2 years ago

Hi John,

How did you "come up" with keywords such as "android.app.extra.PROVISIONING_WIFI_EAP_METHOD" and "android.app.extra.PROVISIONING_WIFI_PHASE2_AUTH"? From some official on-line document(s) from Google, or hearsay from another forum? Or from Rafael, as he just claimed?

I believe if you choose "PEAP" and "MSCHAPV2" respectively as the arguments for the two mentioned keyword fields, you AT LEAST need to specify the CA certificate and/or domain in the config file. Without all the required parameters, doing any test on real hardware is simply a waste of time.

As I do not have all the required hardware/infrastructure to do any tests, I cannot be 100% sure, but I strongly believe the device firmware as well as the provisioning software (MobiControl Stage app in this case) need to support such a Wi-Fi mode and provisioning method. I hope some forum moderators from Soti can give an official answer on whether the latest MobiControl Stage app supports device provisioning via EAP/PEAP Wi-Fi as officially defined by Google. You might need to contact the device OEM support directly to officially confirm whether their device model supports QR/NFC enrollment with an EAP/PEAP Wi-Fi connection.

Without personally getting a positive test result on real hardware myself, I wouldn't bother to mention any of the possible keywords for proper configurations for using various EAP Wi-Fi connection topologies/modes, as I don't want to spread possible misinformation or disinformation to the audience in this forum, wasting anyone's time on trying out tasks that are likely to fail. I just have a different style from some irresponsible participants on this forum.


RS
Rafael Schäfer
2 years ago

Hi Raymond,

just to clarify, I didn't give him those identifiers, only the basic ones to show the structure. I only additionally provided the link to the official documentation about them (https://developer.android.com/reference/android/app/admin/DevicePolicyManager), and you can find both identifiers he used there.

But I don't even have experience with EAP Wi-Fi setup, especially using it for enrollment/QR code etc.

JD
John Doe
2 years ago

Hi,

those types are included in the DPC documentation from Google themselves.
And I found a post from Zebra talking about DPC barcode enrollment using the said keys for EAP.

In the post from Zebra they also said leaving CA empty sets the mode to "Do not Validate".

JD
John Doe
2 years ago
G
GPMOD@SOTI
2 years ago

Hi John,

Thanks for posting on SOTI Pulse, and thank you Raymond and Matt for your responses on the post.

I can confirm that for Android 11, we need a certificate to configure Wi-Fi.

Please find attached a screenshot for more detail.

Thank you.

Kind regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

K
Klaus
2 years ago

Enrollment with this does not work anymore for devices whose Android version has been updated.

So I also have some problems with this. We do not use the proxy settings, but I understand from GPMOD@SOTI that this is something to do with the certificate settings that have changed with Android 11?

What must be done for this to work?

I have looked in the documentation and can see both

EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
and
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE

What is needed to add them?

TA
Thibaud A.
a year ago

Hello,

Has anyone found a solution to this?

Happened to have the same issue. Tried, obviously since the latest Android patch, to add the user certificate within the enrollment QR code.

But the format needed according to the Android documentation:

https://developer.android.com/reference/android/app/admin/DevicePolicyManager#EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE

means certificates that are already 2000+ bytes long.

With all the other information, my QR code is up to 3300 bytes now, which is way too much for a QR code; it can't be processed like that.

Any workaround?
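Two things in this thread are worth checking before a payload is ever printed on a badge: the PEAP/MSCHAPv2 settings in the first post (empty CA field, cleartext APK download URL, proxy, password embedded in the code) and the size problem Thibaud describes once a certificate is added. The script below is an added example written for this thread; it is not SOTI's, Zebra's or Google's code. It uses the EXTRA_PROVISIONING_* string values as documented for DevicePolicyManager, the standard byte-mode capacities of a version-40 QR symbol (2953/2331/1663/1273 bytes at error-correction levels L/M/Q/H), the payload from the first post as constructed sample input, and a constructed stand-in string of about 2 KB in place of a real PEM CA certificate. The finding codes are this example's own names, not anything Android reports.

```python
"""Lint an Android DPC provisioning QR payload for EAP/PEAP problems and check
whether it still fits in a QR symbol. Added example for this thread; not code
from SOTI, Zebra or Google."""
import base64
import json

# EXTRA_PROVISIONING_* string values as documented for DevicePolicyManager.
K_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
K_EAP = "android.app.extra.PROVISIONING_WIFI_EAP_METHOD"
K_PHASE2 = "android.app.extra.PROVISIONING_WIFI_PHASE2_AUTH"
K_CA_CERT = "android.app.extra.PROVISIONING_WIFI_CA_CERTIFICATE"
K_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
K_PROXY_HOST = "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"
K_APK_URL = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_SIG_SUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"

# Byte-mode capacity of a version-40 QR symbol per error-correction level.
QR_V40_BYTES = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}

# Constructed sample input: the payload from the first post in this thread.
BASE_PAYLOAD = {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "net.soti.mobicontrol.androidwork/net.soti.mobicontrol.admin.DeviceAdminAdapter",
    K_SIG_SUM: "hn8mSNJMPcovWbnnWrb-uMpWZjNlNp-jyV_2A-Whumc=",
    K_APK_URL: "http://soti.net/apk/ae2",
    "android.app.extra.PROVISIONING_WIFI_SSID": "SSID",
    K_SECURITY: "EAP",
    K_EAP: "PEAP",
    K_PHASE2: "MSCHAPV2",
    "android.app.extra.PROVISIONING_WIFI_IDENTITY": "User",
    K_PASSWORD: "Password",
    K_PROXY_HOST: "proxy",
    "android.app.extra.PROVISIONING_WIFI_PROXY_PORT": "8080",
    "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": True,
    "android.app.extra.PROVISIONING_LOCALE": "de_DE",
    "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": True,
    "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/Amsterdam",
    "android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS": True,
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "enrollmentId": "Local Adress",
        "PROVISIONING_MODE": "FULLY_MANAGED_DEVICE",
    },
}

# Constructed stand-in for a ~2 KB PEM CA certificate (not a real certificate).
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\n" + "A" * 2100 + "\n-----END CERTIFICATE-----"


def checksum_is_well_formed(value: str) -> bool:
    """The signature checksum is URL-safe base64 of a 32-byte SHA-256 digest."""
    padded = value + "=" * (-len(value) % 4)  # tolerate omitted '=' padding
    try:
        return len(base64.urlsafe_b64decode(padded)) == 32
    except (ValueError, TypeError):
        return False


def lint_payload(payload: dict) -> list:
    """Return finding codes (this example's own names) for settings to review before rollout."""
    findings = []
    if payload.get(K_SECURITY) == "EAP":
        if payload.get(K_EAP) == "PEAP" and payload.get(K_PHASE2) == "MSCHAPV2":
            if not payload.get(K_CA_CERT):
                # Empty CA field = "Do not Validate": the RADIUS server is never
                # authenticated, and Android 11 refuses the config anyway.
                findings.append("NO_CA_CERT")
    if payload.get(K_PASSWORD):
        findings.append("PLAINTEXT_WIFI_PASSWORD")  # readable by anyone who scans the code
    if str(payload.get(K_APK_URL, "")).startswith("http://"):
        # Cleartext download; only the signature checksum guards the agent APK.
        findings.append("CLEARTEXT_APK_URL")
    if not checksum_is_well_formed(str(payload.get(K_SIG_SUM, ""))):
        findings.append("BAD_SIGNATURE_CHECKSUM")
    if payload.get(K_PROXY_HOST):
        findings.append("PROXY_CONFIGURED")  # reported above as a source of enrollment trouble
    return findings


def encoded_size(payload: dict) -> int:
    """Bytes the QR encoder has to carry: compact JSON, UTF-8."""
    return len(json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8"))


def qr_fit(payload: dict) -> dict:
    """Which error-correction levels of a version-40 QR symbol can hold the payload."""
    size = encoded_size(payload)
    return {level: size <= cap for level, cap in QR_V40_BYTES.items()}


if __name__ == "__main__":
    print("findings:", lint_payload(BASE_PAYLOAD))
    print("size:", encoded_size(BASE_PAYLOAD), "fits:", qr_fit(BASE_PAYLOAD))
    with_ca = dict(BASE_PAYLOAD, **{K_CA_CERT: FAKE_CA_PEM})
    print("with CA cert:", encoded_size(with_ca), "fits:", qr_fit(with_ca))
```

Running it shows the first post's payload well inside the QR budget but with an empty CA field, and the same payload plus a PEM certificate over 2953 bytes, so no error-correction level of even the largest symbol can carry it. That is the arithmetic behind the 3300-byte figure above, and it is why a certificate-bearing payload has to shed bytes (shorter APK URL, dropped optional extras) or move the certificate out of the code.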