Enterprise Wi-Fi Profiles Fail to Install After Google Pushes OTA Security Update for Android 11+

Issue

A recent firmware update pushed by Google to Android 11 and later devices may impact management of these devices due to a Wi-Fi configuration issue.

All versions of SOTI MobiControl are impacted.

802.1x Enterprise Wi-Fi configurations will fail to install, resulting in devices losing their Wi-Fi network configuration. If no alternative network is available, such as cellular data, the device may completely lose network connectivity.

This affects Android

Issue

A recent firmware update pushed by Google to Android 11 and later devices may impact management of these devices due to a Wi-Fi configuration issue.

All versions of SOTI MobiControl are impacted.

802.1x Enterprise Wi-Fi configurations will fail to install, resulting in devices losing their Wi-Fi network configuration. If no alternative network is available, such as cellular data, the device may completely lose network connectivity.

This affects Android 11+ devices that receive Google’s OTA Android mainline April 2023 update, and are enrolled as Android Enterprise Work Managed, Corporate Personal or Android Classic.

Cause

As of Google’s Android mainline April 2023 update, Wi-Fi authentication for 802.1x Enterprise Wi-Fi profiles will fail if a domain suffix match and matching Root certificate has not been provided in the configuration. 

Prior to this update, the domain field was ignored during the Wi-Fi authentication process on Android devices. 

Since the domain field was previously ignored by Android, SOTI MobiControl does not provide a mechanism to set the domain field for the Enterprise Wi-Fi payload. 

On devices that have received the update, when the Wi-Fi certificate is renewed or its configuration is reinstalled, the 802.1x Enterprise Wi-Fi profile will fail to install. 

Resolution

We recommend you follow the steps below to establish your Enterprise Wi-Fi connection.  

1. Upgrade to SOTI MobiControl Android Agent version 15.4.4.  

2. Obtain the Root certificate from the Authentication server and the correct Domain name suffix/value of that certificate. This will be used in the script shared in the next step. 

3. Push the following script to all devices with the upgraded Android agent: 

      writeprivateprofstring WifiExtraDomainSuffixMatch "<SSID>" "<Domain Name>"

          For example:

      writeprivateprofstring WifiExtraDomainSuffixMatch "SSID ABC" "ABC.com"

 4.  Repeat step 2 and 3 for each Enterprise SSID to be configured. Additional domain names can be accounted for in your script by using semicolons, e.g., “ABC.com;Otherdomain.com”. 

 5. Update the Wi-Fi Profile including the correct Root certificate for the Authentication server. 

If you are using a public certificate on authentication server, please call SOTI MobiControl Support team for assistance. 

Workaround

Plan for a Backup Wi-Fi Configuration

If unable to deploy the resolution in a timely manner, it is recommended that customers configure a backup Wi-Fi profile that is a non-Enterprise Wi-Fi profile (WPA/WP2) which will allow the Android agent to re-establish its connection to the SOTI MobiControl server if the 802.1x Enterprise Wi-Fi profile is lost. You can also use an OEM tool like Zebra StageNow or Honeywell Enterprise Provisioner to configure the Wi-Fi profile on Zebra and Honeywell devices, respectively. 

 
If you have any questions about this contact our support team.  Customers with Enterprise Service should direct their inquiries to their Technical Account Manager.