Install Certificate Authority on personnally owned device via Android Management API Policies

pp123p
Level 1.5: Cupcake

Hello community,

 

I am trying to install a Certificate Authority on android devices via work profiles. The devices have been enrolled via Android Management API, and the policy is applied on devices without any problems (as reported by Android Management API).

 

I used the openNetworkConfiguration field on the policy as followed : 

 

    "openNetworkConfiguration": {
        "Type": "UnencryptedConfiguration",
        "NetworkConfigurations": [],
        "Certificates": [
            {
                "GUID": "company-certificate-authority-19201",
                "Type": "Authority",
                "X509": "MIIF... (base64 encoded DER certificate authority)",
                "TrustBits": ["Web"]
            }
        ]
    }

 

Nevertheless, this do not seem to work. I checked in the phone settings > certificate authorities and there is no certificate authority on the work profile. When I try to visit a website with a certificate signed by the aforementionned CA, I get certificate authority unknown error.

 

Are these settings ignored on-purpose ? Did I missed something ?


By the way, I already tried the following without success:

 

  • Use PEM-encoded-base64ed in the X509 field instead of DER-encoded (DER-encoded certs is used in the example provided in the openNetworkConfiguration spec).
  • Use "Server" type instead of "Authority"
  • Do not use the "TrustBits" setting


Thanks for your help 🙂

4 REPLIES 4

Lizzie
Google Community Manager
Google Community Manager

Hello @pp123p,

 

Welcome to the Customer Community. 

 

@jasonbayton @Moombas wondering if you have any thoughts on this? 

 

Thanks so much,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

Moombas
Level 4.1: Jelly Bean

I have no experience in coding steps which our MDM is doing via GUI.

And not that confident with work profile in combination with certificates (yet).

So i can't help here. Sorry.

 

The only thing i see here: Didn't Google change something that you need to provide the domain when using certificates as authorization method for Wifi in the configuration?

We had such an issue in our MDM where we wait for a final fix.

pp123p
Level 1.5: Cupcake

Hello and thanks for your answer,

 

I do not need to configure wifi authentication via MDM. What I wanted to do is install a certificate as a trusted certificate authority for the work profile, so that Chrome (for example) does not warn users about "untrusted" certificates signed by our internal certificate authority. 

 

Thanks for your help !

Moombas
Level 4.1: Jelly Bean

I understand but as said "Google has changed the required data", starting with a security patch (don't ask me which it's exactly) you need to provide the domain as well.

You can check this in the device wifi settings if you choose the enterprise certificate authentication. When there's a field apperaing with "domain" you need to provide this as well, otherwise installation of the wifi will fail.