Enterprise Wi-Fi profile no longer applying to certain devices

Solved
MR
Mike Robertson
Nagel Langdons

Hi all,

I have a problem with an existing Android enterprise Wi-Fi profile which I created a year or so ago, it pushes the hidden SSID network with the RADIUS certificate (which expires 2027) to all "manager" devices across our entire company. An authentication profile is deployed with some other bits and pieces in another profile as that is a requirement for the certificate. The new SSID has only been available at our head office over the last year, and our 8 other offices were going to get the enterprise SSID at a later date.

For the past year this profile has been working fine at our head office and hasn't been changed in that time either. The enterprise SSID configuration has been copied across our other 8 sites over the last month via Aruba Central and I have seen most enrolled devices connect to it automatically as they already had the profile in place from when it was implemented a year ago to all manager devices. This should allow all manager devices to join even if they are at a different location to normal. And that should be the end of it!

I started noticing a few devices not joining the hidden SSID automatically when other devices in the same location were joining fine... and I thought perhaps the managers had their Wi-Fi switched off on their device, so I pushed a SOTI script to enable the Wi-Fi radio... no luck. I also found that some devices had automatically made the users aware of an open "Guest" SSID in the same location we have available, and they tried to join that instead but it's a captive portal which requires a logon so does nothing, it in fact breaks their internet connection. "Forgetting" the Guest SSID forced some devices onto the correct SSID. But some were still not joining the required SSID.

In an attempt to force all devices off of the Guest SSID in case that was the problem, I created a new Wi-Fi profile for the Guest SSID and applied it to my device (which was already happily on the correct hidden enterprise Wi-Fi) and I then revoked the profile in an attempt to make it "forget" the Guest Wi-Fi. This worked as expected but for some reason forgot the enterprise SSID that I want manager devices to be on at the same time. Strange I thought, so I revoked that enterprise Wi-Fi profile and reinstalled again. SOTI thinks it's applied, the device thinks it's applied (within the SOTI MobiControl profile list), the device gets the certificate, but the SSID network does not join. I would expect to see it in the "known Wi-Fi" list, but nothing appears. I've removed it from the group, applied it again, restarted, forgotten all network settings and applied it, recreated a brand-new profile to apply the same SSID again, nothing. I cannot deploy this hidden enterprise SSID that hasn't changed or this Wi-Fi profile which also hasn't changed to this device that has happily been using it for the past year. I have the same issue with my colleague in the same office, we re-created the exact same steps, and he cannot join this Wi-Fi now either. I have checked 2/3 other users that I was struggling to see on the correct SSID and can confirm via SOTI remote control that they also do not know of this SSID. 

I enrolled a brand-new device and that picked up all of the configurations as expected, so it does work... but is just being selective!

I spoke to SOTI support and asked them to restart our cloud instance or services as it seems like a niggle rather than a configuration error/issue. No luck.

We were running MobiControl 15.6.0 and I requested they upgrade to the latest version 15.6.4 because our devices are running the latest MobiControl agent from the Google Play Store and I thought there may be some incompatibility mismatch where the agent has upgraded faster than the MobiControl instance. After the MobiControl upgrade, still no luck.

I still have the case open with SOTI but I’m at a loss, I have literally no idea why it won't work for certain devices. No config changes have been made with MobiControl at all! It has been happily working at one site for a year and additional sites were seemingly working as I was adding them and now my device at head office is playing silly buggers, it just seems to be certain devices. Not a specific Android version or type of device, random! Any ideas welcome! If someone had the same issue and a fix, even better!

2 years ago
SOTI MobiControl
ANSWERS
MR
Mike Robertson
2 years ago

EDIT 2: I got it working! So it turns out the "domain" field isn't always a domain... it depends on people's setup. For example, in our case it is actually the name of the certificate authority server! The easiest thing to do is to copy the "Common Name" value that is on the deployed certificate. In our case it was a self-signed Active Directory Certification Services server. Put that in the script instead of the actual domain (the AD domain I originally was trying) and then revoke the certificate and re-deploy. Bam!

EDIT: I spoke too soon. I have got further, the SSIDs appear on the device now. But it comes up with "Authentication failure" when attempting to join the SSID. Has anyone else tried the below and got any further?

Hi all,

SOTI have fixed it! Temporary workaround in place and a permanent fix in 15.6.5 when it is released. Article: Enterprise Wi-Fi Profiles Fail to Install After Google Pushes OTA Security Update for Android 11+

Snippet from the article here for the workaround:

"This issue has been resolved in the 15.4.4 SOTI MobiControl Android Agent Release.

For new enrollments or upgrades to Agent 15.4.4, a script can be used to associate the domain name with the 802.1x Enterprise Wi-Fi profiles which are being deployed via the MobiControl server.

The following script should be sent to all devices, inclusive of those currently enrolled and those which will be enrolled in the future.

writeprivateprofstring WifiExtraDomainSuffixMatch "<SSID>" "<Domain Name>"

For example:

writeprivateprofstring WifiExtraDomainSuffixMatch "SSID ABC" "ABC.com"

where, “SSID ABC” is the SSID and “ABC.com” is the domain name.

For a successful 802.1x Enterprise Wi-Fi connection, it is imperative that the authentication server’s certificate aligns with the domain name specified in the script command.  Additional information about this can be found here.

Repeat the script for each SSID to be configured. Additional domain names can be accounted for by using semicolons, e.g., “ABC.com;Otherdomain.com”.

In the upcoming SOTI MobiControl 15.6.5 server version, the script will no longer be necessary as we will have the domain field available in the web console. We will update this article with details of the updated web console upon its release."

I personally found that you need to push out this script to all required devices, revoke the Wi-Fi profile from each device and then reinstall. But you could probably revoke from all and then redeploy for the same effect.

Thanks all, we got there in the end!

Mike

Solution
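Added example, not part of the original thread or SOTI's article: a Python sketch of how a domain suffix match value such as the one set by `WifiExtraDomainSuffixMatch` is compared with the names on the RADIUS server certificate, and why a certificate that only carries a Common Name needs that Common Name as the value. It assumes the device applies wpa_supplicant's documented `domain_suffix_match` rules; the function names, hostnames and the CA-style common name are constructed for illustration.

```python
# Added illustration. Assumption: matching follows wpa_supplicant's
# domain_suffix_match rules (label-aligned, case-insensitive suffix match;
# subject CN is consulted only when the certificate has no dNSName SAN).

def _labels(name):
    return [p for p in name.strip().lower().rstrip(".").split(".") if p]

def suffix_matches(cert_name, wanted):
    """True when every label of `wanted` ends `cert_name`, label by label."""
    have, want = _labels(cert_name), _labels(wanted)
    return bool(want) and len(have) >= len(want) and have[-len(want):] == want

def server_cert_accepted(match_value, san_dns_names, subject_cn):
    """Check a semicolon-separated match value against one server certificate."""
    candidates = list(san_dns_names) or [subject_cn]
    wanted = [w for w in match_value.split(";") if w.strip()]
    return any(suffix_matches(c, w) for c in candidates for w in wanted)

# Constructed certificates: (dNSName SAN entries, subject CN)
SAN_CERT = (["radius01.corp.example.com"], "radius01")
CN_ONLY_CERT = ([], "CORP-ISSUING-CA01")        # no SAN, single-label CN
SAN_WINS_CERT = (["nps.other.test"], "radius.example.com")

def demo():
    checks = [
        ("example.com", SAN_CERT),
        ("ample.com", SAN_CERT),                 # not label-aligned
        ("abc.com;corp.example.com", SAN_CERT),  # second entry matches
        ("corp.example.com", CN_ONLY_CERT),      # AD domain, cert only has CN
        ("CORP-ISSUING-CA01", CN_ONLY_CERT),     # value copied from the CN
        ("example.com", SAN_WINS_CERT),          # CN ignored because SAN exists
    ]
    return [(value, server_cert_accepted(value, *cert)) for value, cert in checks]

if __name__ == "__main__":
    for value, ok in demo():
        print(f"{value!r:32} -> {'accepted' if ok else 'rejected'}")
```

The check exists so that the device only sends its credentials to a RADIUS server whose certificate name matches the configured value, so the value should be as specific as the deployment allows.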
RS
Rafael Schäfer
2 years ago

We are currently investigating with Soti a Wifi issue which sounds similar to yours.

Does this only happen if you use a certificate based authentication Wifi or also password based?

MR
Mike Robertson
2 years ago

Yes we only have certificate based authentication in our environment except one SSID which is like a "Staging Wi-Fi" for when we deploy new devices, that appears to work fine. Sounds like the same issue.

I've had no response really from SOTI regarding this, have you got any further information that you'd be willing to share or a case number I could also point our case owner in the direction of?

The reason we opted for Enterprise (certificate based authentication) Wi-Fi was to avoid end users sharing the password for the Wi-Fi as password based allows you to view the password in clear text or share via NFC or QR code and end user personal devices could end up in our environment with no MDM.

RS
Rafael Schäfer
2 years ago

Regarding the case: For sure: You got the case number via PM
But we have this issue only on one specific device, so not sure if it's really the same issue.

Regarding the sharing of Wifi:
Because of this we decided to lock the possibility of changing Wifi settings (wifi management) via feature control which also blocks the sharing because you can't access such a menu then anymore.

They still can enable/disable it but are not able to manage any Wifi. I would also recommend disabling tethering if not needed (and having SIM cards in the devices) to prevent them from using the mobile data for their private devices.

MR
Mike Robertson
2 years ago

Thanks for the case ref. I'll mention it to SOTI if they come up with nothing. I'll be sure to post any resolution here if they do get it sorted if you don't hear anything before me.

MD
Matt Dermody Diamond Contributor
2 years ago

Are these Android 13 devices by chance that are impacted? I have seen issues with recent security updates on A13 relative to Enterprise Wifi. 

MR
Mike Robertson
2 years ago

Hi Matt,

A mixture unfortunately. I have noticed SOME of the "corporate owned" devices affected are running Android 10/Android 11. (Motorola Macro One and Motorola G9 Play devices). But my personal device set up in Work Profile (BYOD) is also affected by this and a colleague's, that is running Android 13. (Samsung S22 Ultra and my colleague's is Samsung A54). But I have a test device (Nokia XR20) which is Android 13, which has no problems when deploying and if I forget the Wi-Fi and then revoke and reinstall the profile, the Wi-Fi comes back as expected. It seems so random, unless it hates Motorola and Samsung devices all of a sudden!

RS
Rafael Schäfer
2 years ago

@Matt: In our case: Yes and no (A12/A13), and Soti is still investigating. The strange thing is that (in our case) devices which have been enrolled in the past with an older agent and rebooted are no longer able to (re-)install that certificate based Wifi (initial setup goes fine, always) but if you enroll with latest agent (>=15.4.2) the issue is gone and no issue.

So in our case we only wait for a fix so we don't need to enroll all our devices from that model.

MR
Mike Robertson
2 years ago

Hi Rafael,

What you've explained ties in with my suspicion of the agent being the only factor which has changed since the issue has started. We have the agent update via Google Play so is always on the latest version. Our MobiControl instance was still on 15.6 so that hadn't changed. We upgraded to 15.6.4 but no luck unfortunately. I was hoping that upgrade would maybe plug an incompatibility gap between the instance and the new agent.

New deployments seem fine in CorpOwned mode. Existing ones are the ones affected. But I can't redeploy 100+ manager devices. My personal phone is in Work Profile mode but that still seems affected after a re-enrollment.

MD
Matt Dermody Diamond Contributor
2 years ago
MR
Mike Robertson
2 years ago

I'm glad to see this as it sounds like exactly what is happening but I don't think it is solely linked to the June 2023 security update. My Samsung S22 Ultra is on July 2023 update so I'm not in a position to attempt to downgrade it. But my work phone (running Android 11) in Corporate Owned mode hasn't had a security patch released since September 2022 and is affected by this fault. I managed to source an older APK and I attempted to try 15.3.4 (the last build before they changed the SOTI logo) as it was released early May.. just before the June security updates... on my Samsung S22 in Work Profile mode but unfortunately it didn't work, but this could be because of the June/July 23 updates being installed as per the post you supplied. I sourced the latest APK from https://downloads.soti.net/apk/AEAgent/GoogleMobiControl1543_1054.apk and then I manually changed the URL link to "GoogleMobiControl1534_1113.apk" to get the build before the logos and stuff changed. So it's officially sourced from SOTI directly. I can't test it on an older device until tomorrow. I noticed that SOTI MobiControl shows no errors in the device logs but if you look at the device logs on the SOTI MobiControl agent on the device, it says "Wireless configuration failed: SSID name". I can't get any more information but I can send device logs to SOTI, so I'll try that with them tomorrow hopefully when they call me back.

I am a colleague of Rafael's, and I have to agree with him and Mike; this issue is not isolated to the mentioned security patch. For us, it is seen only on one specific phone model - but on both Android 12 and 13 and on various security patch levels.

Hopefully, SOTI will take this into account when developing a solution - and it would be great to have a new Agent soon, which will mitigate the problem.

SB
Simon Breuer
2 years ago
MR
Mike Robertson
2 years ago

I spoke too soon. I have got further, the SSIDs appear on the device now. But it comes up with "Authentication failure" when attempting to join the SSID. Has anyone else tried the above and got any further?

MR
Mike Robertson
2 years ago

I got it working! So it turns out the "domain" field isn't always a domain... it depends on people's setup. For example, in our case it is actually the name of the certificate authority server! The easiest thing to do is to copy the "Common Name" value that is on the deployed certificate. In our case it was a self-signed Active Directory Certification Services server. Put that in the script instead of the actual domain (the AD domain I originally was trying) and then revoke the certificate and re-deploy. Bam!

AF
Allen Foster
2 years ago

Question.  Are you referring to the common name of the identity cert or the CA cert?