
How to save EAP wifi network in Android 10 after Android Enterprise provisioning


Up to API level 29 we have been using WifiConfiguration to set up wifi connections with our DPC (both Device Owner and Profile Owner modes). Since API level 29 we can still save Open, WEP and WPA networks, but any attempt to save an EAP network is completely ignored. We tried to use the WifiSuggestions method and the suggestion is properly displayed in the notification bar, but when the user taps on "allow", nothing happens. There are no errors in the log, and the addNetworkSuggestions() method returns STATUS_NETWORK_SUGGESTIONS_SUCCESS.

This problem exists only when our DPC is given Device/Profile Owner permissions through the full provisioning process (work profile creation or fully managed during the first start). Getting Device Owner status using ADB lets us save the network by allowing the network suggestion.

This is how we set up the network suggestion:

@RequiresApi(api = Build.VERSION_CODES.Q)
public static WifiNetworkSuggestion setupWifiNetworkSuggestion (WifiConfiguration wifiConfiguration){
  return new WifiNetworkSuggestion.Builder()
          .setSsid(wifiConfiguration.SSID)
          .setIsHiddenSsid(wifiConfiguration.hiddenSSID)
          .setWpa2EnterpriseConfig(wifiConfiguration.enterpriseConfig)
          .build();
}

After that we call:

List<WifiNetworkSuggestion> networkSuggestionList = new ArrayList<>();
networkSuggestionList.add(setupWifiNetworkSuggestion(wifiConfiguration));

int status = mWifiManager.addNetworkSuggestions(networkSuggestionList);

if (status != WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS) {
  _logger.error("Problem adding network suggestion, status code: " + status);
}

Are we missing something? The same code works in our other app where we do not use EMM provisioning to get Device Owner. All the requested permissions are the same in both apps. We tried to get some error info or set up some logs but we only get success statuses all the way.


Solution

  • We finally made it work! The problem was caused by three separate issues:

    1. We were lacking the allowed key management setting WifiConfiguration.KeyMgmt.WPA_EAP.

    2. Our test RADIUS server rejects connection attempts when any domain is provided in the enterprise config. It was giving us unnecessary disconnections even after we had resolved the Android-side issues.

    3. MOST IMPORTANT: For some reason our password policy was not enforced, and in the test environment we use self-signed certificates. Without at least a PIN lock set up on the device, the certificates cannot be attached to the network profile, therefore it cannot be added/connected to. Even if the network is saved, it lacks the certificate, which has to be selected manually (it is deployed properly to the certificate store, though).
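
A pre-flight check a DPC could run before saving the EAP network, covering issues 1 and 3 from the answer above. This is an added example, not code from the original post; the class `EapWifiPreflight` and its method names are hypothetical, and it assumes the `Context` passed in belongs to the user or profile whose lock screen matters. Issue 2 is specific to the poster's RADIUS server and is not checked.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper, not part of the original post or of any Android API. */
public final class EapWifiPreflight {

    private EapWifiPreflight() {}

    /** Sets the key management flag the answer found missing (issue 1). */
    public static void allowWpaEap(WifiConfiguration config) {
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
    }

    /**
     * Returns the reasons the profile is not ready to be saved.
     * An empty list means none of the checked conditions failed.
     */
    public static List<String> check(Context context, WifiConfiguration config) {
        List<String> problems = new ArrayList<>();

        // Issue 3: the answer reports that certificates cannot be attached
        // to the network profile unless at least a PIN lock is set.
        KeyguardManager keyguard =
                (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        if (keyguard == null || !keyguard.isDeviceSecure()) {
            problems.add("no PIN, pattern or password lock is set on the device");
        }

        // Issue 1: WPA_EAP must be among the allowed key management schemes.
        if (!config.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_EAP)) {
            problems.add("WifiConfiguration.KeyMgmt.WPA_EAP is not allowed");
        }

        WifiEnterpriseConfig eap = config.enterpriseConfig;
        if (eap == null || eap.getEapMethod() == WifiEnterpriseConfig.Eap.NONE) {
            problems.add("no EAP method is configured");
        } else if (eap.getCaCertificates() == null) {
            // The saved network would lack the CA certificate.
            problems.add("enterprise config carries no CA certificate");
        }
        return problems;
    }
}
```

Logging the returned list before calling addNetworkSuggestions() gives the DPC a diagnostic of its own, since in the question that call returned a success status even though the network was never saved.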