Dec 05 2018 06:44 AM
I'm currently using Intune to push a wireless profile to iOS devices and encountering issues connecting automatically to the wireless network in question. Here is the scenario:
In my case, the root CA cert is being delivered to the devices. The client certificate is successfully being requested by the device using SCEP. The Wi-Fi profile is also being pushed out to the device successfully. I've even tried pushing out the intermediate CA that issues the certificates for the authentication server and client devices as a trusted certificate.
When users attempt to connect to the wireless network, they are prompted for credentials. They then have to select the client certificate and the encryption type before connecting to the network. Once users select the certificate, they connect successfully. What I would like is for this step to be avoided to improve the user experience and to eliminate the likelihood of users selecting the wrong certificate. Is this even possible or will the user always be required to select the cert? I've been told it is.
It's not even a case where the certificate being presented by the authentication server is not trusted. The device, though, seems unable to identify which certificate to present to the authentication server for authentication.
Dec 06 2018 05:40 AM
Solution
I believe that there is an engineering issue with certificate authentication and the WiFi profiles on iOS (an organisation that I work with has an open product support call).
It looks like the configuration profile is only accepted by iOS devices if the root cert is the issuing CA for the SCEP certificate. In an enterprise with tiered CAs and a mix of certificate trust relationships then that just doesn't work.
Get a support call logged and add your name to the list of customers with this issue.
Dec 06 2018 05:59 AM
Thanks Andrew.
I've been banging my head against the wall with this issue for a couple weeks.
I've opened a case with Microsoft so hopefully, they shed some light on the issue soon.
Do you know whether there are any public comms on the issue? Do you know whether it's primarily an Intune issue, iOS or a bit of both?
Dec 06 2018 06:04 AM
There are no public comms because Microsoft support are treating it as an edge case.
The issue appears to be partially Intune and partially iOS. An identical configuration profile works on Android because Android does not appear to care about certificate trust!
Dec 06 2018 06:07 AM
Thanks Andrew,
I thought as much. My next step was to deploy to Android devices when I'm back on site to see whether I encountered the same issue.
Let's see what Microsoft support comes back with.
Jan 07 2019 07:23 AM
Jan 15 2019 09:25 PM
The case is still with Engineering as far as I know. I would advise opening your own support case.
This might need a change from Apple because the options to create a Wi-Fi profile with the correct root certificates are missing from the Apple configurator.
Jan 16 2019 02:32 PM
I do have my own case open... for the past 40 days now but support has been slow.
Interestingly, devices enrolled yesterday have started connecting to the Wi-Fi network automatically since I had a chat with an escalation engineer and even though I haven't made any changes to the profiles so perhaps it's being resolved on the backend. I'll see if this happens consistently as more users enrol onto Intune in the next few weeks. Hopefully it does.
Nov 20 2019 09:59 PM
@SRoach Is this working for you now? We're looking at doing something very similar with Windows and iOS devices soon.
Mar 05 2020 07:20 PM