💡 ArborXR supports the remote provisioning of Wi-Fi configurations where users can create and configure a library of Wi-Fi networks, then remotely provision configurations to devices to remotely connect them to new networks. Below are details on the supported security types, certificates, and proxies.
For more information about remotely provisioning Wi-Fi configurations to devices, see this article.
Security
Open
Open (Unsecured)
This type has no further settings.
OWE (Opportunistic Wireless Encryption)
Only supported by devices that run Android 10 (or later) and are certified as "WiFi Certified Enhanced Open".
This type has no further settings.
Personal
WPA/WPA2
Technical name is PSK (Pre-Shared Key).
This is either WPA-Personal (WPA-PSK) or WPA2-Personal (WPA2-PSK).
Password: String 8 to 63 characters.
WPA3
Only supported by devices that run Android 10 (or later) and specifically advertise support for this.
Technical name is SAE.
Also called WPA3-Personal (WPA3-PSK).
Password: String of 1 to 63 characters.
Enterprise
WPA/WPA2
Technical name is EAP.
This is either WPA-Enterprise or WPA2-Enterprise.
EAP Method, one of:
PEAP (Protected Extensible Authentication Protocol, also called "Protected EAP")
Phase2 Method, one of:
MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
Identity: String
Password: String
GTC (Generic Token Card)
Identity: String
Password: String
CA Certificate: X.509 certificate (see below section for details)
OCSP stapling: See below section for details.
Domain: String
Anonymous Identity: String
TLS (Transport Layer Security)
(Optional) User Certificate: X.509 certificate (see below section for details)
CA Certificate: X.509 certificate (see below section for details)
OCSP stapling: See below section for details.
Domain: String
Identity: String
TTLS (Tunneled Transport Layer Security)
Phase2 Method, one of:
PAP (Password Authentication Protocol)
MSCHAP (Microsoft's Challenge Handshake Authentication Protocol version 1)
MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
GTC (Generic Token Card)
CA Certificate: X.509 certificate (see below section for details)
OCSP stapling: See below section for details.
Domain: String
Identity: String
Anonymous Identity: String
Password: String
PWD (Password)
Identity: String
Password: String
WPA3-Enterprise
Only supported by devices that run Android 10 (or later) and specifically advertise support for this.
Technical name is EAP Suite-B.
Settings: Except for more supported authentication methods, this is the same as EAP-TLS. However, the user certificate is required.
Certificate Enrollment (SCEP)
SCEP (Simple Certificate Enrollment Protocol) allows devices to self enroll for a certificate that can be used to connect to a secured network. The headset must be able to reach the SCEP server in order to exchange signatures and information to generate a certificate.
Configuration:
SCEP URL: URL to the SCEP server that will be used for the certificate enrollment.
SCEP Challenge Password: A password that was pre-shared between the SCEP server and the client. This password will be used during the enrollment to authenticate the client device. Currently, only static passwords are supported.
CA Certificate Type: This is an optional field for added security. CA Certificate is mainly used for the client to ensure that it is communicating and exchanging information with the intended SCEP server
Select
CUSTOMto upload the CA certificate of the SCEP server, if it is available.Select
SYSTEMif the the CA certificate of the SCEP server is already available at the system level on the headset.Select
DO NOT VALIDATEto skip CA certificate validation.
Limitations:
Only static challenge passwords are supported for enrollment.
The SCEP enrollment process should be automatic. Manual approval per enrollment is not supported.
Server Mandatory Functionality:
At a minimum, the SCEP server should support the following:
GetCaCaps
GetCaCert
PKCSReq
Communication of binary data via HTTP Post
AES 128-CBC
SHA-256
Certificate Import (Imported PKCS)
Some enterprise WPA3 (i.e. EAP) methods require the use of (CA or user) certificates.
Certificates must meet the standard of X.509 certificates.
CA certificates (trusted root CA certificates) are mainly used for server certificate validation on the device. It is generally optional and it is an extra layer of security to ensure that the device did not connect to an impersonated network with an identical SSID.
CA certificates should be in a .cer, .crt or .pem format.
Instead of specifying a CA certificate, the device's system certificates can be used.
User certificates are used by the server to identify and to authenticate the device. The user certificate should meet the standard of PKCS 12 in the format of .p12 or .pfx. The certificate should contain both a certificate and a private key.
To convert a private key and a certificate together to create a PKCS 12:
openssl pkcs12 -export -in Cert.PEM -inkey PrivateKey.key -out UserCert.p12
For the above conversion, we recommend the use of 3.x OpenSSL.OCSP (Online Certificate Status Protocol) Stapling
Only supported by devices that run Android 11 (or later). This setting is ignored on devices running earlier version of Android.
Formally known as the "TLS Certificate Status Request" extension.
Enum, one of:
None (Don't staple)
Request Status (Try to staple, but don't require a response)
Require Status (Require a valid response)
Require All non-trusted status (Require a valid response for all non-trusted certificates in the server certificate chain)
Domain or Domain Suffix Match is used to validate server certificates. If set, the fully qualified domain name will be used as a suffix check and requirement for the server certificate in SubjectAltName DNS Name elements.
💡 On Android 11+ devices, in environments where you have a RADIUS server that you're authenticating against, the "Domain" field needs to be populated with the SubjectAltName of the NPS server.
Identity is used to validate the user’s identity along with the user certificate. Usually this field is required to go along with a user certificate.
Certificate Enrollment (EST)
EST (Enrollment over Secure Transport) is a certificate management protocol defined by RFC 7030. It allows devices to securely enroll for certificates over HTTPS (TLS). The headset must be able to reach the EST server in order to exchange information to generate a certificate.
Configuration:
Well-known URL: The URL of the EST server that devices will contact for enrollment, typically including the /.well-known/est path (e.g., https://est.example.com/.well-known/est).
User Certificate: Depending on your EST server’s configuration, mutual TLS may be required for enrollment. If so, you can provide a client-side (“user”) certificate that the device will present when connecting to the EST server. This must be a valid certificate in PKCS#12 (.p12 or .pfx) format with a private key.
Password: If your EST server requires HTTP Basic Authentication, you can provide a username (often referred to as “Identity” or “Entity” in some systems) and a password to authenticate the device.
Entity (Optional): This is the Subject entity information the device presents when requesting enrollment (e.g., a Common Name (CN) or another identifier). This is an optional field, and by default the device will send the serial number as the CN field. If you’d like to override this field, you can enter a static value or use our custom format which can also allow you to configure a SAN. Here is the format for specifying the CN as the serial number, with the SAN customized with the values:
{CN="[DEVICE_SERIAL_NUMBER]"; SAN={UPN=[DEVICE_SERIAL_NUMBER]@example.com;EMAIL=[DEVICE_SERIAL_NUMBER]@example.com}}CA Certificate (Optional): As with SCEP, you may optionally provide a CA certificate to allow the device to verify the EST server’s TLS certificate chain.
Custom: Upload your own trusted root CA certificate if it is not already in the device’s system store.
System: Use the device’s built-in system certificates.
Do Not Validate: Skip CA certificate validation (not recommended in production environments).
Requirements & Limitations
The device must be able to reach the EST server on the network over HTTPS (TLS).
Only static authentication (Basic Auth) is supported for enrollment (if required by the server). No interactive/manual approval flows are supported on the device side.
As with any certificate-based enrollment, ensure that the device clock is accurate—incorrect device time can cause TLS handshake or certificate validation failures.
Server Requirements
Your EST server should implement the endpoints defined by RFC 7030, particularly:
/cacerts for retrieving the CA certificate(s).
/simpleenroll for initial enrollment requests.
/simplereenroll for certificate re-enrollment (if desired).
The server must support secure (HTTPS) connections and provide valid server certificates trusted by either the system certificate store or the custom CA you have configured on the device.
Proxy
Only supported by devices that run Android 8.0 (or later).
Static
Host name: String
Port number: Integer from 0 to 65535
(Optional) List of hosts to bypass: String list
Can include wildcards, e.g. *.example.com, *.google.com
PAC (Proxy Auto-Config)
URL that points to a "PAC file": The file contains a JavaScript function FindProxyForURL(url, host) to dynamically decide whether to connect via a particular proxy server, or directly