💡 ArborXR supports remote provisioning of Wi-Fi configurations: users create and configure a library of Wi-Fi & certificate configuration presets, then remotely provision those presets to devices to connect them to new networks. Below are details on the supported Wi-Fi security types, certificates, and proxies.
## Security

### Open

#### Open (Unsecured)

This type has no further settings.

#### OWE (Opportunistic Wireless Encryption)

Only supported by devices that run Android 10 (or later) and are certified as "WiFi Certified Enhanced Open".

This type has no further settings.
### Personal

#### WPA/WPA2

Technical name is PSK (Pre-Shared Key).

This is either WPA-Personal (WPA-PSK) or WPA2-Personal (WPA2-PSK).

Password: String of 8 to 63 characters.

#### WPA3

Only supported by devices that run Android 10 (or later) and specifically advertise support for this.

Technical name is SAE.

Also called WPA3-Personal (WPA3-PSK).

Password: String of 1 to 63 characters.
### Enterprise

#### WPA/WPA2

Technical name is EAP.

This is either WPA-Enterprise or WPA2-Enterprise.

EAP Method, one of:

- PEAP (Protected Extensible Authentication Protocol, also called "Protected EAP")
  - Phase2 Method, one of:
    - MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
      - Identity: String
      - Password: String
    - GTC (Generic Token Card)
      - Identity: String
      - Password: String
  - CA Certificate: X.509 certificate (see the Certificate Import section below for details)
  - OCSP stapling: See the OCSP Stapling section below for details.
  - Domain: String
  - Anonymous Identity: String
- TLS (Transport Layer Security)
  - (Optional) User Certificate: X.509 certificate (see the Certificate Import section below for details)
  - CA Certificate: X.509 certificate (see the Certificate Import section below for details)
  - OCSP stapling: See the OCSP Stapling section below for details.
  - Domain: String
  - Identity: String
- TTLS (Tunneled Transport Layer Security)
  - Phase2 Method, one of:
    - PAP (Password Authentication Protocol)
    - MSCHAP (Microsoft's Challenge Handshake Authentication Protocol version 1)
    - MSCHAPv2 (Microsoft's Challenge Handshake Authentication Protocol version 2)
    - GTC (Generic Token Card)
  - CA Certificate: X.509 certificate (see the Certificate Import section below for details)
  - OCSP stapling: See the OCSP Stapling section below for details.
  - Domain: String
  - Identity: String
  - Anonymous Identity: String
  - Password: String
- PWD (Password)
  - Identity: String
  - Password: String

#### WPA3-Enterprise

Only supported by devices that run Android 10 (or later) and specifically advertise support for this.

Technical name is EAP Suite-B.

Settings: The same as EAP-TLS, except that additional authentication methods are supported and the user certificate is required.
## Certificate Enrollment (SCEP)

### Option 1: Static SCEP (Pre-shared Password)

Use static SCEP when you have a single, manually configured challenge password.

Required Settings:

- SCEP URL: The endpoint for certificate enrollment
- SCEP Type: Static
- Challenge Password: A pre-shared credential for client authentication during enrollment

When to Use:

- Your SCEP server uses a single, long-lived challenge password
- You're using Microsoft NDES with a simple challenge configuration
- You prefer manual challenge password management

### Option 2: Dynamic SCEP (Automatic Password Retrieval)

Use dynamic SCEP when your SCEP server provides challenge passwords via an API endpoint.

Required Settings:

- SCEP URL: The endpoint for certificate enrollment
- SCEP Type: Dynamic
- Challenge Request URL: The HTTPS endpoint that provides challenge passwords
- Challenge Request Username: Username for authenticating to the challenge endpoint
- Challenge Request Password: Password for authenticating to the challenge endpoint

Optional Settings:

- Challenge Request CA Certificate: Upload a custom CA certificate for SSL verification when connecting to the challenge endpoint (useful for self-signed certificates or internal CAs)

When to Use:

- Your SCEP server provides an API endpoint for retrieving challenge passwords
- You're using Microsoft NDES with dynamic challenge password generation
- You want automatic password retrieval and rotation
- Your challenge passwords are time-limited or single-use

How It Works:

When a device requests SCEP enrollment, ArborXR servers automatically request a challenge password from your Challenge Request URL and provide it to the device for enrollment.

Challenge Endpoint Requirements:

- Supports multiple response formats:
  - JSON: Looks for `challengePassword`, `challenge`, or `password` fields (e.g., `{"challengePassword": "xyz"}`)
  - HTML: Parses HTML responses (supports UTF-8 and UTF-16LE encoding)
  - Plain text: Accepts a raw challenge password (automatically strips "challenge:" or "password:" prefixes)
- Supported authentication: NTLM, Basic Auth
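The three response formats above are easy to get subtly wrong on the endpoint side (a BOM-less UTF-16LE body, a JSON object with the password under a different key, a label prefix). The following parser is an added example for checking what your challenge endpoint actually returns before you point a Dynamic SCEP preset at it; it is not ArborXR's code. The JSON field names and the plain-text prefixes come from the list above; the HTML rule (take the first token after a "challenge password" label once tags are stripped) is an assumption, since the page does not say how HTML is parsed. Sample responses in the test are constructed.

```python
"""Parser for the challenge-password response formats a Dynamic SCEP
challenge endpoint may return (JSON, HTML, plain text; UTF-8 or UTF-16LE).
Added example, not ArborXR's code; the HTML heuristic is an assumption."""
import json
import re
from html.parser import HTMLParser
from typing import Optional

# Field names the page says are recognised in JSON responses
JSON_FIELDS = ("challengePassword", "challenge", "password")
# Plain-text prefixes the page says are stripped
PREFIX_RE = re.compile(r"^\s*(?:challenge|password)\s*:\s*", re.IGNORECASE)
# Assumed HTML heuristic: the first token after a "challenge password" label
HTML_RE = re.compile(
    r"(?:challenge\s*password|challenge|password)\s*(?:is)?\s*:?\s*([A-Za-z0-9+/=_-]{4,})",
    re.IGNORECASE,
)


def decode_body(raw: bytes) -> str:
    """Decode UTF-8 (with or without BOM) or UTF-16 (BOM or BOM-less UTF-16LE)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")          # BOM present: either endianness, BOM removed
    if len(raw) >= 2 and raw[0] != 0 and raw[1] == 0:
        return raw.decode("utf-16-le")       # BOM-less UTF-16LE: ASCII interleaved with NULs
    return raw.decode("utf-8-sig")           # UTF-8, BOM removed if present


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document (tags discarded)."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)

    def text(self) -> str:
        return " ".join(self.parts)


def extract_challenge(raw: bytes, content_type: str = "") -> Optional[str]:
    """Return the challenge password found in a response body, or None."""
    text = decode_body(raw).strip()
    ctype = content_type.lower()

    # JSON: look for the known field names; an object without them yields None
    if "json" in ctype or text.startswith("{"):
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            for key in JSON_FIELDS:
                value = obj.get(key)
                if isinstance(value, str) and value.strip():
                    return value.strip()
            return None

    # HTML: strip tags, then look for a labelled token
    if "html" in ctype or re.search(r"<[a-zA-Z!/]", text):
        extractor = _TextExtractor()
        extractor.feed(text)
        match = HTML_RE.search(extractor.text())
        return match.group(1) if match else None

    # Plain text: the body is the password, minus an optional label prefix
    return PREFIX_RE.sub("", text).strip() or None
```

Feed it the raw bytes of a response from your endpoint (for example the body returned by `urllib.request` or `curl --output`) together with the `Content-Type` header; a `None` result means the endpoint would have to be adjusted before the dynamic flow can work.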
### Common Configuration (Both Static & Dynamic)

Optional Settings:

- Entity: Subject information the device presents during enrollment, with support for custom formatting including device serial numbers and Subject Alternative Names (SANs)
- CA Certificate: Upload a custom CA certificate for validating the SCEP server's SSL certificate (leave blank to use the device's default certificate store)

### Limitations

Manual approval per enrollment is not supported. The SCEP enrollment process must be automatic for both static and dynamic types.

### Server Requirements

SCEP servers must minimally support the GetCACaps, GetCACert and PKCSReq operations, HTTP POST (binary) communication, AES-128-CBC encryption, and SHA-256 hashing.
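A SCEP server advertises what it supports through the GetCACaps operation (one capability keyword per line, as defined in RFC 8894), so the POST, AES and SHA-256 requirements above can be checked before any device enrolls. The script below is an added example, not ArborXR's code: it builds the GetCACaps query for a SCEP URL and reports which of the required keywords are missing from the response. The keyword names follow RFC 8894 (`AES` denotes AES-128-CBC, `POSTPKIOperation` denotes PKIOperation messages such as PKCSReq sent by HTTP POST); GetCACert and PKCSReq are baseline operations that are not advertised as keywords. The sample responses are constructed.

```python
"""Check a SCEP server's GetCACaps response against the minimum capabilities
listed above. Added example, not ArborXR's code; keyword names follow RFC 8894
and the sample responses are constructed."""
from typing import Dict, List, Set

# RFC 8894 capability keywords that correspond to the requirements above.
REQUIRED_CAPS: Dict[str, str] = {
    "POSTPKIOperation": "PKIOperation (PKCSReq) over HTTP POST with binary encoding",
    "AES": "AES-128-CBC content encryption",
    "SHA-256": "SHA-256 message digest",
}


def getcacaps_url(scep_url: str) -> str:
    """Build the GetCACaps query for a SCEP endpoint (?operation=GetCACaps)."""
    separator = "&" if "?" in scep_url else "?"
    return f"{scep_url}{separator}operation=GetCACaps"


def parse_getcacaps(body: str) -> Set[str]:
    """GetCACaps returns one keyword per line; keywords we do not need are simply ignored."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def missing_capabilities(body: str) -> List[str]:
    """Required keywords the server did not advertise, in REQUIRED_CAPS order.
    A server that does not implement GetCACaps at all returns an error body,
    which advertises nothing and therefore reports every requirement as missing."""
    advertised = parse_getcacaps(body)
    return [name for name in REQUIRED_CAPS if name not in advertised]


def is_suitable(body: str) -> bool:
    return not missing_capabilities(body)


if __name__ == "__main__":
    # Constructed sample: a server that advertises everything needed
    sample = "AES\nPOSTPKIOperation\nSHA-256\nSCEPStandard\n"
    print(getcacaps_url("https://scep.example.com/scep"))
    for name in missing_capabilities(sample):
        print(f"missing {name}: {REQUIRED_CAPS[name]}")
    print("suitable" if is_suitable(sample) else "not suitable")
```

Fetch the URL that `getcacaps_url` produces with any HTTP client and pass the response text to `missing_capabilities`; a legacy server that only lists `DES3` and `SHA-1` will be flagged for both encryption and hashing.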
## Certificate Import (Imported PKCS)

Some enterprise WPA3 (i.e. EAP) methods require CA or user certificates.

Certificates must be X.509 certificates.

CA certificates (trusted root CA certificates) are mainly used for server certificate validation on the device. They are generally optional and add an extra layer of security, ensuring that the device does not connect to an impersonating network with an identical SSID.

CA certificates should be in .cer, .crt or .pem format.

Instead of specifying a CA certificate, the device's system certificates can be used.

User certificates are used by the server to identify and authenticate the device. The user certificate must be a PKCS #12 file (.p12 or .pfx) that contains both the certificate and its private key.

To combine a private key and a certificate into a PKCS #12 file:

```shell
openssl pkcs12 -export -in Cert.PEM -inkey PrivateKey.key -out UserCert.p12
```

For the above conversion, we recommend OpenSSL 3.x.

## OCSP (Online Certificate Status Protocol) Stapling

Only supported by devices that run Android 11 (or later). This setting is ignored on devices running earlier versions of Android.

Formally known as the "TLS Certificate Status Request" extension.

Enum, one of:

- None (Don't staple)
- Request Status (Try to staple, but don't require a response)
- Require Status (Require a valid response)
- Require All Non-trusted Status (Require a valid response for all non-trusted certificates in the server certificate chain)
## Domain

Domain (or Domain Suffix Match) is used to validate server certificates. If set, the fully qualified domain name is used as a suffix check and requirement for the server certificate's SubjectAltName DNS Name elements.

💡 On Android 11+ devices, in environments where you have a RADIUS server that you're authenticating against, the "Domain" field needs to be populated with the SubjectAltName of the NPS server.
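The suffix check is what stops a rogue access point with the same SSID and a certificate for some other name from passing server validation, so it is worth knowing exactly which names satisfy a given Domain value. The function below is an added example, not ArborXR's code: it compares a configured Domain against the DNS names in a server certificate's SubjectAltName the way a suffix match at label boundaries works (`example.com` accepts `radius.example.com` but not `radius.notexample.com`), and falls back to the subject CN only when the certificate carries no DNS names. Those rules follow wpa_supplicant's `domain_suffix_match` semantics and are an assumption about the device's behaviour; the names used in the test are constructed.

```python
"""Domain (domain suffix match) check against a server certificate's
SubjectAltName DNS names. Added example, not ArborXR's code; the label-boundary
rule and the CN fallback follow wpa_supplicant's domain_suffix_match semantics,
which is an assumption about the device's behaviour."""
from typing import List, Optional


def _normalise(name: str) -> str:
    # Case-insensitive comparison; a trailing dot (absolute FQDN) is ignored
    return name.strip().lower().rstrip(".")


def _suffix_ok(name: str, want: str) -> bool:
    # Equal, or ends with ".<want>" so that labels are compared whole:
    # "example.com" accepts "radius.example.com" but not "radius.notexample.com"
    candidate = _normalise(name)
    return candidate == want or candidate.endswith("." + want)


def server_cert_matches_domain(domain: str, san_dns_names: List[str],
                               subject_cn: Optional[str] = None) -> bool:
    """True if the configured Domain is satisfied by the certificate's names."""
    want = _normalise(domain)
    if not want:
        # No Domain configured: nothing constrains the server name, so the
        # check cannot pass; an empty Domain gives no impersonation protection
        return False
    if san_dns_names:
        return any(_suffix_ok(name, want) for name in san_dns_names)
    # Only a certificate without any dNSName entries is judged on its subject CN
    return bool(subject_cn) and _suffix_ok(subject_cn, want)


if __name__ == "__main__":
    # Constructed names for a NPS/RADIUS server certificate
    print(server_cert_matches_domain("corp.example.com", ["nps01.corp.example.com"]))
    print(server_cert_matches_domain("corp.example.com", ["nps01.corp-example.com"]))
```

To use it against a real certificate, extract the SAN DNS names with `openssl x509 -noout -ext subjectAltName` and pass them as the list; the value you would enter in the Domain field is the first argument.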

## Identity

Identity is used to validate the user's identity along with the user certificate. Usually this field is required alongside a user certificate.
## Certificate Enrollment (EST)

EST (Enrollment over Secure Transport) is a certificate management protocol defined by RFC 7030. It allows devices to securely enroll for certificates over HTTPS (TLS). The headset must be able to reach the EST server in order to exchange the information needed to generate a certificate.

Configuration:

- Well-known URL: The URL of the EST server that devices will contact for enrollment, typically including the /.well-known/est path (e.g., https://est.example.com/.well-known/est).
- User Certificate: Depending on your EST server's configuration, mutual TLS may be required for enrollment. If so, you can provide a client-side ("user") certificate that the device will present when connecting to the EST server. This must be a valid certificate in PKCS#12 (.p12 or .pfx) format with a private key.
- Password: If your EST server requires HTTP Basic Authentication, you can provide a username (often referred to as "Identity" or "Entity" in some systems) and a password to authenticate the device.
- Entity (Optional): The Subject entity information the device presents when requesting enrollment (e.g., a Common Name (CN) or another identifier). By default the device sends its serial number as the CN. To override this, enter a static value or use our custom format, which also lets you configure a SAN. The following specifies the CN as the serial number, with the SAN customized with UPN and EMAIL values:

  ```
  {CN="[DEVICE_SERIAL_NUMBER]"; SAN={UPN=[DEVICE_SERIAL_NUMBER]@example.com;EMAIL=[DEVICE_SERIAL_NUMBER]@example.com}}
  ```

- CA Certificate (Optional): As with SCEP, you may optionally provide a CA certificate to allow the device to verify the EST server's TLS certificate chain.
  - Domain: This field is required to install CA Certificates on Android 14+ devices.
  - Custom: Upload your own trusted root CA certificate if it is not already in the device's system store.
  - System: Use the device's built-in system certificates.
  - Do Not Validate: Skip CA certificate validation (not recommended in production environments).
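The Entity format above (used by both the SCEP "Entity" setting and the EST one) is compact, but it pays to see what a given template turns into for a specific device before rolling a preset out to a fleet. The code below is an added example, not ArborXR's code: it parses a template of exactly the shape shown above, substitutes the device serial for `[DEVICE_SERIAL_NUMBER]`, and renders the result as the `-subj` and `subjectAltName` strings OpenSSL would take for a CSR, which makes it easy to compare against what your CA issues. How the device itself interprets the template is not documented here, so the grammar (`;`-separated `KEY=value` pairs, a nested `{...}` group for SAN, optional double quotes) is an assumption derived from the single example; the UPN `otherName` OID `1.3.6.1.4.1.311.20.2.3` is the standard Microsoft UPN OID. Substitution happens after parsing, so a serial containing `;` or `}` cannot alter the template's structure. Serials in the test are constructed.

```python
"""Expand an ArborXR-style Entity template for one device and render it as
OpenSSL CSR subject/SAN strings. Added example, not ArborXR's code; the
template grammar is assumed from the single documented example."""
from typing import Dict, List, Union

PLACEHOLDER = "[DEVICE_SERIAL_NUMBER]"
# SAN keys seen in the documented template, mapped to OpenSSL subjectAltName syntax
SAN_PREFIX = {
    "UPN": "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:",  # Microsoft UPN otherName
    "EMAIL": "email:",
}

Entity = Dict[str, Union[str, Dict[str, str]]]


def _strip_braces(text: str) -> str:
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("expected a {...} group")
    return text[1:-1]


def _split_top_level(text: str, sep: str = ";") -> List[str]:
    """Split on sep, but not inside nested {...} groups."""
    parts, current, depth = [], [], 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def _expand(value: str, serial: str) -> str:
    # Quotes are part of the template syntax; the serial is inserted only after
    # the structure has been parsed, so it cannot inject extra fields
    return value.strip().strip('"').replace(PLACEHOLDER, serial)


def parse_entity(template: str, serial: str) -> Entity:
    """Return {"CN": ..., "SAN": {...}} for one device; empty template = serial as CN."""
    if not template.strip():
        return {"CN": serial}  # documented default: the serial number is sent as CN
    result: Entity = {}
    for item in _split_top_level(_strip_braces(template)):
        key, _, value = item.partition("=")
        key, value = key.strip().upper(), value.strip()
        if value.startswith("{"):
            nested: Dict[str, str] = {}
            for sub in _split_top_level(_strip_braces(value)):
                sub_key, _, sub_value = sub.partition("=")
                nested[sub_key.strip().upper()] = _expand(sub_value, serial)
            result[key] = nested
        else:
            result[key] = _expand(value, serial)
    return result


def openssl_subject(entity: Entity) -> str:
    """Render the non-SAN attributes as an OpenSSL -subj string, e.g. /CN=ABC123."""
    return "".join(f"/{k}={v}" for k, v in entity.items() if k != "SAN")


def openssl_san(entity: Entity) -> str:
    """Render the SAN group as an OpenSSL subjectAltName extension value."""
    san = entity.get("SAN", {})
    return ",".join(f"{SAN_PREFIX[k]}{v}" for k, v in san.items() if k in SAN_PREFIX)


if __name__ == "__main__":
    template = ('{CN="[DEVICE_SERIAL_NUMBER]"; SAN={UPN=[DEVICE_SERIAL_NUMBER]@example.com;'
                'EMAIL=[DEVICE_SERIAL_NUMBER]@example.com}}')
    entity = parse_entity(template, "ABC123")  # constructed serial
    print(openssl_subject(entity))
    print(openssl_san(entity))
```

The two rendered strings can be handed to `openssl req -new -subj <subject> -addext "subjectAltName=<san>"` to produce a CSR with the same identity the device would request, which is a quick way to confirm your CA's template accepts the UPN and EMAIL SAN entries before devices enroll.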
### Requirements & Limitations

- The device must be able to reach the EST server on the network over HTTPS (TLS).
- Only static authentication (Basic Auth) is supported for enrollment (if required by the server). No interactive/manual approval flows are supported on the device side.
- As with any certificate-based enrollment, ensure that the device clock is accurate: incorrect device time can cause TLS handshake or certificate validation failures.

### Server Requirements

Your EST server should implement the endpoints defined by RFC 7030, particularly:

- /cacerts for retrieving the CA certificate(s).
- /simpleenroll for initial enrollment requests.
- /simplereenroll for certificate re-enrollment (if desired).

The server must support secure (HTTPS) connections and provide valid server certificates trusted by either the system certificate store or the custom CA you have configured on the device.
## Proxy

Only supported by devices that run Android 8.0 (or later).

### Static

- Host name: String
- Port number: Integer from 0 to 65535
- (Optional) List of hosts to bypass: String list
  - Can include wildcards, e.g. *.example.com, *.google.com

### PAC (Proxy Auto-Config)

- URL that points to a "PAC file": The file contains a JavaScript function `FindProxyForURL(url, host)` that dynamically decides whether to connect via a particular proxy server or directly.
