ArborXR offers remote WiFi provisioning where users can create and configure a library of WiFi networks, then remotely provision the configurations to devices to connect them to new networks.
Provision WiFi Configuration
Navigate to the configuration group in question.
Select the Settings tab.
Select WiFi from the accordion menu.
Click Add Configuration to open the WiFi management modal.
If you have configured WiFi network(s) previously, those will show in the Library tab where you can select one or more listed WiFi configurations then click Add.
If you do not have WiFi networks configured, or if you need to add a new one, tab over to Create New, enter your WiFi network's details, then click Add.
SCEP (Simple Certificate Enrollment Protocol) allows devices to self-enroll for a certificate that can be used to connect to a secured network. The headset must be able to reach the SCEP server in order to exchange signatures and information to generate a certificate.
SCEP URL: URL to the SCEP server that will be used for the certificate enrollment.
SCEP Challenge Password: A password that was pre-shared between the SCEP server and the client. This password will be used during the enrollment to authenticate the client device. Currently, only static passwords are supported.
CA Certificate Type: This is an optional field for added security. CA Certificate is mainly used for the client to ensure that it is communicating and exchanging information with the intended SCEP server.
CUSTOM to upload the CA certificate of the SCEP server, if it is available.
SYSTEM if the CA certificate of the SCEP server is already available at the system level on the headset.
DO NOT VALIDATE to skip CA certificate validation.
Only static challenge passwords are supported for enrollment.
The SCEP enrollment process should be automatic. Manual approval per enrollment is not supported.
SCEP Server Mandatory Functionality:
Communication of binary data via HTTP POST
Some enterprise WPA3 (i.e. EAP) methods require the use of (CA or user) certificates.
Certificates must meet the standard of X.509 certificates.
CA certificates (trusted root CA certificates) are mainly used for server certificate validation on the device. They are generally optional and add an extra layer of security, ensuring that the device does not connect to an impersonated network with an identical SSID.
CA certificates should be in a .cer, .crt or .pem format.
Instead of specifying a CA certificate, the device's system certificates can be used.
User certificates are used by the server to identify and to authenticate the device. The user certificate should meet the standard of PKCS 12 in the format of .p12 or .pfx. The certificate should contain both a certificate and a private key.
To convert a private key and a certificate together to create a PKCS 12:
openssl pkcs12 -export -in Cert.PEM -inkey PrivateKey.key -out UserCert.p12
For the above conversion, we recommend the use of OpenSSL 3.x.
OCSP (Online Certificate Status Protocol) Stapling
Only supported by devices that run Android 11 (or later). This setting is ignored on devices running earlier versions of Android.
Formally known as the "TLS Certificate Status Request" extension.
Enum, one of:
None (Don't staple)
Request Status (Try to staple, but don't require a response)
Require Status (Require a valid response)
Require All non-trusted status (Require a valid response for all non-trusted certificates in the server certificate chain)
Domain or Domain Suffix Match is used to validate server certificates. If set, the fully qualified domain name will be used as a suffix check and requirement for the server certificate in SubjectAltName DNS Name elements.
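The suffix check described above, as an added example (not ArborXR code) for testing which server certificate names a configured value will accept. It assumes the label-by-label comparison and semicolon-separated value list that Android documents for its enterprise WiFi domain suffix match; ArborXR's field may accept only a single value. All function names and certificate names are hypothetical.

```python
# Added illustration; function names and sample data are hypothetical.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def suffix_matches(dns_name: str, suffix: str) -> bool:
    """True if every label of `suffix` ends `dns_name`, on label boundaries."""
    want, have = _labels(suffix), _labels(dns_name)
    if want == [""] or len(have) < len(want):
        return False
    return have[-len(want):] == want


def naive_matches(dns_name: str, suffix: str) -> bool:
    """Plain string suffix test, shown only for contrast."""
    return dns_name.lower().endswith(suffix.lower())


def server_cert_accepted(san_dns_names: list[str], configured: str) -> bool:
    """Check SAN dNSName entries against a semicolon-separated suffix list.

    Assumption: values are ORed together, as Android documents for
    its domain suffix match setting.
    """
    suffixes = [s for s in configured.split(";") if s.strip()]
    return any(suffix_matches(n, s) for n in san_dns_names for s in suffixes)


# Constructed SAN dNSName lists from three hypothetical RADIUS server certificates.
SAMPLE_CERTS = {
    "corporate": ["radius1.wifi.example.com", "radius2.wifi.example.com"],
    "lookalike": ["radius.notexample.com"],
    "no_san": [],
}

if __name__ == "__main__":
    for label, names in SAMPLE_CERTS.items():
        print(label, server_cert_accepted(names, "example.com"))
    # A plain string comparison would wrongly accept the lookalike name.
    print("naive:", naive_matches("radius.notexample.com", "example.com"))
```

Comparing whole labels is what keeps a name such as radius.notexample.com from satisfying a configured value of example.com.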
Identity is used to validate the user’s identity along with the user certificate. Usually this field is required to go along with a user certificate.
The uploaded client certificate is converted into an encrypted string. When a device requests the certificate, the certificate is decrypted and the device bundles it into a PKCS 12 file that is saved in the Android Keystore system.
The configured SCEP server will provide the certificate, which is bundled into a PKCS 12 file that is saved to the Android Keystore.
The new client certificate needs to be uploaded via the ArborXR web portal before/when the previous one expires.
If renewals are available from the SCEP server, the device will attempt to re-enroll before the certificate expires.