Monday 19 September 2022

Android Enterprise devices losing Wi-Fi network when using proxy

This was a little awkward to solve, especially as the devices were single app kiosks and the device settings were not available. This was my scenario:

  • Devices: Zebra TC52X handheld scanner
  • Management platform: Microsoft Endpoint Manager (Intune)
  • Android Enterprise: Corporate-owned dedicated devices
  • Kiosk: single app (Chrome)
  • Proxy: Zscaler (devices could not connect to corporate apps without going through proxy)

This would periodically show up on the devices (No internet connection). It would also present after every restart.


On restart, kiosk operators were told that the device had limited Wi-Fi connectivity. It was a straightforward temporary workaround. The operator had to double-click the message.


The operator had to check the box Don't ask again for this network and click Yes.

This would solve the problem for a while, but would inconvenience the operators. I wanted to solve this programmatically. Before I could do that I had to understand what was happening.

This issue is caused by captive portal detection. A captive portal is what we call a network that requires your action before it allows you to connect to the Internet. This action could be to log in using a username and password, or just to accept the network's terms and conditions.

The way most networks do this is by redirecting you to such a page. Chrome will make automatic connections to detect these redirects. When those happen, you may see a notification indicating that you may need to log into the network. Normally, after you do this, the tab will be closed automatically. Occasionally, it will be kept around to display a message from the network's owners. These actions can happen seamlessly using open Wi-Fi systems. However, this becomes problematic in conjunction with a corporate proxy. The solution is to disable captive portal detection.

Luckily Zebra (and other vendors) provide a solution for that. I can create a Zebra StageNow profile which can be exported to and deployed by Intune. See the Zebra documentation for details on installing and using StageNow.

Launch StageNow and create a new profile.


Choose your MX version (10.1 in my case) and select Xpert Mode. Click Create.


Give your profile a name and click Next.


Select Wi-Fi and click the Plus icon to move it over to the Config column. Click Add.


Scroll down and check the "Specify Advanced options" box to expose more options.


Search for Captive Portal detection and choose Disable.


Complete the wizard.


Complete the profile and generate the StageNow configuration barcode. You can also export to XML after creating your StageNow profile by clicking Export for MDM.

<wap-provisioningdoc>
  <characteristic version="10.1" type="Wi-Fi">
    <parm name="UseRegulatory" value="0" />
    <parm name="UseDiagnosticOptions" value="0" />
    <parm name="UseAdvancedOptions" value="1" />
    <characteristic type="AdvancedOptions">
      <parm name="CaptivePortalDetection" value="0" />
    </characteristic>
    <parm name="UseHotspotOptions" value="0" />
  </characteristic>
</wap-provisioningdoc>

This is the XML generated. Once we have the XML, we can import it into Intune and assign it to a group.
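Because the XML is applied to the device as-is, it is worth confirming that the export changes only the settings you reviewed before pasting it into Intune. The following is an added example, not part of the original post or of Zebra's tooling; `BASELINE`, `flatten` and `review` are names made up here, and the baseline is simply the XML shown above.

```python
import xml.etree.ElementTree as ET
# The XML exported in the post, embedded so the example runs offline.
EXPORTED_XML = """<wap-provisioningdoc>
  <characteristic version="10.1" type="Wi-Fi">
    <parm name="UseRegulatory" value="0" />
    <parm name="UseDiagnosticOptions" value="0" />
    <parm name="UseAdvancedOptions" value="1" />
    <characteristic type="AdvancedOptions">
      <parm name="CaptivePortalDetection" value="0" />
    </characteristic>
    <parm name="UseHotspotOptions" value="0" />
  </characteristic>
</wap-provisioningdoc>"""

# Reviewed baseline: (characteristic path, parm name) -> value, from that XML.
BASELINE = {
    ("Wi-Fi", "UseRegulatory"): "0",
    ("Wi-Fi", "UseDiagnosticOptions"): "0",
    ("Wi-Fi", "UseAdvancedOptions"): "1",
    ("Wi-Fi/AdvancedOptions", "CaptivePortalDetection"): "0",
    ("Wi-Fi", "UseHotspotOptions"): "0",
}

def flatten(node, path=()):
    """Yield (path, parm name, value) for every parm, walking nested characteristics."""
    for child in node:
        if child.tag == "characteristic":
            yield from flatten(child, path + (child.get("type", "?"),))
        else:  # a parm, or an element the baseline does not know about
            name = child.get("name") if child.tag == "parm" else f"<{child.tag}>"
            yield "/".join(path), name, child.get("value")

def review(xml_text, baseline=BASELINE):
    """Return findings; an empty list means the XML sets exactly the baseline."""
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        return [f"unexpected root element <{root.tag}>"]
    findings, seen = [], {}
    for path, name, value in flatten(root):
        if (path, name) in seen:
            findings.append(f"duplicate {path}:{name}")
        seen[(path, name)] = value
        if (path, name) not in baseline:
            findings.append(f"unreviewed {path}:{name}={value}")
        elif baseline[(path, name)] != value:
            findings.append(f"changed {path}:{name}={value}, expected {baseline[(path, name)]}")
    findings += [f"missing {p}:{n}" for p, n in sorted(baseline.keys() - seen.keys())]
    return findings

print(review(EXPORTED_XML))  # [] when the export matches the baseline
```

Any non-empty result means the export differs from what was reviewed, for example because another setting was toggled in the StageNow wizard.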


In the MEM admin console, create a Device Configuration profile of type OEMConfig.


Enter a name and select the OEMConfig app; in this case it's the one for Zebra. Each vendor will have their own OEMConfig app, which must be added to Intune in advance.


Select Configure > select the three dots next to Transaction Steps > and then select Add setting.


You will see a list of settings.



From the list of settings, select Device Administration Configuration.


Under Device Administration Configuration only two settings are required.
  • Action = SubmitXML
  • Submit XML = the .xml data we copied above. Paste it into this field.

Complete the wizard to create the device configuration profile and assign it to a group of your devices. You won't see the No internet connection warning again or be prompted that you have limited connectivity.

Until next time......






