Android Configuration: Difference between revisions

From Opendium Documentation
Jump to navigation Jump to search
(Created page with " ==Important note: compatibility with safeguarding obligations== In July 2016, Google [https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html announced] that Android applications would no longer trust any certificates which are installed by the user. This limitation cannot be overridden by the user, nor by the administrator of devices that are managed through an MDM. This limitation does not ''currently'' affect web browsing from Android...")
 
(I have amended how to install a CA certificate for a stand alone android device.)
 
(3 intermediate revisions by one other user not shown)
Line 10: Line 10:


==One-to-one devices==
==One-to-one devices==
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device.  Scroll down for information regarding shared devices.
This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device.  Scroll down for information regarding [[Android Configuration#Shared devices|shared devices]].


*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system.  Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''.  If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''Single User Devices''.
*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking a network access controller to the Opendium system|send RADIUS accounting data]] to the Opendium system.  Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''RADIUS''.  If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User identification|User Identification]] mode to ''Single User Devices''.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.  Some devices can automatically log in to the captive portal using the WISPr protocol. Unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.  Some devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network. Unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.


If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium interception certificate, either through an MDM or:
If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate, either through an MDM or:


*Ensure that a lock screen PIN is configured on the Android device
*Ensure that a lock screen PIN is configured on the Android device
*Launch Chrome and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
*Launch Chrome and browse to https://''<your Opendium host name>''/opendium.crt or scan the QR code that is displayed on the [[Web]] tab.
*You will be asked to name the certificate, enter "Opendium" and press OK
*Once downloaded you will get a pop up message saying: "Install CA certificates in Settings - This certificate from null must be installed in Settings. Only install CA certificates from organisations that you trust" Select close
*Open Settings -> Security -> Encryption & Credentials -> Install a certificate.
*Select CA certificate: a message appears saying "Your data won't be private....snip....data is encrypted" select Install anyway
*Enter your pin or biometrics to install and locate the opendium.crt file you saved above, tap this and you should a message flash up saying "CA certificate installed"
*Tap back, and confirm the certificate is installed by clicking "Trusted credentials" then select User and you should see the opendium.crt there.
*The certificate should now be installed in the system and browsing to https pages no longer give you an insecure warning.


Note that once the decryption certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".
Note that once the decryption certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".
Line 33: Line 38:
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).


If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium interception certificate.  This is usually done through your MDM system.
If the network's [[Web: Permissions & Limits#HTTPS decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate.  This is usually done through your MDM system.


Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting.  If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User identification|User Identification]].
Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting.  If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User identification|User Identification]].
[[Category:Client Configuration]]
[[Category:Client Configuration]]

Latest revision as of 16:09, 27 February 2024

Important note: compatibility with safeguarding obligations

In July 2016, Google announced that Android applications would no longer trust any certificates which are installed by the user. This limitation cannot be overridden by the user, nor by the administrator of devices that are managed through an MDM. This limitation does not currently affect web browsing from Android devices, but does make it impossible for most other apps to be appropriately filtered or monitored, beyond simply allowing or blocking the entire app. This also introduces a significant administrative overhead, as it forces administrators to make a decision over which apps to allow through unfiltered, and to maintain lists of the services that must therefore not be decrypted.

Despite numerous attempts by filtering suppliers and schools to open a dialogue with Google, Google has stated that this is the intended behaviour and that it will not be fixed.

We firmly believe that schools cannot meet their statutory safeguarding obligations, to appropriately filter and monitor the children who are under their care, if they are not able to use HTTPS decryption technologies. Through their hostility towards these important online safety technologies, Google are unnecessarily endangering children and creating significant liabilities for schools. Unfortunately, we feel that we cannot recommend that schools purchase Android devices, and that they should instead opt for Apple or Microsoft.

We do acknowledge that, where Bring Your Own Device networks are concerned, schools do not have a choice over which devices are used. We will always endeavour to provide the best possible support for all types of devices, no matter what the supplier's position is regarding online safety technologies.

One-to-one devices

This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding shared devices.

  • If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system. Set the User Identification mode to RADIUS. If 802.1x authentication cannot be used, Set the User Identification mode to Single User Devices.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. Some devices can automatically log in to the captive portal using the WISPr protocol whenever the device reconnects to the network. Unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.

If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate, either through an MDM or:

  • Ensure that a lock screen PIN is configured on the Android device
  • Launch Chrome and browse to https://<your Opendium host name>/opendium.crt or scan the QR code that is displayed on the Web tab.
  • Once downloaded you will get a pop up message saying: "Install CA certificates in Settings - This certificate from null must be installed in Settings. Only install CA certificates from organisations that you trust" Select close
  • Open Settings -> Security -> Encryption & Credentials -> Install a certificate.
  • Select CA certificate: a message appears saying "Your data won't be private....snip....data is encrypted" select Install anyway
  • Enter your pin or biometrics to install and locate the opendium.crt file you saved above, tap this and you should a message flash up saying "CA certificate installed"
  • Tap back, and confirm the certificate is installed by clicking "Trusted credentials" then select User and you should see the opendium.crt there.
  • The certificate should now be installed in the system and browsing to https pages no longer give you an insecure warning.

Note that once the decryption certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".

Shared devices

This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

  • Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to send RADIUS accounting data to the Opendium system.
  • Set the User Identification mode to RADIUS.
  • Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-tablet". This user must exist on the Opendium system.
  • The user must use the captive portal to authenticate.
  • When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's HTTPS Decryption mode is set to Active, you must install your unique Opendium inspection certificate. This is usually done through your MDM system.

Shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable User Identification.