Android

Important Note: Compatibility With Safeguarding Obligations

In July 2016, Google announced that, from Android 7.0 (Nougat), applications would by default no longer trust any certificates which are installed by the user. The new default applies to every app that targets API level 24 or later; only the app's own developer can opt back in, through the app's Network Security Configuration, and neither the user nor the administrator of devices that are managed through an MDM can override that choice. This limitation does not currently affect web browsing from Android devices (browsers such as Chrome continue to trust user-installed certificates), but it does make it impossible for most other apps to be appropriately filtered or monitored, beyond simply allowing or blocking the entire app. It also introduces a significant administrative overhead, as it forces administrators to decide which apps to allow through unfiltered and to maintain lists of the services that must therefore not be decrypted.
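Because the decision is made by each app's own Network Security Configuration, an administrator can at least predict which apps will and will not be filterable. The following Python script is an added example (it is not part of this page, nor Opendium's or Google's code) that models the documented trust-anchor rules: given an app's targetSdkVersion, the contents of its network_security_config.xml (extracted from the APK, for instance) and a host name, it reports whether the app would trust a user- or MDM-installed CA for that host, and whether it pins certificates for that host, which blocks interception regardless. The two configuration files embedded in the script are constructed samples; the script re-implements the matching and inheritance rules rather than running any Android code.

```python
"""Which Android apps will trust a user-installed interception CA?

Added example: models the trust-anchor rules of Android's Network Security
Configuration (res/xml/network_security_config.xml, named by
android:networkSecurityConfig in the manifest). Not Android's own code.
The two configs at the bottom are constructed samples.
"""
import xml.etree.ElementTree as ET


def _sources(trust_anchors):
    """The src values of the <certificates/> children of a <trust-anchors>."""
    return {c.get("src", "") for c in trust_anchors.findall("certificates")}


def _default_sources(target_sdk):
    """Platform default since Android 7.0: apps targeting API 24 or later
    trust only the system store; older targets also trust the user store."""
    return {"system", "user"} if target_sdk < 24 else {"system"}


def _match(domain_el, host):
    """Specificity of a <domain> rule for host (0 = no match). An exact match
    outranks any includeSubdomains match; among those, the longer rule wins."""
    pattern = (domain_el.text or "").strip().lower()
    if not pattern:
        return 0
    if host == pattern:
        return 1000 + len(pattern)
    subdomains = domain_el.get("includeSubdomains", "false").lower() == "true"
    return len(pattern) if subdomains and host.endswith("." + pattern) else 0


def evaluate(config_xml, target_sdk, host):
    """Return {'trusts_user_ca': bool, 'pinned': bool, 'rule': str} for an
    HTTPS connection from the app (config_xml may be "" for no config)."""
    host = host.lower().rstrip(".")
    sources, pinned, rule = _default_sources(target_sdk), False, "platform default"
    if not config_xml:
        return {"trusts_user_ca": "user" in sources, "pinned": pinned, "rule": rule}

    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    if base is not None and base.find("trust-anchors") is not None:
        sources, rule = _sources(base.find("trust-anchors")), "base-config"

    # Most specific matching <domain> wins; unmatched hosts fall back to base.
    best = (0, sources, pinned, rule)

    def walk(dc, parent_sources, parent_pinned):
        nonlocal best
        anchors = dc.find("trust-anchors")
        cur_sources = _sources(anchors) if anchors is not None else parent_sources
        cur_pinned = parent_pinned or dc.find("pin-set") is not None
        for d in dc.findall("domain"):
            score = _match(d, host)
            if score > best[0]:
                best = (score, cur_sources, cur_pinned,
                        "domain-config " + d.text.strip())
        for child in dc.findall("domain-config"):  # nested configs inherit
            walk(child, cur_sources, cur_pinned)

    for dc in root.findall("domain-config"):
        walk(dc, sources, pinned)

    _, sources, pinned, rule = best
    return {"trusts_user_ca": "user" in sources, "pinned": pinned, "rule": rule}


# Constructed sample: the opt-in only a developer can ship so that the app
# trusts user-installed CAs again. Nothing a user or MDM does has this effect.
OPT_IN_CONFIG = """<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample: trusts user CAs in general, but pins one API domain and
# restricts a sub-domain of it to the system store.
PINNED_CONFIG = """<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
        <domain-config>
            <domain>cdn.api.example.com</domain>
            <trust-anchors><certificates src="system"/></trust-anchors>
        </domain-config>
    </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for cfg, sdk, host in [("", 23, "www.example.com"), ("", 24, "www.example.com"),
                           (OPT_IN_CONFIG, 28, "www.example.com"),
                           (PINNED_CONFIG, 28, "v1.api.example.com"),
                           (PINNED_CONFIG, 28, "cdn.api.example.com")]:
        print(sdk, host, evaluate(cfg, sdk, host))
```

Run against a real app's extracted config, a host it is seen connecting to and its targetSdkVersion, a `trusts_user_ca` of False (or `pinned` of True) means that app can only be allowed or blocked as a whole, not decrypted.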

Despite numerous attempts by filtering suppliers and schools to open a dialogue with Google, Google has stated that this is the intended behaviour and that it will not be fixed.

We firmly believe that schools cannot meet their statutory safeguarding responsibilities to appropriately filter and monitor the children under their care if they are unable to use HTTPS decryption technologies.  Through their hostility towards these important online safety technologies, Google are unnecessarily endangering children and creating significant liabilities for schools.  Unfortunately, we feel that we cannot recommend that schools purchase Android devices, and that they should instead opt for Apple or Microsoft devices.

We do acknowledge that, where Bring Your Own Device networks are concerned, schools do not have a choice over which devices are used.  We will always endeavour to provide the best possible support for all types of devices, no matter what the supplier's position is regarding online safety technologies.

One-to-One Devices

This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or under a bring your own device (BYOD) scheme. Devices used by more than one person are covered under Shared Devices, below.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM (e.g. in a BYOD setting), this is usually inconvenient and the transparent proxy can be used. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • If possible, configure your wireless network to use 802.1X (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • If you are using 802.1X and RADIUS accounting, log the device onto the network with the user's own credentials, so that the accounting records identify the user.
  • If you are not using 802.1X and RADIUS accounting, the user must authenticate through the captive portal. Some devices can log in to the captive portal automatically using the WISPr protocol; unfortunately WISPr has been patented by Apple and is therefore not supported by most Android devices.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate, either through an MDM or manually as follows:

  • Ensure that a lock screen PIN is configured on the Android device.
  • Launch Chrome and browse to https://<your Web Gateway / UTM host name>/opendium.crt, or scan the QR code that is displayed on the Web Proxy page.
  • You will be asked to name the certificate: enter "Opendium" and press OK. If the dialog also asks for a credential use, leave it set to VPN and apps (not Wi-Fi), otherwise the certificate will not be used for HTTPS connections.

Note that once the interception certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".

Setting the proxy on the device is optional, but can be done by following these steps:

  • Launch the Settings app
  • Tap Wi-Fi
  • Long-press your wifi network in the list
  • Tap Modify network config (the exact label varies between Android versions and manufacturers)
  • Tick Show advanced options
  • Scroll down to Proxy settings
  • Set the proxy to Manual
  • Set the proxy address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128
  • Tap Save

Shared Devices

This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM, this is usually inconvenient and the transparent proxy can be used. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • Configure your wireless network to use 802.1X (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • Log the device onto the network with a user name that ends in "$" (a device account rather than a user account).
  • Each user must authenticate through the captive portal.
  • When the user has finished with the device, they must disconnect it from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard) so that their session is ended before the next user picks up the device.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. This is usually done through your MDM system.

Setting the proxy on the device is optional, but recommended and is usually done through your MDM system.

Authenticated shared devices cannot be supported on networks which do not support 802.1X and RADIUS accounting.