Android

One-to-One Devices

This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device (BYOD). Scroll down for information regarding shared devices.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM (e.g. in a BYOD setting), setting the proxy is usually inconvenient, so the transparent proxy can be used instead. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • If possible, configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. Some devices can automatically log in to the captive portal using the WISPr protocol. Unfortunately, WISPr has been patented by Apple and is therefore not supported by most Android devices.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate, either through an MDM or:

  • Ensure that a lock screen PIN is configured on the Android device.
  • Launch Chrome and browse to https://<your Web Gateway / UTM host name>/opendium.crt or scan the QR code that is displayed on the Web Proxy page.
  • You will be asked to name the certificate; enter "Opendium" and press OK.

Note that once the interception certificate is installed, the device will always show a notification that states "Network may be monitored by an unknown third party".

Setting the proxy on the device is optional, but can be done by following these steps:

  • Launch the Settings app
  • Tap Wi-Fi
  • Long-press your Wi-Fi network in the list
  • Tap Modify network config
  • Tick Show advanced options
  • Scroll down to Proxy settings
  • Set the proxy to Manual
  • Set the proxy address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128
  • Tap Save

Shared Devices

This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM, setting the proxy is usually inconvenient, so the transparent proxy can be used instead. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • Configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • Log the device onto the network with a user name that ends in "$".
  • The user must use the captive portal to authenticate.
  • When the user has finished with the device, they must disconnect from the Wi-Fi (i.e. turn Wi-Fi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. This is usually done through your MDM system.

Setting the proxy on the device is optional but recommended, and is usually done through your MDM system.

Authenticated shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting.