WiFi Profile Settings changing on IOS 11 updated devices

Malcolm
Contributor II

Our wifi wpa2 enterprise profile is randomly changing its authentication method, on random ipads on ipads that have been updated? From the back end it doesnt appear to be a setting being overwritten by a re pushed profile, rahter than IOS 11 reading the existing profile incorrectly?

It appears to be changing from a user auth login to a cert auth login

has anyone else seen this?

ee873806b67f4c34b207dfcf860aebc3

8 REPLIES 8

ncarvalheiro87
New Contributor II

Hi Malcom,

I encountered that issue before and spent hours finding solutions, only to realise its a wifi configuration profile if you set as EAP TLS requiring a cert.

Try looking at your config profiles scoped to the affected iPad to see if there is any Wifi settings and try adjusting to one that can work for your wireless environment,

my 2c experience,
Nuno C.
Technician - Pymble Ladies College (Australia)

ivanlovisi
New Contributor III

Hi Malcom,
we have had the same problem,
in the end we saw that apple does not support removes support for TLS connections using SHA-1 certificates anymore
(https://support.apple.com/en-us/HT207828)
Now, while our certificate is being updated to the sha-2 standard,
we have included in the profile besides the Intermediates Certificate also the End-User certificate.

Graeme
Contributor

We have the same issue (also on "eduSTAR.net" running SHA-2), certificate based auth just stops working and brings up the logon prompt. Often just reconnecting to any network and poling the MDM resolves the issue but lately many iOS11 devices need the profile removed (excluded fro the scope) and then added back again.

We reduced the incidence with iOS 9 & 10 by adding two identical Wi-Fi profiles. So far in iOS11 this hasn't helped.

Regards
Graeme

Malcolm
Contributor II

@Graeme I replied to your techoom post on apple config 2.5 and DEP enrollment a few questions over there for you if you have a moment.

One of which was, did you encounter any issues with having the same profile installed twice? I have a special SSID profile thats unauthenticated, for times where the shit hits the fan and you just need their wifi profiles fixed, with the SSID disabled over the network, its come in handy a few times.

Graeme
Contributor

Until now there has been no issue with having a clone of the WIFI profile installed along with the original one. Something is going on with iOS11 that I haven't got to the bottom of yet but it does not seem related to having the two profiles.

I have an open Wi-Fi access point that pretty much only allow access to .apple.com, .symcd.com, *.edge.com, mdm.ourschool.edu.au, 17.0.0.0/8, 23.0.0.0/8 and a few other sites. I add this profile to all mobile devices and often any problem is fixed when the students walk in and before they can show me it. :-)

Regards
Graeme

Malcolm
Contributor II

@Graeme Yeah we have a similar setup, but just not the double wifi profile.

Problem for us is we use sonar for our firewall, and it doesn't allow domain wildcards for firewalling these rules have to be IP natted out specific connections.

I still haven't been able to solve my wifi profile issue, yet, through this new manual DEP method the mdm profile absorbs the wifi profile installed on the device through apple config, and I haven't found a way to remove it or replace it via JSS, I've found hack ways, but nothing that is going to be straight forward for day to day.

My first method was to use an expiring profile, but that hasn't removed.

My second was to use a AC2.5 profile with the same identifier profile id code from the wifi one in JSS, but JSS hasn't overwritten it. But I think that might be a false positive, so I am going to test another device, as there was still previous data, listing the original profile, which shouldn't be showing any more.

gracetyler
New Contributor III

@Malcolm and anyone else that could possibly help me determine what issue or issues might be going on.

Did you ever have any luck removing a profile added through Configurator 2.5 on a managed device running iOS 11? I want to troubleshoot the issue we’re having by removing the enrollment WiFi profile but I haven’t found a way to remove config profiles not added through the JSS. The issue we’re experiencing is iPads dropping the Public WiFi network that’s pushed out via the JSS. I’m not convinced this is config profile related because I’m seeing the issue happening on devices that were enrolled without ever connecting to configurator and instead we had students enter the WiFi password manually. Our JSS knows of the profile because I can see it as criteria for smart groups. I’m guessing this is only because the JSS taking inventory on devices that still have it. It’s unfortunately not in the JSS as a profile that can be easily unscoped to test this because it was applied using the AC2.5 and prestage config enrollment process defined in the JAMF admin guide. The supervision identity for the manual profile links back to the JSS if that helps. The other clue that this is something new is that this same enrollment process was done the same way the year before, yet there were none of these issues.

This issue presents as iPads not wanting to stay connected to WiFi when they move around the high school/between classes. iPads sometimes drop the connection for longer periods of time while pulling 169. IP addresses until WiFi is toggled off and on. Thanks in advance to anyone who can share some wisdom on this situation.

KyleEricson
Valued Contributor

I have this same issue in a corporate environment. We are moving from AirWatch to JAMF and one remote office location devices randomly will not join even though devices in AirWatch join fine on the same network and config profile. I have seen where iOS picks user name and password for the network instead of the cert based auth. Its very random and in the radius logs it just shows that the device didn't send the cert for creds. I tested on iOS 12.0.1. Anyone else see this issue? I have also factory wiped these devices with same result.


Hire me as an independent contractor.