Configure Android Wifi profile with Intune

By | February 19, 2019

I have come across many errors when creating Android and Android Enterprise/for Work Wifi profiles that authenticate with a certificate.
There seems to be a bug in the normal Wifi profile creator in Microsoft Intune. The only way I have succeeded in creating a Wifi profile for Android that validates with a certificate was with a custom OMA-URI string.

To do before deploying the Wifi profile:
1. Deploy the RootCA to the device
2. Deploy the intermediate certificate (if you have one)
3. Deploy the user certificate to the device

To configure the custom Wifi profile, do the following:

Go to the Azure portal and navigate to Intune from “All Services” at the top.

Create a profile with the following values:
Name: Type the name of your profile
Platform: Choose “Android” or “Android Enterprise”; it will work for both
Profile Type: Custom


Configure OMA-URI Settings with the following value:
Name: Corporate WiFi
OMA-URI: ./Vendor/MSFT/WiFi/Profile/SSIDNAME/Settings
Data Type: String
Value: See XML below

1. SSIDNAME: Replace “SSIDNAME” with your broadcast SSID in the OMA-URI setting above and in the XML text (Line 7).
2. SSIDHEXNAME: Replace “SSIDHEXNAME” with your broadcast SSID hex name in the XML text (Line 6). (Use a text-to-hex converter to find your SSID hex value.)
3. TrustedRootCA: Replace the “aa” in the XML text (Line 45) with the thumbprint of the RootCA that you have deployed to your devices.
4. IssuerHash: Replace the “bb” in the XML text (Line 53) with the thumbprint of the intermediate certificate that you have deployed to your devices.
NOTE: If you don’t use an intermediate certificate, replace “bb” with your RootCA thumbprint.

<?xml version="1.0"?>
<WLANProfile xmlns="">
<name>Corporate WiFi</name>
<FIPSMode xmlns="">false</FIPSMode>
<OneX xmlns="">
<EapHostConfig xmlns="">
<Type xmlns="">13</Type>
<VendorId xmlns="">0</VendorId>
<VendorType xmlns="">0</VendorType>
<AuthorId xmlns="">0</AuthorId>
<Config xmlns="">
<Eap xmlns="">
<EapType xmlns="">
<TrustedRootCA>aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa </TrustedRootCA>
<PerformServerValidation xmlns="">false</PerformServerValidation>
<AcceptServerName xmlns="">false</AcceptServerName>
<TLSExtensions xmlns="">
<FilteringInfo xmlns="">
<CAHashList Enabled="true">
<IssuerHash>bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb </IssuerHash>
<EKUName>Encrypting File System</EKUName>
<EKUName>Secure Email</EKUName>
<ClientAuthEKUList Enabled="true">
<EKUName>Encrypting File System</EKUName>
<EKUName>Secure Email</EKUName>
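
The four replacements described above can be scripted so the hex SSID and the thumbprint layout are not typed by hand. This is an added example, not part of the original post: the function names, the sample SSID "CorpWiFi", and the `<hex>`/`<name>` fragment are assumptions, and the sample certificate bytes are constructed. It assumes the thumbprint is the certificate's SHA-1 thumbprint (20 bytes, matching the 20 placeholder pairs).

```python
import base64
import hashlib
import re
from xml.sax.saxutils import escape

def ssid_to_hex(ssid: str) -> str:
    """SSIDHEXNAME value: the SSID's UTF-8 bytes as uppercase hex."""
    return ssid.encode("utf-8").hex().upper()

def format_thumbprint(raw: str) -> str:
    """Normalise a copied thumbprint to 20 space-separated byte pairs."""
    # Drops ':' and spaces, plus the invisible U+200E that can ride along on copy/paste.
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 40:
        raise ValueError("expected a SHA-1 thumbprint: 20 bytes, 40 hex digits")
    return " ".join(digits[i:i + 2] for i in range(0, 40, 2))

def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 over the DER bytes inside a PEM certificate block."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return format_thumbprint(hashlib.sha1(base64.b64decode(body)).hexdigest())

def fill_profile(template: str, ssid: str, root_tp: str, issuer_tp: str = ""):
    """Return (OMA-URI, XML) with the page's four placeholders replaced."""
    root = format_thumbprint(root_tp)
    # Per the page's NOTE: no intermediate certificate means IssuerHash = RootCA thumbprint.
    issuer = format_thumbprint(issuer_tp) if issuer_tp else root
    xml = template.replace("SSIDHEXNAME", ssid_to_hex(ssid))
    xml = xml.replace("SSIDNAME", escape(ssid))  # '&' or '<' in an SSID must be escaped
    xml = re.sub(r"(?:aa ){19}aa ?", root, xml)
    xml = re.sub(r"(?:bb ){19}bb ?", issuer, xml)
    return f"./Vendor/MSFT/WiFi/Profile/{ssid}/Settings", xml

# Constructed sample data: the PEM body is arbitrary bytes, not a real certificate,
# and the template is a cut-down fragment holding only the four placeholders.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed root CA bytes").decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_TEMPLATE = ("<hex>SSIDHEXNAME</hex><name>SSIDNAME</name>"
                   "<TrustedRootCA>" + "aa " * 20 + "</TrustedRootCA>"
                   "<IssuerHash>" + "bb " * 20 + "</IssuerHash>")

if __name__ == "__main__":
    uri, xml = fill_profile(SAMPLE_TEMPLATE, "CorpWiFi", thumbprint_from_pem(SAMPLE_PEM))
    print(uri)
    print(xml)
```

The XML on this page sets PerformServerValidation to false; in the EAP-TLS schema that element controls whether the client validates the authentication server's certificate, so review that value before deploying the profile.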
