Using WPA3 Wi-Fi Networks with Workspace ONE UEM

While the definition of Wi-Fi Protected Access 3 (WPA3) was published in January 2018 from the Wi-Fi Alliance there seems still not that much usage in the field. I got asked some week ago where we are with this and putted together a list and tested with a Android & iOS Device. While macOS has the same APIs as iOS , but the GUI is a bit different I broke it down for every single operating system.

Note: This Blog is coming out early July 2023 and is representing the current state.

Android

On Android there is no Differences between WPA or WPA2 or WPA3 , so you just can select the “WPA/WPA2” setting of Workspace ONE UEM and it will connect even to a WPA3 Network.

Documentation from Android Enterprise: https://developer.android.com/reference/android/net/wifi/WifiConfiguration

iOS

For iOS there are 3 APIs that can be used with the 23.02 UEM Version . You can select the “Any (Personal)” section or the “WPA2 Personal” or the “WPA3”. This is due to Apple having the WPA2 setting in the Encryption Type used for WPA2 and WPA3. The “Any” option is not filtering any WPA/ WEP version and will connect to the network as long as the SSID and the password matches. The option “WPA3” will only connect to WPA3 Networks.

This is the same for “WPA2 Enterprise” and “Any (Enterprise)” and “WPA3 Enterprise”as they use the same API for setting the Encryption type, so just select them even through the label is not 100% accurate.

the Documentation from Apple is available here:

https://developer.apple.com/documentation/devicemanagement/wifi

macOS

For macOS there are 2 APIs that can be used with the 23.02 UEM Version (might change in future) . You can select the “Any (Personal)” section or the “WPA2 Personal”. This is due to Apple having the WPA2 Setting in the Encryption Type used for WPA2 and WPA3. The “Any” option is not filtering any WPA/ WEP version and will connect to the network as long as the SSID and the Password matches.

This is the same For “WPA2 Enterprise” and “Any (Enterprise)” as they use the same API for setting the level, so just select them even through the label is not 100% accurate.

the Documentation from Apple is available here:

https://developer.apple.com/documentation/devicemanagement/wifi

Windows

Windows supports WPA3 as well as Wifi 6 since Windows 10 2004:

  • WPA3-Enterprise 192-bit mode authentication.
  • WPA3-Enterprise authentication.
  • WPA3-Simultaneous Authentication of Equals (WPA3-SAE) authentication AKA Personal

Workspace ONE UEM does not have the interface to create the profile from the UI for WPA3 but as this is supported by CSP, we can create a custom profile and use that to configure the device.

Note : The certificate are not specified in the Wifi configuration so can be deployed in a separate profile if needed.

Create WlanXML

Configure the SSID on a Windows Machine using the Windows interface. Once created run the following command to export the XML.

netsh wlan export profile "My Network" folder=C:\temp

You can list all the wifi configured on the machine by using this command

netsh wlan show profiles

If you need to edit and want to understand the format the reference is available here :
WLAN Profile Schema : https://learn.microsoft.com/en-us/windows/win32/nativewifi/wlan-profileschema-schema
Also 802.1x use the OneX Format detailled here : https://learn.microsoft.com/en-us/windows/win32/nativewifi/onexschema-schema

Create custom profile

You will need to “escape” the WLAN profile

From < > to &lt; &gt;

You can use notepad++ with the “XML Tools” plugin

Change {Device|User} to Device for machine profile and User for user profile and add the escaped WLAN XML into the Data section

Install Profile

<Replace>
	<CmdID>9c25464e-037d-4c0e-99a6-0c4eef5e4c44</CmdID>
	<Item>
		<Target>
			<LocURI>./{Device|User}/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml</LocURI>
		</Target>
		<Meta>
			<Format xmlns="syncml:metinf">chr</Format>
		</Meta>
		<Data> { WLan XML } </Data>
	</Item>
</Replace>

Note : The {SSID} variable need to match the real SSID and is case sensitive. If the SSID contains spaces you need to convert them to html. Example : My Network convert to My%20Network

Remove Profile

<Delete>
	<CmdID>bee0ccd6-64f2-47a8-9c98-42677cdd1526</CmdID>
	<Item>
		<Target>
			<LocURI>./{Device|User}/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml</LocURI>
		</Target>
	</Item>
</Delete>

XML Example

<Replace>
	<CmdID>9c25464e-037d-4c0e-99a6-0c4eef5e4c44</CmdID>
	<Item>
		<Target>
			<LocURI>./Vendor/MSFT/WiFi/Profile/My%20Network/WlanXml</LocURI>
		</Target>
		<Meta>
			<Format xmlns="syncml:metinf">chr</Format>
		</Meta>
		<Data>&lt;WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"&gt;&lt;name&gt;My Network&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;NdolCorpSSID&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;auto&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;&lt;OneX xmlns="http://www.microsoft.com/networking/OneX/v1"&gt;&lt;authMode&gt;machine&lt;/authMode&gt;&lt;EAPConfig&gt;&lt;EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"&gt;&lt;EapMethod&gt;&lt;Type xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;21&lt;/Type&gt;&lt;VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;311&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"&gt;&lt;EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1"&gt;&lt;ServerValidation&gt;&lt;DisablePrompt&gt;true&lt;/DisablePrompt&gt;&lt;/ServerValidation&gt;&lt;Phase2Authentication&gt;&lt;EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"&gt;&lt;EapMethod&gt;&lt;Type xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;13&lt;/Type&gt;&lt;VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon"&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"&gt;&lt;Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"&gt;&lt;Type&gt;13&lt;/Type&gt;&lt;EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"&gt;&lt;CredentialsSource&gt;&lt;CertificateStore&gt;&lt;SimpleCertSelection&gt;true&lt;/SimpleCertSelection&gt;&lt;/CertificateStore&gt;&lt;/CredentialsSource&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames /&gt;&lt;TrustedRootCA&gt;QWERTYUIOPLKJHGFDSAZXCVBNM&lt;/TrustedRootCA&gt;&lt;/ServerValidation&gt;&lt;DifferentUsername&gt;false&lt;/DifferentUsername&gt;&lt;PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"&gt;false&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"&gt;false&lt;/AcceptServerName&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/Phase2Authentication&gt;&lt;Phase1Identity&gt;&lt;IdentityPrivacy&gt;true&lt;/IdentityPrivacy&gt;&lt;/Phase1Identity&gt;&lt;/EapTtls&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</Data>
	</Item>
</Replace>

Reference :

Written by
Website | + posts

vExpert, blogger and VMware & Omnissa champion. Worked 10 years as a Architect for a partner before joining VMware in 2017. Moved to Omnissa in 2024.

Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP