Set up managed end user devices to automatically connect to GovWifi
Technical teams should follow this implementation guide to enable their users to connect to GovWifi in government buildings.
The GovWifi service is currently in private beta, which means we’re still testing and improving it. It’s available only in government organisations taking part in the private beta. Request to take part by emailing firstname.lastname@example.org.
This guidance from Common Technology Services sets out how to enable your end users to connect to GovWifi. Follow this guide to configure managed end user devices for secure wifi access to:
- the internet
- corporate networks using a virtual private network (VPN)
This guidance is not intended to inform your organisation’s buying decisions. Government Digital Service (GDS) does not recommend specific products.
On managed and unmanaged devices, end users must follow the terms and conditions for connecting to GovWifi.
Meet GovWifi requirements
Your wifi installation must meet the requirements defined in the 'sharing workplace wireless networks' guidance, and your end users' wireless devices must support WPA2-Enterprise (AES) encryption, which authenticates each user over 802.1X. Deploy client isolation on your wireless network so that someone with a valid account cannot reach, and attack, other users' devices on the same SSID.
You must configure:
- managed devices to automatically check that the network presents the correct server certificate (the expected certificate name, issued by the expected certificate authority), so users cannot be tricked into connecting to a fake network that uses the same SSID
- WPA2-Enterprise (AES) encryption to ensure privacy of the traffic over the air
- an anonymous outer identity, so the user's real username is only ever sent inside the encrypted tunnel and not in the clear
Technical teams should automate this process by deploying profiles to managed devices. Users who set up their own devices must compare wireless certificates to the information they receive on sign up.
Deploy GovWifi profiles to managed devices remotely
You should deploy profiles to your managed devices for automatic certificate checking. Use mobile device management solutions across multiple platforms, or operating system specific mechanisms such as Windows Group Policy or Apple Profile Manager.
Download the XML profile for Windows
Download this XML file and store it in a network location available to users. Devices with this profile installed will automatically check the network's certificate. The user just needs to enter their details once they have signed up to the service.
Deploy the XML profile to managed devices
Add the following to your users’ login script:
netsh wlan add profile filename="govwifi.xml" user=all
Replace the filename with the full path to the profile.
Prioritise the GovWifi profile
GovWifi must be the highest priority service set identifier (SSID) in your organisation, except for SSIDs that provide access to privileged networks using device certificates.
Add the following to your users’ login script (you may need to change the interface name for your environment):
netsh wlan set profileorder name="GovWifi" interface="Wi-Fi" priority=1
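The two netsh commands above are the whole deployment; what a technical team usually also wants is a login script that refuses to install a profile that does not actually enforce the requirements set out earlier (WPA2/AES and automatic server certificate checking), finds the wireless interface name rather than hard-coding "Wi-Fi", and confirms the result. The following PowerShell script is an added example, not the GovWifi profile or a GDS script. The UNC path, the profile name "GovWifi", the optional CA thumbprint parameter and the wireless adapter detection rule are assumptions for illustration; the XML element names it checks are the ones the Windows WLAN profile schema uses.

```powershell
# Added example (not GDS code): install the GovWifi WLAN profile for all users,
# make it the top-priority SSID, and verify what was installed.
# Assumptions: $ProfilePath is a placeholder UNC path; the profile is named
# "GovWifi"; $ExpectedCaThumbprint is a placeholder for the CA thumbprint
# given to the technical team at sign-up (leave blank to skip that check).
param(
    [string]$ProfilePath = '\\fileserver\netlogon\govwifi.xml',
    [string]$ProfileName = 'GovWifi',
    [string]$ExpectedCaThumbprint = ''
)

$ErrorActionPreference = 'Stop'

# Read one element by local name, ignoring the profile's XML namespaces.
function Get-ProfileValue([xml]$Doc, [string]$LocalName) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$LocalName']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

# 1. Inspect the profile before installing it. A profile that prompts the user
#    to accept an unknown server or CA gives an attacker a "click OK" path.
[xml]$profileXml = Get-Content -Path $ProfilePath -Raw
$auth        = Get-ProfileValue $profileXml 'authentication'
$enc         = Get-ProfileValue $profileXml 'encryption'
$noPrompt    = Get-ProfileValue $profileXml 'DisableUserPromptForServerValidation'
$serverNames = Get-ProfileValue $profileXml 'ServerNames'
$trustedCa   = Get-ProfileValue $profileXml 'TrustedRootCA'

if ($auth -ne 'WPA2' -or $enc -ne 'AES') {
    throw "Profile uses $auth/$enc; GovWifi requires WPA2-Enterprise with AES"
}
if ($noPrompt -ne 'true' -or -not $trustedCa -or -not $serverNames) {
    throw 'Profile must pin the server name and root CA and disable user prompts for server validation'
}

# Optional: confirm the pinned CA matches the sign-up details and is present
# on the machine, otherwise PEAP will fail (silently, because prompts are off).
if ($ExpectedCaThumbprint) {
    $pinned = ($trustedCa -replace '\s', '').ToUpperInvariant()
    $want   = ($ExpectedCaThumbprint -replace '\s', '').ToUpperInvariant()
    if ($pinned -ne $want) { throw "Profile pins CA $pinned but sign-up details say $want" }
    $inStore = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA -ErrorAction SilentlyContinue |
               Where-Object Thumbprint -eq $want
    if (-not $inStore) {
        Write-Warning "CA $want is not in the machine certificate store; deploy it or connections will fail"
    }
}

# 2. Install the profile for all users of the device.
netsh wlan add profile filename="$ProfilePath" user=all | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh wlan add profile failed with exit code $LASTEXITCODE" }

# 3. Find the wireless adapter instead of assuming it is called "Wi-Fi".
#    Assumption: the driver reports a PhysicalMediaType containing 802.11.
$iface = Get-NetAdapter -Physical |
         Where-Object { $_.PhysicalMediaType -match '802\.11' } |
         Select-Object -First 1 -ExpandProperty Name
if (-not $iface) { $iface = 'Wi-Fi' }

# 4. Make GovWifi the highest-priority SSID on that interface.
netsh wlan set profileorder name="$ProfileName" interface="$iface" priority=1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh wlan set profileorder failed with exit code $LASTEXITCODE" }

# 5. Verify the profile is now listed for the interface (the profile name
#    appears in the output whatever the system language).
$listed = (netsh wlan show profiles interface="$iface") -match [regex]::Escape($ProfileName)
if (-not $listed) { throw "$ProfileName is not listed on interface $iface after installation" }
Write-Output "$ProfileName installed on '$iface' with priority 1"
```

If you keep a profile that a previous version of this script installed, rerunning it is safe: netsh overwrites an existing profile with the same name, and setting the order again is idempotent. Keep the CA thumbprint check enabled in production so that a profile edited to pin the wrong CA, or a device missing the CA, is caught on the device rather than reported by a user who simply cannot connect.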
Default behaviour on operating systems
The table below shows the default behaviour when connecting to GovWifi on different operating systems.
| Operating system | Default behaviour | Wifi network verification |
| --- | --- | --- |
| Windows XP, Windows 7 and Windows 8.0 (no profile configured) | The end user is presented with an error message: 'Can't connect to network'. To fix this, install the Windows profile and see the behaviour below. | Not applicable |
| Windows (profile configured) | Prompts for credentials | This is defined in the Windows profile: the certificate name and certificate authority (CA) are checked automatically. |
| Windows 8.1 and 10 | Presents thumbprint | The end user should compare the thumbprint with the details available during sign up. You can install a profile to automate certificate checking. Devices on a domain will need to add a backslash ( |
| Apple OS X | Presents certificate | The user should compare the certificate name and CA with the details available during sign up. |
| Apple iOS | Presents certificate | The user should compare the certificate name and CA with the details available during sign up. |
| BlackBerry | Depends on BlackBerry Enterprise Server policy | Not applicable |
| Android versions before 7 (Nougat) | Prompts for credentials and CA certificate | The end user device doesn't check the certificate unless one is installed. It doesn't check the certificate name, so it is insecure. You can download the certificate. |
| Android version 7 (Nougat) or later | Prompts for credentials and CA certificate | The end user device doesn't check the certificate unless one is installed. You can download the certificate. |
| ChromeOS | Prompts for credentials and CA certificate | The end user device doesn't check the certificate unless one is installed. You can download the certificate. |
Provide support for GovWifi
As a technical team, you must provide technical support to users of the devices you manage, even if they are in a different building. You should provide a ‘best effort’ support service for unmanaged devices trying to connect to your wifi infrastructure.
GDS does not support end users of GovWifi directly. GDS will talk to technical teams:
- once they have completed all diagnostic tests
- if they find a problem with the central authentication service
Published: 13 December 2016