Guidance

Set up managed end user devices to automatically connect to GovWifi

Technical teams should follow this implementation guide to enable their users to connect to GovWifi in government buildings.

GovWifi, developed by GDS, is currently in public beta. This means we’re still testing and improving it. It’s only available in government organisations taking part in the public beta. Request to take part by emailing govwifi-support@digital.cabinet-office.gov.uk.

This guidance explains how to help your end users to connect to GovWifi. Follow this guide to configure managed end user devices for secure wifi access to:

  • the internet
  • corporate networks using a virtual private network (VPN)

This guidance is not intended to inform your organisation’s buying decisions. Government Digital Service (GDS) does not recommend specific products.

On managed and unmanaged devices, end users must follow the terms and conditions for connecting to GovWifi.

Meet GovWifi requirements

Your wifi installation must meet the GovWifi technical requirements.

You must configure:

  • managed devices to automatically check that the correct certificate is presented by the network so users don’t connect to fake networks
  • WPA2-Enterprise (AES) encryption to ensure privacy
  • anonymous identity to encrypt usernames

You should automate this process by deploying profiles to managed devices. End users who set up their own devices must compare wireless certificates to the information they receive on sign up.

Deploy GovWifi profiles to managed devices remotely

You should deploy profiles to your managed devices for automatic certificate checking. Use mobile device management solutions across multiple platforms, or operating system specific mechanisms such as Windows Group Policy or Apple Profile Manager.

Get the XML profile for Windows

Copy and paste this XML file to a network location available to users. Devices with this profile installed will automatically check the certificate. The user just needs to enter their details once they have signed up to the service.
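Before the profile goes on the share, it can be checked against the three settings listed under ‘Meet GovWifi requirements’. The script below is an added example, not GDS or GovWifi code. Its sample profile is constructed and simplified (placeholder server name and CA hash), and the element names are assumed to follow Microsoft’s WLAN and PEAP profile schemas.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample (not the GovWifi profile); server name and CA hash
# are placeholders and the EAP nesting is flattened to keep the sample short.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>GovWifi</name>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
   <useOneX>true</useOneX></authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius.example.invalid</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
   </ServerValidation>
   <PerformServerValidation>true</PerformServerValidation>
   <IdentityPrivacy><EnableIdentityPrivacy>true</EnableIdentityPrivacy>
    <AnonymousUserName>anonymous</AnonymousUserName></IdentityPrivacy>
  </EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # match on local name, ignoring namespaces
        values.setdefault(local, []).append((el.text or "").strip())

    def first(name):
        return values.get(name, [""])[0]

    findings = []
    if (first("authentication"), first("encryption"), first("useOneX").lower()) != ("WPA2", "AES", "true"):
        findings.append("not WPA2-Enterprise (AES)")
    if first("PerformServerValidation").lower() == "false":
        findings.append("server validation switched off")
    if not first("ServerNames"):
        findings.append("no server name pinned")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA pinned")
    # Assumption: a fully automatic check means the user is never asked to trust a new server.
    if first("DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user can be prompted to trust an unknown server")
    if first("EnableIdentityPrivacy").lower() != "true":
        findings.append("anonymous identity not set")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE) or "profile passes all checks")
```

Because elements are matched by local name, the same function can be pointed at the text of a profile exported from a reference device.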

Deploy the XML profile to managed devices

Add the following to your users’ login script:

netsh wlan add profile filename="govwifi.xml" user=all

Replace the filename with the full path to the profile.

Read about Active Directory Group Policy and how to create certificate profiles in configuration manager.

Prioritise the GovWifi profile

GovWifi must be the highest priority service set identifier (SSID) in your organisation, except for SSIDs that provide access to privileged networks using device certificates.

Add the following to your users’ login script (you may need to change the interface name for your environment):

netsh wlan set profileorder name="GovWifi" interface="Wi-Fi" priority=1

Default behaviour on operating systems

The table below shows the default behaviour when connecting to GovWifi on different operating systems.

| Operating system | Default behaviour | Wifi network verification |
|---|---|---|
| Windows XP, Windows 7 and Windows 8.0 (no profile configured) | The end user is presented with an error message: ‘Can’t connect to network’. To fix this, install the Windows profile and see behaviour below. | Not applicable |
| Windows (profile configured) | Prompts for credentials | This is defined in the Windows profile - the certificate name and certificate authority (CA) are checked automatically. |
| Windows 8.1 and 10 | Presents thumbprint | The end user should compare the thumbprint with the details available during sign up. You can install a profile to automate certificate checking. Devices on a domain will need to add a backslash (\) before the username. |
| Apple OS X | Presents certificate | The user should compare the certificate name and CA with the details available during sign up. |
| Apple iOS | Presents certificate | The user should compare the certificate name and CA with the details available during sign up. |
| Blackberry | Depends on Blackberry Enterprise Server policy | Not applicable |
| Android versions previous to 7 (Nougat) | Prompts for credentials and CA certificate | The end user device doesn’t check the certificate unless one is installed. It doesn’t check the certificate name so is insecure. You can download the certificate. |
| Android version 7 (Nougat) or later | Prompts for credentials and CA certificate | The end user device doesn’t check the certificate unless one is installed. You can download the certificate. |
| ChromeOS | Prompts for credentials and CA certificate | The end user device doesn’t check the certificate unless one is installed. You can download the certificate. |

Read ‘connect to GovWifi’ for more information about manually connecting different operating systems.

Provide support for GovWifi

You must provide technical support to users of the devices you manage, even if they are in a different building. You should provide a ‘best effort’ support service for unmanaged devices trying to connect to your wifi infrastructure.

GDS does not support end users of GovWifi, but will support you:

  • once you have completed all diagnostic tests
  • if you find a problem with the central authentication service

Published 13 December 2016