Have an iOS device switch over to a cert based ssid with no user interaction



We are in the process of a POC project of migrating our iOS devices from a wpa2 ssid to a wpa2 enterprise cert based ssid.  Using our mdm platform, we are going to send out the new profile that will contain the ssid and cert.  But iOS will not automatically connect to a new network the first time...a user must tap on the network to connect to it.  After that it will auto-join to it when the network is in range.  But we want it to be a silent switch over with no user interaction.  I consider this to be very similar to how iOS devices use the 'attwifi' ssid.  They auto connect with no user interaction.  Any idea how?  I found the carrier apn on the internet:

    <key>attwifi</key>
    <dict>
        <key>AuthMethod</key>
        <string>WISPr</string>
        <key>AuthenticationRealm</key>
        <string>attmobilityiphone.com</string>
        <key>Password</key>
        <string>%attmd5%</string>
        <key>SharedSecret</key>
        <string>a446649326d41d87dbb8caec8caf736a</string>
        <key>TrustedDomains</key>
        <array>
            <string>.wayport.net</string>
            <string>.att.net</string>
            <string>.att.com</string>
            <string>.sbc.com</string>
        </array>
        <key>UserName</key>
        <string>%phonenumber%</string>
    </dict>
</dict>

I was thinking that it could just be modified for our purposes and then pushed out as a custom profile through our mdm.  Would that work?


If you turn off the old one, they will have to connect to the new one ;)  I don't see how a click to connect is worth your time and effort to be honest.  It will take the user like .2 seconds -- do they not move between networks all the time as part of their normal use of said iOS device?

Normally they are mobile devices and come in contact with multiple wifi networks that are used - I don't see how having a user click connect one time is a topic for discussion in a migration to a new, more secure, more robust system?

So you're using EAP-TLS, pushing out individual certs to each client is quite a bit of logistics -- I would think that 1 user click, and actually this could be used as a good security promotion thing - letting the users know you're using a new, more secure model, etc.


The process that we have come up with is this:

1. Using our mdm platform we are going to push out the new wifi profile that contains the cert

2. Once it is confirmed that the iPad has received the new profile we will use the mdm to remove the old wifi profile

3. The iPad should now jump over and automatically connect to the new wifi network as the cert has been automatically added into the iPad keychain

Now we have confirmed that this works on an iPad 2 running OS 6.1.3 and 7.  But it doesn't seem to want to work on OS 5.1.1.  The reason we are testing on 3 different versions is because we have all 3 out in the field and we have to support them.  I cannot figure out why this won't work on 5.1.1.  It could be because the only devices that we have available to test with that have 5 on it are original iPads.  Did Apple change the wifi antenna with the iPad 2 and above that would cause it to work with the iPad 2 but not the original iPad?

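What the MDM-pushed Wi-Fi profile for a migration like the one described in the first and third posts looks like, as an added example (not code from the thread, from the MDM vendor, or from Apple): it builds the WPA2 Enterprise / EAP-TLS payload with plistlib, sets AutoJoin, points the Wi-Fi payload at the device's PKCS#12 identity, pins the RADIUS server's CA so there is no server-trust prompt for the user to accept, and checks the cross-references that commonly leave a pushed profile unable to join. The SSID, organisation identifier, server name and certificate blobs are constructed placeholders; the real DER and PKCS#12 bytes come from your PKI.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method number that AcceptEAPTypes uses for EAP-TLS


def _payload(ptype, name, org, **extra):
    # Keys every payload carries, plus the payload-specific ones passed in extra
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
            "PayloadIdentifier": f"{org}.{ptype}", "PayloadUUID": str(uuid.uuid4()).upper(), **extra}


def build_profile(ssid, ca_der, p12_blob, p12_password, server_names, org="example.org"):
    # Trusted CA + per-device identity + the Wi-Fi payload that ties them together
    ca = _payload("com.apple.security.root", "RADIUS issuing CA", org, PayloadContent=ca_der)
    ident = _payload("com.apple.security.pkcs12", "Device Wi-Fi identity", org,
                     PayloadContent=p12_blob, Password=p12_password)
    wifi = _payload("com.apple.wifi.managed", f"Wi-Fi {ssid}", org,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, EncryptionType="WPA2",
                    AutoJoin=True,                                # join without the user tapping the SSID
                    PayloadCertificateUUID=ident["PayloadUUID"],  # identity the device presents
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        "TLSTrustedServerNames": list(server_names),
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # pin the RADIUS CA
                        "TLSAllowTrustExceptions": False,  # no "Trust?" tap for an unknown server
                    })
    return _payload("Configuration", f"{ssid} (EAP-TLS)", org, PayloadContent=[ca, ident, wifi])


def to_xml(profile):
    return plistlib.dumps(profile)  # the XML plist an MDM pushes as the .mobileconfig (unsigned here)


def check_profile(profile):
    # Returns the problems that would leave the device prompting or unable to join; [] means clean
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for wifi in (p for p in by_uuid.values() if p["PayloadType"] == "com.apple.wifi.managed"):
        eap = wifi.get("EAPClientConfiguration", {})
        ident = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if not wifi.get("AutoJoin"):
            problems.append("AutoJoin is false: the user must tap the network once")
        if ident is None or ident["PayloadType"] != "com.apple.security.pkcs12":
            problems.append("PayloadCertificateUUID does not reference a PKCS#12 identity payload")
        if not eap.get("TLSTrustedServerNames") or not eap.get("PayloadCertificateAnchorUUID"):
            problems.append("RADIUS server not pinned: set TLSTrustedServerNames and an anchor CA")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append("TLSAllowTrustExceptions lets the user accept an unknown server")
    return problems


# Constructed placeholder blobs; a real profile carries DER and PKCS#12 bytes from the PKI
SAMPLE = build_profile("corp-eap", b"DER-CA-PLACEHOLDER", b"PKCS12-PLACEHOLDER",
                       "per-device-export-password", ["radius.corp.example"])
```

Removing the old SSID's profile afterwards, as the third post describes, is a separate MDM command; this block only produces and checks the new profile.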
