Summary
An Android device connected to a WiFi network where Decrypt and Inspect policies are employed will display messages suggesting that internet access is restricted, and will not be able to download items from the Google Play store.
Problem
Android devices on Android 7 or above use certificate pinning to prevent network devices from decrypting and inspecting HTTPS traffic. Certificate pinning allows the client (Android) to ensure that communication with a server isn't being tampered with, by checking that the server certificate is signed by a certificate authority trusted by the client.
Unfortunately, on Android 7 and above, user-installed certificate authorities are not trusted by Android, which means many applications will not work when Decrypt and Inspect policies are applied.
When an Android device connects to a wireless network, it sends out a number of HTTP and HTTPS requests to identify whether it has internet access and whether it is sitting behind a captive portal. When Decrypt and Inspect policies are applied, these HTTPS requests fail due to the use of certificate pinning, and the device believes internet access to be restricted.
You should still be able to browse the internet through your browser, but Android will display a warning message, and display either an "x" or an "!" next to the WiFi icon. An attempt to access the Google Play store will fail and a message will be displayed to the user informing them that the device does not have an internet connection.
Solution
NOTE: The solution involves placing the "google.com" domain into a "Do Not Inspect" HTTPS policy. Doing this means that Smoothwall will have no visibility of search terms entered on Google, and you will need to set up the "Force SafeSearch via CONNECT header" content modification policy to ensure SafeSearch is always turned on for your users.
- Navigate to 'Guardian > Policy objects > Categories' and create a custom category named "Android connectivity checks".
- Under the "Domains/URLs" heading enter the following:
https://google.com
https://ggpht.com
https://googleusercontent.com
https://gvt1.com
https://googleapis.com
- Navigate to 'Guardian > HTTPS Inspection > Policy Wizard' and create a new policy as below:
Who: Everyone*
What: Android connectivity checks
Where: Everywhere*
When: Always*
Action: Do not inspect
* Change as appropriate
- Save your new policy and, in the HTTPS Inspection table ('Guardian > HTTPS Inspection > Manage Policies'), ensure that it is placed at the top of the table.
You should now find that Android devices are able to connect to the WiFi immediately with no cosmetic indicators to suggest otherwise, and you should be able to download applications from the Google Play store.
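To confirm the policy is taking effect, check which certificate authority issued the certificate presented for each listed domain, from a client on the filtered network. The Python script below is an added example, not part of the original article or of Smoothwall's tooling; the CA name "Example Inspection CA" and the sample certificate are constructed placeholders to replace with your own inspection CA's name.

```python
import socket
import ssl

# Domains from the "Android connectivity checks" category above.
DOMAINS = ["google.com", "ggpht.com", "googleusercontent.com",
           "gvt1.com", "googleapis.com"]
# Constructed sample of SSLSocket.getpeercert() output (not a real certificate).
SAMPLE = {"issuer": ((("organizationName", "Example School"),),
                     (("commonName", "Example Inspection CA"),))}

def issuer_names(cert):
    """Return organizationName/commonName values of the issuer from the
    dict produced by SSLSocket.getpeercert()."""
    wanted = {"organizationName", "commonName"}
    return [value for rdn in cert.get("issuer", ())
            for key, value in rdn if key in wanted]

def classify(cert, inspection_ca):
    """'inspected' if the issuer names the inspection CA, else 'not inspected'."""
    needle = inspection_ca.lower()
    if any(needle in name.lower() for name in issuer_names(cert)):
        return "inspected"
    return "not inspected"

def check(host, inspection_ca, timeout=5):
    """Handshake with host:443 and classify the certificate that arrives."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), inspection_ca)
    except ssl.SSLCertVerificationError:
        # Chain or name did not verify against this client's trusted roots,
        # as happens on a client that lacks the inspection CA when decrypted.
        return "verification failed"
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"

if __name__ == "__main__":
    CA_NAME = "Example Inspection CA"  # assumption: your inspection CA's name
    print("sample:", classify(SAMPLE, CA_NAME))
    for domain in DOMAINS:
        print(f"{domain:24} {check(domain, CA_NAME)}")
```

With the "Do not inspect" policy at the top of the table, every reachable domain should report "not inspected".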