An Android device indicates no internet connection but is successfully connected to the network and is not able to download updates from the Google Play Store.
This issue happens when an Android device tries to connect to a network with a HTTPS Decrypt & Inspect policy. This happens because the Google and Android security checks the connectivity, which can break some application’s downloads and updates on the device, even though the "normal" web browser traffic is intercepted successfully.
- From the Guardian menu, under the Policy object submenu, click Categories and create a custom category called "Connectivity Checks" with these URL's in the Domain/URL filtering box.
- Place the "Connectivity Check" category within a block policy above a Whitelist for Connect for Chromebooks policy in your web filter policy table.
- Make sure you have a “Do Not Inspect” policy for Connect for Chromebooks above your normal “Decrypt & Inspect” policy in your HTTPS inspection policy table.
This was tested with the following Authentication policy behaviour successfully: Block HTTPS traffic with no SNI header, Allow HTTPS Incompatible sites & Allow HTTPS Incompatible sites and filter others by using name from certificate.
Once the Android device connects to the network, you can see an "x" icon and the Wi-Fi indicates a connection but no Internet. It also provides a "Sign in to a Wi-Fi network" option, which when you click it, a Smoothwall blockpage is displayed. You can then choose the "Use this network as is" option, which makes the "x" icon disappear. The device should now download updates and install new software from the Google Play Store correctly.
This happens because when the device connects to the network with MiTM running, Google and Android perform a connectivity check and they try to get to one of the above URLs, which they expect a blank page/empty response. As the network is being MiTM'd with Decrypt & Inspect this is not possible. So instead, by selecting the “sign in to a Wi-Fi network” option bypasses this connectivity check, until the next time the device connects to the network.