Netgate Discussion Forum

How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?

Firewalling
12 Posts 3 Posters 1.4k Views
  • L
    letuanvn
    last edited by Feb 18, 2020, 8:31 AM

    Hi All,
    I am facing a problem. I installed Squid Proxy & Squid Guard successfully.
    I applied Group ACLs to reject some websites; done for Windows, Linux, Mac.
    But I wonder how I use wifi on the LAN network
    --> HOW can I deploy Certificate automation to mobile?
    Could you please help me resolve this problem?

    Thanks and best regards,
    Tony

    • G
      Gertjan @letuanvn
      last edited by Gertjan Feb 18, 2020, 1:57 PM Feb 18, 2020, 1:55 PM

      @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

      --> HOW can I deploy Certificate automation to mobile?

      Not just a certificate. Your question is valid for everything : files, settings, programs, updates, just everything.
      There is only one answer possible : you can't.
      You have to take control physically of every device, use its interface to import certs and other stuff into it - and this has to be done every time for every device when changes happen.
      And why do you think that it is even possible to automate these kinds of things ? It would have been known by everybody ! (like " hey, someone put in something into my device without me knowing about it" [ You would like this ?? ]) Have a close look at an iOS (example) based device. Not the look the end user has, but the "network admin look". An iOS based device is a closed environment. Only Apple might pull this one off : "pushing" info into the device. The rest of us : read = the device owners, are just "pulling".

      As you might know, Microsoft has built something based on group policy management that enables managing close to everything on a central point. This works pretty good, if your network is pure "Microsoft only", of course.

      @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

      But I wonder how I use wifi on the LAN network

      I don't understand.
      What about : insert an AP into your LAN and call it a day ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • L
        letuanvn
        last edited by Feb 19, 2020, 1:34 AM

        Thanks for quick feedback! Gertjan

        As you know, Squid Guard requires a Certificate to apply rules that reject URLs and to apply a blacklist.
        If a PC or mobile does not have a Certificate (of pfSense), it cannot access the internet.
        So, with a PC you can install easily & I wonder about the mobile phone. How can I install the CER on a mobile phone? (IOS, Android)

        • G
          Gertjan @letuanvn
          last edited by Feb 19, 2020, 3:21 AM

          @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

          So, with a PC you can install easily & I wonder about the mobile phone. How can I install the CER on a mobile phone? (IOS, Android)

          That's the core question.
          Guess so .... not sure. But Google showed me that it can be done https://support.quovadisglobal.com/kb/a64/how-do-i-install-a-digital-certificate-onto-an-iphone-or-ipad.aspx
          pfSense can export p12 certs.
          So, mail it up, and instruct the iPhone user.
          It might be wise not to use non-trusted certs. That's where the acme package kicks in, and you'll be needing a domain name.
          Samsung devices : probably also.

          So, actually, it could be done - although not fully automated. But hey, I could be wrong twice today ^^

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??
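
Added example, not part of the thread or of pfSense: a check to run on an exported file before mailing it to phone users as suggested above, confirming it holds only certificates. A PKCS#12 (.p12) bundle normally carries a private key next to the certificate, while client devices need only the CA certificate. The stub byte strings and file names are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stubs with only the outer DER shape; NOT real certificates or bundles.
CERT_STUB = bytes.fromhex("308201003081f0") + b"constructed-cert"
P12_STUB = bytes.fromhex("30820a00020103") + b"constructed-p12"

def to_pem(label: str, der: bytes) -> str:
    """Wrap bytes in PEM armor (used here only to build sample input)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def der_kind(der: bytes) -> str:
    """Classify a DER blob by the first element inside its outer SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        return "UNKNOWN"
    # Skip the length field: 1 byte in short form, 1 + n bytes in long form.
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    if der[i:i + 3] == b"\x02\x01\x03":  # INTEGER 3: PKCS#12 PFX version
        return "PKCS12"
    if der[i:i + 1] == b"\x30":          # nested SEQUENCE: tbsCertificate
        return "CERTIFICATE"
    return "UNKNOWN"

def inspect_export(data: bytes) -> dict:
    """List what an exported file holds and whether it is certificate-only."""
    blocks = PEM_RE.findall(data.decode("ascii", errors="ignore"))
    if blocks:
        items = [(label, base64.b64decode(body)) for label, body in blocks]
    else:
        items = [(der_kind(data), data)]
    labels = [label for label, _ in items]
    prints = [hashlib.sha256(der).hexdigest()
              for label, der in items if label == "CERTIFICATE"]
    return {"labels": labels, "sha256": prints,
            "safe_to_distribute": bool(prints) and set(labels) == {"CERTIFICATE"}}

if __name__ == "__main__":
    bundle = (to_pem("CERTIFICATE", CERT_STUB) + to_pem("PRIVATE KEY", b"constructed-key")).encode()
    for name, blob in [("ca.crt", to_pem("CERTIFICATE", CERT_STUB).encode()),
                       ("ca+key.pem", bundle), ("ca.p12", P12_STUB)]:
        print(name, inspect_export(blob))
```

The reported SHA-256 value is the certificate fingerprint, which can be published so users can compare it with what the phone displays before trusting the certificate.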

          • L
            letuanvn
            last edited by Feb 19, 2020, 4:06 AM

            Hi Gertjan,
            Thank you again for your answer!
            I have referred to some guides on Google, the same as you. But it's manual to add to the phone.
            I would like to make it easy for end users --> Automatic.

            Example: Network Policy Server (NPS) of Microsoft, auto apply certificate when the mobile connects to wifi; the end user only hits TRUST on the certificate and accesses the internet successfully.

            Many thanks if you have anything more that is good for me to proceed to the next step.
            Thanks,
            Tony

            • G
              Gertjan @letuanvn
              last edited by Feb 19, 2020, 9:49 AM

              @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

              Example: Network Policy Server (NPS) of Microsoft, auto apply certifi

              A notable difference here is : these devices are not owned by the users, they are merely the tools they use to work with. The owner - the company, will state what to do when and how up front.
              Devices used on a captive portal are owned by the users themselves.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • L
                letuanvn
                last edited by Feb 20, 2020, 2:06 AM

                Actually, I would like to protect personal devices' access to the LAN network.
                So, I use Squid Guard and I get trouble with Mobile Phone. (Cannot install Certificate, cannot access the internet)

                • L
                  letuanvn
                  last edited by Feb 20, 2020, 9:46 AM

                  Can anybody help?

                  • G
                    Gertjan @letuanvn
                    last edited by Feb 20, 2020, 10:27 AM

                    @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

                    Mobile Phone

                    Well ... for the iPhones/iPad, etc you're ok, right ? You saw the link. It's hands-on time now.
                    Pretty sure by now that 'the other one' (Samsung) can import certs also.

                    Why do you want to protect devices ? With Squid ?
                    All traffic is already TLS ... Mobile devices have no open ports (users can't mess them up as they do with their PC's).
                    You could even put your AP's in "isolating mode" (something that Windows does as an OS when it asks you if the network is Private or Public).

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • N
                      NollipfSense @letuanvn
                      last edited by NollipfSense Feb 22, 2020, 5:01 PM Feb 22, 2020, 5:01 PM

                      @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

                      Can anybody help?

                      You're stubborn...as Gertjan already stated, it won't work...for Samsung, get an OTG cable and transfer the certificate to a jump drive, then connect the drive to the OTG cable and install...for IOS, you can use iTunes or the iCloud or email as that's a closed environment.

                      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                      • L
                        letuanvn @NollipfSense
                        last edited by letuanvn Feb 24, 2020, 2:55 AM Feb 24, 2020, 2:54 AM

                        @NollipfSense Thanks for your feedback!
                        I understood what Gertjan means. But it's a manual action.

                        • N
                          NollipfSense @letuanvn
                          last edited by NollipfSense Feb 24, 2020, 3:16 PM Feb 24, 2020, 3:16 PM

                          @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?:

                          @NollipfSense Thanks for your feedback!
                          I understood what Gertjan means. But it's a manual action.

                          It cannot be done automatically as you're wanting to do.

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.
