I have also face same issue.
Please follow below steps in android 11 or 11+.
In Android 11, to install a CA certificate, users need to manually:
- Open Device settings
- Go to 'Security'
- Go to 'Encryption & Credentials'
- Go to 'Install from storage' or 'Install a certificate' (depend on devices)
- Select 'CA Certificate' from the list of types available
- Accept a warning alert.
- Browse to the certificate file on the device and open it
- Confirm the certificate install
Pixel 6 - Android 14
- Open Device settings
- Go to Security and privacy
- Go to More security and privacy (scroll to the bottom)
- Go to 'Encryption & Credentials'
- Go to 'Install from storage' or 'Install a certificate' (depending on the devices)
- Select 'CA Certificate'
- tap on 'Install anyway' and verify security (thumb or PIN etc)
- Select your downloaded certificate (it could be available in the downloaded folder)
- can see a toast message 'CA certificate installed'. Certificate installed in your device now.
On "modern" Samsung phones
it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway
Answer from Yogendra on Stack OverflowCan't install CA certificate on Android 11 - Stack Overflow
SOTI Discussion Forum
New ways to inject system CA certificates in Android 14
Installing the certificate on Android device?
Videos
I have also face same issue.
Please follow below steps in android 11 or 11+.
In Android 11, to install a CA certificate, users need to manually:
- Open Device settings
- Go to 'Security'
- Go to 'Encryption & Credentials'
- Go to 'Install from storage' or 'Install a certificate' (depend on devices)
- Select 'CA Certificate' from the list of types available
- Accept a warning alert.
- Browse to the certificate file on the device and open it
- Confirm the certificate install
Pixel 6 - Android 14
- Open Device settings
- Go to Security and privacy
- Go to More security and privacy (scroll to the bottom)
- Go to 'Encryption & Credentials'
- Go to 'Install from storage' or 'Install a certificate' (depending on the devices)
- Select 'CA Certificate'
- tap on 'Install anyway' and verify security (thumb or PIN etc)
- Select your downloaded certificate (it could be available in the downloaded folder)
- can see a toast message 'CA certificate installed'. Certificate installed in your device now.
On "modern" Samsung phones
it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway
There's a tiny note about this in the Android 11 enterprise changelog here, which says:
Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.
Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.
Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.
That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.
If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729
Hi all. I was just gifted a Samsung Android tablet. I was trying to figure out how to get the certificate running on it so I can have it as a bit of a general purpose family device and figured having it run against the filtered side of my XG would be the best bet. On my iPad, it was simple, as I just downloaded the .pem, imported it accordingly, and I was off to the races. On Android I need to install a separate app it seems? And it requires login? I was previously using clientless users for the general purpose/kid-specific devices. Should I be using an actual user account to log in to this app in order to get the certificate rolling? I looked up the documentation but it basically said download app, then visit user portal (https://IP.of.XG.here without the :4444) and then log in. But I looked at the log in step like... why? Log in with what?
Guess I'm just a little taken back as I didn't have to do this on iPad. Should I be using user accounts? Are they superior to clientless users in some way?
EDIT - I started thinking about this more and while I still haven't been able to add the cert on this Android device (PS, it's Android 7, and I read about some issues with Nougat??), I realized I can still do content filtering without HTTPS scanning. For some reason in my mind I thought I had to have a cert installed to do that.
I simply cloned my existing Child-Devices firewall rule but unchecked HTTPS decryption and also changed out the source in the firewall rule from Child-Devices to a new group I made; Child-Devices-No-HTTPS-Scan. With my home LAN I base everything on segments of my IP range mostly because it's easy for home and I can handle it without issue, so I created a small 5 address IP range and plopped the Android tablet in there, and just like clockwork, I was getting blocked on various sites (things like playboy.com etc) WITH the block page (as opposed to the "certificate error" page you can often get). I was certain the block page only came up with the cert installed. I was even able to maintain safe search enforcement + YouTube restriction. Thinking back I believe I was previously pushed to intercept Google/Bing/etc search results which the cert/HTTPS decrypt was required for. I'd still like to get the cert installed on this Android tablet if at all possible but 99% of my concern with some sort of basic filtering being on this device was effectively fixed with that realization. Anyway, felt the need to follow up in case anybody in the future ends up here. :)