============================================================ GWS Device Certificate — Android Installation Guide ============================================================ REQUIREMENTS: - Android 7.0+ (Nougat or later) - Chrome browser installed - The .p12 certificate file - The CA certificate file (ca.crt) — optional but recommended ============================================================ METHOD 1: Manual Install (any Android device) ============================================================ Step 1: Transfer the .p12 file to your Android device - Email it to yourself (open on device) - Transfer via USB - Download from CertManager web UI (open URL in Chrome on device) Step 2: Install the client certificate - Go to: Settings → Security → Advanced → Encryption & credentials → Install a certificate → VPN & app user certificate - Browse to the .p12 file - Enter the import password (if any, otherwise leave blank) - Give it a name (e.g., "GWS Device Cert") Step 3: Install the CA certificate (recommended) - Go to: Settings → Security → Advanced → Encryption & credentials → Install a certificate → CA certificate - Browse to the ca.crt file - Confirm the security warning Step 4: Verify - Open Chrome → navigate to https://auth.indomaret.co.id - Chrome should prompt you to select the certificate - Select your device cert → authentication should succeed NOTE: On Android, Chrome will always show a certificate picker dialog. There is no auto-select policy like on desktop. ============================================================ METHOD 2: Google Workspace MDM (managed devices) ============================================================ If Android devices are managed via Google Workspace: Step 1: Google Admin Console - Go to: Devices → Mobile & endpoints → Settings → Networks - Add a new certificate profile Step 2: Upload certificates - Upload the .p12 client certificate - Upload the CA certificate (ca.crt) - Set the certificate type to "Identity" Step 3: Assign to OUs - Assign the certificate profile to target OUs - Devices will automatically receive the cert on next sync Step 4: Chrome policy (optional) - Device management → Chrome → Settings → Content - Add AutoSelectCertificateForUrls policy ============================================================ METHOD 3: Android Enterprise (Work Profile) ============================================================ If using Android Enterprise work profiles: - The IT admin can push certificates via: - Google Workspace device management - Microsoft Intune - VMware Workspace ONE - Other EMM/MDM solutions - Certificates are installed in the work profile's keystore - Only work apps (including work Chrome) can access them ============================================================ TROUBLESHOOTING ============================================================ Q: Chrome doesn't show the certificate picker A: Make sure the certificate is installed as "VPN & app user certificate", NOT as a "CA certificate". Also restart Chrome. Q: "Certificate not trusted" error A: Install the CA certificate (ca.crt) via Settings → Security → Install certificate → CA certificate Q: Can I use Firefox on Android? A: Firefox on Android uses its own certificate store. You'd need to import via Firefox settings → Certificates. Recommended: use Chrome for the best experience. Q: Certificate auto-select? A: Unlike desktop Chrome, Android Chrome does NOT support AutoSelectCertificateForUrls unless the device is managed via Android Enterprise / MDM. Users will see a picker dialog. ============================================================ SUPPORTED ANDROID VERSIONS ============================================================ Android 7.0+ : Full support (manual install) Android 10+ : Recommended (improved cert management UI) Android 11+ : Best experience (scoped storage, better security) Android 13+ : Per-app certificate selection available ============================================================