Can't install CA certificate on Android 11 on Work Profile

Question

Given self-signed CA certificate file which was generated on device, I'm trying to figure out a way to install it on work profile, since the traditional way of installing CA certificates using android.security.KeyChain.createInstallIntent() no longer works, neither on personal profile nor work profile.

I noticed that on some devices (for example, Pixel device), there is no system settings UI for installing CA certificate on work profile (only for personal profile), while other devices (for example, Samsung Galaxy S10+ and Galaxy S8+) does provide a system UI to install CA certificates on work profile. But since it's not available across all device manufacturers, I cannot rely on it.

According to Android Developers documentation of Android Enterprise changes in Android 11, only DPC apps or apps delegated by DPC apps can install and revoke CA certificates in work profile programatically.

But not all DPC apps support this API (exist in Test DPC but not in Microsoft's Intune Company Portal).

I'm lost, does anybody know a way that will always work?

Answer 1

It's been a while and I made progress and observed multiple MDM platforms.

Most MDM clients does use this API to install certificates programmatically but it's being activated from the MDM management platform, rather then the MDM DPC app itself.

So if my goal is to install certificate that is generated on device it cannot be done using the MDM DPC app (all least not using the MDM platforms I encountered).

However, I can still install certificate using the MDM management platform, usually for root CA certificates which are deployed on multiple devices, rather then per-device certificates.