Page updated: 18/01/2024

Where to get geteduroam

What is geteduroam?

The geteduroam app works by tapping into the central eduroam CAT (cat.eduroam.org) service. geteduroam is being developed for the global education sector by several organisations in Europe, amongst them NORDUnet and SURF. Its homepage is here.

Not all organisations providing eduroam are present on eduroam CAT, but by starting to type the name of your organisation, the list of organisations is filtered down. If your organisation cannot be found, please contact their IT department and ask them to join eduroam CAT (it's free through their national eduroam operator, in the UK's case, Jisc).

eduroam CAT stands for 'eduroam Configuration Assistance Tool', and it does what it says on the box - It attempts to provide a standardised way for organisations (universities, colleges, schools, research organisations, etc) to on-board their students and staff onto eduroam. Because setting up enterprise-class Wi-Fi used to require messing about with registry keys and API calls (on Windows) and either overly-simplified settings (Apple) or overly-complex settings (Android), providing installers (Windows), configuration files that the phone understood (Apple and Google Chrome) and apps that could read standardised configuration files and set things up (Android) for you was the next best solution.

Veteran Android users will know the 'eduroam CAT' app (the 'CAT app') well. Unfortunately, the CAT app is no longer developed, mostly because it uses old application calls in Android that Google no longer supports, and Google will not allow apps that use them to be updated. The geteduroam app now provides the same functionality in a better user experience, including the ability to check that your username is in the correct format (a common problem when connecting to eduroam). geteduroam also provides the ability to use newer ways to connect to eduroam (such as EAP-TLS client certificates), which apps like the CAT app were unable to. Because the geteduroam app provides this more consistent way of connecting to eduroam, it is also available on iOS and iPadOS, and Windows. 

NOTE: Because of the way the geteduroam app installs the eduroam settings (and the fact that it supports EAP-TLS), you must keep the geteduroam app on your phone. If you delete the app, the eduroam settings will also be deleted, and you will not be able to connect to eduroam anymore without either reinstalling the app or by manually configuring your device. 

Common Issues and Questions:

Here are some common issues that are discovered when using geteduroam on Android and Apple devices.

1. Unable to find your organisation on geteduroam: This is likely because your organisation is either not set up on the eduroam CAT, or, if it is, has not set the profile to be published on eduroam CAT. It has to be marked as 'production ready' before it shows up on eduroam CAT. In this instance, please contact your organisation's IT department and ask them to set that flag.
    
2. Unable to set up eduroam because an existing eduroam connection exists: If you set up eduroam yourself by tapping on the eduroam Wi-Fi name and typing in your username and password (on iOS) or configuring it with all the settings (on Android), you have to delete the network connection by tapping on the info icon or the Wi-Fi connection and choose 'Forget Network'. That should delete the details, and geteduroam should be able to set up the connection. 
    
3. Unable to set up eduroam because a 'profile' exists: This usually happens when you downloaded a profile from the eduroam CAT website and installed it (usually this happens on iOS phones). You need to delete or uninstall the profile first. It usually is called 'eduroam'. Then try the geteduroam app again.
    
4. Getting an 'Invalid profile' error: This is the most annoying error. It can indicate that there is a problem with the profile. The problems include:
   • Additional checks made by the device's OS that don't like one of the settings in the profile and rejecting them,
   • The Certificate Authority root certificate not having a name (i.e. the CN setting does not exist),
   • Or, most often, the subjectAltName setting in the server certificate being missing or not matching the CN setting.
    
   These usually mean that your IT department has to fix that, and then ask you to retry. We at eduroam(UK) will be happy to test the profile using one of the many Android and iOS devices we have access to, so please raise this with your IT department 
    
   On some iOS versions, and some phones (such as Samsung phones) it actually means that it was successful, but it didn't connect to eduroam. The best way to check is to turn Wi-Fi off, wait a few moments, and then turn it back on. Then check in the Wi-Fi settings whether it has connected to eduroam. If the problem persists, please also check point 8 below, or let your IT department know and ask them to escalate it to us. We'll try and find out why this happens.
    
   If you are using an HONOR phone (with MagicOS 7.1 / Android 13), scroll to point 15 at the bottom where we have a solution for you!
    
5. The eduroam settings disappeared from the phone when geteduroam was deleted: Yes, that is correct. geteduroam installs the settings, but they are not set up to be independent from the app. So, when you delete the app, the settings are deleted too, and so is your eduroam connection. This is particularly a requirement when your organisation uses so-called client certificates to connect you to eduroam (using an authentication method called EAP-TLS), because the app keeps tabs on when your certificate is due to expire and will remind you to renew it. 
    
   It's not ideal, but the user experience is better. Leave the app on the phone, it doesn't use your location and it does not track you. It only requires the ability to modify your Wi-Fi settings and, on some devices, access to your files to be able to read the config file and write certificates out. 
    
6. Why use the geteduroam app when the 'eduroam CAT' app works? The answer is simple: the 'eduroam CAT' app is no longer being maintained. The primary reason is Google. Google publishes new versions of so-called APIs (Application Programming Interfaces), and they regularly stop supporting old versions of these APIs (you can see the API versions at this Wikipedia entry about Android's version history). This means that on Android 10 and earlier, some features cannot be implemented, and fixes to apps are no longer possible. If you as an app developer want to update your app, you have to use new versions of the APIs which may make apps unusable. So a lot of fixes that were requested for the old 'eduroam CAT' app cannot be implemented because the API version is locked.
    
   The 'eduroam CAT' App is still the best way to set up eduroam on your Android phone if it is a phone with Android 4 to Android 7. Android 8 (Oreo), Android 9 (Pie) and Android 10 (Q) should preferably use the geteduroam app, but can still use the 'eduroam CAT' app. Android 11 and newer require the use of geteduroam.
    
7. It doesn't look like geteduroam worked because there are no details in the eduroam Wi-Fi connection? geteduroam uses what's called a profile, and this means that the details are not necessarily available in the Wi-Fi connection. If you set up your eduroam Wi-Fi connection manually, there is nothing else to manage it and thus the details are shown there. If you need to change the password or re-configure your eduroam connection after having set it up with geteduroam, you should use the geteduroam app again, provided that your organisation continues to provide a profile on the eduroam CAT website. 
    
8. geteduroam says it configured eduroam, but when I tap on my 'Eduroam' network, it asks me for a password! Why? The eduroam SSID is case-sensitive and must be all lower-case (i.e. 'eduroam'). If your organisation has set up an SSID called 'Eduroam' or 'EDUROAM' (or any other variation), please ask them to fix it because that breaches the eduroam technical specification (specifically, Section 4.8 in the UK version thereof).
    
   If the network was set up for test purposes, your organisation can temporarily add the non-compliant Wi-Fi SSID as an additional SSID in their profile on the CAT website so that it is also configured, but please note that this should not continue to be configured as a production network.
    
   Also, if you are visiting a location that advertises eduroam being available and the network SSID is not all lower-case, please report the location to us via help@jisc.ac.uk (mark it for eduroam UK's attention). We'll get in touch with the organisation that manages the location to have them fix it.
    
9. Why use the geteduroam app when I can just tap on the Wi-Fi network and connect to eduroam that way? eduroam is based on what is called enterprise Wi-Fi, or 802.1X. This requires a certificate, and to make sure that you only provide your username and password to the server that your organisation runs, you have to provide settings to tell your phone to only trust a certificate issued for the server your organisation runs.
    
   On iOS devices, this is not possible without either a so-called .mobileconfig profile (which is available from the eduroam CAT profile page for your organisation), or by setting it up with something like geteduroam. Simply connecting and providing a username and password is not enough because on iOS, the device takes what's called a fingerprint of the certificate issued for the server your organisation runs. It compares this fingerprint with the certificate it gets every time, and if it does not match, stops the authentication. While this sounds good, when your organisation changes their certificate, your eduroam authentication stops working permanently until you forget the network and then reconnect to it to get the new certificate fingerprint. That action leaves you open to potentially being fooled into giving another server your username and password (which is bad news - we issued an advisory in October 2021 on this here).
    
   On Android devices, something equivalent to the iOS .mobileconfig file does not exist, and you have to set up specific parameters when you connect to eduroam manually. There is one setting in particular that is often set but shouldn't be, because it allows something that is even worse than what happens on iOS. This setting is called the 'Do not validate certificate' option. When you select it, it effectively means that any server anywhere can claim to be the server your organisation runs, and your device will send it the username and password without checking whether it is true or not. The option no longer exists on most Android 11 phones (and definitely no longer exists in Android 12), so you have to be able to know which certificate authority issued the certificate that your organisation uses on their server. geteduroam makes this simple and straight-forward by setting it from information in the CAT profile that your organisation provides. 
    
   Windows is very similar to Android in that you have to provide specific details to be able to connect to eduroam manually, and the geteduroam app (on Windows 10) and the Windows installation executable (which you can download from the eduroam CAT profile webpage for your organisation) make this easy and straight-forward for you.
     
10. Using the geteduroam app on iOS 15 fails, but downloading the profile directly from the eduroam CAT website works. What gives? Unfortunately there was a bug in iOS 15 and iOS 15.1 that prevented apps (like geteduroam) from installing certificates in profiles like eduroam's. The file from the eduroam CAT website is an Apple Configurator profile (a .mobileconfig file), so that continued to work.
     
    Apple confirmed that this bug was fixed in iOS 15.2. Please upgrade your phone to iOS 15.2 and geteduroam should function as it did before you upgraded to iOS 15 or 15.1.
     
11. Trying to use geteduroam on Android 12 fails. It installs the profile but it won't authenticate! This worked before I upgraded to Android 12! Android 12 has become a lot stricter in its requirements without specifying what was changed. As part of our investigation into this, we discovered that Android 12 strictly applies the X.509 certificate specification (i.e. it will not apply any workarounds that have worked in past versions or with older operating systems), and it also blocks certificates signed with the obsolete SHA1 and MD5 hashing algorithms. 
     
    The eduroam EAP Server Certificate considerations page at the global eduroam Wiki specifies which settings the server certificate should (read, must) comply with. Your IT department can verify their server certificate with the command: openssl verify -x509_strict -verbose -CAfile <ca.certificate> <server.certificate>. An OK message means it will comply with the strict specification. Additionally, if you are from a UK organisation, your IT department can run a certificate check in the eduroam(UK) Support portal to check the server certificate against the considerations on the global eduroam Wiki.
     
    We are also happy to test your IT department's CAT profile on an Android 12 device we have access to to ensure it works. Your IT department can request this via our support portal.
     
12. You say in point 5. that geteduroam doesn't need anything other than the ability to read some files and write certificates out, so why does it ask for access to my photos and when I try to open PDFs it shows up as the default? Unfortunately some early versions of geteduroam on Android had file associations that were wrong. But because those versions are now 'frozen' because they targeted earlier versions of Android with APIs (see point 6.) that are no longer supported, they can not be fixed to remove the broken file associations. Be assured that the app does not read your photos or PDFs. The only files it needs to read are eapconfig files to be able to install the root certificate(s) within.
     
    You can however, if you are happy to download an updated Android app from outside the Google Play store, side-load an updated app. The link to such a side-loaded app will be published here once we have it.
     
13. So, I noticed that geteduroam is available on Windows, but my laptop won't let me download it and tells me to go to the Microsoft Store! What's going on? The chances are that you are running on Windows 10 or Windows 11 in what's called 'S-mode'. This is the default setting that Windows 10 and 11 are configured as when you buy a new laptop. Microsoft has an FAQ about S-mode here: https://support.microsoft.com/en-gb/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85
     
    Unfortunately, in S-mode, you are limited to running applications and executables that are from the Microsoft Store only. geteduroam is  currently not available in the Microsoft Store because of requirements that the app developers cannot meet at this stage. You will have to make a decision whether you would like to switch off S-mode or not. If you do not wish to switch S-mode off, I'm afraid we currently don't have a solution, but once we do, we'll publish it. Warning: Treat switching S-mode off with care, because once you have switched S-mode off, you cannot switch it back on!
     
14. When I tried to follow the advice of my university/college to download the 'CAT executable' for Windows, it asked me for an administrator account to be able to make changes. I don't have such an account (and my IT department won't give me one either)! Will geteduroam require the same or can I use geteduroam to configure my Windows laptop instead? The CAT installer executable for Windows that you can download from the eduroam CAT profile page for your university/college installs the root certificate for your university's eduroam server once for everyone. It will only require administrative privileges when the profile you install also includes the need to install a wired eduroam profile if your university/college chose that option. 
     
    geteduroam on the other hand only makes changes for you only, so if you are sharing your laptop, only when you log in will it connect to eduroam using your user details as provided/instructed by your university. If your friend or fellow student needs to use eduroam too, they must run geteduroam themselves and then set it up with their own account details. This should also mean that you are not responsible for anything your friend or fellow student does online when they've logged into their account on the laptop because they use their own eduroam account to log onto eduroam.
     
15. I try to use geteduroam on my new HONOR phone with Android 13 and it won't work! It complains about an invalid profile, but my college helpdesk says that no other Android 13 phone has this issue, what gives! The problem is not your phone per se, but it's not the eduroam CAT profile either. If the profile installs fine on other Android 13 phones, it appears that there is an issue with a Google Android API that Google wants developers to use now, but on the HONOR it fails for an unknown reason.
     
    At the time of this update, the newest version of geteduroam on Android, v2.0(678), has been tested on HONOR and Xiaomi phones (Xiaomi phones had similar issues) and it has been found to work. However, the experience will be different from version 1.x, in that the Wi-Fi settings portions will not display your information. This is because of an older API made available in Android 10 that does the same thing as the newer APIs but has a different end-user experience.
     
    Alternatively, download the previous version of geteduroam (you will need to temporarily give Chrome the ability to install apps) from APKPure here:
    https://apkpure.net/geteduroam/app.eduroam.geteduroam/download/1.0.16 - This will install version 1.0.16, which has been confirmed to still work on the HONOR phone. We're very sorry about that inconvenience; the geteduroam folks are looking into the issue to try and fix it as soon as they can!

Questions?

Do you have any questions about geteduroam? Do you have problems with it? If you do, please start at your local IT department helpdesk first. It might be something simple (like Wi-Fi coverage being broken), or something more extensive. Please help your IT department by providing them with this kind of information (to take screenshots, press Power and the Home button together on iOS, Power and the Volume Down button on Android):

• What device (phone, tablet, laptop) do you use? The make and the model will be very helpful.
• What version of operating system does it run? A screenshot can be very helpful:
  On iOS, you can look in the Settings under General, About for the Software Version.
  On Android, you can look in the Settings under About phone, Software Information. 
  On Windows, you should be able to look in the 'Help' menu under 'About' to get more information
• Which version of geteduroam are you running?
  On Android, go to Settings, then Apps, find 'geteduroam', tap it and scroll to the bottom.
  On iOS, go to General, iPhone Storage, search for 'geteduroam' and tap it. 
  On Windows, it will probably be an executable you had to download. 
• What did you try and do. Note each step down, or, if you can, take screenshots.
• Send all of this to your helpdesk. If they can't help, they will probably send it to us, which means we can look at the screenshots and see what might be the problem. 

Last words

We are here to help your university or college try to give you the best eduroam experience. If you find that eduroam doesn't work on your campus, tell your IT department who will investigate. And if they don't know what's broken, they come to us to check. Sometimes it's something simple, sometimes it's something more substantial.

But - we and your organisation are here to try and make your eduroam experience as good as possible because it's a useful service once set up correctly.