gfaust_mudd t1_iy3q0xh wrote

Profiles are installed so the IT department can push install their crap onto your product. Only reason this would happen is if your device is school property, otherwise very unethical.

47

pacoii t1_iy3rhe7 wrote

Unless the school is requiring them to use their Wi-Fi, why is it unethical? Most employers will require a similar Profile when using a personal device on a corporate network, for security purposes.

16

Conscious_Inside6021 t1_iy3rpwy wrote

Your Schulen is spyen on you

Edit: I have no idea why people are replying with a crying face emoji and at this point I'm too scared to ask

469

Draces89 t1_iy3s2lz wrote

This looks like an 802.1X certificate. The authentication endpoint (RADIUS) is secured by this. The only bad thing is the "Not signed".

It looks like an endpoint certificate for a RADIUS server for 802.1X authentication. We use that at our schools too. The only thing that isn't so great is probably the "not signed".

137

gfaust_mudd t1_iy3sita wrote

Wi-Fi is password protected and you agree to terms if/when you log into it. Profiles can allow unrestricted access and are generally used in managed environments. I’m yet to see a company that uses this method vs VPN for personal device use. And note I’m not talking about a phone your company provides you, I’m talking about your phone on their networks

−10

[deleted] t1_iy3tpf6 wrote

It looks like a wifi cert

1

[deleted] t1_iy3vl62 wrote

This is right wing or uneducated propaganda. Profiles are to protect a company's information and do not give the company unrestricted access to the phone. Yes they are able to push software or wifi certificates to the phones but they are not able to see everything on your phone. Saying this is “unethical” is just flat out wrong.

−16

gfaust_mudd t1_iy3waze wrote

I don’t know what schools use for managing these things and I’m sure there are many..my experience with enterprise software using Casper is what I base my comments on. I don’t see what politics have to do with this.

6

ea0n t1_iy3we0v wrote

found the swiss person

−3

BananaBaconFries t1_iy3yt90 wrote

I don't understand/speak German(?) But common reasons why certificates are installed on a computer, mobile device etc. are to skip the certificate error a user encounters or to allow the device to "present" itself to a network device when attempting to use it; such use cases are:

  1. Decryption: They are inspecting your traffic; like the actual data (payload); many security products do this. This allows said products to inspect/protect you. HOWEVER, highlighting that this allows your school to see your data. (This is actually a MiTM (Man-in-the-Middle attack) if it was not coming from a trusted source.)
  2. Authentication: Certificate-based client authentication; could be used for RADIUS or client authentication

I'm also reading that it is unsigned? This is actually normal; these tend to be self-signed certificates (SSC). Since basically you are trusting a Root CA Certificate (this is a whole other level of discussion which I won't get into detail on).

Considering I can see the word WLAN in there; it's likely used for Authentication, i.e., to allow you to connect to your school's WiFi; could be using EAP-TLS since they are using certificates.

-Source: Working as a Systems Engineer specializing in this stuff

-Recommendation: Just take note you've installed said certificate; don't forget to delete it after your term ends there at your school. Also install it only on devices you actually use for school, e.g., if you just want to connect your phone to get free internet and not use it to access school resources, then don't do it

EDIT: I am assuming your iPhone is school owned, like you work at that school? If this is a personal device; tbh I would not install it, trusting a certificate is a major consideration when installing it on a personal device and is honestly a breach of your own personal privacy (especially considering your school IT likely did not tell you what its purpose is since you asked it here in this reddit)

276

ISHx4xPresident t1_iy40kqb wrote

Aside from the back and forth in the comments, if it’s your personal device, you probably shouldn’t install any profiles. Under no circumstances, outside of maybe government and the likes, is it ethical to agree your personal devices to anything beyond required passcode, encryption and, if it’s the nature of where you work, audits of the device or device’s security.

If they want access to push software or have any control of the device, they need to provide the device to do that with.

−5

elislider t1_iy45bst wrote

It’s a wifi cert likely so your phone can more easily connect you to the schools wifi network. If you click “more details” it will tell you what it can do

21

PADFTGW t1_iy45buw wrote

That it is common, won’t say it’s normal to do. They can get full access to your device by such profiles. You'd better use your own mobile provider to access the internet instead of the company WiFi. Even without an installed profile they can track all your internet traffic.

5

gnulynnux t1_iy46tru wrote

This is definitely not right-wing propaganda, where are you getting that?

Seriously, I'm a "terminally online" leftist and I can't imagine an interpretation where "don't install self-signed root CAs to your personal device" is right-wing propaganda. I think you're wrong here, but I'm genuinely curious about how you arrived at this conclusion.

Installing a root CA to your personal device breaks a lot of security assumptions. I assume Apple has carved out an exception for their own updates and app installs, because a root CA would feasibly allow them to "see everything on your phone". As it stands, a root CA only allows them to intercept and modify everything in the network data.

That said, I don't speak German(?) well-enough (or use iPhones enough) to know if this is indeed a self-signed root CA.

5

cyberentomology t1_iy496do wrote

Since it says right there that it’s for the WLAN, that’s going to be required to authenticate to the wi-fi.

2

SamanthaJaneyCake t1_iy49sy9 wrote

Wifi certificate (WLAN cleared up any doubt about that). Essentially it’s to allow your phone to connect to the school wifi without having to log in through their portal each time.

42

praggy97 t1_iy4a656 wrote

I also have 3 certificates like this installed, my company mandates it to use the company Zoom and Outlook. iPhone doesn’t have something like Android where there is a separate work profile that can be triggered

1

cyberentomology t1_iy4a96y wrote

Certificate authentication to access enterprise Wi-Fi networks is extremely common. Products like ClearPass exist for this exact use case. The “password” for a WiFi network (pre shared key) is an encryption key, not an authentication or authorization method, and is only typically used on small-scale personal networks.

This is completely separate from VPN which allows remote secured access to internal company networks. Certificate authentication to the network provides authentication, authorization, and accounting, as well as robust encryption of the wireless link.

2

viewerx3 t1_iy4cfgx wrote

What I would like to know is, do these certificates pose a privacy risk? Can they be used to track activity (such as what you search behind a VPN)? Or is it just for user authentication?

What features or information does the school IT gain by having their users install these web certificates?

2

AquWire t1_iy4dvke wrote

Nothing at all goes onto private devices. No matter how much they insist!

Looks like access credentials for Wi-Fi.

2

ctaetcsh t1_iy4ebti wrote

If there is an SSL certificate in there then yes it would allow the school IT department to monitor HTTPS traffic. However, as a VPN encrypts your traffic, they wouldn’t be able to monitor it.

As for why, many areas have laws requiring schools to filter internet traffic. Many of these systems have block pages that tell you why the page you tried to access was blocked. However, because of HTTPS, these block pages cause the browser to throw an HTTPS error because the certificate it received was invalid. Adding this cert will allow the block page to show without an error (but that's speculation on my part). I use NextDNS for personal filtering of ad domains and the like and because I have a block page enabled, I need to install their certificate so it shows up without an HTTPS error.

1

Lukinator6446 t1_iy4h980 wrote

So I'm assuming you're at the Gymi, because our WLAN has exactly the same name. This seems to be a certificate so that you can connect to the school Wi-Fi more easily.

4

tbone338 t1_iy4hy36 wrote

Do not install it on your personal device. By installing it, you’re giving them access to what your phone does on the wifi. It’s their way of monitoring you

8

ctaetcsh t1_iy4i7jx wrote

Yeah it’s not hard at all with most setups, especially on personal devices. My school used a system that just acted as a DNS sinkhole if you didn’t have the Chrome extension so using my own EDNS got around that.

1

Thecardinal74 t1_iy4ivaz wrote

do you want to connect to the school's wifi or not?

11

House-of-Suns t1_iy4k8lt wrote

Yeah this 100%. Sysadmin in a UK school here. Our older students have a “Bring Your Own Device” WiFi network so they can use their own devices in school, however due to mandatory safeguarding requirements in UK schools that web usage must still be filtered and monitored. Perhaps Germany have similar requirements? Regardless, I agree it’s totally on the IT to let people know what they’re doing, particularly with their own devices.

58

aberdoom t1_iy4o861 wrote

Did you consider asking?

4

zerbey t1_iy4ovsu wrote

Your school is most likely using SSL Decryption to intercept either all (bad implementation) or some https sites. The most common reason a school would do this is to enforce keyword blocks and you can also do things like force safe search on Google and block GMail from external non school accounts.

Without the certificate you'll get SSL errors on any page they're monitoring.

2

PHILIPTNT t1_iy4qako wrote

I never installed things on my personal devices that my school told me to. I don’t trust the softwares they give us

1

Longtime_Iurker t1_iy4raqp wrote

That is a network profile so that your school's IT department can see your network activity (e.g. what you google). With it they can more easily attribute activity to each student and block objectionable websites. Also, you then don't have to log in to the internet portal every time. Honestly, though, it seems a bit suspect to me, since you can't know exactly which data they collect or whether they also collect data from you when you're not connected to the school WLAN. If I were you, I wouldn't install it, even if I then have no access to the school WLAN. My privacy is more important to me.

2

sanjay_82 t1_iy4s2yj wrote

Self-created certificate, that's why you're seeing this, the school didn't want to buy a proper cert

2

rogerhub t1_iy4t7z9 wrote

This help article says certificates aren’t trusted for SSL if they come from manually installed profiles, unless you explicitly enable trust. If this is true, I’m guessing that there’s no privacy issue with installing the profile, and the only effect it should have is enabling EAP login to access the wifi.

4

jjeroennl t1_iy5g83p wrote

I’m pretty sure it’s illegal in the European Union, if your employer requires this they will need to provide the phone, laptop or tablet. It's also not allowed for employers to make you install an app on your personal phone for example.

It's even more not allowed to monitor network traffic, then you will be violating both employee rights and the GDPR.

Dutch source: https://www.everphone.com/nl/blog/scheiden-van-gegevens-bij-mobiele-telefoon-van-de-zaak/

1

SoggyDoggyiPhone8 t1_iy61ld2 wrote

It is prob a VPN so the school can see your search history and block inappropriate websites.

1

pwndfu t1_iy6c9sv wrote

tracking and pushing bloatware most likely

2

UnderstandingNo5785 t1_iy6dgl8 wrote

It’s to spy on you while on their wifi. Make sure you're not doing no no business

1

rdejesus486 t1_iy74gwh wrote

It just looks like Wi-Fi profiles so you can connect to the SSID at your school.

1

WarriorA t1_iy7a0it wrote

What you installed is a Profile. Profiles can contain certificates (in this case 2) but can also include other permissions. Often used for MDM to access and maintain devices. It’s probably fine, but this is not just a certificate like others claim

1
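Added example, not part of any comment in this thread: since a profile can carry Wi-Fi settings, certificates, VPN or MDM payloads, one way to check what an unsigned `.mobileconfig` actually contains before installing it is to read its property list and list the payload types. The payload type strings and Wi-Fi keys are Apple's documented ones; the sample profile, SSID and UUID below are constructed placeholders, and `summarize_profile` is a hypothetical helper name.

```python
import plistlib

# Constructed sample: an unsigned profile with one CA certificate payload and
# one Wi-Fi payload. Names, SSID and UUID are placeholders, not from the thread.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example School WLAN",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadUUID": "CERT-UUID-PLACEHOLDER",
         "PayloadDisplayName": "Example RADIUS CA"},
        {"PayloadType": "com.apple.wifi.managed",
         "SSID_STR": "EXAMPLE-WLAN",
         "EncryptionType": "WPA2",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [25],  # 25 = PEAP, 13 = EAP-TLS
             "PayloadCertificateAnchorUUID": ["CERT-UUID-PLACEHOLDER"]}},
    ],
})

# Apple payload types most relevant to the question in this thread.
MEANING = {
    "com.apple.wifi.managed": "Wi-Fi network settings",
    "com.apple.security.root": "CA certificate",
    "com.apple.security.pkcs1": "certificate",
    "com.apple.security.pkcs12": "identity certificate with private key",
    "com.apple.vpn.managed": "VPN configuration",
    "com.apple.mdm": "MDM enrollment (remote management)",
}

def summarize_profile(data: bytes) -> list[str]:
    """Return one description line per payload in an unsigned .mobileconfig."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_ids = {p.get("PayloadUUID") for p in payloads
                if p.get("PayloadType", "").startswith("com.apple.security.")}
    lines = []
    for p in payloads:
        ptype = p.get("PayloadType", "unknown")
        line = f"{ptype}: {MEANING.get(ptype, 'other payload, review manually')}"
        if ptype == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
            # Certificates referenced here are the trust anchors for the RADIUS server.
            line += f" | SSID={p.get('SSID_STR')} | EAP anchors={sorted(anchors & cert_ids)}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(summarize_profile(SAMPLE_PROFILE)))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it; this sketch covers only the unsigned case.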

Mc_Master_Mummy t1_iy7di32 wrote

This certificate should allow you to connect to it, no clue why you need a certificate for it but it may be standard in Germany. I’m from the US so I don’t know what’s standard there. The certificate would probably track network traffic to make sure you aren’t doing sketchy stuff on their Wi-Fi.


2

BananaBaconFries t1_iy7usbj wrote

You should only be concerned if the certificate is used for decryption (as I mentioned).

But let's assume that it is; UNLESS you're using a VPN Software provided by your IT (which basically routes your traffic to them) you shouldn't be concerned about it.

A lot of managed devices enforce VPN connectivity to the company's network thus allowing inspection. We can even implement enforced VPN connectivity in which your computer CAN'T connect to the internet if you somehow turn off your VPN to your company (despite your WiFi having no issues).

TL;DR:

  1. If you're using mobile data with no VPN Software provided by your company - they won't be able to see your traffic
  2. If you're using mobile data WITH VPN software running provided by your company - then LIKELY they are seeing your traffic (even without decryption, your DNS queries are quite visible so they know which websites you go to at least)

2

Separate-Eye5179 t1_iy8tcoh wrote

Yes iPhones have work profiles. It’s under the “profiles” section in control centre and is called “work”. You can customise the notifications you receive and what apps are visible. Been on iPhones since early 20219

1