Wi-Fi network priority for Android devices

Wi-Fi priority values do not work on Android devices running version 8 or higher.

Within the Ivanti EPMM user interface, you set the Wi-Fi network priority for Android devices in two places. First, set the Lockdown policy option for Android Wi-Fi devices; then set the Wi-Fi configuration. The Lockdown policy option “Always Connect Device to Managed Wi-Fi” ensures that Android devices proactively connect to the highest priority managed Wi-Fi network in range. By enabling this field in the Lockdown policy and using Wi-Fi priority settings, administrators can control which Wi-Fi network a device connects to. In addition, the Wi-Fi network configuration settings allow you to specify a direct or automatic Wi-Fi connection to a Wi-Fi proxy setting, increasing the network security of your Wi-Fi devices. Both the Wi-Fi network priority and the Always Connect Device to Managed Wi-Fi lockdown policy option apply to all Android devices.

With Always Connect Device to Managed Wi-Fi:

  • ENABLED: an Android device will always connect to the highest priority managed Wi-Fi network available, actively disconnecting from any unmanaged networks.
    • The Wi-Fi Priority value you set provides a preference for the highest priority network if multiple managed networks are available.
    • The connection to the managed Wi-Fi network is maintained as long as the signal is in range, even if a managed Wi-Fi network with a higher priority becomes available.
    • Exception: a newly received Wi-Fi configuration goes into effect after the current Wi-Fi connection disconnects.
  • DISABLED: an Android device will connect to the highest priority Wi-Fi network as determined by Android.

CAUTION: When Always Connect Device to Managed Wi-Fi is enabled in the Lockdown policy, the device actively connects to the managed Wi-Fi SSID with the highest priority. If there is an error in that Wi-Fi configuration, the device can lose Wi-Fi access.

When Always Connect Device to Managed Wi-Fi is enabled and a managed Wi-Fi network is in range, the user cannot override the Wi-Fi connection choice and cannot choose to connect to an unmanaged network.
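The selection rules above can be checked against a planned rollout with a small model. The following is an added example, not Ivanti code: the Network class, the function names and the sample SSIDs are constructed for illustration, every managed network is assumed to carry an explicit numeric priority, and the DISABLED case (where Android decides) is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Network:
    ssid: str
    managed: bool
    priority: int = 0  # 1 (lowest) to 100 (highest); used for managed networks only

def next_connection(current: Optional[Network], in_range: List[Network],
                    enforce: bool = True) -> Optional[Network]:
    """Network the device is on after one scan, per the documented rules."""
    if not enforce:
        return current  # DISABLED: Android chooses; left unchanged in this model
    managed = [n for n in in_range if n.managed]
    if not managed:
        # Assumption: with no managed network in range the user's choice stands.
        return current if current in in_range else None
    if current is not None and current.managed and current in in_range:
        # Sticky: the connection is kept while in range, even if a higher
        # priority managed network (or a newly received config) shows up.
        return current
    # Otherwise leave any unmanaged network for the highest priority managed one.
    return max(managed, key=lambda n: n.priority)

def simulate(start: Optional[Network], scans: List[List[Network]],
             enforce: bool = True) -> List[Optional[str]]:
    """Replay a sequence of scan results and return the SSID after each."""
    current, history = start, []
    for in_range in scans:
        current = next_connection(current, in_range, enforce)
        history.append(current.ssid if current else None)
    return history

# Constructed sample data: two managed networks and one unmanaged hotspot.
CORP = Network("CORP", True, 90)
GUEST = Network("GUEST-MGD", True, 10)
CAFE = Network("CAFE", False)
SCANS = [[CAFE, GUEST], [CAFE, GUEST, CORP], [CAFE, CORP], [CAFE]]

if __name__ == "__main__":
    print(simulate(CAFE, SCANS))
```

In the second scan the device stays on the lower priority managed network, which is the behaviour to plan for when a higher priority SSID is expected to take over only after a disconnect.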

Setting up enforced Wi-Fi network priority

First, set up the Lockdown policy to enable Always Connect Device to Managed Wi-Fi and apply the policy to the device.

Procedure

  1. Go to Policies & Configs > Policies.
  2. Select Add New > Lockdown.
  3. In the New Lockdown Policy dialog box, enter a Name.
  4. Scroll down to the Android section. For Always Connect Device to Managed Wi-Fi, select Enable.
  5. Fill out the rest of the Lockdown policy as needed.
  6. Select Save.
  7. Apply the policy to a label to assign it to the appropriate Android devices.

Next, provide values for network priority settings for all Wi-Fi configurations. From this menu, you can select a direct or automatic proxy server as well as specific servers to exclude.

In the Admin Portal:

  1. Go to Policies & Configs > Configurations.
  2. Select an existing Wi-Fi configuration, and select Edit in the right-side panel.
  3. Locate the Android Settings section in the dialog box.
  4. For Priority, enter a number between 1 (lowest priority) and 100 (highest priority), inclusive, or leave it blank (default priority).

    Devices use the priority that is provided when the Wi-Fi configuration is provisioned. Future changes to the priority value are not sent to the device.

  5. Select an optional Proxy Type that is supported on Android 8.0 or supported newer versions. Use the drop-down menu to select from the following options:
    1. None: This is the default value, indicating that no proxy server is specified.
    2. Direct: Select to specify a direct connection to a proxy server. After you make this selection, the menu expands and the following fields are displayed:

      Host Exclusions List: Select + to enter one or more domains of traffic that will not be proxied. This setting applies to the URL traffic, but it does not apply to the proxy server.

      Proxy Server: Enter the host name or IP address of a proxy server.

      Proxy Port: Specify a proxy server port.

    3. Auto: Select to specify an automatic connection to the proxy server. After you make this selection, the following field is displayed:

      PAC URL: Enter the proxy auto-config (PAC) URL of the Wi-Fi proxy server. The PAC URL provides a mapping of URLs that the software uses to locate the proxy server automatically.

  6. Select Save.

    The Wi-Fi configuration is now pushed to all devices that have the configuration’s labels applied. The Priority designation applies to both newly provisioned and previously provisioned network settings.

  7. Apply the Wi-Fi configurations to a label to assign them to the appropriate devices.

When the Wi-Fi configuration and the Lockdown policy as described are applied to a device, the highest priority Wi-Fi network is enforced.

Android 10 specific Wi-Fi settings

On Android 10 devices or supported newer versions, upon installation or upgrade, device users can configure Wi-Fi and location settings in specific modes.

Note the following:

  • For all modes of deployment, to enable Wi-Fi and MTD configurations to be successfully applied, the Allow the user to turn on location sharing lockdown field must be selected.
  • Administrators will not be able to disable Wi-Fi through UEM configurations in Work managed device mode and Device Administrator mode on Android 10 devices.
  • Administrators are required to leave in all modes of deployment to enable Wi-Fi and MTD configurations to be successfully applied.

Wi-Fi configuration now requires end users to allow location services on the device. The behavior changes in different configuration modes and is documented in the table below.

Table 44.  Android 10 Wi-Fi Settings

Item: (Android Enterprise) Work Profile mode

Description: Device users are requested to activate location for the device and for the Managed Profile. In order for administrators to update Wi-Fi and to have Mobile Threat Defense detect Wi-Fi-based threats, device users must activate location. If the device user chooses No, the device will be flagged with an unblocking error for non-compliance and Ivanti EPMM will report a configuration error.

Item: (Android Enterprise) Work Managed Device mode; Managed Device with Work Profile (COPE)

Description: In the background, Ivanti EPMM will programmatically turn on the location services setting without device user intervention. Wi-Fi and MTD configurations should be successful with no errors.

If there is no MTD configuration or Wi-Fi configuration, the device user can switch location service on or off.

Item: Device Administrator (DA) Mode

Description: Wi-Fi configurations will not be supported and will show as Sent on the server with config error. MTD configurations will still be accepted for non-network threats, but the Wi-Fi related threats will not work for Device Administrators and MAM.

Item: Kiosk Mode

Description: A configuration that lets users enable/disable Wi-Fi but not connect to any other Wi-Fi network is not supported. Options available to administrators are:

  • Scenario 1: Administrators wanting users to enable/disable Wi-Fi and connect to any available Wi-Fi will need to have the below settings in Kiosk.
    • Lockdown settings > Allow Wi-Fi (de-selected)
    • Lockdown settings > Allow Wi-Fi to be configured (de-selected)
    • Kiosk Mode Settings > Allow users to Access Wi-Fi Settings (selected)
  • Scenario 2: Administrators wanting to block users from any Wi-Fi controls.
    • Lockdown Settings > Allow Wi-Fi (selected)
    • Lockdown Settings > Allow Wi-Fi to be configured (selected)