Wi-Fi Configuration

  • Android
  • Windows
  • iOS
  • macOS

Wi-Fi settings

A Wi-Fi configuration sets up access to a wireless network.

A user can modify some of the Wi-Fi settings on the device. Depending on the device OS, the MDM server may or may not receive information about these changes. Therefore, configurations are not automatically re-pushed to the device to override the on-device configuration with the configuration on the server.

Procedure

  1. Go to Configurations > +Add.
  2. Select the Wi-Fi configuration.
  3. Enter a Name for the configuration.
  4. Enter a description.
  5. Configure the Wi-Fi settings as per the following descriptions.
  6. Click Next.
  7. (macOS only) In the Distribute page, select one of the following distribution options:
    • Device channel - the configuration is effective for all users on a device, which is the typical option.
    • User channel - the configuration is effective only for the currently registered user on a device.
  8. Select one of the following distribution options:
    • All Devices
    • No Devices (default)
    • Custom.
  9. Click Done.

The following table lists the Wi-Fi Settings:

Setting

What To Do

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Service Set Identifier (SSID)

Enter the name of the wireless network these settings apply to. This field is case sensitive.

Auto Join

Select if devices should automatically join the corresponding Wi-Fi network. If this option is not selected, device users must tap the network name on the device to join the network.

Hidden Network

Select this option if the network access is not broadcast.

Disable Captive Network Detection (iOS 10+)

Administrators can enable or disable Wi-Fi Captive bypass mode. When Apple detects the presence of a captive portal, it opens a login screen to request access. You can disable the detection of captive portals, requiring the user to manually launch a web browser which triggers the portal login of the captive network. This new setting is useful when an ISE captive portal prevents the login screen from popping up, leading users to believe that their unconnected devices are actually connected to the Internet.

Proxy Setup

Select Manual or Automatic to configure a proxy.

If you select Manual, then the following additional fields are available:

  • Server and Port: Enter the network address and port number for the proxy server.*

  • Authentication: Enter a valid user name if one is required for connecting to the proxy.*

  • Password: Enter a valid password if one is required for connecting to the proxy.

To remove the added host name, click on the 'minus' icon.

If you select Automatic, then the following additional field is available:

  • Proxy Server URL: Enter the fully-qualified URL for the proxy.

Security Type

Select the security method required for accessing the network:

  • Any (Personal)

  • Any (Enterprise)
  • WEP
  • WEP Enterprise
  • WPA

  • WPA Enterprise
  • WPA2
  • WPA2 Enterprise
  • WPA3
  • WPA3 Enterprise

WPA3/WPA3 Enterprise is applicable for iOS 13+.

Windows supports WPA, WPA Enterprise, WPA2, and WPA2 Enterprise.

WEP, WPA/WPA2/WPA3, Any (Personal) settings

Setting

What To Do

Password

(Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network.

WEP Enterprise, WPA/WPA2/WPA3 Enterprise, Any (Enterprise) settings

Setting

What To Do

Protocols

Accepted EAP Types

Select the EAP types that can be used for accessing this network:

  • TLS

  • TTLS - In the Inner Identity field, select one of the authentication protocols such as OS Default, PAP, CHAP, MSCHAP, MSCHAPv2, and EAP.

  • PEAP

  • LEAP (Not supported for AMAPI-enrolled devices)

  • EAP-SIM

  • EAP-AKA

  • EAP-FAST (Not supported for AMAPI-enrolled devices)

Windows Phone does not support multiple EAP types such as LEAP, EAP-SIM, EAP-AKA, and EAP-FAST. AMAPI currently supports only a single EAP type.

EAP-FAST

Select the EAP-FAST options that define the authentication methods:

  • Use PAC: Select to use a Protected Access Credential (PAC).

  • Provision PAC: Select to allow a PAC to be provisioned. Otherwise, only a PAC already provisioned on the device can be used. This option is available only if you selected Use PAC.

  • Provision PAC Anonymously: Select to allow a PAC to be provisioned without authenticating the server. This option is available only if you selected Provision PAC.

Authentication

Username

Specify the username required for network access. If you leave this blank, the device user will be prompted for it.*

Use Per-Connection Password

Select to prompt the device user for a password for each connection. When the device rejoins the same network, the device user will be prompted to reauthenticate to join the network. This option is not supported for AMAPI-enrolled devices.

Password

(Optional) Enter the password for accessing this network. Otherwise, the device user will be prompted for any password required for accessing the network.

Identity Certificate

(Optional) Select the certificate to use for the identity credential. The Identity Certificate configuration defines each available identity certificate.

Authentication Certificate (Available for Windows devices only)

Select one of the following three Certificate Stores to pick a certificate and connect to a Wi-Fi network: 

  • Machine or User: If this option is selected and the user is not logged in, the Authentication certificate will be picked from the machine store. If the user is logged in, the specific certificate will be picked from the user store.
  • Machine: If this option is selected, the Authentication certificate will be picked from the machine store.
  • User: If this option is selected, the Authentication certificate will be picked from the user store.

By default, the User option is selected.

Outer Identity

(Optional) For TLS, TTLS, PEAP, and EAP-FAST, select to allow device users to hide their identity. The user's actual name appears only inside the encrypted tunnel. This option can increase security because an attacker cannot see the authenticating user's name in the clear.

Domain

Supported when EAP type is TLS and TTLS.

Trust

Trusted Certificates (Not supported for AMAPI-enrolled devices)

Select the checkboxes to select multiple certificates from the list.

Trusted Server Certificate Names

Click + Add to enter the names of one or more trusted server certificates.

(Optional) Select Allow Trust Exceptions to allow trust decisions to be made by the user in a dialog window.

iOS and macOS

Setting

What To Do

All Versions

Network Type

Select if this network should be treated as:

  • standard
  • legacy hotspot
  • Passpoint

Proxy PAC fallback allowed

(Optional) Allows the device to connect directly to the destination if the PAC file is unreachable.

Setup Modes (Optional)

An array of strings that contain the type of connection mode to be attached.

  • System: Wi-Fi is connected before the user logs in to the device.

  • Login Window: Wi-Fi is available after the user logs in to the device.

    Currently, setup modes work only when both System and Login Window modes are enabled.

Passpoint Settings

The settings in this section appear if you selected Passpoint for the Network Type.

Domain Name

Enter the domain name to be used for Passpoint negotiation.

Connect to roaming partner Passpoint networks

(Optional) Select to allow connections to roaming service providers.

Roaming Consortium Organization Identifiers

(Optional) Enter the identifiers assigned by IEEE to the entities supported by this Wi-Fi profile.

Network Access Identifier Realm Names

(Optional) Enter the Network Access Identifier Realm names to be used for Passpoint negotiation.

MCC and MNC pair

(Optional) Enter the Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs to be used for Passpoint negotiation. Each string must contain exactly six digits.

Displayed operator name

(Optional) Enter the network operator name to display.

Cisco QoS fast lane

The settings in this section apply to Cisco fast lane configuration. Settings include Allowlisting apps for L2 and L3 marking, and whether to Allowlist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.

Restrict QoS marking

If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings.

Enable QoS marking

Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network.

Allowlist Apple audio/video calling

Specifies whether to Allowlist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.

Choose Apps

Use to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 marking.

iOS 10+

Cisco QoS fast lane

The settings in this section apply to Cisco fast lane configuration. Settings include Allowlisting apps for L2 and L3 marking, and whether to Allowlist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.

Restrict QoS marking

If unselected, then all apps will use L2 and L3 marking when the network supports Cisco QoS Fast Lane. If selected, then use the Choose Apps settings that appear to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 markings.

Enable QoS marking

Disables L3 marking and uses only L2 marking for traffic sent to the Wi-Fi network. When unselected, the system treats Wi-Fi as not associated with a Cisco QoS Fast Lane network.

Allowlist Apple audio/video calling

Specifies whether to Allowlist the audio and video traffic of built-in audio/video services such as FaceTime and Wi-Fi Calling.

Choose Apps

Use to add the apps that you would like included for L2 and L3 marking. All apps not selected will not use L2 and L3 marking.

iOS 10.3+ Supervised

Enable Wi-Fi Allowlisting

Determines which Wi-Fi networks the device is allowed to connect to. If multiple Wi-Fi configurations exist, the most restrictive will be applied.

iOS 14.0+

Disable MAC Address Randomization

In iOS 14.0, Apple changed the default behavior for a device reporting its Wi-Fi MAC address to report a random address for new connections instead of the device's actual Wi-Fi MAC address. As a result, this feature may cause unexpected behavior for enterprises using captive portals or filtering of MAC addresses.

Administrators can Disable MAC Address Randomization for a Wi-Fi network by editing the associated Wi-Fi configuration and turning on this option (by default, false). This will cause the Wi-Fi configuration to be re-pushed to all devices. This option displays a privacy warning in the device Settings indicating that the network has reduced privacy protections.

A device user can still manually turn this on or off through their device's settings.

Android 11+

MAC Address Randomization

  • Disabled: Wi-Fi is connected before the user logs in to the device.

  • Enabled - Auto: The Wi-Fi is available after the user logs in to the device.

  • Enabled - Non-persistent

  • Enabled - Persistent

Type $ to see a list of supported variables, if available, for this field.

For more information, see How to create a configuration.