Citrix Endpoint Management

Network device policy

The network device policy lets you manage how users connect their devices to Wi-Fi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other Wi-Fi related details

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Prerequisites

Before you create a policy, complete the following:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

iOS settings

Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hide network: Choose whether the network is hidden.
  • Automatically join this wireless network: Choose whether a device joins the network automatically. If a device is connected to another network, it doesn’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Disable captive network detection: The captive network assistant helps users access subscription or Wi-Fi hotspot networks, which you typically find in coffee shops, hotels, and other public locations. If On, devices can still connect to captive networks, but the user must open a browser and log in manually. The default is Off.
  • Use static MAC address: MAC addresses are unique identifiers a device transmits within a network. To increase privacy, iOS and iPadOS devices can use a different MAC address each time they connect to a network. If On, the device always uses the same MAC address when connecting to this network. If Off, the device uses a different MAC address every time it connects to this network. The default is Off.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2/WPA3 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2/WPA3 Enterprise: For the latest release of Windows 10, configure the Simple Certificate Enrollment Protocol (SCEP) to use WPA-2 Enterprise. Endpoint Management can then send the certificate to the devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.
    • Any (Enterprise)

    The following sections list the options you configure for each of the preceding connection types.

  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the connection routes through a proxy server, and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Host name or IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On.
  • Fast Lane QoS marking: If you don’t restrict QoS marking for a Wi-Fi network that supports Cisco Fast Lane QoS, all apps are allowed to use L2 and L3 marking. If you restrict QoS marking, specify the apps that can use L2 and L3 marking.
    • Enable QoS marking: If you restrict QoS marking, use this setting to disable it completely or to mark only certain apps. If Off, QoS marking is disabled entirely. If On, configure a list of apps that can use QoS marking. The default is On.
    • Allow Apple audio/video calling: Choose whether audio and video calling apps can use QoS marking. If Off, the quality of video and audio calls can suffer.
    • Allow specific apps: Add an app package ID to this list to allow the app to use QoS marking.
  • Hotspot 2.0 settings
    • Displayed operator name: The friendly name broadcast by the hotspot device. Users see this name in their list of available Wi-Fi networks.
    • Domain name: The domain name used for Hotspot 2.0 negotiation.
    • Allow connecting to roaming partner networks: If On, devices roaming off their home network can connect to partner networks.
    • Roaming Consortium Organization Identifiers (OI): Add a list of organization identifiers the device can access. A Roaming Consortium OI belongs to an organization with shared authentication methods. If the hotspot you configure isn’t available, the device connects to a Roaming Consortium OI listed here.
    • Network Access Identifier (NAI) realm names: Configure a list of realm names used to identify users to a roaming network. A NAI is transmitted in the form user@realm.
    • Mobile Country Codes (MCCs) and Mobile Network Configurations (MNCs): A Mobile Country Code consists of three digits that identify the country of a network. The Mobile Network Code consists of 2 or 3 unique digits. When used together, the MCC/MNC uniquely identifies a mobile network operator or carrier.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field. Not available for iOS.

WPA, WPA Personal, Any (Personal) settings for iOS

Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, WPA3 Enterprise, Any (Enterprise) settings for iOS

When you choose any of those security types, the EAP settings appear after the QoS settings.

Important:

If you select the WPA2 Enterprise security type, you must allow at least one EAP protocol.

  • Allowed EAP protocols: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • EAP-FAST with PAC: Choose whether to use protected access credentials (PACs).
    • If you choose Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time that users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term such as “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.

macOS settings

Device Policies configuration screen

  • Network: In the list, choose the network option you plan to use. The default is Wi-Fi.
    • Wi-Fi
    • Global Ethernet
    • First Active Ethernet
    • Second Active Ethernet
    • Third Active Ethernet
    • First Ethernet
    • Second Ethernet
    • Third Ethernet
  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hide network: Choose whether the network is hidden.
  • Automatically join this wireless network: Choose whether the network is joined automatically. If a device is already connected to another network, it doesn’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise
    • Any (Enterprise)

    The following sections list the options you configure for each of the preceding connection types.

  • Priority: For multiple networks, type a number to define the priority of the network connection. The device connects to the network with the lowest priority number first. Negative numbers are acceptable. The default is 0.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the connection routes through a proxy server, and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Host name or IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On.
  • Hotspot 2.0 settings
    • Displayed operator name: The friendly name broadcast by the hotspot device. Users see this name in their list of available Wi-Fi networks.
    • Domain name: The domain name used for Hotspot 2.0 negotiation.
    • Allow connecting to roaming partner networks: If On, devices roaming off their home network can connect to partner networks.
    • Roaming Consortium Organization Identifiers (OI): Add a list of organization identifiers the device can access. A Roaming Consortium OI belongs to an organization with shared authentication methods. If the hotspot you configure isn’t available, the device connects to a Roaming Consortium OI listed here.
    • Network Access Identifier (NAI) realm names: Configure a list of realm names used to identify users to a roaming network. A NAI is transmitted in the form user@realm.
    • Mobile Country Codes (MCCs) and Mobile Network Configurations (MNCs): A Mobile Country Code consists of three digits that identify the country of a network. The Mobile Network Code consists of 2 or 3 unique digits. When used together, the MCC/MNC uniquely identifies a mobile network operator or carrier.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or to the entire System. The default is User. This option is available only on macOS 10.7 and later.

WPA, WPA Personal, WPA 2 Personal, Any (Personal) settings for macOS

  • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for macOS

  • Connection mode: If On, choose the connection mode to use when the user joins the network. The default is Off.
    • System: If marked, the device uses the system credentials to authenticate the user. The default is cleared.
    • Login window: If marked, the device uses the same credentials entered at the login window to authenticate the user. The default is cleared.

When you choose any of those security types, the EAP settings appear after the QoS settings.

Important:

If you select the WPA2 Enterprise security type, you must allow at least one EAP protocol.

  • Allowed EAP protocols: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • EAP-FAST with PAC: Choose whether to use protected access credentials (PACs).
    • If you select Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • Use Active Directory authentication: Choose whether to enable Active Directory authentication. Available for macOS 10.7 and later. To make this option available, complete the following:
      • Set PEAP as the EAP protocol.
      • Set the profile scope to System. You can use this option only when you apply the policy to the entire system.
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate you want to add. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
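The Enterprise EAP settings above (the iOS section and this macOS section) carry several cross-field rules: an Enterprise security type needs at least one allowed EAP protocol, TTLS needs an inner authentication method, PEAP, TTLS, and EAP-FAST need an outer identity, and trusted server certificate names may use wildcards such as wpa.*.example.com. The following Python is an added example, not Citrix code: it validates a policy expressed as a hypothetical dictionary (the field names are assumptions, not the product's export format) and assumes that a wildcard matches exactly one DNS label.

```python
"""Validate the Enterprise Wi-Fi settings of a network device policy.

Added example (not Citrix code). The dictionary shape is hypothetical; the
checks encode the rules stated in the policy description: an Enterprise
security type needs at least one allowed EAP protocol, TTLS needs an inner
authentication method, and PEAP/TTLS/EAP-FAST need an outer identity.
"""
from __future__ import annotations

# Constructed sample: a WPA2 Enterprise network using TTLS with MSCHAPv2.
SAMPLE_POLICY = {
    "security_type": "WPA2 Enterprise",
    "allowed_eap_protocols": {"TTLS": True, "PEAP": False, "EAP-FAST": False, "TLS": False},
    "inner_authentication_ttls": "MSCHAPv2",
    "outer_identity": "anonymous",              # hides the real user name outside the tunnel
    "trusted_server_certificate_names": ["wpa.*.example.com"],
    "allow_trust_exceptions": False,            # users cannot accept an untrusted server cert
}

ENTERPRISE_TYPES = {"WEP Enterprise", "WPA Enterprise", "WPA2 Enterprise",
                    "WPA3 Enterprise", "Any (Enterprise)"}
TUNNELED_EAP = {"PEAP", "TTLS", "EAP-FAST"}  # methods that expose an outer identity


def server_name_matches(pattern: str, name: str) -> bool:
    """Match a server certificate name against a configured wildcard name.

    Assumption of this example: '*' stands for exactly one DNS label, so
    'wpa.*.example.com' matches 'wpa.eu.example.com' but not 'wpa.example.com'
    or 'wpa.a.b.example.com'. DNS names compare case-insensitively.
    """
    p_labels = pattern.lower().split(".")
    n_labels = name.lower().split(".")
    if len(p_labels) != len(n_labels):
        return False
    return all(p == "*" or p == n for p, n in zip(p_labels, n_labels))


def server_name_trusted(policy: dict, name: str) -> bool:
    """True if the presented server certificate name matches any configured name."""
    return any(server_name_matches(p, name)
               for p in policy.get("trusted_server_certificate_names", []))


def validate_policy(policy: dict) -> list[str]:
    """Return findings for an Enterprise policy; an empty list means it passes."""
    findings: list[str] = []
    if policy.get("security_type", "None") not in ENTERPRISE_TYPES:
        return findings  # None and Personal types have no EAP settings
    enabled = {m for m, on in policy.get("allowed_eap_protocols", {}).items() if on}
    if not enabled:
        findings.append("no EAP protocol is allowed for an Enterprise security type")
    if "TTLS" in enabled and not policy.get("inner_authentication_ttls"):
        findings.append("TTLS is enabled but no inner authentication method is set")
    if enabled & TUNNELED_EAP and not policy.get("outer_identity"):
        findings.append("PEAP/TTLS/EAP-FAST is enabled but no outer identity is set")
    if not policy.get("trusted_server_certificate_names"):
        findings.append("no trusted server certificate names: server identity is not pinned")
    if policy.get("allow_trust_exceptions", True):
        findings.append("allow trust exceptions is On: users can accept an untrusted certificate")
    return findings
```

Running `validate_policy` over an exported set of policies before assignment catches an Enterprise network that would fail to join for lack of an EAP method, and flags the defaults (no pinned server name, trust exceptions On) that leave clients exposed to a rogue RADIUS server.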

Android Enterprise settings

Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types. The default is Open.

Open, Shared settings for Android Enterprise

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.
  • Hide network: Choose whether the network is hidden.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.
  • Hide network: Choose whether the network is hidden.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hide network: Choose whether the network is hidden.

Android (legacy DA) settings

Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared (Android Enterprise only)
    • WPA (Android Enterprise only)
    • WPA-PSK (Android Enterprise only)
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.
  • Hide network: Choose whether the network is hidden.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.
  • Hide network: Choose whether the network is hidden.

802.1x settings for Android

  • EAP type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hide network: Choose whether the network is hidden.

Windows Desktop/Tablet settings

Device Policies configuration screen

  • Network name: The SSID seen in the list of available networks.
  • Authentication: In the list, click the type of security to use with the Wi-Fi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA Enterprise
    • WPA-2 Enterprise: For the latest release of Windows 10, configure SCEP to use WPA-2 Enterprise. SCEP configuration enables Endpoint Management to send the certificate to devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows 10 and Windows 11

  • Hide network: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows 10 and Windows 11

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Shared key: Provide the encryption key for the method you selected.
  • Hide network: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows 10 and Windows 11

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Hide network: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Enable SCEP?: Choose whether to push the certificate to user devices by using SCEP.
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.