XenMobile

Wi-Fi device policy

You create new or edit existing Wi-Fi device policies in XenMobile by using the Configure > Device Policies page. Wi-Fi policies let you manage how users connect their devices to Wi-Fi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other WiFi-related details

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Prerequisites

Before you create a policy, be sure that you complete these steps:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

iOS settings

Image of Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. If an iOS device is already connected to another network, it won’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Use static MAC address: MAC addresses are unique identifiers a device transmits within a network. To increase privacy, iOS and iPadOS devices can use a different MAC address each time they connect to a network. If On, the device always uses the same MAC address when connecting to this network. If Off, the device uses a different MAC address every time it connects to this network. The default is Off.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise: Use of WPA-2 Enterprise requires that you configure the Simple Certificate Enrollment Protocol (SCEP). XenMobile can then send the certificate to the devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.
    • Any (Enterprise)

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, Any (Personal) settings for iOS

Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for iOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you choose Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and XenMobile.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time that users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term such as “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on users' devices when a certificate is untrusted. The default is On.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs. Only available for iOS 6.0 and later.

macOS settings

Image of Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hide network: Choose whether you want to hide the network.
  • Automatically join this wireless network: Choose whether the network is joined automatically. If a device is already connected to another network, it won’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise
    • Any (Enterprise)
  • Priority: If you have multiple networks, type a number in the Priority field to set the priority of the network connection. The device chooses the network with the lowest number.

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, WPA 2 Personal, Any (Personal) settings for macOS

  • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for macOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you select Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and XenMobile.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate you want to add. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
  • Use as a Login Window configuration: Choose whether to use the same credentials entered at the login window to authenticate the user.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.

Android settings

Image of Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Android Enterprise settings

Image of Wi-Fi Policy Android Enterprise

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Windows 10 and Windows 11 settings

Image of Device Policies configuration screen

  • Authentication: In the list, click the type of security to use with the Wi-Fi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA Enterprise
    • WPA-2 Enterprise: Use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables XenMobile to send the certificate to devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows 10 and Windows 11

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows 10 and Windows 11

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows 10 and Windows 11

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.
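
Several of the settings described on this page weaken a Wi-Fi profile when left at their documented defaults or set permissively: WEP or TKIP encryption, PAP as the inner authentication method, trust exceptions left On, no trusted certificate, and a real user name sent as the outer identity. The following Python check is an added example, not XenMobile code: the dictionary layout and key names are hypothetical stand-ins for the console fields, and the sample policies are constructed.

```python
# Added example: lint a Wi-Fi policy for weak choices among the settings above.
# The dict layout is hypothetical; keys paraphrase the console field labels.
BROKEN_SECURITY = {"None", "Open", "Shared", "WEP", "WEP Enterprise"}
ENTERPRISE = {"WEP Enterprise", "WPA/WPA2 Enterprise", "Any (Enterprise)",
              "802.1x EAP", "WPA-2 Enterprise"}


def audit_wifi_policy(policy):
    """Return a sorted list of finding codes for one policy dict."""
    findings = set()
    security = policy.get("security_type", "None")
    if security in BROKEN_SECURITY:
        findings.add("weak-security-type")        # no encryption, or WEP
    if policy.get("encryption") in {"WEP", "TKIP"}:
        findings.add("weak-encryption")           # TKIP is the Android default
    if security in ENTERPRISE:
        # The page documents On as the default for "Allow trust exceptions".
        if policy.get("allow_trust_exceptions", True):
            findings.add("user-can-accept-untrusted-server-cert")
        if not (policy.get("trusted_certificates") or policy.get("ca_certificate")):
            findings.add("no-trust-anchor")
        if policy.get("inner_authentication") == "PAP":
            findings.add("cleartext-inner-auth")  # PAP is the Android default
        user = policy.get("user_name", "")
        outer = policy.get("outer_identity", "")
        # Assumption: with no outer identity set, the real user name is sent.
        if user and (not outer or user.lower() in outer.lower()):
            findings.add("user-name-visible-in-outer-identity")
    return sorted(findings)


# Constructed sample policies (not taken from a real deployment).
PERMISSIVE = {
    "security_type": "WPA/WPA2 Enterprise", "accepted_eap_types": ["TTLS"],
    "inner_authentication": "PAP", "user_name": "alice@example.com",
}
HARDENED = {
    "security_type": "WPA/WPA2 Enterprise", "accepted_eap_types": ["TLS"],
    "allow_trust_exceptions": False,
    "trusted_certificates": ["Example Corp Wi-Fi CA"],
    "trusted_server_names": ["wpa.*.example.com"],
    "user_name": "alice@example.com", "outer_identity": "anonymous",
}

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit_wifi_policy(pol))
```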