Citrix Endpoint Management

Wi-Fi device policy

The Wi-Fi device policy lets you manage how users connect their devices to Wi-Fi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other Wi-Fi related details

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Prerequisites

Before you create a policy, complete these steps:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

iOS and tvOS settings

Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. If a device is already connected to another network, it doesn’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Disable Captive Network Detection: The captive network assistant helps users access subscription or Wi-Fi Hotspot networks. You typically find these networks in coffee shops, hotels, and other public locations. If On, devices can still connect to captive networks, but the user must open a browser and log in manually. The default is Off.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2/WPA3 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2/WPA3 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. Endpoint Management can then send the certificate to devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.
    • Any (Enterprise)

    The following sections list the options you configure for each of the preceding connection types.

  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the Wi-Fi connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On.
  • Fast Lane QoS marking: If you don’t restrict QoS marking for a Wi-Fi network that supports Cisco Fast Lane QoS, all apps are allowed to use L2 and L3 marking. If you restrict QoS marking, specify the apps that can use L2 and L3 marking.
    • Enable QoS marking: If you restrict QoS marking, use this setting to disable it completely or only mark certain apps. If Off, you disable QoS marking entirely. If On, configure a list of apps that can use QoS marking. The default is On.
    • Whitelist Apple audio/video calling: Choose whether audio and video calling apps can use QoS marking. If Off, the quality of video and audio calls can suffer.
    • Whitelist specific apps: Add an app package ID to this list to allow the app to use QoS marking.
  • Hotspot 2.0 settings
    • Displayed operator name: The friendly name broadcast by the Hotspot device. Users see this name in their list of available Wi-Fi networks.
    • Domain name: The domain name used for Hotspot 2.0 negotiation.
    • Allow connecting to roaming partner networks: If On, devices roaming off their home network can connect to partner networks.
    • Roaming Consortium Organization Identifiers (OI): Add a list of organization identifiers the device can access. A Roaming Consortium OI belongs to an organization with shared authentication methods. If the Hotspot you configure isn’t available, but the device can access a network with a Roaming Consortium OI listed here, the device connects to that network.
    • Network Access Identifier (NAI) realm names: Configure a list of realm names used to identify users to a roaming network. A NAI transmits in the form user@realm.
    • Mobile Country Codes (MCCs) and Mobile Network Configurations (MNCs): A Mobile Country Code consists of three digits that identify the country of a network. The Mobile Network Code consists of 2 or 3 unique digits. When used together, the MCC/MNC uniquely identifies a mobile network operator or carrier.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field. Not available for iOS.
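
The Hotspot 2.0 identifiers and the proxy settings above are easy to get subtly wrong (a realm typed as user@realm, a two-digit MCC, a PAC file served over plain HTTP). The following is an added example, not Citrix code, that checks a policy expressed as a plain dict against the rules stated on this page. The dict keys are my own names, the 3- or 5-octet length assumed for a Roaming Consortium OI comes from IEEE 802.11u rather than from this page, and the sample values are constructed.

```python
# Added example (not Citrix code): sanity checks for the Hotspot 2.0 and proxy
# fields of a Wi-Fi policy. The dict keys used here are assumed names.
import re
from urllib.parse import urlparse

MCC_RE = re.compile(r"^[0-9]{3}$")       # Mobile Country Code: exactly three digits
MNC_RE = re.compile(r"^[0-9]{2,3}$")     # Mobile Network Code: two or three digits
# Roaming Consortium OIs are hex strings; the 3- or 5-octet length (6 or 10 hex
# digits) is an assumption taken from IEEE 802.11u, not from this page.
OI_RE = re.compile(r"^(?:[0-9A-Fa-f]{6}|[0-9A-Fa-f]{10})$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_realm(realm: str) -> bool:
    """A NAI realm is the part after '@' in user@realm: DNS-style labels only."""
    if not realm or "@" in realm or len(realm) > 253:
        return False
    return all(LABEL_RE.match(label) for label in realm.split("."))


def validate_hotspot20(cfg: dict) -> list:
    """Return a list of findings; an empty list means the Hotspot 2.0 fields are sane."""
    findings = []
    domain = cfg.get("domain_name", "")
    if not domain:
        findings.append("domain_name is required for Hotspot 2.0 negotiation")
    elif not is_valid_realm(domain):
        findings.append(f"domain_name is not a valid DNS name: {domain!r}")
    for oi in cfg.get("roaming_consortium_ois", []):
        if not OI_RE.match(oi):
            findings.append(f"roaming consortium OI is not 6 or 10 hex digits: {oi!r}")
    for realm in cfg.get("nai_realm_names", []):
        if not is_valid_realm(realm):
            findings.append(f"NAI realm must be a bare realm, not user@realm: {realm!r}")
    for mcc, mnc in cfg.get("mcc_mnc_pairs", []):
        if not (MCC_RE.match(mcc) and MNC_RE.match(mnc)):
            findings.append(f"bad MCC/MNC pair: {mcc!r}/{mnc!r}")
    if cfg.get("allow_roaming_partners") and not cfg.get("roaming_consortium_ois"):
        findings.append("roaming to partner networks is On but no consortium OI limits which ones")
    return findings


def validate_proxy(cfg: dict) -> list:
    """Check the None / Manual / Automatic proxy settings described on the page."""
    findings = []
    mode = cfg.get("proxy_configuration", "None")
    if mode == "None":
        return findings                      # nothing further to configure
    if mode == "Manual":
        if not cfg.get("proxy_host"):
            findings.append("Manual proxy needs a host name or IP address")
        port = cfg.get("proxy_port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append("Manual proxy port must be an integer from 1 to 65535")
        if cfg.get("proxy_password") and not cfg.get("proxy_user"):
            findings.append("proxy password given without a user name")
    elif mode == "Automatic":
        url = urlparse(cfg.get("pac_url", ""))
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append("Automatic proxy needs an http(s) URL for the PAC file")
        elif url.scheme == "http":
            findings.append("PAC file is fetched over plain HTTP and cannot be integrity-checked; use https")
        # Page default for 'Allow direct connection if PAC is unreachable' is On.
        if cfg.get("pac_fallback_direct", True):
            findings.append("direct connection allowed if PAC is unreachable (default On); turn Off if all traffic must use the proxy")
    else:
        findings.append(f"unknown proxy_configuration {mode!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample policy, not from any real deployment.
    sample = {"domain_name": "example.com", "roaming_consortium_ois": ["004096"],
              "nai_realm_names": ["example.com"], "mcc_mnc_pairs": [("310", "260")],
              "allow_roaming_partners": True, "proxy_configuration": "Automatic",
              "pac_url": "http://proxy.example.com/proxy.pac"}
    for line in validate_hotspot20(sample) + validate_proxy(sample):
        print("finding:", line)
```

Run it against the exported fields of a policy before assigning it to a delivery group; every finding is something a user would otherwise discover only when the device fails to join or silently falls back to a direct connection.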

WPA, WPA Personal, Any (Personal) settings for iOS

Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, WPA3 Enterprise, Any (Enterprise) settings for iOS

When you choose any of these security types, their settings appear after the Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you choose Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time that users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term such as “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
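
The enterprise settings above decide whether a device can tell a legitimate RADIUS server from an impostor: the trusted certificates and trusted server names pin the server identity, the outer identity decides what is visible before the TLS tunnel is up, and Allow trust exceptions (On by default) lets the user override a failed check. The following is an added example, not Citrix code, that lints such a policy for the weak combinations. The field names are my own; the wildcard rule (a `*` stands for exactly one DNS label) is an assumption, since the page only gives wpa.*.example.com as a pattern and does not state how far a wildcard reaches.

```python
# Added example (not Citrix code): lint the enterprise (802.1X / EAP) settings of
# a Wi-Fi policy for common misconfigurations. Field names are assumed.
from dataclasses import dataclass, field
from typing import List

TUNNELED_EAP = {"PEAP", "TTLS", "EAP-FAST"}   # EAP types that carry an outer identity


def server_name_matches(pattern: str, name: str) -> bool:
    """Match a trusted server certificate name such as wpa.*.example.com.

    Assumption: '*' stands for exactly one DNS label; comparison is
    case-insensitive. Check your platform's actual wildcard semantics.
    """
    p_labels = pattern.lower().split(".")
    n_labels = name.lower().split(".")
    if len(p_labels) != len(n_labels):
        return False
    return all(p == "*" or p == n for p, n in zip(p_labels, n_labels))


@dataclass
class EnterpriseWifi:
    eap_types: List[str]                          # enabled types; page default is Off for all
    user_name: str = ""
    outer_identity: str = ""
    ttls_inner_auth: str = "MSCHAPv2"             # page default
    trusted_certificates: List[str] = field(default_factory=list)
    trusted_server_names: List[str] = field(default_factory=list)
    allow_trust_exceptions: bool = True           # page default
    eap_fast_anonymous_provisioning: bool = False


def lint_enterprise(cfg: EnterpriseWifi) -> List[str]:
    """Return findings a reviewer would raise; empty list means nothing flagged."""
    findings = []
    if not cfg.eap_types:
        findings.append("no EAP type enabled (all default to Off); the profile cannot authenticate")
    if not cfg.trusted_certificates and not cfg.trusted_server_names:
        findings.append("no trusted certificate or server name: devices cannot verify the RADIUS server identity")
    if cfg.allow_trust_exceptions:
        findings.append("Allow trust exceptions is On: users can accept an untrusted server certificate")
    tunneled = TUNNELED_EAP & set(cfg.eap_types)
    if tunneled:
        if not cfg.outer_identity:
            findings.append(f"{sorted(tunneled)} enabled but outer identity is empty; the real user name is visible before the tunnel is built")
        elif cfg.outer_identity == cfg.user_name:
            findings.append("outer identity equals the user name; use a generic value such as 'anonymous'")
    if "TTLS" in cfg.eap_types and cfg.ttls_inner_auth == "PAP":
        findings.append("TTLS inner authentication is PAP: the password is plaintext inside the tunnel, so server validation is essential")
    if "EAP-FAST" in cfg.eap_types and cfg.eap_fast_anonymous_provisioning:
        findings.append("anonymous PAC provisioning is On: the device cannot authenticate the server during provisioning")
    for pat in cfg.trusted_server_names:
        if pat.startswith("*.") and pat.count(".") < 2:     # e.g. '*.com'
            findings.append(f"trusted server name {pat!r} matches far too many hosts")
    return findings


if __name__ == "__main__":
    # Constructed sample policy, not from any real deployment.
    policy = EnterpriseWifi(eap_types=["PEAP"], user_name="alice", outer_identity="anonymous",
                            trusted_certificates=["corp-root-ca"],
                            trusted_server_names=["radius.*.example.com"],
                            allow_trust_exceptions=False)
    print(server_name_matches("radius.*.example.com", "radius.eu.example.com"))  # True
    for line in lint_enterprise(policy):
        print("finding:", line)
```

The point of the server-name matcher is to show why the pattern should be as narrow as the deployment allows: a pattern that matches only the real RADIUS hosts, together with the CA that issued their certificates and Allow trust exceptions set to Off, is what stops a device from handing its credentials to any access point that merely broadcasts the same SSID.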

macOS settings

Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. If a device is already connected to another network, it doesn’t join this network. The user must disconnect from the previous network before the device automatically connects. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise
    • Any (Enterprise)

    The following sections list the options you configure for each of the preceding connection types.

  • Priority: For multiple networks, type a number to define the priority of the network connection. The device chooses the network with the lowest priority number. Negative numbers are acceptable. The default is 0.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the Wi-Fi connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On.
  • Hotspot 2.0 settings
    • Displayed operator name: The friendly name broadcast by the Hotspot device. Users see this name in their list of available Wi-Fi networks.
    • Domain name: The domain name used for Hotspot 2.0 negotiation.
    • Allow connecting to roaming partner networks: If On, devices roaming off their home network can connect to partner networks.
    • Roaming Consortium Organization Identifiers (OI): Add a list of organization identifiers the device can access. A Roaming Consortium OI belongs to an organization with shared authentication methods. If the Hotspot you configure isn’t available, but the device can access a network with a Roaming Consortium OI listed here, the device connects to that network.
    • Network Access Identifier (NAI) realm names: Configure a list of realm names used to identify users to a roaming network. A NAI transmits in the form user@realm.
    • Mobile Country Codes (MCCs) and Mobile Network Configurations (MNCs): A Mobile Country Code consists of three digits that identify the country of a network. The Mobile Network Code consists of 2 or 3 unique digits. When used together, the MCC/MNC uniquely identifies a mobile network operator or carrier.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.

WPA, WPA Personal, WPA 2 Personal, Any (Personal) settings for macOS

  • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for macOS

When you choose any of these security types, their settings appear after the Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you select Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate you want to add. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.

  • Connection mode: If On, choose the connection mode to use when the user joins the network. The default is Off.
    • System: If marked, the device uses the system credentials to authenticate the user. The default is cleared.
    • Login window: If marked, the device uses the same credentials entered at the login window to authenticate the user. The default is cleared.

Android (legacy DA) settings

Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Android Enterprise settings

Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types. The default is Open.

Open, Shared settings for Android Enterprise

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android Enterprise

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

802.1x settings for Android Enterprise

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Windows Phone settings

Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the Wi-Fi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables Endpoint Management to send the certificate to devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows Phone

  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices via Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.

Proxy server settings for Windows Phone

  • Host name or IP address: Type the name or IP address of the proxy server.
  • Port: Type the port number for the proxy server.

Windows Desktop/Tablet settings

Device Policies configuration screen

  • Network name: The SSID seen in the list of available networks.
  • Authentication: In the list, click the type of security to use with the Wi-Fi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA Enterprise
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables Endpoint Management to send the certificate to devices to authenticate to the Wi-Fi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows 10

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Shared key: Provide the encryption key for the method you selected.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.

Windows Mobile/CE

  • Network name: The SSID seen in the list of available networks.
  • Device-to-device connection (ad-hoc): Choose whether to allow devices to connect to each other directly using Wi-Fi. The default is Off.
  • Network: Select whether the network connects externally, to the internet, or internally, within the office. The default is Internet.
  • Authentication: In the list, click the type of security to use with the Wi-Fi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA-None
    • WPA2
    • WPA2-PSK
  • Encryption: In the list, choose from WEP, AES, or TKIP to set the type of encryption. You can also select Disabled. The default is WEP.
  • Key provided (automatic): Choose whether devices receive the network key automatically. The default is Off.
  • Password: Type an optional password.
  • Key index: An access point can have up to four WEP keys, but each network only uses one key at a time. The access point assigns each key a unique value between 1 and 4. To see other devices on the network, a device must use the same key. Select the appropriate key index for the network you configure.

Chrome OS settings

Device Policies configuration screen

  • Name: Type a user-friendly description of this connection. This setting is required.
  • Priority: Type a suggested priority value for this network. This value can determine which network to connect to when multiple configured networks are available.
  • Allow gateway ARP Polling: If On, this setting allows ARP messages to be sent to the default gateway to monitor the status of the current connection. Default is On.
  • Auto connect: If On, devices connect to the network automatically when in range. Default is Off.
  • Hidden SSID: When set to On, the SSID of the network is not broadcast. Default is Off.
  • SSID: The SSID seen in the list of available networks on a device.
  • Roam threshold: Type the roam threshold for this network. The roam threshold is the signal-to-noise value (in dB) below which the device attempts to roam to a new network.
  • Select type of security: Choose the type of security used with this Wi-Fi connection. Options are None and WPA-PSK. Default is None.
  • Passphrase: If you select WPA-PSK as the security, type the passphrase for the network.

Citrix Ready workspace hub settings

You can connect to 5 GHz Wi-Fi networks if your Citrix Ready workspace hub device is built on the Raspberry Pi 3 Model B+ platform or later. Configure your device to connect to the network:

  • Name: Type a user-friendly description of this connection. This setting is required.
  • Authentication: If Open, no authentication is required. If WPA-2 Enterprise, configure authentication settings for the device. Default is Open.
  • EAP Type: Select an authentication protocol type. If Automatic, the workspace hub device automatically determines the authentication protocol. You can also select PEAP-MSCHAPv2. Default is Automatic.
  • Identity: Type a user name for authentication.
  • Password: Type a password for authentication.
  • Anonymous: Type an optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.

To push the Wi-Fi policy to the device, the device must connect using Ethernet. After the device reboots, it connects to Wi-Fi automatically.
