WiFi device policy

Create new or edit existing WiFi device policies in Endpoint Management by using the Configure > Device Policies page. WiFi policies let you manage how users connect their devices to WiFi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other WiFi-related details

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Prerequisites

Before you create a policy, be sure that you complete these steps:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

iOS settings

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. Endpoint Management can then send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.
    • Any (Enterprise)

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, Any (Personal) settings for iOS

Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for iOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you choose Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time that users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term such as “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on users' devices when a certificate is untrusted. The default is On.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.

macOS settings

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise
    • Any (Enterprise)

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, WPA 2 Personal, Any (Personal) settings for macOS

  • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for macOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you select Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and Endpoint Management.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate you want to add. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
  • Use as a Login Window configuration: Choose whether to use the same credentials entered at the login window to authenticate the user.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.
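
The enterprise settings listed above for iOS and macOS can be reviewed before a policy is deployed. The following is an added example, not Citrix code: the dictionary field names are hypothetical and modelled on this page's setting labels, and the wildcard check is a heuristic rather than the matching rule the devices apply.

```python
# Added example: field names are hypothetical, modelled on this page's labels.
ENTERPRISE = {"WEP Enterprise", "WPA/WPA2 Enterprise", "Any (Enterprise)"}
TUNNELED = {"PEAP", "TTLS", "EAP-FAST"}

def overbroad_name(pattern):
    """Heuristic: a wildcard in the last two labels (e.g. '*.com') pins nothing."""
    labels = pattern.lower().rstrip(".").split(".")
    return len(labels) < 2 or any("*" in label for label in labels[-2:])

def audit_wifi_policy(policy):
    """Return a list of findings for one iOS/macOS WiFi policy dict."""
    findings = []
    sec = policy.get("security_type", "None")
    if sec in {"None", "WEP", "WEP Enterprise"}:
        findings.append(f"security type {sec!r}: no encryption or WEP")
    if sec not in ENTERPRISE:
        return findings
    eap = set(policy.get("eap_types", []))  # page default: every type Off
    if not eap:
        findings.append("no EAP type enabled")
    names = policy.get("trusted_server_names", [])
    if not names and not policy.get("trusted_certificates"):
        findings.append("no trusted certificate or server name configured")
    for name in names:
        if overbroad_name(name):
            findings.append(f"trusted server name {name!r} is too broad")
    if policy.get("allow_trust_exceptions", True):  # page default: On
        findings.append("trust exceptions On: user can accept an untrusted certificate")
    if "TTLS" in eap and policy.get("ttls_inner_auth", "MSCHAPv2") == "PAP":
        findings.append("TTLS inner PAP relies entirely on server validation")
    if eap & TUNNELED:
        outer = policy.get("outer_identity", "").lower()
        user = policy.get("user_name", "").lower()
        if not outer or (user and user in outer):
            findings.append("outer identity is empty or reveals the user name")
    if policy.get("eap_fast_provision_pac_anonymously", False):
        findings.append("EAP-FAST PAC provisioned over an anonymous TLS handshake")
    return findings

# Constructed sample policies (not taken from a real deployment).
WEAK = {
    "security_type": "WPA/WPA2 Enterprise", "eap_types": ["TTLS"],
    "ttls_inner_auth": "PAP", "user_name": "jdoe",
    "outer_identity": "jdoe@example.com", "trusted_server_names": ["*.com"],
}
HARDENED = {
    "security_type": "WPA/WPA2 Enterprise", "eap_types": ["PEAP"],
    "user_name": "jdoe", "outer_identity": "anonymous",
    "trusted_server_names": ["wpa.*.example.com"], "allow_trust_exceptions": False,
}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_wifi_policy(pol))
```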

Android settings

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Windows Phone settings

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables Endpoint Management to send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows Phone

  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices via Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.
  • Proxy server settings
    • Host name or IP address: Type the name or IP address of the proxy server.
    • Port: Type the port number for the proxy server.

Windows 10 settings

  • Authentication: In the list, click the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA Enterprise
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables Endpoint Management to send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows 10

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.

Chrome OS settings

  • Name: Type a user-friendly description of this connection. This setting is required.
  • Priority: Type a suggested priority value for this network. This value can determine which network to connect to when multiple configured networks are available.
  • Allow gateway ARP Polling: If On, this setting allows ARP messages to be sent to the default gateway to monitor the status of the current connection. Default is On.
  • Auto connect: If On, devices connect to the network automatically when in range. Default is Off.
  • Hidden SSID: When set to On, the SSID of the network is not broadcast. Default is Off.
  • Roam threshold: Type the roam threshold for this network. The roam threshold is the signal-to-noise value (in dB) below which the device attempts to roam to a new network.
  • Select type of security: Choose the type of security used with this WiFi connection. Options are None and WPA-PSK. Default is None.

Workspace Hub settings

Citrix Ready workspace hub devices can’t connect to 5 GHz WiFi networks. Configure your device to connect to a 2.4 GHz WiFi network.

  • Name: Type a user-friendly description of this connection. This setting is required.
  • Authentication: If Open, no authentication is required. If WPA-2 Enterprise, configure authentication settings for the device. Default is Open.
  • EAP Type: Select an authentication protocol type. If Automatic, the workspace hub device automatically determines the authentication protocol. You can also select PEAP-MSCHAPv2. Default is Automatic.
  • Identity: Type a user name for authentication.
  • Password: Type a password for authentication.
  • Anonymous: Type an optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.

To push the WiFi policy to the device, it must first be connected using Ethernet. After the device reboots, it connects to WiFi automatically.