WiFi device policy

You create new or edit existing WiFi device policies in XenMobile by using the Configure > Device Policies page. WiFi policies let you manage how users connect their devices to WiFi networks by defining the following items:

  • Network names and types
  • Authentication and security policies
  • Proxy server use
  • Other WiFi-related details

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Prerequisites

Before you create a policy, be sure that you complete these steps:

  • Create any delivery groups that you plan to use.
  • Know the network name and type.
  • Know any authentication or security types that you plan to use.
  • Know any proxy server information that you might need.
  • Install any necessary CA certificates.
  • Have any necessary shared keys.
  • Create the PKI entity for certificate-based authentication.
  • Configure credential providers.

For more information, see Authentication and its subarticles.

iOS settings

Image of Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. XenMobile can then send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.
    • Any (Enterprise)

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, Any (Personal) settings for iOS

Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for iOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you choose Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and XenMobile.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time that users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term such as “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.
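
The enterprise trust and EAP options above decide whether a device validates the WiFi authentication server before sending credentials. The following check is an added example, not XenMobile or Citrix code: it assumes the policy reaches the device as an Apple Wi-Fi payload (com.apple.wifi.managed) and reads Apple's documented payload keys; the function name, finding labels, and sample payload are constructed for illustration.

```python
import plistlib

# Constructed sample: an Apple Wi-Fi payload of the kind an MDM server delivers.
# All values are made up for illustration.
SAMPLE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>corp-example</string>
  <key>EncryptionType</key><string>WPA2</string>
  <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>21</integer><integer>43</integer></array>
    <key>TTLSInnerAuthentication</key><string>PAP</string>
    <key>OuterIdentity</key><string>anonymous</string>
    <key>TLSAllowTrustExceptions</key><true/>
    <key>EAPFASTUsePAC</key><true/>
    <key>EAPFASTProvisionPAC</key><true/>
    <key>EAPFASTProvisionPACAnonymously</key><true/>
  </dict>
</dict></plist>"""

TUNNELLED = {21, 25, 43}  # TTLS, PEAP, EAP-FAST: EAP types that use an outer identity


def audit_wifi_payload(payload: dict) -> list[str]:
    """Return findings for settings that weaken encryption or server validation."""
    findings = []
    if payload.get("EncryptionType") in ("WEP", "None"):
        findings.append("weak-encryption")
    eap = payload.get("EAPClientConfiguration")
    if eap is None:
        return findings  # open or personal network: no EAP settings to check
    types = set(eap.get("AcceptEAPTypes", []))
    # With neither trusted names nor trusted certificates, the device has
    # nothing to compare the authentication server's certificate against.
    if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no-server-pinning")
    # The page gives On as the default, so a missing key counts as enabled.
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("trust-exceptions-allowed")
    if types & TUNNELLED and not eap.get("OuterIdentity"):
        findings.append("real-username-in-outer-identity")
    # PAP hands the cleartext password to whichever server ends the tunnel.
    if 21 in types and eap.get("TTLSInnerAuthentication", "MSCHAPv2") == "PAP":
        findings.append("ttls-inner-pap")
    if 43 in types and eap.get("EAPFASTProvisionPACAnonymously"):
        findings.append("anonymous-pac-provisioning")
    return findings


if __name__ == "__main__":
    for finding in audit_wifi_payload(plistlib.loads(SAMPLE_PAYLOAD)):
        print(finding)
```

A payload that lists trusted server certificate names and sets Allow trust exceptions to Off returns no server-validation findings.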

macOS settings

Image of Device Policies configuration screen

  • Network type: In the list, choose Standard, Legacy Hotspot, or Hotspot 2.0 to set the network type you plan to use.
  • Network Name: Type the SSID that is seen in the list of available networks for the device. Does not apply to Hotspot 2.0.
  • Hidden network (enable if network is open or off): Choose whether the network is hidden.
  • Auto Join (automatically join this wireless network): Choose whether the network is joined automatically. The default is On.
  • Security type: In the list, choose the security type you plan to use. Does not apply to Hotspot 2.0.
    • None - Requires no further configuration.
    • WEP
    • WPA/WPA2 Personal
    • Any (Personal)
    • WEP Enterprise
    • WPA/WPA2 Enterprise
    • Any (Enterprise)

The following sections list the options you configure for each of the preceding connection types.

WPA, WPA Personal, WPA 2 Personal, Any (Personal) settings for macOS

  • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.

WEP Enterprise, WPA Enterprise, WPA2 Enterprise, Any (Enterprise) settings for macOS

When you choose any of these settings, their settings are listed after Proxy server settings.

  • Protocols, accepted EAP types: Enable the EAP types you want to support and then configure the associated settings. The default is Off for each of the available EAP types.
  • Inner authentication (TTLS): Required only when you enable TTLS. In the list, choose the inner authentication method to use. Options are: PAP, CHAP, MSCHAP, or MSCHAPv2. The default is MSCHAPv2.
  • Protocols, EAP-FAST: Choose whether to use protected access credentials (PACs).
    • If you select Use PAC, choose whether to use a provisioning PAC.
      • If you choose Provisioning PAC, choose whether to allow an anonymous TLS handshake between the end-user client and XenMobile.
        • Provisioning PAC anonymously
  • Authentication:
    • User name: Type a user name.
    • Per-connection password: Choose whether to require a password each time users log on.
    • Password: Type an optional password. If you leave this field blank, users might be prompted for their passwords when they log on.
    • Identity credential (Keystore or PKI credential): In the list, choose the type of identity credential. The default is None.
    • Outer identity: Required only when you enable PEAP, TTLS, or EAP-FAST. Type the externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
    • Require a TLS certificate: Choose whether to require a TLS certificate.
  • Trust
    • Trusted certificates: To add a trusted certificate, click Add and, for each certificate you want to add, do the following:
      • Application: In the list, choose the application you want to add.
      • Click Save to save the certificate or click Cancel.
    • Trusted server certificate names: To add trusted server certificate common names, click Add and, for each name you want to add, do the following:
      • Certificate: Type the name of the server certificate you want to add. You can use wildcards to specify the name, such as wpa.*.example.com.
      • Click Save to save the certificate name or click Cancel.
  • Allow trust exceptions: Choose whether the certificate trust dialog appears on user devices when a certificate is untrusted. The default is On.
  • Use as a Login Window configuration: Choose whether to use the same credentials entered at the login window to authenticate the user.
  • Proxy server settings
    • Proxy configuration: In the list, choose None, Manual, or Automatic to set how the VPN connection routes through a proxy server and then configure any additional options. The default is None, which requires no further configuration.
    • If you choose Manual, configure these settings:
      • Hostname/IP address: Type the host name or IP address of the proxy server.
      • Port: Type the proxy server port number.
      • User name: Type an optional user name to authenticate to the proxy server.
      • Password: Type an optional password to authenticate to the proxy server.
    • If you choose Automatic, configure these settings:
      • Server URL: Type the URL of the PAC file that defines the proxy configuration.
      • Allow direct connection if PAC is unreachable: Choose whether to allow users to connect directly to the destination if the PAC file is unreachable. The default is On. This option is available only on iOS 7.0 and later.

Android settings

Image of Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • Shared
    • WPA
    • WPA-PSK
    • WPA2
    • WPA2-PSK
    • 802.1x EAP

The following sections list the options you configure for each of the preceding connection types.

Open, Shared settings for Android

  • Encryption: In the list, choose either Disabled or WEP. The default is WEP.
  • Password: Type an optional password.

WPA, WPA-PSK, WPA2, WPA2-PSK settings for Android

  • Encryption: In the list, choose either TKIP or AES. The default is TKIP.
  • Password: Type an optional password.

802.1x settings for Android

  • EAP Type: In the list, choose PEAP, TLS, or TTLS. The default is PEAP.
  • Password: Type an optional password.
  • Authentication phase 2: In the list, choose None, PAP, MSCHAP, MSCHAPv2, or GTC. The default is PAP.
  • Identity: Type the optional user name and domain.
  • Anonymous: Type the optional, externally visible user name. You can increase security by typing a generic term like “anonymous” so that the user name isn’t visible.
  • CA certificate: In the list, choose the certificate to use.
  • Identity credential: In the list, choose the identity credential to use. The default is None.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.

Windows Phone settings

Image of Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables XenMobile to send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows Phone

  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows Phone

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether to connect when the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices via Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.
  • Proxy server settings
    • Host name or IP address: Type the name or IP address of the proxy server.
    • Port: Type the port number for the proxy server.

Windows 10 settings

Image of Device Policies configuration screen

  • Authentication: In the list, click the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA Enterprise
    • WPA-2 Enterprise: For the latest release of Windows 10, use of WPA-2 Enterprise requires that you configure SCEP. SCEP configuration enables XenMobile to send the certificate to devices to authenticate to the WiFi server. To configure SCEP, go to the Distribution page of Settings > Credential Providers. For more information, see Credential providers.

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows 10

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows 10

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.

Windows Mobile/CE settings

Image of Device Policies configuration screen

  • Network name: Type the SSID that is in the list of available networks on the user device.
  • Device-to-device connection (ad-hoc): Allows two devices to connect directly. Default is Off.
  • Network: Choose whether the device is connected to an external internet source or an Office intranet.
  • Authentication: In the list, choose the type of security to use with the WiFi connection.
    • Open
    • WPA Personal
    • WPA-2 Personal
    • WPA-2 Enterprise

The following sections list the options you configure for each of the preceding connection types.

Open settings for Windows Mobile/CE

  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA Personal, WPA-2 Personal settings for Windows Mobile/CE

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • Hidden network (Enable if network is open or off): Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.

WPA-2 Enterprise settings for Windows Mobile/CE

  • Encryption: In the list, choose either AES or TKIP to set the type of encryption. The default is AES.
  • EAP Type: In the list, choose either PEAP-MSCHAPv2 or TLS to set the EAP type. The default is PEAP-MSCHAPv2.
  • Connect if hidden: Choose whether the network is hidden.
  • Connect automatically: Choose whether to connect to the network automatically.
  • Push certificate via SCEP: Choose whether to push the certificate to user devices by using Simple Certificate Enrollment Protocol (SCEP).
  • Credential provider for SCEP: In the list, choose the SCEP credential provider. The default is None.
  • Key provided (automatic): Choose whether the key is automatically provided. Default is Off.
  • Password: Type the password in this field.
  • Key index: Choose the key index. Available options are 1, 2, 3, and 4.