Configure networks

You can use policy to configure Wi-Fi networks on a device. The Android Management API uses Open Network Configuration, a standard JSON-based format which was originally developed as part of the Chromium project. Refer to the specification for full details on Open Network Configuration.

To include an Open Network Configuration in a policy, set the openNetworkConfiguration field on a Policy resource.

For fully managed devices, you can optionally prevent a user from manually configuring Wi-Fi settings on their device by setting wifiConfigDisabled to true in the Policy resource.

Supported features

The Android Management API only supports a subset of the Open Network Configuration specification.

• Top-level object:
  • Type must be omitted or set to UnencryptedConfiguration. There is no need to encrypt the network configuration within a policy because the entire policy is encrypted within the Android Management API service. Additionally, there is a second layer of encryption for sensitive information such as passphrases and private keys.
• NetworkConfiguration objects:
  • GUID, Name, Type, and WiFi are the only supported fields, and are all required.
  • Type must be set to WiFi. Other types of networks are not supported.
• WiFi objects:
  • AllowGatewayARPPolling is not supported.
  • SignalStrength is not supported.
  • For WEP-PSK passphrases, only 40-bit (10-digit) or 104-bit (26-digit) passphrases are supported.
  • The specification states that WEP-PSK passphrases must start with the prefix 0x. However, for consistency with the Android Framework, this prefix is not required.
• EAP objects:
  • ClientCertPattern is not supported.
  • SaveCredentials is not supported.
  • UseSystemCAs is not supported.
  • ClientCertType supports only the Ref value
  • The following values are supported for Inner: MSCHAPv2, PAP
  • The following values are supported for Outer: EAP-AKA, EAP-TLS, EAP-TTLS, EAP-SIM, PEAP
• Certificate objects:
  • Remove is not supported. Omit the certificate in the configuration instead.
  • TrustBits is not supported.

Examples

Multiple WiFi networks

This example policy fragment shows three Wi-Fi networks configured with different security schemes. The Open Network Configuration JSON is nested within the openNetworkConfiguration field of the Policy JSON.

"openNetworkConfiguration": {
  "NetworkConfigurations": [{
    "GUID": "a",
    "Name": "Example A",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example A",
      "Security": "None",
      "AutoConnect": true
    }
  }, {
    "GUID": "b",
    "Name": "Example B",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example B",
      "Security": "WEP-PSK",
      "Passphrase": "1234567890"
    }
  }, {
    "GUID": "c",
    "Name": "Example C",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example C",
      "Security": "WPA-PSK",
      "Passphrase": "baseball"
    }
  }]
}

EAP authentication

This example policy fragment shows a WiFi network configured with EAP-TLS authentication. In addition to the NetworkConfigurations object, the example includes two Certificates objects for the client and server certificates.

"openNetworkConfiguration": {
   "Type": "UnencryptedConfiguration",
   "NetworkConfigurations": [{
         "GUID": "a",
         "Name": "Example A",
         "Type": "WiFi",
         "WiFi": {
            "SSID":"Example A",
            "EAP": {
               "Outer": "EAP-TLS",
               "Identity": "example",
               "ServerCARef": "abc123",
               "ClientCertType": "Ref",
               "ClientCertRef": "xyz456"
            },
            "Security":"WPA-EAP"
         }
      }
   ],
   "Certificates": [{
         "GUID": "abc123",
         "Type": "Server",
         "X509": "TWFuIGlzIGRpc3Rpbmd1a"  //Base-64 encoded X.509 certificate
      },
      {
         "GUID": "xyz456",
         "Type": "Client",
         "PKCS12": "6PQIEQYJKoZbdDu8gwggRlqCCAPEbAAcGClgvcNAQc" //Base-64 encoded PKCS#12 file
      }
   ]
}