You can use policy to configure Wi-Fi networks on a device. The Android Management API uses Open Network Configuration, a standard JSON-based format which was originally developed as part of the Chromium project. Refer to the specification for full details on Open Network Configuration.
To include an Open Network Configuration in a policy, set the
openNetworkConfiguration
field on a
Policy
resource.
For fully managed devices, you can optionally prevent a user from manually
configuring Wi-Fi settings on their device by setting wifiConfigDisabled
to
true
in the
Policy
resource.
Supported features
The Android Management API only supports a subset of the Open Network Configuration specification.
- Top-level object:
Type
must be omitted or set toUnencryptedConfiguration
. There is no need to encrypt the network configuration within a policy because the entire policy is encrypted within the Android Management API service. Additionally, there is a second layer of encryption for sensitive information such as passphrases and private keys.
NetworkConfiguration
objects:GUID
,Name
,Type
, andWiFi
are the only supported fields, and are all required.Type
must be set toWiFi
. Other types of networks are not supported.
WiFi
objects:AllowGatewayARPPolling
is not supported.SignalStrength
is not supported.- For
WEP-PSK
passphrases, only 40-bit (10-digit) or 104-bit (26-digit) passphrases are supported. - The specification states that
WEP-PSK
passphrases must start with the prefix0x
. However, for consistency with the Android Framework, this prefix is not required.
EAP
objects:ClientCertPattern
is not supported.SaveCredentials
is not supported.UseSystemCAs
is not supported.- The
Pattern
value forClientCertType
is not supported. - The
MD5
value forInner
is not supported. - The
LEAP
andEAP-FAST
values forOuter
are not supported.
Certificate
objects:Remove
is not supported. Omit the certificate in the configuration instead.TrustBits
is not supported.
Examples
Multiple WiFi networks
This example policy fragment shows three Wi-Fi networks configured with
different security schemes. The Open Network Configuration JSON is nested within
the openNetworkConfiguration
field of the
Policy
JSON.
"openNetworkConfiguration": { "NetworkConfigurations": [{ "GUID": "a", "Name": "Example A", "Type": "WiFi", "WiFi": { "SSID": "Example A", "Security": "None", "AutoConnect": true } }, { "GUID": "b", "Name": "Example B", "Type": "WiFi", "WiFi": { "SSID": "Example B", "Security": "WEP-PSK", "Passphrase": "1234567890" } }, { "GUID": "c", "Name": "Example C", "Type": "WiFi", "WiFi": { "SSID": "Example C", "Security": "WPA-PSK", "Passphrase": "baseball" } }] }
EAP authentication
This example policy fragment shows a WiFi network configured with EAP-TLS
authentication. In addition to the NetworkConfigurations
object, the example
includes two Certificates
objects for the client and server certificates.
"openNetworkConfiguration": { "Type": "UnencryptedConfiguration", "NetworkConfigurations": [{ "GUID": "a", "Name": "Example A", "Type": "WiFi", "WiFi": { "SSID":"Example A", "EAP": { "Outer": "EAP-TLS", "Identity": "example", "ServerCARef": "abc123", "ClientCertType": "Ref", "ClientCertRef": "xyz456" }, "Security":"WPA-EAP" } } ], "Certificates": [{ "GUID": "abc123", "Type": "Server", "X509": "TWFuIGlzIGRpc3Rpbmd1a" //Base-64 encoded X.509 certificate }, { "GUID": "xyz456", "Type": "Client", "PKCS12": "6PQIEQYJKoZbdDu8gwggRlqCCAPEbAAcGClgvcNAQc" //Base-64 encoded PKCS#12 file } ] }