Configure networks

You can use policy to configure Wi-Fi networks on a device. The Android Management API uses Open Network Configuration, a standard JSON-based format which was originally developed as part of the Chromium project. Refer to the specification for full details on Open Network Configuration.

To include an Open Network Configuration in a policy, set the openNetworkConfiguration field on a Policy resource.

For fully managed devices, you can optionally prevent a user from manually configuring Wi-Fi settings on their device by setting wifiConfigDisabled to true in the Policy resource.

Supported features

The Android Management API only supports a subset of the Open Network Configuration specification.

  • Top-level object:
    • Type must be omitted or set to UnencryptedConfiguration. There is no need to encrypt the network configuration within a policy because the entire policy is encrypted within the Android Management API service. Additionally, there is a second layer of encryption for sensitive information such as passphrases and private keys.
  • NetworkConfiguration objects:
    • GUID, Name, Type, and WiFi are the only supported fields, and are all required.
    • Type must be set to WiFi. Other types of networks are not supported.
  • WiFi objects:
    • AllowGatewayARPPolling is not supported.
    • SignalStrength is not supported.
    • For WEP-PSK passphrases, only 40-bit (10-digit) or 104-bit (26-digit) passphrases are supported.
    • The specification states that WEP-PSK passphrases must start with the prefix 0x. However, for consistency with the Android Framework, this prefix is not required.
    • To set the MAC randomization mode, set the MACAddressRandomizationMode property to Hardware or Automatic. This property is not currently part of the Open Network Configuration (ONC) specification, but AMAPI provides it and it can be specified when configuring Wi-Fi networks. It applies only to Android 13+, in all management modes.
      • Hardware uses the factory MAC address when connecting to the network.
      • Automatic lets the Wi-Fi framework decide the MAC randomization strategy automatically. The randomly generated MAC address used when connecting to the network can be either persistent or non-persistent.
  • EAP objects:
    • ClientCertPattern is not supported.
    • SaveCredentials is not supported.
    • UseSystemCAs is not supported.
    • ClientCertType supports only the Ref value.
    • The following values are supported for Inner: MSCHAPv2, PAP.
    • The following values are supported for Outer: EAP-AKA, EAP-TLS, EAP-TTLS, EAP-SIM, PEAP.
  • Certificate objects:
    • Remove is not supported. Omit the certificate in the configuration instead.
    • TrustBits is not supported.
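
A pre-submission check for the limits listed above, as an added example that is not part of the original page or of the Android Management API. `check_onc` and `SAMPLE` are hypothetical names, the sample network is constructed, "digit" is read as hexadecimal digit, and the rule that `ServerCARef` and `ClientCertRef` must match a `Certificates` GUID is an assumption drawn from the EAP example on this page.

```python
import re

# Limits transcribed from the "Supported features" list on this page.
NET_FIELDS = {"GUID", "Name", "Type", "WiFi"}
UNSUPPORTED = {"WiFi": {"AllowGatewayARPPolling", "SignalStrength"},
               "EAP": {"ClientCertPattern", "SaveCredentials", "UseSystemCAs"},
               "Certificate": {"Remove", "TrustBits"}}
EAP_VALUES = {"Inner": {"MSCHAPv2", "PAP"}, "ClientCertType": {"Ref"},
              "Outer": {"EAP-AKA", "EAP-TLS", "EAP-TTLS", "EAP-SIM", "PEAP"}}
WEP_KEY = re.compile(r"(0x)?([0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})")  # 40/104-bit key, 0x optional

def check_onc(onc):
    """Return a list of problems in an openNetworkConfiguration dict."""
    problems = []
    if onc.get("Type", "UnencryptedConfiguration") != "UnencryptedConfiguration":
        problems.append("Type must be omitted or UnencryptedConfiguration")
    certs = onc.get("Certificates", [])
    for cert in certs:
        for key in sorted(cert.keys() & UNSUPPORTED["Certificate"]):
            problems.append(f"certificate {cert.get('GUID')}: {key} is not supported")
    cert_guids = {cert.get("GUID") for cert in certs}
    for net in onc.get("NetworkConfigurations", []):
        tag = f"network {net.get('GUID')}"
        if set(net) != NET_FIELDS:
            problems.append(f"{tag}: needs exactly GUID, Name, Type and WiFi")
        if net.get("Type") != "WiFi":
            problems.append(f"{tag}: Type must be WiFi")
        wifi = net.get("WiFi", {})
        eap = wifi.get("EAP", {})
        for key in sorted(wifi.keys() & UNSUPPORTED["WiFi"] | eap.keys() & UNSUPPORTED["EAP"]):
            problems.append(f"{tag}: {key} is not supported")
        if wifi.get("Security") == "WEP-PSK" and not WEP_KEY.fullmatch(wifi.get("Passphrase", "")):
            problems.append(f"{tag}: WEP-PSK passphrase must be 10 or 26 hex digits")
        for field, allowed in EAP_VALUES.items():
            if field in eap and eap[field] not in allowed:
                problems.append(f"{tag}: EAP {field} {eap[field]} is not supported")
        # Assumption drawn from the EAP example: each *Ref names a Certificates GUID.
        for ref in ("ServerCARef", "ClientCertRef"):
            if ref in eap and eap[ref] not in cert_guids:
                problems.append(f"{tag}: {ref} {eap[ref]} matches no certificate")
    return problems

# Constructed sample: one network that breaks three of the rules above.
SAMPLE = {"NetworkConfigurations": [{"GUID": "b", "Name": "B", "Type": "WiFi", "WiFi": {
    "SSID": "B", "Security": "WPA-EAP",
    "EAP": {"Outer": "LEAP", "UseSystemCAs": True, "ServerCARef": "missing"}}}]}

if __name__ == "__main__":
    print("\n".join(check_onc(SAMPLE)))
```

Pass the parsed value of the policy's openNetworkConfiguration field; an empty list means the fragment stays within the subset described above.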

Examples

Multiple WiFi networks

This example policy fragment shows three Wi-Fi networks configured with different security schemes. The Open Network Configuration JSON is nested within the openNetworkConfiguration field of the Policy JSON.

"openNetworkConfiguration": {
  "NetworkConfigurations": [{
    "GUID": "a",
    "Name": "Example A",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example A",
      "Security": "None",
      "AutoConnect": true
    }
  }, {
    "GUID": "b",
    "Name": "Example B",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example B",
      "Security": "WEP-PSK",
      "Passphrase": "1234567890"
    }
  }, {
    "GUID": "c",
    "Name": "Example C",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "Example C",
      "Security": "WPA-PSK",
      "Passphrase": "baseball"
    }
  }, {
    "GUID": "networkA",
    "Name": "networkA",
    "Type": "WiFi",
    "WiFi": {
      "SSID": "networkA",
      "Security": "WPA-PSK",
      "Passphrase": "pwd1234567",
      "MACAddressRandomizationMode": "Hardware"
    }
  }]
}

EAP authentication

This example policy fragment shows a WiFi network configured with EAP-TLS authentication. In addition to the NetworkConfigurations object, the example includes two Certificates objects for the client and server certificates.

"openNetworkConfiguration": {
   "Type": "UnencryptedConfiguration",
   "NetworkConfigurations": [{
         "GUID": "a",
         "Name": "Example A",
         "Type": "WiFi",
         "WiFi": {
            "SSID":"Example A",
            "EAP": {
               "Outer": "EAP-TLS",
               "Identity": "example",
               "ServerCARef": "abc123",
               "ClientCertType": "Ref",
               "ClientCertRef": "xyz456"
            },
            "Security":"WPA-EAP"
         }
      }
   ],
   "Certificates": [{
         "GUID": "abc123",
         "Type": "Server",
         "X509": "TWFuIGlzIGRpc3Rpbmd1a"  //Base-64 encoded X.509 certificate
      },
      {
         "GUID": "xyz456",
         "Type": "Client",
         "PKCS12": "6PQIEQYJKoZbdDu8gwggRlqCCAPEbAAcGClgvcNAQc" //Base-64 encoded PKCS#12 file
      }
   ]
}