
Wi-Fi configuration (Android Enterprise device policy)

With the Wi-Fi configuration you specify settings for connecting to Wi-Fi networks.

Restriction

If your Wi-Fi network uses Extensible Authentication Protocol (EAP) authentication (EAP/PEAP, EAP/TLS, or EAP/TTLS), it must not be hidden. That is, the network must be broadcasting its SSID.

Setting Description
SSID

The ID of the Wi-Fi network.

Security type

The security type of the Wi-Fi connection:

  • None
  • WEP
  • WPA/WPA2 PSK
  • EAP/PEAP
  • EAP/TLS
  • EAP/TTLS

When you select WEP, you can’t assign the policy to devices with Android 12 and later.

Phase 2 authorization

The authentication method for phase 2 of the EAP negotiation:

  • None
  • PAP
  • CHAP
  • MSCHAP
  • MSCHAPv2

This setting is only available for EAP/PEAP and EAP/TTLS connections.

Identity

The user identity.

This setting is only available for EAP connections.

Anonymous identity

The pseudonym identity sent unencrypted in phase 1 of the EAP negotiation.

This setting is only available for EAP connections.

Password

The password for the Wi-Fi network.

Identity certificate

The identity certificate for the connection to the Wi-Fi network.

The list includes all certificates from Client certificate configurations of the current policy.

This setting is only available for EAP connections.

Trusted certificate

The root CA for the certificate of the EAP server.

The list includes all certificates from Root certificate configurations of the current policy.

This setting is only available for EAP connections.

Domain suffix match

This setting validates the EAP server’s certificate by its DNS name.

The value you enter must match a dNSName element of the certificate’s subjectAltName extension. Values are compared one domain part at a time, starting from the top-level domain.

You can enter multiple values separated by semicolons. The certificate is valid if at least one value matches.

You can’t use wildcards.

Example: example.com matches server.example.com but not server-example.com.

This setting is only available for EAP connections.

Subject alternative name match

This setting validates the EAP server’s certificate by its Subject Alternative Name (SAN).

The value you enter must match a substring of the certificate’s subjectAltName extension.

You can enter multiple values separated by semicolons. The certificate is valid if at least one value matches.

Example: DNS:server.example.com;EMAIL:server@example.com matches a certificate’s SubjectAltName extension with a dNSName element of *.server.example.com or an Email element of server@example.com.

This setting is only available for EAP connections.

Subject alternative name match is an advanced setting. We recommend you use the Domain suffix match setting instead of this setting, where possible.