Wi-Fi

Use the Wifi settings to provide connection parameters that enforce the use of the corporate wifi network on macOS devices.

The following table describes the connection parameters that are required to enforce a wifi connection:
Policy setting Description
Configure for Type The type of wifi connection. This setting supports the following types:
  • Open
  • WEP
  • WPA/WPA2
  • Any (Personal)
  • WEP (Enterprise)
  • WPA/WPA2 (Enterprise)
  • Any (Enterprise)
  • Ethernet
Service Set Identifier (SSID) The SSID of the wifi network.
Auto Join Users can join the wifi network automatically. If this setting is disabled, users must select the network name to join the network.
Hidden Network The wifi network is hidden and not broadcasting the SSID.
Network Type Passpoint: The network is treated as a hotspot.
  • Displayed Operator Name: The operator name that is displayed when the device is connected to this network. This name is used with Wi-Fi Hotspot 2.0 access points only.
  • Domain Name for Hotspot Negotiation: The domain name that is used for the Wi-Fi Hotspot 2.0 negotiation.
  • Allow Connections to Roaming Service Providers: The connections to roaming service providers that are allowed.
  • Roaming Consortium Organizations: The list of roaming Consortium Organization Identifiers that are used for Wi-Fi Hotspot 2.0 negotiation.
  • Realm Names for Network Access: The list of Network Access Identifier Realm names that are used for Wi-Fi Hotspot 2.0 negotiation.
Encryption Type The security protocol of the wifi network. The supported encryption standards are WEP, WPA, Any, or None. The encryption types must match the capabilities of the network access point. If you are not sure about the encryption type, or want to apply to all encryption types, use Any.
Accepted EAP Types The supported Extensible Authentication Protocol (EAP) authentication types.
Use Protected Access Credential (PAC) (for EAP-FAST)
  • Use PAC: The device uses an existing Protected Access Credential (PAC). Otherwise, the server provides its identity using a certificate. The default value is false.
  • Provision PAC: PAC provisioning is allowed on the device. This is the only method to provision PAC on the device. The default value is false.
  • Provision PAC Anonymously: PAC is provisioned anonymously on the device. The default value is false.
Inner Authentication Protocol (for TTLS) The inner authentication used by the TTLS module. The supported values are PAP, CHAP, MSCHAP, or MSCHAPV2.
Authentication Username The user name of the wifi network. Enter %username% to allow users to use their corporate credentials.
Outer Identity Username The user name that is sent outside the encrypted tunnel. The user's actual name appears only in the encrypted tunnel, which allows users to hide their identity. This setting applies to TTLS, PEAP, or EAP-FAST.
Trusted Certificates The trusted certificates that are required for authentication. The device does not prompt the user for certificates if the selected certificate is trusted.
Trusted Certificate Name The list of common certificate names that are trusted and accepted for the network. You can use wildcards to specify the name, such as wpa.*.example.com. If a server provides a certificate that is not in this list, the certificate is not trusted.
Allow Trust Exceptions The user can make trust decisions (in a dialog window) when a certificate is not trusted. Otherwise, authentication fails if the certificate is not already trusted.
Use Per Connection Password Users are prompted for a password each time they connect to the network.
Password for Authenticating a Wireless Network The password that is used to authenticate to a wireless network. If a password is not provided, the network is still added to the known networks and users are prompted to provide a password when they connect to that network.
Identity Certificate The certificate payload that is used for the identity certificate.
Proxy Type If you choose the manual proxy type, you must provide the proxy server address including the proxy server port number and optionally, a username and password. If you choose the auto proxy type, enter a Proxy (PAC) URL.
Disable Captive Network Detection Captive Network detection is bypassed when the device connects to the network.
Enable QoS Marking for Apps QoS (Quality of Service) Packet Marking helps define the L2 and L3 level configuration of the wifi network. The administrator can define which apps can access these levels of the network, to avoid usage that makes the network slow.
  • Allowed Apps for QoS Marking: The list of app bundle identifiers that are allowed for L2 and L3 marking for traffic sent to the wifi network. If the array is not present, apps are not allowed. If the QoSMarkingPolicy key is present (or empty), apps are allowed.
  • Restrict L3 Marking: The L3 marking is disabled and only L2 marking is used for traffic that is sent to the wifi network.
  • Built-in Apple Audio/Video calls: The audio and video calls are enabled for built-in services such as FaceTime or Wifi Calling.
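
The settings in the table can be reviewed after export with a short audit script. The following is an added example, not part of the original documentation or the product: it assumes the policy is delivered as an unsigned XML configuration profile that uses Apple's com.apple.wifi.managed payload keys, and the sample profile and SSID are constructed.

```python
import plistlib

# Constructed sample profile (not from a real deployment) with several weak choices.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>CorpNet-Example</string>
  <key>EncryptionType</key><string>Any</string>
  <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>21</integer></array>
    <key>TTLSInnerAuthentication</key><string>PAP</string>
    <key>TLSAllowTrustExceptions</key><true/>
  </dict>
</dict></array></dict></plist>"""

TUNNELED = {21, 25, 43}  # EAP type numbers: TTLS, PEAP, EAP-FAST

def audit_wifi_payload(p):
    """Return findings for one com.apple.wifi.managed payload dict."""
    out = []
    enc = p.get("EncryptionType", "Any")  # absent key treated as Any (assumption)
    if enc in ("None", "WEP", "Any"):
        out.append(f"EncryptionType={enc}: profile does not require WPA")
    eap = p.get("EAPClientConfiguration")
    if eap is None:
        return out  # personal or open network: no EAP settings to check
    if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
        out.append("no trusted certificate or trusted certificate name configured")
    if eap.get("TLSAllowTrustExceptions") is True:  # only an explicit true is flagged
        out.append("Allow Trust Exceptions: users can accept an untrusted certificate")
    inner = eap.get("TTLSInnerAuthentication")
    if inner in ("PAP", "CHAP", "MSCHAP"):
        out.append(f"TTLS inner authentication {inner}: legacy method")
    if eap.get("EAPFASTProvisionPACAnonymously") is True:
        out.append("PAC is provisioned anonymously (server not authenticated)")
    if TUNNELED & set(eap.get("AcceptEAPTypes", [])) and not eap.get("OuterIdentity"):
        out.append("no outer identity: real user name is visible outside the tunnel")
    return out

def audit_profile(data):
    """Map each Wi-Fi payload's SSID to its findings (unsigned XML profile)."""
    profile = plistlib.loads(data)
    return {p.get("SSID_STR", "?"): audit_wifi_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"}

if __name__ == "__main__":
    for ssid, findings in audit_profile(SAMPLE).items():
        print(ssid, *findings, sep="\n  - ")
```

A profile that uses a WPA encryption type, lists trusted certificate names, disables trust exceptions and sets an outer identity produces no findings.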