General Page
Follow the steps to open the Network Restrictions section from the IBM® MaaS360® Portal home page.
- From the IBM® MaaS360® Portal home page, select Security and click Policies.
- Click the Android Enterprise Policy.
- In the Configure settings tab, click Restrictions.
- Click Edit and select Configure Restrictions.
- In the Network Restrictions tab, select the following policies to apply.
- Allow or Block Wi-Fi Networks by SSID. This policy helps organizations to prevent an employee from connecting to unsecured or public networks and ensures that the devices connect only to approved office or home networks. The administrators can define lists of either Allowed or Blocked Wi-Fi SSIDs.
  - Select Allowed Wi-Fi Networks for devices to connect to specified SSIDs only.
  - Select Blocked Wi-Fi Networks to prevent devices from connecting to those specific networks.
  Note: Ensure that the SSIDs in the Allowed Wi-Fi Networks list are accurate. Mistakes in spelling, case, or spaces can prevent devices from connecting to the intended networks, resulting in no internet access if an alternative connection is not available.
- Minimum Wi-Fi security level. This policy enables administrators to define the minimum acceptable security standard for Wi-Fi connections. Any Wi-Fi network below the selected security level is blocked. The available security levels are as follows.
  - Open. No encryption or authentication is required at this security level. This level covers public and guest Wi-Fi networks such as those in cafes, airports, and hotels. Data may be transmitted unencrypted, which makes networks at this level vulnerable to eavesdropping and attacks like man-in-the-middle (MITM).
  - Personal. This security level includes WEP, WPA, WPA2-Personal, and WPA3-Personal. It uses a pre-shared key (PSK) for authentication. This level is suitable for home networks and small business environments. Note that WPA2-Personal and WPA3-Personal are secure but WEP is outdated and highly vulnerable to attacks.
  - Enterprise EAP. This security level is used in corporate, government, and university networks requiring user authentication through a RADIUS server. It is stronger than personal networks due to individual user credentials and encryption certificates. The Extensible Authentication Protocol (EAP) methods used by Enterprise Wi-Fi with 802.1X authentication are as follows.
    - PEAP (Protected EAP)
    - EAP-TLS (Transport Layer Security)
    - EAP-TTLS (Tunneled TLS)
    - EAP-SIM, EAP-FAST, and so on.
  - Enterprise 192. This is the highest security level, utilizing WPA3-Enterprise with 192-bit encryption. It is used in military, financial institutions, and high-security corporate environments requiring robust encryption. It provides improved cryptographic strength and protection against brute force and dictionary attacks.
  Note: Setting a higher security level may block networks with weaker encryption. Ensure that all the essential Wi-Fi networks meet the defined security criteria to maintain connectivity. Additionally, the Minimum Wi-Fi Security Level cannot be stronger than the configured security level in the Wi-Fi profiles.
- Allow Configuring Wi-Fi. This policy determines whether the users can manually add new Wi-Fi configurations. It prevents users from connecting to unauthorized or rogue networks. It is suitable for corporate environments where Wi-Fi configurations are centrally managed.
Note: Disabling this policy can result in devices losing internet connectivity if no Wi-Fi SSIDs are preconfigured through the policy. Make sure critical Wi-Fi SSIDs are already pushed through MaaS360® policies before disabling this option.
- Allow Change Wi-Fi State. This policy controls whether users can enable or disable Wi-Fi on their devices. It makes sure that the employees do not accidentally turn off the Wi-Fi, which can disrupt critical business apps reliant on connectivity. It is useful in industries like logistics or retail, where continuous Wi-Fi connectivity is essential.
- Allow Wi-Fi Direct (Updated Policy). This policy is now expanded to support all Android 13+ devices with Device Owner (DO) enrollment. It restricts users from bypassing enterprise networks through peer-to-peer Wi-Fi connections and prevents unauthorized data sharing or file transfers over Wi-Fi Direct.
- Allow Wi-Fi Tethering. This policy controls whether users can enable and configure Wi-Fi tethering and portable hotspots. It prevents employees from sharing corporate network access with unauthorized personal devices, helps reduce bandwidth consumption, and minimizes security risks from external devices.
- In the Wi-Fi tab, select Wi-Fi Settings and click Restrict Sharing Wi-Fi policy. This policy restricts users from sharing admin-configured Wi-Fi networks. It prevents users from sharing secured Wi-Fi credentials with unauthorized users, which is critical to protecting sensitive enterprise network details.
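The three notes above describe ways a policy can cut devices off from Wi-Fi. The following pre-deployment check is an added example, not IBM or MaaS360 code: it compares a planned restriction policy with the Wi-Fi profiles to be pushed. The dictionary keys, finding codes, and sample SSIDs are assumptions made for illustration and do not reflect a MaaS360 export format.

```python
from enum import IntEnum

class WifiLevel(IntEnum):
    """Security levels in the order this page lists them, weakest first."""
    OPEN = 0
    PERSONAL = 1
    ENTERPRISE_EAP = 2
    ENTERPRISE_192 = 3

def _fold(ssid):
    # Ignore case and whitespace, only to spot near-miss typos.
    return "".join(ssid.split()).casefold()

def review_policy(policy, profiles):
    """Return (code, detail) findings; an empty list means no conflicts found."""
    findings = []
    allowed = policy.get("allowed_ssids", [])
    minimum = policy["min_security_level"]
    for prof in profiles:
        ssid, level = prof["ssid"], prof["security_level"]
        if level < minimum:
            # The minimum level cannot be stronger than a pushed profile's level.
            findings.append(("LEVEL_BELOW_MINIMUM", f"{ssid}: {level.name} < {minimum.name}"))
        if allowed and ssid not in allowed:
            # Allowed-list entries must match exactly: spelling, case and spaces.
            near = [a for a in allowed if _fold(a) == _fold(ssid)]
            code = "SSID_NEAR_MISS" if near else "SSID_NOT_ALLOWED"
            findings.append((code, f"{ssid!r} vs allowed {near or allowed}"))
    if not policy.get("allow_configuring_wifi", True) and not profiles:
        # Users cannot add networks and none are pushed: no Wi-Fi at all.
        findings.append(("NO_PRECONFIGURED_SSID", "push a Wi-Fi profile first"))
    return findings

# Constructed sample input (hypothetical structure, not a MaaS360 export).
POLICY = {
    "allowed_ssids": ["Corp-WiFi", "Corp Guest"],
    "min_security_level": WifiLevel.ENTERPRISE_EAP,
    "allow_configuring_wifi": False,
}
PROFILES = [
    {"ssid": "Corp-WiFi", "security_level": WifiLevel.ENTERPRISE_EAP},
    {"ssid": "corp guest", "security_level": WifiLevel.PERSONAL},
]

if __name__ == "__main__":
    for code, detail in review_policy(POLICY, PROFILES):
        print(code, detail)
```

With the sample input, the second profile is flagged twice: its security level is below the planned minimum, and its SSID differs from the allowed entry only in case.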
Key Benefits
The key benefits of the new policies are as follows.
- Enhanced Security. Limiting network connections based on SSID or security level reduces exposure to unsecured networks and potential data risks.
- Improved Network Control. Administrators can enforce strict Wi-Fi policies, ensuring that only authorized networks are accessible.
- Better User Experience. Preventing manual Wi-Fi configuration changes or tethering keeps users focused on approved connectivity options.
- Compliance Support. Enforcing security levels like WPA3-Enterprise ensures adherence to industry standards and corporate security policies.
Document Information
Modified date: 09 April 2025
UID: ibm17185535