Network settings

Use the network payload to configure network connections and specify settings for both Wi-Fi and Ethernet connections. For OS X, you can provide both Wi-Fi and Ethernet configurations.

Note: Use the network payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.

Wi-Fi settings

Use the Wi-Fi settings payload to set how the device connects to your wireless network. These settings must match the requirements of your network.

Setting

Description

Service Set Identifier

Enter the SSID of the wireless network to connect to.

Hidden Network

Specify whether the network that the device connects to is broadcasting its identity.

Auto Join

Specify whether to automatically join the network without notifying the user.

Proxy setup

If you choose Manual, you have to provide the proxy server settings. If you choose Automatic, enter the URL used to retrieve proxy settings or configure the DHCP server to provide the proxy settings.

For PAC (proxy auto-config) requirements, choose Automatic from the pop-up menu, then enter the URL of the PAC file—for example, https://www.example.com/filename.pac or http://www.example.com/filename.pac. Then decide if you want PAC Fallback enabled. This lets the user connect if the PAC is unreachable.

For Web Proxy Autodiscovery (WPAD) configurations, choose Automatic from the pop-up menu. If you leave the Proxy Server URL field empty, the device requests the wpad.dat file using DHCP (option 252) or DNS (an A record with the name WPAD).

Security Type (None or Any)

Select an authentication for the network:

  • None: The network doesn’t require authentication.

  • Any: The network requires WEP, WPA, or WPA2 authentication. The device won’t connect to non-authenticated networks.

Security Type (WEP)

Select a WEP authentication method for the network:

  • WEP: The network requires only WEP authentication.

  • Dynamic WEP: The network requires only WEP with 802.1X authentication.

Security Type (WPA)

Select a WPA authentication method for the network:

  • WPA/WPA2 Personal: The network requires only WPA authentication.

  • WPA/WPA2 Enterprise: The network requires only WPA with 802.1X authentication.

Note: This uses the WPA key in the payload. To use the WPA2 key, use WPA2 Personal or WPA2 Enterprise.

Security Type (WPA2)

Select a WPA2 authentication method for the network:

  • WPA2 Personal (iOS 8 or later and OS X Lion or later): The network requires only WPA2 authentication.

  • WPA2 Enterprise (iOS 8 or later and OS X Lion or later): The network requires only WPA2 with 802.1X authentication.

Note: This uses the WPA2 key in the payload. To add the WPA key, use WPA/WPA2 Personal or WPA/WPA2 Enterprise.

Password

Enter the password for joining the wireless network, if applicable. If you leave this blank and the network requires a password, the user is asked to enter it the first time a connection is established. The per-connection password option prevents caching of the user’s password.
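
The following added example (not Profile Manager code) audits the Wi-Fi settings described in the table above once they are exported as a configuration profile: security type, PAC URL scheme, PAC fallback, and WPAD. The plist key names (SSID_STR, EncryptionType, ProxyType, ProxyPACURL, ProxyPACFallbackAllowed) are the keys of the com.apple.wifi.managed payload and do not appear on this page; the sample profile is constructed.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile with one Wi-Fi payload; key names are those of
# the com.apple.wifi.managed payload, values are made up for illustration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>ExampleCorp</string>
  <key>AutoJoin</key><true/>
  <key>EncryptionType</key><string>Any</string>
  <key>ProxyType</key><string>Auto</string>
  <key>ProxyPACURL</key><string>http://www.example.com/filename.pac</string>
  <key>ProxyPACFallbackAllowed</key><true/>
 </dict></array>
</dict></plist>"""

# Security types that allow a connection weaker than WPA/WPA2.
ENCRYPTION_NOTES = {
    "None": "open network, no authentication",
    "Any": "accepts WEP as well as WPA/WPA2",
    "WEP": "WEP only",
}

def audit_wifi(payload):
    """Return (setting, note) findings for one Wi-Fi payload dict."""
    findings = []
    enc = payload.get("EncryptionType", "Any")  # Apple documents Any as the default
    if enc in ENCRYPTION_NOTES:
        findings.append(("EncryptionType", ENCRYPTION_NOTES[enc]))
    if payload.get("ProxyType") == "Auto":
        pac = payload.get("ProxyPACURL", "")
        if not pac:
            findings.append(("ProxyPACURL", "empty: WPAD via DHCP option 252 or DNS name WPAD"))
        elif urlsplit(pac).scheme.lower() != "https":
            findings.append(("ProxyPACURL", "PAC file is not fetched over HTTPS"))
        if payload.get("ProxyPACFallbackAllowed") is True:
            findings.append(("ProxyPACFallbackAllowed", "direct connection when PAC is unreachable"))
    return findings

def audit_profile(data):
    """Map each Wi-Fi payload's SSID to its findings."""
    profile = plistlib.loads(data)
    return {p.get("SSID_STR", "<no SSID>"): audit_wifi(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"}
```
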

Wi-Fi and Ethernet enterprise settings

For Mac computers, you can configure both Wi-Fi and Ethernet EAP settings. These settings must match the requirements of your network. Indicate if the connection should be initiated after the user logs in (OS X only), or if it’s a system setting that is active at all times.

For 802.1X configurations, select the authentication protocols and certificates for your network connection.

Profile Manager supports the following 802.1X authentication methods for WPA Enterprise and WPA2 Enterprise networks:

  • IKEv2

  • EAP-TLS

  • EAP-TTLS (MSCHAPv2)

  • EAP-FAST

  • EAP-AKA

  • PEAPv0 (EAP-MSCHAPv2, the most common form of PEAP)

  • PEAPv1 (EAP-GTC, less common and created by Cisco)

  • LEAP

Mac computers detect WPA/WPA2 Enterprise LEAP, EAP-FAST, EAP-TTLS (MS-CHAPv2), and PEAP v0 and v1 on Ethernet and wireless networks. For EAP-TLS authentication without a network payload, install the necessary identity certificates and tell users to select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.

You can join dynamic WEP Enterprise (802.1X WEP) networks on Mac computers by choosing Join Other Network from the Wi-Fi menu. To join these types of networks automatically, install a network payload that specifies WEP Enterprise as the security type.

EAP settings

In the Protocols pane, you specify which EAP methods to use for authentication. You can select multiple EAP methods. The user name, password, and outer identity are used for all methods.

For TTLS, LEAP, PEAP, and EAP-FAST, if you choose directory authentication, the credentials for the directory login are used to authenticate.

In the Trust pane, you specify which certificates should be trusted to validate the authentication server for the network connection. The Trusted Certificates list shows certificates added using the certificates payload. Add the names of the trusted authentication servers to the Trusted Server Certificates Names list. You can specify a particular server, such as server.example.com, or a partial name such as *.example.com.

For device configuration profiles, you must provide the trusted certificates necessary to authenticate the connection.

When you create a profile for a user, the settings are for 802.1X user mode. When you create a profile for a device, the settings are for system mode or login window mode.
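
The following added example (not Profile Manager code) checks the Protocols and Trust pane settings of an enterprise Wi-Fi payload: which EAP methods are accepted, whether trusted certificates and server names are set, and what a partial name such as *.example.com ends up matching. The key names (EAPClientConfiguration, AcceptEAPTypes, PayloadCertificateAnchorUUID, TLSTrustedServerNames) and EAP type numbers are not on this page; the payloads are constructed, and the shell-style wildcard match is an assumption that approximates how partial names are compared.

```python
from fnmatch import fnmatchcase

TLS_BASED = {13, 21, 25, 43}  # EAP-TLS, EAP-TTLS, PEAP, EAP-FAST
LEAP = 17

# Constructed payloads, shaped as plistlib would load them from a profile.
WEAK = {"SSID_STR": "ExampleCorp", "EncryptionType": "WPA2",
        "EAPClientConfiguration": {"AcceptEAPTypes": [25, LEAP]}}
PINNED = {"SSID_STR": "ExampleCorp", "EncryptionType": "WPA2",
          "EAPClientConfiguration": {
              "AcceptEAPTypes": [13],
              # Placeholder UUID of a certificate payload in the same profile.
              "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000001"],
              "TLSTrustedServerNames": ["server.example.com"]}}

def audit_eap_trust(payload):
    """Return findings for the Protocols and Trust settings of one payload."""
    eap = payload.get("EAPClientConfiguration", {})
    types = set(eap.get("AcceptEAPTypes", []))
    anchors = eap.get("PayloadCertificateAnchorUUID", [])
    names = eap.get("TLSTrustedServerNames", [])
    findings = []
    if LEAP in types:
        findings.append("LEAP accepted: it does not use TLS, so trust settings do not cover it")
    if types & TLS_BASED:
        if not anchors:
            findings.append("no trusted certificates selected for the authentication server")
        if not names:
            findings.append("no trusted server certificate names listed")
        findings += [f"partial name {n!r} trusts every matching host"
                     for n in names if "*" in n]
    return findings

def name_is_trusted(server_name, trusted_names):
    """Case-insensitive shell-style match (assumed approximation of the profile's matching)."""
    return any(fnmatchcase(server_name.lower(), t.lower()) for t in trusted_names)
```
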

Passpoint settings

Passpoint settings permit the device to automatically connect to specified Passpoint Wi-Fi networks. The settings in the following table must match the requirements of the Passpoint network:

Setting

Description

Provider Display Name (required)

Enter the name you want displayed for the Passpoint network.

Domain Name (required)

Enter the fully qualified domain name (FQDN) of the Passpoint service provider.

Roaming Consortium OIs

Enter a series of digits corresponding to one of the service provider’s Passpoint networks.

Network Access Identifier (NAI) Realm Names

Enter the known NAI realm names.

Mobile Country Code (MCC) and Mobile Network Configurations (MNC)

Enter the digital codes for both the MCC and the MNC.

Connect to roaming partner Passpoint networks

Specify whether to connect to additional Passpoint networks pre-approved by the service provider.

Security Type

Select an authentication method for the network. Connections are allowed only to networks that support the type you select. You can choose:

  • WEP

  • WEP Enterprise (802.1X WEP)

  • WPA/WPA2 (Personal or Enterprise)

Choose Any to permit connections to networks that support any of the supported protocols.

Password

Enter the password for joining the Passpoint network, if applicable. If you leave this blank and the network requires a password, the user is asked to enter it the first time a connection is established. The per-connection password option prevents caching of the user’s password.

Additional options include the ability to search for hidden networks, automatically join networks, and add proxy information.

You can add network configurations by clicking the add payload button.