Kaspersky Secure Mobility Management

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

In this section

Connecting Android devices to a Wi-Fi network

Connecting iOS MDM devices to a Wi-Fi network

Connecting Android devices to a Wi-Fi network

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To connect a mobile device to a Wi-Fi network:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the Wi-Fi card, click Settings.

    The Wi-Fi window opens.

  5. Enable the settings using the Wi-Fi toggle switch.
  6. Click Add.

    The Add Wi-Fi network window opens.

  7. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  8. Select the Connect automatically check box if you want Android devices to automatically connect to the Wi-Fi network.
  9. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device.

    In this case, to connect to the network the user needs to manually enter the service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

  10. In the Protection section, select the type of Wi-Fi network security (open network or secure network protected with the WEP, WPA2 PSK, or 802.1.x EAP protocol).

    The 802.1.x EAP security protocol is supported only in Kaspersky Endpoint Security for Android 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

  11. If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method for network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Method for uploading root certificate

      Specifies the way you want to upload a root certificate. Possible values:

      • From the list of root certificates – Lets you select any available certificate from the drop-down list.
      • From file – Lets you upload a certificate file from your computer.
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • Not selected – The user certificate is not specified.
      • User certificates – The VPN certificates that were added in the Certificates section and installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • SCEP profiles – SCEP certificate profiles configured in the SCEP and NDES settings and used to obtain certificates.
    • Domain name

      Specifies the constraint for the server domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement for the root certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any root certificate is considered valid. This value is specified by default.

    • Two-factor authentication type

      Specifies a two-factor authentication type. Possible values:

      • Not selected (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User ID

      Specifies a user ID to be used to connect to the Wi-Fi network.

    • Anonymous ID

      Specifies an anonymous identity that is different from the user identity and is used if the PEAP or TTLS method of network authentication is selected.

    • Password

      Specifies a password for accessing the wireless network. The password will be sent in a QR code.

      Do not send a password for a confidential Wi-Fi network that should not be publicly available. The password is transmitted unencrypted along with other data to configure the device.

  12. In the Password field, set a network access password if you selected a secure network at step 10.
  13. On the Additional settings tab, select the Use a proxy server check box if you want to use a proxy server to connect to the Wi-Fi network.
  14. If you selected Use a proxy server, in the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android 8 or later, proxy server settings for Wi-Fi cannot be redefined with a policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

  15. In the Do not use proxy server for the specified addresses field, add web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android 8 or later, excluding web addresses from the proxy server does not work.

  16. Click Add.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear in the saved networks list on these devices.

    On corporate devices and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

  17. Click OK.
  18. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On devices running Android 10 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.
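
The Domain name constraint from step 11, worked through as an added example (not Kaspersky's code). It assumes the label-by-label suffix comparison that Android documents for WifiEnterpriseConfig.setDomainSuffixMatch; the function names and sample dNSName values are constructed for illustration.

```python
"""Added example: evaluating a 'Domain name' constraint value (semantics assumed)."""

def _labels(name):
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.strip().lower().rstrip(".").split(".")

def suffix_matches(pattern, dns_name):
    """Label-wise suffix match: every label of pattern must end dns_name."""
    want, have = _labels(pattern), _labels(dns_name)
    if "" in want or len(have) < len(want):
        return False
    return have[-len(want):] == want

def _patterns(setting):
    # The field accepts several match strings separated by semicolons.
    return [p.strip() for p in setting.split(";") if p.strip()]

def domain_constraint_met(setting, san_dns_names):
    """True if any match string is satisfied by any dNSName (OR logic)."""
    patterns = _patterns(setting)
    if "*" in patterns:
        return True  # per the page, "*" accepts any certificate
    return any(suffix_matches(p, n) for p in patterns for n in san_dns_names)

def audit_setting(setting):
    """Return findings for values that constrain little or nothing."""
    findings = []
    for p in _patterns(setting):
        if p == "*":
            findings.append("wildcard")
        elif len(_labels(p)) == 1:
            findings.append("single-label:" + p.lower())
    return findings

if __name__ == "__main__":
    # Constructed dNSName lists; none come from a real certificate.
    radius = ["radius.corp.example.com"]
    lookalike = ["radius.corp-example.com"]
    for setting, names in [("corp.example.com", radius),
                           ("example.com", lookalike),
                           ("example.org; corp.example.com", radius),
                           ("*", lookalike)]:
        print(setting, names, domain_constraint_met(setting, names),
              audit_setting(setting))
```

A value of * or a single label such as com leaves the server identity effectively unchecked, so audit_setting flags both.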

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you must configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Wi-Fi card, click Settings.

    The Wi-Fi window opens.

  5. Enable the settings using the Wi-Fi toggle switch.
  6. Click Add.

    The Add Wi-Fi network window opens.

  7. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  8. If you want iOS MDM devices to automatically connect to the Wi-Fi network, select the Connect automatically check box.

    If you disable automatic connection to an existing Wi-Fi network in the policy settings, you will not be able to enable automatic connection to this network again. This is due to an issue known to Apple.

  9. If you don't want iOS MDM devices to connect to Wi-Fi networks requiring preliminary authentication (captive networks), select the Bypass captive portal check box.

    To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

  10. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden network check box.

    In this case, to connect to the network the user needs to manually enter the service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

  11. If you want iOS MDM devices to use static MAC addresses when they connect to the Wi-Fi network, select the Disable MAC address randomization check box.
  12. In the Protection section, select the type of Wi-Fi network security (open network or secure network protected with the WEP, WPA, WPA2, or WPA3 protocol).

    On devices running iOS 15 or earlier, selecting WPA, WPA2, or WPA3 is identical and lets you connect to any network protected using WPA.

    • Open network. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).

      WEP protection is available on devices running iOS 5 or later.

    • WPA. The network is protected using the WPA (Wi-Fi Protected Access) or WPA2 protocol.
    • WPA2. The network is protected using the WPA2 or WPA3 protocol.
    • WPA3. The network is protected using the WPA3 protocol.
    • Personal network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (corporate network). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA (corporate network). The network is protected using the WPA or WPA2 encryption protocol with the use of the 802.1X protocol.
    • WPA2 (corporate network). The network is protected using the WPA2 or WPA3 encryption protocol with the use of one key shared by all users (802.1X).
    • WPA3 (corporate network). The network is protected using the WPA3 encryption protocol with the use of one key shared by all users (802.1X).
    • Corporate network (any). The network is protected using the WEP, WPA, WPA2, or WPA3 protocol depending on the type of Wi-Fi router. Authentication is performed using a single encryption key shared by all users.

    If you have selected any of the corporate network options, in the EAP protocol section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

  13. In the Authentication section, configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    2. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

      The user ID is designed to make the authentication process more secure, since the user name is not displayed openly, but rather transmitted via an encrypted TLS tunnel.

    3. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    4. If you want the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network.
    6. In the Minimum TLS version drop-down list, select the minimum allowed TLS version.
    7. In the Maximum TLS version drop-down list, select the maximum allowed TLS version.
  14. If necessary, on the Additional settings tab, configure the settings for connecting to the Wi-Fi network via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
        • Select Automatic.
        • In the PAC file URL field, specify the URL of the proxy PAC file.
        • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
        • Select Manual.
        • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number.
        • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
        • In the Password field, specify the password for the connection to the proxy server.
  15. Click Add.

    The new Wi-Fi network is displayed in the list.

  16. Click OK.
  17. Click Save to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the selected authentication method.
