22.7 Distributing Corporate Wi-Fi Settings

A Wi-Fi Profile bundle enables deployment of wireless network settings to managed devices or users. Deploying these Wi-Fi configurations makes it easier for users to connect to the corporate Wi-Fi. The Wi-Fi Profile bundle enables devices to connect to corporate networks, even if the Wi-Fi is hidden, encrypted or password protected.

For example, if you have a corporate Wi-Fi network that should connect only to Android devices, then create a Wi-Fi Profile bundle, which includes all the necessary settings to connect to the wireless network. Deploy the bundle to all Android devices in your management zone. Users with Android devices can readily connect to the corporate network.

22.7.1 Creating a Wi-Fi Profile bundle

IMPORTANT:

  • In an Android device, if a Wi-Fi profile with an SSID is already installed by another user or a third-party app, then another profile with the same SSID cannot be installed on the device. As a workaround, you need to remove the existing Wi-Fi profile, and then reassign the Wi-Fi Profile bundle to the device.

  • In an iOS device, multiple bundles with the same SSID can be installed.

  1. In ZENworks Control Center, click Bundles.

  2. In the Bundles page, click New, and then select Bundles.

  3. In the Select Bundle type page, select Corporate Bundle, and then select Wi-Fi Profile.

  4. Specify the bundle details, and then click Next.

  5. In the Specify Network Identity page, specify the required network details, and then click Next. For more information on the settings on this page, see Network Identity.

  6. In the Specify Security information page, select the Security Type. Specify the required information, and then click Next. For more information on the settings on this page, see Security Information.

  7. In the Trust Certificates page, you can upload a certificate that will be used for communication between the devices and the Wi-Fi router. Specify the required information, and then click Next. For more information on the settings on this page, see Trust Certificates.

  8. In the Summary page, review all the updated information and then click Finish.

  9. (Optional) Select the Create as Sandbox option to create a sandbox-only version of the bundle.

  10. (Optional) Select the Define Additional Properties option, which will display additional details of the bundle. For more information on the Details page, see Managing the Wi-Fi Profile Bundle.

Network Identity

Specify the following network identifiers:

  • Service Set Identified (SSID): Specify a unique identifier that the wireless networking devices use to establish and maintain wireless connectivity.

  • Hidden Network: Select this option if the network access is not broadcast.

  • Auto Join: Select this option if devices should automatically join the Wi-Fi network. If this option is not selected, users must select the network name on the device to join the network.

  • Disable Captive Network Detection: Select this option to bypass the Captive network detection when the device connects to the network.

Security Information

Depending on the selected Security Type, the relevant fields are displayed. The Security Type field has the following options:

  • None: Select this option, if you do not want to specify any security information for the Wi-Fi profile.

  • Enterprise: Select this option, if you are configuring an Wi-Fi profile for an enterprise. For more information see Enterprise.

  • Personal: Select this option, if you are configuring an Wi-Fi profile for personal use. For more information see Personal.

Enterprise

If Enterprise is selected as the Security Type, then following fields are displayed:

  • Encryption Type: Select the encryption type that can be used to encrypt this network. Possible values are WEP, WPA, and WPA2. Depending on the network access point, select the required encryption type.

  • EAP Type: Select the EAP types that can be used to access this network. Depending on your network configuration, select any one EAP Type.

    Following are the available EAP Types:

    • TTLS

    • EAP-FAST

    • PEAP

    • LEAP

    • EAP-SIM

    • EAP-AKA

    • PWD

    • AKA-PRIME

Depending on the selected EAP type, one of the following fields are displayed:

  • User Name: Specify the user name required to access the network. If the user name field is not specified, then the user will be prompted for the user name while accessing the network.

  • Password: : Specify the password to access the network. If the password field is not specified, the device user will be prompted for the password.

  • Use Per-Connection Password: Select this option to prompt the user for a password for each connection. When the device rejoins the same network, the device user will be prompted to re-authenticate.

  • Inner Authentication: Select the protocol used to authenticate the user name and password (None, CHAP, MSCHAP, MSCHAPv2, PAP, EA or GTC). The None option is valid only for Android devices.

  • Outer Identity: Specify an alternate user name to be used outside the encrypted tunnel to conceal the user’s identity.

  • Minimum TLS Version: Specify the minimum TLS version. By default, Minimum TLS Version is 1.0.

  • Maximum TLS Version: : Specify the maximum TLS version. By default, Maximum TLS Version is 1.2.

  • Use PAC: Select this option to use Protect Access Credentials (PAC).

    PACs are strong shared secrets that enable EAP-FAST end-user clients to authenticate each other and establish a TLS tunnel.

  • Provision PAC: If this option is selected, then a new PAC is sent to the end-user client over a secured network connection. Automatic PAC provisioning requires no intervention of the network user or administrator, provided the server and the end-user client are configured to support automatic provisioning.

  • Provision PAC Anonymously: If this option is selected, the administrator should generate PAC files, which must then be distributed to the applicable network users. Users must configure end-user clients with the PAC files.

  • Allow two RANDs: Number of expected RANDs for EAP-SIM. Select the check box to use 2 RANDs for network security.

Personal

If Personal is selected as the Security Type, then the following fields are displayed:

  • Password: Specify the password to access the network. If the password field is not specified, then the device user will be prompted for the password.

IMPORTANT:: Based on the Android versions of the devices, ensure that you specify a password that meets the minimum requirements:

  • Android 6, 7 and 8 (Oreo): Minimum password length is 7 characters.

  • Android 9 (Pie): Minimum password length is 8 characters.

If the password length does not meet the Android operating system requirements, the bundle installation might fail on the device.

Trust Certificates

In this section, you can either upload a trust certificate, or add a certificate name that is already approved by the Certificate Authority.

Trust Certificate

In this section, you can upload any number of certificates that will be used to communicate between devices and the Wi-Fi router.

To upload a trust certificate:

  1. Click Add, in the Add Trust Certificate pop-up, and then click Browse.

  2. In the File Upload dialog box, select the required certificate file.

Trusted Server Certificate Names

In this section, you can add a trusted certificate that is already approved by the Certificate Authority.

  • To add a trusted certificate name, click Add, specify the certificate name, and then click OK.

IMPORTANT:On Android 5 (Lollipop) and 6 (Marshmallow) devices:

  • Only one certificate can be installed on the device.

  • The binary encoded certificate (DER format) is not supported.

If a certificate is installed on the device, it cannot be removed, but can be replaced with another certificate.

22.7.2 Managing the Wi-Fi Profile Bundle

After creating a bundle, based on requirements, you can modify the bundle. For more information, see Viewing the Bundle Informationin the ZENworks Software Distribution Reference.

Details

In the Details tab, you can modify the following settings:

Proxy

In this section, configure the proxy server that should be used with this network. Depending on the selected Proxy Setup, the relevant fields are displayed.

  • None: If the Proxy Setup is selected as None, then no field is displayed.

  • Manual: If the Proxy Setup is selected as Manual, then following fields are displayed:

    • Server and Port: Specify the proxy server address and port number.

    • User Name: Specify the user name to access the proxy server.

    • Password: Specify the password for the proxy server.

  • Automatic: If the Proxy Setup is selected as Automatic, then the following fields are displayed:

    • Proxy URL: Specify the fully-qualified URL to retrieve proxy settings.

  • Allow direct connection if PAC is unreachable: Select this option if you want to allow users to connect directly to the destination when the PAC file is unreachable.

IMPORTANT:

  • On Android 5 (Lollypop), 6 (Marshmallow), and 7 (Nougat) devices, proxy is not supported.

  • On Android 8 and above, Manual proxy is not supported.