If 'true', the device treats the network as a hotspot.
Depends on: PFC_InterfaceSelector
false
—
SSID_STR
string
Service Set Identifier (SSID)
The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is optional if a value exists for 'DomainName'.
Depends on: PFC_InterfaceSelector; DomainName not set
—
—
HIDDEN_NETWORK
boolean
Hidden Network
If 'true', defines this network as hidden.
false
—
AutoJoin
boolean
Auto Join
If 'true', the device joins the network automatically.
If 'false', the user must tap the network name to join it.
true
—
CaptiveBypass
boolean
Disable Captive Network Detection
If 'true', the system bypasses Captive Network detection when the device connects to the network.
false
—
DisableAssociationMACRandomization
boolean
Disable MAC address randomization during association
If 'true', disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections.
If 'false', then the system enables MAC address randomization on iOS, watchOS, and visionOS.
This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it.
false
—
EnableIPv6
boolean
Enable IPv6
If 'true', enables IPv6 on this interface.
true
—
ProxyType
string
Proxy Type
The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port, and optionally a user name and password for the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL.
"None"
ProxyServer
string
Proxy Server
The proxy server's network address.
Depends on: ProxyType ∈ [Manual]; ProxyType
—
—
ProxyServerPort
integer
Proxy Server Port
The proxy server's port number.
Depends on: ProxyType ∈ [Manual]; ProxyType
—
ProxyUsername
string
Proxy Username
The user name used to authenticate to the proxy server.
—
—
ProxyPassword
string
Proxy Password
The password used to authenticate to the proxy server.
—
—
ProxyPACURL
string
Proxy PAC URL
The URL of the PAC file that defines the proxy configuration.
—
—
ProxyPACFallbackAllowed
boolean
Proxy PAC Fallback Allowed
If 'true', allows connecting directly to the destination if the PAC file is unreachable.
false
—
EncryptionType
string
Encryption Type
The encryption type for the network.
If set to anything except 'None', the payload may contain the following three keys: 'Password', 'PayloadCertificateUUID', or 'EAPClientConfiguration'.
As of iOS 16, tvOS 16, watchOS 9, and macOS 13:
- 'WPA' allows joining WPA or WPA2 networks
- 'WPA2' allows joining WPA2 or WPA3 networks
- 'WPA3' allows joining WPA3 networks only
- 'Any' allows joining WPA, WPA2, WPA3, and WEP networks
Prior to iOS 16, tvOS 16, and watchOS 9, specifying 'WPA', 'WPA2', and 'WPA3' were equivalent and would allow joining any WPA network.
Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly.
"Any"
Password
string
Password
The password for the access point.
—
—
DisplayedOperatorName
string
Displayed Operator Name
The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points.
Depends on: PFC_InterfaceSelector ∈ [Hotspot2]
—
—
DomainName
string
Domain Name
The primary domain of the tunnel.
Depends on: PFC_InterfaceSelector ∈ [Hotspot2]
—
—
ServiceProviderRoamingEnabled
boolean
Roaming Enable
If 'true', allows connection to roaming service providers.
false
—
RoamingConsortiumOIs
array
Roaming OIs
An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation.
—
—
NAIRealmNames
array
Realm Names
An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation.
—
—
MCCAndMNCs
array
MCC/MNCs
An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits.
—
—
HESSID
string
Homogeneous Extended Service Set Identifier (HESSID)
The HESSID used for Wi-Fi Hotspot 2.0 negotiation.
—
—
SetupModes
array
EAP Setup Modes
An array of strings that contain the type of connection mode to attach.
—
—
EAPClientConfiguration
dict
EAP Client Configuration
The enterprise network configuration.
—
—
QoSMarkingPolicy
dict
QoS Marking Policy
A dictionary that contains the list of apps that the system allows to benefit from L2 and L3 marking. When this dictionary isn't present, the system allows all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane.
—
—
PayloadCertificateUUID
string
Certificate UUID
The UUID of the certificate payload within the same profile to use for the client credential.
Depends on: EAPClientConfiguration.AcceptEAPTypes
—
—
TLSCertificateRequired
boolean
Certificate Required
If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS.
false
—
RoamingConsortiumOI
string
—
—
—
—
NAIRealmName
string
—
—
—
—
MCCAndMNC
string
—
—
—
—
SetupModesItem (required)
string
Setup Mode
A type of connection mode.
—
AcceptEAPTypes (required)
array
Accept EAP Types
The EAP types that the system accepts. Allowed values:
- '13': EAP-TLS
- '17': LEAP
- '18': EAP-SIM
- '21': EAP-TTLS
- '23': EAP-AKA
- '25': PEAPv0/v1
- '43': EAP-FAST
For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.
—
—
UserName
string
Username
The user name for the account. If you don't specify a value, the system prompts the user during login.
—
—
UserPassword
string
Password
The user's password. If you don't specify a value, the system prompts the user during login.
Depends on: EAPClientConfiguration.AcceptEAPTypes; EAPClientConfiguration.OneTimeUserPassword
—
—
OneTimeUserPassword
boolean
Per-Connection Password
If 'true', the user receives a prompt for a password each time they connect to the network.
false
—
PayloadCertificateAnchorUUID
array
Certificate Anchor UUID
An array of the UUID of each certificate payload in the same profile to trust for authentication. Use this key to prevent the device from asking the user whether to trust the listed certificates. Dynamic trust (the certificate dialogue) is in a disabled state if you specify this property without also enabling 'TLSAllowTrustExceptions'.
—
—
TLSTrustedServerNames
array
TLS Trusted Server Names
The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it.
If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'.
If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'.
—
—
TLSAllowTrustExceptions
boolean
Allow Trust Exceptions
If 'true', allows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when the system doesn't trust a certificate.
If 'false', the authentication fails if the system doesn't already trust the certificate.
As of iOS 8, Apple no longer supports this key.
true
—
TTLSInnerAuthentication
string
TTLS Inner Authentication
The inner authentication that the TTLS module uses.
Depends on: EAPClientConfiguration.AcceptEAPTypes
"MSCHAPv2"
OuterIdentity
string
Outer Identity
A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. For example, you might set this to anonymous or anon, or anon@mycompany.net. It can increase security because an attacker can't see the authenticating user's name in the clear.
This key is only relevant to TTLS, PEAP, and EAP-FAST.
This field is required if 'TLSMinimumVersion' is '1.3'.
Depends on: EAPClientConfiguration.TLSMinimumVersion ∈ [1.3]
—
—
TLSMinimumVersion
string
TLS Minimum Version
The minimum TLS version for EAP authentication.
"1.0"
TLSMaximumVersion
string
TLS Maximum Version
The maximum TLS version for EAP authentication.
"1.2"
EAPFASTUsePAC
boolean
Use PAC
If 'true', the device uses an existing PAC if it's present. Otherwise, the server must present its identity using a certificate.
false
—
EAPFASTProvisionPAC
boolean
Provision PAC
If 'true', allows PAC provisioning.
This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there's no other way to provision a PAC.
Depends on: EAPClientConfiguration.AcceptEAPTypes; EAPClientConfiguration.EAPFASTUsePAC ∈ [true]
false
—
EAPFASTProvisionPACAnonymously
boolean
Provision PAC Anonymously
If 'true', provisions the device anonymously. Note that there are known machine-in-the-middle attacks for anonymous provisioning.
false
—
EAPSIMNumberOfRANDs
integer
Allow Two RANDs
The minimum number of RAND values to accept from the server.
For use with EAP-SIM only.
3
SystemModeCredentialsSource
string
System Profile Credentials Source
Set this string to 'ActiveDirectory' to use the AD computer name and password credentials.
If using this property, you can't use 'SystemModeUseOpenDirectoryCredentials'.
—
SystemModeUseOpenDirectoryCredentials
boolean
Use OpenDirectory System Profile Credentials
If 'true', the system mode connection tries to use the Open Directory credentials.
If using this property, you can't use 'SystemModeCredentialsSource'.
false
—
TLSTrustedCertificates
array
TLS Trusted Certificates
An array of trusted certificates. Each entry in the array must contain certificate data that represents an anchor certificate used for verifying the server certificate.
—
—
TLSCertificateIsRequired
boolean
—
If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS.
If you don't specify a value, the default is 'true' for EAP-TLS, and 'false' for other EAP types.
false
—
EAPType
integer
EAP Type
An integer representing an EAP type, inside of the Accept EAP Types array.
—
CertificateAnchorUUID
string
Individual Certificate Anchor UUID
A UUID for a trusted certificate.
—
—
TLSTrustedServerName
string
Individual Trusted TLS Server Name
An item in the TLS Trusted Server Names array representing a Common Name of a server certificate.
—
—
TLSTrustedCertificatesItem (required)
string
—
A certificate identifier.
—
—
QoSMarkingEnabled
boolean
Allow QoS marking
If 'true', disables L3 marking and only uses L2 marking for traffic that goes to the Wi-Fi network.
If 'false', the system behaves as if Wi-Fi doesn't have an association with a Cisco QoS fast lane network.
true
—
QoSMarkingAppleAudioVideoCalls
boolean
QoS marking for audio or video calls
If 'true', adds audio and video traffic of built-in audio or video services, such as FaceTime and Wi-Fi Calling, to the allow list for L2 and L3 marking for traffic that goes to the Wi-Fi network.
true
—
QoSMarkingAllowListAppIdentifiers
array
Allowlisted App Identifiers
An array of app bundle identifiers that defines the allow list for L2 and L3 marking for traffic that goes to the Wi-Fi network. If the array isn't present, but the 'QoSMarkingPolicy' key is present — even empty — no apps can use L2 and L3 marking.
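
An added example, not part of the original reference or of Apple's tooling: a small linter that parses a Wi-Fi payload and returns the keys documented above whose set or default value weakens the network. The sample payload is constructed, and the TLS 1.2 floor and the choice of flagged keys are assumptions of this example.

```python
import plistlib

# Constructed sample Wi-Fi payload (not from the page or any real deployment).
SAMPLE = b"""<plist version="1.0"><dict>
  <key>SSID_STR</key><string>corp-example</string>
  <key>EncryptionType</key><string>Any</string>
  <key>DisableAssociationMACRandomization</key><true/>
  <key>ProxyPACFallbackAllowed</key><true/>
  <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>25</integer><integer>17</integer></array>
    <key>TLSAllowTrustExceptions</key><true/>
  </dict>
</dict></plist>"""

TUNNELED = {21, 25, 43}  # EAP-TTLS, PEAP, EAP-FAST: the types OuterIdentity applies to
PINS = ("TLSTrustedServerNames", "PayloadCertificateAnchorUUID", "TLSTrustedCertificates")
MIN_TLS = 1.2  # assumption of this example: treat anything lower as a finding


def audit_wifi_payload(p: dict) -> list[str]:
    """Return keys whose effective value (set or documented default) needs review."""
    out = []
    if p.get("EncryptionType", "Any") in ("Any", "None"):  # "Any" also admits WEP and WPA
        out.append("EncryptionType")
    if p.get("DisableAssociationMACRandomization", False):  # reduced privacy protections
        out.append("DisableAssociationMACRandomization")
    if p.get("ProxyPACFallbackAllowed", False):  # direct connection if PAC is unreachable
        out.append("ProxyPACFallbackAllowed")
    eap = p.get("EAPClientConfiguration")
    if eap is None:
        return out
    types = set(eap.get("AcceptEAPTypes", []))
    if 17 in types:  # LEAP is accepted
        out.append("AcceptEAPTypes")
    if not any(eap.get(k) for k in PINS):  # profile pins no anchor and no server name
        out.append("TLSTrustedServerNames")
    if eap.get("TLSAllowTrustExceptions") is True:  # user may accept an untrusted cert
        out.append("TLSAllowTrustExceptions")
    if float(eap.get("TLSMinimumVersion", "1.0")) < MIN_TLS:  # documented default "1.0"
        out.append("TLSMinimumVersion")
    if types & TUNNELED and not eap.get("OuterIdentity"):  # real user name in the clear
        out.append("OuterIdentity")
    if eap.get("EAPFASTProvisionPACAnonymously", False):  # page notes known MITM attacks
        out.append("EAPFASTProvisionPACAnonymously")
    return out


if __name__ == "__main__":
    for key in audit_wifi_payload(plistlib.loads(SAMPLE)):
        print("review:", key)
```

A payload that sets 'EncryptionType' to 'WPA3', accepts only EAP type 13, lists 'TLSTrustedServerNames' and sets 'TLSMinimumVersion' to '1.2' returns an empty list.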