Wi-Fi¶
Warning
The profile cannot be installed if your machine does not have a Wi-Fi AirPort adapter. USB Adapters do not qualify, so you may have issues testing in a Virtual Machine. This is because it uses CoreWLAN to make the settings and CoreWLAN will only return AirPort devices.
Contents
Summary¶
PayloadType: | com.apple.wifi.managed |
---|---|
Supervised Only: | |
N/A | |
macOS: | N/A |
macOS Deprecated: | |
N/A | |
iOS: | N/A |
iOS Deprecated: | N/A |
Highlander: | N/A |
Keys¶
SSID_STR¶
SSID
SSID of the Wi-Fi network to be used
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
- In iOS 7.0 and later, this is optional if a DomainName value is provided
HIDDEN_NETWORK¶
Hidden
If set, assumes the network is hidden. Otherwise the device will use broadcast SSID to identify the network.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
AutoJoin¶
Auto Join
Automatically join the network
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | True | N/A | N/A | 5.0 | N/A | N/A |
CaptiveBypass¶
Disable Captive Network Detection
Do not show the captive network sheet
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | 10.0 | N/A | N/A |
EncryptionType¶
Encryption Type
Wireless network encryption to use when connecting. The None value is available in iOS 5.0 and later and the WPA2 value is available in iOS 8.0 and later.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | None | always | N/A | 4.0 | N/A | N/A |
Valid Choices¶
- WEP
- WPA
- WPA2
- Any
- None
Password¶
Password
Specifies the password for the access point
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
PayloadCertificateUUID¶
Certificate UUID
UUID of the certificate payload containing an identity used as the client credential
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ | N/A | N/A | N/A |
TLSCertificateRequired¶
Certificate Required
If set, force a non-default authentication method. (if YES, uses certificate from PayloadCertificateUUID)
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | 7.0 | N/A | N/A |
Keys (HotSpot)¶
IsHotspot¶
Is Hotspot
Is a legacy or Hotspot 2.0 network
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | always | N/A | 7.0 | 10.9 | N/A |
DomainName¶
Domain Name
HotSpot 2.0 domain name
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | 7.0 | 10.9 | N/A |
DisplayedOperatorName¶
Displayed Operator Name
HotSpot 2.0 operator name
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | 7.0 | 10.9 | N/A |
ServiceProviderRoamingEnabled¶
Roaming Enable
HotSpot 2.0 allow roaming flag
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | 7.0 | 10.9 | N/A |
RoamingConsortiumOIs¶
Roaming OIs
HotSpot 2.0 organization identifiers
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 7.0 | 10.9 | N/A |
NAIRealmNames¶
Realm Names
HotSpot 2.0 NAI realm names
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 7.0 | 10.9 | N/A |
MCCAndMNCs¶
MCC/MNCs
HotSpot 2.0 MCC/MNCs
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | 7.0 | N/A | N/A |
Keys (802.1x)¶
EAPClientConfiguration¶
EAP Client Configuration
Specifies 802.1x EAP authentication parameters
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | N/A | N/A | N/A | N/A | N/A | N/A |
Name | Type | Title | Description | Required |
---|---|---|---|---|
AcceptEAPTypes | array | Accept EAP Types | The EAP types accepted | n/a |
UserName | string | Username | Username. If not provided, the user may be prompted during login | n/a |
UserPassword | string | Password | Password. If not provided, the user may be prompted during login | n/a |
OneTimeUserPassword | boolean | Per-Connection Password | If set, the user will be prompted for a password each time they connect to the network | n/a |
PayloadCertificateAnchorUUID | array | Certificate Anchor UUID | Array of UUIDs corresponding to the trusted certificates for this authentication | n/a |
TLSTrustedServerNames | array | TLS Trusted Server Names | Array of Common Names of server certificates that can be trusted. The wildcard * can be used to match a range of strings | n/a |
TLSAllowTrustExceptions | boolean | Allow Trust Exceptions | No longer supported in iOS 8 and later | n/a |
TTLSInnerAuthentication | string | TTLS Inner Authentication | Specifies the inner authentication used by the TTLS module | n/a |
OuterIdentity | string | Outer Identity | If TTLS, PEAP, or EAP-FAST is used, this string is used instead of the user’s identity outside the encrypted tunnel. This value can be used to mask the true identity of the person using the network | n/a |
SystemModeCredentialsSource | string | System Profile Credentials Source | Use an alternate set of credentials when in System mode (AKA not a loginwindow profile). This can be used to tell EAPOLClient to use the computer password in a bound active directory scenario for authentication. | n/a |
EAPFASTUsePAC | boolean | Use PAC | If set, the device will use an existing PAC if it’s present. Otherwise the server must present its identity using a certificate | n/a |
EAPFASTProvisionPAC | boolean | Provision PAC | If set, provisions the device | n/a |
EAPFASTProvisionPACAnonymously | boolean | Provision PAC Anonymously | If set, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning | n/a |
EAPSIMNumberOfRANDs | integer | Allow Two RANDs | The minimum number of RAND values accepted from the server. 3 is the default, and 2 is allowed, but offers less security. For use with EAP-SIM only. | n/a |
AcceptEAPTypes¶
Accept EAP Types
The EAP types accepted
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | N/A | N/A | N/A |
EAP Types values are as follows:
- 0
- Invalid kEAPTypeInvalid (internal use)
- 1
- Identity kEAPTypeIdentity
- 2
- Notification kEAPTypeNotification
- 3
- Nak kEAPTypeNak
- 4
- MD5 Challenge kEAPTypeMD5Challenge
- 5
- One Time Password kEAPTypeOneTimePassword
- 6
- Generic Token Card kEAPTypeGenericTokenCard
- 13
- Transport Layer Security (TLS) kEAPTypeTLS
- 17
- Cisco LEAP kEAPTypeCiscoLEAP
- 18
- EAP-SIM kEAPTypeEAPSIM
- 19
- SRP-SHA1 kEAPTypeSRPSHA1
- 21
- TTLS kEAPTypeTTLS
- 23
- EAP-AKA kEAPTypeEAPAKA
- 25
- PEAP kEAPTypePEAP
- 26
- MSCHAPv2 kEAPTypeMSCHAPv2
- 33
- Extensions kEAPTypeExtensions
- 43
- EAP-FAST kEAPTypeEAPFAST
- 50
- AKAPrime kEAPTypeEAPAKAPrime
UserName¶
Username
Username. If not provided, the user may be prompted during login
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
UserPassword¶
Password
Password. If not provided, the user may be prompted during login
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
OneTimeUserPassword¶
Per-Connection Password
If set, the user will be prompted for a password each time they connect to the network
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
PayloadCertificateAnchorUUID¶
Certificate Anchor UUID
Array of UUIDs corresponding to the trusted certificates for this authentication
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | N/A | N/A | N/A |
TLSTrustedServerNames¶
TLS Trusted Server Names
Array of Common Names of server certificates that can be trusted. The wildcard * can be used to match a range of strings
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
array | N/A | N/A | N/A | N/A | N/A | N/A |
TLSAllowTrustExceptions¶
Allow Trust Exceptions
No longer supported in iOS 8 and later
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | N/A | N/A | N/A |
TTLSInnerAuthentication¶
TTLS Inner Authentication
Specifies the inner authentication used by the TTLS module
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | MSCHAPv2 | N/A | N/A | N/A | N/A | N/A |
Valid Choices¶
- PAP
- EAP
- CHAP
- MSCHAP
- MSCHAPv2
OuterIdentity¶
Outer Identity
If TTLS, PEAP, or EAP-FAST is used, this string is used instead of the user’s identity outside the encrypted tunnel. This value can be used to mask the true identity of the person using the network
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
SystemModeCredentialsSource¶
System Profile Credentials Source
Use an alternate set of credentials when in System mode (AKA not a loginwindow profile). This can be used to tell EAPOLClient to use the computer password in a bound active directory scenario for authentication.
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
Valid Choices¶
- ActiveDirectory
EAPFASTUsePAC¶
Use PAC
If set, the device will use an existing PAC if it’s present. Otherwise the server must present its identity using a certificate
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
EAPFASTProvisionPAC¶
Provision PAC
If set, provisions the device
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
EAPFASTProvisionPACAnonymously¶
Provision PAC Anonymously
If set, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | False | N/A | N/A | N/A | N/A | N/A |
Keys (Proxy)¶
ProxyType¶
Proxy Type
The type of proxy configuration to use for this wireless connection
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | None | N/A | N/A | 5.0 | N/A | N/A |
Valid Choices¶
- None
- Manual
- Auto
ProxyServer¶
Proxy Server
The hostname of the proxy server
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
ProxyUsername¶
Proxy Username
The username for proxy server authentication
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
ProxyServerPort¶
Proxy Server Port
The port used to connect to the proxy server
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
integer | N/A | N/A | N/A | N/A | N/A | N/A |
ProxyPassword¶
Proxy Password
The password to authenticate with the proxy
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
ProxyPACURL¶
Proxy Username
URL used to recieve proxy settings
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
string | N/A | N/A | N/A | N/A | N/A | N/A |
ProxyPACFallbackAllowed¶
Proxy PAC Fallback Allowed
Proxy PAC Fallback Allowed
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
boolean | N/A | N/A | N/A | N/A | N/A | N/A |
Keys (QoS)¶
QoSMarkingPolicy¶
QoS Marking Policy
Restrict fast lane QoS marking
Type | Default | Required | Regex | iOS | macOS | Supervised |
---|---|---|---|---|---|---|
dictionary | N/A | N/A | N/A | 10.0 | N/A | N/A |
Available in iOS 10.0 and later. Not supported in macOS.
Troubleshooting¶
EAP Unified Logs log show --predicate 'subsystem == "com.apple.eapol"'
.