Wi-Fi

Template

Warning

The profile cannot be installed if your machine does not have a Wi-Fi AirPort adapter. USB adapters do not qualify, so you may have issues testing in a virtual machine. This is because the settings are applied through CoreWLAN, and CoreWLAN will only return AirPort devices.

Summary

PayloadType: com.apple.wifi.managed
Supervised Only: N/A
macOS: N/A
macOS Deprecated: N/A
iOS: N/A
iOS Deprecated: N/A
Highlander: N/A

Keys

SSID_STR

SSID

SSID of the Wi-Fi network to be used

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A
  • In iOS 7.0 and later, this is optional if a DomainName value is provided

HIDDEN_NETWORK

Hidden

If set, assumes the network is hidden. Otherwise the device will use broadcast SSID to identify the network.

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

AutoJoin

Auto Join

Automatically join the network

Type Default Required Regex iOS macOS Supervised
boolean True N/A N/A 5.0 N/A N/A

CaptiveBypass

Disable Captive Network Detection

Do not show the captive network sheet

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A 10.0 N/A N/A

EncryptionType

Encryption Type

Wireless network encryption to use when connecting. The None value is available in iOS 5.0 and later and the WPA2 value is available in iOS 8.0 and later.

Type Default Required Regex iOS macOS Supervised
string None always N/A 4.0 N/A N/A

Valid Choices

  • WEP
  • WPA
  • WPA2
  • Any
  • None

Password

Password

Specifies the password for the access point

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

PayloadCertificateUUID

Certificate UUID

UUID of the certificate payload containing an identity used as the client credential

Type Default Required Regex iOS macOS Supervised
string N/A N/A ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ N/A N/A N/A

TLSCertificateRequired

Certificate Required

If set, forces a non-default authentication method (if YES, uses the certificate from PayloadCertificateUUID).

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A 7.0 N/A N/A

Keys (HotSpot)

IsHotspot

Is Hotspot

Is a legacy or Hotspot 2.0 network

Type Default Required Regex iOS macOS Supervised
boolean False always N/A 7.0 10.9 N/A

DomainName

Domain Name

HotSpot 2.0 domain name

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A 7.0 10.9 N/A

DisplayedOperatorName

Displayed Operator Name

HotSpot 2.0 operator name

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A 7.0 10.9 N/A

ServiceProviderRoamingEnabled

Roaming Enable

HotSpot 2.0 allow roaming flag

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A 7.0 10.9 N/A

RoamingConsortiumOIs

Roaming OIs

HotSpot 2.0 organization identifiers

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A 7.0 10.9 N/A

NAIRealmNames

Realm Names

HotSpot 2.0 NAI realm names

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A 7.0 10.9 N/A

MCCAndMNCs

MCC/MNCs

HotSpot 2.0 MCC/MNCs

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A 7.0 N/A N/A

Keys (802.1x)

EAPClientConfiguration

EAP Client Configuration

Specifies 802.1x EAP authentication parameters

Type Default Required Regex iOS macOS Supervised
dictionary N/A N/A N/A N/A N/A N/A
| Name | Type | Title | Description | Required |
|---|---|---|---|---|
| AcceptEAPTypes | array | Accept EAP Types | The EAP types accepted | n/a |
| UserName | string | Username | Username. If not provided, the user may be prompted during login | n/a |
| UserPassword | string | Password | Password. If not provided, the user may be prompted during login | n/a |
| OneTimeUserPassword | boolean | Per-Connection Password | If set, the user will be prompted for a password each time they connect to the network | n/a |
| PayloadCertificateAnchorUUID | array | Certificate Anchor UUID | Array of UUIDs corresponding to the trusted certificates for this authentication | n/a |
| TLSTrustedServerNames | array | TLS Trusted Server Names | Array of Common Names of server certificates that can be trusted. The wildcard * can be used to match a range of strings | n/a |
| TLSAllowTrustExceptions | boolean | Allow Trust Exceptions | No longer supported in iOS 8 and later | n/a |
| TTLSInnerAuthentication | string | TTLS Inner Authentication | Specifies the inner authentication used by the TTLS module | n/a |
| OuterIdentity | string | Outer Identity | If TTLS, PEAP, or EAP-FAST is used, this string is used instead of the user’s identity outside the encrypted tunnel. This value can be used to mask the true identity of the person using the network | n/a |
| SystemModeCredentialsSource | string | System Profile Credentials Source | Use an alternate set of credentials when in System mode (AKA not a loginwindow profile). This can be used to tell EAPOLClient to use the computer password in a bound active directory scenario for authentication. | n/a |
| EAPFASTUsePAC | boolean | Use PAC | If set, the device will use an existing PAC if it’s present. Otherwise the server must present its identity using a certificate | n/a |
| EAPFASTProvisionPAC | boolean | Provision PAC | If set, provisions the device | n/a |
| EAPFASTProvisionPACAnonymously | boolean | Provision PAC Anonymously | If set, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning | n/a |
| EAPSIMNumberOfRANDs | integer | Allow Two RANDs | The minimum number of RAND values accepted from the server. 3 is the default, and 2 is allowed, but offers less security. For use with EAP-SIM only. | n/a |

AcceptEAPTypes

Accept EAP Types

The EAP types accepted

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A N/A N/A N/A

EAP Types values are as follows:

| Value | EAP type | Constant |
|---|---|---|
| 0 | Invalid (internal use) | kEAPTypeInvalid |
| 1 | Identity | kEAPTypeIdentity |
| 2 | Notification | kEAPTypeNotification |
| 3 | Nak | kEAPTypeNak |
| 4 | MD5 Challenge | kEAPTypeMD5Challenge |
| 5 | One Time Password | kEAPTypeOneTimePassword |
| 6 | Generic Token Card | kEAPTypeGenericTokenCard |
| 13 | Transport Layer Security (TLS) | kEAPTypeTLS |
| 17 | Cisco LEAP | kEAPTypeCiscoLEAP |
| 18 | EAP-SIM | kEAPTypeEAPSIM |
| 19 | SRP-SHA1 | kEAPTypeSRPSHA1 |
| 21 | TTLS | kEAPTypeTTLS |
| 23 | EAP-AKA | kEAPTypeEAPAKA |
| 25 | PEAP | kEAPTypePEAP |
| 26 | MSCHAPv2 | kEAPTypeMSCHAPv2 |
| 33 | Extensions | kEAPTypeExtensions |
| 43 | EAP-FAST | kEAPTypeEAPFAST |
| 50 | AKAPrime | kEAPTypeEAPAKAPrime |

UserName

Username

Username. If not provided, the user may be prompted during login

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

UserPassword

Password

Password. If not provided, the user may be prompted during login

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

OneTimeUserPassword

Per-Connection Password

If set, the user will be prompted for a password each time they connect to the network

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

PayloadCertificateAnchorUUID

Certificate Anchor UUID

Array of UUIDs corresponding to the trusted certificates for this authentication

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A N/A N/A N/A

TLSTrustedServerNames

TLS Trusted Server Names

Array of Common Names of server certificates that can be trusted. The wildcard * can be used to match a range of strings

Type Default Required Regex iOS macOS Supervised
array N/A N/A N/A N/A N/A N/A

TLSAllowTrustExceptions

Allow Trust Exceptions

No longer supported in iOS 8 and later

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

TTLSInnerAuthentication

TTLS Inner Authentication

Specifies the inner authentication used by the TTLS module

Type Default Required Regex iOS macOS Supervised
string MSCHAPv2 N/A N/A N/A N/A N/A

Valid Choices

  • PAP
  • EAP
  • CHAP
  • MSCHAP
  • MSCHAPv2

OuterIdentity

Outer Identity

If TTLS, PEAP, or EAP-FAST is used, this string is used instead of the user’s identity outside the encrypted tunnel. This value can be used to mask the true identity of the person using the network

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

SystemModeCredentialsSource

System Profile Credentials Source

Use an alternate set of credentials when in System mode (AKA not a loginwindow profile). This can be used to tell EAPOLClient to use the computer password in a bound active directory scenario for authentication.

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

Valid Choices

  • ActiveDirectory

EAPFASTUsePAC

Use PAC

If set, the device will use an existing PAC if it’s present. Otherwise the server must present its identity using a certificate

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

EAPFASTProvisionPAC

Provision PAC

If set, provisions the device

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A

EAPFASTProvisionPACAnonymously

Provision PAC Anonymously

If set, provisions the device anonymously. Note that there are known man-in-the-middle attacks for anonymous provisioning

Type Default Required Regex iOS macOS Supervised
boolean False N/A N/A N/A N/A N/A
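
The general and 802.1x keys above can be checked mechanically before a profile is deployed. The following is an added example, not code from this page or from the project it documents: it audits the Wi-Fi payloads of an unsigned profile plist for the settings this page flags (anonymous PAC provisioning, two RANDs, the PayloadCertificateUUID regex) plus a few common hardening checks. The function names and the sample profile are constructed for illustration.

```python
import plistlib
import re

# Equivalent to the PayloadCertificateUUID regex in this page's key table.
UUID_RE = re.compile(r"^[0-9A-Za-z]{8}(-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}$")
TLS_BASED = {13, 21, 25, 43}  # TLS, TTLS, PEAP, EAP-FAST (AcceptEAPTypes values)

def audit_wifi_payload(p):
    """Return findings for one com.apple.wifi.managed payload dictionary."""
    out = []
    enc = p.get("EncryptionType")
    if enc in ("WEP", "None", "Any"):
        out.append(f"EncryptionType={enc}: not restricted to WPA/WPA2")
    uuid = p.get("PayloadCertificateUUID")
    if uuid is not None and not UUID_RE.match(uuid):
        out.append("PayloadCertificateUUID does not match the documented regex")
    if p.get("TLSCertificateRequired") and uuid is None:
        out.append("TLSCertificateRequired set without PayloadCertificateUUID")
    eap = p.get("EAPClientConfiguration", {})
    if "Password" in p or "UserPassword" in eap:
        out.append("password embedded in the profile")
    if TLS_BASED & set(eap.get("AcceptEAPTypes", [])) and not (
            eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
        out.append("no trusted server names or anchor certificates")
    if eap.get("EAPFASTProvisionPACAnonymously"):
        out.append("anonymous PAC provisioning (known man-in-the-middle attacks)")
    if eap.get("EAPSIMNumberOfRANDs") == 2:
        out.append("EAPSIMNumberOfRANDs=2 offers less security than the default 3")
    return out

def audit_profile(data):  # parse an unsigned profile plist; findings keyed by SSID_STR
    profile = plistlib.loads(data)
    return {p.get("SSID_STR", "?"): audit_wifi_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"}

# Constructed sample profile (not from the page): one weak and one stricter payload.
SAMPLE = plistlib.dumps({"PayloadContent": [
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "legacy",
     "EncryptionType": "WEP", "Password": "constructed-example",
     "EAPClientConfiguration": {"AcceptEAPTypes": [43],
                                "EAPFASTProvisionPACAnonymously": True}},
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp",
     "EncryptionType": "WPA2", "EAPClientConfiguration": {
         "AcceptEAPTypes": [25], "TLSTrustedServerNames": ["radius.example.com"]}},
]})

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.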

Keys (Proxy)

ProxyType

Proxy Type

The type of proxy configuration to use for this wireless connection

Type Default Required Regex iOS macOS Supervised
string None N/A N/A 5.0 N/A N/A

Valid Choices

  • None
  • Manual
  • Auto

ProxyServer

Proxy Server

The hostname of the proxy server

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

ProxyUsername

Proxy Username

The username for proxy server authentication

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

ProxyServerPort

Proxy Server Port

The port used to connect to the proxy server

Type Default Required Regex iOS macOS Supervised
integer N/A N/A N/A N/A N/A N/A

ProxyPassword

Proxy Password

The password to authenticate with the proxy

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

ProxyPACURL

Proxy Username

URL used to receive proxy settings

Type Default Required Regex iOS macOS Supervised
string N/A N/A N/A N/A N/A N/A

ProxyPACFallbackAllowed

Proxy PAC Fallback Allowed

Proxy PAC Fallback Allowed

Type Default Required Regex iOS macOS Supervised
boolean N/A N/A N/A N/A N/A N/A

Keys (QoS)

QoSMarkingPolicy

QoS Marking Policy

Restrict fast lane QoS marking

Type Default Required Regex iOS macOS Supervised
dictionary N/A N/A N/A 10.0 N/A N/A

Available in iOS 10.0 and later. Not supported in macOS.

Troubleshooting

EAP Unified Logs:

    log show --predicate 'subsystem == "com.apple.eapol"'