Skip to main content

Android Connection Policy

Updated over 2 weeks ago

The Android Connection Policy lets you centrally manage how Android devices connect to networks and communicate — including Wi‑Fi, mobile data, tethering, VPN, Bluetooth, radio states, and advanced enterprise networking options.

Use this policy to:

  • Enforce consistent network behavior on corporate or BYOD devices

  • Reduce unexpected roaming / data charges

  • Lock down which networks devices can join

  • Improve security by restricting insecure Wi‑Fi and unmanaged VPNs

  • Support advanced enterprise networking (APNs, slices, preferential networks)

Overview

Policy name: Android Connection Policy
Description:

This policy is used to manage network, connectivity, and communication settings on the device.

Minimum OS: Android 9+ (some fields require newer versions)
Supported platforms: Android
Ownership types:

  • Company-owned devices

  • BYOD (work profile) devices

Key Capabilities

At a high level, Android Connection Policy lets you:

  • Control mobile data and roaming behavior

  • Restrict or configure Wi‑Fi (including SSIDs, roaming, and security level)

  • Configure APNs (including override APNs and enterprise APNs)

  • Enable/disable tethering / hotspot

  • Control Bluetooth sharing and USB data access

  • Lock or influence radio states (Wi‑Fi, 2G, airplane mode, UWB)

  • Manage SMS, outgoing calls, and cell broadcasts

  • Configure preferential network services and enterprise slices

  • Control whether users may reset network settings or change VPN / Wi‑Fi configs

  • Allow devices to temporarily connect to any network to recover policies (network escape hatch)

Field Reference

Below is a breakdown of each field as it appears in Swif.ai, what it does, and when to use it.

1. Disable Cell Broadcasts Configuration

Field name: cellBroadcastsConfigDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot configure cell broadcast settings (e.g., Wireless Emergency Alerts). This ensures consistent emergency broadcast behavior across all managed devices.

Use cases:

  • Enforce company or regulatory requirements for emergency alerts

  • Prevent users from disabling critical alerts

2. Disable Data Roaming

Field name: dataRoamingDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), the device cannot use mobile data while roaming outside its home network. This helps prevent unexpected roaming charges.

Use cases:

  • Corporate phone plans where roaming is restricted or expensive

  • Devices used primarily domestically that should never roam internationally

3. Disable Mobile Networks Configuration

Field name: mobileNetworksConfigDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot change mobile network settings, such as network operator selection.

Use cases:

  • Prevent users from switching to unapproved carriers

  • Keep consistent cellular configuration on field or kiosk devices

4. Device Connectivity Management

Field name: deviceConnectivityManagement
Type: Dictionary
Min Android: 9+ (subfields vary)

This is a container for multiple connectivity controls such as APNs, Wi‑Fi, tethering, USB, Bluetooth, and advanced networking behavior.

4.1 APN Policy

Field: apnPolicy
Type: Dictionary
Min Android: 9+

Controls Access Point Names (APNs) that devices can use.

4.1.1 APN Settings

Field: apnSettings
Type: Array of dictionaries (APN definitions)
Min Android: 10+

Each entry defines a custom APN the device can use (or override default APNs).

For each APN object:

  • Display Name (displayName, required, string)

    • Friendly name for admins/users.

  • APN (apn, required, string)

    • Actual access point name used by the carrier.

  • APN Types (apnTypes, required, array of strings)

    • What the APN is used for (e.g., ENTERPRISE, DEFAULT, IMS, MMS, etc.).

    • Must be unique; no duplicates.

    • On work profiles, only ENTERPRISE is allowed.

Other optional APN fields (Android 10+ unless stated):

  • proxyAddress (string) – APN proxy host (optional)

  • proxyPort (integer, 0–65535) – APN proxy port (0 = not set)

  • username / password (string) – APN credentials

  • authType (string, default AUTH_TYPE_UNSPECIFIED) – one of:

    • NONE, PAP, CHAP, PAP_OR_CHAP

  • protocol / roamingProtocol (string, default PROTOCOL_UNSPECIFIED) – one of:

    • IP, IPV6, IPV4V6, PPP, NON_IP, UNSTRUCTURED

  • mmsc (string) – MMSC URL

  • mmsProxyAddress (string) – MMS proxy host (IP or hostname)

  • mmsProxyPort (integer, 0–65535)

  • numericOperatorId (string) – MCC+MNC (e.g., 310260)

  • carrierId (integer) – APN carrier ID

  • mvnoType (string, default MVNO_TYPE_UNSPECIFIED) – GID, ICCID, IMSI, SPN

  • alwaysOnSetting (string, default ALWAYS_ON_SETTING_UNSPECIFIED) – ALWAYS_ON or NOT_ALWAYS_ON

  • networkTypes (array of strings, no duplicates) – e.g., LTE, NR, UMTS, etc.

  • mtuV4 (integer, Android 13+) – IPv4 MTU, 0 = not set

  • mtuV6 (integer, Android 13+) – IPv6 MTU, 0 = not set

Use cases:

  • Provision enterprise APNs without user input

  • Restrict devices to carrier-approved or enterprise-only APNs

  • Optimize for specific network technologies or MTUs

4.1.2 Override APNs

Field: overrideApns
Type: String
Default: OVERRIDE_APNS_UNSPECIFIED
Options (Android 10+):

  • OVERRIDE_APNS_UNSPECIFIED

  • OVERRIDE_APNS_DISABLED

  • OVERRIDE_APNS_ENABLED

When set to OVERRIDE_APNS_ENABLED, only override APNs from apnSettings are used; all other APNs are ignored.

Use cases:

  • Strictly force traffic through managed APNs

  • Prevent devices from falling back to user- or carrier-defined APNs

4.2 Bluetooth Sharing

Field: bluetoothSharing
Type: String
Default: BLUETOOTH_SHARING_UNSPECIFIED
Min Android: 8+
Options:

  • BLUETOOTH_SHARING_UNSPECIFIED

  • BLUETOOTH_SHARING_ALLOWED

  • BLUETOOTH_SHARING_DISALLOWED

Controls whether Bluetooth can be used for sharing (e.g., file transfer).

Use cases:

  • Disable Bluetooth sharing on high-security or kiosk devices

  • Allow Bluetooth for peripherals but not data sharing (combined with other controls)

4.3 Configure WiFi

Field: configureWifi
Type: String
Default: CONFIGURE_WIFI_UNSPECIFIED
Min Android: 9+
Options:

  • CONFIGURE_WIFI_UNSPECIFIED

  • ALLOW_CONFIGURING_WIFI

  • DISALLOW_ADD_WIFI_CONFIG

  • DISALLOW_CONFIGURING_WIFI

Controls how much freedom users have to configure Wi‑Fi networks.

Use cases:

  • Allow corporate admins to define all Wi‑Fi; block user-added networks

  • Fully lock down Wi‑Fi on kiosks or shared devices

4.4 Tethering Settings

Field: tetheringSettings
Type: String
Default: TETHERING_SETTINGS_UNSPECIFIED
Min Android: 9+
Options:

  • TETHERING_SETTINGS_UNSPECIFIED

  • ALLOW_ALL_TETHERING

  • DISALLOW_WIFI_TETHERING

  • DISALLOW_ALL_TETHERING

Defines which tethering/hotspot methods are allowed.

Use cases:

  • Allow USB tethering only; block Wi‑Fi hotspot

  • Completely disable tethering to avoid uncontrolled data usage

4.5 USB Data Access

Field: usbDataAccess
Type: String
Default: DISALLOW_USB_FILE_TRANSFER
Min Android: 9+
Options:

  • ALLOW_USB_DATA_TRANSFER

  • DISALLOW_USB_FILE_TRANSFER

  • DISALLOW_USB_DATA_TRANSFER

Controls whether data can be transferred over USB.

Use cases:

  • Disable all USB data (only charging allowed) for high-security devices

  • Allow only specific transfer modes depending on your policy

4.6 WiFi Direct Settings

Field: wifiDirectSettings
Type: String
Default: WIFI_DIRECT_SETTINGS_UNSPECIFIED
Min Android: 9+
Options:

  • WIFI_DIRECT_SETTINGS_UNSPECIFIED

  • ALLOW_WIFI_DIRECT

  • DISALLOW_WIFI_DIRECT

Enables or disables Wi‑Fi Direct, which allows peer‑to‑peer connections.

Use cases:

  • Prevent unmonitored peer‑to‑peer file shares

  • Allow Wi‑Fi Direct when needed for specific enterprise apps or peripherals

4.7 WiFi Roaming Policy

Field: wifiRoamingPolicy
Type: Dictionary
Min Android: 9+

Defines how the device roams between Wi‑Fi access points.

4.7.1 WiFi Roaming Settings

Field: wifiRoamingSettings
Type: Array of dictionaries
Min Android: 9+

Each entry configures behavior for one SSID:

  • WiFi Roaming Mode (wifiRoamingMode, required, string, Android 15+)

    • One of:

      • WIFI_ROAMING_MODE_UNSPECIFIED

      • WIFI_ROAMING_DISABLED

      • WIFI_ROAMING_DEFAULT

      • WIFI_ROAMING_AGGRESSIVE

  • WiFi SSID (wifiSsid, required, string)

    • Target network SSID

SSIDs must be unique across the list.

Use cases:

  • Force aggressive roaming on large campuses for smoother transitions

  • Disable roaming for certain SSIDs to keep devices on a specific AP

4.8 WiFi SSID Policy

Field: wifiSsidPolicy
Type: Dictionary
Min Android: 13+

Controls which Wi‑Fi SSIDs are allowed or blocked.

4.8.1 WiFi SSID Policy Type

Field: wifiSsidPolicyType
Type: String
Default: WIFI_SSID_POLICY_TYPE_UNSPECIFIED
Options:

  • WIFI_SSID_POLICY_TYPE_UNSPECIFIED

  • WIFI_SSID_DENYLIST

  • WIFI_SSID_ALLOWLIST

Determines if wifiSsids is treated as a denylist or allowlist.

4.8.2 WiFi SSIDs

Field: wifiSsids
Type: Array of dictionaries
Min Android: 13+

Each object:

  • WiFi SSID (wifiSsid, required, string) – SSID to allow or deny.

Use cases:

  • Force devices to connect only to approved corporate SSIDs (allowlist)

  • Block known insecure or guest SSIDs (denylist)

4.9 Preferential Network Service Settings

Field: preferentialNetworkServiceSettings
Type: Dictionary
Min Android: 13+

Configures multiple enterprise network slices and how apps map to them.
On 4G, you must additionally configure the corresponding enterprise APN via apnPolicy.

4.9.1 Default Preferential Network ID

Field: defaultPreferentialNetworkId
Type: String (required)
Default: NO_PREFERENTIAL_NETWORK
Options:

  • PREFERENTIAL_NETWORK_ID_UNSPECIFIED

  • NO_PREFERENTIAL_NETWORK

  • PREFERENTIAL_NETWORK_ID_ONE

  • PREFERENTIAL_NETWORK_ID_TWO

  • PREFERENTIAL_NETWORK_ID_THREE

  • PREFERENTIAL_NETWORK_ID_FOUR

  • PREFERENTIAL_NETWORK_ID_FIVE

The default network slice used when an app does not have an explicit preferentialNetworkId. There must be a matching configuration in preferentialNetworkServiceConfigs unless it is NO_PREFERENTIAL_NETWORK.

4.9.2 Preferential Network Service Configs

Field: preferentialNetworkServiceConfigs
Type: Array of dictionaries (required)
Min Android: 13+

Each entry:

  • Preferential Network ID (preferentialNetworkId, required, string)

    • Must be one of PREFERENTIAL_NETWORK_ID_ONEFIVE

    • Cannot be NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED

    • IDs must be unique

  • Fallback to Default Connection (fallbackToDefaultConnection, string, default FALLBACK_TO_DEFAULT_CONNECTION_UNSPECIFIED)

    • FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED

    • FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED

  • Non-Matching Networks (nonMatchingNetworks, string, default NON_MATCHING_NETWORKS_UNSPECIFIED, Android 14+)

    • NON_MATCHING_NETWORKS_ALLOWED

    • NON_MATCHING_NETWORKS_DISALLOWED

    • Controls whether apps can use networks other than the preferential slice.

Configurations not referenced by any application or by defaultPreferentialNetworkId are ignored.

Use cases:

  • Ensure specific apps use dedicated enterprise slices for QoS, security, or compliance

  • Restrict apps to a slice and disallow fallback, or allow fallback if the slice is unavailable

5. Enable Network Escape Hatch

Field name: networkEscapeHatchEnabled
Type: Boolean
Default: false
Min Android: 9+

If enabled (true) and the device cannot connect to a configured network at boot, it may temporarily connect to any available network to fetch the latest policy updates.

Use cases:

  • Recover devices that were misconfigured and lost connectivity

  • Ensure critical policy updates can still be delivered in edge cases

6. Disable Network Reset

Field name: networkResetDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot perform a network reset (which would otherwise reset Wi‑Fi, mobile data, and Bluetooth settings to factory defaults).

Use cases:

  • Prevent accidental or intentional removal of corporate Wi‑Fi / APN / VPN settings

  • Keep devices compliant with enforced network policies

7. Disable Outgoing Calls

Field name: outgoingCallsDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot make outgoing calls. Incoming calls may still be received.

Use cases:

  • Shared or kiosk devices that should not place calls

  • Cost control on corporate-owned phones

8. Preferential Network Service (Work Profile)

Field name: preferentialNetworkService
Type: String
Default: PREFERENTIAL_NETWORK_SERVICE_DISABLED
Min Android: 12+
Options:

  • PREFERENTIAL_NETWORK_SERVICE_UNSPECIFIED

  • PREFERENTIAL_NETWORK_SERVICE_DISABLED

  • PREFERENTIAL_NETWORK_SERVICE_ENABLED

Controls whether traffic from work-profile apps is given preferential network treatment compared to personal apps.

Use cases:

  • Prioritize corporate traffic over personal traffic on BYOD devices

  • Improve reliability/performance for business-critical apps

9. Disable SMS

Field name: smsDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot send or receive SMS messages.

Use cases:

  • Devices used only for data (e.g., dedicated work devices, kiosks)

  • Environments with strict communication controls

10. Device Radio State

Field name: deviceRadioState
Type: Dictionary
Min Android: 9+

Controls radio states such as Wi‑Fi, airplane mode, 2G, Wi‑Fi security level, and ultra‑wideband (UWB).

10.1 WiFi State

Field: wifiState
Type: String
Default: WIFI_STATE_UNSPECIFIED
Options:

  • WIFI_STATE_UNSPECIFIED

  • WIFI_STATE_USER_CHOICE

  • WIFI_ENABLED

  • WIFI_DISABLED

Controls whether Wi‑Fi is on and whether the user can change it.

10.2 Airplane Mode State

Field: airplaneModeState
Type: String
Default: AIRPLANE_MODE_STATE_UNSPECIFIED
Options:

  • AIRPLANE_MODE_STATE_UNSPECIFIED

  • AIRPLANE_MODE_USER_CHOICE

  • AIRPLANE_MODE_DISABLED

Controls whether airplane mode can be toggled by the user.

10.3 Cellular 2G State

Field: cellularTwoGState
Type: String
Default: CELLULAR_TWO_G_STATE_UNSPECIFIED
Options:

  • CELLULAR_TWO_G_STATE_UNSPECIFIED

  • CELLULAR_TWO_G_USER_CHOICE

  • CELLULAR_TWO_G_DISABLED

Controls whether the user can enable 2G cellular, which is often considered insecure.

Use cases:

  • Disable 2G where security requirements forbid weak radio technologies

10.4 Minimum WiFi Security Level

Field: minimumWifiSecurityLevel
Type: String
Default: MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED
Options:

  • MINIMUM_WIFI_SECURITY_LEVEL_UNSPECIFIED

  • OPEN_NETWORK_SECURITY

  • PERSONAL_NETWORK_SECURITY

  • ENTERPRISE_NETWORK_SECURITY

  • ENTERPRISE_BIT192_NETWORK_SECURITY

Defines the minimum Wi‑Fi security a device is allowed to connect to.

Use cases:

  • Block open or WEP/WPA‑personal networks; enforce enterprise-grade Wi‑Fi only

10.5 Ultra-Wideband State

Field: ultraWidebandState
Type: String
Default: ULTRA_WIDEBAND_STATE_UNSPECIFIED
Options:

  • ULTRA_WIDEBAND_STATE_UNSPECIFIED

  • ULTRA_WIDEBAND_USER_CHOICE

  • ULTRA_WIDEBAND_DISABLED

Controls whether the user can toggle ultra‑wideband radios.

Use cases:

  • Environments where UWB must be disabled for privacy or regulatory reasons

11. Disable VPN Configuration

Field name: vpnConfigDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot add, modify, or remove VPN configurations.

Use cases:

  • Ensure only IT-approved VPNs are available

  • Prevent data exfiltration via personal VPN apps

12. Disable WiFi Configuration

Field name: wifiConfigDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot add, modify, or remove Wi‑Fi access points.

Use cases:

  • Lock devices to pre-configured corporate Wi‑Fi

  • Avoid user connections to public or insecure networks

13. Disable Tethering Configuration

Field name: tetheringConfigDisabled
Type: Boolean
Default: false
Min Android: 9+

When enabled (true), users cannot configure tethering / hotspot settings.

Use cases:

  • Combined with tetheringSettings to fully prevent hotspot usage

  • Ensure data plans are not consumed by tethered personal devices

Practical Notes

  • Many subfields have Android version requirements (especially APN, Wi‑Fi roaming, and preferential network features on Android 10–15). Ensure your device fleet meets these before using them.

  • Some fields enforce uniqueness (e.g., APN types, SSIDs, network IDs). Duplicate entries will cause the policy to be rejected.

  • On BYOD work profiles, APN usage is more restricted (e.g., ENTERPRISE is the only allowed APN type in apnTypes).

Related Articles
Configuring a Policy for RADIUS Wi-Fi on Windows
Android KIOSK Policy
Apple Wi-Fi Policy
Windows Connectivity Policy
Android Open Network Configuration Policy
Did this answer your question?