Skip to main content

Windows Wifi Policy

Easily push secure, pre-configured wireless profiles to Windows devices

Manage and restrict WiFi connectivity on your Windows devices using Swif's Windows WiFi Policy. This policy allows you to deploy enterprise WiFi profiles, limit devices to approved networks, and prevent users from manually configuring WiFi connections.

Overview

The Windows WiFi Policy enables IT administrators to:

  • Deploy one or more WiFi profiles to managed Windows devices

  • Restrict devices to only connect to MDM-deployed WiFi networks

  • Block users from manually adding or modifying WiFi connections

  • Support both BYOD and company-owned device scenarios

  • Automatically configure WiFi during device enrollment (Pre-Flight)

Supported platforms: Windows 10 and later


Key Features

Block Manual WiFi Configuration

When Allow Manual Wi-Fi Configuration is set to false, users cannot manually add or connect to WiFi networks. Only WiFi profiles deployed through the MDM policy will be available on the device.

⚠️ Important: If you block manual WiFi configuration, you must first deploy at least one enterprise WiFi profile to the device using this policy. Otherwise, the device may lose network connectivity. Blocking will also delete any previously user-configured WiFi profiles from the device.

Deploy WiFi Profiles

You can deploy WiFi profiles using two configuration methods:

  • Field-based configuration — Define WiFi profiles using structured fields (SSID, security settings, authentication, etc.)

  • XML-based configuration — Provide a raw Windows WiFi profile XML for advanced scenarios

Pre-Flight (Enrollment-Time WiFi)

Enable the Pre-Flight option to automatically configure WiFi during device enrollment. This ensures devices have network connectivity from the moment they are enrolled, without requiring manual setup.

Bypass Update of Existing Profiles

When enabled, if a WiFi profile already exists on the device, no modifications will be applied. This prevents temporary WiFi interruptions during policy updates. When disabled, the device will update the WiFi profile regardless of its current state.


Configuration Options

General Settings

Field

Description

Default

Allow Manual Wi-Fi Configuration

Allow or block connections to WiFi outside of MDM-deployed networks.

true (allowed)

Bypass Update

Skip updating existing WiFi profiles to avoid connectivity interruptions.

false

Is Pre-Flight

Apply this policy during device enrollment.

false

Config Type

Choose between Field (structured) or XML (raw XML profile).

Field

WiFi Profile Settings (Field Mode)

When using Field-based configuration, each WiFi profile supports the following:

Field

Description

Options/Default

SSID Name

The WiFi network name (case-sensitive).

Connection Type

Network operating mode.

ESS (infrastructure) or IBSS (ad-hoc). Default: ESS

Connection Mode

Whether connection is automatic or user-initiated.

auto or manual. Default: auto

Auto Switch

Roam to a more preferred network when in range.

true / false

Non Broadcast

Connect to a hidden network that doesn't broadcast its SSID.

true / false

Security Settings

Configure authentication and encryption for each WiFi profile:

Field

Description

Options

Authentication

Authentication method for the wireless LAN.

open, shared, WPA, WPAPSK, WPA2, WPA2PSK, WPA3, WPA3SAE, WPA3ENT, WPA3ENT192, OWE

Encryption

Data encryption type.

AES, WEP

Use OneX

Enable 802.1X authentication.

true / false

FIPS Mode

Enable FIPS 140-2 compliant security.

true / false

Shared Key (PSK) Settings

For networks using pre-shared keys (WPA-PSK, WPA2-PSK):

Field

Description

Key Type

passPhrase or networkKey (required for WEP).

Key Material

The network password or key.

Protected

Whether the key material is encrypted. Default set to false. Protected is required when shared key is present.

Enterprise Authentication (802.1X / EAP)

For enterprise networks using 802.1X:

Field

Description

Options

Auth Mode

Specifies who authenticates.

user, machine, machineOrUser, guest

EAP Method Type

EAP type number (e.g., 13 for EAP-TLS).

Server Validation

Validate the RADIUS server certificate.

Configure trusted root CA, server names

Certificate Store

Use device certificate store for credentials.

Simple cert selection toggle

Hotspot 2.0 Settings

For Passpoint / Hotspot 2.0 networks:

Field

Description

Domain Name

Home Network Provider domain.

NAI Realm

Network Access Identifier realm list (e.g., user@domain).

Network 3GPP

Public Land Mobile Network (PLMN) IDs.

Roaming Consortium

Organizationally Unique Identifiers (OUI) from IEEE.

MAC Randomization

Field

Description

Enable Randomization

Randomize the device MAC address for this profile.

Randomize Everyday

Generate a new random MAC address daily.

Randomization Seed

Seed value to differentiate profile versions.

Advanced Settings

Field

Description

PMK Cache Mode

Enable/disable Pairwise Master Key caching (WPA2 only).

PMK Cache TTL

PMK cache lifetime in minutes.

PMK Cache Size

Number of PMK cache entries (default: 128).

Pre-Auth Mode

Enable pre-authentication for fast roaming (WPA2 only).

Pre-Auth Throttle

Number of pre-auth attempts on neighboring APs (default: 3).


How to Apply the Policy

  1. Navigate to Policies in the Swif console.

  2. Create or edit a Windows WiFi Policy.

  3. Configure your WiFi profiles with the desired SSID, security, and authentication settings.

  4. Optionally set Allow Manual Wi-Fi Configuration to false to restrict users to MDM-deployed networks only.

  5. Assign the policy to your target devices or device groups.


Common Use Cases

Restrict devices to approved networks only

  1. Create a WiFi policy with your corporate SSID(s) configured.

  2. Set Allow Manual Wi-Fi Configuration to false.

  3. Assign to devices.

Devices will only be able to connect to the MDM-deployed WiFi profiles. All user-configured profiles will be removed.

Auto-configure WiFi during enrollment

  1. Create a WiFi policy with your enrollment network SSID.

  2. Enable Is Pre-Flight.

  3. Assign to your enrollment group.

Devices will automatically connect to the specified network during the enrollment process.

Deploy enterprise WPA2-Enterprise WiFi

  1. Set authentication to WPA2 and encryption to AES.

  2. Enable useOneX for 802.1X.

  3. Configure EAP settings (e.g., EAP-TLS with certificate store).

  4. Optionally configure server validation with trusted root CA.


Removing the Policy

When the Windows WiFi Policy is unassigned from a device:

  • Manual WiFi configuration is restored to default behavior.

  • Users can freely add and connect to WiFi networks again.

  • Previously blocked networks become accessible.


Frequently Asked Questions

Can I whitelist or blacklist specific SSIDs?
Windows does not natively support a whitelist/blacklist mechanism to restrict WiFi access by SSID. However, you can effectively limit connectivity by deploying specific WiFi profiles and blocking manual WiFi configuration. This restricts the device to only use MDM-deployed profiles.

What happens if I block manual WiFi without deploying a profile first?
The device may lose network connectivity. Always deploy at least one WiFi profile before setting Allow Manual Wi-Fi Configuration to false.

Does this policy work on BYOD devices?
Yes. The Windows WiFi Policy supports both company-owned and BYOD scenarios.

What Windows versions are supported?
Windows 10 and later.


Did this answer your question?