Manage and restrict WiFi connectivity on your Windows devices using Swif's Windows WiFi Policy. This policy allows you to deploy enterprise WiFi profiles, limit devices to approved networks, and prevent users from manually configuring WiFi connections.
Overview
The Windows WiFi Policy enables IT administrators to:
Deploy one or more WiFi profiles to managed Windows devices
Restrict devices to only connect to MDM-deployed WiFi networks
Block users from manually adding or modifying WiFi connections
Support both BYOD and company-owned device scenarios
Automatically configure WiFi during device enrollment (Pre-Flight)
Supported platforms: Windows 10 and later
Key Features
Block Manual WiFi Configuration
When Allow Manual Wi-Fi Configuration is set to false, users cannot manually add or connect to WiFi networks. Only WiFi profiles deployed through the MDM policy will be available on the device.
⚠️ Important: If you block manual WiFi configuration, you must first deploy at least one enterprise WiFi profile to the device using this policy. Otherwise, the device may lose network connectivity. Blocking will also delete any previously user-configured WiFi profiles from the device.
Deploy WiFi Profiles
You can deploy WiFi profiles using two configuration methods:
Field-based configuration — Define WiFi profiles using structured fields (SSID, security settings, authentication, etc.)
XML-based configuration — Provide a raw Windows WiFi profile XML for advanced scenarios
Pre-Flight (Enrollment-Time WiFi)
Enable the Pre-Flight option to automatically configure WiFi during device enrollment. This ensures devices have network connectivity from the moment they are enrolled, without requiring manual setup.
Bypass Update of Existing Profiles
When enabled, if a WiFi profile already exists on the device, no modifications will be applied. This prevents temporary WiFi interruptions during policy updates. When disabled, the device will update the WiFi profile regardless of its current state.
Configuration Options
General Settings
Field | Description | Default |
Allow Manual Wi-Fi Configuration | Allow or block connections to WiFi outside of MDM-deployed networks. |
|
Bypass Update | Skip updating existing WiFi profiles to avoid connectivity interruptions. |
|
Is Pre-Flight | Apply this policy during device enrollment. |
|
Config Type | Choose between |
|
WiFi Profile Settings (Field Mode)
When using Field-based configuration, each WiFi profile supports the following:
Field | Description | Options/Default |
SSID Name | The WiFi network name (case-sensitive). | — |
Connection Type | Network operating mode. |
|
Connection Mode | Whether connection is automatic or user-initiated. |
|
Auto Switch | Roam to a more preferred network when in range. |
|
Non Broadcast | Connect to a hidden network that doesn't broadcast its SSID. |
|
Security Settings
Configure authentication and encryption for each WiFi profile:
Field | Description | Options |
Authentication | Authentication method for the wireless LAN. |
|
Encryption | Data encryption type. |
|
Use OneX | Enable 802.1X authentication. |
|
FIPS Mode | Enable FIPS 140-2 compliant security. |
|
Shared Key (PSK) Settings
For networks using pre-shared keys (WPA-PSK, WPA2-PSK):
Field | Description |
Key Type |
|
Key Material | The network password or key. |
Protected | Whether the key material is encrypted. Default set to false. |
Enterprise Authentication (802.1X / EAP)
For enterprise networks using 802.1X:
Field | Description | Options |
Auth Mode | Specifies who authenticates. |
|
EAP Method Type | EAP type number (e.g., 13 for EAP-TLS). | Integer (IANA EAP registry) |
Server Validation | Validate the RADIUS server certificate. | Configure trusted root CA, server names |
Certificate Store | Use device certificate store for credentials. | Simple cert selection toggle |
Hotspot 2.0 Settings
For Passpoint / Hotspot 2.0 networks:
Field | Description |
Domain Name | Home Network Provider domain. |
NAI Realm | Network Access Identifier realm list (e.g., |
Network 3GPP | Public Land Mobile Network (PLMN) IDs. |
Roaming Consortium | Organizationally Unique Identifiers (OUI) from IEEE. |
MAC Randomization
Field | Description |
Enable Randomization | Randomize the device MAC address for this profile. |
Randomize Everyday | Generate a new random MAC address daily. |
Randomization Seed | Seed value to differentiate profile versions. |
Advanced Settings
Field | Description |
PMK Cache Mode | Enable/disable Pairwise Master Key caching (WPA2 only). |
PMK Cache TTL | PMK cache lifetime in minutes. |
PMK Cache Size | Number of PMK cache entries (default: 128). |
Pre-Auth Mode | Enable pre-authentication for fast roaming (WPA2 only). |
Pre-Auth Throttle | Number of pre-auth attempts on neighboring APs (default: 3). |
How to Apply the Policy
Navigate to Policies in the Swif console.
Create or edit a Windows WiFi Policy.
Configure your WiFi profiles with the desired SSID, security, and authentication settings.
Optionally set Allow Manual Wi-Fi Configuration to
falseto restrict users to MDM-deployed networks only.Assign the policy to your target devices or device groups.
Common Use Cases
Restrict devices to approved networks only
Create a WiFi policy with your corporate SSID(s) configured.
Set Allow Manual Wi-Fi Configuration to false.
Assign to devices.
Devices will only be able to connect to the MDM-deployed WiFi profiles. All user-configured profiles will be removed.
Auto-configure WiFi during enrollment
Create a WiFi policy with your enrollment network SSID.
Enable Is Pre-Flight.
Assign to your enrollment group.
Devices will automatically connect to the specified network during the enrollment process.
Deploy enterprise WPA2-Enterprise WiFi
Set authentication to
WPA2and encryption toAES.Enable
useOneXfor 802.1X.Configure EAP settings (e.g., EAP-TLS with certificate store).
Optionally configure server validation with trusted root CA.
Removing the Policy
When the Windows WiFi Policy is unassigned from a device:
Manual WiFi configuration is restored to default behavior.
Users can freely add and connect to WiFi networks again.
Previously blocked networks become accessible.
Frequently Asked Questions
Can I whitelist or blacklist specific SSIDs?
Windows does not natively support a whitelist/blacklist mechanism to restrict WiFi access by SSID. However, you can effectively limit connectivity by deploying specific WiFi profiles and blocking manual WiFi configuration. This restricts the device to only use MDM-deployed profiles.
What happens if I block manual WiFi without deploying a profile first?
The device may lose network connectivity. Always deploy at least one WiFi profile before setting Allow Manual Wi-Fi Configuration to false.
Does this policy work on BYOD devices?
Yes. The Windows WiFi Policy supports both company-owned and BYOD scenarios.
What Windows versions are supported?
Windows 10 and later.
