
Network

In this section you can configure networking-related policies.

Wi‑Fi configurations can be provisioned and managed by the system via WiFi configurations. Depending on the value set on Configure Wi‑Fi, users may have limited or no control over adding/modifying networks.

 

Device radio state

1. Wi‑Fi state

Controls current state of Wi‑Fi and if the user can change its state.

User choice (default): User is allowed to enable/disable Wi‑Fi.

Enabled: Wi‑Fi is on and the user is not allowed to turn it off (Android 13+).

Disabled: Wi‑Fi is off and the user is not allowed to turn it on (Android 13+).

 

2. Minimum Wi‑Fi security level

The minimum required security level of Wi‑Fi networks that the device can connect to. Supported on Android 13 and above, for fully managed devices and work profiles on company-owned devices.

Open network (default): The device can connect to all types of Wi‑Fi networks.

Personal network: Disallows open Wi‑Fi networks; requires at least personal security (for example WPA2‑PSK).

Enterprise network: Requires enterprise EAP networks; disallows Wi‑Fi networks below this security level.

192‑bit enterprise network: Requires 192‑bit enterprise networks; strictest option.

 

3. Ultra wideband (UWB) state

Controls the state of the ultra wideband setting and whether the user can toggle it on or off.

User choice (default): The user is allowed to toggle UWB on or off.

Disabled: UWB is disabled and the user is not allowed to toggle it via settings (Android 14+).

 

Device connectivity management

4. Bluetooth sharing

Controls whether Bluetooth sharing is allowed.

Allowed: Bluetooth sharing is allowed (default on fully managed devices, Android 8+).

Disallowed: Bluetooth sharing is disallowed (default on work profiles, Android 8+).

 

5. Configure Wi‑Fi

Controls Wi‑Fi configuring privileges. Depending on the selected option, the user has full, limited, or no control in configuring Wi‑Fi networks.

Allow configuring Wi‑Fi (default): The user is allowed to configure Wi‑Fi.

Disallow add Wi‑Fi config: Adding new Wi‑Fi configurations is disallowed. The user can switch between already configured networks (Android 13+; fully managed and company-owned work profiles).

Disallow configuring Wi‑Fi: Disallows configuring Wi‑Fi networks. For fully managed devices this removes user-configured networks and retains only networks configured via WiFi configurations. For company-owned work profiles, existing networks are not affected but users cannot add/remove/modify Wi‑Fi networks.

When configuring Wi‑Fi is disabled and the device cannot connect at boot time, the system can show the network escape hatch to let the user temporarily connect and refresh policy.

 

6. Wi‑Fi direct settings

Controls configuring and using Wi‑Fi direct settings. Supported on company-owned devices running Android 13 and above.

Allow (default): The user is allowed to use Wi‑Fi direct.

Disallow: The user is not allowed to use Wi‑Fi direct.

 

7. Tethering settings

Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.

Allow all tethering (default): Allows configuration and use of all forms of tethering.

Disallow Wi‑Fi tethering: Disallows the user from using Wi‑Fi tethering (company-owned Android 13+).

Disallow all tethering: Disallows all forms of tethering (fully managed + company-owned work profiles).

 

8. Wi‑Fi SSID policy

Restrictions on which Wi‑Fi SSIDs the device can connect to (this does not affect which networks can be configured on the device). Supported on company-owned devices running Android 13 and above.

SSID denylist (default): The device cannot connect to any Wi‑Fi network whose SSID is listed, but can connect to other networks.

SSID allowlist: The device can connect only to the SSIDs listed. The SSID list must not be empty.

Use Add SSID to add entries. Depending on the selected policy type, the list is interpreted as allowed or denied SSIDs.

In the Policy Editor UI, the SSID list is labeled Allowed Wi‑Fi SSIDs for allowlists and Denied Wi‑Fi SSIDs for denylists.
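How the Minimum Wi‑Fi security level (item 2) and the Wi‑Fi SSID policy (item 8) combine into a connect decision, as an added sketch that is not the product's code. The function and enum names are hypothetical, and it assumes that both checks apply independently and that SSIDs are compared as exact, case-sensitive strings.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels in the order the page lists them, weakest first."""
    OPEN = 0
    PERSONAL = 1
    ENTERPRISE = 2
    ENTERPRISE_192 = 3


def check_policy(kind, ssids):
    """Reject SSID policies the page describes as invalid."""
    if kind not in ("denylist", "allowlist"):
        raise ValueError(f"unknown SSID policy type: {kind!r}")
    if kind == "allowlist" and not ssids:
        raise ValueError("SSID allowlist must not be empty")


def may_connect(ssid, level, min_level=Level.OPEN, kind="denylist", ssids=()):
    """Return (allowed, reason) for one network under the device policy."""
    check_policy(kind, ssids)
    if level < min_level:
        return False, f"security {level.name} is below minimum {min_level.name}"
    listed = ssid in ssids  # assumption: exact, case-sensitive comparison
    if kind == "allowlist" and not listed:
        return False, "SSID is not on the allowlist"
    if kind == "denylist" and listed:
        return False, "SSID is on the denylist"
    return True, "allowed"


def evaluate(scan, **policy):
    """Apply one policy to every (ssid, level) pair and keep the verdicts."""
    return [may_connect(ssid, level, **policy)[0] for ssid, level in scan]


# Constructed scan results: the same SSID seen once as an enterprise network
# and once as an open one, plus an unrelated personal network.
SCAN = [("Corp-WiFi", Level.ENTERPRISE), ("Corp-WiFi", Level.OPEN),
        ("CoffeeShop", Level.PERSONAL)]

if __name__ == "__main__":
    policy = dict(min_level=Level.ENTERPRISE, kind="allowlist", ssids=["Corp-WiFi"])
    for ssid, level in SCAN:
        print(ssid, level.name, may_connect(ssid, level, **policy))
```

An allowlist matches on the SSID name only, so the open network that reuses an allowlisted name is refused by the minimum security level, not by the SSID policy.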

 

9. Wi‑Fi roaming settings

Configure Wi‑Fi roaming mode per SSID. Use Add Wi‑Fi roaming setting to create entries.

Each entry includes:

SSID: The SSID to which the roaming setting applies (required).

WiFi roaming mode: Default / Disabled / Aggressive. Disabled and Aggressive require Android 15+ and are supported only on fully managed devices and work profiles on company-owned devices.

 

Network restrictions

10. Bluetooth disabled

Whether Bluetooth is disabled. Prefer this setting over Bluetooth config disabled because Bluetooth config disabled can be bypassed by the user.

 

11. Bluetooth contact sharing disabled

Whether Bluetooth contact sharing is disabled.

 

12. Bluetooth config disabled

Whether configuring Bluetooth is disabled.

 

13. Network reset disabled

Whether resetting network settings is disabled.

 

14. Outgoing beam disabled

Whether using NFC to beam data from apps is disabled.

 

VPN

15. Always On VPN app

Specify an Always On VPN package name to ensure that data from specified managed apps will always go through a configured VPN.

Note: This feature requires deploying a VPN client that supports both Always On and per-app VPN features.

 

16. VPN lockdown

Disallows networking when the VPN is not connected.

 

17. VPN config disabled

Whether configuring VPN is disabled.

 

Proxy and network services

18. Preferential network service

Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that work data is sent via a carrier network service dedicated for enterprise use (for example, an enterprise slice on 5G networks). This has no effect on fully managed devices.

Disabled: Preferential network service is disabled on the work profile.

Enabled: Preferential network service is enabled on the work profile.

If you use enterprise network slicing, also configure 5G Network Slicing Configuration under the Cellular policy panel and assign apps to a slice using their Preferential Network setting.

 

The network-independent global HTTP proxy. Typically proxies should be configured per-network in WiFi configurations. A global proxy may be useful for unusual configurations like general internal filtering. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.

Disabled

Direct proxy

Proxy auto-configuration (PAC)

19.1. Host

The host of the direct proxy.

19.2. Port

The port of the direct proxy.

19.3. PAC URI

The URI of the PAC script used to configure the proxy.

19.4. Excluded hosts

For a direct proxy, the hosts for which the proxy is bypassed. Host names may contain wildcards such as *.example.com.

Use Add excluded host to add entries (available for direct proxy only).

 

WiFi configurations

Define Wi‑Fi network configurations that the system will apply on devices. Use Add WiFi configuration to create an entry and remove it with the delete action.

20. WiFi configuration fields

Each configuration includes:

Configuration name: Required.

SSID: Required.

Auto connect: Whether the network should be connected to automatically when in range.

Fast Transition: Whether the client should attempt to use Fast Transition (IEEE 802.11r-2008) with the network.

Hidden SSID: Whether the SSID will be broadcast.

MAC randomization mode: Hardware or Automatic (Android 13+).

 

20.1. Security

Wi‑Fi security options:

WEP‑PSK: WEP (Pre-Shared Key).

WPA‑PSK: WPA/WPA2/WPA3-Personal (Pre-Shared Key).

WPA‑EAP: WPA/WPA2/WPA3-Enterprise (Extensible Authentication Protocol).

WPA3 192-bit mode: WPA‑EAP network allowing only WPA3 192-bit mode.

20.2. Passphrase (Pre‑Shared Key)

Shown when Security is WEP‑PSK or WPA‑PSK. The passphrase is required.

20.3. EAP method (Enterprise)

Shown when Security is WPA‑EAP or WPA3 192-bit mode. Select one EAP outer method:

EAP‑TLS

EAP‑TTLS

PEAP

EAP‑SIM

EAP‑AKA

20.4. Phase 2 authentication

Shown for tunneling outer methods (EAP‑TTLS and PEAP).

MSCHAPv2

PAP

20.5. EAP credentials from users

When enabled, the system automatically applies EAP credentials on devices on a per-user basis. You can configure user credentials in the Users section.

20.6. Client certificate

For EAP‑TLS, you can assign a client certificate used for Wi‑Fi authentication. For more information read the Certificate management page.

If a certificate is already assigned, you can use Open certificate to view it or Change certificate to select a different one.

Alternatively, you can specify Client certificate key pair alias, which references a client certificate stored in the Android keychain and allowed for Wi‑Fi authentication.

If both Client certificate and Client certificate key pair alias are set, the key pair alias is ignored.

20.7. Identity

Identity of user. For tunneling outer protocols (PEAP, EAP‑TTLS), this is used to authenticate inside the tunnel, and Anonymous identity is used for the EAP identity outside the tunnel. For non-tunneling outer protocols, this is used for the EAP identity. This value is subject to string expansions.

20.8. Anonymous identity

For tunneling protocols only, this indicates the identity of the user presented to the outer protocol. This value is subject to string expansions. If not specified, the empty string is used.

20.9. Password

Password of the user.

20.10. Server CA certificates

List of CA certificates to be used for verifying the host’s certificate chain. At least one CA certificate must match. If not set, the client does not check that the server certificate is signed by a specific CA; validation against the system CA certificates may still apply. For more information read the Certificate management page.

Use Add Server CA certificate to add entries and remove them with the delete action.

20.11. Domain suffix matches

A list of constraints for the server domain name. The entries are used as suffix match requirements against the DNS name(s) of the alternative subject name of an authentication server certificate.
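What a suffix match against the certificate's DNS names means in practice, as an added example that is not the product's code. It assumes the label-by-label comparison that wpa_supplicant documents for its domain_suffix_match option and that one matching name is enough; the function names and certificate names are constructed.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def suffix_matches(dns_name, suffix):
    """True if `suffix` equals `dns_name` or is a parent domain of it,
    comparing whole labels from the right-hand side."""
    want, have = _labels(suffix), _labels(dns_name)
    if not all(want) or len(want) > len(have):
        return False  # empty suffix, empty label, or suffix longer than the name
    return have[-len(want):] == want


def server_name_ok(san_dns_names, suffixes):
    """Assumption: any SAN dNSName matching any configured suffix passes."""
    return any(suffix_matches(n, s) for n in san_dns_names for s in suffixes)


def naive_ok(san_dns_names, suffixes):
    """Plain string suffix test, kept only to contrast with the label-wise one."""
    return any(n.lower().endswith(s.lower())
               for n in san_dns_names for s in suffixes)


# Constructed SAN dNSName lists standing in for server certificates.
SAMPLES = {
    "expected server": ["radius.corp.example.com"],
    "exact domain": ["corp.example.com"],
    "look-alike label": ["radius.notcorp.example.com"],
    "parent only": ["example.com"],
}

if __name__ == "__main__":
    configured = ["corp.example.com"]
    for label, names in SAMPLES.items():
        print(f"{label:18} label-wise={server_name_ok(names, configured)} "
              f"naive={naive_ok(names, configured)}")
```

The "look-alike label" row is where the two checks disagree: a plain string suffix test accepts it, while whole-label comparison rejects it.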