
How to set up Wi-Fi for Android devices?

Set up and help connect a device to the corporate Wi-Fi network without the user knowing its password. You can create a policy with the Wi-Fi settings of your organization’s wireless network and associate it with the enrolled Android/Android TV OS devices. This policy can be configured on all subscription plans.


When the Wi-Fi configuration is removed from the device, the device will not disconnect from the Wi-Fi network until it can connect to another mobile / Wi-Fi network.

To configure a Wi-Fi network on Android devices:
  1. Log in to your Hexnode portal.
  2. Go to Policies.
  3. Create a new policy or select an existing one.
  4. Click on Android.
  5. Select Wi-Fi from Networks.
Wi-Fi Settings | Description
Network name (SSID) | In simple words, the Service Set Identifier (SSID) is the name of the Wi-Fi network.
Auto-join | Devices connect to this Wi-Fi network automatically when they are in its range, without the user having to tap Connect. Auto-join is enabled by default.
Hidden network | Enable this option to connect to a hidden Wi-Fi network, that is, one whose SSID is not broadcast. A hidden network will not appear in the list of available wireless networks.
MAC Randomization | The MAC address is used to identify a device in a Wi-Fi network. With this setting, you can randomize the device’s MAC address with the options below.
  • Persistent: The device keeps the same randomized MAC address for this Wi-Fi network even if the user forgets and reconnects to the network. The MAC address changes only when the device undergoes a factory reset.
  • Non-Persistent: The MAC address used for this Wi-Fi network changes every time the device connects to a network.
  • Auto: A random MAC address is generated for this Wi-Fi network, and the behavior is chosen automatically as either Persistent or Non-Persistent.
  • Disable: The factory MAC address is used for this Wi-Fi network. The device’s factory MAC address is in the format XX:XX:XX:XX:XX:XX.

  • This setting is supported on Android 12 and above devices.
  • The Auto and Disable options for MAC address randomization are only available on Android Enterprise and profile owner devices that are running on Android 13 or higher.

Security type | Select a security type to display additional security setup options. The available security types are None, WEP, WPA/WPA2 PSK (default) and 802.1x EAP.

(If WEP or WPA/WPA2 PSK is selected as the security type)

Enter the password in this field to connect to the Wi-Fi network.

Note: Minimum character length should be 8.

Accepted EAP method | (If 802.1x EAP is selected as the security type) Select the accepted Extensible Authentication Protocol to authenticate the wireless connection. Available protocols are PEAP, TTLS, TLS and PWD. The remaining settings will change according to the EAP type selected. PEAP is selected as the default EAP method if 802.1x is selected as the security type.

PEAP Settings

PEAP Settings | Description
Phase 2 authentication | Select an authentication protocol: None, PAP, MSCHAP, MSCHAPv2 or GTC. In PAP, passwords are sent as plain text. MSCHAP is Microsoft’s variant of CHAP (Challenge-Handshake Authentication Protocol), which applies a hash function to the password together with a random number and sends the random number and the hash result instead of the plain password. MSCHAPv2 is the second version of MSCHAP and supports mutual authentication. GTC (Generic Token Card) is an alternative to Microsoft’s MSCHAPv2 and is developed by Cisco. Ensure that the same protocol configured on your corporate Wi-Fi network is selected here. MSCHAPv2 is set as the default authentication protocol.
Identity | Provide the username to authenticate with the authentication protocol. This field supports the use of wildcards. The supported wildcard is %username%.
Outer identity | The outer identity entered here is sent in response to the EAP identity request, allowing users to hide their real identity. During authentication, the outer identity is sent first; a secure tunnel is created for transferring the identity and password. This conceals the real identity of the user from attackers.
Password | Enter the password associated with the username provided in the ‘Identity’ field.

Settings for TLS


Supported on Android devices running version 6.0 and later with Hexnode UEM device owner privileges.

TLS Settings | Description
Identity | Provide the username to authenticate with the authentication protocol. This field supports the use of wildcards. The supported wildcard is %username%.
CA Certificate | Choose the CA certificate to be used for authentication. For this, the certificates must first be uploaded under Security > Certificates.
User Certificate | Choose the user certificate to be used for authentication. For this, the certificates must first be uploaded under Security > Certificates.

Settings for TTLS and PWD

TTLS/PWD Settings | Description
Identity | The username to get authenticated with the authentication protocol. This field supports the use of wildcards. The supported wildcard is %username%.
Password | Provide the password associated with the identity to get authenticated to the authentication protocol.
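
The settings described above imply a few checks that can be run over a Wi-Fi profile before it is pushed to devices. The following is an added example, not Hexnode code: the dictionary field names are hypothetical (they are not Hexnode's policy format) and the sample profiles are constructed.

```python
# Added example. Field names are hypothetical, not Hexnode's policy format.
def lint_wifi_profile(p):
    """Return (severity, message) findings for one Wi-Fi profile dict."""
    out = []
    sec = p.get("security_type", "WPA/WPA2 PSK")  # page: PSK is the default
    if sec == "None":
        out.append(("high", "open network: no Wi-Fi password or EAP login"))
    elif sec == "WEP":
        out.append(("high", "WEP: deprecated, and not saved on Android 10 Device Admin"))
    if sec in ("WEP", "WPA/WPA2 PSK") and len(p.get("password", "")) < 8:
        out.append(("error", "password is shorter than the 8-character minimum"))
    if sec == "802.1x EAP":
        eap = p.get("eap_method", "PEAP")  # page: PEAP is the default
        if eap == "PEAP":
            if p.get("phase2", "MSCHAPv2") == "PAP":
                out.append(("medium", "PAP phase 2 sends the password as plain text"))
            outer = p.get("outer_identity", "")
            if not outer or outer == p.get("identity"):
                out.append(("medium", "no distinct outer identity: real identity "
                                      "answers the EAP identity request"))
        elif eap == "TLS":
            for field in ("ca_certificate", "user_certificate"):
                if not p.get(field):
                    out.append(("error", f"TLS profile has no {field}"))
    if p.get("mac_randomization") == "Disable":
        out.append(("low", "factory MAC address is exposed to this network"))
    return out

# Constructed sample profiles (not real networks or credentials).
SAMPLE_PROFILES = [
    {"ssid": "corp-guest", "security_type": "WPA/WPA2 PSK", "password": "short"},
    {"ssid": "corp-peap", "security_type": "802.1x EAP", "eap_method": "PEAP",
     "phase2": "PAP", "identity": "%username%", "outer_identity": ""},
    {"ssid": "corp-tls", "security_type": "802.1x EAP", "eap_method": "TLS",
     "identity": "%username%", "ca_certificate": "corp-root-ca",
     "user_certificate": "device-cert", "mac_randomization": "Persistent"},
]

if __name__ == "__main__":
    for prof in SAMPLE_PROFILES:
        for sev, msg in lint_wifi_profile(prof) or [("ok", "no findings")]:
            print(f"{prof['ssid']}: [{sev}] {msg}")
```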

  • Multiple Wi-Fi networks can be configured by clicking on +Add more and providing the network details.
  • For devices running Android 7 and above, while enrolling them in the Android Enterprise – Device Owner mode using a QR code, you can add the Wi-Fi configuration to the QR code. This automatically connects the device to the Wi-Fi network you configure in the QR Code settings under Admin > Android Enterprise > Device Owner Settings.
  • On Android 10 devices enrolled in Hexnode UEM as Device Admin,
    • Wi-Fi profiles with WEP security will not get saved on the device.
    • Unlike other devices, the Wi-Fi configurations pushed to the device will not be shown under “Saved Networks” in the device settings.
    • If a device with no notification access permission set for the Hexnode app enters the range of the configured Wi-Fi network, the device will post a notification on the status bar asking whether to connect to the Hexnode suggested Wi-Fi network. This notification will be shown even if the device is in kiosk mode. Manually grant permission to connect to the network. If declined, any subsequent Wi-Fi configurations pushed will not be saved on the device.
  • When a Wi-Fi policy is associated for the first time with an Android 10+ device (Device Admin), a one-time prompt “Allow Suggested Wi-Fi networks” appears on the device. Click on ‘Allow’ to permit the Hexnode UEM suggested Wi-Fi networks on the device. It enables the device to connect to configured Wi-Fi networks automatically.
  [Figures: Suggested Wi-Fi network prompt; Suggested Wi-Fi network notification.]

Configuring Wi-Fi settings for Android devices via Hexnode

Push Wi-Fi configurations to Android Devices/Groups

If you haven’t saved the policy yet, associate it with devices as follows:

  1. Go to the Policy Targets tab.
  2. Click on + Add Devices.
  3. Select the devices and click OK.
  4. Click on Save.

Besides devices, you can also associate policies with device groups, users, user groups, or domains from the left pane under Policy Targets.

A policy that has already been created can also be associated with devices as follows:

  1. From Policies, choose the required policy.
  2. Under Policy Management, click on Manage.
  3. Select Associate Targets and choose the devices.
  4. Click on Associate.

What happens at the device end?

  • The details of the pushed Wi-Fi network(s) can be seen in the Policies section of the Hexnode app on the device.
  • The user can connect to the configured network without authenticating with the network password.
