
How to Set up Wi-Fi on macOS devices?

Hexnode allows you to remotely configure Wi-Fi networks from the MDM console, so that devices connect directly to the network without users having to authenticate manually. However, removing the policy forces the devices to forget the Wi-Fi network, and the users will have to authenticate manually to continue using this network.

Set up Wi-Fi network via policy

To configure Wi-Fi networks remotely via policy:

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to macOS > Network > Wi-Fi. Click Configure.

Wi-Fi for macOS devices

Wi-Fi settings and their descriptions:

  • Service Set Identifier: The name of the Wi-Fi network, abbreviated as SSID.
  • Auto join: The devices automatically connect to the network configured here when they come within range of it. Enabled by default.
  • Hidden Network: The network will not appear in the device's list of available networks. By default, connection to a hidden network is restricted.
  • Security Type: Specifies the security protocol to be used for authentication. Select a security type and configure the remaining options accordingly. The available security types are: None, WEP, WPA/WPA2, Any (Personal), WEP Enterprise, WPA/WPA2 Enterprise, Any (Enterprise).

‘None’ specifies that no security type has been set for the Wi-Fi network, which leaves the devices vulnerable. If WEP, WPA/WPA2, or Any (Personal) is selected instead, the admin should enter a valid password so that the devices can connect to the network automatically.

Alternatively, to set up an enterprise network, additional settings should be configured as mentioned below:

Configuration for WEP Enterprise, WPA/WPA2 Enterprise and Any (Enterprise) Network Security Types

Configure macOS Wi-Fi for any security type

Settings and their descriptions:

  • Accepted EAP types: Select the authentication framework for your enterprise network. The available options are TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM. TTLS is enabled by default.
  • Inner Identity (if TTLS is selected): The available options are PAP (default), CHAP, MSCHAP, and MSCHAPv2. PAP is the least secure, as it sends the password as plain text. CHAP is more secure than PAP: instead of plain text, a random number and the result of a hash function (performed on the password) are sent. MSCHAP is another variant of CHAP, introduced by Microsoft. MSCHAP requires mutual authentication. In mutual authentication, data is sent between the device and the server only after the device proves its identity to the server and the server proves its identity back to the device.
  • Use PAC (applicable only if EAP-FAST is selected): Protected Access Credentials (PAC) can be used for Wi-Fi network connections. Select this option to use an existing PAC file, if any.
  • Provision PAC (if PAC is used): The server creates a PAC file for a specific user by authenticating with the user’s password and adds it to the device. The PAC file can be used to make a connection with the network.
  • Provision PAC Anonymously (if PAC is provisioned): PAC is provisioned without authenticating with the server.
  • Username: The account name of the user. Use %username% to fetch the data automatically from the MDM console.
  • Use per connection password: The device will prompt for a password every time the user tries to connect to the network.
  • Password (if Per connection password is not used): If a password is not required for every connection, then a one-time password can be provided here.
  • Identity Certificate: To authenticate the connection, the identity certificate is sent to the server when the device connects to the Wi-Fi network. You can add a certificate by navigating to Security > Certificates > Add Certificate; the added certificates will be listed under Identity Certificate. Choose one of them.
  • Outer Identity: In response to an EAP identity request, the value entered here will be sent as the identity. For authentication, first, the outer identity will be sent in a secure tunnel, followed by the actual identification (username) of the user.
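The settings above can be reviewed before a policy reaches devices. The following is an added example, not Hexnode's code: it audits an exported profile for the weak choices described in the tables, assuming the policy is delivered as an Apple Wi-Fi configuration profile payload (com.apple.wifi.managed) and that the console fields map to Apple's payload keys as commented. The sample profile is constructed.

```python
import plistlib

# Assumption: console fields map to Apple's Wi-Fi payload keys (EncryptionType,
# EAPClientConfiguration, ...). AcceptEAPTypes holds EAP method numbers:
# 13 TLS, 17 LEAP, 18 EAP-SIM, 21 TTLS, 25 PEAP, 43 EAP-FAST.
TUNNELED = {21, 25, 43}

def audit_wifi_payload(p):
    """Return findings for one com.apple.wifi.managed payload dict."""
    findings = []
    enc, eap = p.get("EncryptionType", "Any"), p.get("EAPClientConfiguration")
    if enc == "None":
        findings.append("open network: no security type set")
    elif enc == "WEP":
        findings.append("WEP selected: obsolete encryption")
    if enc != "None" and eap is None and not p.get("Password"):
        findings.append("personal network without a password: no automatic connect")
    if eap:
        types = set(eap.get("AcceptEAPTypes", []))
        if 17 in types:
            findings.append("LEAP accepted: weak EAP type")
        if 21 in types and eap.get("TTLSInnerAuthentication") == "PAP":
            findings.append("TTLS inner identity is PAP: password sent as plain text")
        if 43 in types and eap.get("EAPFASTProvisionPACAnonymously"):
            findings.append("PAC provisioned anonymously: server not authenticated")
        if types & TUNNELED and not eap.get("OuterIdentity"):
            findings.append("no outer identity: username answers the EAP identity request")
    return findings

def audit_profile(profile_bytes):
    """Map each Wi-Fi payload's SSID to its findings."""
    profile = plistlib.loads(profile_bytes)
    return {p.get("SSID_STR", "?"): audit_wifi_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"}

# Constructed sample profile (SSIDs and values are illustrative, not from Hexnode).
WIFI = "com.apple.wifi.managed"
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": WIFI, "SSID_STR": "corp-example", "EncryptionType": "WPA",
     "EAPClientConfiguration": {"AcceptEAPTypes": [21, 43], "UserName": "%username%",
                                "TTLSInnerAuthentication": "PAP", "EAPFASTUsePAC": True,
                                "EAPFASTProvisionPAC": True,
                                "EAPFASTProvisionPACAnonymously": True}},
    {"PayloadType": WIFI, "SSID_STR": "guest-example", "EncryptionType": "None"},
    {"PayloadType": WIFI, "SSID_STR": "lab-example", "EncryptionType": "WPA2",
     "Password": "constructed-placeholder"}]})

if __name__ == "__main__":
    for ssid, findings in audit_profile(SAMPLE).items():
        print(ssid, findings or "no findings")
```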

Setting up Proxy

A proxy server serves as an intermediary between the devices and the internet, which can help secure the devices from external attacks. There are three options available: None, Manual and Automatic.

To skip setting up a proxy server, choose None. To set up a proxy, choose any of the other two options.

Manual Proxy Configuration

If you are setting up the proxy manually, enter the following details:

  • Server: The IP address of the proxy server.
  • Port: Port number associated with the proxy server.
  • Authentication: Username used to authenticate to the server.
  • Password: Password associated with the username provided above.

Automatic Configuration of Proxy Server

Choose this option to get the proxy set up automatically by providing the proxy server URL, and Hexnode will take care of the rest.

Associate the configured policy to devices/groups

If the policy has not been saved:

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click Ok. Click Save.
  3. You can also choose to associate the policy with device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If the policy has been saved:

  1. Go to the Policies tab and choose the desired policy.
  2. Click the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.