Network Policy Component
The Network Policy Component allows you to control how a device connects to Wi-Fi, VPN, Bluetooth, mobile data, and other network services. Use this component to manage connectivity, data usage, and communication features on your managed devices.
CA Certificates
API reference: caCertificates[]
Type: Array<Object>
Manages trusted CA certificates installed on devices.
Supported Format: .crt
- Used for Wi-Fi EAP authentication, VPN, TLS trust chains.
- Newly uploaded certificates are staged locally before policy save.
Device Wi-Fi networks
Device Wi-Fi networks
API reference: openNetworkConfiguration
Type: object (Struct format)
Network configuration for the device. You can use policy to configure Wi-Fi networks on a device. The Android Management API uses Open Network Configuration, a standard JSON-based format originally developed as part of the Chromium project.
To include an Open Network Configuration in a Policy, set the openNetworkConfiguration field on a Policy resource.
For fully managed devices, you can optionally prevent users from manually configuring Wi-Fi settings by setting wifiConfigDisabled to true in the Policy resource.
API specific note — Struct
Struct represents a structured data value, consisting of fields which map to dynamically typed values. The JSON representation for Struct is a JSON object.
| Field name | Type | Description |
|---|---|---|
| fields | map<string, Value> | Map of dynamically typed values. |
Network Configurations
API reference: openNetworkConfiguration.NetworkConfigurations[]
Type: Array<object>
Defines the list of network configurations applied to the device. Each item inside NetworkConfigurations[] represents one Wi-Fi configuration profile.
Name
API reference: openNetworkConfiguration.NetworkConfigurations[].Name
Type: string
Friendly display name of the network configuration shown to the user.
Wi-Fi Configuration
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi
Type: object
Contains Wi-Fi-specific configuration settings.
Wi-Fi SSID
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.SSID
Type: string
The Wi-Fi network name the device connects to.
SSIDandHexSSIDare supported.- At least one of them must be present.
- If both are set, the values must be consistent.
Auto Connect
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.AutoConnect
Type: boolean
Determines whether the network is automatically enabled.
true— The network is enabled and the device can connect automatically.false— The network is saved but not enabled. The user must manually connect once before auto-connect applies.
Hidden SSID
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.HiddenSSID
Type: boolean
Defines whether the Wi-Fi network is hidden (not broadcasting its SSID). Enable this when connecting to hidden enterprise networks.
Security Type
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.Security
Type: enum
Defines the Wi-Fi authentication and encryption type.
| Option | Enum | Description |
|---|---|---|
| Open | None | No authentication required. |
| WEP PSK | WEP-PSK | WEP passphrase authentication. |
| WPA PSK | WPA-PSK | WPA/WPA2 personal authentication. |
| WPA Enterprise | WPA-EAP | Enterprise authentication using EAP. |
| WEP Enterprise | WEP-8021X | WEP with enterprise authentication. |
| WPA3 Enterprise 192-bit | WPA3-Enterprise_192 | WPA3 enterprise high-security mode. |
Password (Passphrase)
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.Passphrase
Type: string
Controls the Wi-Fi network password. Applicable when Security = WEP-PSK or WPA-PSK.
For
WEP-PSKpassphrases, only 40-bit (10-digit) or 104-bit (26-digit) passphrases are supported.
MAC Address Randomization Mode
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.MACAddressRandomizationMode
Type: enum
Controls which MAC address is used when connecting to the Wi-Fi network.
| Option | Enum | Description |
|---|---|---|
| Hardware | Hardware | Uses the device factory MAC address. |
| Automatic | Automatic | System automatically determines MAC randomization behavior. |
Enterprise (EAP) Configuration
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP
Type: object
Applicable when Security = WPA-EAP or WEP-8021X. Contains enterprise authentication settings.
Identity
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Identity — Type: string
Defines the identity used for enterprise authentication.
Outer Authentication
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Outer
Type: enum
| Option | Enum | Description |
|---|---|---|
| EAP TLS | EAP-TLS | Certificate-based authentication. |
| EAP TTLS | EAP-TTLS | Tunneled TLS authentication. |
| PEAP | PEAP | Protected EAP authentication. |
| EAP SIM | EAP-SIM | SIM-based authentication. |
| EAP AKA | EAP-AKA | Authentication and Key Agreement. |
Inner Authentication
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Inner
Type: enum — Applicable when Outer = PEAP or EAP-TTLS.
| Option | Enum | Description |
|---|---|---|
| MSCHAPv2 | MSCHAPv2 | Username/password authentication. |
| PAP | PAP | Password Authentication Protocol. |
Domain Suffix Match
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.DomainSuffixMatch — Type: Array<String>
Defines trusted authentication server domains.
Enterprise Wi-Fi configurations without this field are considered insecure and may be rejected by the platform.
Client Certificate Type
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ClientCertType
| Option | Enum | Description |
|---|---|---|
| Certificate Reference | Ref | References an uploaded certificate. |
| Key Pair Alias | KeyPairAlias | Uses an installed device key pair. |
Server Certificate References
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ServerCARefs — Type: Array<String>
Defines trusted server certificate references used during authentication.
APN Policy
APN Policy
API reference: apnPolicy — Type: object
Access Point Name (APN) policy. Configuration for Access Point Names which may override any other APNs on the device.
OverrideApns
Whether override APNs are disabled or enabled.
| Option | Enum | Description |
|---|---|---|
| Unspecified | OVERRIDE_APNS_UNSPECIFIED | Defaults to OVERRIDE_APNS_DISABLED. |
| Enabled | OVERRIDE_APNS_ENABLED | Only override APNs are in use. Only supported on fully managed devices on Android 10+. |
| Disabled | OVERRIDE_APNS_DISABLED | Override APNs disabled. Any configured apnSettings are saved but disabled. |
APN Settings
API reference: apnTypes — Type: enum
APN Types
| Enum | Description |
|---|---|
ENTERPRISE | APN type for enterprise traffic. Supported on Android 13+. |
BIP | APN type for Bearer Independent Protocol. Fully managed devices on Android 12+. |
CBS | APN type for Carrier Branded Services. Fully managed devices only. |
DEFAULT | APN type for default data traffic. Fully managed devices only. |
DUN | APN type for Dial-up networking traffic. Fully managed devices only. |
EMERGENCY | APN type for Emergency PDN. Fully managed devices only. |
FOTA | APN type for Firmware Over-the-Air portal. Fully managed devices only. |
HIPRI | APN type for high-priority traffic. Fully managed devices only. |
IMS | APN type for IP Multimedia Subsystem traffic. Fully managed devices only. |
MMS | APN type for Multimedia Messaging Service traffic. Fully managed devices only. |
RCS | APN type for Rich Communication Services. Fully managed devices on Android 15+. |
SUPL | APN type for Secure User Plane Location assisted GPS. Fully managed devices only. |
Apn
API reference: apn — Type: string
Name of the APN. Policy will be rejected if this field is empty.
Display Name
API reference: displayName — Type: string
Human-readable name that describes the APN. Policy will be rejected if this field is empty.
Always On Setting
API reference: alwaysOnSetting — Type: enum
| Option | Enum | Description |
|---|---|---|
| Unspecified | ALWAYS_ON_SETTING_UNSPECIFIED | Defaults to NOT_ALWAYS_ON. |
| Not Always On | NOT_ALWAYS_ON | The PDU session should not be always on. |
| Always On | ALWAYS_ON | The PDU session should always be on. Supported on Android 15+. |
Auth Type
API reference: authType — Type: enum
| Enum | Description |
|---|---|
AUTH_TYPE_UNSPECIFIED | Unspecified. Defaults to NONE if username empty, otherwise PAP_OR_CHAP. |
NONE | Authentication is not required. |
PAP | Authentication type for PAP. |
CHAP | Authentication type for CHAP. |
PAP_OR_CHAP | Authentication type for PAP or CHAP. |
Protocol
API reference: protocol — Type: enum
| Enum | Description |
|---|---|
PROTOCOL_UNSPECIFIED | The protocol is not specified. |
IP | Internet protocol. |
IPV4V6 | Dual IP stack. |
IPV6 | Internet protocol, version 6. |
NON_IP | Transfer of Non-IP data to external packet data network. |
PPP | Point to point protocol. |
UNSTRUCTURED | Transfer of Unstructured data to the Data Network via N6. |
Proxy Configuration
Default network proxy configuration on device
API reference: recommendedGlobalProxy
The network-independent global HTTP proxy. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
Proxy Modes
| Mode | Description |
|---|---|
| NONE | No proxy. |
| HOST | Manual proxy. |
| PAC | PAC file. |
ProxyInfo
Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excludedHosts fields. For a PAC script proxy, set the pacUri field.
Host
API reference: host — Type: string
The host of the direct proxy.
Port
API reference: port — Type: string
The port of the direct proxy.
excludedHosts
API reference: excludedHosts[] — Type: string
Hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
pacUri
API reference: pacUri — Type: string
The URI of the PAC script used to configure the proxy.
Global VPN configuration on device
Global VPN configuration on device
API reference: alwaysOnVpnPackage — Type: object
Configuration for an always-on VPN connection. Use with vpnConfigDisabled to prevent modification of this setting.
| Field | API Reference | Type | Description |
|---|---|---|---|
| VPN Package | packageName | string | The package name of the VPN app. |
| Block networking if VPN isn't connected | lockdownEnabled | boolean | Disallows networking when the VPN is not connected. |
If lockdown enabled → Device traffic is forced through VPN.
Location Mode
API reference: locationMode — Type: enum
The degree of location detection enabled on work profile and fully managed devices.
| Option | Enum | Description |
|---|---|---|
| Default | LOCATION_MODE_UNSPECIFIED | Defaults to LOCATION_USER_CHOICE. |
| User Choice | LOCATION_USER_CHOICE | Location setting is not restricted on the device. |
| Location Enforced | LOCATION_ENFORCED | Enable location setting on the device. |
| No location | LOCATION_DISABLED | Disable location setting on the device. |
Preferential Network Service
API reference: preferentialNetworkService — Type: enum
Controls whether preferential network service is enabled on the work profile or fully managed devices.
| Option | Enum | Description |
|---|---|---|
| Default | PREFERENTIAL_NETWORK_SERVICE_UNSPECIFIED | Defaults to PREFERENTIAL_NETWORK_SERVICES_DISABLED. |
| Enabled | PREFERENTIAL_NETWORK_SERVICE_ENABLED | Enabled on work profile. Supported on Android 12+ for work profiles, Android 13+ for fully managed. |
| Disabled | PREFERENTIAL_NETWORK_SERVICE_DISABLED | Preferential network service is disabled. |
Enable bluetooth contact sharing on device
API reference: bluetoothContactSharingDisabled — Type: boolean
Whether bluetooth contact sharing is disabled.
Enable bluetooth configuration on device
API reference: bluetoothConfigDisabled — Type: boolean
Whether configuring bluetooth is disabled.
Enable cell broadcast configuration on device
API reference: cellBroadcastsConfigDisabled — Type: boolean
Whether configuring cell broadcast is disabled.
Enable mobile network configuration on device
API reference: mobileNetworksConfigDisabled — Type: boolean
Whether configuring mobile networks is disabled.
Enable VPN configuration on device
API reference: vpnConfigDisabled — Type: boolean
Whether configuring VPN is disabled.
Enable Wi-Fi configuration on device
API reference: wifiConfigDisabled — Type: boolean
Whether configuring Wi-Fi networks is disabled. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration.
Enable network reset setting on device
API reference: networkResetDisabled — Type: boolean
Whether resetting network settings is disabled.
Enable NFC sending data from apps on device
API reference: outgoingBeamDisabled — Type: boolean
Whether using NFC to beam data from apps is disabled.
Enable outgoing phone calls from device
API reference: outgoingCallsDisabled — Type: boolean
Whether outgoing calls are disabled.
Enable outgoing SMS from device
API reference: smsDisabled — Type: boolean
Whether sending and receiving SMS messages is disabled.
Enable data roaming on device
API reference: dataRoamingDisabled — Type: boolean
Whether roaming data services are disabled.
Enable bluetooth on device
API reference: bluetoothDisabled — Type: boolean
Whether bluetooth is disabled. Prefer this setting over bluetoothConfigDisabled because bluetoothConfigDisabled can be bypassed by the user.
Network Escape Hatch
API reference: networkEscapeHatchEnabled — Type: boolean
Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting.
Setting
wifiConfigDisabledto true will override this setting under specific circumstances.