Configure the Wi-Fi Library Item

By Trevor Gerzen

Configure devices to connect to Wi-Fi networks, including enterprise networks that use 802.1X authentication


Add a Wi-Fi Library Item

Add a Wi-Fi Library Item to your Library.

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose Wi-Fi.
  3. Click Add & Configure to create and display a new Wi-Fi Library Item for editing.
  4. Give the new Wi-Fi Library Item a Title. Use the title to differentiate this Library Item from other Wi-Fi Library Items. Use a name that identifies the item — for example, the title might include the SSID or the location where the Wi-Fi configuration is used.
  5. Assign this Library Item to Blueprints containing devices you would like to deploy it to.

Configure General Settings

The General settings describe the network and device behavior unrelated to authentication.

  1. Specify the Service Set Identifier (SSID), also known as the network’s name.
  2. If you want devices to automatically join this network when it is available, select Auto join network. If you do not select Auto join network, devices will know how to connect to the network, but the user will have to choose to do so.
  3. If the network is hidden—i.e., it does not broadcast its SSID—select Hidden network. Hidden networks are not standards-compliant and are not recommended.
  4. To use IPv6 on this network, select IPv6.
  5. If you do not want to use Apple’s Captive Network Assistant on this network, select Disable captive network detection.
  6. If you wish to turn off MAC address randomization, select Disable MAC address randomization.

Configure Authentication Settings

The Wi-Fi Library Item supports pre-shared key (PSK, “personal”) authentication and 802.1X Extensible Authentication Protocol (EAP) authentication (often referred to as “enterprise Wi-Fi”). Most EAP types have additional settings that you need to configure. These settings become available when you select an EAP type. A network may support multiple authentication types, so you can choose more than one EAP type when configuring enterprise authentication.

Many older encryption protocols are no longer considered secure. Use the most up-to-date authentication and encryption supported by your network.


Use the None authentication type when no password is necessary to join the network. If a network with the specified SSID is available and does not require authentication, the device will attempt to join it.

Anyone can join a network with no password.

Pre-Shared Key

PSK authentication is commonly used in home and small business environments. Anyone who has the network’s shared password can join it.

  1. For Authentication type, choose WEP, WPA Personal, WPA2 Personal, WPA3 Personal, or Any Personal. Any Personal will work with any of the methods above, and it is useful when some locations use WPA2, and others use WPA3.
  2. Specify the Password. If you do not enter a password, the device prompts the user to enter a password when connecting to the network.

Enterprise Authentication

Enterprise authentication uses 802.1X to provide more secure authentication options when connecting to Wi-Fi networks. Enterprise authentication types include Dynamic WEP, WPA Enterprise, WPA2 Enterprise, and WPA3 Enterprise.

  1. For Authentication type, choose Dynamic WEP, WPA Enterprise, WPA2 Enterprise, or WPA3 Enterprise.
  2. On macOS, if you wish to authenticate to the network as the user that logs in at the login window, select Use as a Login Window configuration. Otherwise, the configuration is considered a System configuration, and Mac systems will be able to authenticate to the network when a user has not logged in. You can also use this option in conjunction with EAP-TLS so a certificate identity is used to authenticate the system before login, but then login window credentials are used to authenticate the user.
  3. Select the Accepted EAP Types your network supports. You may select more than one and will need to set all the settings necessary for the selected EAP types. For more information on configuring specific EAP types, refer to Configure Enterprise Wi-Fi authentication protocols.

Configure an Identity Certificate

Certain authentication types require or allow specifying an identity certificate to prove the device’s identity. These certificates can come from several sources.

Identity certificates used for network authentication should have the Client Authentication entitlement in their Extended Key Usage (EKU). Work with your network administrator to ensure the certificate service and certificate templates are configured correctly for your network.

When the Automatic profile redistribution option is selected, Kandji will check the expiration date of the issued certificate, and attempt to automatically re-install the profile to renew the certificate.

When using this option the $PROFILE_UUID will automatically be appended to the Subject in the request.

Obtain an Identity using AD CS

You can obtain identity certificates using Microsoft Active Directory Certificate Services (AD CS).

To deploy AD CS certificates via Kandji, the AD CS Integration must first be configured.
  1. If you wish to have the client device acquire an identity certificate from AD CS, choose AD CS Certificate for Identity certificate.
  2. Click Configure AD CS Certificate. A drawer opens to allow you to configure AD CS options.
  3. Enter a Certificate name. This will appear on the configuration profile shown in System Preferences.
  4. Enter a Certificate subject. The Certificate subject is typically used to identify the device within the Certificate Authority. This can be anything that you would like, such as the Kandji global variable $SERIAL_NUMBER. Using the $SERIAL_NUMBER global variable will insert the device serial number into the profile before sending it to the device.
  5. Optionally, if your environment requires it, you can Specify additional Subject Alternative Names (SAN) to be sent in the request.
  6. Enter a Template name. This is the name of the AD CS computer certificate template used to generate AD CS certificates.
  7. Select an AD CS server from the drop-down menu. AD CS servers are added during the setup of the AD CS integration.
  8. Select a Key size for the certificate.
  9. Select Allow apps to access the private key if you want to automatically allow all apps to access and use the certificate identity’s private key.
  10. Select Prevent the private key data from being extracted from the keychain to prevent the certificate and keys from being exported out of the keychain on the device.
  11. Click Done.

Obtain an Identity using SCEP

Using the Simple Certificate Enrollment Protocol (SCEP), you can obtain identity certificates. 

  1. If you wish to have the client device acquire an identity certificate from a SCEP service, choose SCEP for Identity certificate.
  2. Click Configure SCEP Certificate. A drawer opens to allow you to configure SCEP options. 
  3. Enter the URL for the SCEP server for URL.
  4. Optionally, specify a Name as needed by your SCEP server — usually the name of the CA where the SCEP service is requesting a certificate.
  5. Optionally, enter the pre-shared key as the Challenge the SCEP server expects.
  6. Optionally, enter the expected Fingerprint of the certificate authority’s certificate.
  7. Optionally, provide the name you would like to appear as the certificate identity’s Subject. You can use a static value or one of Kandji’s global variables. For example, CN=$EMAIL.
  8. Select Specify Subject Alternative Names (SAN)if you want to provide SANs for the certificate identity.
    1. For each SAN you would like to provide, click Add SAN Type
    2. Select the SAN type you would like to add: DNS Name, RFC 822 Name, Uniform Resource Identifier, or NT Principal Name.
    3. Enter the associated value you would like to add for each SAN type. You can use a static value or one of Kandji’s global variables.
  9. Choose the Key size. Work with your network administrator to ensure you choose a compatible key size — longer keys provide increased security.
  10. For Key usage, choose whether to allow the keys to be used for Signing, Encryption, Both signing and encryption, or None. Work with your network administrator to determine which entitlements are necessary.
  11. If you want the device to automatically retry obtaining a certificate if the first attempt fails, select Retries, then enter the number of retries to attempt — the default is 3.
  12. If you want to introduce a delay between retries, select Retry delay and specify the number of seconds between retries. The default is a 10 seconds delay between retries.
  13. Select Don’t allow key to be extracted to prevent exporting the certificate identity’s private key from the macOS Keychain.
  14. Select Allow access to all apps if you want to automatically allow all apps to access and use the certificate identity’s private key.
  15. Select Certificate expiration notification and specify the number of days before the certificate expires to start notifying the user. The default is to notify the user 14 days before expiration.
  16. Select Automatic profile redistribution to automatically renew the certificate the specified number of days before it expires. The default is to automatically renew the certificate 30 days before expiration.
  17. Click Done.

Import a PKCS #12 File

You may provide a single identity certificate to be used by all configured devices by uploading a Public-Key Cryptography Standards (PKCS) #12 formatted file.

All devices will use the same certificate, preventing your network administrators from identifying a device by its login and representing a single set of credentials that can be compromised to access the network. Revoking that certificate will prevent all configured devices from accessing the network.
  1. If you wish to provide a certificate in PKCS #12 format, choose PKCS #12 for the Identity certificate.
  2. Click Configure PKCS #12 to open the Configure PKCS #12 drawer. 
  3. Upload the PKCS #12 encoded certificate for the Certificate.
  4. In the Password field, provide the password to the PKCS #12 file.
  5. If you want apps to access the private key of the certificate, select Allow apps to access the private key.
  6. If you do not want the user to be able to export the private key using the keychain, select Prevent the private data from being extracted in the keychain.
  7. Click Done.

Configure Certificate Trust Settings

Specifying trusted certificates in the Wi-Fi Library Item is not recommended. If certificates are renewed or changed, you will need to redeploy the entire Wi-Fi profile, potentially causing devices to disconnect from the Wi-Fi network. 

Instead, install the trusted certificate chain for your RADIUS server(s) using a separate Certificates Library item. Then specify the name of those certificates in the Wi-Fi Library item under Specify server certificate names. See Apple Platform Deployment for more information.

Most enterprise Wi-Fi environments require that devices trust the 802.1X authentication server(s), typically a Remote Access Dial-In User Server (RADIUS). The Certificate trust settings allow you to configure which certificates presented by the server devices will trust. If a device does not trust the authentication server(s), the user will be prompted to trust it. 

  1. Select Specify trusted certificates if you want to provide certificates for the configured devices to trust. Then upload the certificates in .cer or .crt format.
  2. Select Specify server certificate names if you want to provide DNS names of certificates devices should trust. Then enter their DNS names — wildcards are accepted.
  3. Select Allow trust exceptions if you want to ask the user whether to trust the authentication server if the presented certificate fails validation. This option is deprecated in newer versions of macOS and iOS.

Configure Proxy Settings

Configure devices to use a network proxy by configuring the settings in the Proxy section.

  1. To configure network proxy settings, toggle the Proxy section to Managed.
  2. To configure devices to use a Proxy Auto-Configuration (PAC) file, select Automatic for Proxy type.
    1. Specify the Proxy PAC URL where devices can find the PAC file.
    2. If you want devices to attempt to connect directly to destinations when the PAC file is not available, select Proxy PAC fallback allowed
  3. To configure devices to use a specific proxy, choose Manual for Proxy type.
    1. Provide the Proxy server and port.
    2. If the proxy requires authentication, provide the Proxy username and Proxy password.

Configure Fast Lane Marking

Use Fast Lane on networks and devices that support Quality of Service (QoS) marking to prioritize traffic from apps on connected devices as voice, video, or real-time data. To learn more about Fast Lane, refer to iOS Compatibility with Cisco QoS Fastlane & Adaptive 802.11r.

Fast Lane is not supported by all networks or devices.
  1. If you want to manage Fast Lane marking, toggle the Fast Lane marking section to Managed.
  2. To turn off Fast Lane, choose Disable Fast Lane for all apps.
  3. To turn on Fast Lane, choose Allow specific apps
  4. Fast Lane applies to network traffic from specific apps. Click Add application to add apps to the allow list. 
  5. To add apps from your Kandji Library, enter the app’s name under Search by name. Select the apps you want to allow to use Fast Lane.
  6. You may also specify apps by Bundle ID. Click Add Bundle ID
  7. Provide the App Name and Bundle ID and click Add. You can add multiple Bundle IDs.
  8. Click Done.