Network Policy Component
The Network Policy Component allows you to control how a device connects to Wi-Fi, VPN, Bluetooth, mobile data, and other network services.
Use this component to manage connectivity, data usage, and communication features on your managed devices.

CA Certificates
API reference: caCertificates[]
Type: Array<Object>
Manages trusted CA certificates installed on devices.
Supported Format: .crt
Description
- Used for Wi-Fi EAP authentication, VPN, TLS trust chains.
- Newly uploaded certificates are staged locally before policy save.
Device Wi-Fi networks
API reference: openNetworkConfiguration
Type: object (Struct format)
Network configuration for the device. See Configure networks for more information.
You can use policy to configure Wi-Fi networks on a device. The Android Management API uses Open Network Configuration, a standard JSON-based format originally developed as part of the Chromium project.
To include an Open Network Configuration in a Policy, set the openNetworkConfiguration field on a Policy resource.
For fully managed devices, you can optionally prevent users from manually configuring Wi-Fi settings by setting wifiConfigDisabled to true in the Policy resource.
API-specific note
Struct
Struct represents a structured data value, consisting of fields which map to dynamically typed values. In some languages, Struct might be supported by a native representation. For example, in scripting languages like JS a struct is represented as an object. The details of that representation are described together with the proto support for the language.
The JSON representation for Struct is JSON object.
| Field name | Type | Description |
|---|---|---|
| fields | map<string, Value> | Map of dynamically typed values. |
Network Configurations
API reference: openNetworkConfiguration.NetworkConfigurations[]
Type: Array<object>
Defines the list of network configurations applied to the device.
Each item inside NetworkConfigurations[] represents one Wi-Fi configuration profile.
Name
API reference: openNetworkConfiguration.NetworkConfigurations[].Name
Type: string
Friendly display name of the network configuration shown to the user.
Wi-Fi Configuration
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi
Type: object
Contains Wi-Fi-specific configuration settings.
Wi-Fi SSID
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.SSID
Type: string
The Wi-Fi network name the device connects to.
- SSID and HexSSID are supported.
- At least one of them must be present.
- If both are set, the values must be consistent.
Auto Connect
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.AutoConnect
Type: boolean
Determines whether the network is automatically enabled.
- true: The network is enabled, meaning the device can connect to it automatically without explicit user selection in Wi-Fi settings, unless the user disables auto-connect for this network.
- false: The network is added to the list of saved networks but is not enabled. The device doesn't connect to it automatically. For the device to connect to the network, the user must manually select the network once from the Wi-Fi settings. After the first manual connection, the network is treated as enabled and the device can connect to it automatically, unless the user disables auto-connect for this network.
Hidden SSID
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.HiddenSSID
Type: boolean
Defines whether the Wi-Fi network is hidden (not broadcasting its SSID).
Enable this when connecting to hidden enterprise networks.
Security Type
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.Security
Type: enum
Defines the Wi-Fi authentication and encryption type.
Options
Password (Passphrase)
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.Passphrase
Type: string
Controls the Wi-Fi network password.
Applicable when:
Security = WEP-PSK or WPA-PSK.
For WEP-PSK passphrases, only 40-bit (10-digit) or 104-bit (26-digit) passphrases are supported.
The specification states that WEP-PSK passphrases must start with the prefix 0x. However, for consistency with the Android Framework, this prefix is not required.
MAC Address Randomization Mode
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.MACAddressRandomizationMode
Type: enum
Controls which MAC address is used when connecting to the Wi-Fi network.
Options
| Option | Enum | Description |
|---|---|---|
| Hardware | Hardware | Uses the device factory MAC address. |
| Automatic | Automatic | System automatically determines MAC randomization behavior. |
Enterprise (EAP) Configuration
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP
Type: object
Applicable when:
Security = WPA-EAP or WEP-8021X.
Contains enterprise authentication settings.
Identity
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Identity
Type: string
Defines the identity used for enterprise authentication.
Outer Authentication
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Outer
Type: enum
Defines the outer EAP authentication method.
Options
Inner Authentication
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.Inner
Type: enum
Defines inner authentication type.
Applicable when:
Outer = PEAP or EAP-TTLS.
Options
| Option | Enum | Description |
|---|---|---|
| MSCHAPv2 | MSCHAPv2 | Username/password authentication. |
| PAP | PAP | Password Authentication Protocol. |
Domain Suffix Match
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.DomainSuffixMatch
Type: Array<String>
Defines trusted authentication server domains.
Enterprise Wi-Fi configurations without this field are considered insecure and may be rejected by the platform.
Client Certificate Type
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ClientCertType
Type: enum
Defines how client certificates are referenced.
Options
| Option | Enum | Description |
|---|---|---|
| Certificate Reference | Ref | References an uploaded certificate. |
| Key Pair Alias | KeyPairAlias | Uses an installed device key pair. |
Client Certificate Reference
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ClientCertRef
Type: string
References the client certificate GUID from certificate configuration.
Applicable when:
ClientCertType = Ref
Client Certificate Key Pair Alias
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ClientCertKeyPairAlias
Type: string
References an installed device key pair alias.
Applicable when:
ClientCertType = KeyPairAlias
Server Certificate References
API reference: openNetworkConfiguration.NetworkConfigurations[].WiFi.EAP.ServerCARefs
Type: Array<String>
Defines trusted server certificate references used during authentication.
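The Wi-Fi rules above (SSID/HexSSID presence and consistency, WEP-PSK passphrase length, the EAP "Applicable when" conditions and the DomainSuffixMatch requirement) can be checked before a policy is saved. The following is an added example, not part of the product or the Android Management API; the function names and sample values are constructed, and it assumes that HexSSID is the hex encoding of the UTF-8 SSID and that WEP "digits" are hexadecimal.

```python
import re

# Page rule: WEP-PSK passphrases are 10 or 26 digits; the 0x prefix is optional.
# Assumption: "digits" means hexadecimal digits.
WEP_KEY = re.compile(r"(?:0x)?(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})")
PSK_TYPES = {"WEP-PSK", "WPA-PSK"}
EAP_TYPES = {"WPA-EAP", "WEP-8021X"}
TUNNELLED_OUTER = {"PEAP", "EAP-TTLS"}


def check_eap(eap):
    """Findings for the WiFi.EAP object of an enterprise network."""
    if not isinstance(eap, dict):
        return ["EAP object expected for WPA-EAP / WEP-8021X"]
    out = []
    if not eap.get("DomainSuffixMatch"):
        out.append("EAP.DomainSuffixMatch missing: considered insecure, may be rejected")
    if "Inner" in eap and eap.get("Outer") not in TUNNELLED_OUTER:
        out.append("EAP.Inner only applies when Outer is PEAP or EAP-TTLS")
    cert_type = eap.get("ClientCertType")
    if cert_type == "Ref" and not eap.get("ClientCertRef"):
        out.append("ClientCertType=Ref needs ClientCertRef")
    if cert_type == "KeyPairAlias" and not eap.get("ClientCertKeyPairAlias"):
        out.append("ClientCertType=KeyPairAlias needs ClientCertKeyPairAlias")
    return out


def check_network(net):
    """Findings for one NetworkConfigurations[] item."""
    out = []
    wifi = net.get("WiFi") or {}
    ssid, hex_ssid = wifi.get("SSID"), wifi.get("HexSSID")
    if ssid is None and hex_ssid is None:
        out.append("SSID or HexSSID must be present")
    elif ssid is not None and hex_ssid is not None:
        # Assumption: HexSSID is the hex encoding of the UTF-8 SSID bytes.
        try:
            same = bytes.fromhex(hex_ssid) == ssid.encode("utf-8")
        except ValueError:
            same = False
        if not same:
            out.append("SSID and HexSSID are inconsistent")

    security = wifi.get("Security")
    if security in PSK_TYPES:
        phrase = wifi.get("Passphrase")
        if not phrase:
            out.append(f"{security} needs Passphrase")
        elif security == "WEP-PSK" and not WEP_KEY.fullmatch(phrase):
            out.append("WEP-PSK Passphrase must be 10 or 26 hex digits")
    elif security in EAP_TYPES:
        out.extend(check_eap(wifi.get("EAP")))
    return out


def check_onc(onc):
    """Map each network Name to its findings (empty list: no rule tripped)."""
    return {n.get("Name", "<unnamed>"): check_network(n)
            for n in onc.get("NetworkConfigurations", [])}


# Constructed sample openNetworkConfiguration; GUIDs and domains are placeholders.
SAMPLE_ONC = {"NetworkConfigurations": [
    {"Name": "Corp-EAP", "WiFi": {
        "SSID": "corp", "HexSSID": "636f7270", "Security": "WPA-EAP",
        "EAP": {"Outer": "PEAP", "Inner": "MSCHAPv2",
                "Identity": "user@example.com",
                "DomainSuffixMatch": ["radius.example.com"],
                "ServerCARefs": ["ca-guid-placeholder"]}}},
    {"Name": "Lab-EAP", "WiFi": {
        "SSID": "lab", "HexSSID": "6c6162ff", "Security": "WPA-EAP",
        "EAP": {"Outer": "EAP-TLS", "Inner": "PAP", "ClientCertType": "Ref"}}},
    {"Name": "Legacy-WEP", "WiFi": {
        "HexSSID": "6c6567", "Security": "WEP-PSK", "Passphrase": "0x12345"}},
]}

if __name__ == "__main__":
    for name, findings in check_onc(SAMPLE_ONC).items():
        print(name, findings or "ok")
```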
APN Policy
API reference: apnPolicy
Type: object
Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
OverrideApns
API reference: Enum
Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled for more details.
Options
| Option | Enum | Description |
|---|---|---|
| Unspecified | OVERRIDE_APNS_UNSPECIFIED | Unspecified. Defaults to OVERRIDE_APNS_DISABLED. |
| Enabled | OVERRIDE_APNS_ENABLED | Override APNs enabled. Only override APNs are in use, any other APNs are ignored. This can only be set on fully managed devices on Android 10 and above. For work profiles override APNs are enabled via preferentialNetworkServiceSettings and this value cannot be set. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| Disabled | OVERRIDE_APNS_DISABLED | Override APNs disabled. Any configured apnSettings are saved on the device, but are disabled and have no effect. Any other APNs on the device remain in use. |
APN Settings
API reference: apnTypes
Type: enum
APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE, they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting's with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
APN Types
| Enum | Description |
|---|---|
| ENTERPRISE | APN type for enterprise traffic. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13. |
| BIP | APN type for BIP (Bearer Independent Protocol). This can only be set on fully managed devices on Android 12 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 12. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| CBS | APN type for CBS (Carrier Branded Services). This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| DEFAULT | APN type for default data traffic. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| DUN | APN type for DUN (Dial-up networking) traffic. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| EMERGENCY | APN type for Emergency PDN. This is not an IA APN, but is used for access to carrier services in an emergency call situation. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| FOTA | APN type for accessing the carrier's FOTA (Firmware Over-the-Air) portal, used for over-the-air updates. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| HIPRI | APN type for HiPri (high-priority) traffic. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| IA | APN type for IA (Initial Attach) APN. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| IMS | APN type for IMS (IP Multimedia Subsystem) traffic. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| MCX | APN type for MCX (Mission Critical Service) where X can be PTT/Video/Data. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| MMS | APN type for MMS (Multimedia Messaging Service) traffic. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| RCS | APN type for RCS (Rich Communication Services). This can only be set on fully managed devices on Android 15 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 15. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| SUPL | APN type for SUPL (Secure User Plane Location) assisted GPS. This can only be set on fully managed devices. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| VSIM | APN type for VSIM (Virtual SIM) service. This can only be set on fully managed devices on Android 12 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 12. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
| XCAP | APN type for XCAP (XML Configuration Access Protocol) traffic. This can only be set on fully managed devices on Android 11 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 11. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles. |
APN
API reference: apn
Type: string
Name of the APN. Policy will be rejected if this field is empty.
Display Name
API reference: displayName
Type: string
Human-readable name that describes the APN. Policy will be rejected if this field is empty.
Always On Setting
API reference: alwaysOnSetting
Type: enum
Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
Options
| Option | Enum | Description |
|---|---|---|
| Unspecified | ALWAYS_ON_SETTING_UNSPECIFIED | Unspecified. Defaults to NOT_ALWAYS_ON. |
| Not Always On | NOT_ALWAYS_ON | The PDU session brought up by this APN should not be always on. |
| Always On | ALWAYS_ON | The PDU session brought up by this APN should always be on. Supported on Android 15 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 15. |
Auth Type
API reference: authType
Type: enum
Options
| Enum | Description |
|---|---|
| AUTH_TYPE_UNSPECIFIED | Unspecified. If username is empty, defaults to NONE. Otherwise, defaults to PAP_OR_CHAP. |
| NONE | Authentication is not required. |
| PAP | Authentication type for PAP. |
| CHAP | Authentication type for CHAP. |
| PAP_OR_CHAP | Authentication type for PAP or CHAP. |
Carrier Id
API reference: carrierId
Type: integer
Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
MMS Proxy Address
API reference: mmsProxyAddress
Type: string
MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
MMS Proxy Port
API reference: mmsProxyPort
Type: integer
MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
mmsc
API reference: mmsc
Type: string
MMSC (Multimedia Messaging Service Center) URI of the APN.
mtuV4 (supported on Android 13+)
API reference: mtuV4
Type: integer
The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
mtuV6 (supported on Android 13+)
API reference: mtuV6
Type: integer
The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
MVNO Type
API reference: mvnoType
Type: enum
Options
| Enum | Description |
|---|---|
| MVNO_TYPE_UNSPECIFIED | The MVNO type is not specified. |
| GID | MVNO type for group identifier level 1. |
| ICCID | MVNO type for ICCID. |
| IMSI | MVNO type for IMSI. |
| SPN | MVNO type for SPN (service provider name). |
Network Types
API reference: networkTypes[]
Type: enum
Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
Options
| Enum | Description |
|---|---|
| EDGE | Radio technology EDGE. |
| GPRS | Radio technology GPRS. |
| GSM | Radio technology GSM. |
| HSDPA | Radio technology HSDPA. |
| HSPA | Radio technology HSPA. |
| HSPAP | Radio technology HSPAP. |
| HSUPA | Radio technology HSUPA. |
| IWLAN | Radio technology IWLAN. |
| LTE | Radio technology LTE. |
| NR | Radio technology NR (New Radio) 5G. |
| TD_SCDMA | Radio technology TD_SCDMA. |
| UMTS | Radio technology UMTS. |
Username
API reference: username
Type: string
Username for the APN.
Password
API reference: password
Type: string
Password for the APN.
Numeric Operator ID
API reference: numericOperatorId
Type: string
The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
Protocol
API reference: protocol
Type: enum
The protocol to use to connect to this APN.
Options
| Enum | Description |
|---|---|
| PROTOCOL_UNSPECIFIED | The protocol is not specified. |
| IP | Internet protocol. |
| IPV4V6 | Virtual PDP type introduced to handle dual IP stack UE capability. |
| IPV6 | Internet protocol, version 6. |
| NON_IP | Transfer of Non-IP data to external packet data network. |
| PPP | Point to point protocol. |
| UNSTRUCTURED | Transfer of Unstructured data to the Data Network via N6. |
Roaming Protocol
API reference: roamingProtocol
Type: enum
The protocol to use to connect to this APN while the device is roaming.
Options
| Enum | Description |
|---|---|
| PROTOCOL_UNSPECIFIED | The protocol is not specified. |
| IP | Internet protocol. |
| IPV4V6 | Virtual PDP type introduced to handle dual IP stack UE capability. |
| IPV6 | Internet protocol, version 6. |
| NON_IP | Transfer of Non-IP data to external packet data network. |
| PPP | Point to point protocol. |
| UNSTRUCTURED | Transfer of Unstructured data to the Data Network via N6. |
Proxy Address
API reference: proxyAddress
Type: string
The proxy address of the APN.
Proxy Port
API reference: proxyPort
Type: integer
The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
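The rejection rules for APN settings (empty apn or displayName, negative numeric values, bad networkTypes, and the ten-field conflict rule) and the per-type NonComplianceDetail reasons from the APN Types table can be evaluated ahead of deployment. The following is an added example, not part of the product or the Android Management API; the function names and sample settings are constructed, and it assumes that an omitted field, 0 and an empty string all count as "not set" when comparing settings.

```python
from collections import defaultdict

# Fields the page lists for conflict detection between two ApnSettings.
CONFLICT_FIELDS = ("numericOperatorId", "apn", "proxyAddress", "proxyPort",
                   "mmsProxyAddress", "mmsProxyPort", "mmsc", "mvnoType",
                   "protocol", "roamingProtocol")
NON_NEGATIVE = ("carrierId", "proxyPort", "mmsProxyPort", "mtuV4", "mtuV6")
# Minimum Android version per APN type, from the APN Types table (others: 10).
TYPE_MIN_ANDROID = {"ENTERPRISE": 13, "BIP": 12, "RCS": 15, "VSIM": 12, "XCAP": 11}


def conflict_key(setting):
    # Assumption: an omitted field, 0 and "" all mean "not set" and compare equal.
    return tuple(setting.get(f) or None for f in CONFLICT_FIELDS)


def check_apn_settings(settings):
    """Findings that, per the page, cause the policy to be rejected."""
    findings = []
    seen = defaultdict(list)
    for i, s in enumerate(settings):
        label = f"apnSettings[{i}]"
        for field in ("apn", "displayName"):
            if not s.get(field):
                findings.append(f"{label}: {field} is empty")
        for field in NON_NEGATIVE:
            if (s.get(field) or 0) < 0:
                findings.append(f"{label}: {field} is negative")
        types = s.get("networkTypes", [])
        if "NETWORK_TYPE_UNSPECIFIED" in types or len(set(types)) != len(types):
            findings.append(f"{label}: networkTypes is unspecified or has duplicates")
        seen[conflict_key(s)].append(i)
    for indexes in seen.values():
        if len(indexes) > 1:
            findings.append(f"apnSettings{indexes} conflict: all comparison fields match")
    return findings


def predicted_noncompliance(setting, android_version, work_profile):
    """NonComplianceDetail reasons the page describes for one setting on a device."""
    reasons = set()
    if android_version < 10:
        reasons.add("API_LEVEL")
    if work_profile and android_version < 13:
        reasons.add("MANAGEMENT_MODE")
    for apn_type in setting.get("apnTypes", []):
        if android_version < TYPE_MIN_ANDROID.get(apn_type, 10):
            reasons.add("API_LEVEL")
        if work_profile and apn_type != "ENTERPRISE":
            reasons.add("MANAGEMENT_MODE")
    if setting.get("alwaysOnSetting") == "ALWAYS_ON" and android_version < 15:
        reasons.add("API_LEVEL")
    if (setting.get("mtuV4") or setting.get("mtuV6")) and android_version < 13:
        reasons.add("API_LEVEL")
    return reasons


# Constructed sample settings; operator ID and APN names are placeholders.
SAMPLE_APNS = [
    {"apn": "corp.example", "displayName": "Corp data", "numericOperatorId": "00101",
     "apnTypes": ["ENTERPRISE"], "networkTypes": ["LTE", "NR"], "protocol": "IPV4V6"},
    {"apn": "corp.example", "displayName": "Corp data (copy)",
     "numericOperatorId": "00101", "apnTypes": ["DEFAULT"],
     "networkTypes": ["LTE", "LTE"], "protocol": "IPV4V6", "proxyPort": 0},
    {"apn": "", "displayName": "Broken", "numericOperatorId": "00101",
     "apnTypes": ["RCS"], "carrierId": -1, "alwaysOnSetting": "ALWAYS_ON"},
]

if __name__ == "__main__":
    for finding in check_apn_settings(SAMPLE_APNS):
        print(finding)
    print(predicted_noncompliance(SAMPLE_APNS[0], 12, work_profile=True))
```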
Proxy Configuration
Default network proxy configuration on device
API reference: recommendedGlobalProxy (ProxyInfo)
The network-independent global HTTP proxy. Typically, proxies should be configured per-network in openNetworkConfiguration. However, for unusual configurations like general internal filtering, a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
Proxy Modes
| Mode | Description |
|---|---|
| NONE | No proxy |
| HOST | Manual proxy |
| PAC | PAC file |
ProxyInfo
Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excludedHosts fields. For a PAC script proxy, set the pacUri field.
HOST Mode Fields
Applicable when:
recommendedGlobalProxy.host.
Host
API reference: host
Type: string
The host of the direct proxy.
Port
API reference: port
Type: string
The port of the direct proxy.
excludedHosts
API reference: excludedHosts[]
Type: string
For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
PAC Mode Fields
Applicable when:
recommendedGlobalProxy.pacUri.
pacUri
API reference: pacUri
Type: string
The URI of the PAC script used to configure the proxy.
Global VPN configuration on device
API reference: alwaysOnVpnPackage
Type: object
Configuration for an always-on VPN connection. Use with vpnConfigDisabled to prevent modification of this setting.
Fields
| Field | API Reference | Type | Description |
|---|---|---|---|
| VPN Package | packageName | string | The package name of the VPN app. |
| Block networking if VPN isn't connected | lockdownEnabled | boolean | Disallows networking when the VPN is not connected. |
Note: When lockdownEnabled is true, networking is blocked whenever the VPN is not connected, so device traffic is forced through the VPN.
Location Mode
API reference: locationMode
Type: enum
The degree of location detection enabled on work profile and fully managed devices.
| Option | Enum | Description |
|---|---|---|
| Default | LOCATION_MODE_UNSPECIFIED | Defaults to LOCATION_USER_CHOICE. |
| User Choice | LOCATION_USER_CHOICE | Location setting is not restricted on the device. No specific behavior is set or enforced. |
| Location Enforced | LOCATION_ENFORCED | Enable location setting on the device. Important: On Android 11 and above, work profiles on company-owned devices cannot directly enforce enabling of location services. When LOCATION_ENFORCED is set, then a NonComplianceDetail with USER_ACTION is reported. Compliance can only be restored once the user manually turns on location services through the device's Settings application. |
| No location | LOCATION_DISABLED | Disable location setting on the device. Important: On Android 11 and above, work profiles on company-owned devices cannot directly enforce disabling of location services. When LOCATION_DISABLED is set, then a NonComplianceDetail with USER_ACTION is reported. Compliance can only be restored once the user manually turns off location services through the device's Settings application. |
Preferential Network Service
API reference: preferentialNetworkService
Type: enum
Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees' devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
See preferentialNetworkService for details.
| Option | Enum | Description |
|---|---|---|
| Default | PREFERENTIAL_NETWORK_SERVICE_UNSPECIFIED | Unspecified. Defaults to PREFERENTIAL_NETWORK_SERVICES_DISABLED. |
| Enabled | PREFERENTIAL_NETWORK_SERVICE_ENABLED | Preferential network service is enabled on the work profile. This setting is only supported on work profiles on devices running Android 12 or above. Starting with Android 13, fully managed devices are also supported. |
| Disabled | PREFERENTIAL_NETWORK_SERVICE_DISABLED | Preferential network service is disabled on the work profile. |
Enable bluetooth contact sharing on device
API reference: bluetoothContactSharingDisabled
Type: boolean
Whether bluetooth contact sharing is disabled.
Enable bluetooth configuration on device
API reference: bluetoothConfigDisabled
Type: boolean
Whether configuring bluetooth is disabled.
Enable cell broadcast configuration on device
API reference: cellBroadcastsConfigDisabled
Type: boolean
Whether configuring cell broadcast is disabled.
Enable mobile network configuration on device
API reference: mobileNetworksConfigDisabled
Type: boolean
Whether configuring mobile networks is disabled.
Enable tethering/hotspot configuration on device (deprecated)
API reference: tetheringConfigDisabled
Type: boolean
Please use deviceConnectivityManagement.tetheringSettings instead.
Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
Enable VPN configuration on device
API reference: vpnConfigDisabled
Type: boolean
Whether configuring VPN is disabled.
Enable Wi-Fi configuration on device (deprecated)
API reference: wifiConfigDisabled
Type: boolean
Please use deviceConnectivityManagement.configureWifi instead.
Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can't be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
Enable network reset setting on device
API reference: networkResetDisabled
Type: boolean
Whether resetting network settings is disabled.
Enable NFC sending data from apps on device
API reference: outgoingBeamDisabled
Type: boolean
Whether using NFC to beam data from apps is disabled.
Enable outgoing phone calls from device
API reference: outgoingCallsDisabled
Type: boolean
Whether outgoing calls are disabled.
Enable location sharing from device
API reference: shareLocationDisabled
Type: boolean
Whether location sharing is disabled.
Enable outgoing SMS from device
API reference: smsDisabled
Type: boolean
Whether sending and receiving SMS messages is disabled.
Enable data roaming on device
API reference: dataRoamingDisabled
Type: boolean
Whether roaming data services are disabled.
Enable bluetooth on device
API reference: bluetoothDisabled
Type: boolean
Whether bluetooth is disabled. Prefer this setting over bluetoothConfigDisabled because bluetoothConfigDisabled can be bypassed by the user.
Allow users to temporarily connect to a local Wi-Fi network if no connection found on device boot, only until device policy is updated
API reference: networkEscapeHatchEnabled
Type: boolean
Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.
Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.