5.11 Wi-Fi Policy

The following instructions assume that you are on the Configure Wi-Fi Settings page in the Create New Wi-Fi Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Wi-Fi policy (see Editing a Policy’s Details).

The Wi-Fi policy lets you control wireless access.

5.11.1 Configure General Settings

The General Settings let you control access for ad hoc network connections and Wi-Fi connections.

Ad Hoc Connections

Ad hoc network connections provide direct wireless access between devices without using a physical wireless access point such as a router or mobile phone hotspot. These connections are temporary but can be used for transferring files, playing multi-player computer games, and sharing an Internet connection. If you allow connections, you can define the minimum security level for connections in this policy.

Select one of the following options to control ad hoc connections:

  • Enable: Allows ad hoc network connections.

  • Disable: Prevents ad hoc network connections.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Wi-Fi policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Wi-Fi policies assigned to the user’s groups, folders, or zone.

Wi-Fi Connections

This setting lets you control Wi-Fi connectivity, which includes mobile phone hotspots, but does not include Bluetooth and infrared wireless connections. To control Bluetooth and infrared connections, use the Communication Hardware policy. For information about setting minimum security levels when connections are enabled, see Configure Minimum Security.

Select one of the following options:

  • Enable: Allows Wi-Fi connections.

  • Disable: Prevents Wi-Fi connections. Connections are blocked but the wireless adapter remains active in case you want to use wireless access points to determine location. To completely disable Wi-Fi adapters, use the Communication Hardware policy.

  • Inherit: If the policy’s Inherit from Policy Hierarchy setting is enabled, inherits this setting from other Wi-Fi policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Wi-Fi policies assigned to the user’s groups, folders, or zone.

5.11.2 Define Access Points

You can use the Access Points list to control connections to wireless access points, such as routers and mobile phone hotspots. The list works as follows:

  • When you add an access point, you designate it as prohibited or approved. Prohibited access points are filtered out of a device’s wireless network connection display. If a user manually connects to a prohibited access point, the connection is blocked. You can also define further controls by configuring the Minimum Security settings in the policy.

  • All access points are approved (default approval) until you add one approved access point to the list (explicit approval). At that point, the default approval is ignored and only explicitly approved access points are allowed.

  • Prohibited access overrides approved access. For example, assume that you have multiple access points that share Novell as the SSID. You create an approved access point definition using Novell as the SSID, which results in all access points that share the Novell SSID being allowed. However, there is one Novell access point you want to prohibit, so you create a prohibited access point definition using the access point’s MAC address. Based on its SSID and MAC address, the access point matches both definitions (approved and prohibited). Prohibited access overrides approved access, so connection to the access point is prohibited.

The following table provides instructions for managing access points. For each task, it lists the steps and any additional details:

Add a new access point

  1. Click Add > Create New.

  2. Fill in the following fields to define the access point:

    Name: Specify a name to identify the access point in the ZENworks system.

    SSID and MAC Address: The SSID and the MAC Address are the two fields used to determine if a detected access point matches this definition. You must fill in at least one of the fields.

    Multiple access points can share the same SSID. If you fill in the SSID field, any access point that uses that SSID is matched. The SSID is case-sensitive.

    If you want to identify a specific access point, specify the MAC address. Each access point has a unique MAC address.

    Enforcement: Select whether the access point is prohibited or approved.

  3. To define another access point, select Define another access point.

  4. Click OK to add the access point to the list.

 

Copy an access point from another policy

  1. Click Add > Copy Existing.

  2. Select the Wireless policies whose access points you want to copy.

  3. Click OK.

All access points included in the selected Wireless policies are copied. If necessary, you can edit the copied access points after they are added to the list.

Import an access point from a policy export file

  1. Click Add > Import.

  2. Click to display the Select File dialog box.

  3. Click Browse, select the export file, then click Open.

  4. Click OK to add the access points to the list.

All access points included in the export file are imported. If necessary, you can edit the imported access points after they are added to the list.

For information about exporting access points, see Export an access point.

Edit an access point

  1. Click the access point name.

  2. Modify the fields as desired.

  3. Click OK.

 

Export an access point

  1. Select the check box next to the access point name.

    You can select multiple access points to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

 

Delete an access point

  1. Select the check box next to the access point name, then click Delete.

  2. Click OK to confirm deletion of the access point.

 

5.11.3 Configure Minimum Security

Select the minimum security protocol that an approved access point must provide before a connection is allowed. For example, if you select WPA, only approved access points that provide WPA, WPA2, or WPA3 encryption are allowed.

Select No encryption required to ignore minimum security. Select Inherit to inherit the minimum security from other Wi-Fi policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Wi-Fi policies assigned to the user’s groups, folders, or zone.

Approved access points that fall below the minimum security level are not displayed in the device’s wireless network connections list when detected. If a user tries to manually define a connection to the access point, the connection is blocked.
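
The Access Points list rules in 5.11.2 and the minimum security check above can be modeled as one decision function. This is an added example, not ZENworks code. It assumes that a definition with both SSID and MAC address filled in must match on both, that MAC addresses compare without regard to case or separator, and that the minimum applies to default-approved access points as well. The policy entries and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Security levels named on the page, lowest to highest.
LEVELS = {"none": 0, "WPA": 1, "WPA2": 2, "WPA3": 3}

@dataclass(frozen=True)
class APDefinition:
    name: str
    enforcement: str              # "approved" or "prohibited"
    ssid: Optional[str] = None
    mac: Optional[str] = None

    def __post_init__(self):
        if self.ssid is None and self.mac is None:
            raise ValueError("fill in at least one of SSID or MAC address")
        if self.enforcement not in ("approved", "prohibited"):
            raise ValueError("enforcement must be approved or prohibited")

def _norm_mac(mac: str) -> str:
    # Assumption: MACs compare case-insensitively, '-' and ':' equivalent.
    return mac.replace("-", ":").lower()

def matches(d: APDefinition, ssid: str, mac: str) -> bool:
    # SSID comparison is case-sensitive, as the page states.
    # Assumption: when both fields are filled in, both must match.
    if d.ssid is not None and d.ssid != ssid:
        return False
    if d.mac is not None and _norm_mac(d.mac) != _norm_mac(mac):
        return False
    return True

def evaluate(definitions, ssid, mac, security, minimum="none") -> str:
    hits = [d for d in definitions if matches(d, ssid, mac)]
    # Prohibited access overrides approved access.
    if any(d.enforcement == "prohibited" for d in hits):
        return "blocked: prohibited"
    # Default approval ends once any approved definition is in the list.
    explicit = any(d.enforcement == "approved" for d in definitions)
    if explicit and not any(d.enforcement == "approved" for d in hits):
        return "blocked: not explicitly approved"
    # Assumption: the minimum also applies to default-approved access points.
    if LEVELS[security] < LEVELS[minimum]:
        return "blocked: below minimum security"
    return "allowed"

# Constructed policy mirroring the page's Novell example.
POLICY = [
    APDefinition("Corporate SSID", "approved", ssid="Novell"),
    APDefinition("Excluded unit", "prohibited", mac="00:11:22:33:44:55"),
]
```

Running a planned list through a model like this before deployment shows the effect of adding the first approved entry, which blocks every access point that is not explicitly approved.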

5.11.4 Define the Minimum Security Message

This option is available only if you selected WPA, WPA2, or WPA3 as the minimum security requirement.

You can display a message when a wireless connection is blocked because the access point does not meet the minimum security requirement. Select Display message when minimum security not met, then fill in the following fields:

  • Title of Message Window: Specify the message window’s title.

  • Body: Provide the text for the message body.

  • Message Hyperlink: If you want to include a hyperlink, select Include message hyperlink, then specify the display text for the hyperlink and the link command.