The payload that configures Wi-Fi settings.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| Auto Join `AutoJoin`: If `true`, the device joins the network automatically.<br>If `false`, the user must tap the network name to join it. | boolean | optional | true | ✓Yes | iOS (5.0+) |
| SSID `SSID_STR`: The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is optional if a value exists for `DomainName`. | string | optional | — | ✓Yes | iOS (7.0+) |
| Hidden `HIDDEN_NETWORK`: If `true`, defines this network as hidden. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Proxy Type `ProxyType`: The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port, and optionally a user name and password for the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL. | string | optional | None | ✗No | |
| Encryption Type `EncryptionType`: The encryption type for the network.<br>If set to anything except `None`, the payload may contain the following three keys: `Password`, `PayloadCertificateUUID`, or `EAPClientConfiguration`.<br>As of iOS 16, tvOS 16, watchOS 9, and macOS 13:<br>- `WPA` allows joining WPA or WPA2 networks<br>- `WPA2` allows joining WPA2 or WPA3 networks<br>- `WPA3` allows joining WPA3 networks only<br>- `Any` allows joining WPA, WPA2, WPA3, and WEP networks<br>Prior to iOS 16, tvOS 16, and watchOS 9, specifying `WPA`, `WPA2`, and `WPA3` were equivalent and would allow joining any WPA network.<br>Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly. | string | optional | Any | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Password `Password`: The password for the access point. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Certificate UUID `PayloadCertificateUUID`: The UUID of the certificate payload within the same profile to use for the client credential. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| EAP Client Configuration `EAPClientConfiguration`: The enterprise network configuration. (19 subkeys) | dictionary | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Accept EAP Types `AcceptEAPTypes`: The EAP types that the system accepts. Allowed values:<br>- `13`: EAP-TLS<br>- `17`: LEAP<br>- `18`: EAP-SIM<br>- `21`: EAP-TTLS<br>- `23`: EAP-AKA<br>- `25`: PEAPv0/v1<br>- `43`: EAP-FAST<br>For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network. (1 subkey) | array | required | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ └─ EAP Type `EAPType` | integer | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Username `UserName`: The user name for the account. If you don't specify a value, the system prompts the user during login. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Password `UserPassword`: The user's password. If you don't specify a value, the system prompts the user during login. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Certificate Anchor UUID `PayloadCertificateAnchorUUID`: An array of the UUID of each certificate payload in the same profile to trust for authentication. Use this key to prevent the device from asking the user whether to trust the listed certificates. Dynamic trust (the certificate dialog) is disabled if you specify this property without also enabling `TLSAllowTrustExceptions`. (1 subkey) | array | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ └─ Individual Certificate Anchor UUID `CertificateAnchorUUID` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ TLS Trusted Certificates `TLSTrustedCertificates`: An array of trusted certificates. Each entry in the array must contain certificate data that represents an anchor certificate used for verifying the server certificate. (1 subkey) | array | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ └─ TLSTrustedCertificatesItem `TLSTrustedCertificatesItem`: A certificate identifier. | string | required | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ TLS Trusted Server Names `TLSTrustedServerNames`: The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it.<br>If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify `TLSAllowTrustExceptions` with the value `true`.<br>If necessary, use wildcards to specify the name, such as `wpa.*.example.com`. (1 subkey) | array | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ └─ Individual Trusted TLS Server Name `TLSTrustedServerName` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Allow Trust Exceptions `TLSAllowTrustExceptions`: If `true`, allows a dynamic trust decision by the user. The dynamic trust is the certificate dialog that appears when the system doesn't trust a certificate.<br>If `false`, the authentication fails if the system doesn't already trust the certificate.<br>As of iOS 8, Apple no longer supports this key. | boolean | optional | true | ✗No | |
| └─ TLSCertificateIsRequired `TLSCertificateIsRequired`: If `true`, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If `false`, allows for zero-factor authentication for EAP-TLS.<br>If you don't specify a value, the default is `true` for EAP-TLS, and `false` for other EAP types. | boolean | optional | false | ✓Yes | iOS (7.0+) |
| └─ TTLS Inner Authentication `TTLSInnerAuthentication`: The inner authentication that the TTLS module uses. | string | optional | MSCHAPv2 | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ TLSMinimumVersion `TLSMinimumVersion`: The minimum TLS version for EAP authentication. | string | optional | 1.0 | ✓Yes | iOS (11.0+), macOS (10.13+), tvOS (11.0+) |
| └─ TLSMaximumVersion `TLSMaximumVersion`: The maximum TLS version for EAP authentication. | string | optional | 1.2 | ✓Yes | iOS (11.0+), macOS (10.13+), tvOS (11.0+) |
| └─ Outer Identity `OuterIdentity`: A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. For example, you might set this to anonymous or anon, or [email protected]. It can increase security because an attacker can't see the authenticating user's name in the clear.<br>This key is only relevant to TTLS, PEAP, and EAP-FAST.<br>This field is required if `TLSMinimumVersion` is `1.3`. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Use PAC `EAPFASTUsePAC`: If `true`, the device uses an existing PAC if it's present. Otherwise, the server must present its identity using a certificate. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Provision PAC `EAPFASTProvisionPAC`: If `true`, allows PAC provisioning.<br>This value is only applicable if `EAPFASTUsePAC` is `true`. This value must be `true` for EAP-FAST PAC usage to succeed because there's no other way to provision a PAC. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Provision PAC Anonymously `EAPFASTProvisionPACAnonymously`: If `true`, provisions the device anonymously. Note that there are known machine-in-the-middle attacks for anonymous provisioning. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Allow Two RANDs `EAPSIMNumberOfRANDs`: The minimum number of RAND values to accept from the server.<br>For use with EAP-SIM only. | integer | optional | 3 | ✓Yes | iOS (8.0+) |
| └─ SystemModeCredentialsSource `SystemModeCredentialsSource`: Set this string to `ActiveDirectory` to use the AD computer name and password credentials.<br>If using this property, you can't use `SystemModeUseOpenDirectoryCredentials`. | string | optional | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ SystemModeUseOpenDirectoryCredentials `SystemModeUseOpenDirectoryCredentials`: If `true`, the system mode connection tries to use the Open Directory credentials.<br>If using this property, you can't use `SystemModeCredentialsSource`. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Per-Connection Password `OneTimeUserPassword`: If `true`, the user receives a prompt for a password each time they connect to the network. | boolean | optional | false | ✓Yes | iOS (8.0+), macOS (10.8+), tvOS (9.0+) |
| Displayed Operator Name `DisplayedOperatorName`: The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. | string | optional | — | ✓Yes | iOS (7.0+), macOS (10.9+) |
| Domain Name `DomainName`: The primary domain of the tunnel. | string | optional | — | ✓Yes | iOS (7.0+), macOS (10.9+) |
| Roaming OIs `RoamingConsortiumOIs`: An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. (1 subkey) | array | optional | — | ✓Yes | iOS (7.0+), macOS (10.9+) |
| └─ RoamingConsortiumOI `RoamingConsortiumOI` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Roaming Enable `ServiceProviderRoamingEnabled`: If `true`, allows connection to roaming service providers. | boolean | optional | false | ✓Yes | iOS (7.0+), macOS (10.9+) |
| Is Hotspot `IsHotspot`: If `true`, the device treats the network as a hotspot. | boolean | optional | false | ✓Yes | iOS (7.0+), macOS (10.9+) |
| HESSID `HESSID`: The HESSID used for Wi-Fi Hotspot 2.0 negotiation. | string | optional | — | ✓Yes | iOS (7.0+) |
| Realm Names `NAIRealmNames`: An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. (1 subkey) | array | optional | — | ✓Yes | iOS (7.0+), macOS (10.9+) |
| └─ NAIRealmName `NAIRealmName` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| MCC/MNCs `MCCAndMNCs`: An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. (1 subkey) | array | optional | — | ✓Yes | iOS (7.0+) |
| └─ MCCAndMNC `MCCAndMNC` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Disable Captive Network Detection `CaptiveBypass`: If `true`, the system bypasses Captive Network detection when the device connects to the network. | boolean | optional | false | ✓Yes | iOS (10.0+) |
| QoS Marking Policy `QoSMarkingPolicy`: A dictionary that contains the list of apps that the system allows to benefit from L2 and L3 marking. When this dictionary isn't present, the system allows all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane. (4 subkeys) | dictionary | optional | — | ✓Yes | iOS (10.0+), macOS (10.13+) |
| └─ Allowlisted App Identifiers `QoSMarkingAllowListAppIdentifiers`: An array of app bundle identifiers that defines the allow list for L2 and L3 marking for traffic that goes to the Wi-Fi network. If the array isn't present, but the `QoSMarkingPolicy` key is present — even empty — no apps can use L2 and L3 marking. (1 subkey) | array | optional | — | ✓Yes | iOS (14.5+), macOS (14.0+) |
| └─ └─ Allowlisted App `appBundleID` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Whitelisted App Identifiers `QoSMarkingWhitelistedAppIdentifiers`: Deprecated (iOS 14.5, macOS 14.0). Use `QoSMarkingAllowListAppIdentifiers` instead. (1 subkey) | array | optional | — | ✓Yes | iOS (legacy - 14.5), macOS (legacy - 14.0) |
| └─ └─ Allowlisted App `appBundleID` | string | | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ QoS marking for audio or video calls `QoSMarkingAppleAudioVideoCalls`: If `true`, adds audio and video traffic of built-in audio or video services, such as FaceTime and Wi-Fi Calling, to the allow list for L2 and L3 marking for traffic that goes to the Wi-Fi network. | boolean | optional | true | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| └─ Allow QoS marking `QoSMarkingEnabled`: If `true`, disables L3 marking and only uses L2 marking for traffic that goes to the Wi-Fi network.<br>If `false`, the system behaves as if Wi-Fi doesn't have an association with a Cisco QoS fast lane network. | boolean | optional | true | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| SetupModes `SetupModes`: An array of strings that contain the type of connection mode to attach. (1 subkey) | array | optional | — | ✓Yes | macOS (10.7+) |
| └─ SetupModesItem `SetupModesItem`: A type of connection mode. | string | required | — | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| EnableIPv6 `EnableIPv6`: If `true`, enables IPv6 on this interface. | boolean | optional | true | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Certificate Required `TLSCertificateRequired`: If `true`, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If `false`, allows for zero-factor authentication for EAP-TLS. | boolean | optional | false | ✓Yes | iOS (4.0+), macOS (10.7+), tvOS (9.0+), visionOS (1.0+), watchOS (3.2+) |
| Proxy Server `ProxyServer`: The proxy server's network address. | string | optional | — | ✗No | |
| Proxy Server Port `ProxyServerPort`: The proxy server's port number. Range: 0 - 65535 | integer | optional | — | ✗No | |
| Proxy Username `ProxyUsername`: The user name used to authenticate to the proxy server. | string | optional | — | ✗No | |
| Proxy Password `ProxyPassword`: The password used to authenticate to the proxy server. | string | optional | — | ✗No | |
| Proxy PAC URL `ProxyPACURL`: The URL of the PAC file that defines the proxy configuration. | string | optional | — | ✗No | |
| Proxy PAC Fallback Allowed `ProxyPACFallbackAllowed`: If `true`, allows connecting directly to the destination if the PAC file is unreachable. | boolean | optional | false | ✗No | |
| Disable MAC address randomization during association `DisableAssociationMACRandomization`: If `true`, disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections.<br>If `false`, then the system enables MAC address randomization on iOS, watchOS, and visionOS.<br>This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. | boolean | optional | false | ✓Yes | iOS (14.0+), macOS (15.0+), watchOS (7.0+) |
| Allow Join Before First Unlock `AllowJoinBeforeFirstUnlock`: If `true`, the device makes this network available for joining before the device is unlocked for the first time following a reboot, on a device configured for return to service. Any network credentials are placed into Class D storage within the keychain, and information about the network is stored on disk in Class D.<br>There are several restrictions on the use of this flag:<br>- This property is only available in the return to service mode.<br>- Only one network can be designated as available before first unlock.<br>- `EAPClientConfiguration` must not be present.<br>- If `IsHotspot` is present, it must be set to `false`.<br>- `QoSMarkingPolicy` must not be present.<br>- If `ProxyType` is present, it must be set to `None`.<br>The device fails to install the profile payload if any of these conditions are not met. | boolean | optional | false | ✓Yes | visionOS (26.0+) |
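
A pre-deployment check for the cross-key rules in the table, added here as an example and not taken from the original page or from Apple. It assumes the input is the Wi-Fi payload dictionary itself rather than a whole profile; `lint_wifi_payload`, `SAMPLE` and `FINDINGS` are hypothetical names and the sample values are constructed.

```python
import plistlib
import re

# Constructed sample (not from the page): one Wi-Fi payload dictionary.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>SSID_STR</key><string>corp-example</string>
<key>EncryptionType</key><string>Any</string>
<key>AllowJoinBeforeFirstUnlock</key><true/>
<key>ProxyType</key><string>Auto</string>
<key>MCCAndMNCs</key><array><string>31041</string></array>
<key>EAPClientConfiguration</key><dict>
<key>AcceptEAPTypes</key><array><integer>43</integer></array>
<key>EAPFASTUsePAC</key><true/>
<key>EAPFASTProvisionPACAnonymously</key><true/>
<key>TLSMinimumVersion</key><string>1.3</string>
<key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
<key>SystemModeUseOpenDirectoryCredentials</key><false/>
</dict></dict></plist>"""

def lint_wifi_payload(p):
    """Map key name -> reason for each constraint or weak setting the table describes."""
    out = {}
    eap = p.get("EAPClientConfiguration")
    if p.get("EncryptionType", "Any") == "Any":  # Any is also the default
        out["EncryptionType"] = "Any also allows joining WEP networks"
    if p.get("AllowJoinBeforeFirstUnlock"):  # profile install fails otherwise
        if eap is not None:
            out["EAPClientConfiguration"] = "must not be present"
        if p.get("IsHotspot", False):
            out["IsHotspot"] = "must be false when present"
        if "QoSMarkingPolicy" in p:
            out["QoSMarkingPolicy"] = "must not be present"
        if p.get("ProxyType", "None") != "None":
            out["ProxyType"] = "must be None when present"
    if any(not re.fullmatch(r"[0-9]{6}", s) for s in p.get("MCCAndMNCs", [])):
        out["MCCAndMNCs"] = "each entry must be exactly six digits"
    eap = eap or {}
    if eap.get("EAPFASTProvisionPACAnonymously"):
        out["EAPFASTProvisionPACAnonymously"] = "anonymous provisioning is open to MITM"
    if eap.get("EAPFASTUsePAC") and not eap.get("EAPFASTProvisionPAC"):
        out["EAPFASTProvisionPAC"] = "PAC use cannot succeed without provisioning"
    if eap.get("TLSMinimumVersion") == "1.3" and not eap.get("OuterIdentity"):
        out["OuterIdentity"] = "required when TLSMinimumVersion is 1.3"
    if eap.keys() >= {"SystemModeCredentialsSource", "SystemModeUseOpenDirectoryCredentials"}:
        out["SystemModeCredentialsSource"] = "cannot be combined with the Open Directory key"
    return out

FINDINGS = lint_wifi_payload(plistlib.loads(SAMPLE))
```

The rule that only one network can be designated as available before first unlock spans payloads, so it has to be checked across the whole profile rather than inside this per-payload function.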