WiFi

If true, the device makes this network available for joining before the device is unlocked for the first time following a reboot, on a device configured for return to service. Any network credentials are placed into Class D storage within the keychain, and information about the network is stored on disk in Class D.

There are several restrictions on the use of this flag:

• This property is only available in the return to service mode.

• Only one network can be designated as available before first unlock.

• EAPClientConfiguration must not be present.

• If IsHotspot is present, it must be set to false.

• QoSMarkingPolicy must not be present.

• If ProxyType is present, it must be set to None.

The device fails to install the profile payload if any of these conditions are not met.

Available: visionOS 26+

If true, the device joins the network automatically.

If false, the user must tap the network name to join it.

Available: iOS 5+ | iPadOS 5+ | macOS 10.7+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

If true, the system bypasses Captive Network detection when the device connects to the network.

Available: iOS 10+ | iPadOS 10+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

If true, disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections.

If false, then the system enables MAC address randomization on iOS, watchOS, and visionOS.

This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it.

Available: iOS 14+ | iPadOS 14+ | macOS 15+ | visionOS 1+ | watchOS 7+

The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

The primary domain of the tunnel.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

The enterprise network configuration.

If true, enables IPv6 on this interface.

The encryption type for the network.

If set to anything except None, the payload may contain the following three keys: Password, PayloadCertificateUUID, or EAPClientConfiguration.

As of iOS 16, tvOS 16, watchOS 9, and macOS 13:

• WPA allows joining WPA or WPA2 networks

• WPA2 allows joining WPA2 or WPA3 networks

• WPA3 allows joining WPA3 networks only

• Any allows joining WPA, WPA2, WPA3, and WEP networks

Prior to iOS 16, tvOS 16, and watchOS 9, specifying WPA, WPA2, and WPA3 were equivalent and would allow joining any WPA network.

Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly.

The HESSID used for Wi-Fi Hotspot 2.0 negotiation.

Available: iOS 7+ | iPadOS 7+ | macOS 10.7+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

If true, defines this network as hidden.

If true, the device treats the network as a hotspot.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits.

Available: iOS 7+ | iPadOS 7+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

The password for the access point.

The UUID of the certificate payload within the same profile to use for the client credential.

If true, allows connecting directly to the destination if the PAC file is unreachable.

The URL of the PAC file that defines the proxy configuration.

The password used to authenticate to the proxy server.

The proxy server’s network address.

The proxy server’s port number.

The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port and optionally a user name and password into the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL.

The user name used to authenticate to the proxy server.

A dictionary that contains the list of apps that the system allows to benefit from L2 and L3 marking. When this dictionary isn’t present, the system allows all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane.

Available: iOS 10+ | iPadOS 10+ | macOS 10.13+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

If true, allows connection to roaming service providers.

Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

An array of strings that contain the type of connection mode to attach.

Available: macOS 10.7+

The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is optional if a value exists for DomainName value.

Available: iOS 7+ | iPadOS 7+ | macOS 10.7+ | tvOS 9+ | visionOS 1+ | watchOS 3.2+

If true, allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If false, allows for zero-factor authentication for EAP-TLS.