Skip to content

Network Configuration (WiFi & VPN)

WiFi

Configure managed WiFi networks that devices connect to automatically.

FieldTypeDescription
SSIDstringThe network name (max 32 characters)
SecurityTypeenumWPA, WPA2, WPA3, WPA2WPA3, WPAEnterprise, WPA2Enterprise, WPA3Enterprise
AutoJoinbooleanConnect automatically when in range
HiddenNetworkbooleanNetwork does not broadcast its SSID
PassphrasestringPre-shared key (required for Personal modes)

Security Types

  • Personal (WPA/WPA2/WPA3): Uses a pre-shared passphrase. WPA3 is preferred when the access point supports it.
  • Enterprise (WPA2Enterprise/WPA3Enterprise): Uses 802.1X authentication with EAP. Requires additional fields:
FieldDescription
EAPTypeTLS, TTLS, PEAP, EAP-FAST
UsernameAuthentication username
PasswordAuthentication password
IdentityCertificateClient certificate reference (for EAP-TLS)
RootCertificateCA certificate for server validation
OuterIdentityAnonymous identity (EAP-TTLS/PEAP)
InnerAuthenticationPAP, CHAP, MSCHAP, MSCHAPv2

Proxy Settings

FieldTypeDescription
ProxyTypeenumNone, Manual, Auto (PAC), AutoDiscovery (WPAD)
ProxyServerstringHostname or IP of proxy server
ProxyPortintegerPort number
ProxyPACURLstringPAC file URL (when type is Auto)
ProxyBypassListstring[]Domains that bypass the proxy

Example

json
{
  "SSID": "Corp-Network",
  "SecurityType": "WPA2Enterprise",
  "AutoJoin": true,
  "HiddenNetwork": false,
  "EAPType": "PEAP",
  "Username": "{{device_user}}",
  "OuterIdentity": "anonymous@corp.com",
  "InnerAuthentication": "MSCHAPv2",
  "RootCertificate": "corp-ca-cert",
  "ProxyType": "Manual",
  "ProxyServer": "proxy.corp.com",
  "ProxyPort": 8080
}

VPN

Configure VPN connections for secure remote access.

FieldTypeDescription
ProtocolenumIKEv2, IPsec, L2TP, PPTP, WireGuard
ServerstringVPN server hostname or IP
ServerPortintegerPort number (default varies by protocol)
RemoteIdstringServer identifier (IKEv2)
LocalIdstringClient identifier (IKEv2)
AuthenticationMethodenumPassword, Certificate, SharedSecret, EAP

Authentication

  • Password: Username + password authentication.
  • Certificate: Client certificate + optional username.
  • SharedSecret: Pre-shared key (IPsec/L2TP).
  • EAP: Extensible Authentication Protocol (IKEv2).

On-Demand VPN Rules

Control when the VPN connects automatically.

FieldTypeDescription
OnDemandEnabledbooleanEnable on-demand VPN
OnDemandRulesobject[]List of match rules
OnDemandRules[].ActionenumConnect, Disconnect, Ignore
OnDemandRules[].Domainsstring[]Domain match list
OnDemandRules[].SSIDMatchstring[]Only trigger on these WiFi SSIDs
OnDemandRules[].InterfaceTypeMatchenumWiFi, Cellular, Any

Rules are evaluated in order. The first match determines the action.

json
{
  "OnDemandEnabled": true,
  "OnDemandRules": [
    {
      "Action": "Connect",
      "Domains": ["*.corp.com", "*.internal"],
      "InterfaceTypeMatch": "Any"
    },
    {
      "Action": "Disconnect",
      "SSIDMatch": ["Corp-Guest"],
      "InterfaceTypeMatch": "WiFi"
    }
  ]
}

Example

json
{
  "Protocol": "IKEv2",
  "Server": "vpn.corp.com",
  "ServerPort": 500,
  "RemoteId": "vpn.corp.com",
  "AuthenticationMethod": "Certificate",
  "IdentityCertificate": "vpn-client-cert",
  "OnDemandEnabled": true,
  "OnDemandRules": [
    {
      "Action": "Connect",
      "Domains": ["*.corp.com"],
      "InterfaceTypeMatch": "Any"
    }
  ]
}

Global HTTP Proxy

Set a system-wide HTTP proxy that applies to all traffic, not just browser traffic.

FieldTypeDescription
ProxyServerstringProxy hostname or IP
ProxyPortintegerPort number
ProxyUsernamestringOptional authentication username
ProxyPasswordstringOptional authentication password
ProxyBypassListstring[]Domains/IPs that bypass the proxy
ProxyPACURLstringPAC file URL (overrides manual settings)
ProxyPACFallbackbooleanFall back to direct connection if PAC is unreachable

When ProxyPACURL is set, the device fetches the PAC file and uses its logic to determine whether to proxy each request. Manual ProxyServer/ProxyPort are ignored in this mode.

json
{
  "ProxyServer": "proxy.corp.com",
  "ProxyPort": 3128,
  "ProxyBypassList": [
    "*.local",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16"
  ]
}

DNS Settings

Configure custom DNS settings for managed devices.

FieldTypeDescription
DNSServersstring[]Custom DNS server IPs (up to 4)
SearchDomainsstring[]DNS search domains for unqualified hostnames
SupplementalMatchDomainsstring[]Domains that use these DNS servers (split DNS)
SupplementalMatchDomainsNoSearchbooleanDo not append search domains to match queries

Split DNS

Use SupplementalMatchDomains to route only specific domains through the custom DNS servers while everything else uses the default resolver. This is useful for corporate DNS resolution without affecting public internet traffic.

json
{
  "DNSServers": ["10.1.0.53", "10.1.0.54"],
  "SearchDomains": ["corp.com", "internal"],
  "SupplementalMatchDomains": ["corp.com", "*.internal.corp.com"]
}

Released under the MIT License