Network Configuration (WiFi & VPN)
WiFi
Configure managed WiFi networks that devices connect to automatically.
| Field | Type | Description |
|---|---|---|
SSID | string | The network name (max 32 characters) |
SecurityType | enum | WPA, WPA2, WPA3, WPA2WPA3, WPAEnterprise, WPA2Enterprise, WPA3Enterprise |
AutoJoin | boolean | Connect automatically when in range |
HiddenNetwork | boolean | Network does not broadcast its SSID |
Passphrase | string | Pre-shared key (required for Personal modes) |
Security Types
- Personal (WPA/WPA2/WPA3): Uses a pre-shared passphrase. WPA3 is preferred when the access point supports it.
- Enterprise (WPA2Enterprise/WPA3Enterprise): Uses 802.1X authentication with EAP. Requires additional fields:
| Field | Description |
|---|---|
EAPType | TLS, TTLS, PEAP, EAP-FAST |
Username | Authentication username |
Password | Authentication password |
IdentityCertificate | Client certificate reference (for EAP-TLS) |
RootCertificate | CA certificate for server validation |
OuterIdentity | Anonymous identity (EAP-TTLS/PEAP) |
InnerAuthentication | PAP, CHAP, MSCHAP, MSCHAPv2 |
Proxy Settings
| Field | Type | Description |
|---|---|---|
ProxyType | enum | None, Manual, Auto (PAC), AutoDiscovery (WPAD) |
ProxyServer | string | Hostname or IP of proxy server |
ProxyPort | integer | Port number |
ProxyPACURL | string | PAC file URL (when type is Auto) |
ProxyBypassList | string[] | Domains that bypass the proxy |
Example
{
"SSID": "Corp-Network",
"SecurityType": "WPA2Enterprise",
"AutoJoin": true,
"HiddenNetwork": false,
"EAPType": "PEAP",
"Username": "{{device_user}}",
"OuterIdentity": "anonymous@corp.com",
"InnerAuthentication": "MSCHAPv2",
"RootCertificate": "corp-ca-cert",
"ProxyType": "Manual",
"ProxyServer": "proxy.corp.com",
"ProxyPort": 8080
}VPN
Configure VPN connections for secure remote access.
| Field | Type | Description |
|---|---|---|
Protocol | enum | IKEv2, IPsec, L2TP, PPTP, WireGuard |
Server | string | VPN server hostname or IP |
ServerPort | integer | Port number (default varies by protocol) |
RemoteId | string | Server identifier (IKEv2) |
LocalId | string | Client identifier (IKEv2) |
AuthenticationMethod | enum | Password, Certificate, SharedSecret, EAP |
Authentication
- Password: Username + password authentication.
- Certificate: Client certificate + optional username.
- SharedSecret: Pre-shared key (IPsec/L2TP).
- EAP: Extensible Authentication Protocol (IKEv2).
On-Demand VPN Rules
Control when the VPN connects automatically.
| Field | Type | Description |
|---|---|---|
OnDemandEnabled | boolean | Enable on-demand VPN |
OnDemandRules | object[] | List of match rules |
OnDemandRules[].Action | enum | Connect, Disconnect, Ignore |
OnDemandRules[].Domains | string[] | Domain match list |
OnDemandRules[].SSIDMatch | string[] | Only trigger on these WiFi SSIDs |
OnDemandRules[].InterfaceTypeMatch | enum | WiFi, Cellular, Any |
Rules are evaluated in order. The first match determines the action.
{
"OnDemandEnabled": true,
"OnDemandRules": [
{
"Action": "Connect",
"Domains": ["*.corp.com", "*.internal"],
"InterfaceTypeMatch": "Any"
},
{
"Action": "Disconnect",
"SSIDMatch": ["Corp-Guest"],
"InterfaceTypeMatch": "WiFi"
}
]
}Example
{
"Protocol": "IKEv2",
"Server": "vpn.corp.com",
"ServerPort": 500,
"RemoteId": "vpn.corp.com",
"AuthenticationMethod": "Certificate",
"IdentityCertificate": "vpn-client-cert",
"OnDemandEnabled": true,
"OnDemandRules": [
{
"Action": "Connect",
"Domains": ["*.corp.com"],
"InterfaceTypeMatch": "Any"
}
]
}Global HTTP Proxy
Set a system-wide HTTP proxy that applies to all traffic, not just browser traffic.
| Field | Type | Description |
|---|---|---|
ProxyServer | string | Proxy hostname or IP |
ProxyPort | integer | Port number |
ProxyUsername | string | Optional authentication username |
ProxyPassword | string | Optional authentication password |
ProxyBypassList | string[] | Domains/IPs that bypass the proxy |
ProxyPACURL | string | PAC file URL (overrides manual settings) |
ProxyPACFallback | boolean | Fall back to direct connection if PAC is unreachable |
When ProxyPACURL is set, the device fetches the PAC file and uses its logic to determine whether to proxy each request. Manual ProxyServer/ProxyPort are ignored in this mode.
{
"ProxyServer": "proxy.corp.com",
"ProxyPort": 3128,
"ProxyBypassList": [
"*.local",
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}DNS Settings
Configure custom DNS settings for managed devices.
| Field | Type | Description |
|---|---|---|
DNSServers | string[] | Custom DNS server IPs (up to 4) |
SearchDomains | string[] | DNS search domains for unqualified hostnames |
SupplementalMatchDomains | string[] | Domains that use these DNS servers (split DNS) |
SupplementalMatchDomainsNoSearch | boolean | Do not append search domains to match queries |
Split DNS
Use SupplementalMatchDomains to route only specific domains through the custom DNS servers while everything else uses the default resolver. This is useful for corporate DNS resolution without affecting public internet traffic.
{
"DNSServers": ["10.1.0.53", "10.1.0.54"],
"SearchDomains": ["corp.com", "internal"],
"SupplementalMatchDomains": ["corp.com", "*.internal.corp.com"]
}