Configure WiFi Profiles and Policies

  • The OMM menu is only available to orgs that implement Okta Mobility Management (OMM).
  • Procedures documented on this page are only available to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.

  • The Devices menu is available to orgs that implement Okta Mobility Management (OMM).
  • The OMM menu is available to orgs that implement Okta Mobility Management (OMM).

Okta offers two different WiFi features: WiFi Policies, and WiFi Profiles. You can implement only one of these features in an org. The WiFi Policies feature is Generally Available (GA) to most orgs, but it is not available if the WiFi Profiles Early Access (EA) feature is enabled for your org. The features are located in different areas of the Admin console. Use the following images to determine which WiFi feature your org implements:

Configure a WiFi profile

This is an Early Access feature. To enable it, please contact Okta Support.

WiFi Profiles allow you to create multiple WiFi profiles and assign them to OMM-enrolled mobile devices so that users are not limited to a single WiFi profile on a device. It also supports the WPA/WPA2 Enterprise protocol to enable the following:

  • Username and password authentication with a RADIUS server (you are no longer limited to shared key authentication).
  • The option to add one or more server certificates needed to establish a secure connection to the WiFi network.

See Known Issues for feature limitations and workarounds, and see Configure a WiFi policy for details about the Generally Available WiFi Policies.

Requirements

Authentication Environment

  • A directory service such as Active Directory (AD) or LDAP (other directory services may also work).
    If you have integrated your AD or LDAP environment with Okta:
    • The latest version of the Okta AD or LDAP agent must be installed on your designated domain server(s).
    • Delegated Authentication must be enabled on all AD or LDAP instances.
  • RADIUS server that supports the PEAP/MSCHAPv2 authentication protocol (the current Okta RADIUS agent does not support this protocol).
  • The password that your users enter to sign in to Okta must be the same as the password they enter to log in to your network.
  • CA Certificates (WPA/WPA2 Enterprise networks).

Device configuration

  • OMM-enrolled iOS, OSX, and Android mobile devices
  • Okta Mobile for Android verison 2.12 or later
  • Any version of Okta Mobile for iOS
  • Android devices must be configured with a passcode (assumes a WPA/WPA2 Enterprise security network)

Procedure

  1. Go to DevicesWiFi.
  2. Go to OMMWiFi.
  3. Click Add WiFi Network.
  4. Configure the following on the Add WiFi Network screen:
    • Network SSID: Enter the name of the WiFi network.
    • Description (Optional): Enter a description for this WiFi profile.
    • Hidden: Select this option if you want to establish a WiFi profile for a hidden Network SSID.
    • Auto join: Select this option If you want your OMM-enrolled users to join this network automatically. If multiple WiFi network profiles are configured for your org, auto-join priority is given to the network with the strongest signal.

      Note: The Auto join option is not supported on Android devices.

    • Security type: Select the security type that has been configured for this Network SSID.
      • None: Provides no network security (not recommended).
      • WEP or WPA/WPA2 Personal: Authenticates users with a pre-shared key. See the Shared key field under Network Authentication.
      • WPA/WPA2 Enterprise: Authenticates users with their login credentials. See the corresponding fields under Network Authentication.
    • Authentication protocol (currently supports PEAP-MSCHAPv2 only)
    • Shared key (WEP or WPA/WPA2 Personal networks only): Enter the pre-shared key for this SSID.
    • Username (WPA/WPA2 Enterprise networks only): Select the format that matches the network username format used in your environment to authenticate users. The generated username based on this format will be used to log on to the WiFi network.

      For example, given a username john.doe@example.com:

      • Email: The Okta user's email address. For example, john.doe@example.okta.com.
      • AD Employee ID: The user's AD employee ID. For example, 223.
      • AD SAM account name: For example, jdoe.
      • AD SAM account name + domain: For example, jdoe@example.com.
      • AD user principal name: For example, john.doe@example.com.
      • AD user principal name prefix: For example, john.doe.
      • Email prefix: For example, john.doe.
      • Okta username: For example, john.doe@okta.com.
      • Okta username prefix: For example, john.doe.
    • Password: Select Okta password. Users are authenticated using their Okta password, and then are automatically connected to the network. They do not need to enter a password (except as detailed in Known Issues).
    • Trusted server certificates: Optional. Specify one or more certificates as needed to grant secure access to the WiFi network. If your WiFi network access is secured by two or more CAs or a chain of trust, click Add Another to add as many certificates as necessary. If editing a profile to add and delete certificates, see Known Issues.

      Note: You must configure Android devices with a passcode before you can assign a WiFi profile that is secured by a trusted server certificate to them; otherwise, the WiFi profile assignment will fail.

  1. Click Save and Assign.
  2. Assign the WiFi profile to People and Groups.

Known Issues

Applicable to all network security types

Password prompts: When users sign in to Okta Mobile, Okta caches their password for 10 minutes. If you assign WiFi profile(s) to users before the cache expires, users are not prompted to enter their password to complete the profile assignment. If you assign a WiFi profile after the cache has expired, users are prompted to enter a password to complete the assignment. iOS and Android device users are prompted for passwords at different times:

  • Apple allows you to complete the WiFi profile assignment before the user enters their password. In such cases, iOS device users are prompted to enter their password when their device attempts to connect to the WiFi network.
  • Google requires the user's password before we can complete the profile assignment. If the cache has expired, Android users are prompted to enter their password at the time the profile is being assigned.

Auto join: The auto join option is not supported on Android devices.

Applicable to WPA/WPA2 enterprise networks

Android passcode is required: Android devices must be configured with a passcode in order to be assigned a WiFi profile secured by a trusted server certificate. Otherwise, WiFi profile assignment will fail.

Always enter the correct password: End users should take special care to enter their password correctly during WiFi network authentication. Okta's WiFi profile authentication process does not detect incorrect passwords immediately, but connection to the WiFi network will fail at some point. iOS users who enter an incorrect password are prompted to re-enter it when their device attempts to connect to the network; Android users who enter an incorrect password are not re-prompted in this case and connection to the network simply fails.

Certificate prompts: If you specify one or more certificates for a WiFi network, users are prompted to install every certificate on Android and Samsung SAFE devices. If you assign users of these devices more than one WiFi profile secured by multiple certificates, additional install prompts are repeated for each WiFi network.

Deleting certificates from devices: In WiFi profiles configured with the security type WPA/WPA2 Enterprise, whether or not deleting a certificate in Okta also deletes the certificate from devices depends on the device type:

  • Native Android: Google does not support the ability for Okta to delete certificates from Native Android devices.
  • Samsung SAFE: Deleting certificates from Okta does not delete certificates from Samsung SAFE devices running Okta Mobile version 2.14.0 or earlier. Okta is working toward removing this limitation for Samsung SAFE devices in the next release of Okta Mobile for Android.
  • AfW: If you delete some but not all certificates from Okta, the certificates you delete in Okta are deleted from AfW devices. However, if you delete all installed certificates through Okta, none are deleted from AfW devices. Okta is working toward removing this limitation for AfW devices in the next release of Okta Mobile for Android.

Do not add and delete certificates in the same editing session. If you add and delete certificates in a single editing session or in the wrong order, the deletion task will succeed but the add task will fail. In this state, your end users will lose their connection to the WiFi network. If you need to edit a WiFi profile to add one or more certificates and delete one or more certificates, treat adding and deleting as separate operations and edit the profile in the following order:

  1. Click Edit.
  2. Add the certificate(s).
  3. Click Save.
  4. Click Edit again to re-enter edit mode.
  5. Delete the certificate(s) by clicking the X next to the certificate(s).
  6. Click Save.

Configure a WiFi policy

Okta WiFi Policies is Okta's initial WiFi feature. It allows you to configure one or more WiFi policies and push them automatically to end users enrolled in Okta Mobility Management (OMM). This allows end users to join an established WiFi network without having to enter any security information.

Before you begin

WiFi policies are similar to sign-on policies. You can add, delete, and edit WiFi policies and their associated rules.

  • Your can implement either WiFi Policies or WiFi Profiles, but you cannot implement both. The WiFi Policies feature is Generally Available (GA) to most orgs, but it is not available if the WiFi Profiles Early Access (EA) feature is enabled for your org. The features are located in different areas of the Admin console. To determine which WiFi feature your org implements, mouse over this screenshot:

  • The shared key is currently unmasked.
  • Authentication with user credentials is not supported.
  • Certificate-based authentication is not supported.
  • Connection to hidden networks is not supported on Android devices.
  • The WiFi Policies feature supports only one WiFi policy on a device at one time.
    See Configure a WiFi profile to configure multiple WiFi profiles on a device.

Procedure

Create a WiFi policy

  1. Go to SecurityPolicies, and then click the Wifi Config tab.
  2. Click Add New Policy, and then enter the following information:

    3. For new policies

    • Policy Name: Enter a unique name.
    • Policy Description: Enter a description.
    • Assign to groups: Type in the name of the group this policy applies to.

    For all policies

    • SSID: Enter the WiFi network name.
    • Encryption Type: Enter None, WPA/WP2, or WEP.
    • Shared Key: Enter the shared key (password) for this WiFi network.
  3. Click Update, or Create Policy.

Add a rule to a WiFi policy

WiFi rules determine whether users can access a WiFi connection. For orgs in which a Default Policy is present (legacy orgs), WiFi Access is set to Disabled. For new WiFi policies, you need to create at least one active rule where access is enabled. The Default Rule cannot be edited.

  1. Either click the pencil icon to edit an existing rule (for the non-default policy only), or click Add Rule to create a new rule that gives users WiFi access.
  2. Use the Access is drop-down menu to specify that WiFi access is enabled.
  3. Click Update Rule, or Create Rule.
  4. Once you have created a rule, select Status from the drop-down menu to Activate it.