Create a Device Level Windows WiFi Configuration Policy

Use the WiFi Configuration Policy to remotely deploy WiFi settings to JumpCloud-managed Windows devices. The policy lets you configure WiFi network names (SSIDs), security types (like WPA2-Personal or Enterprise), passwords, and auto-connect settings without user interaction.

Note:

This is a device level policy that applies system-wide to the device and all of its users. You can bind this policy to individual devices or device groups. For policies that apply to a specific user's profile across devices, see Get Started: Policies and Learn More section of this article.

Prerequisites

Considerations

  • No additional action is needed to activate the policy once it is applied to target devices.

Creating the Policy

To create a Wifi Configuration policy for Windows devices, do the following:

Selecting the Policy Template

  1. Log in to the JumpCloud Admin portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  1. Go to Device Management > Policy Management. The Policy Management page is displayed.
  2. On the Policy Management page, click +Add New.
  3. Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
    • Select the Windows tab.
    • Search and select the policy name and click Configure. The Details tab of the policy is displayed.
    • On the Details tab, configure the required policy configuration settings.
    • (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
    • (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.

Configuring the Policy

  • In the Settings section, configure the following policy options:
    • SSID: Name of the wireless network.
      The maximum length of an SSID can be 32 characters. Spaces within the SSID are counted as three characters each. For example, an SSID like "My Network" would use 11 characters (8 for "MyNetwork" and 3 for the space - considering space as %20).
    • Auto-Join: This option enables the device to automatically connect to the Wi-Fi network when in range.
    • Hidden Network: Enable this option to connect to a WiFi network with a hidden SSID. 
    • Security Type: Select the appropriate security protocol that matches your WiFi network's configuration. Additional options appear depending on your selection:
      • Open: Selecting this option enables any device to join the WiFi network.
      • WPA2-Personal AES: Selecting this option displays the Password field where you can enter the password (PSK) for the WiFi network.
      • WPA2-Enterprise / WPA3-Enterprise / WPA3-Personal AES: Selecting any of these options enables the following additional security options:
        • Authentication Mode: Specifies the type of credentials used for authentication. The default value
          • Machine: Select this value to designate the policy as device level. The device authenticates to the network on the basis of the added CA Thumbprint.
          • User: Select this value to designate the policy as user level. The user authenticates to the network on the basis of the added CA Thumbprint.
          • Machine or User: Use machine or user credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, machine credentials are used.
        • CA Thumbprints: This is the root certificate thumbprint and it is a 20-byte SHA1 certificate hash in hexadecimal.
        • Trusted Servers: List of client trusted servers separated by semicolons.
        • Certificate Issuer: Enable this option to enter the root CA thumbprints for the certificates you want to allow on a client for authentication. When this option is selected, the following fields are displayed: 
          • Certificate Issuer CA Thumbprints: Provide the Issuer CA Thumbprint, which is the root certification authority that allows client authentication.
        • Disable User Prompt for Server Validation: Enable this option to automatically trust the server certificate, which will prevent a security prompt.
        • PMK Caching: Enable this option to have the client cache the Pairwise Master Key (PMK) for the network. Caching the PMK allows for faster reconnection to the same network. When this option is selected, the following fields are displayed: 
          • PMK Cache Time to Live: The lifetime of the PMK cache in minutes. Minimum 5mins and maximum 1440 mins are allowed.
          • PMK Cache Size:  Number of entries in PMK cache. Maximum 255 entries are allowed.

Authentication Modes

The Authentication Mode determines the identity scope used during the network authentication handshake. This setting governs whether the device authenticates using device-level (machine) credentials or user-level credentials, and directly affects which certificates, credential prompts, and EAP protocol flows apply.

User Mode

  • Scope: Authenticates the individual user currently logged in to the device.
  • When it applies: This is the authentication mode for Enterprise WiFi policies under User Scoped Policies (e.g., WPA2 Enterprise, WPA3 Enterprise, WPA3 Enterprise 192-bit security types).
  • Behavior: The policy targets the logged-in user's identity. Certificates issued via SCEP are tied to the user's profile.

Machine Mode

  • Scope: Authenticates the device (machine) itself, independent of which user is logged in.
  • When it applies: This is the authentication mode for Enterprise WiFi policies under Device Scoped WiFi Policies. The device connects to the enterprise network using its own machine certificate or machine-level credentials.
  • Behavior: Authentication happens at boot or whenever the device connects, no user login is required. Certificates are issued to the device identity (machine SCEP profile). The network trust is established at the hardware/OS level, not the user session level.

When to Use Which Modes

Scenario Recommended Mode
Individual user needs per-person network access control User
Compliance requires user-level audit trail for network connections User
Shared/kiosk device needs connectivity without user login Machine
Network must be available at boot (pre-login) Machine
RADIUS policies vary by user group or role User
Uniform connectivity for all users on a device Machine

Applying the Policy

  • (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy. 
  • Select the Device Groups tab. Select one or more device groups where you want to apply this policy to. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
  • Or, select the Devices tab. Select one or more devices where you want to apply this policy.
  • Click Create Policy. A success message is displayed indicating the completion of policy creation.

Viewing Policy Status

  1. Select the Status tab.
  2. To see the last Result Log for a device where this policy is applied, click view.

Note:
  • If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case