Enhancing Wi-Fi Security and Control with MaaS360 Android App v8.90
With the release of MaaS360 Android Agent version 8.90, new Wi-Fi restriction policies have been introduced to provide IT administrators with enhanced control over Wi-Fi settings on Android 13+ devices. These new policies leverage Google's latest Android 13 APIs, offering improved security and network management capabilities.
Why These Changes Were Introduced
As organizations increasingly rely on mobile devices for business operations, securing Wi-Fi connections has become crucial. Open and unsecured Wi-Fi networks pose significant risks, including data breaches and unauthorized access.
To mitigate these risks, Google introduced new APIs in Android 13 that enhance Wi-Fi security and network control. MaaS360 has integrated these APIs in version 8.90 to provide admins with better control over device connectivity.
New Wi-Fi Restrictions in MaaS360 Portal
Location in Portal:
Android Enterprise Policy → Android Enterprise Settings → Restrictions → Network Restrictions
1. Allow or Block Wi-Fi Networks by SSID
Description:
Admins can define lists of either Allowed or Blocked Wi-Fi SSIDs.
- Selecting Allowed Wi-Fi Networks ensures devices can only connect to specified SSIDs.
- Selecting Blocked Wi-Fi Networks prevents devices from connecting to those specific networks.
Use Case:
This policy is ideal for organizations that want to:
- Prevent employees from connecting to unsecured or public networks (e.g., cafés, airports).
- Ensure corporate devices connect only to approved office or home networks.
Configuration Caution:
- Carefully specify correct Wi-Fi SSIDs.
- With the Allowed Wi-Fi Networks option, every SSID that is not on the list is blocked. Incorrect entries may leave devices with no connectivity at all if mobile data is unavailable.
Supported On: Android 13+ (Device Owner, DO) with MaaS360 Agent 8.90+
2. Minimum Wi-Fi Security Level
Description:
This policy allows admins to define the minimum acceptable security standard for Wi-Fi connections. Any Wi-Fi network below the selected security level will be blocked.
Available Security Levels:
- Open
  - Description: No encryption or authentication.
  - Common Use Cases: Public and guest Wi-Fi networks such as those in cafés, airports, and hotels.
  - Risk: Data is transmitted unencrypted, making it vulnerable to eavesdropping and attacks like man-in-the-middle (MITM).
- Personal
  - Description: Includes WEP, WPA, WPA2-Personal, and WPA3-Personal. Uses a pre-shared key (PSK) for authentication.
  - Common Use Cases: Suitable for home networks and small business environments.
  - Security Note: While WPA2-Personal and WPA3-Personal are secure, WEP is outdated and highly vulnerable to attacks. Because this level includes WEP, selecting Personal as the minimum does not exclude WEP networks.
- Enterprise EAP
  - Description: Enterprise Wi-Fi using 802.1X authentication with Extensible Authentication Protocol (EAP) methods such as:
    - PEAP (Protected EAP)
    - EAP-TLS (Transport Layer Security)
    - EAP-TTLS (Tunneled TLS)
    - EAP-SIM, EAP-FAST, etc.
  - Common Use Cases: Used in corporate, government, and university networks requiring user authentication via a RADIUS server.
  - Security Note: Stronger than Personal networks due to individual user credentials and encryption certificates.
- Enterprise 192
  - Description: The highest security level, utilizing WPA3-Enterprise with 192-bit encryption.
  - Common Use Cases: Military, financial institutions, and high-security corporate environments requiring robust encryption.
  - Security Note: Provides improved cryptographic strength and protection against brute force and dictionary attacks.
Configuration Caution:
- Selecting a higher security level may block essential networks if they don’t meet the criteria.
- Before applying this policy, ensure that critical Wi-Fi networks are configured to meet the selected security standard.
Supported On: Android 13+ (DO) with MaaS360 Agent 8.90+
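A pre-deployment check for the SSID list and Minimum Wi-Fi Security Level policies above, added here as an example and not MaaS360 or Android code: it models the blocking rules as stated on this page over a constructed network inventory and reports which business-critical networks a planned policy would cut off. The inventory labels, the `required` flag, and the assumption that both policies apply together are illustrative.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):          # the page's four levels, weakest to strongest
    OPEN = 0
    PERSONAL = 1
    ENTERPRISE_EAP = 2
    ENTERPRISE_192 = 3

# Assumed inventory labels, mapped to the level each falls under on this page.
LEVEL_OF = {
    "open": Level.OPEN, "wep": Level.PERSONAL, "wpa": Level.PERSONAL,
    "wpa2-personal": Level.PERSONAL, "wpa3-personal": Level.PERSONAL,
    "802.1x-eap": Level.ENTERPRISE_EAP, "wpa3-enterprise-192": Level.ENTERPRISE_192,
}

@dataclass(frozen=True)
class Network:
    ssid: str
    security: str
    required: bool = False     # business-critical, must stay reachable

def evaluate(networks, min_level, mode=None, ssids=()):
    """Map each SSID to (verdict, reason). mode: 'allow', 'block' or None."""
    listed = set(ssids)        # SSIDs are case-sensitive: exact match only
    out = {}
    for n in networks:
        level = LEVEL_OF[n.security]
        if mode == "allow" and n.ssid not in listed:
            out[n.ssid] = ("blocked", "not on allowed list")
        elif mode == "block" and n.ssid in listed:
            out[n.ssid] = ("blocked", "on blocked list")
        elif level < min_level:
            out[n.ssid] = ("blocked", f"{level.name} below {min_level.name}")
        else:
            note = "WEP still counts as PERSONAL" if n.security == "wep" else ""
            out[n.ssid] = ("allowed", note)
    return out

def lockout_risks(networks, verdicts):  # required networks the policy cuts off
    return sorted(n.ssid for n in networks if n.required and verdicts[n.ssid][0] == "blocked")

# Constructed sample inventory, not real networks.
SAMPLE = [
    Network("Corp-HQ", "802.1x-eap", required=True),
    Network("Corp-Warehouse", "wpa2-personal", required=True),
    Network("Scanner-Legacy", "wep"),
    Network("Airport-Free", "open"),
]
```

Running `lockout_risks(SAMPLE, evaluate(SAMPLE, Level.ENTERPRISE_EAP))` flags the required WPA2-Personal network before the policy reaches devices; a mistyped entry in an allowed list is flagged the same way.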
3. Allow Configuring Wi-Fi
Description:
Determines whether users can manually add new Wi-Fi configurations.
Use Case:
- Prevents end users from connecting to unauthorized or rogue networks.
- Suitable for corporate environments where Wi-Fi configurations are centrally managed.
Configuration Caution:
Disabling this policy may result in devices losing internet connectivity if no Wi-Fi SSIDs are preconfigured via policy. Ensure critical Wi-Fi SSIDs are already pushed through MaaS360 policies before disabling this option.
Supported On: Android 13+ (DO) with MaaS360 Agent 8.90+
4. Allow Change Wi-Fi State
Description:
Controls whether users can enable or disable Wi-Fi on their devices.
Use Case:
- Ensures employees cannot accidentally turn off Wi-Fi, which could disrupt critical business apps reliant on connectivity.
- Useful in industries like logistics or retail, where continuous Wi-Fi connectivity is essential.
Supported On: Android 13+ (DO) with MaaS360 Agent 8.90+
5. Allow Wi-Fi Direct (Updated Policy)
Description:
Previously supported only for Samsung KNOX (SAFE 4.0+). Now expanded to support all Android 13+ devices with DO enrollment.
Use Case:
- Restricts users from bypassing enterprise networks via peer-to-peer Wi-Fi connections.
- Prevents unauthorized data sharing or file transfers over Wi-Fi Direct.
Supported On: Android 13+ (DO) with MaaS360 Agent 8.90+
6. Allow Wi-Fi Tethering
Description:
Controls whether users can enable and configure Wi-Fi tethering and portable hotspots.
Use Case:
- Prevents employees from sharing corporate network access with unauthorized personal devices.
- Helps reduce bandwidth consumption and minimizes security risks from external devices.
Supported On: Android 13+ (DO) with MaaS360 Agent 8.90+
7. Restrict Sharing Wi-Fi
Location in Portal:
Android Enterprise Policy → Android Enterprise Settings → Wi-Fi Settings
Description:
Restricts users from sharing admin-configured Wi-Fi networks.
Use Case:
- Prevents users from sharing secured Wi-Fi credentials with unauthorized users.
- Critical for protecting sensitive enterprise network details.
Supported On: Android 13+ (Profile Owner (PO) and Device Owner (DO)) with MaaS360 Agent 8.90+
Key Benefits of These Changes
✅ Enhanced Security: Limiting network connections based on SSID or security level reduces exposure to unsecured networks and potential data risks.
✅ Improved Network Control: Administrators can enforce strict Wi-Fi policies, ensuring only authorized networks are accessible.
✅ Better User Experience: Preventing manual Wi-Fi configuration changes or tethering keeps users focused on approved connectivity options.
✅ Compliance Support: Enforcing security levels like WPA3-Enterprise ensures adherence to industry standards and corporate security policies.
Key Configuration Recommendations for Admins
🔹 Allowed/Blocked SSIDs: Carefully configure SSIDs to avoid accidental connectivity loss.
🔹 Minimum Security Level: Review existing corporate networks to ensure they meet the desired security level.
🔹 Wi-Fi Configuration Control: Before disabling this option, verify that required Wi-Fi SSIDs are already preconfigured on devices.
🔹 Tethering & Wi-Fi Direct: For organizations with strict data security policies, disabling these options can help minimize security risks.
By implementing these enhanced Wi-Fi restrictions, organizations can achieve greater control over network security and ensure safer mobile device connectivity in their environment.