This section describes how to implement Wi-Fi APIs with the Knox SDK.

Turn WI-FI on or off

To prevent users from toggling Wi-Fion or off use .allowWifi with true or false


To disable Wi-Fi background scanning, use .allowWifiScanning. This usage completely disables Wi-Fi background services, even if triggered remotely.

For example, using .allowWifiScanning prevents location accuracy from accessing the connection settings.

These APIs are independent of each other, use both in order to turn off Wi-Fi services completely on a device. See the table below for implementation logic.




allow Wi-Fi and Wi-Fi scanning

wpa_supplicant runs

disallow Wi-Fi and allow Wi-Fi scanning

wpa_supplicant runs


allow Wi-Fi and disallow Wi-Fi scanning

If user turns on Wi-Fi , wpa_supplicant runs

disallow Wi Fi and Wi Fi scanning

wpa_supplicant is killed

Create and manage Wi-Fi profiles

There are two classes in the Knox API that you can use to manage Wi-Fi profiles and settings:

  • WifiAdminProfile: used to create a Wi-Fi profile on the device. For example, network type, user name and password.
  • WifiPolicy: methods to use the previously created Wi-Fi profiles. For example, turn wifi on and off.

See the API references for a list of supported networks types.

Note: When you create a Wi-Fi profile, the provisioned SSID is restricted so no other network can share the same SSID. If an admin profile is deleted, all of their associations are also removed.

Create an open network with SSID

//create EDM object
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context); 

// create Wi-Fi Profile
WifiAdminProfile wifiProfile = new WifiAdminProfile(); 
wifiProfile.ssid = "Company Wi-Fi"; //set ssid = "NONE"; // set security 

// Create the network

Create an EAP-TLS network

//create EDM object 
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);   

//create Wi-Fi profile
Wi-fiAdminProfile wifiProfile = new WifiAdminProfile(); 
wifiProfile.ssid = "PLATFORM"; //set ssid = "EAP-TLS"; //set security
wifiProfile.userIdentity = "test1"; // set username "";
wifiProfile.caCertificate = "test1"; //assuming the CA certificate was installed with alias test1"
wifiProfile.clientCertification = "test1"; // assuming the User certificate was installed with alias test1

// Create the network

Modify a network profile

There are several APIs that you can use to edit an existing network profile.

These APIs allow the admin to modify an existing profile, such as change the security type, from a WPA-PSK network to EAP-TlS. In this scenario the admin can remove the network and then recreate it using setWiFiProfile, or use the API to set the security type, then change the appropriate values.

To illustrate the use of these APIs to manage an existing profile, let's modify the OPEN network type to EAP-TLS.

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context); 

WifiPolicy wp = edm.getWifiPolicy();
// set security level to EAP_TLS
wp.setNetworkLinkSecurity("PLATFORM", "EAP-TLS");

// set user identity

// set ca certificate, assuming it is installed with alias "test1"

// set user certificate, assuming it is installed with alias "test1"

Blacklist Wi-Fi policies

There are two sets of policies which can restrict networks by the their SSID:

  1. addBlockedNetwork and removeBlockedNetwork
    • Blocks the specified SSIDs however they continue to appear in the available network list.
  2. addWifiSsidToBlackList, addWifiSsidToWhiteList, activateWifiSsidRestriction, and complementary methods
    • Allows the admin to selectively block/allow networks. These APIs support the wildcard * making for a flexible operation for the admin. The blocked networks still appear in the available network list.