Set up networks for managed devices (Wi-Fi, Ethernet, VPN)

Supported editions for this feature: Business Starter, Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; Essentials; Cloud Identity Free and Premium.

You can set up and configure networks for mobile devices, Chrome OS devices, and Google meeting room hardware. You can configure Wi-Fi, Ethernet, and Virtual Private Network (VPN) access, as well as network certificates for managed devices enrolled in your organization.

When you add a network configuration, you can apply the same network settings for your entire organization, or enforce specific network settings for different organizational units.

Supported device platforms for network configurations

Network type | Supported platforms
Wi-Fi | Android, iOS, Chrome OS devices (by user or device), Google meeting room hardware
Ethernet | Chrome OS devices (by user or device), Google meeting room hardware
VPN | Managed Chrome OS devices

Important considerations for network configuration

  • We recommend that you set up at least one Wi-Fi network for the top organizational unit in your organization and set it to Automatically connect. This setup ensures that devices can access a Wi-Fi network at the sign-in screen.
  • If you leave the password field empty when you set up a network, users can set passwords on their devices. If you specify a password, it's enforced on devices and users can’t edit it.
  • If you need to use static IP addresses on Chrome OS devices in your organization, you can use IP address reservation on your DHCP server. However, DHCP doesn't provide authentication. To track the identity of Chrome OS devices on the network, use a separate authentication mechanism.


Set up a network

Before you begin: If you want to configure a network with a Certificate Authority, add a certificate before you configure the network.

Add a Wi-Fi network configuration

You can automatically add configured Wi-Fi networks to managed devices when the devices are enrolled in mobile management.

Android users need to have the Android Device Policy app or the Google Apps Device Policy installed on their Android 2.2 and later devices. Additional 802.1x Wi-Fi networks are supported only on Android 4.3 and later devices.

For managed iOS devices, the following extensible authentication protocols (EAPs) are supported: Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP), Transport Layer Security (TLS), and Tunneled Transport Layer Security (TTLS).

Note: A mobile device always inherits the user's Wi-Fi network settings. Therefore, you can configure network settings for mobile devices only by organizational unit.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Click Create Wi-Fi network. If you already set up a Wi-Fi network, click Wi-Fi > Add Wi-Fi.
  5. In the Platform access section, select the device platforms that can use this network.
  6. In the Details section, enter the following:
    1. Name—A name for the Wi-Fi that is used to reference it in the Admin console. It doesn’t have to match the network's service set identifier (SSID).
    2. SSID—The Wi-Fi network's SSID. SSIDs are case-sensitive.
    3. (Optional) If your network doesn’t broadcast its SSID, check the This SSID is not broadcast box.
    4. (Optional) To automatically connect devices to this network when it's available, check the Automatically connect box.
    5. Security type—Choose a security type for the network.

      Note: Dynamic WEP (802.1x) is supported only on Chrome OS devices. For Android tablets used with G Suite for Education, you can't use WPA/WPA2 Enterprise (802.1x) during student tablet configuration, but you can set it up manually after you enroll the tablets.

      The next steps depend on the security type you choose.

  7. (Optional) For WEP (insecure) and WPA/WPA2 security types, enter a network security passphrase.
  8. (Optional) For WPA/WPA2 Enterprise (802.1x) and Dynamic WEP (802.1x), choose an EAP for the network and configure the following options:
    1. For PEAP:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Optional) Choose a server Certificate Authority.
    2. For LEAP:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
    3. For EAP-TLS:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Choose a server Certificate Authority.
      3. (Optional) Select the SCEP profile you want to apply to this network.
      4. Enter a client enrollment URL.
      5. Enter one or more values for an Issuer pattern or Subject pattern.
        Each value you specify must exactly match the respective value in the certificate; if they don’t match, the certificate isn’t used. Your server should provide the certificate with the HTML5 keygen tag.
    4. For EAP-TTLS:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Optional) Choose a server Certificate Authority.
      6. (Optional) Select the SCEP profile you want to apply to this network.
    5. For EAP-PWD:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
  9. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct Internet connection—Allow direct Internet access to all websites without using a proxy server. Note: Direct Internet connection isn’t supported on Android tablets used with G Suite for Education.
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces. You can use wildcard characters. For example, to add all variations of google.com, enter *google.com*.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
    2. If you use an authenticated proxy, add all the hostnames on this list to your allowlist.
      Note: Chrome OS supports authenticated proxies for browser traffic only. Chrome OS does not support authenticated proxies for non-user traffic or for traffic coming from Android applications or virtual machines.
  10. (Optional) Under DNS settings, add your static DNS servers.
    Enter one IP address per line. Leave blank to use DNS servers from DHCP.
  11. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add the configuration, it's listed in the Wi-Fi card with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with grey icons. You can also point to each icon to review its status.

Additional notes on setting up Wi-Fi networks

  • After you set up a Wi-Fi network and before you change the password, set up another network so that users get the updated Wi-Fi settings on their devices.
  • Hidden networks can take a while to be identified on Android devices.

Add an Ethernet network configuration

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Click Create Ethernet network. If you already set up an Ethernet network, click Ethernet > Add Ethernet.
  5. In the Platform access section, select the device platforms that can use this network.
  6. In the Details section, enter the following:
    1. Name—A name for the Ethernet network that is used to reference it in the Admin console.
    2. Authentication—Choose the authentication method to use, None or Enterprise (802.1X).
  7. If you chose Enterprise (802.1X), choose an EAP and configure the following options:
    1. For PEAP:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Optional) Choose a server Certificate Authority.
    2. For LEAP:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
    3. For EAP-TLS:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Choose a server Certificate Authority.
      3. Enter a client enrollment URL.
      4. Enter one or more values for an Issuer pattern or Subject pattern.
        Each value you specify must exactly match the respective value in the certificate; if they don’t match, the certificate isn’t used. Your server should provide the certificate with the HTML5 keygen tag.
    4. For EAP-TTLS:
      1. (Optional) Choose the inner protocol to use. Automatic works for most configurations.
      2. (Optional) For Outer identity, enter the user identity to present to the network’s outer protocol. The identity supports username variables.
      3. For Username, enter a username for administering the network. The username supports username variables.
      4. (Optional) Enter a password. The value isn’t visible after you save the configuration.
      5. (Optional) Choose a server Certificate Authority.
    5. For EAP-PWD:
      1. For Username, enter a username for administering the network. The username supports username variables.
      2. (Optional) Enter a password. The value isn’t visible after you save the configuration.
  8. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct Internet connection—Allow direct Internet access to all websites without using a proxy server. Note: Direct Internet connection isn’t supported on Android tablets used with G Suite for Education.
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces. You can use wildcard characters. For example, to add all variations of google.com, enter *google.com*.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
    2. If you use an authenticated proxy, allowlist all the hostnames on this list.
      Note: Chrome OS supports authenticated proxies for browser traffic only. Chrome OS does not support authenticated proxies for non-user traffic or for traffic coming from Android applications or virtual machines.
  9. (Optional) Under DNS settings, add your static DNS servers.
    Enter one IP address per line. Leave blank to use DNS servers from DHCP.
  10. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add the configuration, it's listed in the Ethernet card with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with grey icons. You can also point to each icon to review its status.

Note: Chrome OS supports only one Ethernet network profile due to configuration limitations.

Use a third-party VPN app

Download the app from the Chrome Web Store. You can install and configure third-party VPN apps like any other Chrome app. For details, see Set Chrome policies for one app.

Add a VPN configuration

For managed Chrome OS devices and other devices running Chrome OS.

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Click Create VPN network.
  5. Choose a platform to allow access to this VPN.
  6. Enter VPN details:
    1. Name—A name for the VPN that is used to reference it in the Admin console.
    2. Remote host—In the Remote host box, enter the IP address or the full hostname of the server that provides access to the VPN.
    3. (Optional) To automatically connect devices to this VPN, check the Automatically connect box.
    4. VPN type—Choose a VPN type.
      Note: The Admin console can push only certain OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
    5. If you chose L2TP over IPsec with Pre-Shared Key:
      1. Enter the pre-shared key needed to connect to the VPN. This value isn't visible after you save the configuration.
      2. Enter a username to connect to the VPN. The username supports username variables.
      3. (Optional) Enter a password. If you’re using a username variable, don’t enter a password. Note: This value isn’t visible after you save the configuration.
    6. If you chose OpenVPN:
      1. (Optional) Enter the port to use when connecting to the remote host.
      2. Choose the protocol to use for VPN traffic.
      3. Choose which authorities to allow when authenticating the certificate provided by the network connection.
        Choose from your uploaded certificates.
      4. If the server requires client certificates, check the Use client enrollment URL box and enter one or more values for an Issuer pattern or Subject pattern.
        • The values must exactly match the respective values in the certificate.
        • Configure the server to provide the certificate with the HTML5 keygen tag.
  7. For Username, enter the OpenVPN username (supports username variables) or, to require individual user credentials at sign-in, leave blank.
  8. For Password, enter the OpenVPN password or, to require individual user credentials at sign-in, leave blank.
  9. Configure the network proxy settings:
    1. Select a proxy type:
      • Direct Internet connection—Allow direct Internet access to all websites without using a proxy server. 
      • Manual proxy configuration—Configure a proxy server for all or some of your domains or IP addresses:
        1. Select an HTTP proxy mode. You can configure only the SOCKS host, a single HTTP proxy host for all protocols, or different HTTP proxy hosts for the protocols.
        2. For each host, enter the server host IP address and the port number to use.
        3. To bypass the proxy server (not available for iOS device traffic) and have no proxy for some domains or IP addresses, in the Domains with no proxy field, enter them as a comma-separated list with no spaces. You can use wildcard characters. For example, to add all variations of google.com, enter *google.com*.
      • Automatic proxy configuration—Use a Proxy Server Auto Configuration (.pac) file to determine the proxy server to use. Enter the PAC file URL.
      • Web proxy autodiscovery (WPAD)—Allow devices to discover which proxy to use.
  10. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

After you add the configuration, it's listed in the VPN card with its name, SSID, and the platforms it's enabled on. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with grey icons. You can also point to each icon to review its status.

Configure network credentials by policy

For Chrome and Android devices, you can have the device automatically try to connect to a secure network with username or identity credentials specified by policy. For example, you could specify to use the username or full email address of a signed-in user, so users need only to provide their password to authenticate.

To use this feature on Chrome OS devices, specify one of the following variables in the Username or Outer identity boxes during Enterprise (802.1x), WPA/WPA2 Enterprise (802.1x), Dynamic WEP (802.1x) or VPN configuration.

During 802.1x configuration on devices running Chrome OS, if the ${PASSWORD} variable is specified, the user’s current sign-in password is used to sign in. Otherwise, users are prompted to enter their password to sign in.

Enter the text for the variable exactly as shown in the Variable column in the table below. For example, enter ${LOGIN_ID} to prompt the system to replace this variable with its value, jsmith.

Variable | Value | Supported devices
${LOGIN_ID} | The user's username (example: jsmith). Note: On Chrome OS devices, this variable is only replaced for networks that apply by user. | Android, Chrome
${LOGIN_EMAIL} | The user's full email address (example: jsmith@your_domain.com). Note: On Chrome OS devices, this variable is only replaced for networks that apply by user. | Android, Chrome
${CERT_SAN_EMAIL} | The first rfc822Name Subject Alternate Name field from the client certificate matched to this network based on the Issuer or Subject pattern. This can be different from ${LOGIN_EMAIL} if a non-Google login is used to connect to wireless networks. Supported in Chrome 51 and higher. | Chrome 51 and later
${CERT_SAN_UPN} | The first Microsoft User Principal Name otherName field from the client certificate matched to this network based on the Issuer or Subject pattern. Supported in Chrome 51 and higher. | Chrome 51 and later
${PASSWORD} | The user’s password (example: password1234). | Chrome

Note:

  • ${CERT_SAN_EMAIL} and ${CERT_SAN_UPN} read only the X509v3 Subject Alternate Name from the certificate. Specifically, they don't read any fields from the Subject Name field.
  • If the client certificate is missing the fields indicated for substitution, no substitution occurs and the literal string variable remains in the identity field.
  • Certificate-based substitution only works for Wi-Fi. It does not work for VPN.
  • For Chrome 68 and later, automatic connection and authentication using the ${PASSWORD} variable works on all devices. For Chrome 66 and 67, it works on enrolled devices only.
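
The substitution rules in the table and notes above, modelled as an added Python example (not Google's code). The function names, the dictionary keys and the sample values are assumptions made for illustration; ${PASSWORD} is passed through untouched because only the identity variables are modelled.

```python
import re

# Any ${...} token, so that typos such as ${login_id} are reported as well.
VARIABLE = re.compile(r"\$\{[^}]*\}")

# Identity variables from the table, mapped to hypothetical lookup keys.
LOGIN_VARS = {"${LOGIN_ID}": "login_id", "${LOGIN_EMAIL}": "login_email"}
CERT_VARS = {"${CERT_SAN_EMAIL}": "san_email", "${CERT_SAN_UPN}": "san_upn"}


def resolve(template, platform, network_type, scope, user=None, cert=None):
    """Return (identity, unresolved) for a Username or Outer identity value.

    platform: "chrome" or "android"; network_type: "wifi", "ethernet" or "vpn";
    scope: "user" or "device"; user and cert hold the values available.
    """
    user, cert = user or {}, cert or {}
    unresolved = []

    def substitute(match):
        var, value = match.group(0), None
        if var == "${PASSWORD}":
            return var  # not an identity variable; left for the password field
        if var in LOGIN_VARS:
            # Android and Chrome; on Chrome OS only for networks applied by user.
            if platform == "android" or (platform == "chrome" and scope == "user"):
                value = user.get(LOGIN_VARS[var])
        elif var in CERT_VARS:
            # Chrome only, Wi-Fi only, and only the first matching SAN entry.
            if platform == "chrome" and network_type == "wifi":
                entries = cert.get(CERT_VARS[var]) or []
                value = entries[0] if entries else None
        if value is None:
            unresolved.append(var)
            return var  # no substitution: the literal text stays in the field
        return value

    return VARIABLE.sub(substitute, template), unresolved


def literal_variables(identity):
    """Authentication-server side: variables that arrived unreplaced."""
    return VARIABLE.findall(identity)


if __name__ == "__main__":
    # Constructed sample values.
    user = {"login_id": "jsmith", "login_email": "jsmith@example.com"}
    cert = {"san_email": ["jsmith@example.com"]}  # no UPN entry in this cert
    cases = [
        ("${LOGIN_ID}", "chrome", "wifi", "user"),
        ("${LOGIN_EMAIL}", "chrome", "wifi", "device"),
        ("${CERT_SAN_EMAIL}", "chrome", "wifi", "user"),
        ("${CERT_SAN_EMAIL}", "chrome", "vpn", "user"),
        ("${CERT_SAN_UPN}", "chrome", "wifi", "user"),
    ]
    for template, platform, net, scope in cases:
        identity, missing = resolve(template, platform, net, scope, user, cert)
        print(f"{template:20} {net:5} {scope:7} -> {identity:22} unresolved={missing}")
```

Running `literal_variables` over the identities recorded by the authentication server shows which configurations are sending an unreplaced variable instead of a user identity.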

Add and manage certificates

Important considerations for certificates:

  • On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.
  • On Chrome OS version 73 and later, certificates added to an organizational unit are available to network settings, kiosk apps, and managed guest sessions on devices.
  • Some configurations using PEAP, TLS, and TTLS need server-side certificates to ensure accessibility.
  • To use certificates for an EAP Wi-Fi network, the device must be secured with a password, PIN, or pattern verification.
  • Do not upload certificates containing private keys.

Safe searching

If you deploy a proxy on your web traffic, it may be possible to configure your proxy to append safe=strict to all search requests sent to Google. This parameter enables strict SafeSearch for all searches, regardless of the setting on the Search Settings page. However, the parameter doesn’t work on searches that use SSL search. Learn how to prevent SSL searches from bypassing your content filters.

Add or delete a certificate

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click Certificates.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. To add a certificate:
    1. Click Add Certificate.
    2. Enter a name for the certificate.
    3. Click Upload, select the PEM file, and click Open.
    4. Select the platforms that the certificate is a Certificate Authority for.
    5. Click Add.

To remove a certificate, go to the table of certificates, point to the row, and click Delete.
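
A pre-upload check for the PEM file chosen in the Upload step, enforcing the rule above not to upload certificates containing private keys. This is an added example, not Google's tooling: it inspects PEM structure only (it does not parse X.509), the function names are assumptions, and the sample blocks are constructed placeholder bytes rather than real certificates or keys.

```python
import base64
import binascii
import re

# A complete PEM block: BEGIN <label>, base64 body, END <same label>.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Any private-key BEGIN marker, even when its END marker is missing.
KEY_MARKER = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")


def inspect_pem(text):
    """Classify every PEM block found in the file contents."""
    report = {"certificates": 0, "private_keys": [], "other": [], "malformed": []}
    for label, body in PEM_BLOCK.findall(text):
        if label.endswith("PRIVATE KEY"):
            report["private_keys"].append(label)
            continue
        if label != "CERTIFICATE":
            report["other"].append(label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = b""
        # A DER-encoded certificate starts with a SEQUENCE tag (0x30).
        if der[:1] == b"\x30":
            report["certificates"] += 1
        else:
            report["malformed"].append(label)
    # A truncated key block is still key material in the file.
    if len(KEY_MARKER.findall(text)) > len(report["private_keys"]):
        report["private_keys"].append("UNTERMINATED PRIVATE KEY")
    return report


def safe_to_upload(text):
    """True only for files that hold certificates and nothing else."""
    r = inspect_pem(text)
    return (r["certificates"] >= 1 and not r["private_keys"]
            and not r["other"] and not r["malformed"])


def make_pem(label, der):
    """Build a PEM block from raw bytes (used for the constructed samples)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed placeholders: a bare DER SEQUENCE, not a real certificate or key.
SAMPLE_CA = make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_KEY = make_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    for name, text in [("ca only", SAMPLE_CA), ("ca + key", SAMPLE_CA + SAMPLE_KEY)]:
        print(name, safe_to_upload(text), inspect_pem(text))
```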

Manage network configurations

You can change or delete an existing VPN, Wi-Fi, or Ethernet network configuration.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. Select the organizational unit that the network is configured for.
  4. Click the type of network configuration you want to change or delete.

    The card contains a searchable table of the configurations for that type of network. In the Enabled On column, the configuration is enabled for platforms with blue icons and disabled for platforms with grey icons. You can also point to each icon to review its status.

  5. To edit an existing configuration, click the network, make your changes, and click Save.
  6. To remove a network configuration from an organizational unit, click Remove to the right of the network. This option is available only if the configuration was added directly to the organizational unit. 

    To remove a network configuration that a child organizational unit inherited from the parent organizational unit, select the child organizational unit, open the configuration for editing, and uncheck all the platforms. The configuration still appears in the list, but it isn't applied to any devices in the child organizational unit. 
  7. Click Save Changes.

Use auto-connect features

Auto-connect Chrome OS devices to managed networks

You can configure your Chrome OS devices or other devices running Chrome OS to connect to a network automatically. When you enable this option, Chrome OS devices can automatically connect only to Wi-Fi networks that you configure for your organization.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Click General Settings > Auto-connect.
  5. Check the Only allow managed networks to auto-connect box.
  6. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Note: Even when this setting is enabled, users can still manually connect their Chrome OS devices to an unmanaged network by plugging an Ethernet cable into their device. Once an Ethernet cable is plugged in, the OS will automatically connect to the available network regardless of whether they're signed in to a managed profile or not.

How auto-connect works for EAP-TLS networks on devices running Chrome 40+

If you connect to an EAP-TLS (client-certificate backed network) on Chrome OS devices running Chrome 40 and later, your Chrome OS devices do the following:

  • Automatically connect to EAP-TLS (client-certificate backed network) after an extension installs client certificates.
  • After first login (even with Ephemeral mode), if there is a device certificate and an EAP-TLS network, automatically switch again to the certificate-backed network.
  • If any device-wide managed network was configured in the Admin console (not necessarily certificate-backed), automatically connect at the login screen to the managed network with the 'highest' security.

How auto-connect works for non-EAP-TLS networks on devices running Chrome 40+

For an 802.1X network that isn't EAP-TLS and has unique credentials associated with each user, each user must manually connect to the 802.1X network the first time they sign in on that device. This manual setup is required even if you enable the auto-connect setting and configure the credentials with variables. After the user connects manually for the first time, the credentials are stored in their profile on the device. On future logins, they are automatically connected to the network.

How auto-connect networks are selected

Applies to Chrome version 72 and later.

If you enable auto-connect and multiple networks are available, your Chrome OS device chooses a network based on the following priorities in this order. If multiple networks satisfy a rule, the device breaks the tie by applying the next rule on the list.

  1. Technology -- Devices prefer Ethernet networks over Wi-Fi networks.
  2. Managed -- Devices prefer managed networks configured using policies, over unmanaged networks with user/device configurations.
  3. Security level -- Devices prefer networks secured through TLS over networks secured through PSK. Devices choose open networks only if no TLS or PSK networks are available.
  4. Profile -- Devices prefer networks that are configured at the user profile level over networks configured at the device level.
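
The four rules above read as a lexicographic ordering, shown here as an added Python example (not Chrome OS code). The class, the rank tables and the sample networks are assumptions; unauthenticated Ethernet is modelled as "open", and the `only_managed_autoconnect` flag models the Only allow managed networks to auto-connect setting, which the page says restricts Wi-Fi but not a plugged-in Ethernet cable.

```python
from dataclasses import dataclass

# Rank tables for the rules above; a lower rank is preferred.
TECHNOLOGY = {"ethernet": 0, "wifi": 1}
SECURITY = {"tls": 0, "psk": 1, "open": 2}
PROFILE = {"user": 0, "device": 1}
RULES = ("Technology", "Managed", "Security level", "Profile")


@dataclass(frozen=True)
class Network:
    name: str
    technology: str  # "ethernet" or "wifi"
    managed: bool    # configured by policy in the Admin console
    security: str    # "tls", "psk" or "open"
    profile: str     # "user" or "device"


def priority_key(net):
    """Each later field only breaks ties left by the earlier ones."""
    return (
        TECHNOLOGY[net.technology],
        0 if net.managed else 1,
        SECURITY[net.security],
        PROFILE[net.profile],
    )


def choose(networks, only_managed_autoconnect=False):
    """Return the preferred network, or None if nothing may auto-connect."""
    candidates = [
        n for n in networks
        if not (only_managed_autoconnect and n.technology == "wifi" and not n.managed)
    ]
    return min(candidates, key=priority_key, default=None)


def deciding_rule(a, b):
    """Name the first rule on which two networks differ (None if identical)."""
    for rule, rank_a, rank_b in zip(RULES, priority_key(a), priority_key(b)):
        if rank_a != rank_b:
            return rule
    return None


# Constructed sample environment.
SAMPLE = {n.name: n for n in [
    Network("corp-eap-tls", "wifi", True, "tls", "device"),
    Network("corp-psk", "wifi", True, "psk", "user"),
    Network("home-wifi", "wifi", False, "psk", "user"),
    Network("cafe-open", "wifi", False, "open", "user"),
    Network("wall-jack", "ethernet", False, "open", "device"),
]}

if __name__ == "__main__":
    everything = list(SAMPLE.values())
    wifi_only = [n for n in everything if n.technology == "wifi"]
    print("all networks:      ", choose(everything).name)
    print("managed-only flag: ", choose(everything, only_managed_autoconnect=True).name)
    print("no cable plugged:  ", choose(wifi_only).name)
    print("tls vs psk decided by:",
          deciding_rule(SAMPLE["corp-eap-tls"], SAMPLE["corp-psk"]))
```

In this model the unmanaged Ethernet connection wins even with the managed-only setting enabled, because Technology is evaluated before Managed.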

Next steps

For more information about deploying Wi-Fi and networking for Chrome OS devices, including setting up TLS or SSL content filters, see Enterprise networking for Chrome devices.

Accessibility: Network management settings are accessible by screen readers. For details, see Google Accessibility and the Admin guide to accessibility. To report issues, see Google Accessibility Feedback.
