Minimum Wi-Fi Security Requirement policy isn’t blocking intended Wi-Fi security types

Last updated June 2nd, 2025

Environment

  • Knox Service Plugin
  • Android Enterprise
  • Knox SDK
  • Devices running Android 13 OS and higher
  • Knox 3.9 and higher

Overview

Knox Service Plugin users who have applied the Allow Minimum Wi-Fi Security Requirement policy may notice that Wi-Fi security types lower than the selected minimum aren’t being blocked. For example, after selecting WPA as the minimum, the device can still connect to WEP Wi-Fi networks even though WEP is less secure.

Cause

Starting with Android 13 OS, Google introduced a change to its Wi-Fi security type classifications by grouping types into security levels. The following Wi-Fi security levels are ranked in order of increasing security:

  1. OPEN
  2. Personal
  3. Enterprise EAP
  4. Enterprise 192

On devices running Knox 3.9 (Android 13) and higher, the Allow Minimum Wi-Fi Security Requirement policy is enforced based on security level and not the specific security type:

| Wi-Fi security type       | New Wi-Fi security level |
|---------------------------|--------------------------|
| WEP                       | Personal                 |
| WPA                       | Personal                 |
| PWD                       | Enterprise EAP           |
| PEAP                      | Enterprise EAP           |
| TLS, TTLS, SIM, AKA, AKA' | Enterprise EAP           |

For example, when selecting PEAP from the policy dropdown, Knox Service Plugin will block OPEN and Personal (WEP, WPA) Wi-Fi networks. However, it still allows all Wi-Fi connections from the Enterprise EAP security level and higher, including PWD, PEAP, TLS, etc.
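The following added example (not Samsung or Knox code) models the level-based comparison described above and lists, for a selected minimum, the security types that stay allowed even though they rank below the selected type. The per-type ranking in TYPE_RANK is an assumption taken from the row order of the table above; the function names and the sample network list are constructed for illustration.

```python
# Security levels from the page, lowest to highest.
LEVELS = ["OPEN", "Personal", "Enterprise EAP", "Enterprise 192"]

# Security type -> level, per the page's table. No type on the page maps to
# Enterprise 192, so none is listed here.
TYPE_TO_LEVEL = {"OPEN": "OPEN", "WEP": "Personal", "WPA": "Personal",
                 "PWD": "Enterprise EAP", "PEAP": "Enterprise EAP"}
TYPE_TO_LEVEL.update(dict.fromkeys(["TLS", "TTLS", "SIM", "AKA", "AKA'"],
                                   "Enterprise EAP"))

# ASSUMPTION: the per-type ranking an admin may expect from the dropdown,
# taken from the table's row order (types sharing a row share a rank).
TYPE_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "PWD": 3, "PEAP": 4,
             "TLS": 5, "TTLS": 5, "SIM": 5, "AKA": 5, "AKA'": 5}

def level_index(sec_type):
    return LEVELS.index(TYPE_TO_LEVEL[sec_type])

def allowed_by_level(selected_min, net_type):
    """Level-based check: allowed if the network's level >= the selected level."""
    return level_index(net_type) >= level_index(selected_min)

def enforcement_gap(selected_min):
    """Types ranked below the selected type that level-based enforcement allows."""
    return [t for t in TYPE_RANK
            if TYPE_RANK[t] < TYPE_RANK[selected_min]
            and allowed_by_level(selected_min, t)]

def audit(selected_min, networks):
    """Label each (ssid, type) pair with the outcome under level-based enforcement."""
    gap = set(enforcement_gap(selected_min))
    report = []
    for ssid, sec_type in networks:
        if not allowed_by_level(selected_min, sec_type):
            verdict = "blocked"
        elif sec_type in gap:
            verdict = "allowed, weaker type than selected"
        else:
            verdict = "allowed"
        report.append((ssid, sec_type, verdict))
    return report

# Constructed sample inventory of saved networks (not real data).
SAMPLE_NETWORKS = [("guest", "OPEN"), ("lab-legacy", "WEP"),
                   ("office-psk", "WPA"), ("corp", "PEAP")]

if __name__ == "__main__":
    for row in audit("WPA", SAMPLE_NETWORKS):
        print(row)
```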

The Knox SDK API includes the new security levels in its WifiPolicy class for Knox 3.9 and higher.

Resolution

On devices running Android 13 and higher, Knox Service Plugin enforces the Allow Minimum Wi-Fi Security Requirement policy based on Google’s Wi-Fi security level framework. You can set the policy based on the minimum security level you require.

The Knox Service Plugin team is reorganizing the Allow Minimum Wi-Fi Security Requirement policy menu to align with this new framework in an upcoming release.