Perusing the AMAPI policies dev docs this afternoon I stumbled upon a new API, WifiSsidPolicy, that will offer organisations the ability to allow or deny certain Wi-Fi networks.


I say "new", it's been in DPM as a device-level API since Android 13, so it's practically 2 years old. But.. that's AMAPI.

It offers two configs:

WIFI_SSID_ALLOWLIST prevents connection to all networks except for the SSID(s) explicitly set by policy.

WIFI_SSID_DENYLIST allows connection to any network except for the SSID(s) explicitly set by policy.

I tried it out this evening, because of course, only to be met unfortunately with absolutely no change in behaviour whatsoever, and my bug reports don't show any sign of new restrictions within the DEVICE_POLICY dump of service. I might have jumped the gun a little on full availability 👀.

Either way, once this launches (read: by the time release notes are live) I can see some pretty obvious use cases for it - Preventing access to all but the corporate/store network for location-bound hardware (dedicated, single use, etc) so it's an offline brick outside of this for Wi-Fi-only devices, or perhaps known risky network SSIDs*, or again those of a corporate network managed devices mustn't connect to should they otherwise have the opportunity.

*Not open networks necessarily, as we can already prevent this with MinimumWifiSecurityLevel to mandate a minimum of WEP/WPA or better.

.. but as with MinimumWifiSecurityLevel, WifiSsidPolicy only applies to company owned devices running 13 or higher, so unfortunately organisations running 12 or older devices without OEMconfig derived network policy restrictions are left to run amok joining every honeypot they find unless configuring Wi-Fi is disabled all together 😅.

Sidenote: I wrote this up in Project IDX - - which seems pretty new and gives me some access to Gemini in a limited context. Not bad for a VSCode clone without proper copy/paste support (that I've experience) so far 😁.