Sophos Android Enterprise Device only Mode WI-Fi

is it possible to split out the wifi, SCEP and root cert from the restrictions? so can apply 2 policy to a device in enterprise mode?

we use android devices in enterprise mode (750) of them, we have restrictions, disabled apps, wifi, root cert and SCEP within 1 policy. when installing certs for wifi config the device prompts to install the user cert, so this means we cannot make a restriction policy change as it re-installs the wifi config and again prompts to install the certificate and wont reconnect to wifi until the button is pressed.

so in essence each time we make a restriction change, 750 devices disconnect from the wifi network, as these are healthcare clinical devices this is a major problem.

can anyone suggest a way to create a separate wifi config policy which can be applied along side the additional policy requirements.

many thanks

Keep safe