Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Prevent Mac OS X from connecting to specific wireless networks


At our school we run two wireless networks on separate SSID's, one is for staff and student BYOD stuff which gets limited access to the rest of the network and the other is for school owned domain bound laptops. We have recently been having some issues where users are joining domain bound Macs to the BYOD network which results in them not being able to reach the domain controller and consequently, not being able to log in. Is there a way we can prevent these laptops from connecting to this specific wireless network or stop them from changing the network settings using casper? Thanks.

Daniel Oliver

Like Comment
Order by:
SOLVED Posted: by Aaron

I was asked to do a very similar thing just yesterday. I had a quick search, and all I could find was this:

Haven't tried it yet, but it'd be a script that you'd have running at regular intervals (cron/LaunchDaemons?). Although there's a new trigger in JSS 9 for "Network State Change" \- you could possibly bind the script to that?

I would love for there to be a way to blacklist an SSID, which would prevent access instead of automatically disconnecting with the above script. IF anyone has a way, I'm all ears.

SOLVED Posted: by Aaron

Just tried it, and it works well. Created a script and a new cached (as in, "Make available offline") policy that is triggered by the "Network State Change" event.

This is what the script looks like (courtesy of the above-mentioned link):


wifi=`networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2`
ssid=`networksetup -getairportnetwork $wifi | cut -d " " -f 4`

case $ssid in
        echo "Switching off PatientWifi SSID..."
        networksetup -setairportpower $wifi off
        networksetup -removepreferredwirelessnetwork $wifi $ssid
        osascript -e 'tell application "System Events" to display alert "blah blah blah" as critical'
SOLVED Posted: by jonnydford

Will these users be administrators on the Macs?

The following will enable the 'require administrator authorisation to change network':

/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES

From here:

We use the following to remove our Guest network from our Macs for the same reason as you:

sudo networksetup -removepreferredwirelessnetwork en0 GuestNetworkName
exit 0

Note, it'll be en0 for retinas, en1 for non-retinas.

SOLVED Posted: by rmaldon

@Aaron This is great, any ideas on how to change the icon used for the system events popup? Not sure if thats something that can be edited though...

SOLVED Posted: by Aaron

@rmaldon The final part in the osascript line ("as critical") is the identifier to specify the icon. Although apparently you can use the "with icon" identifier too, ie; "with icon caution" or "with icon stop". Google tells me you can also pass a file reference to a .icns file.

There's no reason why you couldn't use jamfhelper or cocoadialog though.

SOLVED Posted: by jarednichols

One thing you may also be able to do is deploy a configuration profile to these macs. You can do 1 of 2 things:

1: In the configuration profile purposefully put the wrong password for the Wi-Fi network. That way it won't join.

2: Put the correct credentials, but UNCHECK the Auto Join box when making the profile. This way to join the network it would have to be selected from the AirPort menu. It should prevent the system from roaming onto that network.

As always, test test test.