
Prevent Mac OS X from connecting to specific wireless networks

Posted: 2/12/15 at 6:29 PM by tigsict

Hello,

At our school we run two wireless networks on separate SSIDs: one is for staff and student BYOD stuff, which gets limited access to the rest of the network, and the other is for school-owned, domain-bound laptops. We have recently been having some issues where users are joining domain-bound Macs to the BYOD network, which results in them not being able to reach the domain controller and, consequently, not being able to log in. Is there a way we can prevent these laptops from connecting to this specific wireless network or stop them from changing the network settings using Casper? Thanks.

Daniel Oliver


Posted: 2/12/15 at 9:04 PM by Aaron

I was asked to do a very similar thing just yesterday. I had a quick search, and all I could find was this: https://jamfnation.jamfsoftware.com/discussion.html?id=5327

Haven't tried it yet, but it'd be a script that you'd have running at regular intervals (cron/LaunchDaemons?). Although there's a new trigger in JSS 9 for "Network State Change" - you could possibly bind the script to that?

I would love for there to be a way to blacklist an SSID, which would prevent access instead of automatically disconnecting with the above script. If anyone has a way, I'm all ears.

Posted: 2/12/15 at 11:28 PM by Aaron

Just tried it, and it works well. Created a script and a new cached (as in, "Make available offline") policy that is triggered by the "Network State Change" event.

This is what the script looks like (courtesy of the above-mentioned link):

#!/bin/bash

# Wi-Fi device name (e.g. en0) and the SSID it is currently joined to
wifi=$(networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2)
# -f 4- keeps the whole name when the SSID contains spaces
ssid=$(networksetup -getairportnetwork "$wifi" | cut -d " " -f 4-)

case "$ssid" in
    PatientWifi|SecExternal)
        echo "Switching off $ssid SSID..."
        # Power Wi-Fi off, forget the network, then tell the user
        networksetup -setairportpower "$wifi" off
        networksetup -removepreferredwirelessnetwork "$wifi" "$ssid"
        osascript -e 'tell application "System Events" to display alert "blah blah blah" as critical'
        ;;
esac

Posted: 2/13/15 at 5:32 AM by jonnydford

Will these users be administrators on the Macs?

The following will enable the 'require administrator authorisation to change network':

/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES

From here: https://jamfnation.jamfsoftware.com/discussion.html?id=5528

We use the following to remove our Guest network from our Macs for the same reason as you:

#!/bin/bash
sudo networksetup -removepreferredwirelessnetwork en0 GuestNetworkName
exit 0

Note, it'll be en0 for retinas, en1 for non-retinas.

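An added example, not part of any post in this thread: it combines the SSID check from Aaron's script with the preferred-network removal above, but looks up the Wi-Fi device instead of hardcoding en0 or en1 and matches whole SSID names so names with spaces work. The SSID names, function names, the `--apply` switch and the power-cycle step are assumptions of this example; the sample output is constructed.

```shell
#!/bin/bash
# Added example, not code from the thread. SSID names are placeholders.
BLOCKED_SSIDS="GuestNetworkName
BYOD Network"

# stdin: `networksetup -listallhardwareports`; prints the Wi-Fi device (en0, en1)
wifi_device() {
    awk -F': ' '/^Hardware Port: (Wi-Fi|AirPort)/ { found = 1; next }
                found && /^Device: / { print $2; exit }'
}

# stdin: `networksetup -listpreferredwirelessnetworks <dev>`; prints blocked
# SSIDs found there, matching whole names so SSIDs with spaces are handled
blocked_preferred() {
    sed -e '1d' -e 's/^[[:space:]]*//' | grep -Fx -- "$BLOCKED_SSIDS" || true
}

# stdin: `networksetup -getairportnetwork <dev>`; prints the joined SSID, if any
current_ssid() { sed -n 's/^Current [^:]* Network: //p'; }

enforce() {  # run as root on the Mac
    dev=$(networksetup -listallhardwareports | wifi_device)
    [ -n "$dev" ] || { echo "No Wi-Fi device found" >&2; return 1; }
    networksetup -listpreferredwirelessnetworks "$dev" | blocked_preferred |
    while IFS= read -r ssid; do
        networksetup -removepreferredwirelessnetwork "$dev" "$ssid" </dev/null
    done
    joined=$(networksetup -getairportnetwork "$dev" | current_ssid)
    if printf '%s\n' "$joined" | grep -Fxq -- "$BLOCKED_SSIDS"; then
        networksetup -setairportpower "$dev" off   # drop the association
        networksetup -setairportpower "$dev" on    # rejoin a remaining network
    fi
}

# Constructed sample output so the parsers can be checked off a Mac
SAMPLE_PORTS='Hardware Port: Ethernet
Device: en0

Hardware Port: Wi-Fi
Device: en1'
SAMPLE_PREFERRED='Preferred networks on en1:
    SchoolDomain
    BYOD Network
    BYOD'

if [ "${1:-}" = "--apply" ]; then enforce; else
    printf '%s\n' "$SAMPLE_PORTS" | wifi_device
    printf '%s\n' "$SAMPLE_PREFERRED" | blocked_preferred
fi
```

Run without arguments it only parses the sample text and prints the device and the blocked entry; with `--apply` on a Mac it makes the changes.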

Posted: 9/23/15 at 6:05 PM by rmaldon

@Aaron This is great, any ideas on how to change the icon used for the system events popup? Not sure if that's something that can be edited though...

Posted: 9/23/15 at 6:31 PM by Aaron

@rmaldon The final part in the osascript line ("as critical") is the identifier to specify the icon. Although apparently you can use the "with icon" identifier too, i.e. "with icon caution" or "with icon stop". Google tells me you can also pass a file reference to a .icns file.

There's no reason why you couldn't use jamfhelper or cocoadialog though.

Posted: 9/24/15 at 6:41 AM by jarednichols

One thing you may also be able to do is deploy a configuration profile to these Macs. You can do 1 of 2 things:

1: In the configuration profile purposefully put the wrong password for the Wi-Fi network. That way it won't join.

2: Put the correct credentials, but UNCHECK the Auto Join box when making the profile. This way to join the network it would have to be selected from the AirPort menu. It should prevent the system from roaming onto that network.

As always, test test test.