Blocking SSID

EliasG
Contributor

Trying to block our public SSID so students on school Macs can't join it and take it off our systems. Any thoughts?


BK
New Contributor III

@EliasG You can push a profile that has that exact SSID but with a bogus password. It will never connect since the credentials are wrong.

You can force wi-off to disable and remove that connection if you are using hard wire.

jjones
Contributor II

Terminal wise going along with @baha_khalil, you could make this following script a policy to run:

#!/bin/bash
# Sets arguments for script
    PreferredNetwork=$4
# Most networks are set to WPA2 for security
    WirelessSecurity=$5
    Password=$6

# Finds the device name of the Wi-Fi hardware port (needed on Ethernet-enabled devices).
    NetworkPort=$(/usr/sbin/networksetup -listallhardwareports | grep -A 1 Wi-Fi | grep Device | cut -d' ' -f2)

# Removes selected SSID and re-adds it with a bogus password.
    /usr/sbin/networksetup -removepreferredwirelessnetwork "$NetworkPort" "$PreferredNetwork"
    /usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$NetworkPort" "$PreferredNetwork" 10 "$WirelessSecurity" "$Password"
    echo "SSID Blocked"

exit 0

Take note of the "10" in the third networksetup command; this is the order number it will be listed at. I believe "if" the list does not reach 10, it should put the Wi-Fi network you list at the end of the line.

Different wireless security options are according to networksetup:
For security type, use OPEN for none, WPA for WPA Personal, WPAE for WPA Enterprise, WPA2 for WPA2 Personal, WPA2E for WPA2 Enterprise, WEP for plain WEP, and 8021XWEP for 802.1X WEP.

bbot
Contributor

I use the script below and set it to ongoing, making it available offline, and setting it to trigger at network state change.

When attempting to connect to the guest network, it turns off wireless, deletes the guest wifi entry, pops up a message telling the user to turn on wireless and connect to the corporate wifi.

#!/bin/bash

##Blocks access to Guest network

#  VARIABLES

# Get the wireless network service (wservice)
wservice=`/usr/sbin/networksetup -listallnetworkservices | grep -Ei '(Wi-Fi|AirPort)'`

# Get the wireless hardware port (whwport)
whwport=`networksetup -listallhardwareports | awk "/$wservice/,/Ethernet Address/" | awk 'NR==2' | cut -d " " -f 2`

# Find the ALL network hardware ports (hwports)
hwports=`networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2`

# Get the wireless network (wirelessnw)
wirelessnw=`networksetup -getairportnetwork $hwports | cut -d " " -f 4`

# Get the SSID
SSID=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep ' SSID:' | cut -d ':' -f 2 | tr -d ' '`

# Work SSID
WorkSSID=XXXXXXX

# Authentication to use eg WPA2 Enterprise
Auth=WPA2E

# Index for SSID
Index=0

# SSIDs to Block
#Block1=XXXXXX

####################################################################################

# Set the preferred wireless network to WorkSSID
/usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$whwport" "$WorkSSID" "$Index" "$Auth"

# Turn the wireless hardware port on
/usr/sbin/networksetup -setairportpower "$whwport" on

# Get the wireless network (wirelessnw)
wirelessnw=`networksetup -getairportnetwork $hwports | cut -d " " -f 4`

# Block  wireless networks

case $wirelessnw in
XXXXXX)
networksetup -setairportpower "$whwport" off

# Remove guest network from preferred network list to prevent endless looping
/usr/sbin/networksetup -removepreferredwirelessnetwork "$whwport" XXXXXX

# Display message telling the user to connect to Corp Wi-Fi
TITLE="Access Denied"
MSG="Please turn on Wi-Fi connect to CORP WIFI"

# The jamfHelper path contains a space, so it must be quoted
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "$TITLE" -description "$MSG" -button1 "Close" -lockHUD -icon /Library/LC/Logo.icns

;;
esac

# Check to see if the JSS is ping-able and if so submit the IP change to the JSS.
# This is useful when using Casper Remote and users are switching between wired and wireless

#if [ "$checkjss" == "The JSS is available." ]; then
#/usr/sbin/jamf log
#fi

exit 0
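
The parsing steps both scripts above depend on, as an added example that is not part of either poster's script: it reads the Wi-Fi device and the joined SSID from networksetup output and keeps SSIDs that contain spaces intact, which `cut -d " " -f 4` does not. The function names and the "Guest WiFi" entry are assumptions made for illustration; "student-access" is the SSID named later in this thread.

```shell
#!/bin/bash
# Added example (not from the thread). Function names and the block list
# are illustrative; replace BLOCKED_SSIDS with your own SSIDs, one per line.
BLOCKED_SSIDS='Guest WiFi
student-access'

# Print the device (e.g. en0) of the Wi-Fi/AirPort hardware port.
# Reads `networksetup -listallhardwareports` output on stdin.
wifi_device() {
    awk -F': ' '
        /^Hardware Port: (Wi-Fi|AirPort)$/ { found = 1; next }
        found && /^Device: /               { print $2; exit }
    '
}

# Print the currently joined SSID, preserving embedded spaces.
# Reads `networksetup -getairportnetwork <device>` output on stdin.
# Returns 1 and prints nothing when the Mac is not associated.
current_ssid() {
    IFS= read -r _line || [ -n "$_line" ]
    case "$_line" in
        *"Network: "*) printf '%s\n' "${_line#*Network: }" ;;
        *) return 1 ;;
    esac
}

# Return 0 only when $1 exactly matches one line of the block list
# (fixed-string, whole-line match, so "Guest" does not match "Guest WiFi").
is_blocked() {
    printf '%s\n' "$BLOCKED_SSIDS" | grep -Fxq -- "$1"
}

# On a Mac, tie the pieces together; changing settings needs root.
if command -v networksetup >/dev/null 2>&1; then
    dev=$(networksetup -listallhardwareports | wifi_device)
    if ssid=$(networksetup -getairportnetwork "$dev" | current_ssid) \
        && is_blocked "$ssid"; then
        networksetup -setairportpower "$dev" off
        networksetup -removepreferredwirelessnetwork "$dev" "$ssid"
        echo "Blocked SSID: $ssid"
    fi
fi
```
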

nadeen_n92
New Contributor II

Thanks for the script, but I'm not getting the notification alert to appear when connecting to the guest Wi-Fi. Any ideas why?

 

kboissonneault
New Contributor

In reply to bbot, thanks for the script! I'm trying to find a way so that our University-owned Macs will not connect to the SSID student-access, and preferably connect to one of our 3 employee-access SSIDs. I'd like this to be an always running offline script on the Macs, is that possible?

bbot
Contributor

@kboissonneault Yes, it is possible to run it when off the network.

Set it to ongoing, make it available offline, and set it to trigger at network state change.

This will cause the script to run anytime there is a network change. Keep in mind this is going to generate lots of log files and people may change networks multiple times daily.

kboissonneault
New Contributor

I did find out how to make it offline, and it does work for denying access to the public SSID. However, the solution I made seems to break the initial employee-access Wi-Fi connection on the log-in screen (achieved using a configuration profile). So I turned the policy off for now until I can figure that one out!