Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

Blocking In House Public SSID's on iOS

Being able to block certain ssid's within our network. Some students and staff think they are going to gain so much more access with a public network. In our case, our public network has limited bandwidth, stronger filter and causes future problems when they are connected to the public network. If the JSS could add a feature that would block certain ssid's that would resolve a lot of headaches for tech staff.

Order by:

Posted: by bpavlov

Does Apple allow that on iOS though? I think JAMF can only implement what Apple allows. That would indeed be very neat to do though.

On the off chance you haven't considered it, one potential solution is the network team actively blocking wireless MAC Addresses of managed computers so they couldn't connect to the that specific wireless network. I imagine these computers are already managed by you so getting the wireless mac address shouldn't be too hard.


Posted: by sandersonp

Apple does not provide a mechanism for blocking particular SSIDs, but here's a trick that's worked for me. Configure a WiFi payload that has the wrong config for that SSID. E.G. our public WiFi has no security, so I configured the payload for WEP and gave it a bum password. Once those settings are locked in, the user shouldn't be able to join that network, even after forgetting the network.


Posted: by yonith

This bum password for an open SSID does not work. I am on the latest version of JSS as of 3/15/17 and I can say it didn't work for me. We have a visitor network at my workplace, so I configured a payload which applies a bad pw (any pw would be considered bad considering none is required) and set security for WEP. Upon receipt of the payload Wifi will disconnect, but all a user has to do on their IOS device is manually choose that SSID and it will successfully join and work properly anyway.


Posted: by beth.lindner

@yonith @modaffb As of Jamf Pro 9.98 there is an iOS Restriction to "Allow connecting to unmanaged Wi-Fi networks (supervised only)" which prevents users from connecting to any Wi-Fi networks not deployed through Jamf Pro. Does this help solve the struggles presented in this Feature Request? Thanks for the feedback!


Posted: by psd_martinb

Giving a bum password on an open network worked for us. For enrollment, we connect to our guest wifi, then a payload downloads the WPA password for the closed network. Auto switching works seldomly, but adding a wifi payload for the open network with a bad WPA password and unchecking "Auto Join" seems to do the trick. Not worried about blocking the network all together.


Posted: by cdenesha

@beth.lindner We would still need the students to be able to join networks when not at school.


Posted: by cboatwright

This is an important feature request in schools because of how Apple Classroom works - student and teacher devices must be on the same network. Students can hop onto an open, guest SSID to disengage their device from Classroom.

Sending a WiFi config profile with incorrect password does not work if there is no password required to join. Also, sending a bad password when a password is required does not work either - you just get an 'incorrect password' message and are then asked to enter a new one.

Completely blocking unmanaged networks is not a solution for devices that go home with students...


Posted: by twall

I know this likely needs to come from Apple, but I'll second the comments made about needing to be able to blacklist a specific SSID or 2 without blacklisting everything. A whitelist doesn't work for student devices going home. Just preventing access to a campus guest network would eliminate MANY headaches.


Posted: by nick1313

We constantly battle this exact thing because we have a NAC and don't allow our district owned devices to connect to our guest network. They can connect to it, but don't get out to the internet, just a splash page telling them they need to switch back to our private network. If they don't forget the guest network it will auto-join to it when it wakes from sleep because it's the "easiest" to join in the eyes of the iPad.

I've mentioned this to our Apple Engineer a couple times.


Posted: by jray10

I would like to see this on macOS as well. I manage computer labs at a university and the students are always connecting to the SSIDs they find. Naturally everything is wired and this just causes headaches.