Solved

Allow Standard User to remove Wi-Fi networks with prompt

  • September 13, 2022
  • 20 replies
  • 779 views


We set our users to be Standard users on their Macs, which prevents them from being able to delete Wi-Fi SSIDs. Sometimes, we've needed to allow them to do so, so we have a script in Self Service that will delete a known SSID when run.

#!/bin/sh

## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

## Run an SSID removal if it's present
networksetup -removepreferredwirelessnetwork "$WirelessPort" "NAMEOFTHESSID" 2>/dev/null

But we've run into a situation where a work-from-home user wants to delete an SSID from their home network, etc. I was wondering if there's a way to have a script that would allow the user to choose from existing "preferred wireless networks" SSIDs and choose which one to delete? That way, we could just have one "Remove Wi-Fi Networks" item in Self Service, and users could remove whichever one they want.
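
The picker the question asks for, as an added example that is not part of the original thread: it lists the saved SSIDs, shows them in a dialog for the logged-in user, and removes only a choice that exactly matches a saved name. The function names and prompt text are assumptions, and it is meant to run as root from a Self Service policy.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and prompt text are assumed.
TAB=$(printf '\t')

# Turn `networksetup -listpreferredwirelessnetworks <port>` output (stdin) into
# one SSID per line: drop the header line and the single leading tab.
parse_preferred_networks() {
    sed -e '1d' -e "s/^${TAB}//" -e '/^$/d'
}

# True only if $1 is exactly one line of the SSID list in $2 (fixed-string,
# whole-line match), so only a name that is really saved reaches networksetup.
is_saved_ssid() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Show the picker in the console user's session. SSIDs are passed as argv, never
# spliced into the AppleScript source, because an SSID is untrusted text.
choose_ssid() {
    user=$(stat -f%Su /dev/console)
    uid=$(id -u "$user")
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $1; set +f
    IFS=$old_ifs
    launchctl asuser "$uid" sudo -u "$user" /usr/bin/osascript \
        -e 'on run argv' \
        -e 'set c to choose from list argv with prompt "Wi-Fi network to remove:"' \
        -e 'if c is false then return ""' \
        -e 'return item 1 of c' \
        -e 'end run' "$@"
}

main() {
    port=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
    saved=$(networksetup -listpreferredwirelessnetworks "$port" | parse_preferred_networks)
    if [ -z "$saved" ]; then echo "No saved networks on $port"; return 0; fi
    choice=$(choose_ssid "$saved")
    if is_saved_ssid "$choice" "$saved"; then
        networksetup -removepreferredwirelessnetwork "$port" "$choice"
    else
        echo "Nothing removed"
    fi
}

# Only act where networksetup exists (a Mac); elsewhere just define the functions.
if command -v networksetup >/dev/null 2>&1; then main; fi
```

A cancelled dialog returns an empty string, which fails the saved-name check, so nothing is removed.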

20 replies

stevewood
  • Hall of Fame
  • Answer
  • September 13, 2022

You can actually allow standard users to edit the wi-fi list themselves without using Self Service. If you make a change to the authorizationdb using the security binary, they can delete SSIDs themselves. These are the commands:

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow

This was provided in this JN post:

https://community.jamf.com/t5/jamf-pro/changing-preferred-wifi-networks-without-admin-rights/m-p/139519

 

 

 


  • Author
  • Contributor
  • September 13, 2022

Steve, that almost works: it unlocks the networking pane, but it seems it still requires admin credentials to remove the Wi-Fi network. A Self Service script with a prompt/dropdown list would be run as an admin through Jamf. It does work, needed the 

/usr/bin/security authorizationdb write com.apple.wifi allow

line. Thanks!


markanderson
  • New Contributor
  • October 27, 2022

Steps to "Allow Standard User to remove Wi-Fi networks with prompt"

(i). Click the Start button in the bottom left corner of the screen.
(ii). Type "network and" and select Network and Sharing Center from the search result.
(iii). Select Manage wireless networks.
(iv). Select the Wi-Fi profile you want to delete then select the Remove button.
(v). Select Yes to confirm.


  • New Contributor
  • February 7, 2023


Thanks for this. Do you know how to reverse this? Just change everything from allow to deny?
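
One way to make the change reversible, as an added example that is not from the thread: save each right's current rule with `security authorizationdb read` before writing `allow`, then write the saved rule back to undo it. The backup directory, function names and the `allow`/`restore` arguments are assumptions, and a right that cannot be read is treated as not having existed.

```sh
#!/bin/sh
# Added example (not from the thread): snapshot each right before writing "allow",
# so the change can be undone by writing the saved rule back.
umask 077
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
BACKUP_DIR="${BACKUP_DIR:-/var/root/authdb-backup}"   # assumed root-only location
RIGHTS="system.preferences.network system.services.systemconfiguration.network com.apple.wifi"

# Save the current rule once. A second run must not replace the original snapshot
# with the already-loosened rule. A right that cannot be read is recorded as absent.
backup_right() {
    mkdir -p "$BACKUP_DIR" || return 1
    if [ -e "$BACKUP_DIR/$1.plist" ] || [ -e "$BACKUP_DIR/$1.absent" ]; then
        return 0
    fi
    if "$SECURITY_BIN" authorizationdb read "$1" > "$BACKUP_DIR/$1.tmp" 2>/dev/null; then
        mv "$BACKUP_DIR/$1.tmp" "$BACKUP_DIR/$1.plist"
    else
        rm -f "$BACKUP_DIR/$1.tmp"
        : > "$BACKUP_DIR/$1.absent"
    fi
}

# Refuse to loosen a right that has no snapshot.
allow_right() {
    backup_right "$1" || return 1
    "$SECURITY_BIN" authorizationdb write "$1" allow 2>/dev/null
}

# Put back exactly what was there: rewrite the saved plist, or remove a right
# that did not exist before.
restore_right() {
    if [ -s "$BACKUP_DIR/$1.plist" ]; then
        "$SECURITY_BIN" authorizationdb write "$1" < "$BACKUP_DIR/$1.plist" 2>/dev/null
    elif [ -e "$BACKUP_DIR/$1.absent" ]; then
        "$SECURITY_BIN" authorizationdb remove "$1" 2>/dev/null
    else
        echo "no snapshot for $1; leaving it unchanged" >&2
        return 1
    fi
}

apply_all()   { for r in $RIGHTS; do allow_right "$r"   || return 1; done; }
restore_all() { for r in $RIGHTS; do restore_right "$r" || return 1; done; }

# Usage: script allow | script restore   (run as root, e.g. from a Jamf policy)
case "${1:-}" in
    allow)   apply_all ;;
    restore) restore_all ;;
esac
```

The snapshots also serve as a record of what each right looked like before the policy ran, which helps when auditing a Mac later.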



Does anyone have a solution for macOS Ventura? After I performed the below, users are able to delete WiFi networks, but they still get a prompt to fill in admin credentials (which is not required to remove the WiFi network).

/usr/bin/security authorizationdb write system.preferences.network allow

/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

/usr/bin/security authorizationdb write com.apple.wifi allow


  • New Contributor
  • July 31, 2023


same experience here @Joostvantwout. on ventura, removes the network, but still gives the credential prompt and requires you to hit Cancel to get rid of the prompt because it won't accept creds since it's looking for admin. i'm going to submit a case to jamf and see if they are able to provide any insight into doing this on ventura without getting the prompt.


  • Contributor
  • August 16, 2023


Getting the same thing here. macOS 13.x


  • New Contributor
  • August 16, 2023

hey everyone, think i've got a solution to the ventura issue. jamf support pointed me to this discussion: https://macadmins.slack.com/archives/C04QVP86E/p1672865513668839.

combining that with the discussion on this thread, i was able to cobble together this script which seems to work well for allowing users to modify network settings with no prompts for creds. let me know if you folks have any luck with it or not.

#!/bin/zsh

# Variables
SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

$SECURITYBIN authorizationdb read system.preferences > /tmp/system.preferences.plist
$SECURITYBIN authorizationdb read system.preferences.network > /tmp/system.preferences.network.plist

# Allow access to system wide preference panes
TARGETPLIST="/tmp/system.preferences.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\\sallow)' ]] ; then
  echo "Modifying $TARGETPLIST"
  $PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
  $PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
  $PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
  $PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
  $PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
  $PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi

# Allow access to network preference pane
TARGETPLIST="/tmp/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\\sallow)' ]] ; then
  echo "Modifying $TARGETPLIST"
  $PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
  $PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
  $PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
  $PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
  $PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
  $PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi

$SECURITYBIN authorizationdb write system.preferences < /tmp/system.preferences.plist
$SECURITYBIN authorizationdb write system.preferences.network < /tmp/system.preferences.network.plist
 

  • Contributor
  • August 23, 2023

@dancunn Your solution works in my environment! Standard users can now change network preferences. 


M4tr1xN3o
  • Contributor
  • October 5, 2023

@dancunn's solution works for us also. Thanks!


  • New Contributor
  • November 15, 2023

Worked!! Thanks!


  • New Contributor
  • November 15, 2023

Awesome, glad it's working for folks. 


  • Contributor
  • May 13, 2024


Your script works great and really doesn't ask for the admin password when trying to "forget Wi-Fi". But I'm concerned that it might give access to all system settings to a normal user. Here is your version of the script without giving access to system.preferences. It works and when I try to "forget Wi-Fi network" I still get a request for administrator rights, despite the successful result. Do I understand correctly that if I use your script completely, I will allow an ordinary user to change EVERYTHING in the system settings?

#!/bin/zsh

SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"

$SECURITYBIN authorizationdb write system.preferences.network allow
$SECURITYBIN authorizationdb write system.services.systemconfiguration.network allow
$SECURITYBIN authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

$SECURITYBIN authorizationdb read system.preferences.network > /tmp/system.preferences.network.plist

TARGETPLIST="/tmp/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
if [[ ! $ARRAY =~ '(^allow)|(\\sallow)' ]] ; then
echo "Modifying $TARGETPLIST"
$PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
$PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi

$SECURITYBIN authorizationdb write system.preferences.network < /tmp/system.preferences.network.plist

 


  • New Contributor
  • May 13, 2024


No, this will not completely open up all of System Settings for standard users to modify. For example, most of the Privacy & Security pane (Screen Recording, Accessibility, Full Disk Access, etc) will still require Admin rights to modify.


kwoodard
  • Valued Contributor
  • October 15, 2024

Anyone have a solution for Sonoma and Sequoia? 


  • Contributor
  • October 16, 2024


Solution dancunn works great for Sonoma and Sequoia


  • New Contributor
  • October 16, 2024


Yea did some additional testing this morning to confirm. Seems to still work as expected on Sequoia.


kwoodard
  • Valued Contributor
  • October 16, 2024


I saw a couple errors, but the script does work.


  • Contributor
  • March 11, 2025


Interestingly enough, I tried out the script today. Went to remove an SSID, it did remove it but then popped up the administrator prompt. I hit cancel and it stayed gone. Have you seen this?


JevermannNG
  • Valued Contributor
  • March 11, 2025


Yes, same on my site. The Admin Prompt comes up but no input required.