Skip to main content

We'd like to prevent users connecting unsecured WiFi -networks, but as this doesn't seem to be a feature (we don't want to use a whitelist / blacklist), I'm trying to find out another way to warn users, if they're using unsecured WiFi at any time.

 

Would anyone have any idea how to do the following?

 

As macOS is able to tell user this information about being connected to unsecured network (when clicking on the WiFi top bar WiFi icon), I thought perhaps this information could be checked somehow via terminal.

If it's somehow possible to check via terminal, I'd then like to send a notification to the user, stating that they're using unsecured network and they should activate our VPN (were not using macOS integrated VPN connection).

 

Jamf is able to provide a simple notification pop-up window to the user via command:

 

jamf displayMessage -message "Enter your message here"

 

 

What I'm thinking that might be possible:

- Create New Policy triggering on Network State Change  (is there anything else to remember when using this?)

- check if connected to unsecured network via terminal command script

  - if "unsecured network" = yes  -> then notify user with "jamf displayMessage" -command

 

Any ideas and help around this matter will be greatly appreciated!

 

Giving a reply to myself. After some more digging, I found a way to get such information about network status in terminal and created this script (my first ever!):

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ $airportStatus = "Off" ]; then echo elif [ $state = "scanning" ]; then echo elif [ $securityStatus = "wpa2-psk" ] || [ $securityStatus = "wpa3-sae" ]; then echo else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi
 
I created a new Policy with selections:
- Trigger: Network State Change
- Execution frequency: Ongoing
- Make available offline
 
It seems to be functioning! We're now testing it for a while with a few users.
 
Giving feedback when:
- Joined network which has other than most commonly used types WPA2-PSK or WPA3-SAE link-auth
(such as WPA, WEP or Open)
 
Not giving any feedback when:
- no network / link
- scanning networks / joining
 
Any and all suggestions to make it look or function better are welcome!

Not sure if there is a way to find the full list of network security types but my network is "ft-wpa2-psk" so I show as not being secure and get the pop up

You could try doing something like this with the WPA2 to solve my case, its looking for wpa2-psk with anything else leading or trailing.  I would also do something with your empty echos, I decided to exit the script, you could want to echo something for logging. 

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ "$airportStatus" = "Off" ]; then exit elif [ "$state" = "scanning" ]; then exit elif [[ $securityStatus == *"wpa2-psk"* ]] || [ "$securityStatus" = "wpa3-sae" ]; then exit else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi



 

Not sure if there is a way to find the full list of network security types but my network is "ft-wpa2-psk" so I show as not being secure and get the pop up

You could try doing something like this with the WPA2 to solve my case, its looking for wpa2-psk with anything else leading or trailing.  I would also do something with your empty echos, I decided to exit the script, you could want to echo something for logging. 

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ "$airportStatus" = "Off" ]; then exit elif [ "$state" = "scanning" ]; then exit elif [[ $securityStatus == *"wpa2-psk"* ]] || [ "$securityStatus" = "wpa3-sae" ]; then exit else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi



 


Thank you for these suggestions! I had no idea how to use asterisks this way and why there's a need to add another [ and ] around it, but hey, I'm learning!

I did those and then went even further and added asterisks also around WPA3, so now if it recognizes any WPA2 or WPA3 protected network, it won't give any feedback.

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ $airportStatus = "Off" ]; then exit elif [ $state = "scanning" ]; then exit elif [[ $securityStatus == *"wpa2"* ]] || [[ $securityStatus = *"wpa3"* ]]; then exit else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi

When ran in Terminal, I do get error feedback on line 7, when WiFi is on and "$airportStatus" cannot be found:

line 7: [: =: unary operator expected

 

This doesn't show up to the users, but I'd still like that command not to give such feedback if its not found. Any ideas for this?

Thank you for these suggestions! I had no idea how to use asterisks this way and why there's a need to add another [ and ] around it, but hey, I'm learning!

I did those and then went even further and added asterisks also around WPA3, so now if it recognizes any WPA2 or WPA3 protected network, it won't give any feedback.

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ $airportStatus = "Off" ]; then exit elif [ $state = "scanning" ]; then exit elif [[ $securityStatus == *"wpa2"* ]] || [[ $securityStatus = *"wpa3"* ]]; then exit else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi

When ran in Terminal, I do get error feedback on line 7, when WiFi is on and "$airportStatus" cannot be found:

line 7: [: =: unary operator expected

 

This doesn't show up to the users, but I'd still like that command not to give such feedback if its not found. Any ideas for this?


@ManOfTheNight Here it is fixed with no error

 

 

#!/bin/bash state=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/state/{print $2}' ) airportStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/AirPort/{print $2}' ) securityStatus=$( /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/link\\ auth:/{print $3}' ) if [ "$airportStatus" = "Off" ]; then exit elif [ "$state" = "scanning" ]; then exit elif [[ $securityStatus == *"wpa2"* ]] || [[ $securityStatus = *"wpa3"* ]]; then exit else sudo jamf displayMessage -message "Unsecured network in use, or network couldn't be detected correctly. Please open secure VPN connection." fi

 

 

The way I did this was by using https://www.shellcheck.net/ I pasted in the version you posted, and applied all to the fixes it reported

 

"$ shellcheck myscript
 
Line 7:
        [ $airportStatus = "Off" ];
          ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
        [ "$airportStatus" = "Off" ];
 
Line 13:
        [ $state = "scanning" ];
          ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean: (apply this, apply all SC2086)
        [ "$state" = "scanning" ];
"

 

 

Terms & ConditionsCookie settingsAccessibility statement