Add Wifi Networks without Admin Privileges

Chuey
Contributor III

Hello,

Currently our staff have admin privileges on our Mac OS X Machines. We would like to take this away and make them a standard user. The only thing preventing us from doing so is adding Wifi Networks either at work or home.

Does anyone know a way we can give permission to add wifi networks to a standard user without admin privileges? Any help is much appreciated. We are typically an OS X 10.10.X or 10.11.X environment.

Thanks in advance

2 ACCEPTED SOLUTIONS

AVmcclint
Honored Contributor

They should be able to do this by default. All our users are non-admins and they connect to other wifi networks all the time. Open hotspots as well as those requiring passwords. The one thing that DOES require admin rights is to delete unwanted SSIDs from the list.

Chuey
Contributor III

Thanks @AVmcclint, you're right. Under System Prefs > Network > Advanced there are 3 options to either require admin privileges or not, which are disabled by default.

We found how to toggle these settings with this command; depending on the model of MacBook you use, it may be en0 or en1:

/usr/libexec/airportd en0 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=Yes RequireAdminPowerToggle=Yes

YES will require admin and NO will not require admin.

Thanks for helping clarify this and hopefully this will help anyone else out there who wants to enable/disable people from changing their wifi network.

13 REPLIES

bpavlov
Honored Contributor

This is a little bit more than you asked for but here you go:

Set access to System Preferences Panes
/usr/bin/security authorizationdb write system.preferences allow

For date/time

/usr/bin/security authorizationdb write system.preferences.datetime allow

For networking

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

These unlock the preferences. But

/usr/bin/security authorizationdb remove system.preferences.network
/usr/bin/security authorizationdb remove system.services.systemconfiguration.network

do not lock them again. What's wrong there? Even rebooting did not reset the access.

roodavis
New Contributor II

Is there a downside to making this change to the Network preference pane? Anything I should be aware of or use cautiously?

jel888
New Contributor

Thanks! This little issue had been bugging me for a while and simply checking off the items as you show in System Preferences > Network > Advanced (Big Sur) worked.

agakhan_admin
New Contributor II

Hi AVmcclint

I am aware that this is an old blog, but when I pushed the scripts on my user MacBook through Jamf, they can access network options easily, but, as you mentioned, removing unwanted SSIDs prompts for the admin password. I can delete them but it still prompts. Do you know how to remove that option from coming? Although when I ignore the prompt by clicking cancel, the SSID is removed, it is a little inconvenient to have the prompt.

LeFLO
New Contributor II

@agakhan_admin did you find a solution? With Big Sur, I've the same issue.
Regards

Franck

agakhan_admin
New Contributor II

@LeFLO Hi There - No, haven't found.

G_M__webkfoe_
New Contributor III

On Big Sur we can't go into the "Advanced" option of the Network preferences and make any edit (like trying to enable/disable the autojoin on any wifi), as, as soon as you hit the "OK" button, you get prompted for admin credentials.

Anyone having a solution to this..?

G_M__webkfoe_
New Contributor III

Thanks to @LM from the MacAdmins slack channel I've been able to find a solution.

Adding the following piece of code will do the trick:

sudo security authorizationdb write com.apple.wifi allow

BUT, unfortunately you will have to re-apply it every time the device is restarted.

The easiest way for those who are not willing to create "special" automations would be to create a policy which will run with an ongoing frequency, at every startup trigger, making sure to make the policy available offline (cache it).

kylejordan09
New Contributor II

This works in Big Sur & Monterey. Thanks!

wifichallenges
Contributor II

Thank you for this.

I wanted to allow STAFF computers only access to change the wireless networks as a limited user. Main reason is that the new MacBooks appear to not be able to join 802.1x in a good fashion. You have to accept the certificate, but while you are clicking trust, the credentials on the first login window appear to time out. So you can never actually log in, and our staff wireless network is then added in this broken state. The only way I seem to be able to add a network these days is to add it from the "Advanced" window, which was locked (admin authentication) until I ran the following settings by script policy:

/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

Simply created a policy to run once on all the staff machines to allow this. Then people can add and remove their own networks as they please.
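
Added example, not code from any poster in this thread: a script that reads back the rights the posts above set to `allow`, so you can see exactly which ones are open to every user on a machine, and that re-applies `com.apple.wifi` only when it has reverted (the startup-policy case described above). The function names and the `SECURITY_BIN` override are hypothetical, and the parser assumes `security authorizationdb read` prints the right as an XML plist with a `rule` array or a `class` string.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root, e.g. from a Jamf policy.
# SECURITY_BIN is overridable so the functions can be exercised off a Mac.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"

# Rights that posts in this thread set to "allow".
RIGHTS="system.preferences system.preferences.network \
system.services.systemconfiguration.network com.apple.wifi"

# Print a right's rule list (e.g. "allow"), or "class:<value>" when it has
# no rule array, or "missing" when the right cannot be read.
right_rule() {
    plist=$("$SECURITY_BIN" authorizationdb read "$1" 2>/dev/null) ||
        { echo missing; return; }
    printf '%s\n' "$plist" | awk '
        /<key>rule<\/key>/     { in_rule = 1; next }
        /<key>class<\/key>/    { in_class = 1; next }
        in_rule && /<\/array>/ { in_rule = 0 }
        in_rule && /<string>/  { gsub(/.*<string>|<\/string>.*/, "")
                                 rules = rules (rules ? "," : "") $0 }
        in_class && /<string>/ { gsub(/.*<string>|<\/string>.*/, "")
                                 class = $0; in_class = 0 }
        END { if (rules != "") print rules
              else if (class != "") print "class:" class
              else print "unknown" }'
}

# List the audited rights that any user gets without authenticating.
open_rights() {
    for r in $RIGHTS; do
        [ "$(right_rule "$r")" = "allow" ] && echo "$r"
    done
    return 0
}

# Startup policy body: write the Wi-Fi right only if it is not "allow" now.
ensure_wifi_allow() {
    [ "$(right_rule com.apple.wifi)" = "allow" ] && return 0
    "$SECURITY_BIN" authorizationdb write com.apple.wifi allow
}

# Stand-alone run: report the open rights when the tool is present.
if [ -x "$SECURITY_BIN" ]; then
    open_rights
fi
```
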