Help

Add Wifi Networks without Admin Privileges

Go to solution
Chuey
Contributor III

Posted on ‎03-02-2016 09:42 AM

Hello,

Currently our staff have admin privileges on our Mac OS X Machines. We would like to take this away and make them a standard user. The only thing preventing us from doing so is adding Wifi Networks either at work or home.

Does anyone know a way we can give permission to add wifi networks to a standard user without admin privileges? Any help is much appreciated. We are typically a OS X 10.10.X or 10.11.X environment.

Thanks in advance

0 Kudos
Reply
2 ACCEPTED SOLUTIONS

Go to solution
AVmcclint
Honored Contributor

Posted on ‎03-02-2016 09:48 AM

They should be able to do this by default. All our users are non-admins and they connect to other wifi networks all the time. Open hotspots as well as those requiring passwords. The one thing that DOES require admin rights is to delete unwanted SSIDs from the list.

View solution in original post

Reply

Go to solution
Chuey
Contributor III

Posted on ‎03-03-2016 06:32 AM

Thanks @AVmcclint you're right. Under System Prefs > Network > Advanced > there are 3 options to either require admin privileges or not which is disabled by default.

1cbd925882fe4382bfb7008d113a800f

We found how to toggle these settings with this command and depending on the model of Macbook you use it may be en0 or en1:

/usr/libexec/airportd en0 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=Yes RequireAdminPowerToggle=Yes

YES will require admin and NO will not require admin.

Thanks for helping clarify this and hopefully this will help anyone else out there who wants to enable/disable people from changing their wifi network.

View solution in original post

Reply
13 REPLIES 13

Go to solution
bpavlov
Honored Contributor

Posted on ‎03-02-2016 09:47 AM

This is a little bit more than you asked for but here you go:

Set access to System Preferences Panes
/usr/bin/security authorizationdb write system.preferences allow

For date/time

/usr/bin/security authorizationdb write system.preferences.datetime allow

For networking

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a 'Domain Users' -t group lpadmin

0 Kudos
Reply

Go to solution
opus-nbo
New Contributor
In response to bpavlov

‎03-18-2022 05:43 AM - edited ‎03-18-2022 05:46 AM 

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

These unlock the preferences. But

/usr/bin/security authorizationdb remove system.preferences.network
/usr/bin/security authorizationdb remove system.services.systemconfiguration.network

do not lock them again. Whats wrong there? Even rebooting did not reset the access.

0 Kudos
Reply

Go to solution
roodavis
New Contributor II
In response to bpavlov

Posted on ‎11-30-2022 05:46 PM

Is there a downside to making this change to the Network preference pane? Anything I should be aware of or use cautiously?

0 Kudos
Reply

Go to solution
AVmcclint
Honored Contributor

Posted on ‎03-02-2016 09:48 AM

They should be able to do this by default. All our users are non-admins and they connect to other wifi networks all the time. Open hotspots as well as those requiring passwords. The one thing that DOES require admin rights is to delete unwanted SSIDs from the list.

Reply

Go to solution
Chuey
Contributor III

Posted on ‎03-03-2016 06:32 AM

Thanks @AVmcclint you're right. Under System Prefs > Network > Advanced > there are 3 options to either require admin privileges or not which is disabled by default.

1cbd925882fe4382bfb7008d113a800f

We found how to toggle these settings with this command and depending on the model of Macbook you use it may be en0 or en1:

/usr/libexec/airportd en0 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=Yes RequireAdminPowerToggle=Yes

YES will require admin and NO will not require admin.

Thanks for helping clarify this and hopefully this will help anyone else out there who wants to enable/disable people from changing their wifi network.

Reply

Go to solution
jel888
New Contributor
In response to Chuey

Posted on ‎09-11-2023 12:48 AM

Thanks! This little issue had been bugging me for awhile and simply checking off the items as you show in System Preferences > Network > Advanced ( Big Sur ) worked.

0 Kudos
Reply

Go to solution
agakhan_admin
New Contributor II

Posted on ‎03-02-2020 02:23 AM

HI AVmcclint

I am aware that this is old blog , but when I pushed the scripts on my user MacBook through Jamf, They can access network options easily but , as you mentioned, that Removing Unwanted SSID's prompts admin password. I can delete them but it still prompts. Do you know how to remove that option from coming? Although when I ignore the prompt by clicking cancel, the SSID is though removed but it is little un convenient to have the prompt

Reply

Go to solution
LeFLO
New Contributor II

Posted on ‎05-11-2021 07:55 AM

@agakhan_admin did you find a solution ? With Big Sur, I've the same issue.
Regards

Franck

0 Kudos
Reply

Go to solution
agakhan_admin
New Contributor II

Posted on ‎05-24-2021 05:23 AM

@LeFLO Hi There - No, haven't found.

0 Kudos
Reply

Go to solution
G_M__webkfoe_
New Contributor III

Posted on ‎10-07-2021 06:41 AM

On Big Sure we can't go into the "Advanced" option of the Network preferences and make any edit (like trying to enable/disable the autojoin on any wifi), as as soon as you hit the "OK" button you get prompted for admin credentials.

 

Anyone having a solution to this..?

0 Kudos
Reply

Go to solution
G_M__webkfoe_
New Contributor III

Posted on ‎10-07-2021 08:29 AM

Thanks to @LM from the MacAdmins slack channel I've been able to find a solution.

 

adding the following piece of code will do the trick:

 

sudo security authorizationdb write com.apple.wifi allow

 

BUT, unfortunately you will have to re-apply it every time the device is restarted.

The easiest way for those who are not willing to create "special" automations, would be to create a policy which will run with an ongoing frequency, at every startup trigger, making sure to make the policy available offline (cache it).

 

 

Reply

Go to solution
kylejordan09
New Contributor II

Posted on ‎01-13-2022 04:28 PM

This works in Big Sur & Monterey. thanks!

0 Kudos
Reply

Go to solution
wifichallenges
Contributor II

Posted on ‎06-24-2022 02:08 PM

Thank you for this.

I wanted to allow STAFF computers only access to change the wireless networks as a limited user. Main reason is that the new macbooks appear to not be able to join 802.1x in a good fashion. You have to accept the certificate, but while you are clicking trust, the credentials on the first login window appear to timeout. So you can never actually log in, and our staff wireless network is then added in this broken state. The only way i seem to be able to add a network these days is to add it from the "Advanced" window which was locked (admin authentication) until i ran the following settings by script policy:

 

/usr/bin/security authorizationdb write system.preferences allow
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

Simply created a policy to run once on all the staff machines to allow this. Then people can add and remove their own networks as they please.

0 Kudos
Reply