Posted on 09-13-2022 08:37 AM
We set our users to be Standard users on their Macs, and which prevents them from being able to delete Wi-Fi SSIDs. Sometimes, we've needed to allow them to do so, so we have a script in Self Service that will delete a known SSID when run.
#!/bin/sh
## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
## Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort "NAMEOFTHESSID" 2>/dev/null
But we've run into a situation where a work-from-home user wants to delete an SSID from their home network, etc. I was wondering if there's a way to a have a script that would allow the user to choose from existing "preferred wireless networks" SSIDs and choose which one to delete? That way, we could just have one "Remove Wi-Fi Networks" item in Self Service, and users could remove whichever one they want.
Solved! Go to Solution.
Posted on 09-13-2022 08:58 AM
You can actually allow standard users to edit the wi-fi list themselves without using Self Service. If you make a change to the authorizationdb using the security binary, they can delete SSIDs themselves. These are the commands:
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow
This was provided in this JN post:
Posted on 09-13-2022 08:58 AM
You can actually allow standard users to edit the wi-fi list themselves without using Self Service. If you make a change to the authorizationdb using the security binary, they can delete SSIDs themselves. These are the commands:
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow
This was provided in this JN post:
Posted on 02-07-2023 11:24 AM
Thanks for this. Do you know how to reverse this? Just change everything from allow to deny?
09-13-2022 10:16 AM - edited 09-13-2022 10:26 AM
Steve, that almost works: it unlocks the networking pane, but it seems it still requires admin credentials to remove the Wi-Fi network. A Self Service script with a prompt/dropdown list would be run as an admin through Jamf. It does work, needed the
/usr/bin/security authorizationdb write com.apple.wifi allow
line. Thanks!
Posted on 10-26-2022 10:55 PM
Steps to "Allow Standard User to remove Wi-Fi networks with prompt"
(i). Click the Start button. in the bottom left corner of the screen.
(ii). Type "network and" and select Network and Sharing Center from the search result.
(iii). Select Manage wireless networks.
(iv). Select the Wi-Fi profile you want to delete then select the Remove button.
(v). Select Yes to confirm.
Posted on 06-02-2023 12:50 AM
Anyone has a solution for MacOS Ventura? After I I performed below users are able to delete WiFi networks but they still get a prompt to fill in admin credentials. (Which is not required to remove the wifi network)
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow
Posted on 07-31-2023 09:09 AM
same experience here @Joostvantwout. on ventura, removes the network, but still gives the credential prompt and requires you to hit Cancel to get rid of the prompt because it wont accept creds since its looking for admin. im going to submit a case to jamf and see if they are able to provide any insight into doing this on ventura without getting the prompt.
Posted on 08-16-2023 11:13 AM
Getting the same thing here. macOS 13.x
Posted on 08-16-2023 12:42 PM
hey everyone, think ive got a solution to the ventura issue. jamf support pointed me to this discussion: https:/macadmins.slack.com/archives/C04QVP86E/p1672865513668839.
combining that with the discussion on this thread, i was able to cobble together this script which seems to work well for allowing users to modify network settings with no prompts for creds. let me know if you folks have any luck with it or not.
#!/bin/zsh
# Variables
SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"
/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO
$SECURITYBIN authorizationdb read system.preferences > /tmp/system.preferences.plist
$SECURITYBIN authorizationdb read system.preferences.network > /tmp/system.preferences.network.plist
# Allow access to system wide preference panes
TARGETPLIST="/tmp/system.preferences.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
echo "Modifying $TARGETPLIST"
$PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
$PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi
# Allow access to network preference pane
TARGETPLIST="/tmp/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
echo "Modifying $TARGETPLIST"
$PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
$PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi
$SECURITYBIN authorizationdb write system.preferences < /tmp/system.preferences.plist
$SECURITYBIN authorizationdb write system.preferences.network < /tmp/system.preferences.network.plist
Posted on 11-15-2023 03:03 PM
Worked!! Thanks!
Posted on 05-13-2024 07:59 AM
Your script works great and really doesn't ask for the admin password when trying to "forget Wi-Fi". But I'm concerned that it might give access to all system settings to a normal user. Here is your version of the script without giving access to system.preferences. It works and when I try to "forget Wi-Fi network" I still get a request for administrator rights, despite the successful result. Do I understand correctly that if I use your script completely, I will allow an ordinary user to change EVERYTHING in the system settings?
#!/bin/zsh
SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"
$SECURITYBIN authorizationdb write system.preferences.network allow
$SECURITYBIN authorizationdb write system.services.systemconfiguration.network allow
$SECURITYBIN authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO
$SECURITYBIN authorizationdb read system.preferences.network > /tmp/system.preferences.network.plist
TARGETPLIST="/tmp/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" $TARGETPLIST | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
echo "Modifying $TARGETPLIST"
$PLISTBUDDYBIN -c "set :class rule" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule array" $TARGETPLIST
$PLISTBUDDYBIN -c "add :rule: string allow" $TARGETPLIST
$PLISTBUDDYBIN -c "set :shared true" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :authenticate-user" $TARGETPLIST
$PLISTBUDDYBIN -c "delete :group" $TARGETPLIST
fi
$SECURITYBIN authorizationdb write system.preferences.network < /tmp/system.preferences.network.plist
Posted on 05-13-2024 02:30 PM
No, this will not completely open up all of System Settings for standard users to modify. For example, most of the Privacy & Security pane (Screen Recording, Accessability, Full Disk Access, etc) will still require Admin rights to modify.
Posted on 08-23-2023 11:37 AM
@dancunn Your solution works in my environment! Standard users can now change network preferences.
Posted on 10-05-2023 04:44 AM
@dancunn's solution works for us also. Thanks!
Posted on 11-15-2023 03:28 PM
Awesome, glad it's working for folks.
Posted on 10-15-2024 03:53 PM
Anyone have a solution for Sonoma and Sequoia?
Posted on 10-15-2024 11:31 PM
Solution dancunn works great for Sonoma and Sequoia
Posted on 10-16-2024 11:09 AM
Yea did some additional testing this morning to confirm. Seems to still work as expected on Sequioa.
Posted on 10-16-2024 11:25 AM
I saw a couple errors, but the script does work.