Allow Standard User to remove Wi-Fi networks with prompt

DouglasWard-IA
New Contributor III

We set our users to be Standard users on their Macs, which prevents them from being able to delete Wi-Fi SSIDs. Sometimes, we've needed to allow them to do so, so we have a script in Self Service that will delete a known SSID when run.

#!/bin/sh

## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

## Remove the SSID if it's present (errors for a missing SSID are discarded)
networksetup -removepreferredwirelessnetwork "$WirelessPort" "NAMEOFTHESSID" 2>/dev/null

But we've run into a situation where a work-from-home user wants to delete an SSID from their home network, etc. I was wondering if there's a way to have a script that would allow the user to choose from existing "preferred wireless networks" SSIDs and choose which one to delete? That way, we could just have one "Remove Wi-Fi Networks" item in Self Service, and users could remove whichever one they want.

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

You can actually allow standard users to edit the wi-fi list themselves without using Self Service. If you make a change to the authorizationdb using the security binary, they can delete SSIDs themselves. These are the commands:

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

/usr/bin/security authorizationdb write com.apple.wifi allow

This was provided in this JN post:

https://community.jamf.com/t5/jamf-pro/changing-preferred-wifi-networks-without-admin-rights/m-p/139...


18 REPLIES

JayKay27
New Contributor II

Thanks for this. Do you know how to reverse this? Just change everything from allow to deny?
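
For the question above about reversing the change, an added example (not from the thread or from Jamf): save each right's definition with `authorizationdb read` before writing `allow`, then feed the saved plist back to `authorizationdb write` to undo it. The backup directory and the `SECURITY` override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: back up the three rights before relaxing
# them, and write the saved definitions back to undo the change.
SECURITY="${SECURITY:-/usr/bin/security}"           # override is an assumption
BACKUP_DIR="${BACKUP_DIR:-/var/db/authdb-backup}"   # hypothetical location
RIGHTS="system.preferences.network system.services.systemconfiguration.network com.apple.wifi"
umask 077   # backups are readable by root only

# Save each right's current definition. An existing backup is never overwritten,
# so a second run after the change cannot replace the original with "allow".
backup_rights() {
    mkdir -p "$BACKUP_DIR" || return 1
    for right in $RIGHTS; do
        out="$BACKUP_DIR/$right.plist"
        if [ -s "$out" ]; then continue; fi
        if ! "$SECURITY" authorizationdb read "$right" > "$out.tmp" 2>/dev/null; then
            rm -f "$out.tmp"
            echo "cannot read $right; nothing saved for it" >&2
            return 1
        fi
        mv "$out.tmp" "$out"
    done
}

# Write every saved definition back; with no rule name given,
# "authorizationdb write" reads the plist dictionary from stdin.
restore_rights() {
    for right in $RIGHTS; do
        saved="$BACKUP_DIR/$right.plist"
        if [ ! -s "$saved" ]; then
            echo "no backup for $right" >&2
            return 1
        fi
        "$SECURITY" authorizationdb write "$right" < "$saved" >/dev/null 2>&1 || return 1
    done
}

case "${1:-}" in
    backup)  backup_rights ;;
    restore) restore_rights ;;
esac
```

Run it with `backup` as root before applying the `allow` commands and with `restore` to undo them; writing `deny` instead would refuse these rights to every account, administrators included.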

DouglasWard-IA
New Contributor III

Steve, that almost works: it unlocks the networking pane, but it seems it still requires admin credentials to remove the Wi-Fi network. A Self Service script with a prompt/dropdown list would be run as an admin through Jamf. It does work, needed the 

/usr/bin/security authorizationdb write com.apple.wifi allow

line. Thanks!

markanderson
New Contributor II

Steps to "Allow Standard User to remove Wi-Fi networks with prompt"

(i). Click the Start button in the bottom left corner of the screen.
(ii). Type "network and" and select Network and Sharing Center from the search result.
(iii). Select Manage wireless networks.
(iv). Select the Wi-Fi profile you want to delete then select the Remove button.
(v). Select Yes to confirm.

Joostvantwout
New Contributor III

Does anyone have a solution for macOS Ventura? After I performed the commands below, users are able to delete Wi-Fi networks, but they still get a prompt to fill in admin credentials (which is not required to remove the Wi-Fi network).

/usr/bin/security authorizationdb write system.preferences.network allow

/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

/usr/bin/security authorizationdb write com.apple.wifi allow

Same experience here @Joostvantwout. On Ventura, it removes the network, but still gives the credential prompt and requires you to hit Cancel to get rid of the prompt because it won't accept creds since it's looking for admin. I'm going to submit a case to Jamf and see if they are able to provide any insight into doing this on Ventura without getting the prompt.

Getting the same thing here. macOS 13.x

dancunn
New Contributor II

Hey everyone, think I've got a solution to the Ventura issue. Jamf support pointed me to this discussion: https://macadmins.slack.com/archives/C04QVP86E/p1672865513668839.

Combining that with the discussion on this thread, I was able to cobble together this script which seems to work well for allowing users to modify network settings with no prompts for creds. Let me know if you folks have any luck with it or not.

#!/bin/zsh

#	Variables
SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"

#	Work in a private mktemp directory rather than fixed file names in /tmp:
#	the script runs as root and writes these files back into the authorization database
WORKDIR=$(/usr/bin/mktemp -d /tmp/authdb.XXXXXX) || exit 1
trap '/bin/rm -rf "$WORKDIR"' EXIT

#	Let any user change network and Wi-Fi settings
$SECURITYBIN authorizationdb write system.preferences.network allow
$SECURITYBIN authorizationdb write system.services.systemconfiguration.network allow
$SECURITYBIN authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

#	Export the current definitions of the two preference rights
$SECURITYBIN authorizationdb read system.preferences > "$WORKDIR/system.preferences.plist"
$SECURITYBIN authorizationdb read system.preferences.network > "$WORKDIR/system.preferences.network.plist"

#	Allow access to system wide preference panes
TARGETPLIST="$WORKDIR/system.preferences.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" "$TARGETPLIST" | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
	echo "Modifying $TARGETPLIST"
	$PLISTBUDDYBIN -c "set :class rule" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule array" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule: string allow" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "set :shared true" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :authenticate-user" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :group" "$TARGETPLIST"
fi

#	Allow access to network preference pane
TARGETPLIST="$WORKDIR/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" "$TARGETPLIST" | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
#echo $ARRAY
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
	echo "Modifying $TARGETPLIST"
	$PLISTBUDDYBIN -c "set :class rule" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule array" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule: string allow" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "set :shared true" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :authenticate-user" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :group" "$TARGETPLIST"
fi

#	Write the edited definitions back into the authorization database
$SECURITYBIN authorizationdb write system.preferences < "$WORKDIR/system.preferences.plist"
$SECURITYBIN authorizationdb write system.preferences.network < "$WORKDIR/system.preferences.network.plist"
 

Worked!! Thanks!

liubkkkk0
New Contributor II

Your script works great and really doesn't ask for the admin password when trying to "forget Wi-Fi". But I'm concerned that it might give access to all system settings to a normal user. Here is your version of the script without giving access to system.preferences. It works and when I try to "forget Wi-Fi network" I still get a request for administrator rights, despite the successful result. Do I understand correctly that if I use your script completely, I will allow an ordinary user to change EVERYTHING in the system settings?

#!/bin/zsh

SECURITYBIN="/usr/bin/security"
PLISTBUDDYBIN="/usr/libexec/PlistBuddy"

#	Work in a private mktemp directory rather than a fixed file name in /tmp,
#	since the script runs as root
WORKDIR=$(/usr/bin/mktemp -d /tmp/authdb.XXXXXX) || exit 1
trap '/bin/rm -rf "$WORKDIR"' EXIT

#	Let any user change network and Wi-Fi settings
$SECURITYBIN authorizationdb write system.preferences.network allow
$SECURITYBIN authorizationdb write system.services.systemconfiguration.network allow
$SECURITYBIN authorizationdb write com.apple.wifi allow
/usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO

#	Only the network pane right is exported and edited; system.preferences is left alone
$SECURITYBIN authorizationdb read system.preferences.network > "$WORKDIR/system.preferences.network.plist"

TARGETPLIST="$WORKDIR/system.preferences.network.plist"
ARRAY=($($PLISTBUDDYBIN -c "print :rule" "$TARGETPLIST" | sed -e 's/^Array {//' | sed -e 's/}//' | xargs ))
if [[ ! $ARRAY =~ '(^allow)|(\sallow)' ]] ; then
	echo "Modifying $TARGETPLIST"
	$PLISTBUDDYBIN -c "set :class rule" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule array" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "add :rule: string allow" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "set :shared true" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :authenticate-user" "$TARGETPLIST"
	$PLISTBUDDYBIN -c "delete :group" "$TARGETPLIST"
fi

$SECURITYBIN authorizationdb write system.preferences.network < "$WORKDIR/system.preferences.network.plist"

 

dancunn
New Contributor II

No, this will not completely open up all of System Settings for standard users to modify. For example, most of the Privacy & Security pane (Screen Recording, Accessibility, Full Disk Access, etc) will still require Admin rights to modify.
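
To check on a given Mac which of the rights touched by the scripts in this thread currently resolve to `allow`, the following audit is an added example, not code from the thread. The `SECURITY` override and the function names are assumptions, and the classifier only looks for a literal `allow` in the right's `class` or `rule` entries without following references to other named rules.

```shell
#!/bin/sh
# Added example, not from the thread: report which rights are open to any user.
SECURITY="${SECURITY:-/usr/bin/security}"   # override is an assumption
AUDIT_RIGHTS="system.preferences system.preferences.network system.services.systemconfiguration.network com.apple.wifi"

# Reads one right's plist (as printed by "authorizationdb read") on stdin and
# prints "open" when its class is "allow" or its rule array contains "allow".
# An "allow" string under any other key (comment, group, ...) is ignored.
classify_right() {
    awk '
        /<key>/ { key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key); next }
        /<string>allow<\/string>/ && (key == "class" || key == "rule") { is_open = 1 }
        END { print (is_open ? "open" : "restricted") }
    '
}

# Prints one "right<TAB>state" line per right; "unreadable" means the read
# failed, for example because the right does not exist on this macOS version.
audit_rights() {
    for right in $AUDIT_RIGHTS; do
        if plist=$("$SECURITY" authorizationdb read "$right" 2>/dev/null); then
            state=$(printf '%s\n' "$plist" | classify_right)
        else
            state="unreadable"
        fi
        printf '%s\t%s\n' "$right" "$state"
    done
}

case "${1:-}" in
    audit) audit_rights ;;
esac
```

After the first script above, `system.preferences` is expected to report `open`; after the reduced version that leaves it untouched, it should stay `restricted`.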

bcrockett
Contributor III

@dancunn Your solution works in my environment! Standard users can now change network preferences. 

M4tr1xN3o
New Contributor II

@dancunn's solution works for us also. Thanks!

dancunn
New Contributor II

Awesome, glad it's working for folks. 

kwoodard
Valued Contributor

Anyone have a solution for Sonoma and Sequoia? 

liubkkkk0
New Contributor II

dancunn's solution works great for Sonoma and Sequoia

dancunn
New Contributor II

Yeah, did some additional testing this morning to confirm. Seems to still work as expected on Sequoia.

kwoodard
Valued Contributor

I saw a couple errors, but the script does work.