We have a fairly new deployment of Macs and our users are all standard users.
On our previous Windows laptops, standard users were able to remove any "remembered" networks. This doesn't seem to be the case for our new Mac laptops.
I've tried enabling the Network preference pane using scripts provided by other users on the forums that use the authorizationdb command. And while it does unlock the Network preference pane, it still prompts for admin creds when you apply the changes.
How do you handle your users needing to remove old preferred networks?
Are you calling airportd in addition to the authorizationdb mods? It's been a few major OS releases since I've had cause (complaints) to look into this, but here are the commands I've been using to let non-admins change network settings:
/usr/bin/security authorizationdb write system.preferences.network allow;
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow;
/usr/libexec/airportd $(/usr/sbin/networksetup -listnetworkserviceorder | /usr/bin/sed -n 's/)//g;s/.*.Wi-Fi,.Device:.//p') prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No
RequireAdminIBSS=Yes will prevent non-admins from creating ad hoc networks.
While I understand this is not exactly what you are asking, and it assumes the network port, perhaps this might work for what you need to accomplish:
#!/bin/bash
#Remove Old Networks
networksetup -removepreferredwirelessnetwork en0 Guest
networksetup -removepreferredwirelessnetwork en0 xfinitywifi
networksetup -removepreferredwirelessnetwork en0 Starbucks
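Added example, not part of any post in this thread: a variant of the removal script above that looks up the Wi-Fi device instead of assuming en0 and removes only the SSIDs that are actually in the preferred list. The function names and the sample output are constructed for illustration; it assumes the script runs as root, as a Jamf policy script does.

```shell
#!/bin/bash
# Added example: find the Wi-Fi device instead of assuming en0, then remove
# only the unwanted SSIDs that are actually in the preferred list.

# SSIDs named in the post above, one per line.
UNWANTED_SSIDS="Guest
xfinitywifi
Starbucks"

# stdin: `networksetup -listallhardwareports` output; prints the Wi-Fi device.
wifi_device() {
    awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { found = 1; next }
         found && /^Device: / { print $2; exit }'
}

# stdin: `networksetup -listpreferredwirelessnetworks <dev>` output.
# $1: newline-separated SSIDs. Prints the SSIDs present in both.
ssids_to_remove() {
    # Drop the header line, strip the indent, keep exact whole-line matches.
    sed -e '1d' -e 's/^[[:space:]]*//' | grep -Fx -e "$1" || true
}

remove_unwanted() {
    dev=$(networksetup -listallhardwareports | wifi_device)
    [ -n "$dev" ] || { echo "No Wi-Fi hardware port found" >&2; return 1; }
    networksetup -listpreferredwirelessnetworks "$dev" |
        ssids_to_remove "$UNWANTED_SSIDS" |
        while IFS= read -r ssid; do
            echo "Removing '$ssid' from $dev"
            networksetup -removepreferredwirelessnetwork "$dev" "$ssid"
        done
}

if command -v networksetup >/dev/null 2>&1; then
    remove_unwanted
else
    # Not a Mac: show the parsing on constructed sample output.
    printf 'Hardware Port: Ethernet\nDevice: en0\n\nHardware Port: Wi-Fi\nDevice: en1\n' | wifi_device
    printf 'Preferred networks on en1:\n\tCorpNet\n\tGuest\n' | ssids_to_remove "$UNWANTED_SSIDS"
fi
```

Because the SSID match is exact and whole-line, a corporate network whose name merely contains "Guest" is left in place.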
Check that something isn't getting munged by looking at the logs for the policy in the management UI or using jamf policy -verbose -id ## . Alternately, see if a simplified version does the trick:
# for machines without built-in ethernet
/usr/libexec/airportd en0 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No
# for machines with built-in ethernet
/usr/libexec/airportd en1 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No
Also, to confirm, I take it you just want users to be able to add and remove known Wi-Fi networks, not locations or interfaces?
According to Jamf, the script is running successfully.
I swapped out the last line for the simplified version, but I'm still getting the same result.
I'm looking to just allow my users the ability to remove known Wi-Fi networks only. If they accidentally click on our guest network, or connect to a network at another location and want to remove it later, they can then remove it.
The output is only giving me YES (0) results for the authorizationdb lines. Should I be getting feedback about the third line that calls airportd?