Allow Standard Users to Remove Preferred WiFi Networks

schwartzb
New Contributor III

We have a fairly new deployment of Macs and our users are all standard users.

On our previous Windows laptops, standard users were able to remove any "remembered" networks. This doesn't seem to be the case for our new Mac laptops.

I've tried enabling the Network preference pane using scripts provided by other users on the forums that use the authorizationdb command. And while it does unlock the Network preference pane, it still prompts for admin creds when you apply the changes.

How do you handle your users needing to remove old preferred networks?

5 REPLIES

joshuasee
Contributor III

Are you calling airportd in addition to the authorizationdb mods? It's been a few major OS releases since I've had cause (complaints) to look into this, but here are the commands I've been using to let non-admins change network settings:

/usr/bin/security authorizationdb write system.preferences.network allow;
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow;
/usr/libexec/airportd $(/usr/sbin/networksetup -listnetworkserviceorder | /usr/bin/sed -n 's/)//g;s/.*.Wi-Fi,.Device:.//p') prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No

RequireAdminIBSS=Yes will prevent non-admins from creating ad hoc networks.

While I understand this is not exactly what you are asking, and it assumes the network port, perhaps this might work for what you need to accomplish:

 

#!/bin/bash

#Remove Old Networks
networksetup  -removepreferredwirelessnetwork en0 Guest
networksetup  -removepreferredwirelessnetwork en0 xfinitywifi
networksetup  -removepreferredwirelessnetwork en0 Starbucks
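
Added example, not part of any post in this thread: a variant of the script above that looks up the Wi-Fi device instead of assuming en0, and goes beyond the fixed list by removing every preferred network that is not on a keep-list. The SSIDs in KEEP_SSIDS, the function names and the APPLY variable are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). Run as root, e.g. from a management policy.
# KEEP_SSIDS holds constructed placeholder names, one SSID per line.
KEEP_SSIDS='CorpWiFi
CorpGuest'

# Reads `networksetup -listallhardwareports` output on stdin and prints the
# device of the Wi-Fi port (en0 on some models, en1 on others).
wifi_device() {
  awk -F': ' '/^Hardware Port: (Wi-Fi|AirPort)$/ { hit = 1; next }
              hit && /^Device: /                 { print $2; exit }'
}

# Reads `networksetup -listpreferredwirelessnetworks <dev>` output on stdin
# (one header line, then one indented SSID per line) and prints every SSID
# that is not an exact match for a line in KEEP_SSIDS.
ssids_to_remove() {
  sed -e '1d' -e 's/^[[:space:]]*//' -e '/^$/d' | while IFS= read -r ssid; do
    if ! printf '%s\n' "$KEEP_SSIDS" | grep -Fxq -- "$ssid"; then
      printf '%s\n' "$ssid"
    fi
  done
}

# Dry run by default; set APPLY=1 to actually remove the networks.
# The guard skips this part on systems without networksetup.
if command -v networksetup >/dev/null 2>&1; then
  dev=$(networksetup -listallhardwareports | wifi_device)
  [ -n "$dev" ] || { echo "No Wi-Fi hardware port found" >&2; exit 1; }
  networksetup -listpreferredwirelessnetworks "$dev" | ssids_to_remove |
  while IFS= read -r ssid; do
    if [ "${APPLY:-0}" = 1 ]; then
      networksetup -removepreferredwirelessnetwork "$dev" "$ssid" </dev/null
    else
      echo "would remove: $ssid from $dev"
    fi
  done
fi
```

Because the keep-list is matched as whole lines, an SSID such as Guest is still removed when only CorpGuest is listed, and SSIDs containing spaces are handled as single names.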

 



schwartzb
New Contributor III

Thanks for this!

I've had lines one and two in my script, but the third line is new.

I just tried to run this through a policy, but I'm still getting an admin prompt when applying the changes. But, when I run this manually through terminal, everything works as intended.

Any ideas?

joshuasee
Contributor III

Check that something isn't getting munged by looking at the logs for the policy in the management UI or using jamf policy -verbose -id ##. Alternately, see if a simplified version does the trick:

 

# for machines without built-in ethernet
/usr/libexec/airportd en0 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No

# for machines with built-in ethernet
/usr/libexec/airportd en1 prefs RequireAdminIBSS=Yes RequireAdminNetworkChange=No RequireAdminPowerToggle=No

Also, to confirm, I take it you just want users to be able to add and remove known Wi-Fi networks, not locations or interfaces?

schwartzb
New Contributor III

According to Jamf, the script is running successfully.


I swapped out the last line for the simplified version, but I'm still getting the same result.

I'm looking to just allow my users the ability to remove known Wi-Fi networks only. If they accidentally click on our guest network, or connect to a network at another location and want to remove it later, they can then remove it.

The output is only giving me YES (0) results for the authorizationdb lines. Should I be getting feedback about the third line that calls airportd?