Block public wi-fi networks

mikevos
New Contributor III

Hi All,

Is there a way for the JSS to help me block all public / open wi-fi networks?
We do not want our devices to join them (OS X and iOS).

I have not found it, but maybe you guys can help :).

7 REPLIES 7

Johnny_Kim
Contributor II

If the users don't have admin rights on the Mac, you can use the "Require administrator authorization to:" and select the "Change networks" located in Network settings-> Advanced.

26e83067a3f5489096c40f701e4f966c

EliasG
Contributor

@Johnny.Kim what would require you to do go through every laptop manually correct?

chad_fox
Contributor II

@EliasG you could create a configuration profile and restrict the Network preferences pane. As long as you have a config profile scoped to all the devices to connect to a specific network, this should work fine.

mm2270
Legendary Contributor II

There's a way to set all those settings with command line options, maybe a way to do the same with a Config profile but I don't know. BTW, just restricting the Network Pref Pane will not be sufficient, because changing wireless networks can be done from the Wi-Fi menubar item if its there.

Let me look up the Terminal commands to set those options and post back. Unless someone beats me to it.

mm2270
Legendary Contributor II

Ok, found it. Here's a command that will check the box in the Network Preference Pane > Advanced for Wi-Fi labeled

Require administrator authorization to: Change networks
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport prefs RequireAdminNetworkChange=YES

As long as clients are not local admins, once that option is enabled, if they try to switch to another network than what they are configured to join thru a Config Profile, they'll get prompted to enter an admin password, which they won't have (hopefully)

A few other prefs you can set with the airport utility that may be interesting to you are:

RequireAdminIBSS Sets the option on to require admin to create new networks RequireAdminPowerToggle Sets the option on to require admin to turn Wi-Fi on or off

The only thing I'm not clear on is if a reboot is needed or log out/in to have the setting correctly apply. You'll have to experiment with that I guess. I don't know if its possible to have this setting included in a profile.

mikevos
New Contributor III

@Johnny.Kim @mm2270 Thanks for the help!

Sorry for not being more clear earlier.
I would still like them to be able to change network to f.e. their home wi-fi (if it has WPA2 protection)
Just not have them connect to any public / open wi-fi networks.

EliasG
Contributor

@chad.fox I've tried that, then we run into problems when teachers bring laptops home and can't join home wifi lol.