Changing preferred Wifi networks without admin rights?

shawes
New Contributor II

We’ve recently removed admin rights on Macs for all of our users. Does anyone know of a way to enable users to always be able to administer preferred/saved Wifi networks which are saved on their machines without having to grant them temporary admin rights?

1 ACCEPTED SOLUTION

dsavageED
Contributor III

Maybe try:

#!/bin/bash

# Workaround as shown in https://www.jamf.com/jamf-nation/discussions/19050/add-wifi-networks-without-admin-privileges
# Allows non-admin users to add printers and manage their WiFi configuration.

#For WiFi

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

#For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin

exit 0;

View solution in original post

16 REPLIES 16

mark_mahabir
Valued Contributor

We use a script mentioned in this thread to allow users to set preferred networks in Self Service.

Does that help at all?

dsavageED
Contributor III

Maybe try:

#!/bin/bash

# Workaround as shown in https://www.jamf.com/jamf-nation/discussions/19050/add-wifi-networks-without-admin-privileges
# Allows non-admin users to add printers and manage their WiFi configuration.

#For WiFi

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow

#For printing

/usr/bin/security authorizationdb write system.preferences.printing allow
/usr/bin/security authorizationdb write system.print.operator allow
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin

exit 0;

Is this still valid for macOS 12.3.1? I just tried it and while networking is now indeed unlocked it will ask me for admin logon when I hit OK. The changes wont stick without it.

I'm seeing the same issue; the networking pane is unlocked, but when I choose a Wi-Fi networks and hit the minus "-", it asks me for admin login.

It does work, it just needs the

/usr/bin/security authorizationdb write com.apple.wifi allow

line in it too.

Did that, policy ran ok with below results but making changes to WiFi STILL asks me for admin credentials.

[STEP 1 of 4]
Executing Policy System Preferences - Print and WiFi without admin
[STEP 2 of 4]
Running script System Preferences - Print and WiFi without admin...
Script exit code: 0
Script result: YES (0)
YES (0) YES (0) YES (0) YES (0)
[STEP 3 of 4]
[STEP 4 of 4]

Well, well, the test machine I have is Ventura 13.01, and indeed, it is now asking for admin credentials. Looks like we'll need another solution.

This is how Apple keeps us entertained.

Not sure if this is relevant but I added /usr/libexec/airportd prefs RequireAdminNetworkChange=NO RequireAdminIBSS=NO before testing

While testing on Ventura, I found that I'm prompted for the admin password, but I click Cancel and the removal still works. Curious if you get the same result.

shawes
New Contributor II

@dsavageED - That worked perfectly, thank you!

matthewmazer
New Contributor

May be a dumb question, but I assume this is just a "run once per machine" deployment, or do we need to stick it in self service to be run on demand

DouglasWard-IA
New Contributor III

I run it "once per machine".

JayKay27
New Contributor II

does anyone know how to reverse the script so it's back to being admin locked? 

I believe you will have to delete the preferences you made changes to in order to get it back the way it was.

gustavo-suarez
New Contributor II

Anyone has found or written a script to allow user changes for WiFi settings for Ventura?

I'm struggling to allow this on MacOS Ventura as well.
Anyone found a solution?

i have rearranged the code to only allow the 'Activation W-Lan Management Settings'

Maybe try this:

#!/bin/bash

# Workaround as shown in https://www.jamf.com/jamf-nation/discussions/19050/add-wifi-networks-without-admin-privileges
# Allows non-admin users to manage their WiFi configuration.

#For WiFi

/usr/bin/security authorizationdb write system.preferences.network allow
/usr/bin/security authorizationdb write system.services.systemconfiguration.network allow
/usr/bin/security authorizationdb write com.apple.wifi allow

/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin

exit 0;