Posted on 09-16-2019 09:10 AM
Hello J Nation,
We currently have a group of MacBooks that should NOT be utilizing the guest network, but users like to switch to that network when they think their connection is bad, etc.
Is there a way to completely hide/block the guest SSID from this group of machines?
I would greatly appreciate any help on this!
Posted on 09-16-2019 09:42 AM
You'll see the suggestion made to fill in an incorrect password for the SSID. I've never gotten this to work.
I use an extension attribute to collect all SSIDs saved to the computers and a policy to remove Guest from their list.
The user can still select Guest anytime they want and you're back to square one. Mojave has a check box for automatically connecting, so you might be able to leverage that into something. I'll turn off guest a couple times a month to force machines to connect to our real network, just long enough for them to check in and get updates.
Posted on 09-16-2019 09:44 AM
@gquattro You can't prevent the Mac from seeing an SSID, but you could write a script that would check to see what the active SSID was, and if it matched your guest SSID AND the preferred SSID was available (you'd want to check the signal strength as well) then force the connection to drop. Make sure your preferred SSID is the first SSID in your preferred networks list and that's what it'll re-connect to.
Posted on 09-16-2019 09:52 AM
I don't think there is a way to do that on Macs. You can prevent it on iPads with a Restrictions configuration profile as long as you have pushed out a Network payload (or you want them to not connect to any network on purpose...).
We block devices we own from getting to the Internet through the guest network using Aruba ClearPass. It integrates with the Jamf API to pull MAC addresses and assign Jamf devices an attribute in ClearPass to the effect of "district owned device", which is then blocked from the guest network.
That doesn't prevent the Macs from trying to connect or saving it as a preferred wireless network though, and they effectively end up offline until someone manually switches back to the regular network. So what I did for my Macs was create a script and LaunchDaemon to check for my guest network. The LaunchDaemon triggers every time network status changes. If guest is a preferred wireless network, remove it from the preferred wireless network list, then toggle the Wi-Fi off and back on (because the LaunchDaemon will trigger the script as soon as network status changes, so they're likely already on the guest network). If guest is not preferred then the script does nothing.
Script below (edited out org specific stuff but functionally similar) which I install to /usr/local/bin/ via Composer package.
#!/bin/bash
# Remove the guest SSID from the preferred network list and bounce Wi-Fi so the Mac rejoins its top preferred network.
GuestSSID="GUEST"
Logfile=/var/log/GUESTremover.log
#Setup for logging
Date=$(/bin/date)
if [ -f "$Logfile" ]; then
printf '\nLog found, script running on %s\n' "$Date" >> "$Logfile"
else
/usr/bin/touch "$Logfile"
echo "Log created, script running on $Date" >> "$Logfile"
fi
#Detect network interfaces to find the Wi-Fi interface
services=$(networksetup -listnetworkserviceorder | grep 'Hardware Port')
# Read one line at a time; each looks like "(Hardware Port: Wi-Fi, Device: en0)"
while read -r line; do
# Get the name of the interface (Ethernet, Wi-Fi)
sname=$(echo "$line" | awk -F '(: )|(, )|[)]' '{ print $2 }')
# Get the interface device identifier (en0, en1...)
sdev=$(echo "$line" | awk -F '(: )|(, )|[)]' '{ print $4 }')
if [[ "$sname" == "Wi-Fi" ]]; then
wifi=$sdev
elif [[ "$sname" == "Ethernet" ]]; then
ethernet=$sdev
elif [[ "$sname" == "Thunderbolt Ethernet"* ]]; then
ethernet=$sdev
fi
# from $services
done <<< "$services"
echo "Ethernet interface is $ethernet" >> "$Logfile"
echo "WiFi interface is $wifi" >> "$Logfile"
if [[ -z "$wifi" ]]; then
echo "No Wi-Fi interface found, exiting" >> "$Logfile"
exit 0
fi
#Read the list of preferred wireless networks (one SSID per line, indented, under a header line).
preferredNetworks=$(networksetup -listpreferredwirelessnetworks "$wifi")
#Check the list of preferred wireless networks for the guest SSID.
#Match the whole SSID so that, say, "GUEST-Staff" or a home "MyGUESTnet" is left alone.
if echo "$preferredNetworks" | grep -qE "^[[:space:]]*${GuestSSID}$"; then
echo "$GuestSSID preferred, removing" >> "$Logfile"
networksetup -removepreferredwirelessnetwork "$wifi" "$GuestSSID" >> "$Logfile"
#Bounce Wi-Fi so the Mac drops guest and rejoins the first entry of its preferred list.
networksetup -setairportpower "$wifi" off
/bin/sleep 0.5
networksetup -setairportpower "$wifi" on
exit 0
else
echo "$GuestSSID not preferred, exiting" >> "$Logfile"
exit 0
fi
This is the LaunchDaemon install script I use (again, edited to change org specific stuff but functionally the same).
#!/bin/bash
# Install the LaunchDaemon that runs GUESTremover.sh at boot and whenever the watched network files change.
PlistPath=/Library/LaunchDaemons/org.yourorg.GUESTremover.plist
# If an older copy is already loaded, unload it so the load below picks up the new file.
if launchctl list | grep -q org.yourorg.GUESTremover; then
launchctl unload "$PlistPath"
fi
# Quoted heredoc delimiter: nothing inside is expanded by the shell.
cat << 'EOF' > "$PlistPath"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.yourorg.GUESTremover</string>
<key>RunAtLoad</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist</string>
<string>/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist</string>
<string>/var/run/resolv.conf</string>
<string>/private/var/run/resolv.conf</string>
</array>
<key>LowPriorityIO</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/usr/local/bin/GUESTremover.sh</string>
</array>
</dict>
</plist>
EOF
# launchd refuses LaunchDaemons that are not root-owned or are group/world writable.
chown root:wheel "$PlistPath"
chmod 644 "$PlistPath"
# Make sure the plist parses before handing it to launchd.
plutil -lint "$PlistPath" || exit 1
launchctl load -w "$PlistPath"
Posted on 09-16-2019 10:26 AM
I appreciate the feedback here! Does anyone know of a way to simply request administrator passwords before changing to a different Wi-Fi? Seems simple enough, cannot find the syntax to achieve this.
Posted on 09-16-2019 10:35 AM
Posted on 09-16-2019 11:26 AM
The options in the screenshot above can be set using the airport command line utility.
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport prefs RequireAdminIBSS=YES RequireAdminNetworkChange=YES
If you push the above out from a Jamf policy, just drop the sudo since it's not needed.
Note that the RequireAdminIBSS option prevents them from creating an ad-hoc network on their Mac. That'll be a useful option to enable. The RequireAdminNetworkChange option is obvious.
Also note that all of this requires that the users are not local admins or don't have local admin credentials. If they have either, they'll be able to override these options.
Another option you could play with, using the same utility, is RememberRecentNetworks. If that Guest network is not configured for their Macs, then setting the above to NO would mean that even after they connect, it would prevent their Mac from remembering the connection. So next time it wakes up, it should not auto reconnect to Guest. The only problem is this would also stop their system from remembering other networks, like their home one if they take the Macs with them. That could be a problem, so you'll have to decide if you want to do that or not.
Posted on 09-16-2019 11:30 AM
One of the main reasons we've let this dog lie is our students get to bring their MacBooks home. Not being able to connect to their home network would be kinda cruel.
Posted on 09-16-2019 11:38 AM
@gquattro We have our computers for students set to only allow Wi-Fi to change if you are an administrator using this:
sudo /usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES RequireAdminPowerToggle=NO
Hope this helps!
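A check for the settings the two posts above apply, as an added example that is not part of either post. It reads the preferences back (assuming `airport prefs` with no arguments prints one KEY=VALUE line per setting, as it does on 10.14), reports drift in the <result> form a Jamf extension attribute expects, and with --fix re-applies them as root. The wanted values and the sample output embedded in the script are this example's, not the thread's; the sample is constructed, not a capture.

```shell
#!/bin/bash
# Added example (not from the thread): verify the admin-required Wi-Fi prefs are really set.
# Assumption: `airport prefs` with no arguments prints one KEY=VALUE line per setting.
AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
# Policy for this example: admin needed to change networks or create ad-hoc nets, not to toggle power.
WANTED="RequireAdminNetworkChange=YES RequireAdminIBSS=YES RequireAdminPowerToggle=NO"

# get_pref KEY: print the value of KEY from prefs output on stdin (nothing if absent).
get_pref() {
  awk -F '=' -v key="$1" '$1 == key { print $2; exit }'
}

# check_prefs PREFS_TEXT: print "Compliant" or "Non-compliant: key=actual (want wanted) ...".
# Returns 1 when anything drifts so callers can branch on it.
check_prefs() {
  local prefs="$1" kv key want got bad=""
  for kv in $WANTED; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$prefs" | get_pref "$key")
    [ "$got" = "$want" ] || bad="$bad $key=${got:-missing} (want $want)"
  done
  if [ -z "$bad" ]; then echo "Compliant"; return 0; fi
  echo "Non-compliant:$bad"; return 1
}

# remediate: apply the wanted values (needs root and the real airport binary).
remediate() {
  "$AIRPORT" prefs $WANTED
}

# Constructed sample of `airport prefs` output (not a real capture): a Mac still on the defaults.
SAMPLE_PREFS='AirPort preferences for en0:

DisconnectOnLogout=NO
JoinMode=Automatic
JoinModeFallback=DoNothing
RememberRecentNetworks=YES
RequireAdminIBSS=NO
RequireAdminNetworkChange=NO
RequireAdminPowerToggle=NO
WoWEnabled=YES'

if [ -x "$AIRPORT" ]; then prefs=$("$AIRPORT" prefs 2>/dev/null); else prefs="$SAMPLE_PREFS"; fi
if [ "${1:-}" = "--fix" ] && [ "$(id -u)" = 0 ] && ! check_prefs "$prefs" >/dev/null; then
  remediate && prefs=$("$AIRPORT" prefs 2>/dev/null)   # re-read after applying
fi
result=$(check_prefs "$prefs") || true
# Jamf extension attributes take whatever sits between the <result> tags.
echo "<result>$result</result>"
```

Scope a remediation policy to the computers whose extension attribute is not "Compliant"; as the post above notes, none of this holds against a user who has local admin credentials, since they can run the same command with the opposite values.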
Posted on 09-16-2019 06:13 PM
@larry_barrett In a previous role at a K12 school with a 1:1 using MacBook Airs I handled letting students connect to their home Wi-Fi with two scripts - one that made sure the campus Wi-Fi was always #1 in the Preferred Networks list (see Preferred Wireless Network priority) and one that would check the active SSID and if it wasn't the campus SSID AND that SSID was available it'd drop the Wi-Fi connection temporarily (I don't have a copy of that script handy, but somewhere on Jamf Nation is the one I built it from). When Wi-Fi came back up they'd get the campus SSID due to its #1 spot on the list. It worked great except for the student that lived close enough to the campus that at home they still saw the school SSID (when we turned off 2.4GHz that problem went away).
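The check that this post and the earlier one from @gquattro's thread describe (on the guest SSID, preferred SSID in range with usable signal, drop the connection so the Mac rejoins its first preferred network), as an added example that is not from the thread. It assumes the SSID names Campus-WiFi and GUEST, a -75 dBm floor, interface en0, and the text layout of `airport -s` scan output on 10.14 (SSID right-aligned in the first column, then BSSID, then RSSI). The scan inside the script is constructed, not a capture, and the script only touches the real tools when run with --live.

```shell
#!/bin/bash
# Added example (not from the thread): drop the Wi-Fi link when a Mac sits on the guest SSID
# while the preferred SSID is in range with usable signal, so it rejoins the preferred SSID
# (which must be first in the preferred network list, as the posts above note).
# Assumptions: the SSID names, the -75 dBm floor, en0, and the `airport -s` column layout.
AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
PREFERRED_SSID="${PREFERRED_SSID:-Campus-WiFi}"   # assumed name
GUEST_SSID="${GUEST_SSID:-GUEST}"                 # assumed name
MIN_RSSI="${MIN_RSSI:--75}"                        # dBm; assumed floor for "usable"
WIFI_IF="${WIFI_IF:-en0}"                          # assumed interface

# parse_scan: read `airport -s` output on stdin, print one "SSID<TAB>RSSI" line per network.
# The SSID column is cut at the header's BSSID offset so SSIDs containing spaces survive
# (awk '{print $1}' would not); the BSSID field can be blank when the scan is not run as
# root, so RSSI is taken as the field after the BSSID if one is present, else the first.
parse_scan() {
  awk '
    NR == 1 { col = index($0, "BSSID"); next }
    col > 0 {
      ssid = substr($0, 1, col - 1); sub(/^[ \t]+/, "", ssid); sub(/[ \t]+$/, "", ssid)
      split(substr($0, col), f, " ")
      rssi = (f[1] ~ /:/) ? f[2] : f[1]
      if (ssid != "") print ssid "\t" rssi
    }'
}

# best_rssi SSID: strongest RSSI seen for SSID in parse_scan output on stdin (empty if absent).
best_rssi() {
  awk -F "$(printf '\t')" -v want="$1" '
    $1 == want && (!seen || $2 + 0 > best) { best = $2 + 0; seen = 1 }
    END { if (seen) print best }'
}

# decide CURRENT_SSID SCAN_TEXT: prints "drop" or "stay".
decide() {
  local current="$1" scan="$2" rssi
  [ "$current" = "$GUEST_SSID" ] || { echo stay; return 0; }
  rssi=$(printf '%s\n' "$scan" | parse_scan | best_rssi "$PREFERRED_SSID")
  if [ -n "$rssi" ] && [ "$rssi" -ge "$MIN_RSSI" ]; then echo drop; else echo stay; fi
}

# Constructed sample in the `airport -s` layout (not a real capture): guest is the stronger
# signal, but the preferred network is still well above the floor, so we should drop.
SAMPLE_SCAN=$(
  printf '%32s %-17s %s\n' 'SSID' 'BSSID' 'RSSI CHANNEL HT CC SECURITY (auth/unicast/group)'
  printf '%32s %-17s %s\n' 'Campus-WiFi' '00:11:22:33:44:55' '-58  36      Y  US WPA2(802.1x/AES/AES)'
  printf '%32s %-17s %s\n' 'GUEST'       '00:11:22:33:44:66' '-45  1       Y  US NONE'
  printf '%32s %-17s %s\n' 'Cafe Free'   '00:11:22:33:44:77' '-80  11      Y  US NONE'
)

if [ "${1:-}" = "--live" ] && [ -x "$AIRPORT" ]; then
  # networksetup prints "Current Wi-Fi Network: <SSID>"; sed keeps SSIDs with spaces intact.
  current=$(networksetup -getairportnetwork "$WIFI_IF" | sed 's/^Current Wi-Fi Network: //')
  scan=$("$AIRPORT" -s)
else
  current="$GUEST_SSID"; scan="$SAMPLE_SCAN"      # dry run on the constructed sample
fi

action=$(decide "$current" "$scan")
echo "current=$current action=$action"
if [ "$action" = drop ] && [ "${1:-}" = "--live" ]; then
  "$AIRPORT" -z   # disassociate; the Mac then rejoins the top entry of its preferred list
fi
```

Run it from the LaunchDaemon shown earlier in the thread or from a recurring policy; the RSSI floor is what keeps it from dropping a student who is at home but still faintly sees the campus SSID, the case the post above ran into.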
Posted on 09-16-2019 07:57 PM
This script is from 2016, but I don't see why it wouldn't work!
#!/bin/bash
# Monitor and Manage WiFi Networks
# Del Brown
# 11/21/16
# delonline@icloud.com
#
# Begin Variable Definitions
#Replace WIFINAME with your school WiFi. Leaving it empty will disconnect from any network.
#Separate several SSIDs with spaces; SSIDs that themselves contain spaces are not supported by this list.
WifiWhitelist="WIFINAME"
# Wi-Fi interface; en0 on most MacBooks (check with: networksetup -listallhardwareports)
WifiInterface="en0"
Airport=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport
# End of Variable Definitions
# Begin Function Declarations
connect ()
{
for SchoolNetwork in $WifiWhitelist
do
#loop through whitelist and connect to whitelisted network found
echo " Available Network ""$SchoolNetwork"
networksetup -setairportnetwork "$WifiInterface" "$SchoolNetwork" &>/dev/null
done
}
disconnect ()
{
echo "Time to disconnect"
# send disconnect command to the Wi-Fi interface (airport -z disassociates from the current network)
"$Airport" -z
}
onSchoolNetwork ()
{
# test to see if the school network has been joined. You can either use the networksetup command or the airport utility for this.
# networksetup prints "Current Wi-Fi Network: <SSID>"; strip the label with sed rather than awk so SSIDs containing spaces survive
MyWifi=$(networksetup -getairportnetwork "$WifiInterface" | sed 's/^Current Wi-Fi Network: //')
#MyWifi=$("$Airport" --getinfo | sed -n 's/^ *SSID: //p')
# Call the disconnect function if a network outside of school is joined
for AllowedID in $WifiWhitelist
do
if [ "$AllowedID" == "$MyWifi" ]
then # Asset is on the school network
echo "I am connected to the School Network ""$AllowedID"
exit 0
fi
done
echo "Device is not connected to School Network so disconnect and reconnect to the school"
disconnect
connect
exit 0
}
atSchool ()
{
# scan and keep only the SSID column: everything before the header's BSSID column, trimmed, one SSID per line
WifiAvailable=$("$Airport" -s | awk 'NR==1{col=index($0,"BSSID");next} {s=substr($0,1,col-1); gsub(/^ +| +$/,"",s); print s}')
# test to see if the Asset is at school by scanning for school networks and see if one is the school
while IFS= read -r ScannedNetwork
do
for SchoolNetwork in $WifiWhitelist
do
if [ "$SchoolNetwork" == "$ScannedNetwork" ]
then
AssetAtSchool="Yes"
echo "The Device is at school"
return
fi
done
done <<< "$WifiAvailable"
AssetAtSchool="No"
echo "asset is not at school so we don't care and we'll exit"
exit 0
}
# End Function Declarations
#########################
#program starts here
atSchool
onSchoolNetwork
Source: https://www.jamf.com/jamf-nation/discussions/22083/managing-wifi-on-macos
Posted on 09-17-2019 05:52 AM
@rhoward This makes a lot of sense and will do the trick for us I believe, thank you :)