Hide/Block SSID on Macbook Pros

gquattro
New Contributor III

Hello J Nation,

We currently have a group of Macbooks that should NOT be utilizing the guest network, but users like to switch to that network when they think their connection is bad, etc.

Is there a way to completely hide/block the guest SSID from this group of machines?

I would greatly appreciate any help on this!


larry_barrett
Valued Contributor

You'll see the suggestion made to fill in an incorrect password for the SSID. I've never gotten this to work.

I use an extension attribute to collect all SSIDs saved to the computers and a policy to remove Guest from their list.

The user can still select Guest anytime they want and you're back to square one. Mojave has a check box for automatically connecting, so you might be able to leverage that into something. I'll turn off guest a couple times a month to force machines to connect to our real network, just long enough for them to check in and get updates.

sdagley
Esteemed Contributor II

@gquattro You can't prevent the Mac from seeing a SSID, but you could write a script that would check to see what the active SSID was, and if it matched your guest SSID AND the preferred SSID was available (you'd want to check the signal strength as well) then force the connection to drop. Make sure your preferred SSID is the 1st SSID in your preferred networks list and that's what it'll re-connect to.

crbeck
Contributor

I don't think there is a way to do that on Macs. You can prevent it on iPads with a Restrictions configuration profile as long as you have pushed out a Network payload (or you want them to not connect to any network on purpose...).

We block devices we own from getting to the Internet through the guest network using Aruba ClearPass. It integrates with the Jamf API to pull MAC addresses and assign Jamf devices an attribute in ClearPass to the effect of "district owned device", which is then blocked from the guest network.

That doesn't prevent the Macs from trying to connect or saving it as a preferred wireless network though, so they effectively end up offline until someone manually switches back to the regular network. So what I did for my Macs was create a script and LaunchDaemon to check for my guest network. The LaunchDaemon triggers every time network status changes. If guest is a preferred wireless network, the script removes it from the preferred wireless network list and toggles the Wi-Fi off and back on (because the LaunchDaemon will trigger the script as soon as network status changes, so they're likely already on the guest network). If guest is not preferred then the script does nothing.

Script below (edited out org-specific stuff but functionally similar), which I install to /usr/local/bin/ via a Composer package.

#!/bin/bash

# Setup for logging
Date=$(/bin/date)
Logfile=/var/log/GUESTremover.log
if [ -f "$Logfile" ]; then
    echo -e "\nLog found, script running on $Date" >> "$Logfile"
else
    /usr/bin/touch "$Logfile"
    echo "Log created, script running on $Date" >> "$Logfile"
fi

# Detect network interfaces to find the Wi-Fi interface
services=$(networksetup -listnetworkserviceorder | grep 'Hardware Port')

# Read one line at a time; each looks like "(Hardware Port: Wi-Fi, Device: en0)"
while read -r line; do
    # Get the name of the interface (Ethernet, Wi-Fi)
    sname=$(echo "$line" | awk -F '(: )|(, )|[)]' '{ print $2 }')
    # Get the interface device identifier (en0, en1...)
    sdev=$(echo "$line" | awk -F '(: )|(, )|[)]' '{ print $4 }')

    if [[ "$sname" == "Wi-Fi" ]]; then
        wifi=$sdev
    elif [[ "$sname" == "Ethernet" ]]; then
        ethernet=$sdev
    elif [[ "$sname" == "Thunderbolt Ethernet"* ]]; then
        ethernet=$sdev
    fi
done <<< "$services"

echo "Ethernet interface is $ethernet" >> "$Logfile"
echo "WiFi interface is $wifi" >> "$Logfile"

# Nothing to do on a Mac with no Wi-Fi service
if [ -z "$wifi" ]; then
    echo "No Wi-Fi interface found, exiting" >> "$Logfile"
    exit 0
fi

# Read the list of preferred wireless networks.
preferredNetworks=$(networksetup -listpreferredwirelessnetworks "$wifi")

# Check the list of preferred wireless networks for the guest SSID (substring match).
if echo "$preferredNetworks" | grep -q "GUEST"; then
    echo "GUEST preferred, removing" >> "$Logfile"
    networksetup -removepreferredwirelessnetwork "$wifi" GUEST >> "$Logfile"
    # Bounce Wi-Fi so an active GUEST association is dropped and the Mac
    # re-joins the top entry in its preferred list
    networksetup -setairportpower "$wifi" off
    /bin/sleep 0.5
    networksetup -setairportpower "$wifi" on
    exit 0
else
    echo "GUEST not preferred, exiting" >> "$Logfile"
    exit 0
fi

This is the LaunchDaemon install script I use (again, edited to change org specific stuff but functionally the same).

cat << EOF > /Library/LaunchDaemons/org.yourorg.GUESTremover.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.yourorg.GUESTremover</string>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist</string>
        <string>/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist</string>
        <string>/var/run/resolv.conf</string>
        <string>/private/var/run/resolv.conf</string>
    </array>
    <key>LowPriorityIO</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>/usr/local/bin/GUESTremover.sh</string>
    </array>
</dict>
</plist>
EOF

sleep 2

chown root:wheel /Library/LaunchDaemons/org.yourorg.GUESTremover.plist
chmod 644 /Library/LaunchDaemons/org.yourorg.GUESTremover.plist

sleep 2

launchctl load -w /Library/LaunchDaemons/org.yourorg.GUESTremover.plist

gquattro
New Contributor III

I appreciate the feedback here! Does anyone know of a way to simply request administrator passwords before changing to a different Wi-Fi? Seems simple enough, but I cannot find the syntax to achieve this.

larry_barrett
Valued Contributor

[screenshot of the Wi-Fi preferences options]

mm2270
Legendary Contributor III

The options in the screenshot above can be set using the airport command line utility.

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport prefs RequireAdminIBSS=YES RequireAdminNetworkChange=YES

If you push the above out from a Jamf policy, just drop the sudo since it's not needed.
Note that the RequireAdminIBSS option prevents them from creating an ad-hoc network on their Mac. That'll be a useful option to enable. The RequireAdminNetworkChange option is obvious.
Also note that all of this requires that the users are not local admins or don't have local admin credentials. If they have either, they'll be able to override these options.

Another option you could play with, using the same utility is the RememberRecentNetworks. If that Guest network is not configured for their Macs, then setting the above to NO would mean even after they connect, it would prevent their Mac from remembering the connection. So next time it wakes up, it should not auto reconnect to Guest. The only problem is this would also stop their system from remembering other networks, like their home one if they take the Macs with them. That could be a problem, so you'll have to decide if you want to do that or not.

larry_barrett
Valued Contributor

One of the main reasons we've let this dog lie is our students get to bring their Macbooks home. Not being able to connect to their home network would be kinda cruel.

rhoward
Contributor

@gquattro We have our computers for students set to only allow wifi to change if you are an administrator using this:

sudo /usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES RequireAdminPowerToggle=NO

Hope this helps!

sdagley
Esteemed Contributor II

@larry_barrett In a previous role at a K12 school with a 1:1 using MacBook Airs I handled letting students connect to their home Wi-Fi with 2 scripts - one that made sure the campus Wi-Fi was always #1 in the Preferred Networks list (see Preferred Wireless Network priority) and one that would check the active SSID and if it wasn't the campus SSID AND that SSID was available it'd drop the Wi-Fi connection temporarily (I don't have a copy of that script handy, but somewhere on Jamf Nation is the one I built it from). When Wi-Fi came back up they'd get the campus SSID due to its #1 spot on the list. It worked great except for the student that lived close enough to the campus that at home they still saw the school SSID (when we turned off 2.4GHz that problem went away).

jared_f
Valued Contributor

This script is from 2016, but I don't see why it wouldn't work!

#!/bin/bash

# Monitor and Manage WiFi Networks
# Del Brown
# 11/21/16
# delonline@icloud.com
#
# Begin Variable Definitions
# Replace WIFINAME with your school WiFi. Leaving it empty will disconnect from any network.

WifiWhitelist="WIFINAME"

# End of Variable Definitions

# Begin Function Declarations
connect ()
{
    # Loop through the whitelist and try to connect to each whitelisted network
    for SchoolNetwork in $WifiWhitelist; do
        echo " Available Network $SchoolNetwork"
        networksetup -setairportnetwork en0 "$SchoolNetwork" &>/dev/null
    done
}

disconnect ()
{
    echo "Time to disconnect"
    # Send the disconnect command to en0
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -z
    #exit 1
}

onSchoolNetwork ()
{
    # Test to see if the school network has been joined. You can use either the
    # networksetup command or the airport utility for this.
    # (awk prints the 4th word of "Current Wi-Fi Network: NAME", i.e. the first word of the SSID)
    MyWifi=$(networksetup -getairportnetwork en0 | awk '{print $4}')
    #MyWifi=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --getinfo | grep " SSID" | awk '{print $2}')

    # Nothing to do if a whitelisted network is already joined
    for AllowedID in $WifiWhitelist; do
        if [ "$AllowedID" == "$MyWifi" ]; then
            # Asset is on the school network
            echo "I am connected to the School Network $AllowedID"
            exit 1
        fi
    done

    # Otherwise call disconnect and reconnect to the school network
    echo "Device is not connected to School Network so disconnect and reconnect to the school"
    disconnect
    connect
    exit
}

atSchool ()
{
    # Test to see if the Asset is at school by scanning for nearby SSIDs and
    # checking whether one of them is a school network
    WifiAvailable=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s | awk '{print $1}')
    for ScannedNetworks in $WifiAvailable; do
        for SchoolNetwork in $WifiWhitelist; do
            if [ "$SchoolNetwork" == "$ScannedNetworks" ]; then
                AssetAtSchool="Yes"
                echo "The Device is at school"
                return
            fi
        done
    done
    AssetAtSchool="No"
    echo "asset is not at school so we don't care and we'll exit"
    exit
}

# End Function Declarations

#########################

# Program starts here
atSchool
onSchoolNetwork

Source: https://www.jamf.com/jamf-nation/discussions/22083/managing-wifi-on-macos

gquattro
New Contributor III

@rhoward This makes a lot of sense and will do the trick for us I believe, thank you :)