Posted on 04-12-2017 12:21 AM
Hi nation,
one of my current projects is to try to hide the WiFi password from the user in any way.
Our setup is: DeployStudio image and DEP with PreStage Enrollments. The WiFi setup with all SSIDs comes from Casper - 3 different policies. Our students are local administrators on their own machines.
This is why they also can access the keychain.
First I thought it's hidden and not written to the keychain when I use just the WiFi profile, but unfortunately it is written to the keychain the first time the SSID gets connected.
Is there a way to prevent the password from being written to the keychain? Or is there a way to make the entry inaccessible for the currently logged in user but readable for whatever process activates and connects to the WiFi?
Posted on 04-12-2017 05:18 AM
If they don't need access to it generally you could create a software restriction that disallows students from opening Keychain Access at all. Applications can still write password entries to it but users can't look at the entries themselves.
Posted on 04-12-2017 05:49 AM
@psliequ cool, overlooked this option. It works quite well. But here comes my laziness: there is no option to disallow a specific app. In 9.96 I can only allow apps, allow folders or disallow folders. I can build a policy containing all allowed apps and have to modify it maybe if a new app comes in (will be a lot with our BYOD Macs), or I disallow the Utilities folder. I tested the last solution and figured out: if you copy the Keychain Access app (which is possible even if launching apps from the Utilities folder is prohibited) to the Applications folder, you can open the copy.
Posted on 04-12-2017 05:55 AM
Instead of a Configuration Profile, look at the section in Jamf Pro for 'Restricted Software.' You have finer grained control there over what specific processes are allowed to run, and moving the app to a different location in the filesystem will continue to block the process.
Posted on 04-12-2017 06:41 AM
Yes...sorry...but...then an administrator also can't access Keychain Access. I would love to have a mixture of both: a restricted software policy that I can scope to user level. Feature request?
Posted on 04-12-2017 07:18 AM
Not sure if this will help or not. But we use a machine certificate for authentication to our WiFi. We embedded that into a profile. So that way you don't need a password just the right profile/cert combo. Just a thought.
Posted on 07-28-2022 09:35 AM
We've tried this approach, but with Monterey we can't automatically renew the AD machine cert, and any attempt to replace it or its associated profile kicks the machine offline and it won't reconnect. How do you manage this? We're using RADIUS, machine credentials, AD certs.
Posted on 04-12-2017 08:49 AM
We had problems with that but they got solved when we went 802.1X. That solved that problem but opened quite a few other cans of snakes.