Hiding WiFi password

tsossong
New Contributor III

Hi nation,

One of my current projects is to try to hide the WiFi password from the user in any way possible.
Our setup is: DeployStudio image and DEP with PreStage Enrollments. The WiFi setup with all SSIDs comes from Casper (3 different policies). Our students are local administrators on their own machines.
This is why they can also access the keychain.

At first I thought it was hidden and not written to the keychain when I use just the WiFi profile, but unfortunately it gets written to the keychain the first time the SSID is connected.
Is there a way to prevent the password from being written to the keychain? Or is there a way to make the entry inaccessible to the currently logged-in user but readable by whatever process activates and connects to the WiFi?


psliequ
Contributor III

If they don't need access to it generally, you could create a software restriction that disallows students from opening Keychain Access at all. Applications can still write password entries to it, but users can't look at the entries themselves.

tsossong
New Contributor III

@psliequ cool, I overlooked this option. It works quite well. But here comes my laziness: there is no option to disallow a specific app. In 9.96 I can only allow apps, allow folders or disallow folders. So I can either build a policy containing all allowed apps and have to modify it whenever a new app comes in (which will be a lot with our BYOD Macs), or I disallow the Utilities folder. I tested the latter and found out: if you copy the Keychain Access app (which is possible even if launching apps from the Utilities folder is prohibited) to the Applications folder, you can open the copy.

psliequ
Contributor III

Instead of a Configuration Profile, look at the 'Restricted Software' section in Jamf Pro. You have finer-grained control there over which specific processes are allowed to run, and moving the app to a different location in the filesystem will still leave the process blocked.

tsossong
New Contributor III

Yes... sorry... but... then an administrator also can't access Keychain Access. I would love to have a mixture of both: a Restricted Software policy that I can scope at the user level. Feature request?

csanback
New Contributor III

Not sure if this will help or not, but we use a machine certificate for authentication to our WiFi. We embedded that into a profile, so that way you don't need a password, just the right profile/cert combo. Just a thought.

We've tried this approach, but with Monterey we can't automatically renew the AD machine cert, and any attempt to replace it or its associated profile kicks the machine offline and it won't reconnect. How do you manage this? We're using RADIUS, machine credentials and AD certs.
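The difference between the original poster's PSK profile and the certificate-based profile suggested above is visible in the .mobileconfig itself: a WPA2-PSK Wi-Fi payload carries the password in cleartext (and macOS then stores it in the System keychain, where a local admin can read it), while an EAP-TLS payload carries only a reference to a certificate payload and no password at all. The script below is an added example, not code from this thread or from Jamf; it parses a profile with Python's plistlib, walks every `com.apple.wifi.managed` payload and reports which ones embed a secret. The SSIDs, payload identifiers, UUIDs, the PSK and the placeholder PKCS#12 blob are all constructed sample data.

```python
#!/usr/bin/env python3
"""Audit a .mobileconfig for Wi-Fi payloads that embed a secret.

Added example (not from the thread). Reports, per Wi-Fi payload, whether
the network is joined with a PSK or EAP password that sits in the profile,
or with an EAP-TLS certificate referenced by PayloadCertificateUUID.
"""
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"
# Payload types that can satisfy a PayloadCertificateUUID reference.
CERT_PAYLOADS = {"com.apple.security.pkcs12", "com.apple.security.scep"}
EAP_TLS = 13  # value used in AcceptEAPTypes for EAP-TLS


def build_profile(payloads):
    """Wrap payload dicts in a minimal top-level profile; return XML plist bytes."""
    top = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi.audit",                # assumed name
        "PayloadUUID": "00000000-0000-0000-0000-0000000000AA",    # constructed
        "PayloadDisplayName": "Wi-Fi audit sample",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(top)


def classify_wifi_payload(payload, cert_uuids):
    """Describe how one Wi-Fi payload authenticates and what secret it carries."""
    finding = {
        "ssid": payload.get("SSID_STR"),
        "encryption": payload.get("EncryptionType"),
        "method": "open",
        "secret_in_profile": False,
        "issues": [],
    }
    if "Password" in payload:  # WPA/WPA2 personal: PSK in cleartext
        finding["method"] = "psk"
        finding["secret_in_profile"] = True
        finding["issues"].append("cleartext PSK in profile")
    eap = payload.get("EAPClientConfiguration")
    if eap:
        if EAP_TLS in eap.get("AcceptEAPTypes", []):
            finding["method"] = "eap-tls"
            ref = payload.get("PayloadCertificateUUID")
            if ref is None:
                finding["issues"].append("EAP-TLS without PayloadCertificateUUID")
            elif ref not in cert_uuids:
                finding["issues"].append(f"certificate UUID {ref} not in profile")
        else:
            finding["method"] = "eap-password"  # e.g. PEAP/TTLS with user creds
        if "UserPassword" in eap:
            finding["secret_in_profile"] = True
            finding["issues"].append("EAP UserPassword embedded in profile")
    return finding


def audit_profile(profile_bytes):
    """Return one finding per Wi-Fi payload found in the serialised profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOADS}
    return [classify_wifi_payload(p, cert_uuids)
            for p in payloads if p.get("PayloadType") == WIFI_PAYLOAD]


# --- Constructed sample payloads (not real networks or credentials) ---------
CERT_UUID = "11111111-2222-3333-4444-555555555555"

PSK_WIFI_PAYLOAD = {
    "PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
    "PayloadIdentifier": "example.wifi.psk",
    "PayloadUUID": "22222222-0000-0000-0000-000000000001",
    "SSID_STR": "Campus-Students", "EncryptionType": "WPA2", "AutoJoin": True,
    "Password": "not-a-real-psk",  # this is what ends up in the System keychain
}

CERT_PAYLOAD = {
    "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
    "PayloadIdentifier": "example.cert.machine", "PayloadUUID": CERT_UUID,
    "PayloadContent": b"placeholder for a PKCS#12 blob",  # constructed
}

EAP_TLS_WIFI_PAYLOAD = {
    "PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
    "PayloadIdentifier": "example.wifi.eaptls",
    "PayloadUUID": "22222222-0000-0000-0000-000000000002",
    "SSID_STR": "Campus-8021X", "EncryptionType": "WPA2", "AutoJoin": True,
    "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS],
                               "TLSTrustedServerNames": ["radius.example.edu"]},
    "PayloadCertificateUUID": CERT_UUID,  # no password anywhere in the payload
}

if __name__ == "__main__":
    for sample in (build_profile([PSK_WIFI_PAYLOAD]),
                   build_profile([CERT_PAYLOAD, EAP_TLS_WIFI_PAYLOAD])):
        for f in audit_profile(sample):
            print(f)
```

Running it on a real exported profile (`plistlib.loads(open(path, "rb").read())`, unsigned profiles only) shows which SSIDs still depend on a shared secret. Note that the certificate route removes the password but not the secret entirely: the identity's private key from the PKCS#12 payload is still imported into the System keychain, so the Restricted Software discussion above still applies if students should not be able to export it.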

blackholemac
Valued Contributor III

We had problems with that but they got solved when we went 802.1X. That solved that problem but opened quite a few other cans of snakes.