Posted on 11-07-2019 12:50 PM
All of our school district owned iPads and Macs are joined to a secure WiFi network called VCSdistrict. We also have a WiFi network called VCSguest that needs no authentication to join. Personal devices are joined to VCSguest.
Is there any way to prevent users (staff and students) from taking a district owned iPad or Mac and joining VCSguest? We want to make sure that district owned devices remain on the secure VCSdistrict network.
Posted on 11-07-2019 12:52 PM
If I'm not mistaken, you can do this in Configuration Profiles, where you can only allow connection to recognized Wi-Fi networks.
Posted on 11-07-2019 12:53 PM
What section of config profiles?
Posted on 11-07-2019 12:59 PM
Looks like a Configuration Profile with a Network payload containing the correct Wi-Fi network information, with Auto Join enabled, should do this.
Posted on 11-07-2019 01:12 PM
I think that will automatically have the iPad or Mac join the correct WiFi network; I do not think it will prevent the user from joining a different WiFi network.
Posted on 11-07-2019 01:27 PM
You could use JAMF to pull a report for all School-owned airport MAC addresses and then have your networking team blacklist them from getting an IP on the "Guest" network, if that's something they're willing to do.
Posted on 11-07-2019 01:30 PM
That sounds like it would work but also sounds like a huge amount of work. I was hoping that there was some way within Jamf to do this.
Posted on 11-07-2019 01:33 PM
Here's what I was looking for.
https://www.jamf.com/jamf-nation/feature-requests/4961/lock-ipad-to-ssid
This was, at least previously, possible.
Posted on 11-07-2019 01:39 PM
This will work with one big caveat that makes it a non-starter for us. I do want users to be able to join other wifi networks when the iPad or Mac is off campus. I just want the ability to restrict them from joining one particular wifi network when on campus.
Posted on 11-07-2019 01:41 PM
Found it... so it's for-sure you'll be able to do this on iOS.
Posted on 11-07-2019 01:42 PM
If I uncheck this option and an iPad or Mac is taken off campus to a coffee shop with a wide open wifi network, I am thinking it will not be able to join it. Is that correct? That would be a problem.
Posted on 11-07-2019 01:43 PM
Right. You might need a different solution, then. Sorry!
Posted on 11-07-2019 01:46 PM
One thing you can try. Deploy a profile with the SSID of the guest network, but with the WRONG password (in this case, ANY password).
Posted on 11-07-2019 01:51 PM
If I have already deployed a WiFi profile that works in joining the device to the proper secure wifi network, will the new wifi profile I push out just keep attempting to join my VCSguest wifi network over and over when of course it cannot since I have provided the incorrect password?
Posted on 11-07-2019 01:54 PM
I left out an important detail: uncheck the "auto join" with that guest network profile.
Posted on 11-07-2019 01:57 PM
You can have multiple profiles for multiple SSID payloads. In fact you should keep them separated for simplicity and troubleshooting.
Posted on 11-07-2019 04:16 PM
Have you considered getting the networks team (if you have such a thing) to look at it from the other side?
Why not have the WiFi network refuse (or divert to an information page) connections from a list of owned devices? You could probably generate the list (or have it pulled automatically) from JAMF if it didn't exist.
This would mean you didn't need to lock the devices down so people could still use them at home etc...
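
One way to build the owned-device list that the replies above suggest blocking on the guest network, as an added example that is not part of the thread and not Jamf's own code. It assumes a CSV inventory export with hypothetical column names ("Device Name", "Wi-Fi MAC Address"), uses constructed sample rows, and assumes devices present their hardware MAC address to VCSguest.

```python
import csv
import io
import re

# Constructed sample of an inventory export. The column names are assumptions,
# not a documented Jamf report format.
SAMPLE_EXPORT = """Device Name,Serial Number,Wi-Fi MAC Address
iPad-Lib-01,CONSTRUCTED001,A4:83:E7:12:34:56
MacBook-Sci-07,CONSTRUCTED002,a4-83-e7-ab-cd-ef
iPad-Lib-02,CONSTRUCTED003,a483.e712.3456
iPad-Gym-03,CONSTRUCTED004,
MacBook-Art-02,CONSTRUCTED005,A4:83:E7:12:34
iPad-Caf-09,CONSTRUCTED006,02:11:22:33:44:55
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[:\-.\s]", "", raw or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally administered bit is set (not a burned-in address)."""
    return bool(int(mac[:2], 16) & 0x02)

def build_deny_list(export_text, mac_column="Wi-Fi MAC Address"):
    """Return (sorted unique MACs to block, [(device name, skip reason), ...])."""
    deny, skipped = set(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row.get("Device Name", "?")
        mac = normalize_mac(row.get(mac_column))
        if mac is None:
            skipped.append((name, "missing or malformed MAC"))
        elif is_locally_administered(mac):
            # A rule for this value would not match the device's hardware address.
            skipped.append((name, "locally administered MAC"))
        else:
            deny.add(mac)
    return sorted(deny), skipped

if __name__ == "__main__":
    deny, skipped = build_deny_list(SAMPLE_EXPORT)
    print("\n".join(deny))
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

The skipped rows are the ones to chase up in inventory, since a device with no usable hardware MAC on record would still get an address on the guest network.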