
need help with wifi script



68 replies

  • Valued Contributor
  • 1892 replies
  • November 29, 2012

OOOOOoooo damn that's a new kind of judo I need to pick up.

Thanks dude!


mm2270
  • Legendary Contributor
  • 7881 replies
  • November 29, 2012

@timkimpton - Thanks for the link to the older Lingon! I had been looking for that sucker but wasn't finding it anywhere. The version on the App Store is so dumbed down it's practically useless. The older version is the bee's knees!


  • Author
  • Honored Contributor
  • 970 replies
  • November 29, 2012

@Jared Thanks, but I just Googled it and got the ideas and got it working by luck ;)

@mm2270 No probs, I always keep the old one ;)

I've updated the script to make it clearer, marked it as the answer and added something my colleague was after.

Now and again my department "Information Systems" needs to get to an unproxied network.

At the bottom of the script, this shows how myself and my colleague can get to this restricted network, but if they are not in our department then they can't ;)

Thanks to everyone, this has got to be one of the longest discussions I have been involved in LOL.


  • Contributor
  • 400 replies
  • December 19, 2012

Thanks tkimpton

#!/bin/bash

line is missing at the very top of your script (marked as the answer).


  • Author
  • Honored Contributor
  • 970 replies
  • May 30, 2013

@Kumarasinghe Thanks

I've updated the script with better environment variables so that it is more portable, so it should work by just filling them in for your environment.

I had a problem with one blocked SSID that looks like an open network but has a login authentication page we use for guests.

I found users were trying to connect to it with unauthorised corporate devices and the script threw them off ;) but ... because it technically successfully connected it was added to the preferred network list ;(

I have now added a mechanism so that if a user who is not in the allowed department connects, it disconnects them from the blocked SSID, removes all the preferred networks and then adds your work SSID :)

Hope that helps.


  • Author
  • Honored Contributor
  • 970 replies
  • May 30, 2013

Oh, and I added a mechanism to contact the JSS at the bottom.

I was getting tired of users switching between networks and my Casper Remote failing because it was trying to connect to an IP address the machine was no longer using.

This way the machine updates its IP to the JSS :)


  • Contributor
  • 400 replies
  • May 31, 2013

Thanks Tim.

FYI
Also we use jamf binary to check the JSS availability (taken from a script done by JAMF)

#!/bin/bash

# Check to see if the JSS is available and if yes, then submits the current IP 
checkjss=`/usr/sbin/jamf checkJSSConnection -retry 0 | grep "The JSS is available"`

if [ "$checkjss" == "The JSS is available." ]; then
    /usr/sbin/jamf log
fi

exit 0

  • Author
  • Honored Contributor
  • 970 replies
  • May 31, 2013

@Kumarasinghe Thanks, that's brilliant! I have added this instead :)


  • New Contributor
  • 5 replies
  • February 24, 2014

Hi Jared
Wondering if you could help me out here. Not sure what I am doing wrong here, copied & pasted the script as the above marked answer. I do not need to turn off WiFi ports since Ethernet is not used. All I am trying to do is restrict access to one specific SSID (name has spaces) and add another SSID as the only preferred in the network list. Testing out on a Mountain Lion 10.8.5 client.

Lines I had to edit from the above script to make it work for me:
1) #!/bin/bash --- had to put in a space after the #!
2) Had to prefix /usr/sbin in all lines wherever networksetup was being used

Issues facing:
1) I guess because of the space in the WorkSSID name, I cannot get to add using the full name. For example, "ABC WIFI" is getting added as "ABC" which is actually another existing SSID. I need to block only the "ABC WIFI". How can I add/block an SSID which has spaces?
2) When I run the script as a login Policy in Casper, every time I try to log in to the client, a Keychain password window keeps popping up (looks like it is trying to run 'networksetup') just before login.

Would you please mind telling me what's wrong with my modified script below and how I could fix the issues above? Thanks!

#! /bin/bash

# SETTING THE ENVIRONMENT VARIABLES

# Get the ethernet hardware port (ehwport)
ehwport=`/usr/sbin/networksetup -listallhardwareports | awk '/.Ethernet/,/Ethernet Address/' | awk 'NR==2' | cut -d " " -f 2`

# Get the wireless network service (wservice)
wservice=`/usr/sbin/networksetup -listallnetworkservices | grep -Ei '(Wi-Fi|AirPort)'`

# Get the wireless hardware port (whwport)
whwport=`/usr/sbin/networksetup -listallhardwareports | awk "/$wservice/,/Ethernet Address/" | awk 'NR==2' | cut -d " " -f 2`

# Find the ALL network hardware ports (hwports)
hwports=`/usr/sbin/networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2`

# Get the wireless network (wirelessnw)
wirelessnw=`/usr/sbin/networksetup -getairportnetwork $hwports | cut -d " " -f 4`

# Get the SSID
SSID=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep ' SSID:' | cut -d ':' -f 2 | tr -d ' '`

# Current Logged in User
consoleuser=`ls -l /dev/console | cut -d " " -f4`

# Carry out an OS version check
OS=`/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}'`

# Work SSID
WorkSSID="ABC WIFI"

# Index for SSID
Index=0

# Check to see if the JSS is available and if yes, then submits the current IP
checkjss=`/usr/sbin/jamf checkJSSConnection -retry 0 | grep "The JSS is available"`

# Department allowed to bypass SSID restrictions
Dept=GroupInCasper

# SSIDs to Block
Block1="ABC Guest"

####################################################################################

# Get the wireless network (wirelessnw)
wirelessnw=`/usr/sbin/networksetup -getairportnetwork $hwports | cut -d " " -f 4`

# Block  wireless networks
case $wirelessnw in
$Block1)
;;
esac

# If logged in user is in GroupInCasper allow access to SSIDs but block everyone else!
if
dscl . -read /Users/"${consoleuser}" | grep "$Dept"
then echo "$Dept Allowed!"
else

# Remove Wireless networks
/usr/sbin/networksetup -removeallpreferredwirelessnetworks $whwport

# Set the preferred wireless network to WorkSSID
/usr/sbin/networksetup -addpreferredwirelessnetworkatindex $whwport $WorkSSID $Index None

fi

# Check to see if the JSS is available and if yes, then submits the current IP 
checkjss=`/usr/sbin/jamf checkJSSConnection -retry 0 | grep "The JSS is available"`

if [ "$checkjss" == "The JSS is available." ]; then
    /usr/sbin/jamf log
fi

exit 0
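
The two places where the script above loses the second word of "ABC WIFI", shown with a constructed `networksetup` output line and a stand-in function in place of the real command (an added example, not part of the original post; the device name `en1` and the `show_args` helper are assumptions):

```shell
#!/bin/sh
# Added example, not from the thread. The output line and device name are constructed.
sample='Current Wi-Fi Network: ABC WIFI'

# As in the posted script: field 4 only, so the name stops at the first space.
ssid_field4() { printf '%s\n' "$1" | cut -d " " -f 4; }

# Keep everything after the "Network: " label, spaces included.
ssid_full() {
    case $1 in
        *"Network: "*) printf '%s\n' "${1#*Network: }" ;;
        *) return 1 ;;   # no label present (for example, not associated)
    esac
}

# Stand-in for networksetup: prints each argument it receives in brackets.
show_args() {
    for a in "$@"; do printf '[%s]' "$a"; done
    echo
}

WorkSSID="ABC WIFI"; whwport=en1; Index=0

# Unquoted, as posted: the shell splits the SSID into two arguments.
args_unquoted() { show_args "$whwport" $WorkSSID "$Index" None; }
# Quoted: the SSID arrives as one argument.
args_quoted() { show_args "$whwport" "$WorkSSID" "$Index" None; }

echo "field 4 only : $(ssid_field4 "$sample")"
echo "full name    : $(ssid_full "$sample")"
echo "unquoted args: $(args_unquoted)"
echo "quoted args  : $(args_quoted)"
```

With the unquoted form the command receives "ABC" where it expects the network name and "WIFI" where it expects the index, which is why a different, existing SSID ends up in the preferred list.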

  • New Contributor
  • 5 replies
  • April 1, 2014

Hi Jared or if anyone else around,
Could I get some scripting help please? I am fine now with the previous errors and SSID with spaces issue. But now I just need some help modifying Tim's script due to my environment.

Can you tell me how I can place two conditions into the script based on which the whole script will Run or Exit out. I do not wish to turn off WiFi as part of the script.
Condition 1 - If the currently connected WiFi is a certain 'restricted' SSID, then ONLY run the full script and also, only if it meets the 2nd condition ----- If not, echo & exit out.
Condition 2 - Only if the currently logged in user is anyone else who is NOT the local administrator (I just used a single administrator user instead of Dept variable)

Below are short versions of the two different conditions as two separate scripts. Both work fine separately, I just need to know how to link them together and run the whole script if the two conditions are met:

==========================================================
# Restricted WiFi
blockedwifi="ABC Guest"

# Get the currently connected wireless network
currentwifi=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | awk '/ SSID/ {split($0, parts, ": ") ; print parts[2]}'`

# Remove restricted WiFi networks
case $currentwifi in
$blockedwifi)
------------------"At this point, it should run the whole script and also only if 2nd condition is met"--------------------
else
echo "Connected to authorized WiFi"
;;
esac

# Current Logged in User
consoleuser=`ls -l /dev/console | cut -d " " -f4`

# Allowed to bypass SSID restrictions
Admin=administrator

# If logged in user is administrator, allow access to restricted SSID but block everyone else!
if
dscl . read /Users/"${consoleuser}" | grep "$Admin"
then echo "$Admin is allowed Guest access"
else
------------- "At this point, it should run the whole script and also only if 1st condition was met"
==============================================================
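
One way to link the two checks so the rest of the script runs only when both hold (an added example, not part of the original post; it compares the console user's short name directly instead of grepping `dscl` output, and `enforce` is a hypothetical placeholder for the remainder of the script):

```shell
#!/bin/sh
# Added example, not from the thread: run enforcement only when BOTH conditions hold.
blockedwifi="ABC Guest"    # restricted SSID, value from the post
Admin="administrator"      # exempt account, value from the post

# Condition 1: the current SSID is the restricted one (exact match, spaces kept).
on_blocked_wifi() { [ "$1" = "$blockedwifi" ]; }

# Condition 2: the console user is anyone other than the exempt account.
# An exact comparison avoids the substring matches a grep over the whole
# user record can produce. An empty user name counts as not exempt.
not_exempt() { [ "$1" != "$Admin" ]; }

# decide SSID USER: prints the outcome, returns 0 only when enforcement should run.
decide() {
    if ! on_blocked_wifi "$1"; then
        echo "Connected to authorized WiFi"
        return 1
    fi
    if ! not_exempt "$2"; then
        echo "$Admin is allowed Guest access"
        return 1
    fi
    echo "enforce"
}

# Hypothetical placeholder for the rest of the script
# (remove the preferred networks, add the work SSID, and so on).
enforce() { echo "would run the full script for user '$1'"; }

# Constructed inputs; on a Mac these come from the airport and /dev/console
# lines already shown in the post.
currentwifi="ABC Guest"
consoleuser="jsmith"

if decide "$currentwifi" "$consoleuser"; then
    enforce "$consoleuser"
fi
```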

  • Contributor
  • 96 replies
  • April 29, 2015

Hi Guys,

I have modified tkimpton's script above to work for my environment (awesome job on that btw). I was just wondering how people are deploying this? I tried Lingon and I can't seem to get it to run correctly; this would be preferable, as if it detects a change the machine would deal with it, as opposed to having an ongoing script in the JSS that is going to create a lot of network traffic. The other way was at login, but surely this would just run for the login intermission and then thereafter would not run any more?

We have an issue where we now have so many mobile devices and laptops that everything is on the Wifi. I would like to try to get this on the Macs so that they at least will disable the Wifi when the ethernet is plugged in and free up some of the reservations. There are sometimes so many devices on the Wifi no one can connect due to the address leases all being taken.

Anyone got any ideas?


mm2270
  • Legendary Contributor
  • 7881 replies
  • April 29, 2015

@Treger I haven't been using Lingon now for a little while, although it should still work to create a valid working LaunchDaemon. You can try using LaunchControl if you have issues with Lingon.

The big question though is, what is the trigger to have the script run? Ours is set up to use a WatchPath of /Library/Preferences/SystemConfiguration. That directory gets modified, or the files within it, each time there is a network change (and sometimes when there isn't one) so it should run the script when Ethernet of any kind is plugged into the Mac, see that there is a valid Ethernet connection and disable Wi-Fi.

Keep in mind also that when this was all written, it was before Casper Suite 9.x. The latest version can now run policies based on Network State Change, so that's also an option to look at if you don't want to use a local launchd job.
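
A LaunchDaemon definition using the WatchPaths trigger described above, generated from a shell function (an added example, not part of the original post; the label `com.example.wifiguard` and the script path `/Library/Scripts/wifi-guard.sh` are hypothetical):

```shell
#!/bin/sh
# Added example, not from the thread. Label and script path are hypothetical.

# write_watchpath_plist LABEL SCRIPT OUTFILE
# Writes a launchd job that runs SCRIPT whenever the SystemConfiguration
# preferences directory changes. Values are inserted verbatim, so keep them
# free of XML special characters.
write_watchpath_plist() {
    cat > "$3" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>$2</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration</string>
    </array>
</dict>
</plist>
EOF
}

out="${TMPDIR:-/tmp}/com.example.wifiguard.plist"
write_watchpath_plist com.example.wifiguard /Library/Scripts/wifi-guard.sh "$out"
echo "wrote $out"

# On the Mac the file belongs in /Library/LaunchDaemons, owned by root:wheel
# with mode 644. Keep the script it points at root-owned and not writable by
# other users, because launchd runs it as root.
```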


  • Contributor
  • 96 replies
  • April 30, 2015

Thanks @mm2270 I will give the script a go with the Network State Change policy, I think it would be easiest going forward. I may give the LaunchControl a go in any case just to see the differences in behaviour...


  • Contributor
  • 96 replies
  • April 30, 2015

OK, with Casper it does initially disconnect the wireless, but after a while with the ethernet plugged in the wireless reconnects. LaunchControl I have no experience with and I am having a problem running it; it will only let me execute with root, and when in as root it will not let me connect to the Wifi even with the ethernet out... Maybe because the script is actually pulling user creds for the Wifi, so it may work as a user but it may not allow my local admin accounts to access the wifi...


  • Contributor
  • 96 replies
  • April 30, 2015

Ok... I got it working quite well with LaunchControl, however it seems to not like detecting the secondary Ethernet on the new Mac Pro. If I connect and disconnect the primary NIC it works flawlessly; as soon as I use the second NIC, it can't seem to detect the change... Thunderbolt connections are not detected either... I may have to do this on a laptop and see if there is a difference, although the Retinas run off Thunderbolt ethernet too...


  • Contributor
  • 18 replies
  • August 16, 2016

I've been using this script for a while, however now I'm getting a box popup saying "networksetup is trying to modify the system network configuration. Type your password to allow this."

If I delete /library/preferences/systemconfiguration/preferences.plist I no longer get the prompt.


  • Contributor
  • 56 replies
  • February 3, 2020

I realize this thread is pretty old but it's relevant to an issue I'm working on. Hopefully someone can help me out. I'm utilizing the case statement method outlined by @jarednichols but trying to add a wildcard to the case. Basically I want to look for any network with "iPhone" in the name.
I've tried

case $ssid in
SSID1|SSID2|*iPhone)

case $ssid in
SSID1|SSID2|*iPhone*)

and

case $ssid in
SSID1|SSID2|@iPhone)

but they don't seem to do anything.


  • Contributor
  • 56 replies
  • February 10, 2020

In case anyone in the future is trying to implement this, I was able to figure out the wildcard searches for network SSIDs. The case statement looks like this. My mistake was not quoting the text string as well as putting the wildcard (*) inside the quotes, which made it a literal string.

case $ssid in
  "Xfinity"*|*"iPhone"*|*"Guest"*)
       ;;
esac
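
How the placement of quotes changes what a `case` pattern matches, including a pattern held in a variable (an added example, not part of the original post; the SSID names passed in are constructed):

```shell
#!/bin/sh
# Added example, not from the thread. SSID names used below are constructed.

# Wildcards inside the quotes: only the literal text *iPhone* matches.
match_quoted_star() {
    case $1 in
        "*iPhone*") echo blocked ;;
        *)          echo allowed ;;
    esac
}

# Form from the post: literal text quoted, wildcards outside the quotes.
match_post_form() {
    case $1 in
        "Xfinity"*|*"iPhone"*|*"Guest"*) echo blocked ;;
        *)                               echo allowed ;;
    esac
}

# Pattern kept in a variable: an unquoted expansion is treated as a pattern...
match_var_pattern() {   # match_var_pattern SSID PATTERN
    case $1 in
        $2) echo blocked ;;
        *)  echo allowed ;;
    esac
}

# ...while a quoted expansion is compared as plain text.
match_var_literal() {   # match_var_literal SSID TEXT
    case $1 in
        "$2") echo blocked ;;
        *)    echo allowed ;;
    esac
}

for ssid in "Tim's iPhone" "XfinityWifi" "ABC Guest" "ABC WIFI"; do
    echo "$ssid -> $(match_post_form "$ssid")"
done
```

Matching is case-sensitive, and hotspot names are chosen by their owners, so a name-based block list only catches networks that keep a recognisable name.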
