Posted on 02-12-2015 04:29 PM
Hello,
At our school we run two wireless networks on separate SSIDs. One is for staff and student BYOD stuff, which gets limited access to the rest of the network, and the other is for school-owned, domain-bound laptops. We have recently been having some issues where users are joining domain-bound Macs to the BYOD network, which results in them not being able to reach the domain controller and, consequently, not being able to log in. Is there a way we can prevent these laptops from connecting to this specific wireless network, or stop them from changing the network settings using Casper? Thanks.
Daniel Oliver
Posted on 02-12-2015 07:04 PM
I was asked to do a very similar thing just yesterday. I had a quick search, and all I could find was this: https://jamfnation.jamfsoftware.com/discussion.html?id=5327
Haven't tried it yet, but it'd be a script that you'd have running at regular intervals (cron/LaunchDaemons?). Although there's a new trigger in JSS 9 for "Network State Change" - you could possibly bind the script to that?
I would love for there to be a way to blacklist an SSID, which would prevent access instead of automatically disconnecting with the above script. If anyone has a way, I'm all ears.
Posted on 02-12-2015 09:28 PM
Just tried it, and it works well. Created a script and a new cached (as in, "Make available offline") policy that is triggered by the "Network State Change" event.
This is what the script looks like (courtesy of the above-mentioned link):
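#!/bin/bash
# Find the Wi-Fi device name (e.g. en0 or en1)
wifi=$(networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2)
# Name of the network the Mac is currently joined to (sed keeps SSIDs that contain spaces whole)
ssid=$(networksetup -getairportnetwork "$wifi" | sed 's/^Current Wi-Fi Network: //')
case "$ssid" in
    PatientWifi|SecExternal)
        # Blocked SSID: turn Wi-Fi off, forget the network and alert the user
        echo "Switching off PatientWifi SSID..."
        networksetup -setairportpower "$wifi" off
        networksetup -removepreferredwirelessnetwork "$wifi" "$ssid"
        osascript -e 'tell application "System Events" to display alert "blah blah blah" as critical'
        ;;
esac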
Posted on 02-13-2015 03:32 AM
Will these users be administrators on the Macs?
The following will enable the 'require administrator authorisation to change network':
/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES
From here: https://jamfnation.jamfsoftware.com/discussion.html?id=5528
We use the following to remove our Guest network from our Macs for the same reason as you:
#!/bin/bash
sudo networksetup -removepreferredwirelessnetwork en0 GuestNetworkName
exit 0
Note, it'll be en0 for retinas, en1 for non-retinas.
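As an added example (not code from any post in this thread): a variant of the two scripts above that looks up the Wi-Fi device instead of hard-coding en0/en1 and matches SSIDs exactly, including names with spaces. The names in BLOCKED are placeholders, and switching Wi-Fi back on afterwards is an assumption about the desired behaviour.

```shell
#!/bin/bash
# Added example. Blocked SSIDs, one per line (placeholder names).
BLOCKED='School BYOD
GuestNetworkName'

# Print the Wi-Fi device (en0, en1, ...) given the output of
# `networksetup -listallhardwareports` on stdin.
wifi_device() {
    awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { found = 1; next }
         found && /^Device: / { print $2; exit }'
}

# Print the joined SSID given `networksetup -getairportnetwork <dev>` output
# on stdin. Prints nothing when the Mac is not associated.
current_ssid() {
    sed -n 's/^Current Wi-Fi Network: //p'
}

# Succeed only if $1 is an exact, whole-line match for a blocked SSID.
is_blocked() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$BLOCKED" | grep -Fxq -- "$1"
}

# Forget a blocked network and drop the current association.
enforce() {
    dev=$(networksetup -listallhardwareports | wifi_device)
    [ -n "$dev" ] || return 0
    ssid=$(networksetup -getairportnetwork "$dev" | current_ssid)
    is_blocked "$ssid" || return 0
    echo "Leaving blocked SSID: $ssid"
    networksetup -removepreferredwirelessnetwork "$dev" "$ssid"
    # Cycle power so the Mac rejoins one of its remaining preferred networks.
    networksetup -setairportpower "$dev" off
    networksetup -setairportpower "$dev" on
}

# Only act where networksetup exists (a Mac); elsewhere this is a no-op.
if command -v networksetup >/dev/null 2>&1; then
    enforce
fi
```

Run as root from the same "Network State Change" policy; a user who can change network settings can still re-add the SSID by hand, so it pairs with the RequireAdminNetworkChange setting above.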
Posted on 09-23-2015 04:05 PM
@Aaron This is great, any ideas on how to change the icon used for the system events popup? Not sure if that's something that can be edited though...
Posted on 09-23-2015 04:31 PM
@rmaldon The final part in the osascript line ("as critical") is the identifier to specify the icon. Although apparently you can use the "with icon" identifier too, i.e. "with icon caution" or "with icon stop". Google tells me you can also pass a file reference to a .icns file.
There's no reason why you couldn't use jamfhelper or cocoadialog though.
Posted on 09-24-2015 04:41 AM
One thing you may also be able to do is deploy a configuration profile to these Macs. You can do 1 of 2 things:
1: In the configuration profile purposefully put the wrong password for the Wi-Fi network. That way it won't join.
2: Put the correct credentials, but UNCHECK the Auto Join box when making the profile. This way to join the network it would have to be selected from the AirPort menu. It should prevent the system from roaming onto that network.
As always, test test test.