Preventing Admin Users from Removing Network SSID on Managed Macs

feolaney
New Contributor III

I'm looking for the best way to prevent all Mac users with local admin privileges from removing a wireless/wired profile and SSID configuration for a specific wireless/wired network.

The goal is to ensure that the wireless network settings are enforced and cannot be modified or removed by the end-users, even if they have admin access on their Macs.

Is this possible?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

I don't think there's a way to do that. Even using the 

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport prefs commands I don't think that button can be locked down. And even if you could, those prefs are only to prevent non-admins from adjusting any of the settings in Wi-Fi, and since you mentioned these are admin level users... honestly you're really looking at removing admin rights from users to prevent this. I know that's much easier said than done, but I suspect there won't be any other way.

View solution in original post

3 REPLIES 3

pete_c
Contributor III

Deploy a computer-level configuration profile with a Wi-Fi payload.  Test first and don’t delete the payload without adjusting scope to None first, as always.

feolaney
New Contributor III

Tried this, pushed a computer level configuration profile with a Wi-Fi payload.  Removing it is prevented UNLESS the user is connected to it, then they can click "Forget this Network" and have it removed.

mm2270
Legendary Contributor III

I don't think there's a way to do that. Even using the 

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport prefs commands I don't think that button can be locked down. And even if you could, those prefs are only to prevent non-admins from adjusting any of the settings in Wi-Fi, and since you mentioned these are admin level users... honestly you're really looking at removing admin rights from users to prevent this. I know that's much easier said than done, but I suspect there won't be any other way.