Reliable method of detecting wifi use?

Taylor_Armstron
Valued Contributor

I know this is a somewhat touchy subject, just looking for some pointers.

Institutional policy prohibits connecting to the internal network via wifi. I suspect a few of our remote field offices are ignoring this, and connecting their Macs to a WAP in the office. Partly to audit for compliance, but honestly, more for my own sake to help troubleshoot issues with specific machines that seem to always fail mounting our DPs, is there a reliable method to query for which network connection is being used? Once upon a time, we could just test for en1 or en0, but now, with laptops lacking built-in ethernet and relying on Thunderbolt, etc., I'm not sure if there's a single approach that will cover all systems. FWIW, our hardware runs the gamut from old(er) 1st gen Intel Mac systems up to brand-new systems.

I'm picturing some sort of EA to gather the info, but again, don't know how to approach the issue of which network may be named what anymore.

10 REPLIES

Taylor_Armstron
Valued Contributor

Well, may have solved my own question, but still not positive it is working, but just in case anyone else is looking along similar lines:

It appears that you can test for this by setting "NIC Speed equal to n/a"

Right now I'm only picking up one system, a user who is VPN'd in from home, so I'd like more data, but that appears to work. I'm showing 10/100 and 10/100/1000 for all other machines known to be on wired connections, so will continue to monitor it.

jared_f
Valued Contributor

@Taylor.Armstrong If you want to keep them on a wired network I would be proactive and just restrict it rather than hunting down each machine.

I would use a configuration profile to lock out the "network" section in system preferences. There is no need to have it enabled if the user is just plugging in an ethernet cable. I would then use a custom configuration profile that hides the wifi icon in the menu bar (I have a link to a discussion that has one). Then, I would have a script ready that disables the wireless.

Something might work here:

https://www.jamf.com/jamf-nation/discussions/12853/disable-wifi

If these are take home devices it may become a little complicated. Something like iBeacons may have to be used to time when the policy applies.

alexjdale
Valued Contributor III

I use this command in my scripts (replace the jss.address with your JSS or whatever URL you want):

route get jss.address | grep interface | awk '{print $2}'

This gives me the network interface being used (en0, en1, etc) and then you can work from that to determine what type of adapter it is and if it should be allowed.


Taylor_Armstron
Valued Contributor

Thanks @jared_f. The problem is we can't disable it for laptops that travel outside of the office, we just need to restrict it when IN the office. (Some of the users are emergency responders, so it's critical that they can access networks outside when necessary.)

Main issue I'm having is that certain subnets that SHOULD be able to get to our distribution points are repeatedly failing to mount the shares... I've spoken to their department's IT staff, and he suspects someone set up a WAP, but this is also an office about 7 time zones away, so my immediate need is simply to track down anything that might point me to a solution there. Right now it's more of trying to confirm a hunch.

Taylor_Armstron
Valued Contributor

@alexjdale - thanks... I'll toss in an EA for a few days to pull that value and see what it looks like.

Still have to brush up on my familiarity with the newer hardware though, my brain is still stuck in the "ethernet = en0 for everything" mode, but I know that may not be the case.

jared_f
Valued Contributor

@Taylor.Armstrong What about a script that would just clear out the recently joined wireless networks? Maybe make it run once per day.

alexjdale
Valued Contributor III

Yeah, for all remotely recent laptops (model like MacBook), en0 will be wireless. That describes 98% of the hardware I manage.

There is probably some way to leverage system_profiler to ID the adapter once you know en0, en1, etc.

system_profiler SPEthernetDataType will give you the Ethernet cards, and SPNetworkDataType will return all of the network adapter information if you can find a decent way to parse it.

Example:

system_profiler SPNetworkDataType | grep -B 2 en2 | grep Hardware

This returns "Hardware: Airport" on my Mac Pro. I get "Hardware: Ethernet" for en0. VPN will make things funky though. For our VPN, the route get command returns a utun adapter so I know it's on VPN.

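An extension attribute along the lines discussed above, as an added example that is not from any poster in this thread: it takes the interface from `route get`, reports utun as VPN, and otherwise reads the Hardware field from `system_profiler SPNetworkDataType` by exact device name. `jss.address` is the placeholder from the post; the function names and the sample profiler text are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): classify the interface that carries
# traffic to the JSS. "jss.address" is the placeholder used in the post.
JSS_HOST="jss.address"

# Interface name from `route get` output on stdin.
active_interface() {
    awk '$1 == "interface:" { print $2; exit }'
}

# "Hardware:" value for interface $1 from `system_profiler SPNetworkDataType`
# output on stdin. Exact match on the device name, so en1 never matches en10.
hardware_for() {
    awk -v dev="$1" '
        $1 == "Hardware:" { hw = $2 }
        $1 == "BSD" && $3 == "Name:" {
            if ($4 == dev) { print hw; exit }
            hw = ""
        }'
}

# Label for interface $1, given profiler output on stdin.
classify() {
    case "$1" in
        "")    echo "Unknown"; return ;;
        utun*) echo "VPN"; return ;;   # per the thread: VPN routes via utun
    esac
    case "$(hardware_for "$1" | tr '[:upper:]' '[:lower:]')" in
        airport|wi-fi) echo "Wi-Fi" ;;
        ethernet)      echo "Ethernet" ;;
        *)             echo "Unknown" ;;
    esac
}

# Constructed sample, reduced to the fields the parser reads.
sample_profiler() {
    cat <<'EOF'
    Wi-Fi:
      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en1
    USB 10/100/1000 LAN:
      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en10
EOF
}

# On a Mac, emit the value in the <result> wrapper Jamf reads from an EA.
if [ "$(uname)" = "Darwin" ]; then
    ifc=$(route get "$JSS_HOST" 2>/dev/null | active_interface)
    echo "<result>$(system_profiler SPNetworkDataType | classify "$ifc")</result>"
fi
```

A result of Unknown means the route lookup failed or the interface had no Hardware entry, which is worth a manual look rather than being read as wired.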

blackholemac
Valued Contributor III

I know this is a non-technical and boring way to solve but the way we do this is by IP address...our internal wifi puts out one series of IPs, the guest network another and the wired network another set....this I can see instantly just by the IP address the machine is pulling, how they are connected.

Non technical, but it works for us

crmanski
New Contributor

I found this post to be helpful when I needed an extension attribute for finding the current active wifi network.
https://www.jamf.com/jamf-nation/discussions/19092/remove-wireless-network-ssid#responseChild114169


Taylor_Armstron
Valued Contributor

Thanks all.

Few responses/followups:
@jared_f - Clearing networks would probably generate complaints as they are allowed to connect laptops to wifi at home, etc., just not allowed to access internal resources (eg, file servers). That's a management policy, no technical policy blocking it currently. But clearing out their home wifi network regularly would probably come back to bite me 🙂

alexjdale - Appreciated. I could probably put something in a script that would 1st check for VPN (known subnets) and skip the rest if it sees the machine on a VPN subnet. Thanks - that may point me in the right direction.

blackholemac - In most cases, that would work, but what I suspect is that someone is simply tossing an AirPort Express on the existing LAN in bridge mode. These are remote offices, most with part-time on-site IT support who seem to never respond to emails asking questions, and aren't much more responsive to their IT management within their own departments 😉 Yes, in any well-designed network this would make sense, but not in this case since IF they are using wifi, they're attempting to hide it at least to some degree.

@crmanski - Much appreciated. Going to test that, and maybe combine with the snippet that alexjdale suggested, I think between the two of those I can probably get what I'm after. Thanks!