Remove Wireless Network (SSID)

sepiemoini
Contributor III
Contributor III

I am attempting to remove our guest wireless network (SSID) using WPA2 personal from all machines in my environment. I have scoured through JAMF Nation, in search of posts looking to achieve the same. I was able to find a handful of useful discussions but none were fully applicable to my current requirement.

Some posts had suggested achieving this in a configuration profile and supplying a bogus password so the machine is never able to connect to the network. I would like to remove the guest wireless network from all machines rather than fully implementing an all out ban from ever connecting to it again. In short, I'd like to accomplish the following:

  1. Create a smart computer group which inventories all machines with the guest network SSID. That is, all machines that have the guest network saved as a preferred network.
  2. Remove the SSID from all machines in this smart computer group.

Please let me know what your thoughts are and if this is best approached with an extension attribute and/or script. Thanks!

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

@sepiemoini If you want to only scope the SSID removal to a Smart Group, then I suggest splitting the script up into 2 discrete scripts.
One would be the EA script, so its capturing the list of saved wireless entries:

#!/bin/sh

##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')

echo "<result>$PreferredNetworks</result>"

Then create a Smart Group that would use a "Like" operator to gather any machines that have the specified SSID for removal in their results.
Create a policy that runs the following separate script on it:

#!/bin/sh

##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

##Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort <WirelessSSID> 2>/dev/null

And use the Smart Group you created before as its scope. Have it run on whatever frequency you want. Important to remember to gather new inventory after it all runs, so hopefully the preferred wireless list will no longer contain the offending SSID and the Mac will fall out of the Smart Group.

View solution in original post

AVmcclint
Honored Contributor

I realized that I forgot to share a script someone wrote for me that is somewhat relevant to this thread. In our environment, our WiFi access is controlled by 802.1x (via Config Profiles), but users are still free to connect to their home and other WiFi networks. When users connect to more and more networks, the SSIDs are saved. The more SSIDs a Mac remembers, the greater chance of general connectivity problems arise (one user had over 100 SSIDs remembered and he had all kinds of problems). Since our users do not have admin rights, they end up having to call me to manually clear out all the excess SSIDs.

One time, I accidentally removed our company SSID (the 802.1x one) from a computer and it was a real pain in the butt to get it restored to the computer. To make things easy for everyone I had a colleague who was much better at scripting build something that would check the list of all remembered SSIDs and delete them all EXCEPT for the company's SSID and whatever SSID the user might be on at the time the script is run (so they wouldn't lose their current connection). This is the resulting script. I put it in Self Service so users can run it when they need to and not worry about needing admin rights. It works like a champ.

#!/bin/bash
# in this script, COMPANY WiFi can be replaced with whatever your particular SSID is named.

SSIDS=$(networksetup -listpreferredwirelessnetworks "en0" | sed '1d')
CURRENTSSID=$(networksetup -getairportnetwork "en0" | sed 's/^Current Wi-Fi Network: //')

while read -r SSID; do
  if [ "$SSID" == "COMPANY WiFi" ]; then
    echo Skipping $SSID
  elif [ "$SSID" == "$CURRENTSSID" ]; then
    echo Skipping your current network $SSID
  else
    echo Deleting $SSID
    networksetup -removepreferredwirelessnetwork "en0" "$SSID"
  fi
done <<< "$SSIDS"

echo Done!

View solution in original post

52 REPLIES 52

bvrooman
Valued Contributor

I do the same thing! We have a specific personal-device network which uses a captive portal to authenticate, and users (for various nonsense reasons) seem to like connecting their Macs to it. That makes the Mac lose its connection to Casper once the network requires re-authentication.

I use an ongoing offline policy to run this script at checkin:

#!/bin/sh

for interface in $(networksetup -listnetworkserviceorder | grep Hardware | awk '/Wi-Fi/ { print $NF }' | awk -F ")" '{ print $1 }')
do
    echo "Disconnecting $interface from non-internal device network"
    networksetup -removepreferredwirelessnetwork $interface YourNetworkSSIDHere
done

musat
Contributor III

If you were looking to go the Smart Group route you could build an EA using the output from:

networksetup -listpreferredwirelessnetworks "en0"

And only include those devices that have your guest network in the list.

musat
Contributor III

As a test I just created an EA with the script of:

#!/bin/bash
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "en0")
echo "<result>$PreferredNetworks</result>"
exit 0

And this is successfully returning the complete list of Preferred Networks. I then creates a Smart Group with the criteria that this EA is "like" our Guest network, and it seems to be correctly pulling only those device with this network.

sepiemoini
Contributor III
Contributor III

Thanks so much, @musat!

I am returning the following errors on just a small handful of machines.

en0 is not a Wi-Fi interface. ** Error: Error obtaining wireless information.

When performing a quick SSH session, their en1 is their Wi-Fi interface and not their en0, hence the above error. I modified your suggested script and received the list of preferred networks for the listed en1 port and then removed it.

networksetup -listpreferredwirelessnetworks "en1"
sudo networksetup -removepreferredwirelessnetwork en1 <WirelessSSID>

My question to you now is, how do I target the few machines producing the "en0 is not a Wi-Fi interface" error and correct this?

mm2270
Legendary Contributor III

You should never hardcode "en0" into a script that needs to know the wifi interface id to capture something or affect a change. Instead, get the wi-fi identifier first in the script using networksetup and then use that as a variable in the command later.

#!/bin/sh

WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')

echo "<result>$PreferredNetworks</result>"

sepiemoini
Contributor III
Contributor III

Great, thanks @mm2270!

I've now gone ahead and created a Smart Computer Group which targets the machines with the older SSID which needs to be removed which is achieved by the results of newly created extension attribute. There does not appear to be a designated payload that will achieve this so I imagine that a small script removing <networkSSID> will have to be created. As mentioned above, assuming the standard en0 is the designated wireless port, the below removed the problematic SSID. How would I modify this into a script where the "en0" is not assumed and hardcoded?

networksetup -listpreferredwirelessnetworks "en0"
sudo networksetup -removepreferredwirelessnetwork en0 <WirelessSSID>

mm2270
Legendary Contributor III

@sepiemoini Same way as in my script above. Get the id of the wireless port first, then use that in replace of en0 or en1 in the -removeprefererredwirelessnetwork command.

Truthfully, you could just skip creating an EA for this and go straight for a removal in a script. Although, the only issue is if you only had it running once per computer, later on the SSID could be added and not subsequently removed from the Mac. Using a Smart Computer Group scoped to a policy set to Ongoing would ensure that every time a machine lands in the smart group, the policy would run on it to remove the SSID on next check-in or trigger.

sepiemoini
Contributor III
Contributor III

Awesome, thanks @mm2270! How does the bellow script look?

#!/bin/sh
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')
echo "<result>$PreferredNetworks</result>"
sudo networksetup -removepreferredwirelessnetwork $WirelessPort <WirelessSSID>

UPDATE: that worked :)

adamcodega
Valued Contributor

One last change would be to remove sudo. It's not required in scripts Casper will run because Casper already runs them with the elevated privileges.

mm2270
Legendary Contributor III

Hi @sepiemoini, @adamcodega is correct. Drop the sudo since its not needed.
Beyond that change though, what you seem to have is a combination of an EA and a script making a change. Maybe what I stated above wasn't clear, but my intention wasn't for you to combine the 2. I was thinking you could just have a script run on a trigger or periodic basis that would locate and remove the SSID in question. I don't know that I would do an EA output and a removal command in the same script myself. The reason is, once the echo command gets run, that gets captured, then uploaded along with other inventory data to the JSS as the result for the EA. Yet, right after the inventory collection you're removing the SSID from the Mac. So basically, you'll have Macs reporting that <WirelessSSID> is present on them, but you just removed it, so it will be inaccurate inventory. I'm not sure that's what you want.

If you wanted, you could reverse it all, like this.

#!/bin/sh

## Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

## Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort <WirelessSSID> 2>/dev/null

## Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')

echo "<result>$PreferredNetworks</result>"

This should first locate and remove the offending SSID, then collect inventory based on what the new preferred wireless network list is. If the -removepreferredwirelessnetwork command above was successful, the list should not include the <WirelessSSID> in the results.

Make sense?

AVmcclint
Honored Contributor

As a result of this post, I ran networksetup -listpreferredwirelessnetworks "en0" via ARD on a bunch of our Macs and I found one MBP that had 105 saved SSIDs! Since there is no way to purge everything EXCEPT the company's SSID, I copied all the ones I wanted to delete and pasted them into an Excel spreadsheet and worked with it to create a separate networksetup -removepreferredwirelessnetwork en0 <WirelessSSID> for each and every SSID (minus the one I wanted to keep). I then saved that as a txt and massaged it some more to remove tabs and empty spaces, then pasted that into ARD to run on that one computer.

It's unfortunate that there's no easier way to clean them up without making the users local admins.
(I am unable to remove our company's SSID because it is controlled by an 802.1x profile. Deleting the SSID causes the 802.1x to really freak out and I found it next to impossible to rejoin the SSID with the computer cert manually. I ended up having to remove the 802.1x profile and re-adding it to fix the problem)

sepiemoini
Contributor III
Contributor III

@mm2270 I am not sure that I am following 100% of all that. I did however make the change to the script and dropped the "sudo." My workflow is as follows: based on the preferred wireless network EA, create a smart computer group which looks for <WirelessSSID> that needs to be remove, run the below policy scoped to that group and have it run at recurring check-in and have it set to ongoing.

319ddf05dce9497ebc724a5edef9fffb

I understand that with your proposed workflow, there is one script and no need to specify a new EA and I fully understand the benefit of shortening this to what you have suggested. My question to you is this: will the smart computer group and scope work with this proposed procedure? I see that your script spits out the report of saved, preferred wireless networks once the one in question is removed (presumably as an EA, right?)

##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

##Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort <WirelessSSID> 2>/dev/null

##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')

echo "<result>$PreferredNetworks</result>"

mm2270
Legendary Contributor III

@sepiemoini If you want to only scope the SSID removal to a Smart Group, then I suggest splitting the script up into 2 discrete scripts.
One would be the EA script, so its capturing the list of saved wireless entries:

#!/bin/sh

##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^   //g')

echo "<result>$PreferredNetworks</result>"

Then create a Smart Group that would use a "Like" operator to gather any machines that have the specified SSID for removal in their results.
Create a policy that runs the following separate script on it:

#!/bin/sh

##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

##Run a SSID removal if its present
networksetup -removepreferredwirelessnetwork $WirelessPort <WirelessSSID> 2>/dev/null

And use the Smart Group you created before as its scope. Have it run on whatever frequency you want. Important to remember to gather new inventory after it all runs, so hopefully the preferred wireless list will no longer contain the offending SSID and the Mac will fall out of the Smart Group.

arajabzadeh
New Contributor III

Hi is it possible for an SSID not to show even in my wifi list ?

sepiemoini
Contributor III
Contributor III

@mm2270 Perfect, that's exactly what I was attempting to do. I made a few modifications to the removal script --namely to remove the echo command that I was previously using--but believe this is good to go. Thanks!

robby_c137
New Contributor III

@mm2270 brilliant! Let's say I wanted the script to look for any parameters in the policy present to use for multiple WirelessSSIDs. Can this be done?

That way I can easily add/remove SSIDs without going back into the script.

dmillertds
Contributor

I'm trying to use this script to remove an undesired SSID from a static group (this is a one-time thing, don't really need the smart group/EA bit). I built a policy to run once and included the script, plus inventory update. In my test bed, the policy ran successfully, in that the SSID was removed, but the policy is stuck at "pending" and there is nothing in the logs to show it even ran. Any ideas appreciated.

mm2270
Legendary Contributor III

Dan, is the policy dropping the network connection on the Macs when it removes the preferred wireless network? Guess what I'm asking or saying is, if the Mac is losing a network connection when it runs it will not be able to upload a log back to the JSS to know it ran. It's one of the things of how policies work. Basically the steps look like:

  • Mac checks in with JSS to ask if there's anything it needs to run.
  • JSS says "yes here are your instructions" and sends the info down to the Mac
  • At that point, it's up to the local jamf binary to take over and execute the instructions
  • Only at the end when the policy is "complete" does it send back a log saying "everything worked" or "there was a problem. Here are the notes"

If it never gets that log back it remains as Pending indefinitely in the JSS.

Is it possible that's the issue here?

dmillertds
Contributor

Hmm. That's a good point, and it might be. I put the test box on a wired connection, and re-ran the policy and it worked. I'm not sure if it was on the SSID to be removed or not before it ran, but that might explain it. For the target population, that situation is very likely - in fact, that's the whole point, to get them off of it (and take it out of the remembered list). I'll play with it a bit more to see.

kirk_magill
New Contributor

How do you do this step: "Then create a Smart Group that would use a "Like" operator to gather any machines that have the specified SSID for removal in their results." I can't figure out in the creation of the smart computer group how to specifically get the SSID as the criteria.

mm2270
Legendary Contributor III

@kirk.magill Did you follow the instructions to set up an Extension Attribute that captures the SSDs on each Mac? If not, that needs to happen first before you can use it as criteria for a Smart Group.

kirk_magill
New Contributor

Yep - did it wrong. I setup a script to run off a policy - which worked, but does not allow me to make the Smart Group. Thanks! @mm2270

kirk_magill
New Contributor

I am having more troubles with this now. I am getting a response telling me "Script result: Network XXXX was not found in the preferred networks list.

Am I having a problem because my SSID has a space in the name? e.g. SSID Wifi ?

mm2270
Legendary Contributor III

@kirk.magill Can you post the script you're using in its entirety? I'm guessing you just need to surround the SSID in double quotes to get around the issue, but it would help to see exactly what your version of the script looks like.

kirk_magill
New Contributor

!/bin/sh

Get the wireless port ID

WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

Run a SSID removal if its present

networksetup -removepreferredwirelessnetwork $WirelessPort <Sigourney Wifi> 2>/dev/null

kirk_magill
New Contributor

"Sigourney Wifi" , the double quotes did it. Thanks again for the follow-up!

mm2270
Legendary Contributor III

Ok, cool. Had a feeling that was all that was needed.

a_holley
Contributor

I need to remove an SSID that accidentally got pushed out to a few machines.

The EA worked fine, but when I try to test the removal of the SSID on one of the machines that has it, I get this error:

Executing Policy Remove SSIDs Running script RemoveWireless.sh... Script exit code: 2 Script result: /Library/Application Support/JAMF/tmp/RemoveWireless.sh: line 7: syntax error near unexpected token `2' /Library/Application Support/JAMF/tmp/RemoveWireless.sh: line 7: `networksetup -removepreferredwirelessnetwork $WirelessPort <"Dick's Place Free WiFi"> 2>/dev/null' Error running script: return code was 2. Running Recon...

Yes, the SSID is called Dick's Place Free WiFi. No, it's nothing bad. Any suggestions?

sapalmerBCS
New Contributor III

@a.holley I believe the single quote in the SSID is causing the issue. Try escaping it out by making it <"Dick's Place Free WiFi"> in your script

a_holley
Contributor

@sapalmerBCS hmm, tried that and it didn't work. Thanks anyway

baldiesrt
New Contributor

I got the same error as @a.holley . Realized we need to remove the < > in the ssid location.

baldiesrt
New Contributor

I got the same error as @a.holley . Please make sure you remove the < > in the ssid location.

baldiesrt
New Contributor

FYI, this only removes it from preferred list but if the user rejoins that network on their own, they will NOT get prompted for the wpa password. If anyone knows how to remove that, please let me know.

DA001KL
New Contributor III

Should we put logic in to connect to new SSID ?

AVmcclint
Honored Contributor

I realized that I forgot to share a script someone wrote for me that is somewhat relevant to this thread. In our environment, our WiFi access is controlled by 802.1x (via Config Profiles), but users are still free to connect to their home and other WiFi networks. When users connect to more and more networks, the SSIDs are saved. The more SSIDs a Mac remembers, the greater chance of general connectivity problems arise (one user had over 100 SSIDs remembered and he had all kinds of problems). Since our users do not have admin rights, they end up having to call me to manually clear out all the excess SSIDs.

One time, I accidentally removed our company SSID (the 802.1x one) from a computer and it was a real pain in the butt to get it restored to the computer. To make things easy for everyone I had a colleague who was much better at scripting build something that would check the list of all remembered SSIDs and delete them all EXCEPT for the company's SSID and whatever SSID the user might be on at the time the script is run (so they wouldn't lose their current connection). This is the resulting script. I put it in Self Service so users can run it when they need to and not worry about needing admin rights. It works like a champ.

#!/bin/bash
# in this script, COMPANY WiFi can be replaced with whatever your particular SSID is named.

SSIDS=$(networksetup -listpreferredwirelessnetworks "en0" | sed '1d')
CURRENTSSID=$(networksetup -getairportnetwork "en0" | sed 's/^Current Wi-Fi Network: //')

while read -r SSID; do
  if [ "$SSID" == "COMPANY WiFi" ]; then
    echo Skipping $SSID
  elif [ "$SSID" == "$CURRENTSSID" ]; then
    echo Skipping your current network $SSID
  else
    echo Deleting $SSID
    networksetup -removepreferredwirelessnetwork "en0" "$SSID"
  fi
done <<< "$SSIDS"

echo Done!

jcshofner
New Contributor III

This was a great read on removing SSIDS through policies. However, I have one question. How would this be used as a logout hook?

palmeida
New Contributor III

This has been a helpful thread, I would like to add that when using these methods, it does not remove the entry from the keychain and you'd need a line

security delete-generic-password -l $SSID "/Library/Keychains/System.keychain"

IDS_TEAM_ADC
New Contributor

This has been a helpfull thread for me too. Just followed the informations and it seems to be working fine. Deleting the password from the keychain was the most pain. I am new to scripting, so i just made the misstake and tried first:

security delete-generic-password -l $mySSID "/Library/Keychains/System.keychain"

this dons't work like expected. so I just tried with:

security delete-generic-password -l mySSID "/Library/Keychains/System.keychain"

THX guys

GabeShack
Valued Contributor III

Hey @mm2270 ,
Im wanting to try something different using some of the above methods. I need to see if a specific network is listed in the preferred network list and then scope a specific policy to machines that are missing that network.
(Back story, we use an 802.11x profile that is pushed to district devices, however I am finding that somehow it gets removed from the preferred list and then needs the profile excluded from that device and then included again to fix it). What I'm trying to do is create an extension attribute that searches the preferred list for a specific entry, and then returns a yes or no so I can make smart group for those devices and then unscope and rescope that group to re push the wireless profile. I figured I just need to add a grep to the original EA above, but I'm not having much success.

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools