Posted on 03-07-2016 06:54 AM
I am attempting to remove our guest wireless network (SSID) using WPA2 personal from all machines in my environment. I have scoured through JAMF Nation, in search of posts looking to achieve the same. I was able to find a handful of useful discussions but none were fully applicable to my current requirement.
Some posts had suggested achieving this in a configuration profile and supplying a bogus password so the machine is never able to connect to the network. I would like to remove the guest wireless network from all machines rather than fully implementing an all out ban from ever connecting to it again. In short, I'd like to accomplish the following:
Please let me know what your thoughts are and if this is best approached with an extension attribute and/or script. Thanks!
Posted on 03-08-2016 06:50 AM
@sepiemoini If you want to only scope the SSID removal to a Smart Group, then I suggest splitting the script up into 2 discrete scripts.
One would be the EA script, so it's capturing the list of saved wireless entries:
#!/bin/sh
##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^[[:space:]]*//')
echo "<result>$PreferredNetworks</result>"
Then create a Smart Group that would use a "Like" operator to gather any machines that have the specified SSID for removal in their results.
Create a policy that runs the following separate script on it:
#!/bin/sh
##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
##Run an SSID removal if it's present (replace WirelessSSID with the name of the SSID to remove)
networksetup -removepreferredwirelessnetwork "$WirelessPort" "WirelessSSID" 2>/dev/null
And use the Smart Group you created before as its scope. Have it run on whatever frequency you want. Important to remember to gather new inventory after it all runs, so hopefully the preferred wireless list will no longer contain the offending SSID and the Mac will fall out of the Smart Group.
Posted on 12-14-2017 06:49 AM
I realized that I forgot to share a script someone wrote for me that is somewhat relevant to this thread. In our environment, our WiFi access is controlled by 802.1x (via Config Profiles), but users are still free to connect to their home and other WiFi networks. When users connect to more and more networks, the SSIDs are saved. The more SSIDs a Mac remembers, the greater the chance of general connectivity problems arising (one user had over 100 SSIDs remembered and he had all kinds of problems). Since our users do not have admin rights, they end up having to call me to manually clear out all the excess SSIDs.
One time, I accidentally removed our company SSID (the 802.1x one) from a computer and it was a real pain in the butt to get it restored to the computer. To make things easy for everyone I had a colleague who was much better at scripting build something that would check the list of all remembered SSIDs and delete them all EXCEPT for the company's SSID and whatever SSID the user might be on at the time the script is run (so they wouldn't lose their current connection). This is the resulting script. I put it in Self Service so users can run it when they need to and not worry about needing admin rights. It works like a champ.
#!/bin/bash
# In this script, COMPANY WiFi can be replaced with whatever your particular SSID is named.
SSIDS=$(networksetup -listpreferredwirelessnetworks "en0" | sed '1d')
CURRENTSSID=$(networksetup -getairportnetwork "en0" | sed 's/^Current Wi-Fi Network: //')
# read -r strips the leading whitespace from each listed SSID
while read -r SSID; do
    if [ "$SSID" == "COMPANY WiFi" ]; then
        echo "Skipping $SSID"
    elif [ "$SSID" == "$CURRENTSSID" ]; then
        echo "Skipping your current network $SSID"
    else
        echo "Deleting $SSID"
        networksetup -removepreferredwirelessnetwork "en0" "$SSID"
    fi
done <<< "$SSIDS"
echo "Done!"
Posted on 03-24-2021 11:52 AM
So far I've got the below working to list only the one network I need, just need to make an If it's there or if it's not there logic.
#!/bin/sh
##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^ //g' | grep -no "YourSSID")
EDIT: So the grep -no returns the results of each line that matches instead of an exact match and the -w returns all networks with the name I specify. My problem is our district has 3 networks all named the same at the beginning with Admin, and Guest added to two of them. I need to look at the preferred list and just have a yes or no if the exact match exists in it.
Gabe Shackney
Princeton Public Schools
Posted on 03-24-2021 06:38 PM
Hey @gshackney, just use the start and end line indicators with grep to match the exact line and ignore the others. For example, say the results of pulling the preferred networks list looked something like this.
WiFi-Network-01
WiFi-Network-01-Guest01
WiFi-Network-01-Guest02
And you want to match only on WiFi-Network-01 and not the others, you can use the following syntax:
grep "^WiFi-Network-01$"
grep recognizes the ^ and $ as indications of start of line and end of line, respectively, so it knows not to look any further than WiFi-Network-01. It ignores the 2 results with the "-Guest" in the names, since the "-Guest" part comes after the $ end of line indicator.
Posted on 03-25-2021 07:28 AM
@mm2270 Thanks for the reply, interesting when I try with the added ^ and $ and remove the grep modifier I get no results. If I remove the grep altogether it shows all the preferred networks again, and if I do a -w it shows the three similarly named networks. Perhaps it has to do with the spaces in the name? I don't see any issue listing the name here, the network name is Princeton Schools and the other two are Princeton Schools Guest and Princeton Schools Admin all with spaces and no underscores.
From what I was looking up it looked like there was another command to cover blank spaces possibly?
#!/bin/sh
##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^ //g' | grep "^Princeton Schools$")
echo "<result>$PreferredNetworks</result>"
Gabe Shackney
Princeton Public Schools
Posted on 03-25-2021 08:10 AM
Hi @gshackney. The spaces shouldn't make any difference in how grep is matching them since you have the string contained in double quotes. In fact, the test I ran on this was on my home wifi network which has spaces in it, and it worked fine. I have 2 network SSIDs that differ just slightly and I was able to match only the one I was targeting.
Just out of curiosity though, what OS are you running this test on? I wonder if it's a Big Sur issue. I only tested on Catalina but I can try it on Big Sur also if needed.
Something else you can try is to capture your saved network results into your variable first and then echo it back and run that through grep.
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^ //g')
NetworkCheck=$(echo "$PreferredNetworks" | grep "^Princeton Schools$" > /dev/null 2>&1; echo $?)
if [ "$NetworkCheck" == "0" ]; then
result="Yes"
else
result="No"
fi
echo "<result>$result</result>"
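An added example (not part of the original thread): a whole-line, fixed-string SSID check for an extension attribute that trims the indentation of each listed network before comparing, so "Princeton Schools" does not match "Princeton Schools Guest" or "Princeton Schools Admin". It assumes `networksetup` indents each SSID with leading whitespace (a tab in the constructed sample); the function names and the sample listing are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The SSID is the name used in the thread.
TARGET_SSID="Princeton Schools"

# Read `networksetup -listpreferredwirelessnetworks` output on stdin and print
# one SSID per line: drop the "Preferred networks on ...:" header and strip the
# leading indentation (assumption: entries are indented, e.g. by a tab).
parse_preferred() {
    sed -e '1d' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Succeed only when $1 equals a whole line of the parsed list read on stdin.
# -F: fixed string, so regex characters in an SSID are literal
# -x: the whole line must match, -q: no output, exit status only
has_exact_ssid() {
    parse_preferred | grep -Fxq -- "$1"
}

# Extension-attribute style Yes/No answer for listing text read on stdin.
ea_result() {
    if has_exact_ssid "$1"; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
}

# Constructed sample listing (tab-indented) for checking the logic offline.
sample_listing() {
    printf 'Preferred networks on en0:\n\tPrinceton Schools Guest\n\tPrinceton Schools\n\tPrinceton Schools Admin\n'
}

# On a Mac, query the real list; elsewhere fall back to the constructed sample.
if command -v networksetup >/dev/null 2>&1; then
    port=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
    networksetup -listpreferredwirelessnetworks "$port" | ea_result "$TARGET_SSID"
else
    sample_listing | ea_result "$TARGET_SSID"
fi
```

An anchored pattern such as `grep "^Princeton Schools$"` run against the untrimmed sample finds nothing, because the indentation sits between the start of the line and the name.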
Posted on 03-25-2021 08:13 AM
Hey @mm2270 ,
The district is locked at Catalina currently. That looks a bit more clean. Let me try this thanks.
Gabe Shackney
Princeton Public Schools
Posted on 03-25-2021 08:32 AM
@mm2270 In testing this on my computer which has both Princeton Schools and Princeton Schools admin on the preferred list, it's showing no with the EA, so I'm thinking something is still not quite right. Here is the modified EA with your new lines:
#!/bin/sh
##Get the wireless port ID
WirelessPort=$(networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')
##Collect new preferred wireless network inventory and send back to the JSS
PreferredNetworks=$(networksetup -listpreferredwirelessnetworks "$WirelessPort" | sed 's/^ //g')
NetworkCheck=$(echo "$PreferredNetworks" | grep "^Princeton Schools$" > /dev/null 2>&1; echo $?)
echo "$NetworkCheck"
if [ "$NetworkCheck" == "0" ]; then
result="Yes"
else
result="No"
fi
echo "<result>$result</result>"
Another script that I'm using to push a specific network to the top of the priority list is working perfectly, so maybe I should be looking at how that is filtering the name and copying it. Listing it below:
#!/bin/bash
# A tool to set an existing remembered SSID as the most preferred network by script.
# Copyright (C) 2019 Paul Nelson
# This program is free software: you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software Foundation,
# version 3.
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
# https://www.gnu.org/licenses/gpl-3.0.html
# To run: mac_wipri "SSID"
# Wrap the SSID in double quotes.
# Requires sudo/administrative rights
# if [ -z "$1" ]; then
# echo "No SSID name supplied. Exiting.";
# exit;
# fi
SSIDNAME="Princeton Schools"
NETFILE="/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
#Get SSID for desired network
SSIDID=`xpath $NETFILE "(//dict/dict/dict/string[text()='$SSIDNAME'])[1]/parent::dict/preceding-sibling::key[1]" 2>/dev/null | sed -e 's/key/string/g'`
# Make sure the desired SSID exists in the list.
if [ -z "$SSIDID" ]; then
echo "No matching SSID value can be found in $NETFILE. Exiting.";
exit;
fi;
# Get the current preferred network list
ORDERLIST=`xpath $NETFILE "(//dict/key[text()='PreferredOrder'])[1]/following-sibling::array[1]" 2>/dev/null | sed '1d;$d'`
# Count number of current entries in the network list
NUMENTRIES=`echo "$ORDERLIST" | wc -l | sed -e 's/ //g'`
echo "There are $NUMENTRIES entries in preferred network list."
# Don't make changes if it's the only network
if [ "$NUMENTRIES" -le "1" ]; then
echo "Only one network, so no need to make priority changes. Exiting.";
exit;
fi;
# Get the row number for the first preferred network entry
PREFTOP=`/usr/bin/grep -n -x "$ORDERLIST" $NETFILE |
cut -f1 -d: | head -n 1`
echo "Preferred network list starts at row $PREFTOP in $NETFILE."
# Get the row number of network we want to set as highest priority
SSIDTOMOVE=`echo "$ORDERLIST" | /usr/bin/grep -n $SSIDID | cut -f1 -d:`
if [ "$SSIDTOMOVE" -eq "1" ]; then
echo "$SSIDNAME is already top of the priority list. Exiting.";
exit;
fi
# Print the SSID and current row number for the entry
echo "$SSIDNAME is position number $SSIDTOMOVE in preferred ordering list."
# Now actually make the changes to the file
echo "Moving $SSIDNAME to top of preferred network list..."
printf '%s\n' "$(( PREFTOP - 1 + SSIDTOMOVE ))m$(( PREFTOP - 1 ))" w q | ed -s $NETFILE
# With knowledge of the starting row you could add additional networks
# and handle relative priorities for additional networks if desired.
# Verify that the change worked by checking current position in list
ORDERLIST=`xpath $NETFILE "(//dict/key[text()='PreferredOrder'])[1]/following-sibling::array[1]" 2>/dev/null | sed '1d;$d'`
NEWLOCATION=`echo "$ORDERLIST" | /usr/bin/grep -n $SSIDID | cut -f1 -d:`
echo "$SSIDNAME is now at position number $NEWLOCATION in preferred network list"
Gabe Shackney
Princeton Public Schools
Posted on 03-25-2021 08:53 AM
@mm2270 I made the following based on that and this seems to work, if you wouldn't mind checking me though?:
#!/bin/bash
SSIDNAME="Princeton Schools"
NETFILE="/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
#Get SSID for desired network
SSIDID=`xpath $NETFILE "(//dict/dict/dict/string[text()='$SSIDNAME'])[1]/parent::dict/preceding-sibling::key[1]" 2>/dev/null | sed -e 's/key/string/g'`
# Make sure the desired SSID exists in the list.
if [ -z "$SSIDID" ]; then
    echo "<result>Missing Princeton Schools</result>"
else
    echo "<result>Has Princeton Schools</result>"
fi
Gabe Shackney
Princeton Public Schools
Posted on 03-25-2021 10:45 AM
@gshackney Not that it's relative to your discussion about finding out if a Wi-Fi SSID is missing, but here's a script to re-order the SSID list when you want to have multiple SSIDs moved to the top of the priority order: https://www.jamf.com/jamf-nation/discussions/18223/re-order-wifi-preferred-networks#responseChild141...
Posted on 03-25-2021 10:52 AM
@sdagley The one script at the end, 3 posts up, by Paul Nelson (bash script) works great for that same purpose (although it's just for one network not multiple). That's what I borrowed from to grab the specific name from the preferred list.
Thanks though!
Gabe Shackney
Princeton Public Schools
Posted on 03-25-2021 11:05 AM
@gshackney Yeah, my point in posting was there is an alternative to the bash prioritization script which handles a variable number of SSIDs, and for the benefit of some without a GPLv3 license.
Posted on 06-20-2023 02:17 PM
So, this post started several years ago. But, I don't think the SSID removal "networksetup -removepreferredwirelessnetwork $WirelessPort <Sigourney Wifi> 2>/dev/null" functions in the newer operating system.
I'm attempting to run this today and on Monterey, I get "** Error: The amount of parameters was not correct."
When I look at the parameters it shows "networksetup -removepreferredwirelessnetwork <device name> <network>"
This means to me that we must now put a device name in its place. Is this what everyone else is seeing? If so, how are the public networks being hidden now or disconnected? I'm also at a University and too many Macs are on a guest network with very limited bandwidth. I want to disconnect them from that network and prevent that network from showing up. iMacs are plugged into ethernet but also on the guest network.
Posted on 06-20-2023 02:28 PM
I’ve been using my script (posted above) to prune the list of remembered SSIDS in Ventura with no problems. The core commands should still work.
Posted on 06-20-2023 02:29 PM
TY. Rereading this post and I'm thinking it's my fault. Really appreciate your reply.