Jamf Nation Community

lizmowens · ‎03-01-2017

I know there are several older threads on this topic, but after reading them all and even trying some of the suggestions, I'm still not getting what I need. Maybe some of you will have other suggestions. Here's the issue:
Our middle school students all have school-issued Macbook Airs, and our teachers use ARD to monitor them. To get around that monitoring, students would simply turn the wifi off and play some offline games or do something else off topic undetected. So I found a great script shared here that requires students to authenticate as an admin to turn wifi off. It took all of 30 minutes for a couple of tech savy kids to realize that if they wanted to get around that all they had to do was go to "Join other networks", type in some random string of characters, and press join, so that the computer disconnects from the student network and looks for a non-existent network. Is there a similar way via a script to prevent them from being able to do that? The kids do take these machines home and connect to networks there, but those are remembered networks already. Any suggestions, scripts, magical spells to make these kids not act like kids are greatly appreciated. :)

sdagley · ‎03-01-2017

@lizmowens Take a look at this post on keeping machines on your preferred wireless network: https://www.jamf.com/jamf-nation/discussions/22083/managing-wifi-on-macos

BoscoATX · ‎03-01-2017

@lizmowens I ran into an issue like this in one of our Mac labs when students were logging into the campus wifi instead of using the default ethernet. It caused all kinds of problems with OS and software updates. I locked down the wifi with the below command:

networksetup -setairportpower en1 off
/usr/libexec/airportd prefs RequireAdminPowerToggle=YES

It turns off the wifi and requires admin to make changes to the settings. You'd just need to change off to on in the first.

lizmowens · ‎03-01-2017

@BoscoATX , if I use that setup will it prevent them from connecting to their home network? Or does it just limit them to networks they have previously connected to?

Thanks, @sdagley , I'll take a look at that thread!

BoscoATX · ‎03-01-2017

@lizmowens The setting only controls wifi power. They should be able to connect to any networks stored in their Keychain.

mm2270 · ‎03-01-2017

@lizmowens The command you're looking for is

sudo /usr/libexec/airportd en0 prefs RequireAdminIBSS=YES

This enables the following checkbox in System Preferences > Network > Wi-Fi

Note that in the above, I'm using en0 as the Wi-Fi port, which may not always be the case, especially for Desktops or older Macs with a build in Ethernet port. You can create a full script that will determine the correct Wi-Fi port and use that in the command, like so:

#!/bin/sh

WIFIPORT=$(/usr/sbin/networksetup -listallhardwareports | awk '/Wi-Fi|AirPort/{getline; print $NF}')

/usr/libexec/airportd $WIFIPORT prefs RequireAdminIBSS=YES

As long as the students aren't admins, and combined with your other airportd command that prevents them from disabling Wi-Fi, that should stop at least some of them from getting around the controls. Of course, this doesn't prevent them from doing something like connecting Wi-FI to a personal hotspot or something, which may generate the same issue for your teachers.

Last thing, you can combine the above setting into your other script which sets the requirement for admin rights to toggle Wi-Fi.

/usr/libexec/airportd $WIFIPORT prefs RequireAdminIBSS=YES RequireAdminPowerToggle=YES

lizmowens · ‎03-01-2017

Perfect! Thank's y'all!

supson · ‎10-26-2018

Kind of late here in this post, but hoping to find out the commands to CHECK All of those boxes? We have wifi labs and students try to connect to their hotspots to bypass our internet filtering, let me know if you have the lines to check all 3 boxes under Require Administrator to:

Rocky · ‎10-26-2018

The 3 prefs are:
RequireAdminIBSS (Boolean)
RequireAdminNetworkChange (Boolean)
RequireAdminPowerToggle (Boolean)

Jamf Nation Community

Removing Wifi Icon or Option for "Join other Networks"