Posted on 06-17-2015 02:24 PM
My apologies for my noobness. I haven't used JAMF since version 8, and then went full time SCCM Admin.
At my new position we are in the process of hiring a new JAMF Engineer, so until then I thought I'd take a poke at this and ask the good folks at JAMF Nation for a little love.
We are wanting to see which of the laptops we have under management with JAMF have connected to a certain wifi location in the past 24 hours.
Thanks very much for the help,
Posted on 06-17-2015 02:31 PM
I don't know if there's an effective way to do this. You can create an Extension Attribute that will capture the current Wi-Fi AP at the time the Mac submits inventory, but you'd have to craft something a bit different, that would send that information into a local file with timestamps, and continue to append to the file, not overwrite it, and then capture that file's contents into an Extension Attribute. Even then, it might be hard to generate an actual report like what you're asking for.
I don't know if there is any "history" stored on the Mac that you can parse through that would give you this info directly. Maybe in one of the logs listed in Console, though I'm not sure.
What are you using on the backend to manage the access points? Would it perhaps be easier to look at getting a report out of logs from the access points themselves instead of from your Macs?
Posted on 06-17-2015 02:40 PM
Well, that's what I thought too, so I first went to networking. But Infosec is suspecting someone set up a rogue AP at one of our conferences that would match our corporate one. Our networking team wasn't onsite at the hotel so they don't have any logs.
I was curious if we could pull from the preferred wifi list who had that rogue AP and maybe compare MAC address?
Just thinking out loud,
Thanks,
Posted on 06-17-2015 02:41 PM
I was thinking something like this? But didn't know how to run it.
networksetup -listpreferredwirelessnetworks | grep -q "AP"
Posted on 06-17-2015 02:57 PM
You could use that command to pull the list of preferred networks that have been added, but I'm pretty certain that's not going to help you much. There is no IP address or other related information associated with those items. It's just a list of network names.
That being said, I would imagine that the information like IP address and connection type for each of those listed preferred network names is stored somewhere within the OS. I just don't know what command would reveal that information or what file they are contained in.
Posted on 06-17-2015 09:31 PM
OK, did a quick search since this was on my brain. I found this. Check it out as it may help you get what you're looking for:
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences RememberedNetworks
While this won't show the MAC address of the access point that generated the saved entries, it does show you several other details, like the SSID info, not just the human readable SSID name, and the security type.
Assuming for a moment that the SSID data is what may help track down these possible rogue connections, something like this should get that information into an Extension Attribute field. Just change the SSID_Name variable to the actual SSID Name that you are looking to get info on.
#!/bin/sh
# Jamf Extension Attribute: report the stored SSID data for one remembered network.
SSID_Name="SSID Name"

# Find the Wi-Fi device name (for example en0).
WiFiPort=$(networksetup -listallhardwareports | egrep -A1 "Wi-Fi|AirPort" | awk '/Device/{print $NF}')

# Only read the preferences if the SSID is in the preferred networks list.
if networksetup -listpreferredwirelessnetworks "$WiFiPort" | grep -q "$SSID_Name"; then
    SSIDData=$(defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences RememberedNetworks | grep -B1 "$SSID_Name" | awk -F'>|<' '/SSID/{print $2}')
else
    SSIDData="Not Found"
fi

echo "<result>$SSIDData</result>"
Hope that helps somewhat.
Posted on 06-18-2015 07:58 AM
You could have a script that fires on network changes, captures the current SSID (/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}'), and keeps a plist of all SSIDs that system has connected to along with the last connection date/time.
The script could then flush SSIDs not connected to in the last 24 hours and write a list that gets pulled into an extension attribute.
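
A sketch of the approach described in the last post, as an added example that is not code from the thread or from Jamf: it records the current SSID with a last-seen time, drops entries older than 24 hours, and prints the rest for an Extension Attribute. It assumes a tab-separated history file at a made-up path instead of a plist, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). History is "SSID<TAB>last-seen epoch".
SSID_LOG="${SSID_LOG:-/var/tmp/ssid_history.tsv}"   # assumed path, adjust as needed
MAX_AGE=86400                                       # 24 hours in seconds
AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

# Current SSID, using the airport command quoted in the post above.
current_ssid() {
    "$AIRPORT" -I | awk '/ SSID/ {print substr($0, index($0, $2))}'
}

# record_ssid SSID [NOW]: add the SSID or refresh its last-seen time.
record_ssid() {
    # SSIDs are chosen by whoever runs the AP, so strip tabs, newlines and
    # other control bytes before they reach the tab-separated history file.
    ssid=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    now=${2:-$(date +%s)}
    [ -n "$ssid" ] || return 0                      # not associated
    touch "$SSID_LOG"
    # ENVIRON (not -v) so backslashes in the SSID are not treated as escapes.
    S="$ssid" awk -F'\t' -v n="$now" '
        BEGIN { s = ENVIRON["S"] "" }               # force string comparison
        ($1 "") != s { print }
        END { printf "%s\t%s\n", s, n }' "$SSID_LOG" > "$SSID_LOG.tmp" &&
        mv "$SSID_LOG.tmp" "$SSID_LOG"
}

# prune_old [NOW]: drop SSIDs last seen more than MAX_AGE seconds ago.
prune_old() {
    now=${1:-$(date +%s)}
    [ -f "$SSID_LOG" ] || return 0
    awk -F'\t' -v n="$now" -v a="$MAX_AGE" 'n - $2 <= a' "$SSID_LOG" \
        > "$SSID_LOG.tmp" && mv "$SSID_LOG.tmp" "$SSID_LOG"
}

# ea_result: print the surviving SSIDs, one per line, for an Extension Attribute.
ea_result() {
    list=$(cut -f1 "$SSID_LOG" 2>/dev/null || true)
    printf '<result>%s</result>\n' "${list:-None}"
}

# Only act where the airport tool exists, e.g. when run on a managed Mac.
if [ -x "$AIRPORT" ]; then
    record_ssid "$(current_ssid)"
    prune_old
    ea_result
fi
```

The history only starts from the first run, so it cannot show connections made before the script was deployed.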