Switching configurations on log in and log out

PaulHazelden
Valued Contributor

Is there a way to swap one configuration for another, depending on if a user is signed in or not?

We have some laptops, and really want to set them up as multi user devices, which for us will mean signing in using NoMad. For this to work, we will need a WiFi configuration to give access to our network, so that the NoMad system can authenticate and log in the user account.

Once the user is signed in, we want the WiFi configuration to switch over to using our main WiFi network. Then when the user logs out, we want the WiFi to switch back to the previous one, totally forgetting the user credentials.

I guess a way to create a smart group based on if there is an account logged in or not will be a good place to start. Then all I would need to do is create the 2 configurations and set them to apply or exclude as required.
But this would need to be done as the user logs in, or as they log out. And the configuration doesnt want to get caught in the middle - One WiFi configuration removed before the new WiFi configuration is sent.
My initial thoughts were an EA, to look for the login, but this will not report back until the device checks in. I also have a bash script that runs via a LaunchAgent for logging in and can easily add to that, but I have nothing running on logout, I know Apple will be turning off login and logout hooks at some point so they are not an option.

Does anyone have any thoughts on how to acomplish this?

Or am I going to go insane running round in circles and never getting there?
All help is greatly appreciated, thank you.

1 ACCEPTED SOLUTION

MacOS and iOS are very different beast that need different approaches in some cases, this is one of them.

 

Tools like Forcepoint or Netskope that handle this kind of SSL restriction on a network level based on who is registered as logged in by the endpoint would be a far better solution. You can use AD groups, provision whatever access you want a given AD group to have and assign a user to it. When a user with a given AD groups logs in they will inherit whatever access that AD Group has for internet and network resources. Configure the clients for when no one is logged in to lock down and allow only the basic access. All done with one network, and secure that network however you like. 

 

Netskope on nondomain bound macs is a mess, forcepoint has a failover if your macs are not domain bound. Both have solutions for nonAD environments, but I am not as fluent in them.

View solution in original post

3 REPLIES 3

AJPinto
Valued Contributor

 

Your way is probably the most straight forward, though it will be a complete and total mess. I still can’t get around the “Why” question. Why are we wanting to change networks as/after a user logs in? If you just want to know who is using the device for reporting and auditing purposes, that is more of a security function and there are plenty of tools that do that very well.

Its kind of complex to explain but...

Our current network setup uses multiple VLAN's, Membership of a group will route you through your VLAN, which comes with various access rights.
The network that the un-signed in device connects to is very restricted. If we dont know who you are you cant access anything.

We have a similar set up running on iPads, via a different MDM. Restricted network with no user sign in, as soon as they sign in it moves them across to the main WiFi and gives access and also un restricts the apps.

Right now we have no multi user per device solution for WiFi only devices. And we have been asked to provide one. All of our laptops are single user only, we manually create an account on the device for them to use, but it is not linked to their network account. hence all of their rights are provided from their WiFi connection.

MacOS and iOS are very different beast that need different approaches in some cases, this is one of them.

 

Tools like Forcepoint or Netskope that handle this kind of SSL restriction on a network level based on who is registered as logged in by the endpoint would be a far better solution. You can use AD groups, provision whatever access you want a given AD group to have and assign a user to it. When a user with a given AD groups logs in they will inherit whatever access that AD Group has for internet and network resources. Configure the clients for when no one is logged in to lock down and allow only the basic access. All done with one network, and secure that network however you like. 

 

Netskope on nondomain bound macs is a mess, forcepoint has a failover if your macs are not domain bound. Both have solutions for nonAD environments, but I am not as fluent in them.