Ventura Standard User Wifi Networks

New Contributor II

We have implemented a setup of Jamf Pro with Jamf Connect in our environment. We have a mix of standard and admin users, and then we have a process to do admin items as needed.

One area is our network items: standard users can't troubleshoot, forget networks, etc.

This is obviously a massive issue, and being unable to connect while traveling or troubleshoot to get things moved along to the network is creating massive productivity gaps.

From what I see, Apple really locks down some of this, but it makes no sense why it's so locked down.

Any workaround? We really need ALL users to be able to control their network settings, especially when they travel for company events.



Contributor III

I noticed this too, still looking myself 

Valued Contributor II

Why not create a temporary admin policy in Self Service? I have used this for the last several years.

There are a lot of ways to implement this. You can have it on all the time and only allow it to be run once a day, or you can scope it to a group of computers and add the computers to the group to allow the users to use the policy. There are more ways to do this. These are just two methods.

I actually spent a lot of time looking at this and running into issues on different operating systems... it was one we were ultimately going to possibly go with. In the end we went with Admin by Request, which works until they aren't connected to the internet and it starts to be a mess. So we have clear ways to give temporary admin access, BUT that is NOT what management and security want. They want an exception for networking, as it shouldn't be blocked in the first place.


The script I linked above installs a launchdaemon that demotes the user back to standard so it doesn't matter if the computer is connected to the internet or not.

Yep. Again, I went through that entire process. The point is, for the users who become standard, they don't want them to have quick and simple admin access (otherwise they would just give it), even with the logging feature. I was at the point of being ready to deploy the above. But then Admin by Request took it over.

They want to see if there is a way to make an exception for a standard user without giving admin access. 


Deploy a policy with a script attached to it that modifies the authorizationdb and gives standard users access to the networking pane/settings, printers, etc. See here for one of many references on the topic. 

It's hacky, but it's been done for ages by many Mac admins including myself.
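
The authorizationdb approach from the reply above, as an added example that is not code from the thread or from Jamf: it opens only the two network-related rights instead of granting admin, and keeps a backup so the change can be reverted. The backup directory and the `open`/`restore` parameter are hypothetical, and whether these two rights alone are enough on Ventura is an assumption to confirm on a test Mac.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root (for instance from a policy).
# Assumption: these two rights are the ones gating network changes on your
# macOS version; check with `security authorizationdb read <right>` first.
NETWORK_RIGHTS="system.preferences.network system.services.systemconfiguration.network"
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
BACKUP_DIR="${BACKUP_DIR:-/var/db/authdb-backup}"   # hypothetical location

# Only allow-listed rights may be changed, so an edited caller cannot open
# something broad such as system.preferences.
is_permitted_right() {
    for allowed in $NETWORK_RIGHTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Save the current rule once, then point the right at the built-in "allow" rule.
open_right() {
    right="$1"
    is_permitted_right "$right" || { echo "refusing to change $right" >&2; return 2; }
    mkdir -p "$BACKUP_DIR" || return 1
    backup="$BACKUP_DIR/$right.plist"
    if [ ! -s "$backup" ]; then
        "$SECURITY_BIN" authorizationdb read "$right" > "$backup" 2>/dev/null || return 1
    fi
    "$SECURITY_BIN" authorizationdb write "$right" allow 2>/dev/null
}

# Put the saved rule back; `authorizationdb write` reads the plist from stdin.
restore_right() {
    backup="$BACKUP_DIR/$1.plist"
    [ -s "$backup" ] || return 1
    "$SECURITY_BIN" authorizationdb write "$1" < "$backup" 2>/dev/null
}

main() {
    for right in $NETWORK_RIGHTS; do
        case "$1" in
            open)    open_right "$right" || return 1 ;;
            restore) restore_right "$right" || return 1 ;;
            *)       echo "usage: open|restore" >&2; return 64 ;;
        esac
    done
}

# Jamf policy scripts receive their first custom parameter as $4.
case "${4:-}" in open|restore) main "$4" ;; esac
```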


New Contributor II

Hi, there is a way, but it is very expensive.

I tried CyberArk Endpoint Privilege Manager and Delinea Privilege Manager. Those products give this option.

Admin by Request is still not perfect for macOS.

I am looking for a cheaper solution too.