
WiFi Configuration Profile that autojoins or automatically re-deploys



Hello Jamf Nation!

I'm trying to create a configuration profile for our Office WiFi network. I have already referred to Jamf's documentation about creating a config profile for a network and that seemed to work when I tested it. Our office network doesn't need any certs or authentication to join and only needs the WiFi password to join, so no extra requirements there.

However, one thing I tried while testing the configuration profile was to remove the WiFi network from the Mac's system preferences and see if the configuration profile would automatically redeploy and reconnect to the Office WiFi like it did initially. That did not happen. I am under the assumption that if for whatever reason the WiFi network were to be removed from a user's system preferences, the config profile will just sit there until it is removed and re-added in Jamf Pro. Since we are in a hybrid work environment, we do not want to go the route of blocking access to system preferences, and it might be a little tough having to manually search to see if all of our computers actually have the WiFi network saved. We were also thinking of having this run as an event every login, but our users seldom reboot or log off so it might not help us out there. (old habits never die)

My question then is: before having to go the route of just packaging this and tossing it in Self Service, is there any way that we can have this run automatically to make sure that if the Office WiFi were to ever be removed for whatever reason, it will redeploy itself per the config profile?

Thank you for your time!

-Frank S.

9 replies

sdagley
  • Jamf Heroes
  • 3540 replies
  • March 17, 2022

@fspa9686 As you've noticed, Configuration Profiles do not re-apply themselves if the configuration they installed like Wi-Fi configurations or certificates are somehow removed. Apple did mention a new Configuration Profile architecture at WWDC21 that will address this, but it's coming to iOS devices first, and hopefully at WWDC22 they'll talk about when we can expect it on the Mac. In the meantime...

Here's an outline of how you could trigger a re-deploy via Self Service using a Smart Group, an Extended Attribute, a Script, and a Policy:

  1. Create an Extension Attribute that looks for a hidden file on your Macs (e.g. /Library/YourOrg/.NeedNewWi-FiProfile)
  2. Create a "Needs New Wi-Fi Configuration" Smart Group that a Mac will be added to if that Extension Attribute finds that file
  3. Add the "Needs New Wi-Fi Configuration" Smart Group as an Exclusion for your current Wi-Fi Configuration profile
  4. Create a Script named "Redeploy Office Wi-Fi" that does the following:
    1. Create the /Library/YourOrg/.NeedNewWi-FiProfile file
    2. Run a `jamf recon` so your EA runs and the Mac is added to the "Needs New Wi-Fi Configuration" Smart Group which will trigger Jamf Pro to remove the existing Wi-Fi profile
    3. Delay for 10-15 seconds to give Jamf Pro some time to remove the existing profile
    4. Delete the /Library/YourOrg/.NeedNewWi-FiProfile file
    5. Run a `jamf recon` so your EA runs and the Mac is removed from the "Needs New Wi-Fi Configuration" Smart Group which will trigger Jamf Pro to re-install your Wi-Fi profile
  5. Create a Policy that can be triggered via Self Service that has a Script payload for the "Redeploy Office Wi-Fi" script
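
The outline above, sketched as a shell script; this is an added example, not code from the original post or from Jamf. The flag path is the post's own example path, while `JAMF_BIN`, `REDEPLOY_DELAY`, the function names and the use of script parameter 4 are assumptions. `ea_result` is the body of the Extension Attribute and `redeploy_wifi` is the body of the policy script; the flag is removed even when the first `jamf recon` fails, so a failed run cannot leave the Mac excluded from the profile.

```shell
#!/bin/sh
# Added example, not the poster's script. FLAG uses the example path from the
# post; JAMF_BIN, REDEPLOY_DELAY and the function names are assumptions.
FLAG="${FLAG:-/Library/YourOrg/.NeedNewWi-FiProfile}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
REDEPLOY_DELAY="${REDEPLOY_DELAY:-15}"   # seconds, per the 10-15 s in step 4.3

# Step 1: body of the Extension Attribute script. The Smart Group in step 2
# matches on the value "True".
ea_result() {
    if [ -f "$FLAG" ]; then
        echo "<result>True</result>"
    else
        echo "<result>False</result>"
    fi
}

# Step 4: body of the "Redeploy Office Wi-Fi" policy script (runs as root).
redeploy_wifi() {
    mkdir -p "$(dirname "$FLAG")" || return 1
    touch "$FLAG" || return 1
    # First recon: the EA reports True, the Mac joins the excluded Smart Group
    # and Jamf Pro removes the profile.
    "$JAMF_BIN" recon
    rc_add=$?
    sleep "$REDEPLOY_DELAY"
    # Remove the flag even if the first recon failed; a leftover flag would
    # keep the Mac excluded from the profile after the next inventory update.
    rm -f "$FLAG"
    # Second recon: the EA reports False, the Mac leaves the group and the
    # profile is installed again.
    "$JAMF_BIN" recon
    rc_remove=$?
    [ "$rc_add" -eq 0 ] && [ "$rc_remove" -eq 0 ]
}

# Jamf Pro reserves script parameters 1-3; parameter 4 is the first custom one.
# Only run when the policy passes "redeploy" there.
if [ "${4:-}" = "redeploy" ]; then
    redeploy_wifi
fi
```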

  • Author
  • Contributor
  • 13 replies
  • March 17, 2022

Thanks for the insight @sdagley! This does seem like something I may want to look into, but now that I am thinking about it given the hybrid nature, I think I might want to lean onto the side of just making the WiFi Profile available in Self Service for people that need the office network to install, without the need to redeploy.

How would I go about doing that?


sdagley
  • Jamf Heroes
  • 3540 replies
  • March 18, 2022

@fspa9686 If you don't care about your Wi-Fi Configuration Profile being installed before users initiate that from Self Service there is a Distribution Method selection on the General settings for a Configuration Profile that lets you select Make Available in Self Service instead of Install Automatically (be sure to set Allow Removal to Yes if you do that so the users can remove and re-install it).

You _could_ make it automatic by having the script run locally on a Mac and be triggered by a LaunchDaemon that's watching for the Wi-Fi configuration to change, but I'm not exactly sure where Apple is storing that setting now (it used to be one of the files in /Library/Preferences/SystemConfiguration but that doesn't appear to be true for Monterey)


mm2270
  • Legendary Contributor
  • 7880 replies
  • March 18, 2022

@fspa9686 wrote:

and it might be a little tough having to manually search to see if all of our computers actually have the WiFi network saved.


Actually this isn't that hard, and you may want to build an Extension Attribute that pulls the Wi-Fi Preferred Networks list as part of your overall solution. I assume this is what you're referring to when you say you went into System Preferences and removed the network. You removed it from the Network > Wi-Fi > Advanced > Wi-Fi > Preferred Networks list, correct?


  • Author
  • Contributor
  • 13 replies
  • March 18, 2022


Correct, that's where I removed it from when I was testing


mm2270
  • Legendary Contributor
  • 7880 replies
  • March 18, 2022


Ok, in that case, a simple Extension Attribute kind of like this could work to help you know which Macs have that entry still in the settings or not.

 

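```zsh
#!/bin/zsh

# SSID to look for in the Preferred Networks list
ssid="SSID Name Here"

# List the preferred networks on en0, strip the leading whitespace and match the SSID.
# The whitespace between ^ and * in the sed expression must be a tab character.
checkforSSID=$(/usr/sbin/networksetup -listpreferredwirelessnetworks en0 | sed 's/^ *//g' | grep "^$ssid")

if [ "$checkforSSID" ]; then
    result="True"
else
    result="False"
fi

# Jamf Pro reads the Extension Attribute value from the <result> tags
/bin/echo "<result>$result</result>"
```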

 

Couple of things. The above makes the assumption that all of your Macs are fairly new laptop models that all have "en0" as their Wi-Fi identifier. If that isn't the case, you'll have to add in a line that gets the Wi-Fi device ID to use in the command first.

Second, it's worth noting that by default, non admins cannot make changes to the Preferred Networks list, unless you've given them some kind of access with a change to the security preferences. Or if they are local admins.

Lastly, the space in this section between the ^ and * characters,

s/^   *//g'

is actually a tab character. I'm pretty sure the Jamf forums don't retain that, so if you copy/paste this into a script editor, be sure to highlight that space and replace it with a tab, or the script probably won't work.
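
A variant of the Extension Attribute above that looks up the Wi-Fi device instead of assuming `en0`; this is an added example, not mm2270's code, and the function names and sample data are constructed for illustration. It goes a little further than the post: it strips leading whitespace with `[[:space:]]`, so no literal tab has to survive a copy/paste, and it compares the whole line as a fixed string, so an SSID such as "Office" does not match a saved "Office-Guest".

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the device (e.g. en0) of the "Wi-Fi" hardware port, reading the
# output of `networksetup -listallhardwareports` on stdin.
wifi_device() {
    awk '/^Hardware Port: Wi-Fi$/ { found = 1; next }
         found && /^Device: / { print $2; exit }'
}

# Succeed if SSID $1 is a saved network, reading the output of
# `networksetup -listpreferredwirelessnetworks <device>` on stdin.
has_preferred_ssid() {
    # Drop the "Preferred networks on enX:" header, strip leading tabs/spaces,
    # then require an exact, literal, whole-line match.
    sed -e '1d' -e 's/^[[:space:]]*//' | grep -Fxq -- "$1"
}

# Extension Attribute body: call as ea_wifi_saved "SSID Name Here" on a Mac.
ea_wifi_saved() {
    ssid="$1"
    dev=$(/usr/sbin/networksetup -listallhardwareports | wifi_device)
    if [ -n "$dev" ] &&
       /usr/sbin/networksetup -listpreferredwirelessnetworks "$dev" | has_preferred_ssid "$ssid"; then
        echo "<result>True</result>"
    else
        echo "<result>False</result>"
    fi
}

# Constructed sample output (not captured from a real Mac), for offline checks.
SAMPLE_PORTS='Hardware Port: Ethernet
Device: en5
Ethernet Address: 00:00:00:00:00:01

Hardware Port: Wi-Fi
Device: en1
Ethernet Address: 00:00:00:00:00:02'
SAMPLE_PREFERRED=$(printf 'Preferred networks on en1:\n\tOffice-Guest\n\tHome Net\n')
```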


  • Author
  • Contributor
  • 13 replies
  • March 21, 2022


Thanks for the response @mm2270 !

So I understand that this will assist me in finding out who has the SSID in their settings and who doesn't, but a couple of things that I am hoping we could use some of this context to assist with the following:

1. if the users are offline and cannot connect to self service, some manner of getting the WiFi profile deployed and make sure they're connected.

2. if they are online but are not connected to the specific office network SSID, to switch them to that network.

Hope this makes sense and you could provide further insight


mm2270
  • Legendary Contributor
  • 7880 replies
  • March 21, 2022


Hi @fspa9686 Before I get into anything a question for you is, how is your Jamf environment set up? Meaning, is it cloud based and accessible to any Mac just generally connected to the internet, or is it on prem and internal only?

In your first scenario above, I'm not sure I understand what you mean by "the users are offline and cannot connect to self service". Do you mean their WiFi is off? If so, I don't really know how something like that could be handled since you'd have no access to their machine. Maybe I'm just not understanding the circumstance you're talking about.

Regarding:

2. if they are online but are not connected to the specific office network SSID, to switch them to that network.

Something like this could be handled with a LaunchAgent and script I imagine. Basically something that would look to see if the specific SSID was available (in range) and if so, is the Mac connected to it? If not, try to switch to that connection. Would something like that work in your case? In most cases there shouldn't be a need to reinstall the profile for that.


  • Author
  • Contributor
  • 13 replies
  • March 21, 2022


Thanks!

For #1 there's nothing we can do if they aren't connected to a network - that makes sense.

So one possibility would be to have them connect to any available known network and then use self service to add the SSID we need. So then the self service config profile should be persistent?


If they delete the SSID or save a bad password in the SSID settings will the config profile work?
Is it a feasible process to have them uninstall and reinstall the self service config profile if they lose the SSID somehow?

We're just looking for the easiest most robust way for staff to manage their own SSID in the office as we don't hand out the SSID password.

