
JustJohnDoe

macrumors newbie
Original poster
Nov 9, 2013
2
0
So I'm doing my homework before enabling iCloud Keychain and while there doesn't seem to be much information available (on this specific issue anyway) it looks like you cannot exclude a WiFi network from iCloud Keychain. I've read the help files at Apple support sites, and searched the forums.

Why would you want to exclude an SSID?

Well, our offices use two completely segregated WiFi networks for obvious security reasons. The "Employee" Network is a full enterprise network, requires a certificate to be installed in order to connect, and any device that has ever connected to the "Guest" network is systematically excluded from connecting to the Employee network.

Because the networks are so effectively segregated, there is a rather liberal policy on the guest network and employees are welcome to use that SSID for their personal laptops, and mobile phones pretty much as they wish. So we do.

I anticipate this causing an issue if I implement iCloud Keychain due to my mix of devices:

  1. Personal Mac Air - Regularly connects to "Guest" network, and can only connect to "Guest" network. (Mavericks OSX9.0)
  2. Personal iPhone - Regularly connects to "Guest" network, and can only connect to "Guest" network. (iPhone 4s on iOS 7.0.3)
  3. Employer issued iPhone - Regularly connects to "Employee" network, and can only connect to "Employee" network. (iPhone 4s on iOS 7.0.3)

Since we are also allowed to set up our work phone on our own iCloud ID so that we can use find iPhone, apps, etc. I have all three devices sharing my iCloud ID. I anticipate this will present a problem even if I get rid of my personal phone and go with only the employer issued phone.

Once I turn on iCloud Keychain and enable it on all three devices (which I do want to do for the plethora of logins I'd like to manage) it will sync the "Guest" SSID and password to the employer issued iPhone, and I could have a problem.

Has anyone else encountered this, and how have you dealt with it? Is there a way to exclude a specific SSID from iCloud Keychain, even if that method is not documented on Apple Support?

Thanks,

J
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,137
15,602
California
Is your concern the company phone will then automatically log in to the guest wifi network? Just go into the company iPhone settings and configure wifi not to automatically join networks, and to only join networks you specifically allow. This way even though the SSID and PW are in the Keychain the phone won't join the guest network on its own.
 

JustJohnDoe

macrumors newbie
Original poster
Nov 9, 2013
2
0
> Is your concern the company phone will then automatically log in to the guest wifi network? Just go into the company iPhone settings and configure wifi not to automatically join networks, and to only join networks you specifically allow. This way even though the SSID and PW are in the Keychain the phone won't join the guest network on its own.


I did consider that, but that sort of defeats the purpose of "simple" and what Keychain is meant to deliver.

My iPhone doesn't connect to random networks without asking, but once I've joined a secure network with a valid password, I want it to join on its own next time... Just not that one network.
 

canuckle

macrumors regular
Dec 18, 2011
137
1
I have a similar issue (2 actually) although not as complex or critical as the OP.

I have an iMac and MB Air. I don't want/need the same iCloud Keychain networks connecting automatically, as the iMac is wired to LAN. Any network I join on the MBA is automatically replicated on the iMac though. Join networks automatically is OFF, but it doesn't matter. If I turn on the WiFi on the iMac, it joins my home network because the MBA is configured to join it. If I delete the networks from the known networks on the iMac, they delete on the MBA. Add them back on the MBA, back they come on the iMac.

I like to use the iMac for inSSIDer and site survey as I'm in a congested area and change channels frequently. Plus, I shouldn't have to turn off wifi if I don't want to.

Same/similar issue with mail, where any account added/changed on my MBA shows up on my iMac. As an example I want my work email on the MBA but not on the iMac. I've searched forever for a 'switch' or way to prevent both of these situations, to no avail.
 

Bear

macrumors G3
Jul 23, 2002
8,088
5
Sol III - Terra
> Is your concern the company phone will then automatically log in to the guest wifi network? Just go into the company iPhone settings and configure wifi not to automatically join networks, and to only join networks you specifically allow. This way even though the SSID and PW are in the Keychain the phone won't join the guest network on its own.

"Ask to Join Networks" doesn't apply to known networks. And my guess is that if it's on the Keychain, it's a known network.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,137
15,602
California
> "Ask to Join Networks" doesn't apply to known networks.

I realize that. I was hoping it would not see it as "known" if it had never been approved and actually joined.

> And my guess is that if it's on the Keychain, it's a known network.

You don't need to guess any longer. I just reset network settings on my iPhone then turned on keychain sync and sure enough it hops right on the network that synced in as part of the keychain from my MBA. So that idea is out the window.
 