Block connection to specific SSID

[Glaic]

Hi All,

We have CISCO enterprise level WAPs (1142 upto 3602 models) across multiple sites (lets say 20 sites for this scenario). These WAPs all advertise the same 2 networks, we'll call them INTERNAL and EXTERNAL.

Devices owned by us and issued to users are on the INTERNAL network via a certificate and AD object, devices not owned by us connect based upon the users credentials to the EXTERNAL network (phones tablets etc) - and get put directly to the internet via our proxy/firewall setup and have no access to anything internal.

Now, for our Windows devices certificated to the INTERNAL network we have a Group Policy Object which prevents their connection to the EXTERNAL network.

Our MAC OSX 10.9.x devices also certificate onto the INTERNAL network - however, users can opt to connect these to the EXTERNAL network due to a lack software level policy to prevent it.

This causes headaches for IT support, as users then complain printers/mounted shares/internal only sites don't work.

We can't easily manage MAC addresses for the fleet (keeping track of MAC addresses across 20 sites is far too involved), and we outsource management of our controllers anyway which means on site techs don't have access to blacklist/whitelist MACs on a whim.

What I am looking for is a profile based lock down to the wireless to prevent users connecting to networks named EXTERNAL, not a DHCP change, not a controller level change - I am hunting for a client OS level fix, that straight up hides the EXTERNAL name, or otherwise gives them a message that connection to it is disallowed by their administrator.

So far google has turned up nothing but users who once connected to a network and don't know how to disconnect themselves.. And a few people suggesting that we push a dummy profile that then fails, which is just an ugly response to what should be a cleanly resolvable fault.

Lastly, users need to maintain ability to connect to other networks, for when they take their laptops home.

I tried a forum search, and a google search on this site - I found one relevant topic: https://forums.macrumors.com/archive/index.php/t-817755.html (didn't want to necro it) and it was dealing with someone who lacked the enterprise level system we have.

Thoughts.. ideas? all welcome.

Cheers,
/Glaic

 

[dzejms]

It should be doable with automator script. I will have a look, as i might need it at work too.

 

[Nodle]

It should be doable with automator script. I will have a look, as i might need it at work too.

Holey thread revival batman!

I have an equivalent set up to OP where we have 3 networks.
The first of which is authenticated via cert and AD object (The trusted wireless)
The second is a captive portal which we use for BYOD devices and has no access to our network unless you authenticate through the captive portal with radius to allow Limited network access
The third is another captive portal which we create accounts on our controller. This is the guest network for visitors and has no access to our network.

Like OP, I too would like to stop the staff from connecting to our BYOD and guest networks.
When they do this stops them being able to access our network resources which becomes a pain for everyone.

Also like OP we have a Group Policy to do this for our Windows clients.


Did you have any luck here dzejms?

 

[grahamperrin]

… to stop the staff from connecting to our BYOD and guest networks. …

networksetup(8) Mac OS X Manual Page

launchctl(1) Mac OS X Manual Page

At /Library/LaunchAgents you could add something to use networksetup with the -removepreferredwirelessnetwork flag for each of the two networks. (Removal requires admin privileges.)

Food for thought:

sh-3.2$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.9.5
BuildVersion:	13F1066
sh-3.2$ networksetup -listallhardwareports | grep -A 1 Wi-Fi
Hardware Port: Wi-Fi
Device: en1
sh-3.2$ networksetup -listpreferredwirelessnetworks en1
Preferred networks on en1:
	eduroam
	virginmedia4531387
	virgin broadband
	virginmedia7721352
	D-Link
	TALKTALK-5DDD24
	Three Graces
	BTHub3-3XMJ
	piano
sh-3.2$ networksetup -removepreferredwirelessnetwork en1 piano
Removed piano from the preferred networks list
Unable to commit systemconfig database.
** Error: Error obtaining wireless information.
sh-3.2$ sudo networksetup -removepreferredwirelessnetwork en1 piano
Password:
Removed piano from the preferred networks list
sh-3.2$ networksetup -listpreferredwirelessnetworks en1
Preferred networks on en1:
	eduroam
	virginmedia4531387
	virgin broadband
	virginmedia7721352
	D-Link
	TALKTALK-5DDD24
	Three Graces
	BTHub3-3XMJ

However, you can not assume that Wi-Fi will be at en1.

More food for thought: the accepted answer to How do I set a specific system setting using a script or a profile? System Preferences/Networks/WiFi/Require authorisation to turn wifi on/off – it's not the same question, but in the answer there's a neat demonstration of how to discover the port, and so on.

Also in Ask Different: How to hide or remove certain SSIDs from the wifi menubar icon – I added a bounty.

Last but not least, an interesting answer to Prevent from switching Wi-Fi networks. With that as inspiration, you could script something that switches to the appropriate network whenever the user connects to one of the two inappropriate networks.

For what it's worth, I'd go for scripted switching.

Whilst there might be the temptation to hide things, that's not ideal in an environment where some consistency is desirable. (Consider, for example, a member of staff demonstrating, to guests, steps towards connecting – without actually connecting. If you hide networks from members of staff then you may receive reports that those networks are not working properly.)