Block connection to specific SSID

Discussion in 'OS X Mavericks (10.9)' started by Glaic, Aug 7, 2014.

  1. Glaic macrumors newbie

    Aug 7, 2014
    Hi All,

    We have CISCO enterprise level WAPs (1142 upto 3602 models) across multiple sites (lets say 20 sites for this scenario). These WAPs all advertise the same 2 networks, we'll call them INTERNAL and EXTERNAL.

    Devices owned by us and issued to users are on the INTERNAL network via a certificate and AD object, devices not owned by us connect based upon the users credentials to the EXTERNAL network (phones tablets etc) - and get put directly to the internet via our proxy/firewall setup and have no access to anything internal.

    Now, for our Windows devices certificated to the INTERNAL network we have a Group Policy Object which prevents their connection to the EXTERNAL network.

    Our MAC OSX 10.9.x devices also certificate onto the INTERNAL network - however, users can opt to connect these to the EXTERNAL network due to a lack software level policy to prevent it.

    This causes headaches for IT support, as users then complain printers/mounted shares/internal only sites don't work.

    We can't easily manage MAC addresses for the fleet (keeping track of MAC addresses across 20 sites is far too involved), and we outsource management of our controllers anyway which means on site techs don't have access to blacklist/whitelist MACs on a whim.

    What I am looking for is a profile based lock down to the wireless to prevent users connecting to networks named EXTERNAL, not a DHCP change, not a controller level change - I am hunting for a client OS level fix, that straight up hides the EXTERNAL name, or otherwise gives them a message that connection to it is disallowed by their administrator.

    So far google has turned up nothing but users who once connected to a network and don't know how to disconnect themselves.. And a few people suggesting that we push a dummy profile that then fails, which is just an ugly response to what should be a cleanly resolvable fault.

    Lastly, users need to maintain ability to connect to other networks, for when they take their laptops home.

    I tried a forum search, and a google search on this site - I found one relevant topic: (didn't want to necro it) and it was dealing with someone who lacked the enterprise level system we have.

    Thoughts.. ideas? all welcome.

  2. dzejms macrumors member


    Aug 23, 2013
    It should be doable with automator script. I will have a look, as i might need it at work too.
  3. Nodle, Feb 23, 2015
    Last edited: Feb 23, 2015

    Nodle macrumors newbie

    Feb 23, 2015
    Holey thread revival batman!

    I have an equivalent set up to OP where we have 3 networks.
    The first of which is authenticated via cert and AD object (The trusted wireless)
    The second is a captive portal which we use for BYOD devices and has no access to our network unless you authenticate through the captive portal with radius to allow Limited network access
    The third is another captive portal which we create accounts on our controller. This is the guest network for visitors and has no access to our network.

    Like OP, I too would like to stop the staff from connecting to our BYOD and guest networks.
    When they do this stops them being able to access our network resources which becomes a pain for everyone.

    Also like OP we have a Group Policy to do this for our Windows clients.

    Did you have any luck here dzejms?
  4. grahamperrin macrumors 601


    Jun 8, 2007
    networksetup(8) Mac OS X Manual Page

    launchctl(1) Mac OS X Manual Page

    At /Library/LaunchAgents you could add something to use networksetup with the -removepreferredwirelessnetwork flag for each of the two networks. (Removal requires admin privileges.)

    Food for thought:

    sh-3.2$ sw_vers
    ProductName:	Mac OS X
    ProductVersion:	10.9.5
    BuildVersion:	13F1066
    sh-3.2$ networksetup -listallhardwareports | grep -A 1 Wi-Fi
    Hardware Port: Wi-Fi
    Device: en1
    sh-3.2$ networksetup -listpreferredwirelessnetworks en1
    Preferred networks on en1:
    	virgin broadband
    	Three Graces
    sh-3.2$ networksetup -removepreferredwirelessnetwork en1 piano
    Removed piano from the preferred networks list
    Unable to commit systemconfig database.
    ** Error: Error obtaining wireless information.
    sh-3.2$ sudo networksetup -removepreferredwirelessnetwork en1 piano
    Removed piano from the preferred networks list
    sh-3.2$ networksetup -listpreferredwirelessnetworks en1
    Preferred networks on en1:
    	virgin broadband
    	Three Graces
    However, you can not assume that Wi-Fi will be at en1.

    More food for thought: the accepted answer to How do I set a specific system setting using a script or a profile? System Preferences/Networks/WiFi/Require authorisation to turn wifi on/off – it's not the same question, but in the answer there's a neat demonstration of how to discover the port, and so on.

    Also in Ask Different: How to hide or remove certain SSIDs from the wifi menubar icon – I added a bounty.

    Last but not least, an interesting answer to Prevent from switching Wi-Fi networks. With that as inspiration, you could script something that switches to the appropriate network whenever the user connects to one of the two inappropriate networks.

    For what it's worth, I'd go for scripted switching.

    Whilst there might be the temptation to hide things, that's not ideal in an environment where some consistency is desirable. (Consider, for example, a member of staff demonstrating, to guests, steps towards connecting – without actually connecting. If you hide networks from members of staff then you may receive reports that those networks are not working properly.)

Share This Page