
OSXphoto

macrumors regular
Original poster
Dec 23, 2013
224
76
Hi all,

In my use case (see below) storing WiFi passwords in keychain (which is as designed) and syncing these passwords (adding and removing) is an issue. I'm looking for the easiest solution.

Use case
In our home network (all controlled by UniFi Cloud Key) we have different WiFi SSIDs, each on a separate subnet (VLAN) and segregated by firewall rules:

- "JansenFamily" for our Macs, iPads and iPhones
- "JansenExternal" for school and work laptops that are not managed by ourselves
- "JansenLegacy" for older devices that don't get security patches, such as very old Macs

My wife still uses a 2008 MacBook Unibody, which I assigned the "JansenLegacy" SSID. The WiFi password gets stored in her keychain.

My wife also sometimes uses my 2015 MacBook Pro and she has her own account on that machine. My 2015 MBP is assigned to "JansenFamily" and the WiFi password is stored in my keychain.

However, WiFi passwords stored on a machine are stored for all users on that machine.

Thus, when my wife logs on to my 2015 MBP, her keychain gets synced on that machine so the WiFi password for "JansenFamily" is stored in her keychain. Then when she logs on to the old 2008 MacBook again, her keychain gets synced on that machine, so that machine suddenly can connect to "JansenFamily" automatically, which is obviously not what I want.

Solution A
Dedicate one machine to one person only
Pros: straightforward easy solution
Cons: not flexible: My wife needs my 2015 MBP for some apps that don't run (so well) on the old MacBook

Solution B
Change the order of preferred networks on the 2008 MBP so that "JansenLegacy" is higher in the list
Pros: quick and easy
Cons: if for some reason "JansenLegacy" is not available or has a weaker signal, the machine will switch to "JansenFamily" after all

Solution C
Assign a whitelist to WiFi SSID "JansenFamily" containing only the MAC addresses of the devices that I allow to connect.
Pros: rock solid
Cons:
- tedious to do the work in the settings
- maintenance load: whenever a new device joins the family I need to update the whitelist

Solution D
Assign a blacklist to WiFi SSID "JansenFamily" containing only the MacBook MAC address.
Pros:
- rock solid
- faster than solution C
- maintenance load is similar in concept

Any other solutions you can think of?

Thanks!
 

OSXphoto

macrumors regular
Original poster
Dec 23, 2013
224
76
You are right on all three counts. But I prefer to stay safe and accept a bit of paranoia :).
Going to implement solution C as I don't see any other less maintenance-intensive options...
 

James_C

macrumors 68030
Sep 13, 2002
2,819
1,849
Bristol, UK
Easiest solution would be to buy your wife a new Mac and enable guest access on UniFi Cloud key to give access to the internet only for school and work devices.
 

OSXphoto

macrumors regular
Original poster
Dec 23, 2013
224
76
Wouldn't turning off Keychain syncing in System Preferences>iCloud for your wife's account on your MacBook Pro keep this from happening?
Good suggestion. Yes it most likely would, but then she would also lose Safari password syncing, which she uses a lot. But I will keep this in mind :D
 

OSXphoto

macrumors regular
Original poster
Dec 23, 2013
224
76
Easiest solution would be to buy your wife a new Mac and enable guest access on UniFi Cloud key to give access to the internet only for school and work devices.
Hi James, yes that is of course the best solution in terms of quality, but it's the worst in terms of spending. Actually I am planning on getting a couple of the first ARM MacBooks for the kids, so by then my wife can get the 2017 MBAir that our oldest is using now for school. Until then I will keep the VLAN active.
As for guest access: yes good point indeed. Still the guest access will have a different SSID with its own password, so the keychain-WiFi-password-keeps-popping-up issue will still be there.
 

ian87w

macrumors G3
Feb 22, 2020
8,704
12,636
Indonesia
IMO you can delete "JansenLegacy" and have the family machines connect to "JansenFamily." Just put an updated browser on her old machine with an ad blocker, make sure the Firewall is turned on, and I believe you'll be fine.
 

Taz Mangus

macrumors 604
Mar 10, 2011
7,815
3,504
On your wife's 2008 MacBook open System Preferences→Network→Advanced..., drag JansenLegacy to the top of the list and uncheck Auto-Join for JansenFamily. This way it forces your wife's MacBook to always auto-join JansenLegacy network.
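
Added example, not part of any post in this thread: because keychain syncing can put "JansenFamily" back into the saved-network list on the 2008 MacBook, a small check on that machine can report when the list contains anything other than "JansenLegacy". It assumes the Wi-Fi device is `en1` and that `networksetup -listpreferredwirelessnetworks` prints one header line followed by one indented SSID per line; the sample list is constructed so the script also runs on a machine without `networksetup`.

```shell
#!/bin/sh
# Added example (not from the thread): report saved Wi-Fi networks on the
# legacy Mac that are not the one SSID it is supposed to join.
ALLOWED_SSID="JansenLegacy"      # SSID name taken from the thread
WIFI_DEV="${WIFI_DEV:-en1}"      # assumption: Wi-Fi device name on this Mac

# Reads `networksetup -listpreferredwirelessnetworks` output on stdin
# (assumed layout: one header line, then one indented SSID per line) and
# prints every saved SSID other than the allowed one passed as $1.
unexpected_ssids() {
    allowed=$1
    sed -e '1d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r ssid; do
        if [ -n "$ssid" ] && [ "$ssid" != "$allowed" ]; then
            printf '%s\n' "$ssid"
        fi
    done
}

# Constructed sample of the list after a keychain sync has re-added the
# family network; used only when networksetup is not available.
sample_list() {
    printf 'Preferred networks on en1:\n\tJansenLegacy\n\tJansenFamily\n'
}

# Prints the unexpected SSIDs found on this machine (or in the sample).
audit() {
    if command -v networksetup >/dev/null 2>&1; then
        networksetup -listpreferredwirelessnetworks "$WIFI_DEV"
    else
        sample_list
    fi | unexpected_ssids "$ALLOWED_SSID"
}

found=$(audit)
if [ -n "$found" ]; then
    printf '%s\n' "$found" | sed 's/^/Unexpected saved network: /'
else
    echo "Only $ALLOWED_SSID is saved on $WIFI_DEV"
fi
```

A client-side check like this only detects the drift; the MAC allow-list from Solution C is what actually keeps the device off the "JansenFamily" SSID.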
 