Configuration profiles for utguest restriction
- Katelyn Russell
Introduction
UT policy requires that employees do not use the "utguest" wireless network and instead use the "utexas" wireless network when working with UT data. UT System is mandating that UT Austin develop a solution to prevent employees from using the utguest wireless network. The solution on this wiki page uses a Jamf policy that runs a script, is available offline, and is triggered on network state change.
The script used in this policy was copied from a Jamf Nation post and slightly modified for our environment. The script was tested on macOS 10.12.x, 10.13.x, 10.14.x, and 10.15.0.
End User Experience
Whenever the user changes network state (changing Wi-Fi networks, going from wireless to wired, etc.), the script in this policy runs. The first thing the script does is place the "utexas" Wi-Fi network at the top of the preferred Wi-Fi network list in macOS so that it is connected to first whenever it is detected. Next the script checks whether the computer is connected to the "utguest" network. If it is, the Wi-Fi interface is turned off, the utguest Wi-Fi network is removed from the preferred network list, and a message is displayed to the end user. The message informs the user of the utguest network policy and that when they turn the Wi-Fi interface on again, it will connect them to the "utexas" Wi-Fi network.
Policy Setup Instructions
- Log into the Jamf admin interface and create a new script with the following contents:
- Shell Script to Ban UTGuest Wi-Fi Connections:

```zsh
#!/bin/zsh
## Blocks access to Guest network

# VARIABLES

# Get the wireless network service (wservice)
wservice=`/usr/sbin/networksetup -listallnetworkservices | grep -Ei '(Wi-Fi|AirPort)'`

# Get the wireless hardware port (whwport), e.g. en0
whwport=`networksetup -listallhardwareports | awk "/$wservice/,/Ethernet Address/" | awk 'NR==2' | cut -d " " -f 2`

# Find the Wi-Fi hardware port by its "Hardware Port: Wi-Fi" heading (hwports)
hwports=`networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2`

# Get the wireless network (wirelessnw)
wirelessnw=`networksetup -getairportnetwork "$hwports" | cut -d " " -f 4`

# Get the SSID (kept for reference; not used later in the script)
SSID=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep ' SSID:' | cut -d ':' -f 2 | tr -d ' '`

# Work SSID
WorkSSID=utexas

# Authentication to use, e.g. WPA2 Enterprise
Auth=WPA2E

# Index for SSID (0 = top of the preferred list)
Index=0

# SSIDs to Block
#Block1=XXXXXX

####################################################################################

# Set the preferred wireless network to WorkSSID
/usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$whwport" "$WorkSSID" "$Index" "$Auth"

# Turn the wireless hardware port on
# Uncomment this line if you want to force the Wi-Fi connection to always be enabled
#/usr/sbin/networksetup -setairportpower "$whwport" on

# Re-read the wireless network (wirelessnw) after updating the preferred list
wirelessnw=`networksetup -getairportnetwork "$hwports" | cut -d " " -f 4`

# Block wireless networks
case "$wirelessnw" in
    utguest)
        networksetup -setairportpower "$whwport" off
        # Remove guest network from preferred network list to prevent endless looping
        /usr/sbin/networksetup -removepreferredwirelessnetwork "$whwport" utguest
        # Display message to user: connect to the UT Employee wireless network
        TITLE="UTGuest Wireless Network Access Denied"
        MSG="Please turn on your Wi-Fi in order to connect to the UT employee wireless network \"utexas\". Wireless network connections to the \"utguest\" network by UT employees is not permitted per UT policy.

This wireless network is only to be used by guests of the University who are not a current faculty, staff, or student. Contact the College of Education Information Technology Office (ITO) for questions or concerns - (512) 471-4357, help@education.utexas.edu."
        /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "$TITLE" -description "$MSG" -button1 "Close" -lockHUD
        ;;
esac

exit 0
```
- Create a new Jamf policy with the following settings:
- Trigger: Network State Change
- Execution Frequency: Ongoing
- Make Available Offline: Enabled
- Scripts: Select the script you created in step 1
- Scope: Set the scope to cover the macOS computers you want to deploy this policy to.
Future Improvements
- It would be good to use the Jamf script parameters capability so that the "banned" Wi-Fi networks and the "work/trusted" Wi-Fi network are variables defined by two script parameters rather than hard-coded in the script.
Non-Jamf Implementations
It is probably possible to take the script above and configure it as a cron job, LaunchDaemon, or something similar so that it runs at regular intervals and checks for an active connection to the utguest network. The Jamf-specific jamfHelper command that displays the notification window would need to be replaced with a notification mechanism that is available on the target computers.
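One way to pursue both of the points above (script parameters, and running outside Jamf), as an added example that is not the wiki's own script: the trusted and banned SSIDs are read from Jamf script parameters $4 and $5 (assumed to be the two parameters you assign in the policy; defaults apply when they are empty), and when jamfHelper is not installed the notice is shown with an osascript dialog so the same script can run from a LaunchDaemon. The helper function names are my own, and the macOS-specific enforcement only runs where networksetup exists.

```shell
#!/bin/sh
# Added example, not the wiki's script: trusted and banned SSIDs come from
# Jamf script parameters $4 and $5 (defaults below), and the notification
# falls back to an AppleScript dialog when jamfHelper is absent (non-Jamf use).
TRUSTED_SSID="${4:-utexas}"   # work/trusted SSID, Jamf parameter 4
BANNED_SSIDS="${5:-utguest}"  # comma-separated banned SSIDs, Jamf parameter 5
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# is_banned SSID LIST: succeeds when SSID equals one entry of the comma-separated LIST
is_banned() {
    old_ifs=$IFS; IFS=,
    for entry in $2; do
        if [ "$1" = "$entry" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}
# wifi_port: device name (e.g. en0) of the Wi-Fi hardware port
wifi_port() {
    networksetup -listallhardwareports |
        awk '/^Hardware Port: (Wi-Fi|AirPort)/ { getline; print $2; exit }'
}
# current_ssid PORT: SSID joined on PORT, empty when not associated
current_ssid() {
    networksetup -getairportnetwork "$1" | sed -n 's/^Current Wi-Fi Network: //p'
}
# notify TITLE MSG: jamfHelper HUD when installed, otherwise an osascript dialog
notify() {
    if [ -x "$JAMF_HELPER" ]; then
        "$JAMF_HELPER" -windowType hud -title "$1" -description "$2" -button1 "Close" -lockHUD
    else
        osascript -e "display dialog \"$2\" with title \"$1\" buttons {\"Close\"} default button 1"
    fi
}
enforce() {
    port=$(wifi_port)
    [ -n "$port" ] || return 0
    # Keep the trusted network first in the preferred list so it is joined automatically
    networksetup -addpreferredwirelessnetworkatindex "$port" "$TRUSTED_SSID" 0 WPA2E
    ssid=$(current_ssid "$port")
    if is_banned "$ssid" "$BANNED_SSIDS"; then
        networksetup -setairportpower "$port" off
        networksetup -removepreferredwirelessnetwork "$port" "$ssid"   # avoid auto-rejoin loop
        notify "Wireless Network Access Denied" "Please turn Wi-Fi back on to join \"$TRUSTED_SSID\". Connecting to \"$ssid\" is not permitted by UT policy."
    fi
}
# Run enforcement only where networksetup exists (macOS); the helpers stay testable elsewhere
command -v networksetup >/dev/null 2>&1 && enforce
```

For a LaunchDaemon, point ProgramArguments at this script and pass the two SSID values as the fourth and fifth arguments, matching the Jamf parameter positions.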
EPM is available to IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization.