Configuration profiles for utguest restriction

Introduction

UT policy requires that employees do not use the "utguest" wireless network and instead use the "utexas" wireless network when working with UT data. UT System is mandating that UT Austin develop a solution to prevent employees from using the utguest wireless network. The approach documented on this wiki page uses a Jamf policy, a script, and offline availability so that the check runs on every network state change.

The script used in this policy was copied from a Jamf Nation post and slightly modified for our environment. It was tested on macOS 10.12.x, 10.13.x, 10.14.x, and 10.15.0.

End User Experience

Whenever the computer changes network state (joining a different Wi-Fi network, switching from wireless to wired, etc.), the script in this policy executes. The script first places the "utexas" Wi-Fi network at the top of the preferred Wi-Fi network list in macOS so that it is joined first whenever it is detected. Next the script checks whether the computer is connected to the "utguest" network. If it is, the Wi-Fi interface is turned off, the utguest network is removed from the preferred Wi-Fi network list, and a message is displayed to the end user. The message informs the user of the utguest network policy and tells them that when they turn the Wi-Fi interface back on, it will connect to the "utexas" Wi-Fi network.

Policy Setup Instructions

  1. Log into the Jamf admin interface and create a new script with the following contents:
    1. Shell Script to Ban UTGuest Wi-Fi Connections
      #!/bin/zsh
      
      ## Blocks access to the guest network
      
      #  VARIABLES
      
      # Get the wireless network service name (wservice), e.g. "Wi-Fi"
      # (head keeps only the first match so the awk range below gets a single pattern)
      wservice=$(/usr/sbin/networksetup -listallnetworkservices | grep -Ei '(Wi-Fi|AirPort)' | head -n 1)
      
      # Get the wireless hardware port / device name (whwport), e.g. "en0"
      whwport=$(/usr/sbin/networksetup -listallhardwareports | awk "/$wservice/,/Ethernet Address/" | awk 'NR==2' | cut -d " " -f 2)
      
      # Get the Wi-Fi device name a second way (hwports); on Macs with a single
      # radio this is the same device as whwport
      hwports=$(/usr/sbin/networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2)
      
      # Get the SSID via the airport utility (not used below; kept for debugging)
      SSID=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I \
        | grep ' SSID:' | cut -d ':' -f 2 | tr -d ' ')
      
      # Work SSID
      WorkSSID=utexas
      
      # Authentication type of the work SSID, e.g. WPA2 Enterprise
      Auth=WPA2E
      
      # Index at which to insert the work SSID in the preferred list (0 = top)
      Index=0
      
      # Additional SSIDs to block (add a case branch below for each one)
      #Block1=XXXXXX
      
      ####################################################################################
      
      # Put WorkSSID at the top of the preferred wireless network list
      /usr/sbin/networksetup -addpreferredwirelessnetworkatindex "$whwport" "$WorkSSID" "$Index" "$Auth"
      
      # Turn the wireless hardware port on
      # Uncomment this line if you want to force the Wi-Fi connection to always be enabled
      #/usr/sbin/networksetup -setairportpower "$whwport" on
      
      # Get the currently connected wireless network (wirelessnw).
      # Output looks like "Current Wi-Fi Network: utguest", so field 4 is the SSID
      # (an SSID containing spaces would be truncated here)
      wirelessnw=$(/usr/sbin/networksetup -getairportnetwork "$hwports" | cut -d " " -f 4)
      
      # Block wireless networks
      
      case "$wirelessnw" in
          utguest)
              /usr/sbin/networksetup -setairportpower "$whwport" off
      
              # Remove the guest network from the preferred network list to prevent endless looping
              /usr/sbin/networksetup -removepreferredwirelessnetwork "$whwport" utguest
      
              # Display a message telling the user to connect to the UT employee wireless network
              TITLE="UTGuest Wireless Network Access Denied"
              MSG="Please turn on your Wi-Fi in order to connect to the UT employee wireless network \"utexas\". Wireless network connections to the \"utguest\" network by UT employees are not permitted per UT policy. This wireless network is only to be used by guests of the University who are not current faculty, staff, or students. Contact the College of Education Information Technology Office (ITO) for questions or concerns - (512) 471-4357, help@education.utexas.edu."
      
              /Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "$TITLE" -description "$MSG" -button1 "Close" -lockHUD
          ;;
      esac
      
      exit 0
      
      
  2. Create a new Jamf policy with the following settings:
    1. Trigger: Network State Change
    2. Execution Frequency: Ongoing
    3. Make Available Offline: Enabled
    4. Scripts: Select the script you created in step 1
    5. Scope: Set the scope to cover the macOS computers you want to deploy this policy to.

Future Improvements

  • It would be good to use Jamf's script parameters so that the "banned" Wi-Fi networks and the "work/trusted" Wi-Fi network are supplied as two script parameters instead of being hard-coded in the script.

Non-Jamf Implementations

It should be possible to take the script above and run it from a cron job, LaunchDaemon, or similar mechanism at regular intervals to check for an active connection to the utguest network. The Jamf-specific command that displays the notification window (jamfHelper) would need to be replaced with a notification mechanism available on the target computers.
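For the non-Jamf variant described above and the parameterized SSID lists suggested under Future Improvements, here is an added example (not the wiki's script and not Jamf's code) that takes the trusted and banned SSIDs as arguments, parses the networksetup output without assuming a space-free SSID, and replaces jamfHelper with osascript. It assumes the Wi-Fi device name can be read from the hardware-port listing and that the trusted SSID uses WPA2 Enterprise.

```shell
#!/bin/sh
# Added example (not the wiki's script): Jamf-free utguest check with the
# banned/trusted SSIDs as parameters and osascript instead of jamfHelper.
# All macOS-only commands stay inside wifi_device() and enforce().

# Print the SSID from `networksetup -getairportnetwork` output, or nothing
# when the radio is off or not associated with any network.
current_ssid_from_output() {
    case "$1" in
        "Current Wi-Fi Network: "*) printf '%s\n' "${1#Current Wi-Fi Network: }" ;;
        *) ;;
    esac
}

# is_banned SSID "ssid1 ssid2 ..." -> status 0 when SSID is in the list.
is_banned() {
    for _b in $2; do
        [ "$1" = "$_b" ] && return 0
    done
    return 1
}

# Device name of the Wi-Fi port (en0 on most Macs), read from the port listing.
wifi_device() {
    networksetup -listallhardwareports \
        | awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { getline; print $2; exit }'
}

# enforce DEVICE TRUSTED_SSID "BANNED_SSIDS": returns 0 when a banned SSID was
# found and the radio was turned off, 1 otherwise.
enforce() {
    _dev=$1; _trusted=$2; _banned=$3
    networksetup -addpreferredwirelessnetworkatindex "$_dev" "$_trusted" 0 WPA2E
    _ssid=$(current_ssid_from_output "$(networksetup -getairportnetwork "$_dev")")
    is_banned "$_ssid" "$_banned" || return 1
    networksetup -setairportpower "$_dev" off
    networksetup -removepreferredwirelessnetwork "$_dev" "$_ssid"
    osascript -e 'on run argv' \
        -e 'display dialog (item 1 of argv) with title (item 2 of argv) buttons {"Close"} default button 1' \
        -e 'end run' \
        "Connections to \"$_ssid\" are not permitted by UT policy. Turn Wi-Fi back on to join \"$_trusted\"." \
        "Wireless Network Access Denied"
}

# Usage: utguest-check.sh [trusted-ssid] [banned-ssids]; only acts on a Mac,
# so the parsing functions above can be sourced and tested elsewhere.
if command -v networksetup >/dev/null 2>&1; then
    enforce "$(wifi_device)" "${1:-utexas}" "${2:-utguest}"
fi
```

To run it outside Jamf, a LaunchDaemon with WatchPaths on /Library/Preferences/SystemConfiguration/ fires it on network changes (an assumption about launchd, not something the wiki describes); the osascript dialog is only visible when the script runs in the logged-in user's session.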
