Configuration profiles for utguest restriction
Introduction
UT policy requires that employees use the "utexas" wireless network, not the "utguest" wireless network, when working with UT data. UT System is mandating that UT Austin develop a solution to prevent employees from using the utguest wireless network. The policy on this wiki page uses Jamf, a script, and an offline policy that executes on network state change to accomplish this.
The script used in this policy was copied from a Jamf Nation post and slightly modified for our environment. It was tested on macOS 10.12.x, 10.13.x, 10.14.x, and 10.15.0.
End User Experience
Whenever the user changes network state (changes Wi-Fi networks, goes from wireless to wired, etc.), the script in this policy executes. The script first moves the "utexas" Wi-Fi network to the top of the preferred list of Wi-Fi networks in macOS so that it is connected to first when detected. Next, the script checks whether the person is connected to the "utguest" network. If they are, the Wi-Fi interface is turned off, the utguest Wi-Fi network is removed from the preferred list of Wi-Fi networks in macOS, and a message is displayed to the end user. The message informs them of the utguest network policy and that when they turn their Wi-Fi interface on again, it will connect them to the "utexas" Wi-Fi network.
Policy Setup Instructions
1. Log into the Jamf admin interface and create a new script with the following contents:
2. Create a new Jamf policy with the following settings:
   - Trigger: Network State Change
   - Execution Frequency: Ongoing
   - Make Available Offline: Enabled
   - Scripts: Select the script you created in step 1
   - Scope: Set the scope to cover the macOS computers you want to deploy this policy to.
Future Improvements
It would be good to use Jamf's script parameters capability so that the "banned" Wi-Fi networks and the "work/trusted" Wi-Fi network become variables that can be defined with two script parameters.
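One way the parameterised form could look, following the behaviour described under End User Experience. This is an added example, not the script this policy deploys: the use of parameters 4 and 5, the function names, the WPA2E security type and the message wording are assumptions, and the SSID parsing expects the `Current Wi-Fi Network:` line that `networksetup -getairportnetwork` prints on the macOS versions listed above.

```bash
#!/bin/bash
# Added example. Jamf fills $1-$3 itself; custom script parameters start at $4.
BANNED_SSID="${4:-utguest}"     # parameter 4: network that must not be used
TRUSTED_SSID="${5:-utexas}"     # parameter 5: network to prefer
TRUSTED_SECURITY="WPA2E"        # assumption: trusted network is WPA2 Enterprise

# Print the device name (for example en0) of the Wi-Fi hardware port.
wifi_device() {
  networksetup -listallhardwareports |
    awk '/^Hardware Port: (Wi-Fi|AirPort)$/ { getline; print $2; exit }'
}

# Print the SSID the device is joined to; prints nothing when not associated.
current_ssid() {
  networksetup -getairportnetwork "$1" | sed -n 's/^Current Wi-Fi Network: //p'
}

# Jamf-specific notification; replace the body for a non-Jamf deployment.
notify_user() {
  /usr/local/bin/jamf displayMessage -message "$1"
}

# Returns 0 if the banned network was in use and Wi-Fi was turned off,
# 1 if nothing had to be done, 2 if no Wi-Fi device was found.
enforce_wifi_policy() {
  local banned="$1" trusted="$2" dev
  dev="$(wifi_device)"
  [ -n "$dev" ] || return 2
  # Re-add the trusted network at index 0 so it is joined first when in range.
  networksetup -removepreferredwirelessnetwork "$dev" "$trusted" >/dev/null 2>&1
  networksetup -addpreferredwirelessnetworkatindex \
    "$dev" "$trusted" 0 "$TRUSTED_SECURITY" >/dev/null
  # Exact comparison: a substring match would also hit names like "utguest-lab".
  [ "$(current_ssid "$dev")" = "$banned" ] || return 1
  networksetup -setairportpower "$dev" off
  networksetup -removepreferredwirelessnetwork "$dev" "$banned" >/dev/null 2>&1
  notify_user "Policy does not allow \"$banned\" for work with UT data. Wi-Fi was turned off; turn it back on to join \"$trusted\"."
  return 0
}

# Run only where networksetup exists (macOS); a non-zero result is not an error.
if command -v networksetup >/dev/null 2>&1; then
  enforce_wifi_policy "$BANNED_SSID" "$TRUSTED_SSID" || true
fi
```

With this form, the two network names are entered as Parameter 4 and Parameter 5 in the policy's Scripts payload, and the defaults apply when they are left blank.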
Non-Jamf Implementations
It is probably possible to take the script above and configure it as a cron job, LaunchDaemon, or something similar so that it runs at regular intervals to check for an active connection to the utguest network. The Jamf-specific command to display the notification window would need to be replaced with something else available on the computers.