Terminal Commands for Managing OS X WiFi Configuration: Disabling Wireless and Enforcing Admin Privileges



When managing enterprise Mac deployments, controlling wireless network configurations becomes crucial for security and network management. The primary objectives are:

  • Disabling WiFi interfaces across multiple machines
  • Enforcing admin privileges for WiFi configuration changes
  • Implementing these controls via terminal commands for remote deployment

The foundational command for WiFi management is the networksetup utility. To disable WiFi:

networksetup -setairportpower en1 off

To verify the current status:

networksetup -getairportpower en1

For enterprise management, we need deeper control than simple interface toggling. The solution involves modifying system preferences files and permissions.

Method 1: Using defaults Command

This modifies the system preferences plist file:

sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminIBSS -bool YES
sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminNetworkChange -bool YES
sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminPowerToggle -bool YES

Method 2: Direct Plist Modification

For more granular control, edit the plist directly:

sudo /usr/libexec/PlistBuddy -c "Add :RequireAdminIBSS bool true" /Library/Preferences/com.apple.airport.bt.plist
sudo /usr/libexec/PlistBuddy -c "Add :RequireAdminNetworkChange bool true" /Library/Preferences/com.apple.airport.bt.plist

For mass deployment via RDM, combine these commands into a script:

#!/bin/bash

# Disable WiFi immediately
networksetup -setairportpower en1 off

# Configure admin requirements
sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminIBSS -bool YES
sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminNetworkChange -bool YES
sudo defaults write /Library/Preferences/com.apple.airport.bt.plist RequireAdminPowerToggle -bool YES

# Set proper permissions
sudo chmod 644 /Library/Preferences/com.apple.airport.bt.plist
sudo chown root:admin /Library/Preferences/com.apple.airport.bt.plist

# Restart cfprefsd so the cached preference values are reloaded from disk
sudo killall cfprefsd

After implementation, verify the settings:

defaults read /Library/Preferences/com.apple.airport.bt.plist

Common issues and solutions:

  • If changes don't persist after reboot, check System Integrity Protection status
  • For managed environments, consider creating a Configuration Profile instead
  • Interface names (en1) may vary - check with networksetup -listallhardwareports

For large deployments, Mobile Device Management (MDM) with configuration profiles provides better scalability:

<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.wifi.restrictions</string>
            <key>PayloadUUID</key>
            <string>YOUR-UUID-HERE</string>
            <key>PayloadDisplayName</key>
            <string>WiFi Restrictions</string>
            <key>RequireAdministratorForIBSS</key>
            <true/>
            <key>RequireAdministratorForNetworkChange</key>
            <true/>
            <key>RequireAdministratorForPowerToggle</key>
            <true/>
        </dict>
    </array>
</dict>

When administering a fleet of macOS devices in corporate environments, controlling wireless network access becomes crucial for security and compliance. The standard GUI approach doesn't scale for hundreds of machines, necessitating terminal-based solutions that can be deployed through RMM tools or MDM solutions.

Basic WiFi power control is straightforward:

# Turn WiFi off
networksetup -setairportpower en0 off

# Turn WiFi on 
networksetup -setairportpower en0 on

Note: Interface names may vary (en0, en1, etc.). Find yours with:

networksetup -listallhardwareports
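
Because the device name differs between machines, a deployment script can resolve it from the `networksetup -listallhardwareports` output instead of hard-coding en0 or en1. The following is an added example, not part of the original article; the function names (`wifi_device`, `disable_wifi`), the `--apply` switch and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example: look up the Wi-Fi device instead of hard-coding en0/en1.

# Constructed sample of `networksetup -listallhardwareports` output.
SAMPLE_PORTS='Hardware Port: Ethernet
Device: en0
Ethernet Address: 00:00:5e:00:53:01

Hardware Port: Wi-Fi
Device: en1
Ethernet Address: 00:00:5e:00:53:02

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: N/A'

# Read a hardware-port listing on stdin and print the Wi-Fi device name.
# Matches "Wi-Fi" and the older "AirPort" port label; exit status 1 if none.
wifi_device() {
    awk -F': ' '
        /^Hardware Port: / { is_wifi = ($2 == "Wi-Fi" || $2 == "AirPort") }
        /^Device: / && is_wifi { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Turn Wi-Fi off on the resolved device and confirm the reported state.
disable_wifi() {
    dev=$(networksetup -listallhardwareports | wifi_device) || {
        echo "No Wi-Fi hardware port on this machine; nothing to disable" >&2
        return 0
    }
    networksetup -setairportpower "$dev" off || return 1
    state=$(networksetup -getairportpower "$dev")
    case "$state" in
        *": Off") echo "Wi-Fi ($dev) is off" ;;
        *) echo "Wi-Fi ($dev) still reports: $state" >&2; return 1 ;;
    esac
}

# Only touch the system when explicitly asked (hypothetical --apply switch).
if [ "${1:-}" = "--apply" ]; then
    disable_wifi
fi
```

Run with `--apply` as root on the target Mac; a non-zero exit status means the interface still reports a state other than Off, which a management tool can surface as a failed policy.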

To enforce admin requirements for network changes, we need to modify System Preferences privileges using the security utility and authorization database:

# Create a temporary authorization right file
cat > /tmp/network.rights <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>allow-root</key>
    <true/>
    <key>authenticate-user</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Requires admin authentication for network changes</string>
    <key>created</key>
    <real>$(date +%s)</real>
    <key>group</key>
    <string>admin</string>
    <key>modified</key>
    <real>$(date +%s)</real>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>0</integer>
    <key>tries</key>
    <integer>10000</integer>
    <key>version</key>
    <integer>0</integer>
</dict>
</plist>
EOF

# Apply the authorization right
sudo security authorizationdb write system.preferences.network < /tmp/network.rights
sudo security authorizationdb write system.services.systemconfiguration.network < /tmp/network.rights

For mass deployment, package these commands in a script and deploy via:

  • Jamf Pro (using policies or configuration profiles)
  • Munki (via postinstall scripts)
  • Ansible playbooks for macOS management

Sample deployment script structure:

#!/bin/bash

# Disable WiFi
networksetup -setairportpower en0 off

# Set admin requirements
security authorizationdb write system.preferences.network < /path/to/network.rights
security authorizationdb write system.services.systemconfiguration.network < /path/to/network.rights

# Optional: also set the admin-requirement preference keys for WiFi changes
defaults write /Library/Preferences/com.apple.airport.bt.plist ReqAdminWifi -bool YES
defaults write /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist RequireAdminNetworkChange -bool YES

To verify the settings took effect:

security authorizationdb read system.preferences.network

Common issues include:

  1. Incorrect interface identifier (use networksetup -listallhardwareports to verify)
  2. SIP (System Integrity Protection) interfering with authorizationdb changes
  3. MDM profile conflicts with local settings

For more granular control, create mobileconfig profiles using tools like mcxToProfile or Apple Configurator:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>WiFi Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.company.wifirestrictions</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>$(uuidgen)</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>RequireAdminPowerToggle</key>
            <true/>
            <key>RequireAdminNetworkChange</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Restricts WiFi configuration changes to admins</string>
    <key>PayloadDisplayName</key>
    <string>Network Restrictions</string>
    <key>PayloadIdentifier</key>
    <string>com.company.networkpolicy</string>
    <key>PayloadOrganization</key>
    <string>Your Organization</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>$(uuidgen)</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>