Can I Restrict Airport Networks to Specific Mac User Accounts? [Ask MacRx]

WiFi Networks

Apple likes to make things as easy as possible to join WiFi networks, especially when the network isn’t password protected. However in one reader’s case this isn’t a good thing but rather a major headache:

Is there a way to RESTRICT joining certain wifi networks to certain OS X user accounts?
When using my MacBook Pro, I have two basic OS X logins. One for known SECURE wifi networks, and one for INSECURE wifi networks. The problem is that Airport settings always remember the INSECURE network, and almost always tries to connect my SECURE OSX login to the INSECURE wifi, at which point Mail (or other apps) start up and shoot my logs/passes across the air for all to see.

I know I can manually remove the insecure networks each time, but that’s painfully annoying. Likewise, for requiring manual approval to joining a network.

Scott

Hi Scott,

I’ve had my own share of frustrations with Macs joining networks other than what I prefer also. Airport seems to love open, non-password protected networks and will join “Linksys” or “D-Link” when I really want what I’ve used before.

I don’t know of a way to restrict access to specific WiFi network by user account, only by the machine’s MAC (ethernet or WiFi) address on the network. That said you do have some control over the process.

Once you have the secure and insecure networks remembered on the Mac, go to the Network System Preference Pane, select Airport (or WiFi), then click the Advanced button. You’ll see a list of networks the Mac has previously joined, which you can drag in order of preference. Put the ones you want at the top, remove the rest, then uncheck the box to Remember networks this computer has joined. That should behave more consistently.

Related
  • Timothy Levesque

    You can write a shell script and use launchd to tell it to stay connected to a specific network.    In the following script it not only does this but also keeps the airport turned on.  Basically what this script does is watch the airport status, if it is turned off it will check for the correct access point which is determined by the SSID you enter into the script…once it finds the correct wireless network it connects the airport to it when it powers on.  This is a good way to ensure that you are always connecting to the right network.  The great thing about this script is that you can place different versions of it (Different SSIDs) and then place a different launchd script into each users LaunchAgent folder to point to the correct script and force them to connect to the correct SSID. 
    An example of the script is below:

    —————————————————————————-
    APSTATUS=`networksetup -getairportpower en0 | awk ‘{print $4}’`
    WIFILIST=”THESSIDYOUWANTTHEMTOCONNECTTO”

    # Check for power status
    if [ ${APSTATUS} == "Off" ] ;then
            networksetup -setairportpower en0 On
    fi
    sleep 4
    # Network scan
    AVAILWIFI=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s | awk ‘{print $1}’`

    for NETWORKSCAN in ${AVAILWIFI}
            do 
                    for YOURNET in ${WIFILIST}
                            do
                                    if [ ${YOURNET} == ${NETWORKSCAN} ]; then
                                            networksetup -setairportnetwork en0 ${YOURNET}
                                    fi
                            done
                    done
    exit

    ————————————————

    You can edit this to remove the airport status / power on section.  You will also need to check that your airport adapter is addressed as en0..if it is addressed differently, such as en1 …you will need to change that in the script.

  • harringtonjw

    If you want to restrict by username you’ll need to setup a radius server. I have a radius server that authenticates against my Apple Open Directory server however you can also have it authenticate against Active Directory or setup a simple standalone LDAP server

  • Anthonygodwin

    BTW, you’re trying to connect to an unsecured network. An insecure network doesn’t really know who it is or what it’s doing.

  • Adam Rosen

    LOL!  Good point!

About the author

Adam RosenAdam Rosen is an IT consultant specializing in Apple Macintosh systems new and old. He lives in Boston with two cats and too many possessions. In addition to membership in the Cult of Mac, Adam has written for Low End Mac and is curator of the Vintage Mac Museum. He also enjoys a good libation.

(sorry, you need Javascript to see this e-mail address)| Read more posts by .

Posted in How-To, MacRx | Tagged: , , , |