Our wireless network uses WPA Enterprise, which requires users to enter both their username and their password. We do this for two reasons. First, we like the extra security. Second, we like to be able to track down who was doing what on the network if an issue ever comes up.
We also have a number of "general use" laptops that people can use for various purposes: PowerPoint presentations, weekend services, working away from their desk, etc. On these laptops we don't want the system to remember the wireless network and automatically reconnect to it with the previous user's identity credentials. Here is the documentation for what we did to make this possible.
First, you will want to go into System Preferences, Network, and open the Advanced settings on the AirPort adapter. The Remember networks this computer has joined option should be turned off. You know that little checkbox that asks if you want to remember this network, the one that is checked by default? This makes it unchecked by default. Not perfect, but much more helpful. Second, the Disconnect when logging out option should be turned on. This will, as it says, disconnect from the AirPort network when the user logs out. Just a helpful cleanup.
Next we use a LogoutHook script to reset a few things on the laptop. There are actually 2 scripts, but one just calls the other. I decided to create a single LogoutHook.sh script that calls all the other logout hook scripts, in case I decide to add more in the future. You want both of these scripts owned by root, and because the LogoutHook runs them as root, they should not be writable by any other user. The easiest way to create them is in Terminal, using sudo nano filename to edit the file.
You will want to create the following script in /usr/local/bin/LogoutHook.sh
#!/bin/sh
#
/usr/bin/logger -i "Running Logout Hooks..."
/usr/local/bin/airport-cleanup.sh
/usr/bin/logger -i "Finished with Logout Hooks..."
You will then need to mark the script as executable: sudo chmod a+x /usr/local/bin/LogoutHook.sh
Next create the cleanup script in /usr/local/bin/airport-cleanup.sh
#!/bin/sh
#
# This script is designed to be run as root via the LogoutHook system.
# Its purpose is to ensure that the airport system has been disconnected
# and all EAP entries have been removed. It also restores the keychain
# to a vanilla keychain if one exists.
#
AIRPORT="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"
#
# Disconnect from the airport network and remove all preferred networks.
#
"$AIRPORT" -z
/usr/sbin/networksetup -removeallpreferredwirelessnetworks AirPort
#
# Delete any EAP 802.1x profiles.
#
rm -f /Users/*/Library/Preferences/com.apple.eap.profiles.plist
rm -f /Users/*/Library/Preferences/ByHost/com.apple.eap.bindings.*
Again, mark the script as executable: sudo chmod a+x /usr/local/bin/airport-cleanup.sh
Finally, you need to register the LogoutHook script in the system:
sudo defaults write com.apple.loginwindow LogoutHook "/usr/local/bin/LogoutHook.sh"
Now, every time a user logs out it should "de-configure" the airport settings. If somebody manually checks the Remember this network checkbox when connecting to the wireless network, it will save the password in their keychain. This will not cause an automatic reconnect or anything; it just leaves the password around. So far this script setup has worked well for us.
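The setup above relies on two things: the hook scripts, which run as root at logout, are root-owned and not writable by anyone else, and no 802.1X profile files survive a logout. The audit script below is an added example, not part of the original setup; its function names and the `--run` switch are this example's own, and the paths are the ones used above.

```shell
#!/bin/sh
# Added example: audits the logout-hook setup described in this post.

# True only if $1 is a regular file owned by uid $2 (default 0, root),
# executable by its owner, and not writable by group or others.
hook_file_ok() {
    hf=$1; huid=${2:-0}
    [ -f "$hf" ] || return 1
    [ -n "$(find "$hf" -user "$huid" -perm -100 ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Prints each 802.1X profile or binding file still present under $1
# (default /Users); these are the paths airport-cleanup.sh deletes.
eap_leftovers() {
    root=${1:-/Users}
    for lf in "$root"/*/Library/Preferences/com.apple.eap.profiles.plist \
              "$root"/*/Library/Preferences/ByHost/com.apple.eap.bindings.*; do
        [ -e "$lf" ] && printf '%s\n' "$lf"
    done
    return 0
}

# Usage: audit_logout_hook OWNER_UID USERS_ROOT SCRIPT...
# Prints findings and returns non-zero if any check fails.
audit_logout_hook() {
    auid=$1; aroot=$2; shift 2
    rc=0
    for script in "$@"; do
        hook_file_ok "$script" "$auid" || { echo "UNSAFE: $script"; rc=1; }
    done
    left=$(eap_leftovers "$aroot")
    [ -z "$left" ] || { echo "LEFTOVER:"; echo "$left"; rc=1; }
    return $rc
}

# "--run" is this example's own switch: check the paths used in this post.
if [ "${1:-}" = "--run" ]; then
    audit_logout_hook 0 /Users \
        /usr/local/bin/LogoutHook.sh /usr/local/bin/airport-cleanup.sh
    exit $?
fi
```

Run it as root with `--run` after logging a test user out. An UNSAFE line means a hook script could be edited by a non-root user and would then execute as root at the next logout, so fix that before anything else.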