How to completely block specific Wi-Fi SSID on macOS?

Question

I'm looking for a way to totally blacklist a Wi-Fi network (by SSID) in macOS.

And no, I promise you that I really (truly!) do not need to just have the computer "forget it" by removing it from the network list. I need to completely and totally prevent the computer from connecting to a certain network entirely.

It's super, crazy easy on Windows. Is there any way to do this on a Mac?

Answer 1

There's no blacklist function (that I know of) but there are a couple of simple workarounds detailed below.

Restrict to Admins Only

Your first option would be to set up networking and restrict it so only Admins can join networks (Network Settings → WiFi Adapter → Advanced)

The caveat here is that the user can no longer be an admin.

Progmatically remove network

If you’d prefer this automated, your second option is to have a terminal command run periodically:

networksetup -removepreferredwirelessnetwork en1 SSID

If the SSID doesn't exist, it will just error out without any issues. If it does exist, it will remove it from the preferred (saved) network list.

You could put this is a simple bash script

#!/bin/bash
SSID=MyBannedSSID
net=$(networksetup -listpreferredwirelessnetworks en1 | grep ${SSID} | cut -f2)
ap=$(networksetup -getairportnetwork en1 | cut -d ":" -f 2 | cut -c 2-)
Remove Network if exists in saved networks
if [ "$net" = "$SSID" ]
  then networksetup -removepreferredwirelessnetwork en1 ${SSID}
  sleep 5               # Sleep 5 seconds to allow removal to complete.
else echo "No Network"
fi
#Power cycle wireless adapter if connected to banned network
if [ "$ap" = "$SSID" ]
  then  networksetup -setairportpower en1 off
        sleep 2            #Sleep 2 seconds for service to die
        networksetup -setairportpower en1 on
fi

Then, use cron or launchd (preferred) to run it periodically. The caveat is that while they may join the network, it will eventually (per your schedule) delete it. The time interval will be entirely up to you.

You have to run this as root (meaning put in /Library/LaunchDaemons if using launchd) otherwise it will ask you for a password every time.

What the script is doing

• Checks to see if banned SSID is saved
• Removes the saved network if it exists
• Power cycles the airport card if it's attached to the banned SSID

Answer 2

I've just tested this and it works!

You need the app Apple Congifurator 2, it's on the App Store, made by Apple.

Create a new profile, in the wifi section create a new payload. Fill out the information, including the correct security type. Set the password to something wrong. Uncheck the 'Auto Join' option.

Now, why does this work? The profile sets settings which cannot be changed by the user and so if you configure it with a password the user will not be able to uninstall the profile. Since you have configured the wrong password for the profile, the computer won't be able to connect to the network and will show an incorrect password popup. That's where the "auto join" setting comes in. By configuring the device to not automatically join that network, the device will only attempt to connect to it when the user selects it out of the menu. Since the user can't change the stored password they won't be given the option to try a new password and so won't be able to connect. With auto join off, you also won't get tons of "incorrect password" errors on the device any time the network is in range since it won't bother to connect to it.

Answer 3

I have no experience but what I would try: setup a new acccount, give it administrator rights, login in this new account, go to SystemPreferences, ParentalControls: in there set parental controls for your main account, set the access to ...aruba... as forbidden.