What about a Wi-Fi profile?
You may be thinking, “Why would I want to script disabling Wi-Fi auto-join, when I can just set it with a profile?” After all, in Apple’s MDM documentation, it seems that you can just do so, right?
AutoJoin boolean
If true, the device joins the network automatically.
If false, the user must tap the network name to join it.
Available in iOS 5 and later, macOS 10.7 and later, tvOS 9 and later, visionOS 1 and later, and watchOS 3.2 and later.
Default: true
In my testing (at least as of macOS 26.2—maybe Apple will change this in a future release), setting that auto-join setting via profile does set it to false, but it doesn’t enforce it as false. In other words, if the Wi-Fi profile is in place and set to not auto-join, you can still go into System Settings and set it to auto-join.
Using defaults write
So maybe you want to use something like Munki, Outset, or Jamf to periodically run a script that sets a Wi-Fi network to not auto-join.
The file you want to modify is /Library/Preferences/com.apple.wifi.known-networks.plist. It is read-only by root, and if you want to do any manual (non-scripted) testing, you may have to temporarily give Terminal full disk access. (I’m guessing whatever management tool you use to run scripts will run as root and already has full disk access.)
It’s really as simple as running a command like this:
/usr/bin/defaults write /Library/Preferences/com.apple.wifi.known-networks wifi.network.ssid.NAMEOFSSID -dict-add AutoJoinDisabled -bool TRUE
where NAMEOFSSID is the SSID of the Wi-Fi network you want to disable auto-join for.

You can then do a quick check using
/usr/bin/defaults read /Library/Preferences/com.apple.wifi.known-networks wifi.network.ssid.NAMEOFSSID
or
/usr/bin/defaults read /Library/Preferences/com.apple.wifi.known-networks wifi.network.ssid.NAMEOFSSID | /usr/bin/grep AutoJoinDisabled
If you want to reverse it (enable auto-join), you can just flip the boolean:
/usr/bin/defaults write /Library/Preferences/com.apple.wifi.known-networks wifi.network.ssid.NAMEOFSSID -dict-add AutoJoinDisabled -bool FALSE

It may seem weird to you to add a dictionary when flipping the boolean back and forth, but because it’s the same name, a duplicate dictionary doesn’t get added—you end up just replacing the old dictionary with the new value (TRUE or FALSE).
Technically, if you enable auto-join via System Settings, that dictionary gets deleted, but I saw only -dict-add in man defaults; I didn’t see a -dict-delete option. In my testing, flipping the boolean to FALSE has the same effect.
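A periodic-enforcement wrapper around the commands above, as an added example rather than code from the original post: it reads the current state first, writes only when auto-join is still on, and skips SSIDs that have no known-networks entry. The function names and the DEFAULTS/PLIST override variables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): enforce "auto-join off" for one
# SSID, writing only when the current state differs.
# DEFAULTS and PLIST are overridable assumptions so the logic can be tested
# away from a managed Mac; on a Mac, run as root with the defaults below.
DEFAULTS="${DEFAULTS:-/usr/bin/defaults}"
PLIST="${PLIST:-/Library/Preferences/com.apple.wifi.known-networks}"

# Print 1 (auto-join disabled), 0 (auto-join enabled) or "absent" (the SSID
# has no entry in the known-networks plist).
autojoin_disabled_state() {
    entry=$("$DEFAULTS" read "$PLIST" "wifi.network.ssid.$1" 2>/dev/null) || {
        echo absent
        return 0
    }
    # defaults read prints booleans as 1/0; no AutoJoinDisabled key at all
    # means auto-join is on.
    case $entry in
        *"AutoJoinDisabled = 1;"*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Return 0 if auto-join is disabled when the function exits, 1 if the write
# failed or did not stick, 2 if the SSID is unknown (nothing is written, so
# no stub entry is created for a network this Mac never joined).
enforce_no_autojoin() {
    ssid=$1
    case $(autojoin_disabled_state "$ssid") in
        1) return 0 ;;
        absent) return 2 ;;
    esac
    "$DEFAULTS" write "$PLIST" "wifi.network.ssid.$ssid" \
        -dict-add AutoJoinDisabled -bool TRUE || return 1
    [ "$(autojoin_disabled_state "$ssid")" = 1 ] || return 1
}

# Run only when an SSID is given on the command line.
[ "$#" -eq 0 ] || enforce_no_autojoin "$1"
```

The distinct exit codes let a management tool report "already compliant or fixed" (0), "write failed" (1) and "network not known on this Mac" (2) separately.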
Not using defaults write?
Can you use /usr/libexec/PlistBuddy instead? I haven’t found a way to do that, since the .plist is a list of dictionaries instead of a dictionary at the top level. It’s also possible that if you use PlistBuddy, the changes may not take place right away, whereas defaults write appears to work immediately (you may have to quit out of System Settings, though, to see the change reflected).
You might also be able to use Python to ingest and modify the .plist, but you do run the same risk of the change not taking effect right away.