Preventing MacMini WiFi sharing
July 25, 2012 12:54 PM

Can I prevent/disable our users from MacMini wireless sharing on our office network?

In our office network, which covers several buildings and includes Cisco switches connected to an ASA 5505, I have run into users turning their MacMinis into WiFi hotspots. The network is quite large and I have many other responsibilities besides network admin, so I'd like to be able to prevent/disable this somehow automatically at the network level.

(Yes, we have a corporate IT appropriate use policy in place that is supposed to prevent this at that level, but like anything else, given the time and opportunity, end users exploit whatever they can. Management does not think of any violations of the AUP as their problem, unfortunately, and won't do anything about it as opposed to, say, testing positive on a drug test.) I don't really know why people are doing this as we have WiFi in the same areas they are setting their Macs up for this.

I assume the MacMinis are setting up some private DHCP server and doling out IP addresses on that network, so I am not sure how I'd even see these devices that are accessing through the WiFi hotspot created by the Minis.
posted by bellastarr to Computers & Internet (10 answers total)

Do you have any OS X Servers set up? This is pretty easy to disable using Open Directory's Computer Management function.
posted by Oktober at 1:00 PM on July 25, 2012

No OS X Servers, only Windows and Linux servers.
posted by bellastarr at 1:03 PM on July 25, 2012

If they are sharing out via the WiFi, that means they have an Ethernet connection, as I don't think that card (or the internet sharing software) can both connect via WiFi and publish a hotspot with it.

If the Mac Minis are owned by the company, just open them up and remove the WiFi card.

If they are personal, you'll have to just periodically sniff for rogue networks and shut them down as you find them.
posted by tomierna at 1:12 PM on July 25, 2012

I'm pretty sure if you have a Mac, you can purchase Apple Remote Desktop and send a command to every system like "sudo ifconfig <interface> down," where you put the name of the interface (en1, for example) in there.

But then I think a user would still be able to manually re-enable the interface.

Depending on how much time you want to spend on this, you could also set up a crontab task on each system (or deploy it with ARD) to disable the WiFi connection every 5 minutes.

posted by MonsieurBon at 1:28 PM on July 25, 2012

It is possible to remove the wireless (Airport/Bluetooth) card from the main logic board, but it's not easy.
posted by Oktober at 2:01 PM on July 25, 2012

Don't allow users admin privileges; set their user account up so they cannot access System Preferences to turn on internet sharing.
posted by HuronBob at 2:10 PM on July 25, 2012

Users need Admin privileges (or the Admin password) to enable internet sharing. Did you guys really give them the password?

I've done remote administration. Is it possible to re-set the Admin password on the Minis remotely? Or, are you going to have to manually reset the password?
posted by Thorzdad at 2:33 PM on July 25, 2012

Sorry... that should be "I've NOT done remote admin".
posted by Thorzdad at 2:36 PM on July 25, 2012

I'm sorry to say it, but it sounds like you have a human problem, not a technological problem. If your management is not interested in security issues, then you are pretty much out of luck. You need to make your case to them that if people are doing this it's the same as propping the door open with a big "good stuff to steal here" sign. If they still don't care then they don't care.
posted by Phredward at 4:03 PM on July 25, 2012

I don't think there is any way to do this at the network level. As far as the network is concerned, all it can see are packets coming from the MacMini, which is probably acting like a NAT router, meaning it is rewriting the MAC addresses of all the packets.

The best you *might* be able to do is get the ASA to look for packets coming from MacOS but with signatures of other operating systems, and then shut them down. But I don't know if an ASA can do that.

Your wireless APs might be able to listen to the wireless spectrum near themselves and at least *report* foreign networks so you can try to narrow things down.

You also might conduct some surveillance and see just what they are doing with these networks.

So you'll have to disable it somehow in the Minis themselves. And convince management why this is a bad idea.
posted by gjc at 7:48 PM on July 25, 2012 [1 favorite]
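
The idea in the answer above (one wired address whose traffic carries signatures of more than one operating system) can be checked offline against flow or proxy logs. This is an added example, not part of the original thread; the record layout, the sample addresses and the extra TTL heuristic (a NAT hop lowers the IP TTL by one) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): wired-LAN source IP, IP TTL, User-Agent.
SAMPLE = [
    ("10.1.4.20", 64, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) Safari/534.57"),
    ("10.1.4.31", 64, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) Safari/534.57"),
    ("10.1.4.31", 63, "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) Mobile/9B176"),
    ("10.1.4.31", 127, "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/20.0"),
    ("10.1.4.40", 128, "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"),
]

# Order matters: Android agents also contain "Linux".
OS_PATTERNS = [
    ("ios", re.compile(r"iPhone|iPad|iPod")),
    ("android", re.compile(r"Android")),
    ("windows", re.compile(r"Windows NT")),
    ("macos", re.compile(r"Macintosh")),
    ("linux", re.compile(r"Linux")),
]
INITIAL_TTLS = (64, 128, 255)  # common OS default TTLs

def os_family(user_agent):
    for name, pattern in OS_PATTERNS:
        if pattern.search(user_agent):
            return name
    return None

def find_sharing_hosts(records, hops_to_sensor=0):
    """Return {ip: [reasons]} for hosts that look like they NAT other devices."""
    seen_os, short_ttl = defaultdict(set), defaultdict(set)
    for ip, ttl, user_agent in records:
        family = os_family(user_agent)
        if family:
            seen_os[ip].add(family)
        # A directly attached host arrives with default TTL minus hops_to_sensor;
        # one hop fewer means something routed the packet before the LAN saw it.
        if any(ttl == init - hops_to_sensor - 1 for init in INITIAL_TTLS):
            short_ttl[ip].add(ttl)
    findings = {}
    for ip in sorted(set(seen_os) | set(short_ttl)):
        reasons = []
        if len(seen_os[ip]) > 1:
            reasons.append("multiple OS families: " + ", ".join(sorted(seen_os[ip])))
        if short_ttl[ip]:
            reasons.append("TTL one hop short: " + ", ".join(map(str, sorted(short_ttl[ip]))))
        if reasons:
            findings[ip] = reasons
    return findings
```

Set `hops_to_sensor` to the number of routers between the user VLAN and the capture point. User agents are easy to change, so a hit is a lead to follow up at the desk, not proof.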
