Forget network as a standard user

The users in our Organization are not allowed to have admin permissions on their Macs. They also use Eduroam to connect to the wireless network. When they change their password, which happens every 90 days, sometimes the pop-up to re-enter the password doesn't work. Since they are not admin on the computer, they are not able to forget the network to re-join with new credentials. Is there a Config Profile that would allow standard users to change network settings? If not, is there a group that would allow it, similar to lpadmin for allowing standard users to change printer settings?

Answered by Device Management Engineer in 891512022

Device management is moving away from configuration profiles to declarative configurations, but I get what you're asking here 😄

Historically, organizations have achieved this on macOS by using security authorizationdb commands of various kinds to change certain OS authorization prompts and what types of accounts are allowed to authenticate in those scenarios.

That being said - System Preferences eventually became the Settings app we have today, and the contents have flowed and changed to adapt with modern OS design - and not all the previous solutions IT organizations had developed using security authorizationdb commands continue to work with these changes.

And to your point - this is also complicated by the fact there's no native MDM capability directly for this. Organizations achieved these command runs either using local agents that their MDM vendor offered or other IT solutions - nothing directly supported by Apple itself.

It would be extremely helpful if you could file a Feedback with your Developer account that captures your above mentioned use case (and any other similar needs regarding authorization prompt changes for standard users - call out each) - and explicitly mention your desire for this to work directly as an MDM configuration, without the need for additional local automation.

Feel free to post the FB# of the Feedback in this thread once you've filed it, or if you've already filed something in that space you can mention that as well.
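
Added example, not part of the thread or of any Apple tooling: a small auditor that reads the rule plist printed by `security authorizationdb read <right>` and reports which rights are no longer admin-only, so a fleet's authorizationdb changes can be tracked. The right names and sample rules are constructed assumptions; only the `lpadmin` group comes from the question above.

```python
import plistlib

ADMIN_GROUP = "admin"

def classify(rule_plist: bytes):
    """Map one `security authorizationdb read <right>` plist to (verdict, detail)."""
    rule = plistlib.loads(rule_plist)
    cls = rule.get("class")
    if cls == "allow":
        return ("open", "granted to every caller without authentication")
    if cls == "deny":
        return ("denied", "never granted")
    if cls == "user":
        group = rule.get("group", "")
        if rule.get("session-owner", False):
            return ("non-admin", "logged-in console user may authenticate")
        if group != ADMIN_GROUP:
            return ("non-admin", f"members of group '{group}' may authenticate")
        return ("admin", "admin group membership required")
    if cls == "rule":
        # The right delegates to named rules; resolving them needs a second read.
        names = rule.get("rule", [])
        names = [names] if isinstance(names, str) else list(names)
        return ("review", "delegates to rule(s): " + ", ".join(names))
    return ("review", f"unrecognised class {cls!r}")

def loosened(rights: dict):
    """Names of rights a standard user can obtain under the rules given."""
    return sorted(n for n, p in rights.items()
                  if classify(p)[0] in ("open", "non-admin"))

# Constructed sample rules (assumed right names, not captured from a real Mac).
SAMPLES = {
    "system.preferences.network": plistlib.dumps({"class": "allow"}),
    "system.preferences.printing": plistlib.dumps(
        {"class": "user", "group": "lpadmin", "shared": True}),
    "example.right.admin-only": plistlib.dumps(
        {"class": "user", "group": "admin", "shared": True}),
    "example.right.delegated": plistlib.dumps(
        {"class": "rule", "rule": ["authenticate-admin"]}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *classify(blob))
    print("loosened:", loosened(SAMPLES))
```

On a managed Mac the plist bytes would come from the standard output of `security authorizationdb read <right>` instead of `SAMPLES`.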

Not OP but I submitted one for this. I'm in the same boat and wish a Device Management Service could handle the small but annoying calls to authorizationdb that we need to do on every Mac. The only two I can think of right now are Forgetting a Network and Adding a Printer.

FB23048818.

Thanks for everything you all do.

I agree with the above post: Forgetting Wi-Fi and printer management are the only two I can think of right now.

Are feedbacks from multiple people helpful? I would love to file one from my AppleSeed for IT account, if so.

An alternative approach would be using privilege management as part of Platform SSO.

This would allow you to map specific groups in your IdP to local authorization rights, like printer management, changing network settings, or modifying time settings.

You can find more information about privilege management with Platform SSO at https://support.apple.com/guide/deployment/dep7bbb05313#depec2a40322
