Accessing Current Wi-Fi SSID/BSSID on Managed macOS Devices Without User-Enabled Location Services

Question

Created 22h

Replies 1

Boosts 0

Participants 2

This post is from the WWDC26 Privacy & Security Q&A.

We are developing an enterprise security solution for macOS that includes Wi-Fi awareness and network-based policy enforcement - WiFi Control.

On current macOS releases, access to the connected Wi-Fi's SSID/BSSID appears to require Location Services authorization. In many corporate environments, end users do not have local administrator privileges and cannot enable Location Services themselves. Enabling it often requires coordination with IT administrators, which can be difficult to scale in large organizations with a geographically distributed workspace.

This creates a deployment challenge for enterprise security products because network identification becomes unavailable on managed Macs, even when the device is enrolled and managed through MDM.

As far as we understand:

MDM on macOS does not provide a mechanism equivalent to managed-device Wi-Fi control available in iOS management scenarios.
System Extension running with elevated privileges cannot obtain the current SSID/BSSID through frameworks such as CoreWLAN even when Location Services access is granted (it requires user session).

Our questions are:

Is there currently any supported API or entitlement that allows enterprise security products to determine the currently connected SSID/BSSID on managed macOS devices without requiring end users to enable Location Services?
Are there plans to provide a managed-device exception, entitlement, or MDM-controlled authorization model for enterprise security vendors that need network identity information for security and compliance use cases?
Would Apple consider exposing SSID/BSSID information to approved System Extensions or Endpoint Security-based products in managed corporate environments, while maintaining existing privacy protections for consumer devices?

We fully understand the privacy rationale behind restricting Wi-Fi information, but enterprise security and compliance solutions often need to identify trusted and untrusted networks. Today, the Location Services dependency significantly complicates deployment and usability in managed corporate environments.

Any guidance on recommended approaches or future platform direction would be greatly appreciated.

Answer 1

Engineer OP

Apple

19h

There is no entitlement that bypasses the Location Services requirement for reading CNCopyCurrentNetworkInfo / CoreWLAN SSID/BSSID.

Apple's direction around managing devices is Declarative Device Management, and between DDM, Network Framework and Endpoint Security, there is significant amounts of configuration and telemetry available to enterprise tools (as well talking with the MDM's own APIs or the WLAN controllers directly). For example we are aware of solutions in market that maintain awareness of state of the wider environment and which device is where by interaction with Device Management servers and WLAN controllers.

There is no DDM predicate at the moment that answers if a device is on or off a managed network at the moment.

Depending on what you are trying to achieve, the SSID and BSSID are not globally unique may not be a strong signal on their own to anchor a trust decision on. Depending on device configuration by Device Management service, you could also have a cases where a Mac was connected to both a "trusted" and an "untrusted" network simultaneously.

It is worth filing feedback in Feedback Assistant around what you are trying to achieve.