Student can Locate the password for Student SSID

HTCS-Bobd
Comes here often

Student can Locate the password for Student SSID

Students with iPads can look at the wireless networks in settings and look at the SSID password for the connected network. This password should stay hidden and not available to students. I have not found a policy setting in SM that will prevent this ability. Is anyone aware of a way to block students from locating and seeing the SSID password?

10 Replies 10
alemabrahao
Kind of a big deal

Unfortunately, as of now, there isn't a direct setting in SM to prevent students from viewing the SSID password on their iPads.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

If you want to prevent this type of situation you can use another more secure authentication method, such as 802.1x or even MAB.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_8...

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
vassallon
Kind of a big deal

If you're pushing out a wireless profile from Meraki they shouldn't be able to see the password.

 

How are the student iPads getting connected to your network?

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
rhbirkelund
Kind of a big deal
Kind of a big deal

It's no different from any other OS. You can also get the PSK from any configured SSID on Windows as well. 

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
vassallon
Kind of a big deal

Yes, you are correct that windows does share PSK but iOS and MacOS does not share PSKs that are pushed via profile to enrolled devices from MDM.

 

I know this as I submitted a bug report with Apple when this feature was originally introduced. I've also just tested this with a MacBook and iPad and neither device is showing the PSK password when you look in the Wi-Fi settings.


I also recommend disabling Share passwords over AirDrop as this will stop the sharing of wireless passwords between devices.

 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
BrandonD
Meraki Employee
Meraki Employee

Hi @HTCS-Bobd,

 

As @alemabrahao noted there isn't a direct restriction/setting for the referenced use case, mainly because Apple changed the way that iOS displayed known PSKs previously with iOS 16. I believe in my previous testing, versions prior to iOS 16 you are unable to reveal the password (see below.)

 

 

That being said, I did do some testing on my iOS 18 device and was successfully able to prevent viewing of a MDM deployed SSID PSK when enabling the following restriction:

 

 

Please note that this will prevent users from joining any SSIDs outside of those defined & deployed with MDM configuration, and we advise testing with one device prior to enabling 'globally'. This is to ensure the WiFi Payload is properly configured as if improperly deployed, it could prevent the device from connecting to the internet and processing future commands.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
vassallon
Kind of a big deal

There was an a bug when this feature was originally implemented which allowed pushed out wifi profiles to have the passwords shown.

 

I just double checked on iPads running 18.3.2. and 18.4.1 and the password field is not being displayed on my pushed out wireless profiles. 

 

What is your process for connecting iPads to wireless to start? The reason, I ask is if you are hand entering the password then that could be the reason why it is able to be shown.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
HTCS-Bobd
Comes here often

I have tried to find a solution to automatically apply the Wireless authentication through Meraki with Sentry and a couple other processes from factory defaults and have not had any success autoconfiguring an iPad thought the first several screens before having to select the SSID and entering a password. After it authenticates it will auto install all configs and Apps. However even though the policy forces the SSID the password is still accessible. iPadOS 17.7.1 

vassallon
Kind of a big deal

That explains why the password would still be present and visible. We have our iPads connect to an open WiFi that is restricted to just access Meraki and Apple networks to allow the iPad to set up and then switch to our normal student network. 

 

Do you have more than one SSID being broadcast? Can you try setting up the iPad another network and then seeing if it works correctly and no longer shows the PSK?

 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
BlakeRichardson
Kind of a big deal
Kind of a big deal

In an education environment I would strongly suggest using 802.1x; are the devices school supplied or BYOD?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels