Apple Wi-Fi Sharing - How to effectively prevent it?

SteveWeidner
Here to help

Apple Wi-Fi Sharing - How to effectively prevent it?

I'm working with a school district where primarily Apple devices are used.  As a result of using iPads and MacBooks at school, staff and students tend to have iPhones as their personal devices.

 

There is no BYOD network for students, they are allowed to use only school-owned devices which are governed by policies to maintain CIPA compliance.  Anyone reading this knows however, that end-users want to use their own devices for social media, games, etc. so it is virtually impossible to entirely prevent students from using their phones.  Staff are allowed to use their personal phones on the Staff SSID, but that network is not CIPA compliant so no students are to be using that SSID.  However...

 

Because of this iOS feature (https://support.apple.com/en-us/HT209368), the Staff credentials have been shared.  Eventually it got to a student device resulting in students connecting to the Staff SSID and sharing it with their friends.  To summarize the page linked, once an Apple device has a Wi-Fi connection set up, that device can share Wi-Fi credentials with another device, as long as 1) Wi-Fi and Bluetooth are enabled on both devices, 2) the device owner permits it (tapping "Share Password" on screen), and 3) the new-person is in the first user's contact list.  
We would love to be able to disable this "Wi-Fi password sharing" feature on school and staff-owned devices, but Apple does not provide that option.

 

We believe that creating a new hidden SSID with a new PSK may stop this behavior, and are preparing to test the theory. Our logic is, if new-person's device can't see the SSID, it won't try to associate, if it can't associate, the Apple "feature" won't reach out to nearby devices looking for credentials.

 

Has anyone in the Community 'tackled' this scenario before and if so, what was your solution?

 

Thanks!

3 Replies 3
BrandonS
Kind of a big deal

I think the only solution may be to not use PSK.  If you happen to use Google for Education there is a very easy and elegant solution using Google sign in: https://documentation.meraki.com/MR/MR_Splash_Page/Google_Sign-In

 

Besides that you can use radius and consider other third party methods.

 

 

- Ex community all-star (⌐⊙_⊙)
ww
Kind of a big deal
Kind of a big deal

Other option is to keep the psk and additional block all traffic on that ssid. And then whitelist or apply a group policy to the specific client that are allowed. 

 

But when staff have new byod hardware you have to allow that once again

 

PhilipDAth
Kind of a big deal
Kind of a big deal

If all of your Apple devices are managed - change to using certificate-based authentication.

 

Another painful option - change the WiFi firewall rules to default "block all".  Then create a group policy called "Authorised", "Teacher", "printer", etc and manually apply the group policy to devices that are allowed.  In this group policy, create a firewall override to allow access again.

 

Similar to the above, but using VLANs.  You could make the default VLAN one that doesn't work.  Then if it is a teacher's device, have group policy put the teachers into a teacher VLAN.  If it is a "school" device drop them into the "school" vlan.

You can use a single SSID for everyone using this scenario.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels