Description
When enabled on devices, the Wi-Fi Safelist restriction prevents devices from connecting to non Jamf Now managed WiFi networks.
This means that any misconfiguration of the SSID, password, or security type of the network configured under the WiFi tab in Jamf Now will result in the device dropping its WiFi network as well as hide the network on the device itself under Settings > WiFi. This can lead to situations where the device cannot reconnect to WiFi due to WiFi Safelist blocking all Wifi networks.
This article provides troubleshooting steps if a device becomes disconnected from WiFi due to the WiFi Safelist and steps to ensure the network configured on the WiFi tab are configured correctly.
Devices disconnected from WiFI
If a device becomes disconnected from WiFi due to Wi-Fi Safelist, here are some troubleshooting steps to facilitate reconnection to a network so the device can receive Jamf Now commands:
Bring the device in physical proximity to a Jamf Now managed network that is configured correctly to allow for WiFi connectivity. Note that this option only works for Jamf Now managed networks that are 100% confirmed to be configured correctly to match the network.
Connect the device via Ethernet via an Apple USB Ethernet Adapter: https://www.apple.com/shop/product/MC704LL/A/apple-usb-ethernet-adapter
If neither option are available, the device must be erased and set up as new. Recovery Mode can be used to restore the device back to factory settings:
Recovery Mode for iPad: https://support.apple.com/en-us/108925
Recovery Mode for iPhone/iPod: https://support.apple.com/en-us/HT201263
Confirming the networks on the blueprint WiFi tab are configured correctly
Create a test blueprint in Jamf Now that you can use for testing to avoid impacting other devices in existing blueprints.
We recommend copying an existing blueprints to avoid configuring the test blueprint from scratch. For assistance see Blueprints in Jamf Now.
Start with WiFi Safelist as disabled by deselecting the restriction under Blueprints > Restrictions > Network & Cellular > Wi-Fi Safelist. This will allow for testing to occur without the fear of the device losing WiFi connectivity.
Configure the WiFi tab of the blueprint by entering the SSID, Security, and Password fields according to the WiFi network the device will connect to. Ensure that the SSID, security type, and password all 100% match how the network in question is configured. The security type of the network can be found under System Settings > General > About > System Report > WiFi on a Mac that is in proximity to the network.
One misconfigured setting will result in the device being unable to automatically connect to the network.
Assign a test device to the test blueprint.
Ensure the device has either never connected to the network previously or ensure any previous remembered network is deleted by going to Settings > WiFi > click on WiFi > Forget this Network on the device.
Once the blueprint has installed on the device, try connecting the device to the WiFi managed by Jamf Now. Is the device able to connect to the network without prompting for a password? If so, that should indicate the managed WiFi network in Jamf Now is correctly configured.
Enable the Wi-Fi Safelist restriction under Blueprints > Restrictions > Network & Cellular > Wi-Fi Safelist.
Confirm that the Restrictions tile of the device shows as Applied in Jamf Now (under the Dashboard tab).
Check whether the device is able to both connect to and recognize the Jamf Now managed networks under Settings > WiFi on the device itself.
If the networks disappear under Settings > WiFi post installation of Wi-Fi Safelist, that indicates the Jamf Now managed WiFi networks are misconfigured and need correction. If this occurs, circle back to step 3 and ensure the network is configured correctly.