Forgetting Wi‑Fi on a Jamf‑Managed Mac: give your networks a graceful exit

Have you ever looked at your Mac’s Wi‑Fi list and wondered why it insists on clinging to an SSID you haven’t used since last Christmas? Maybe it’s that guest network you used once to download some drivers, or a test SSID from a lab build. macOS is wonderfully helpful – it will happily auto‑join anything it remembers – but forgetting a network requires an admin password. On a Jamf‑managed fleet where most users are standard accounts, that’s an unnecessary round‑trip to the service desk.

After dealing with one too many “my laptop keeps hopping onto the wrong Wi‑Fi” tickets, I spent an afternoon spelunking through authorizationdb and the hidden airport preferences. The result is a tiny zsh script that lets standard users forget Wi‑Fi networks and flip the Forget This Network switch without being prompted for admin. It’s a little hack, but it makes life calmer for everyone involved.

Why bother?

1. Clingy networks – macOS loves to auto‑join known SSIDs, even if they’re slow or out of range. Sometimes you just want to say goodbye.
2. No admin, no problem – by default, forgetting a Wi‑Fi network prompts for an admin password. On managed Macs this gets in the way of self‑service.
3. Jamf self‑service – our Jamf portal is full of great tools. This script slots neatly into a policy so users can fix their own connectivity woes.
4. Because I could – hacking around Apple’s authorizationdb is weirdly fun and I needed a break from SCCM logs.

What the script actually does

Under the hood, the script does three key things:

• Grants standard users the right to unlock and modify the Network pane in System Settings via the generic system.preferences right.
• Disables the hidden “Require admin to turn Wi‑Fi off/on” prompts by tweaking the airport preferences.
• Edits the authorizationdb policy for system.preferences.network to enforce a sole allow rule, meaning no more pop‑ups when you click Forget This Network.

In plain English: it tells macOS that forgetting Wi‑Fi networks is fine for any user on a Jamf‑managed Mac.

Caveats & considerations

• The script must run as root. When deployed via Jamf, ensure your policy runs the script with the correct privileges.
• It modifies system authorisation policies. If you later decide you want to re‑enable admin prompts, you’ll need to restore the default rights.
• Tested on macOS Sequoia 15.5. It should work on earlier releases, but I haven’t tried it. Pull requests welcomed!
• If you have other tools managing authorizationdb, make sure they don’t overwrite these changes.

Using it with Jamf

1. Save the script as forget-wifi.sh (or whatever you like).
2. Upload it to Jamf Pro and create a policy scoped to the Macs that need this ability.
3. Set the Execution Frequency to Once per computer – you only need to loosen the rights once.
4. After the policy runs, users can open System Settings → Wi‑Fi, select the network and hit Forget This Network without being prompted for an admin password.

Final thought

I wrote this to scratch an itch. Sometimes the best tools are the ones that quietly remove friction from your day. If you’re tired of your Mac hanging on to the wrong SSID, grab the script, deploy it with Jamf and enjoy the silence.

👉 Download the script on GitHub – if you spot a bug , open an issue. If you’re still haunted by an old SSID after running it, try a sage smudge or call your nearest spiritual adviser. 😉