How to prevent your employees from using the wireless guest service?
When designing wireless services, IT departments usually create one service/SSID for employees and one for visitors (check my tips to deploy this). The wireless service for visitors usually relies on self-service (the user creates their account directly on the portal) or sponsorship (either the employee or the receptionist creates the account for the visitor).
In any case, your employees can easily connect their professional devices to the guest service (and be sure they will!). This brings some confusion, some issues (devices may switch between SSIDs) and security concerns (if the policies are not aligned).
Here are a few tips to keep your employees off the guest SSID.
1) Provide a service aligned with needs
Okay, this may seem obvious, but if you provide good connectivity to users and they have access to whatever they need, they will certainly not try to find something better.
I have seen companies providing a good smartphone with WiFi access to the Internet, and they never tried to connect to another SSID.
The same goes for laptops: if you provide seamless (but secured) access to the Internet (whatever the browser or application they use), users will not need to try another solution.
2) Degrade user experience for employees on guest SSID
Don’t worry, I’m not talking about mediocre Internet access. I’m talking about implementing limitations that match exactly the visitors' needs (in terms of bandwidth quota, time quota, filtering, opening hours for example) but not your employees' needs. Employees may switch to the guest SSID but will quickly go back to the official one!
3) Block the SSID on professional devices
For some operating systems, it is possible to block some WiFi SSIDs via a policy pushed to the device (MDM, GPO or anything similar).
Here are a few links to implement this restriction:
- On Windows via GPO
- On Windows via Command Line
- On Mac OS X, it seems only possible to cheat with a script
- For Android and Apple iOS, it does not seem possible.
If you are not able to block an SSID, you can push a configuration for that SSID with the wrong security settings.
Example: suppose your visitor SSID is named “MyCompany visitors” and is configured as an open SSID (which is usually the case for guest access). Just push a profile for “MyCompany visitors” configured with a WEP key and the device will never be able to connect.
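The Windows command-line option from the list above, as an added example that is not part of the original article: a PowerShell script that adds a `netsh wlan` block filter for the guest SSID, removes any saved profile for it and confirms that the filter is in place. It assumes an elevated session on the managed device and uses the article's example SSID name.

```powershell
# Added example, not from the original article.
# Assumption: run in an elevated PowerShell session on the managed Windows device.
param(
    # Example SSID name taken from the article; replace it with your guest SSID.
    [string]$GuestSsid = 'MyCompany visitors'
)

function Test-GuestSsidBlocked {
    # List only the block filters and look for the quoted SSID in the output.
    $filters = netsh wlan show filters permission=block | Out-String
    return $filters -match [regex]::Escape('"' + $GuestSsid + '"')
}

if (-not (Test-GuestSsidBlocked)) {
    # The filter hides the SSID from the network list and refuses connections to it.
    netsh wlan add filter permission=block ssid="$GuestSsid" networktype=infrastructure | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not add the block filter for '$GuestSsid' (exit code $LASTEXITCODE)."
    }
}

# Remove any saved profile for the guest SSID so the device does not reconnect
# if the filter is removed later. netsh reports an error when no such profile
# exists; that case is expected and ignored here.
netsh wlan delete profile name="$GuestSsid" | Out-Null

if (Test-GuestSsidBlocked) {
    Write-Output "Guest SSID '$GuestSsid' is blocked on this device."
} else {
    Write-Error "Block filter for '$GuestSsid' was not found after applying it."
    exit 1
}
```

A filter added this way is a local setting that an administrator on the device can delete again, so the verification step is worth re-running from your management tooling.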
4) Converge both SSIDs
This is the ultimate way: having one SSID that provides both services. This can be achieved, for example, with 802.1X authentication. A corporate laptop will authenticate automatically via login/password or certificate, and anyone else will be redirected to a web portal. The web portal will allow visitors to authenticate themselves.