Prevent Access To Certain Wi-Fi Network SSIDs Via Bash Script

In enterprise environments, there is often an open guest network and a secured enterprise network.  Often, you do not want users to connect to the guest network because it is throttled down and does not grant access to organizational network resources.  Below is a script that can be run as a Launch Daemon, which will turn the wireless off and display a dialog if a user connects to the wrong network.

#!/bin/bash
undesiredNetwork="Undesired-SSID"

wifi=$(networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/,/Ethernet/' | awk 'NR==2' | cut -d " " -f 2)
ssid=$(networksetup -getairportnetwork $wifi | cut -d " " -f 4)

case $ssid in
"$undesiredNetwork")
echo "Switching off PatientWifi SSID..."
networksetup -setairportpower $wifi off
networksetup -removepreferredwirelessnetwork $wifi $ssid
osascript -e 'tell application "System Events" to display alert "blah blah blah" as critical'
;;
esac

You can also require a password to change networks with this command:

/usr/libexec/airportd prefs RequireAdminNetworkChange=YES RequireAdminIBSS=YES