In addition to systemkeychain, I seem to recall there was some kind of "master password" you can assign a Mac, possibly at installation. Though that may have been just a FileVault master password.

But... The real issue is that (and I say this in the most sage-y, supportive, loving way I can) you are using the wrong WiFi security solution. Managing thousands of computers with WPA just doesn't scale. In theory, you should either keep that single password secret (which means changing it on all machines every time a sysadmin leaves the company) or let users set up their own WiFi and change that master password every time an employee leaves the company. For thousands of machines, neither scales.

With that many users it is worthwhile to set up 802.1X, which can authenticate each Mac based on their LDAP username/password. (The system actually uses RADIUS between the WiFi base station and the LDAP server.) Now each person has their own password and they get locked out when you freeze their account. The only problem now becomes people sharing their password to let guests on. There are ways to solve that, just ask.

A quick search finds articles like http://www.wi-fiplanet.com/tutorials/article.php/3114511 which give a lot more info.

The high-end WiFi base stations can do multiple forms of authentication at once, letting you transition easily to 802.1X. In fact, those usually also have the ability to serve multiple "network names" (SSIDs) at the same time, giving different access to different SSIDs. (For example, a Guest-Network SSID that only lets people access the internet.)

-Tom

P.S. If you are going to touch every machine once to set up new authentication, you might take the opportunity to set up each machine with Puppet so that future updates can be automated. Yes, that's a big heap of scope creep, but I promise you it will help in the future. Even if your current Puppet config is simply a no-op, eventually you'll really benefit from being able to add Puppet modules that do things like verify security settings, install patches, and so on.

P.P.S. The best of both worlds would be to have users enable Puppet so it isn't YOU that is touching every machine. I've seen sites that have distributed a package that all users were required to install that installed Puppet. It works better if the package also fixes some annoying (to the users) problem, and even better if something stops functioning if they haven't installed the package by a certain date... that way they visit the helpdesk who can help them install the package. (I'm not saying to break their machines, just offer a new feature that everyone REALLY wants).

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
