Commercial Virtual Access Point Alternatives For Mac

Commercial firewalls vs. Open source firewalls Learn the advantages and disadvantages of commercial and open source firewalls in a side-by-side comparison. How To Setup a Point To Point Wireless Access Point Link for IP Cameras May 25, 2016 by Matthew Rossi. Our 2.4GHz wireless access point radio is a great product to use for long range wireless video transmission, especially in cases where your camera's built-in wireless radio or wireless router are just not strong enough to provide a stable.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has deviated out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

Historical background and implications for multilevel security[edit]

Historically, MAC was strongly associated with multilevel security (MLS) as a means of protecting US classified information. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject, provided the original definition of MAC as 'a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity'^[1]. Early implementations of MAC such as Honeywell's SCOMP, USAF SACDIN, NSA Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The term mandatory in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by order of a government such as the Executive Order 12958 for US classified information. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms; only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.

Strength[edit]

Degrees[edit]

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of a MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85.^[2] Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.

Evaluation[edit]

The Common Criteria^[3] is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2^[4] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).^[5]Multilevel security (MLS) Protection Profiles (such as MLSOSPP similar to B2)^[6] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).

Implementations[edit]

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.

• Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.
• An NSA research project called SELinux added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.^[7]
• TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It has been merged in Linux Kernel mainline version 2.6.30 in June 2009.^[8] Differently from the label-based approach used by SELinux, TOMOYO Linux performs a pathname-basedMandatory Access Control, separating security domains according to process invocation history, which describes the system behavior. Policy are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are 4 modes: disabled, learning, permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the 'learning' mode, in which the accesses occurred in the kernel are automatically analyzed and stored to generate MAC policy: this mode could then be the first step of policy writing, making it easy to customize later.
• SUSE Linux and Ubuntu 7.10 have added a MAC implementation called AppArmor. AppArmor utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). LSM provides a kernel API that allows modules of kernel code to govern ACL (DAC ACL, access control lists). AppArmor is not capable of restricting all programs and is optionally in the Linux kernel as of version 2.6.36.^[9]
• Linux and many other Unix distributions have MAC for CPU (multi-ring), disk, and memory; while OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives. Linux distributors disable MAC to being at best DAC for some devices – although this is true for any consumer electronics available today.
• grsecurity is a patch for the Linux kernel providing a MAC implementation (precisely, it is an RBAC implementation). grsecurity is not implemented via the LSM API.^[10]
• Microsoft Starting with Windows Vista and Server 2008 Windows incorporates Mandatory Integrity Control, which adds Integrity Levels (IL) to processes running in a login session. MIC restricts the access permissions of applications that are running under the same user account and which may be less trustworthy. Five integrity levels are defined: Low, Medium, High, System, and Trusted Installer.^[11] Processes started by a regular user gain a Medium IL; elevated processes have High IL.^[12] While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis: e.g. IE7 and downloaded executables run with Low IL. Windows controls access to objects based on ILs, as well as for defining the boundary for window messages via User Interface Privilege Isolation. Named objects, including files, registry keys or other processes and threads, have an entry in the ACL governing access to them that defines the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object’s IL. Furthermore, to prevent access to sensitive data in memory, processes can’t open processes with a higher IL for read access.^[13]
• FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and multilevel security.
• Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. However note that the capability to manage labels does not imply the kernel strength to operate in multilevel security mode^{[citation needed]}. Access to the labels and control mechanisms are not^{[citation needed]} robustly protected from corruption in protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices are only weakly controlled^{[citation needed]}.
• Apple's Mac OS X MAC framework is an implementation of the TrustedBSD MAC framework.^[14] A limited high-level sandboxing interface is provided by the command-line function sandbox_init. See the sandbox_init manual page for documentation.^[15]
• Oracle Label Security is an implementation of mandatory access control in the Oracle DBMS.
• SE-PostgreSQL is a work in progress as of 2008-01-27,^[16][17] providing integration into SE-Linux. It aims for integration into version 8.4, together with row-level restrictions.
• Trusted RUBIX is a mandatory access control enforcing DBMS that fully integrates with SE-Linux to restrict access to all database objects.^[18]
• Astra Linux OS developed for Russian Army has its own mandatory access control.^[19]
• Smack (Simplified Mandatory Access Control Kernel) is a Linux kernelsecurity module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal.^[20] It has been officially merged since the Linux 2.6.25 release.^[21]
• ZeroMAC written by Peter Gabor Gyulay is a Linux LSM kernel patch. ^[22]

See also[edit]

• Attribute-Based Access Control (ABAC)
• Context-based access control (CBAC)
• Discretionary access control (DAC)
• Lattice-based access control (LBAC)
• Organisation-based access control (OrBAC)
• Role-based access control (RBAC)

Footnotes[edit]

1. ^http://csrc.nist.gov/publications/history/dod85.pdf
2. ^'Technical Rational Behind CSC-STD-003-85: Computer Security Requirements'. 1985-06-25. Archived from the original on July 15, 2007. Retrieved 2008-03-15.
3. ^'The Common Criteria Portal'. Retrieved 2008-03-15.
4. ^US Department of Defense (December 1985). 'DoD 5200.28-STD: Trusted Computer System Evaluation Criteria'. Retrieved 2008-03-15.
5. ^'Controlled Access Protection Profile, Version 1.d'. National Security Agency. 1999-10-08. Retrieved 2008-03-15.
6. ^'Protection Profile for Multi-Level Operating Systems in Environments Requiring Medium Robustness, Version 1.22'(PDF). National Security Agency. 2001-05-23. Retrieved 2018-10-06.
7. ^National Information Assurance Partnership. 'The Common Criteria Evaluation and Validation Scheme Validated Products List'. Archived from the original on 2008-03-14. Retrieved 2008-03-15.
8. ^'TOMOYO Linux, an alternative Mandatory Access Control'. Linux 2 6 30. Linux Kernel Newbies.
9. ^'Linux 2.6.36 released 20 October 2010'. Linux 2.6.36. Linux Kernel Newbies.
10. ^'Why doesn't grsecurity use LSM?'.
11. ^Matthew Conover. 'Analysis of the Windows Vista Security Model'. Symantec Corporation. Archived from the original on 2008-03-25. Retrieved 2007-10-08.
12. ^Steve Riley. 'Mandatory Integrity Control in Windows Vista'. Retrieved 2007-10-08.
13. ^Mark Russinovich. 'PsExec, User Account Control and Security Boundaries'. Retrieved 2007-10-08.
14. ^TrustedBSD Project. 'TrustedBSD Mandatory Access Control (MAC) Framework'. Retrieved 2008-03-15.
15. ^'sandbox_init(3) man page'. 2007-07-07. Retrieved 2008-03-15.
16. ^'SEPostgreSQL-patch'.
17. ^'Security Enhanced PostgreSQL'.
18. ^'Trusted RUBIX'.
19. ^(in Russian)Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации
20. ^'Official SMACK documentation from the Linux source tree'. Archived from the original on 2013-05-01.
21. ^Jonathan Corbet. 'More stuff for 2.6.25'. Archived from the original on 2012-11-02.
22. ^'zeromac.uk'.

References[edit]

• P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998.
• P. A. Loscocco, S. D. Smalley, Meeting Critical Security Objectives with Security-Enhanced Linux Proceedings of the 2001 Ottawa Linux Symposium.
• ISO/IEC DIS 10181-3, Information Technology, OSI Security Model, Security FrameWorks, Part 3: Access Control, 1993
• Robert N. M. Watson. 'A decade of OS access-control extensibility'. Commun. ACM 56, 2 (February 2013), 52–63.

External links[edit]

• Weblog post on the how virtualization can be used to implement Mandatory Access Control.
• Weblog post from a Microsoft employee detailing Mandatory Integrity Control and how it differs from MAC implementations.
• GWV Formal Security Policy Model A Separation Kernel Formal Security Policy, David Greve, Matthew Wilding, and W. Mark Vanfleet.

This article is for network administrators and others who manage their own network. If you're trying to join a Wi-Fi network, one of these articles should help:

• Mac: Connect to the Internet and check for Wi-Fi issues
• iPhone, iPad, iPod touch: Join a Wi-Fi network and resolve Wi-Fi issues

Follow these steps first

Before you change your settings, follow these steps:

• Make sure that your Wi–Fi router's firmware is up to date. For AirPort Time Capsule, AirPort Extreme, or AirPort Express Base Station, check for the latest firmware using AirPort Utility.
• Make sure that your Wi-Fi devices support the settings this article recommends.
• If possible, back up your Wi–Fi router's settings.
• Forget or remove the Wi-Fi settings for your network from any devices that connect to your Wi-Fi router. This will prevent the devices from attempting to connect to your network with the old configuration. You'll need to reconnect these devices to your network when you're done applying the new settings.
• Configure all Wi–Fi routers on the same network with the same settings. Otherwise, devices could have difficulty connecting to your network, or your network could become unreliable.
• If you're using a dual-band Wi–Fi router, configure both bands to have the same settings, unless otherwise noted below.

SSID or Wi-Fi network name

The SSID (service set identifier), or network name, identifies your Wi-Fi network to users and other Wi-Fi devices. It is case sensitive.

Set to: Any unique name

Choose a name that's unique to your network and isn't shared by other nearby networks or networks you're likely to encounter. If your router came with a default SSID, it's especially important that you change it to a different, unique name. Some common default SSID names to avoid are linksys, netgear, dlink, wireless, 2wire, and default.

If your SSID isn't unique, Wi-Fi devices will have trouble identifying your network. This could cause them to fail to automatically connect to your network, or to connect to other networks that share the same SSID. It might also prevent Wi-Fi devices from using all routers in your network, or prevent them from using all available bands of a router.

Hidden network

Hidden networks don't broadcast their SSID over Wi-Fi. This option might be incorrectly referred to as a closed network, and the corresponding nonhidden state might be referred to as broadcast.

Set to: Disabled

Because hidden networks don't broadcast their SSID, devices might need more time to find them and connect to them. Hiding a network doesn't secure your Wi-Fi network, because the SSID can still be discovered in other ways. You should always enable security on your Wi-Fi router.

MAC address authentication or filtering

Restricts access to a Wi-Fi router to devices with specific MAC (Media Access Control) addresses.

Set to: Disabled

When enabled, this feature allows a user to configure a list of MAC addresses for the Wi-Fi router, and restrict access to devices with addresses that are on the list. Devices with MAC addresses not on the list will fail to associate with the Wi-Fi network. MAC addresses can be changed easily, so don't rely on them to prevent unauthorized access to the network.

iOS 8 and later uses a randomized MAC address when running Wi-Fi scans. The scans are conducted when a device isn't associated with a Wi-Fi network and its processor is asleep. A device’s processor goes to sleep shortly after the screen is turned off. Wi-Fi scans are run to determine if a user can connect to a preferred Wi-Fi network. Enhanced Wi-Fi scans are run when a device uses Location Services for apps that use geofencing, such as location-based reminders, that determine if the device is near a specific location.

Security

The security setting controls the type of authentication and encryption used by your Wi-Fi router, which allows you to control access to the network and specify the level of privacy for data you send over the air.

Set to: WPA2 Personal (AES)

WPA2 Personal (AES) is currently the strongest form of security offered by Wi-Fi products, and is recommended for all uses. When enabling WPA2, be sure to select a strong password that can't be guessed by third parties.

If you have older Wi-Fi devices that don't support WPA2 Personal (AES), a good second choice is WPA/WPA2 Mode, also known as WPA Mixed Mode. This mode allows newer devices to use the stronger WPA2 AES encryption, while still allowing older devices to connect with older WPA TKIP-level encryption. If your Wi-Fi router doesn't support WPA/WPA2 Mode, WPA Personal (TKIP) mode is the next best choice.

For compatibility, reliability, performance, and security reasons, WEP is not recommended. WEP is insecure and functionally obsolete. If you must choose between WEP and TKIP, choose TKIP.

Due to serious security weaknesses, the WEP and WPA TKIP encryption methods are deprecated and strongly discouraged. Use these modes only if necessary to support legacy Wi-Fi devices that don't support WPA2 AES and can't be upgraded to support WPA2 AES. Devices using these deprecated encryption methods can't take full advantage of the performance and other features of 802.11n and 802.11ac. As a result, the Wi-Fi Alliance has directed the Wi-Fi industry to phase out WEP and WPA TKIP.

If your security is set to None or unsecured mode, you're using no authentication or encryption. Anyone can join your Wi-Fi network, use your Internet connection, access any shared resource on your network, and read any traffic you send over the network. Using an unsecured network is not recommended.

2.4GHz radio mode

This setting controls which versions of the 802.11n/ac standard the network uses for wireless communication on the 2.4GHz band.

Set to: Auto or 802.11n/ac

Routers that support 802.11 should be configured for 802.11n/ac for maximum speed and compatibility. Different Wi-Fi routers support different radio modes, so the setting varies depending on the router. In general, enable support for all modes. Devices can then automatically select the fastest commonly supported mode to communicate. Choosing a subset of the available modes prevents some devices from connecting. For example, 802.11ac devices can't connect to a Wi-Fi router in 802.11n-only mode. Also, choosing a subset of the available modes might cause interference with nearby legacy networks, and nearby legacy devices might interfere with your network.

5GHz radio mode

This setting controls which versions of the 802.11a/b/g/n standard the network uses for wireless communication on the 5GHz band. Newer standards support faster transfer rates, and older standards provide compatibility with older devices and additional range.

Set to: Auto or 802.11n/ac

Routers that support 802.11n should be configured for 802.11n/ac mode for maximum speed and compatibility. Different Wi-Fi routers support different radio modes, so the setting varies depending on the router. In general, enable support for all modes. Devices can then automatically select the fastest commonly supported mode to communicate. Choosing a subset of the available modes prevents older devices from connecting. For example, 802.11ac devices can't connect to a Wi-Fi router in 802.11n-only mode. Also, choosing a subset of the available modes might cause interference with nearby legacy networks, and nearby legacy devices might interfere with your network.

Channel

This setting controls which channel your Wi-Fi router uses to communicate.

Set to: Auto

For best performance, choose 'Auto' mode and let the Wi-Fi router select the best channel. If this mode isn't supported by your Wi-Fi router, choose a channel that's free from other Wi-Fi routers and other sources of interference. Read about possible sources of interference.

2.4GHz channel width

Channel width controls how large of a 'pipe' 'is available to transfer data. However, larger channels are more subject to interference and more likely to interfere with other devices. A 40MHz channel is sometimes called a wide channel, and a 20MHz channel is a narrow channel.

Set to: 20MHz

Use 20MHz channels in the 2.4GHz band. Using 40MHz channels in the 2.4GHz band can cause performance and reliability issues with your network, especially in the presence of other Wi-Fi networks and other 2.4GHz devices. A 40MHz channel might also cause interference and issues with other devices that use this band, such as Bluetooth devices, cordless phones, and neighboring Wi-Fi networks. Routers that don't support 40MHz channels in the 2.4GHz band do support 20MHz channels.

5GHz channel width

Channel width controls how large of a 'pipe' is available to transfer data. Larger channels are more susceptible to interference, and more likely to interfere with other devices. Interference is less of an issue in the 5GHz band than in the 2.4GHz band. A 40MHz channel is sometimes called a wide channel, and a 20MHz channel is a narrow channel.

Set to:
For 802.11n access points, set the 5GHz band to 20MHz and 40MHz.
For 802.11ac access points, set the 5GHz band to 20MHz, 40MHz, and 80MHz.

For best performance and reliability, enable support for all channel widths. This allows devices to use the largest width they support, which results in optimal performance and compatibility. Not all client devices support 40MHz channels, so don't enable 40MHz-only mode. Devices that support only 20MHz channels can't connect to a Wi-Fi router in 40MHz-only mode. Similarly, don't enable 80MHz-only mode, or only clients capable of 802.11ac will be able to connect. Routers that don't support 40MHz or 80MHz channels do support 20MHz channels.

DHCP

The Dynamic Host Configuration Protocol (DHCP) assigns addresses that identify devices on your network. Once assigned, devices use these addresses to communicate with each other and with computers on the Internet. The functionality of a DHCP server can be thought of as similar to a phone company handing out phone numbers, which customers then use to call other people.

Set to: Enabled, if it's the only DHCP server on your network

There should be only one DHCP server on your network. This DHCP server might be built in to your cable modem, DSL modem, or router. If more than one device has DHCP enabled, you will likely see address conflicts and have issues accessing the Internet or other resources on your network.

NAT

Network address translation (NAT) translates between addresses on the Internet and those on a local network. The functionality of a NAT provider is like that of a worker in an office mail room who takes a business address and an employee name on incoming letters and replaces them with the destination office number in a building. This allows people outside the business to send information to a specific person in the building.

Set to: Enabled, if it's the only router providing NAT services on your network

Generally, enable NAT only on the device that acts as a router for your network. This is usually your cable modem, your DSL modem, or your standalone router, which might also act as your Wi-Fi router. Using NAT on more than one device is called double NAT, and that can cause issues with accessing Internet services, such as games, Voice Over IP (VoIP), Virtual Private Network (VPN), and communicating across the different levels of NAT on the local network.

WMM

WMM (Wi-Fi Multimedia) prioritizes network traffic according to four access categories: voice, video, best effort, and background.

Set to: Enabled

All 802.11n and 802.11ac access points should have WMM enabled in their default configuration. Disabling WMM can cause issues for the entire network, not just Apple products on the network.

Location Services

Some countries or regions have regulations that affect wireless signal strength and the use of Wi-Fi channels. When you travel to other countries or regions, make sure that your devices have Location Services turned on so that you can connect to Wi-Fi networks in that country or region.

On your Mac:

1. Choose Apple menu > System Preferences, then click Security & Privacy.
2. Click in the corner of the window, then enter your password.
3. In the Privacy tab, select Location Services, then select Enable Location Services.
4. Scroll to the bottom of the list of apps and services, then click the Details button next to System Services.
5. In the Details dialog, select Wi-Fi Networking.

On your iPhone, iPad, or iPod touch:

1. Go to Settings > Privacy, then turn on Location Services.
2. Scroll to the bottom of the list, tap System Services, then turn on Wi-Fi Networking.
   

Wireless carrier Wi-Fi networks

Wireless carrier Wi-Fi networks are networks configured by your carrier and their partners. Your iPhone treats them as known networks and automatically connects to them. If you see 'Privacy Warning' under the name of your carrier's network in Wi-Fi Settings, your cellular identity might be exposed if a malicious hotspot impersonates your carrier's Wi-Fi network.

To prevent automatically joining your carrier’s Wi-Fi networks, tap Settings > Wi-Fi. Tap next to the network name and then turn off Auto-Join.