Disable Wake for Network Access

What the Wake for Network Access disabler does

This Automox Worklet™ disables Wake for Network Access (WoL) on macOS endpoints by modifying the system power settings. The Worklet uses the pmset command to set the womp (wake on magic packet) parameter to 0, preventing endpoints from responding to network wake requests.

When an endpoint has Wake for Network Access enabled, other endpoints on the same network can send magic packets to remotely wake it from sleep mode. This feature simplifies IT operations in some scenarios but introduces security risks by providing an additional attack surface.

The Worklet completely eliminates this remote activation capability, verifying endpoints remain in their intended power states without external network interference.

Why disable Wake for Network Access on macOS

Wake for Network Access creates a security vulnerability by allowing unauthorized users to remotely activate endpoints over Wi-Fi. Attackers on the same network, or attackers who have compromised network infrastructure, can send specially crafted packets to wake sleeping endpoints and potentially gain access to system resources.

Disabling this feature aligns with security best practices and helps you meet compliance requirements from frameworks like CIS Benchmarks and NIST 800-53. You maintain control over endpoint power states while reducing the number of potential attack vectors.

For organizations managing fleet security across macOS endpoints, automating this configuration through The Worklet maintains consistent security posture without requiring manual intervention on each endpoint.

How Wake for Network Access disabling works

1. Evaluation phase: The Worklet queries the current power settings using pmset -g and checks the womp parameter value. If the value is 1 (enabled), the evaluation fails and the Worklet proceeds to remediation. If the value is 0 (disabled), no remediation is needed.

2. Remediation phase: The Worklet executes pmset -a womp 0 to disable Wake for Network Access across all power profiles on the endpoint. This change persists across sleep and wake cycles.

Wake for Network Access configuration requirements

• macOS 10.13 (High Sierra) or later

• Root or administrator privileges to modify system power settings

• Access to the pmset command-line utility

• Wireless network adapter present on the endpoint

• No conflicting Mobile endpoint Management (MDM) policies that override power settings

Expected endpoint behavior after remediation

After the Worklet completes successfully, endpoints will no longer respond to Wake for Network Access requests. Even if another endpoint on the network sends a magic packet or similar wake trigger, the endpoint remains in its current power state (sleep, hibernate, or off).

Users can verify the change by opening System Preferences and navigating to Energy Saver. The Wake for network access checkbox will be unchecked. You can also confirm the setting using the command pmset -g and verifying that womp shows 0. This configuration prevents all remote activation methods while preserving normal power management and sleep scheduling.

How to validate disable wake for network access changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for disable wake for network access.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as pmset, else, exit, then rerun evaluation for compliance.