Set-Service lfsvc -StartupType Automatic
Start-Service lfsvc
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v Value /t REG_SZ /d Allow /f

• To configure Trusted Networks, you need to go to Settings -> Configuration -> Trusted Network -> Create New

  
   

• Once you click on Create New, you will be able to see the configuration page of the Trusted Network

• You can select the Network Type as either SSID, Wired, or Wireless.

• When you select Network Type as SSID, add the SSID of the WI-FI network you are connected. 
   
  • SSID is the name of a Wi-Fi network. For example, when you are in the office, you may see a Wi-Fi network called “Office_WiFi” on your devices. That name is the SSID. It is simply the visible name of the wireless network that allows users to identify and connect to the internet. 

• When you select the Network Type as Wired, you need to add the Source MAC address. To find the MAC address, you can use the following methods:

  For Windows:
  
  Run the following PowerShell script as an administrator. 

  $string = (Get-NetAdapter | Select-Object InterfaceDescription, MediaType, ifIndex, Status | Where-Object { $_.Status -eq "Up" }| Sort-Object -Property ifIndex | Select -First 1).MediaType
  if ($string -like "*.11*") { 
  $bssidOutput = netsh wlan show interfaces | Select-String "BSSID"
  if ($bssidOutput.Count -gt 0){
  $address=[regex]::Match($bssidOutput, '([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}').Value
  Write-Host("wireless",$address)
  }else{
  Write-Host("Error","Interface details not found for Wifi adaptor.")
  }
  }else{
  $gateways = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object -ExpandProperty DefaultIPGateway)
  $arpOutput = 0
  if ($gateways.Count -eq 1) {
  $arpOutput = arp -a | Select-String -Pattern "^\s*$gateways\s+([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
  } elseif ($gateways.Count -gt 1) {
  $gateway=$gateways[0]
  $arpOutput = arp -a | Select-String -Pattern "^\s*$gateway\s+([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
  }
  else {
  Write-Host("Error","Gateways not found")
  }
  if ($arpOutput -ne 0){
  if ($arpOutput.Count -eq 1) {
  $address=[regex]::Match($arpOutput[0].ToString().Trim(), '([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}').Value
  Write-Host("wired",$address)
  } elseif($arpOutput.Count -gt 1) {
  $address=[regex]::Match($arpOutput[1].ToString().Trim(), '([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}').Value
  Write-Host("wired",$address)
  } else {
  Write-Host("Error","ARP details not found for the gateway.")
  }
  }
  }

   

  Example: 

  

  Once the MAC address has been obtained, add it to your Trusted Network under the Wired configuration.

  

   

  For MacOS: 

  Run the script in the Terminal.

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' 
| while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/BSSID/{print $2}')
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

• When you select the Network Type as Wireless, you need to set the BSSID. You can use the same script used to retrieve the MAC address on a Wired connection
   
  • A BSSID  is a unique identifier assigned to a specific wireless access point that is broadcasting a Wi-Fi network. It is typically the MAC address of that access point’s wireless interface.

For example on Windows:

Once the MAC address has been obtained, add it to your Trusted Network under the Wireless configuration.

• Make sure to save all your changes. 

On macOS devices, sometimes, the script above may not work as expected, and the result may be empty. This can be about EPP or AV. Therefore, you may consider using 2 different alternative scripts, which must be run over Terminal as well, below:

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' | while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/BSSID/{print $2}')
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

interface=$(networksetup -listnetworkserviceorder | awk -F': ' '/Device: / {gsub(/[ )]/, "", $3); if(length($3) > 0) print $3}' | while read -r line; do interface_status=$(ifconfig "$line" 2>/dev/null | grep status | awk '{print $2}'); if [[ "$interface_status" == "active" ]]; then echo "$line"; break; fi; done)
summary=$(ipconfig getsummary "$interface")
if echo "$summary" | grep -q "BSSID"; then
echo "wireless" $(sudo ioreg -l -n AirPortDriver | grep -o 'IO80211BSSID.*<[0-9a-fA-F]*>' | awk -F '<|>' '{print $2}' | fold -w2 | paste -sd: -)
else
default_gateway=$(route -n get default | awk '/gateway:/{print $2}')
echo "wired" $(arp -a | grep "$default_gateway" | awk '{print $4}' | head -n 1)
fi

• As a final step, you need to enable the Trusted Network feature on the Agent Profiles as shown in the image below, and click Save. Please note that this feature can be enabled on Windows and/or macOS.
  
  
   
• If you created a new agent profile, it's important to note that when a new agent profile is created, the agent profile needs to be manually reordered and applied (dragged and dropped) in the hierarchy to ensure the new agent profile is applied.
  

Note: As part of the recent changes in macOS Sonoma, Apple has restricted access to the BSSID necessary for defining Wireless Trusted Networks. The Sonoma update now requires Location Services to be enabled to access BSSID information. This change has impacted how Trusted Networks are managed on macOS devices.

Consequently, for macOS Sonoma and later versions, the Trusted Network feature in Timus Connect will now utilize the SSID instead of BSSID. This change ensures compliance with Apple's updated privacy and security guidelines.

We recommend that all macOS users and administrators update their settings to use SSID for defining Trusted Networks. Although it is technically possible to enable Location Services to access BSSID, we are currently evaluating the potential legal and privacy implications of requesting such permissions.

For more details on how Apple's changes affect network management, please refer to discussions in the Apple Developer Forums, where even Apple engineers have acknowledged these changes.

You can find more details here: Apple Developer Forums.

Note 2: Why is Location Service required for Trusted Network on Windows and macOS?

Windows
Windows classifies Wi-Fi scan results as location data. As a result, commands and system APIs that access nearby Wi-Fi information require Location Services to be enabled. This design prevents applications from inferring a user’s physical location without explicit consent.

macOS
On macOS, nearby Wi-Fi and Bluetooth signals are considered precise location indicators. Apple restricts access to Wi-Fi scanning unless Location Services are enabled and the appropriate permissions are granted.

Summary
On both operating systems, Wi-Fi data can be used to infer physical location. Therefore, OS-level privacy controls require Location Services to be enabled in order to perform Trusted Network detection.

Unfortunately, this change was not a decision on our side; it originates from operating system vendors.
 
Both Microsoft and Apple have recently modified how applications can access Wi-Fi information. In particular, access to the Wi-Fi BSSID (the MAC address of an access point) is now restricted and requires location permission.
 
The reason for this policy is that BSSID information can be used to infer a device’s physical location. Large databases map Wi-Fi access points to geographic coordinates, which allows applications to estimate a user’s location even when GPS is not enabled. To prevent applications from determining a user’s location without consent, operating systems now classify Wi-Fi scan results as location-sensitive data and therefore require location permissions before this information can be accessed.
 
For further details, please refer to the following sources:
 
Windows: Changes to API behavior for Wi-Fi access and location
https://learn.microsoft.com/en-us/windows/win32/nativewifi/wi-fi-access-location-changes
 
Apple discussion regarding Wi-Fi BSSID and location permissions
https://discussions.apple.com/thread/256000297?answerId=261244473022&sortBy=rank#261244473022

Updated May 08, 2026 21:00