How to disable macOS’s hotspot login float-over window

Alfabeck Lauder finds the way in which Apple manages Wi-Fi logins at public networks a bit maddening:

When I’m travelling, I frequently gain access to the Internet on my Mac via public Wi-Fi networks. Before I can connect, I’m invariably confronted with a window, (“magic window”) giving me instructions and the means for connecting/disconnecting to/from the Internet and monitoring my usage. What on earth are these?

Lauder dislikes these windows because they float above everything else, can’t be resized, and don’t seem to be attached to any app. Lauder lives in a remote location and uses a combination of mobile hotspot and Wi-Fi router, so he sees this magic window (I like the term) all the time, and it interferes with his ability to manage his setup.

Among other things:

…if I inadvertently leave a magic window open when putting my computer to sleep, the system sometimes freezes when waking, necessitating a restart.

Lauder is hitting a feature Apple added to make it easier to log in at Wi-Fi hotspots that use a so-called “captive portal” page with which you have to interact before you gain access to the network. iOS has a similar feature, presented in the same overlay manner, no matter what you’re doing.

Captive portals have to let a computer or mobile device connect to the Wi-Fi network, but intercept all that traffic until it’s been given approval. These portals fake the domain name system (DNS) lookup values for any network connection made, including in a browser, which lets them display a login page. (These portals also typically use the unique network identifier—the MAC address—built into all Wi-Fi and ethernet hardware, to prevent a bypass without approval.)

Tom Bridge

Gaining approval is sometimes as simple as clicking an I Agree button or entering an email (even a fake one) and checking a box that says you agree to network-use policies. Other times, you have to enter account information or pay for access, as in a hotel or conference center. Software like that from Boingo Wireless that ties you into paid networks can bypass all this by sending credentials and automatically joining a preferred network.

This captive portal screen floats on top of everything else as a design choice to help people figure out that they don’t truly have network access. Because you can’t reach the Internet, every network activity you engage in or that your system handles in the background breaks. So you can see the thinking behind this.

How does Apple know you’re connected to a captive hotspot? This is what’s tripping Lauder up. In iOS and on the Mac, whenever you connect to any Wi-Fi network, the operating system tries to perform a DNS lookup for the address www.apple.com and then check in with an Apple server. If the returned address isn’t correct or the connection to a test page doesn’t go through but it gets some response, it means you’re connected to a portal. Apple then displays the page return in Lauder’s “magic window.” (Once Apple had trouble with its DNS, which prompted the hotspot login screen to appear on everyone’s attempt to connect to a network everywhere.)

In years past, you could modify system settings values and even use a defaults write command, but those seem to have stopped working with El Capitan. Fortunately, there’s a simple solution. The easiest way to disable this behavior is to rename the helper app that creates the login page.

Because of System Integrity Protection (SIP), a feature introduced in El Capitan to protect system files from modification by malware, you can’t just move the file if you have that feature enabled (it’s on by default). Follow our instructions to restart your Mac in Recovery mode and disable SIP. Restart and follow the steps below. Then restart again to re-enable SIP. (The instructions are for El Capitan, but work identically for Sierra.)

1. In the Finder, select Go > Go To Folder.
2. Enter /System/Library/CoreServices and hit return.
3. Find Captive Network Assistant, click it, and rename it with an extra word, like Captive Network Assistant Do Not Launch and press return.
4. Enter your password when prompted to make the change.

Now, when you connect to any portal-protected hotspot, or even Lauder’s home network setup, the app shouldn’t launch and you should be able to proceed in bliss.

Because macOS can be self repairing and install missing components during updates, you may have to repeat these steps in the future if it recurs. This approach should work in Mac OS X 10.8 to 10.11 and macOS Sierra.

Ask Mac 911

We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.