Identity=unix-group:admin;unix-group:sudo This works for Ubuntu because they default to using sudo. It will not help Debian systems with a root password, which do not put the desktop user in the sudo group. It would work if you used the netdev group. I don't know if that is a good idea.
Why not make network-manager default to having "Available to all users" unchecked. Then it would not prompt for passwords for new wifi networks. This would mean that, until the desktop user logs in, the machine would not be on the network, so for reliable remote access, the admin would need to override this new default, and enter their password. Seems sane to me. -- see shy jo
signature.asc
Description: Digital signature
