You can disable the MODE button on a Cisco AP. Why do you ask? This command prevents unauthorized users from gaining access to the access point CLI and creating a "inside rogue".
I consulted at a government agency and part of their requirements was to disable all means except
console access which also included disabling the MODE button. They feared someone could reset the AP and reconfigure it as a "inside rogue".
console access which also included disabling the MODE button. They feared someone could reset the AP and reconfigure it as a "inside rogue". By default the MODE button is enabled.
ap#config t
ap(config)#boot mode-button
Negate
ap(config)#no boot mode-button
SHOW BOOT
ap#show boot
BOOT path-list:
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: no
Manual Boot: no
Enable IOS Break: no
HELPER path-list:
NVRAM/Config file
buffer size: 32768
Mode Button: on
NOTE:
If you lose the privileged EXEC mode password for the access point after entering this command, you will need to contact the Cisco Technical Assistance Center (TAC) to regain access to the access point CLI.