diff --git a/hosts/common/programs/modemmanager.nix b/hosts/common/programs/modemmanager.nix
index a6a682591..a9a6f07d9 100644
--- a/hosts/common/programs/modemmanager.nix
+++ b/hosts/common/programs/modemmanager.nix
@@ -3,16 +3,33 @@
 let
 cfg = config.sane.programs.modemmanager;
 in
 {
- sane.programs.modemmanager = {};
+ sane.programs.modemmanager = {
+ # mmcli needs /run/current-system/sw/share/dbus-1 files to function
+ enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+ };
 systemd.services.ModemManager = lib.mkIf cfg.enabled {
+ aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
+ after = [ "polkit.service" ];
+ requires = [ "polkit.service" ];
+ wantedBy = [ "network.target" ];
 serviceConfig = {
+ Type = "dbus";
+ BusName = "org.freedesktop.ModemManager1";
 # only if started with `--debug` does mmcli let us issue AT commands like
 # `mmcli --modem any --command=`
- # N.B.: the extra "" in ExecStart serves to force upstream ExecStart to be ignored
- ExecStart = [ "" "${pkgs.modemmanager}/bin/ModemManager --debug" ];
+ ExecStart = "${cfg.package}/bin/ModemManager --debug";
 # --debug sets DEBUG level logging: so reset
- ExecStartPost = [ "${pkgs.modemmanager}/bin/mmcli --set-logging=INFO" ];
+ ExecStartPost = "${cfg.package}/bin/mmcli --set-logging=INFO";
+
+ Restart = "on-abort";
+ StandardError = "null";
+ CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
+ ProtectSystem = true;
+ ProtectHome = true;
+ PrivateTmp = true;
+ RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
+ NoNewPrivileges = true;
 };
 };
 }
diff --git a/hosts/common/programs/networkmanager.nix b/hosts/common/programs/networkmanager.nix
index a84429a84..acd4a65c1 100644
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
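Review bot: The new `ExecStart` line bakes `--debug` into every boot, and by the comment above it that flag is what enables the raw AT-command passthrough (`mmcli --modem any --command=`); the polkit rule this commit adds in networkmanager.nix then grants every `org.freedesktop.ModemManager` action to the networkmanager group, so any member of that group can drive the modem with arbitrary AT commands without further authentication. If that is the intent, record it next to the flag, e.g. `# NOTE: --debug also exposes raw AT passthrough to every principal polkit lets talk to org.freedesktop.ModemManager1`; otherwise gate the flag behind a module option so the default boot runs without it. `StandardError = "null"` discards whatever the daemon writes to stderr, which is where a `--debug` run's early start-up failures would otherwise be visible — presumably carried over from the nixpkgs service, but worth a one-line comment saying so. `CapabilityBoundingSet` keeps `CAP_SYS_ADMIN`, which is close to root; I cannot tell from here whether ModemManager needs it in this setup, so at least note why it is retained.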
@@ -14,7 +14,8 @@ in
 enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
 };
- # these aren't the complete services, but just the fields Nix needs to manually set/override from the package's official service file
+ # add to systemd.packages so we get the service file it ships, then override what we need to customize (taken from nixpkgs)
+ systemd.packages = lib.mkIf cfg.enabled [ cfg.package ];
 systemd.services.NetworkManager = lib.mkIf cfg.enabled {
 wantedBy = [ "network.target" ];
 aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
@@ -61,8 +62,17 @@ in
 networkmanager.gid = config.ids.gids.networkmanager;
 };
 services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
- # add to systemd.packages so we get the service file it ships
- systemd.packages = lib.mkIf cfg.enabled [ cfg.package ];
+ security.polkit.enable = lib.mkIf cfg.enabled true;
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.isInGroup("networkmanager")
+ && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+ || action.id.indexOf("org.freedesktop.ModemManager") == 0
+ ))
+ { return polkit.Result.YES; }
+ });
+ '';
 boot.kernelModules = [ "ctr" ]; #< TODO: needed (what even is this)?
 # TODO: polkit?
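Review bot: The ModemManager prefix in the new polkit rule, `"org.freedesktop.ModemManager"`, has no trailing separator while the NetworkManager prefix ends in `.`; ModemManager's action ids live under `org.freedesktop.ModemManager1.`, so the check should read `|| action.id.indexOf("org.freedesktop.ModemManager1.") == 0` to match only that namespace. As written the rule also hands the group every ModemManager1 action, not just what NetworkManager needs to bring up a connection (messaging and location actions sit in the same namespace, as far as I recall), and it does so without consulting `subject.local` or `subject.active`; if that breadth is deliberate, a comment above `security.polkit.extraConfig` should say so. The `# TODO: polkit?` line at the end of the hunk is answered by this change and should be dropped. The enclosing attrset continues outside the hunk.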