How to manage or disable MAC randomization in iOS and iPadOS 14

Apple's newest feature enhances network security, but it may cause disruptions when users join wireless networks from iOS devices. Here's how to work around them.

[Image: Apple devices. Credit: iStock/Ivan-balvan]

Apple released iOS 14 and iPadOS 14, the latest versions of its mobile operating systems, in September. While the rollout has been largely trouble-free for users and for enterprises deploying the update, one specific hiccup in the way devices connect to wireless networks has been causing some kerfuffle in organizations.


The issue comes from MAC randomization, also called the Private Address feature, which protects a device on a wireless network by masking its true MAC address with a generated one. The goal is to keep the device, its user, and their whereabouts from being tracked by MAC address while they use the network they are connected to.

The aim of this feature is to protect users from being tracked while on public hotspots. And while the feature works as designed, it also has the added downside of limiting or altogether preventing access to certain wireless networks or network services, depending on the network or service's configuration. This has been causing headaches for networks relying on the true MAC address of the device to provide access to networks and services.

Luckily, the feature does not affect all wireless network vendors or all network implementations. Plus, the way in which the feature is incorporated into iOS and iPadOS makes it relatively easy to correct or disable—either by the users themselves or through Mobile Device Management (MDM) if the device is enrolled and configured appropriately. Below, we look at how to identify whether MAC randomization is enabled, which services are most commonly affected, and how to work around it to re-establish access to networks and services.

One MAC per SSID that changes often

Part of the MAC randomization or private address spec requires that a new MAC address be generated—at random—for each SSID (wireless network) a device connects to. Also, this private address must be unique for each network, so if you connect to Wi-Fi at home, work, and the local coffee shop, a new private address will be generated for each of the different networks accessed. Every 24 hours a new private address will be regenerated, adding another layer of security and complexity.


Note: Apple has yet to provide clarity on the 24-hour regeneration time frame. Some vendors have observed it while others have not. Despite this, Apple has said that the additional step of periodically re-randomizing MAC addresses will be offered as a complementary setting to this feature in the future.

Identifying if MAC randomization is enabled

Identifying the private address used on a device locally is as easy as going to Settings, Wi-Fi, then tapping on the connected wireless network's name to view the configuration. If the Private Address setting is enabled, the Wi-Fi Address setting below it will display the private address being used.

Identifying the private address used on devices remotely is a bit more difficult. If the device is managed with an MDM, open the record of the device in question and look up the MAC address in the most recently updated device info. If the MAC address displayed matches one of the formats below, the device most likely has a private address enabled. These are the addresses whose "locally administered" bit (the second-lowest bit of the first octet) is set, which is what distinguishes a generated address from a manufacturer-assigned one, and it is why the second hex digit is always 2, 6, A, or E:

  • X2:XX:XX:XX:XX:XX
  • X6:XX:XX:XX:XX:XX
  • XA:XX:XX:XX:XX:XX
  • XE:XX:XX:XX:XX:XX

Common services affected by using a private address

Let me stress that enabling MAC randomization does not inherently mean the following services will be affected nor that the list is exhaustive. To what degree private addresses affect access to networks or services will come down to how the network or service is configured and how the wireless equipment vendor handles MAC randomization.

DHCP

The IP address leasing service may not be able to assign an address to a device presenting a randomized MAC address. Some devices appear to time out while requesting an IP address, which prevents them from accessing the network or its resources. In other cases, the DHCP server still holds a lease bound to the device's true MAC address, for example from a connection made before the device was updated to iOS 14. When the device reconnects using its private address, it is handed the same IP that was bound to the true MAC address, creating duplicate IP address entries in the DHCP database.
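The two checks described above, recognizing a randomized address by its first octet and spotting an IP that is now bound to two MACs, as an added example (not from the original article; the DHCP lease lines are constructed, and the export format is assumed to be one `ip mac hostname` triple per line):

```python
"""Classify Wi-Fi MAC addresses as hardware or locally administered (the iOS 14
Private Address) and flag IPs leased to more than one MAC.

Added example; the lease lines below are constructed, not from a real DHCP server."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def mac_kind(mac: str) -> str:
    """Return 'private', 'hardware', 'multicast' or 'invalid'.

    A randomized address sets the locally administered bit (0x02) of the
    first octet and clears the multicast bit (0x01), so its second hex
    digit is 2, 6, A or E: the X2/X6/XA/XE patterns listed in the text."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return "invalid"
    first = int(m.group(1), 16)
    if first & 0x01:
        return "multicast"
    return "private" if first & 0x02 else "hardware"

# Constructed DHCP lease export, one "<ip> <mac> <hostname>" per line.
SAMPLE_LEASES = """
10.0.20.15 a4:83:e7:11:22:33 ipad-finance
10.0.20.15 d6:3f:0a:9c:55:01 ipad-finance
10.0.20.16 3c:22:fb:44:55:66 macbook-ops
10.0.20.17 7a:91:2c:de:ad:01 iphone-sales
"""

def audit_leases(text: str):
    """Return (kind_by_mac, ips_with_more_than_one_mac)."""
    kinds, macs_by_ip = {}, defaultdict(set)
    for line in text.strip().splitlines():
        ip, mac, *_ = line.split()
        kinds[mac] = mac_kind(mac)
        macs_by_ip[ip].add(mac)
    dupes = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    return kinds, dupes

if __name__ == "__main__":
    kinds, dupes = audit_leases(SAMPLE_LEASES)
    for mac, kind in kinds.items():
        print(f"{mac}  {kind}")
    for ip, macs in dupes.items():
        print(f"{ip} leased to {len(macs)} MACs: {', '.join(macs)}")
```

In the sample, the iPad that kept its hostname but came back with a private address is the one that now shares 10.0.20.15 with its own hardware MAC.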


MAC filtering

MAC filtering grants network access, internet access, or both only to a specified list of device addresses. If the filter is keyed on the true MAC address of a device, a device that connects with the private address feature enabled presents a different MAC address and will likely be blocked from the network or its resources.

Mobile Device Management

Similar to MAC filtering above, some MDM vendors identify a device's record in their database by a unique number they assign, while others key it on the serial number or the MAC address. Because the private address differs from the true MAC address, affected devices may stop updating their status on the MDM server or, worse, stop exchanging any data with it, including configuration profiles and app deployments. The device then becomes not only unmanageable but also misses the latest security settings, configuration, and required apps.


Connected to network but no network access

Another common behavior affecting wireless systems from several different vendors is that devices will connect to wireless networks and may even obtain a valid IP on the network's subnet but will fail to transmit or receive any data. This is especially true if the device stored connectivity profiles from before updating to iOS 14.

Turn off the private address feature

While there are some potential solutions to mitigate the effects of MAC randomization on your networks, many of these solutions are site-specific, depending almost exclusively on how your particular network is set up.


For a more user-centric solution to resolving this issue locally, users can simply go to Settings, Wi-Fi, then tap on the wireless network they are trying to connect to, and toggle Private Address Off. Do note that the private address feature is one that works per-network, so if there are 20 different saved networks on the device, the user will need to manually toggle off the setting once for each network. The good news is that not every network may require a private address to be turned off, so it only needs to be done on those that are being affected by connectivity issues.

For a holistic solution that resolves the issue remotely, administrators of devices enrolled in an MDM solution can create a configuration profile with a Wi-Fi payload that names the wireless network to modify and enables the setting "Disable association MAC address randomization." This changes the settings of the named SSID and disables private addresses for that network in one step. A single configuration profile may carry several Wi-Fi payloads, disabling MAC randomization for multiple SSIDs at once.
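The profile described above, built with Python's standard plistlib, as an added example that is not Apple's or any MDM vendor's code: the payload keys are those of Apple's Wi-Fi payload (`com.apple.wifi.managed`, where the setting above is the `DisableAssociationMACRandomization` key), while the SSIDs, the `com.example.wifi` identifier prefix, the WPA2 encryption type and the passphrase placeholder are constructed assumptions.

```python
"""Build an iOS configuration profile that turns off the iOS 14 Private Address
for several SSIDs at once, one Wi-Fi payload per network.

Added example, not Apple's or any MDM vendor's code. Keys follow Apple's
Wi-Fi payload (com.apple.wifi.managed); the SSIDs, identifier prefix and
passphrase placeholder are constructed."""
import plistlib
import uuid

ORG_PREFIX = "com.example.wifi"  # constructed reverse-DNS identifier prefix
# Constructed SSIDs with a placeholder passphrase; replace before deploying.
NETWORKS = {"Corp-WiFi": "REPLACE-ME", "Corp-Guest": "REPLACE-ME"}

def wifi_payload(ssid: str, passphrase: str) -> dict:
    """One com.apple.wifi.managed payload with MAC randomization disabled."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": passphrase,
        # iOS 14+: same effect as the user toggling Private Address off
        # for this network in Settings > Wi-Fi.
        "DisableAssociationMACRandomization": True,
    }

def build_profile(networks: dict) -> dict:
    """Top-level Configuration profile carrying one Wi-Fi payload per SSID."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.disable-private-address",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi: disable Private Address",
        "PayloadContent": [wifi_payload(s, p) for s, p in networks.items()],
    }

def profile_xml(networks: dict = NETWORKS) -> bytes:
    """Serialize the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(build_profile(networks))

def parse_profile(data: bytes) -> dict:
    """Read a profile back (handy for checking what the MDM will push)."""
    return plistlib.loads(data)
```

Write the bytes returned by profile_xml() to a file with a .mobileconfig extension and upload it to the MDM for distribution to the affected devices.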
