With the release of Apple's iOS 14.0, we are going to have some massive issues with blacklisting clients and ensuring devices stay connected on MAC address authenticated networks. Is there anything that Meraki can roll out to help mitigate these issues?
Good point, I hadn't thought of the blacklisting. We do this in two ways, device and/or email address (if public and on splash page). Normally device isn't easy to change, but email is. Now both are essentially easy to change.
It does make it very hard to build an open public network (such as guest networks) when Apple does things like this.
The funny thing is - I think this will erode privacy - not improve it.
At the moment, you can often just connect to a public network, and the only information they have on you is a MAC address - which on its own is useless.
Now public networks are going to have to collect personally identifiable information like your name, email address, possible mobile number, and then find some way for you to prove who you are before they can give you access.
Technically you can block clients using randomization but it needs some smarts on your RADIUS server side of things. Look for the second-least-significant bit of the first octet of the MAC address to be a 1 (this is a locally administered address marker) and deny it if a client matches it; look for the least-significant bit to be a 0 as well if you want to specifically target unicast.
Your problem if you successfully create the policy is that users would need to know how to turn off the MAC randomization for the SSID(s) in order to be able to connect
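As an added example, not code from this thread or from Meraki, here is the bit test described in the post above written out in Python as a policy helper that a RADIUS server could call (for instance from an exec or Python policy module). It assumes the NAS sends the client MAC in Calling-Station-Id in one of the usual formats (colon, hyphen, Cisco dotted or bare hex) and that the allowlist is a set of lowercase colon-separated MACs; the sample addresses are constructed for illustration, not captured from a real network.

```python
import re

# IEEE 802 address flags live in the first octet:
#   bit 1 (0x02) = U/L, set on locally administered (including randomized) addresses
#   bit 0 (0x01) = I/G, set on group (multicast/broadcast) addresses
LOCALLY_ADMINISTERED = 0x02
GROUP = 0x01


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex
    and return the lowercase colon-separated form; raise ValueError otherwise."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_locally_administered(mac: str) -> bool:
    """Second-least-significant bit of the first octet set (the marker the post describes)."""
    return (first_octet(mac) & LOCALLY_ADMINISTERED) != 0


def is_unicast(mac: str) -> bool:
    """Least-significant bit of the first octet clear."""
    return (first_octet(mac) & GROUP) == 0


def is_randomized(mac: str) -> bool:
    """Unicast and locally administered: what a randomized client address looks like."""
    return is_unicast(mac) and is_locally_administered(mac)


def evaluate(calling_station_id: str, allowlist, block_randomized: bool = True):
    """Decide one MAC-authentication request. Returns (decision, reason)."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return "Access-Reject", str(exc)
    if not is_unicast(mac):
        return "Access-Reject", f"{mac}: group (multicast/broadcast) address"
    if block_randomized and is_locally_administered(mac):
        return "Access-Reject", f"{mac}: locally administered address (MAC randomization likely on)"
    if mac in allowlist:
        return "Access-Accept", f"{mac}: known device"
    return "Access-Reject", f"{mac}: unknown device"


# Constructed sample Calling-Station-Id values (hypothetical addresses).
SAMPLE_REQUESTS = [
    "00:11:22:33:44:55",   # globally administered, on the allowlist
    "0011.2233.4455",      # same device, Cisco dotted format
    "DA-A1-19-00-11-22",   # first octet 0xda: U/L bit set, unicast -> randomized
    "01:00:5e:00:00:fb",   # I/G bit set: group address, never a client
    "garbage",             # malformed attribute
]
ALLOWLIST = {"00:11:22:33:44:55"}

if __name__ == "__main__":
    for csid in SAMPLE_REQUESTS:
        decision, reason = evaluate(csid, ALLOWLIST)
        print(f"{csid:<20} {decision:<14} {reason}")
```

Two caveats a deployment would want to keep in mind: the U/L bit is not exclusively a randomization marker (container bridges, some virtual NICs and manually assigned addresses set it too), so this policy rejects anything locally administered rather than proving the client is randomizing; and, as the post notes, a rejected user then has to know to turn off the private address setting for that SSID before the allowlist lookup can ever match.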
No, I totally agree. But like I said, is anything available? Meraki has been a huge help in simplifying our organization's network management, so it's only fitting to ask. Maybe something could be on the horizon, or some suggestions for best practices I might not be aware of.
If your Apple device is enrolled in Systems Manager, you can disable MAC randomization within any wireless profile you push - though possibly with the exception of a Sentry profile, currently. The device user can, of course, choose to turn off MAC randomization themselves: https://support.apple.com/en-us/HT211227 I suspect, once people are being required to login far more often, by WiFi setups that can no longer readily spot them as being them, this might happen quite a lot.
MAC address randomisation (or "Private address" as iOS settings call it) on iOS 14 breaks Systems Manager sentry enrolment which we've relied on for the last 3 years. 😐
The sequence goes like this:
1) The user connects to the SSID, attempts to browse and is redirected to the enrolment page by the Sentry.
2) The user downloads and installs the MDM profile which registers the MAC address of the device in MDM.
3) Meraki whitelists the MAC address found in the MDM profile on the SSID to allow the user to access the internet.
4) The WiFi MAC address of the device does not match the MDM MAC address so the user remains trapped in the Sentry, being redirected back to reinstall the profile again and again...
So far I haven't found any fix other than telling users to manually turn off the Private Address setting in their WiFi settings, which is a huge pain in the neck when you have hundreds of users and they're all under 18 so aren't good at following instructions...
While there is an MDM profile setting to disable Private address it looks like it can only be applied to WiFi networks which are deployed by profile. We don't use WiFi profile deployment for BYO devices - users have their own individual usernames and passwords to gain access to the SSID, and the Sentry then takes care of ensuring they enrol their device before they can have internet access. (Although that is also broken at the moment due to an unrelated issue)
Once again Apple adds a "user privacy" feature which breaks enterprise use of iOS devices without providing an enterprise mechanism to turn it off!
Thanks for the reply. I watched your video as well but as we don't push out WiFi protocols for BYO devices (users have their own username and password authenticated via radius) that doesn't help our situation. (Although I have enabled that in the WiFi profile we push to company owned and managed devices before they update to iOS 14)
One small saving grace is that Systems Manager Sentry is not able to authorize a device with MAC randomisation enabled (since it can't correlate the WiFi and MDM MAC addresses) so a user can't get past the sentry until they manually disable MAC randomisation in their WiFi settings. Not very user friendly (they need to be informed out-of-band that they need to do this) but at least it prevents devices connecting and being able to use WiFi until this is done, and at that point all MAC based functionality will be working again.
I agree that there needs to be a device wide MDM setting for this for enterprises to disable this feature on their managed devices, although even then they would still initially connect with a randomised MAC address until they had enrolled and received the profile, at which point the device would presumably reconnect with the correct MAC address, leaving behind a "ghost" device in the WiFi device list.
A bit of a mess really, but this is typical of Apple introducing far-reaching changes to how fundamental technology works without providing a way for enterprises to manage it properly.