iOS 14.0 MAC Address Randomization

jetaylor
Here to help

With the release of Apple's iOS 14.0, we are going to have some massive issues with blacklisting clients and ensuring devices stay connected on MAC address authenticated networks. Is there anything that Meraki can roll out to help mitigate these issues?

https://support.apple.com/en-us/HT211227

Thanks for all you guys do!

AnythingHosted
Building a reputation

Hello, here is another topic:

https://community.meraki.com/t5/Wireless-LAN/Impact-of-iOS-14-random-MAC-on-IPSK-and-Meraki-function...

Good point, I hadn't thought of the blacklisting. We do this in two ways, device and/or email address (if public and on splash page). Normally device isn't easy to change, but email is. Now both are essentially easy to change.

PhilipDAth
Kind of a big deal

It does make it very hard to build an open public network (such as guest networks) when Apple does things like this.

The funny thing is - I think this will erode privacy - not improve it.

At the moment, you can often just connect to a public network, and the only information they have on you is a MAC address - which on its own is useless.

Now public networks are going to have to collect personally identifiable information like your name, email address, possible mobile number, and then find some way for you to prove who you are before they can give you access.

@jetaylor This is something that is out of Meraki's control. 

No, I totally agree. But like I said, is anything available? Meraki has been a huge help in simplifying our organization's network management, so it's only fitting to ask. Maybe something could be on the horizon, or some suggestions for best practices I might not be aware of.

WB
Building a reputation

Technically you can block clients using randomization, but it needs some smarts on your RADIUS server side of things. Look for the second-least-significant bit of the first octet of the MAC address to be a 1 (this is the locally administered address marker) and deny it if a client matches it; look for the least significant bit to be a 0 as well if you want to specifically target unicast.

Your problem, if you successfully create the policy, is that users would need to know how to turn off MAC randomization for the SSID(s) in order to be able to connect.
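As an added example (not code from the thread or from Meraki), here is the check WB describes in Python: parse a MAC address in the common notations, test the two low-order bits of the first octet, and derive the RADIUS accept/reject decision. The sample addresses and the decision strings are constructed for illustration.

```python
import re

# Constructed sample MAC addresses (not taken from the thread). The first
# octet's two low-order bits decide the classification:
#   bit 0 (LSB) = 1 -> group/multicast address
#   bit 1       = 1 -> locally administered (set on randomised/private MACs)
SAMPLE_MACS = {
    "00:1A:2B:3C:4D:5E": "globally unique unicast",
    "02:1A:2B:3C:4D:5E": "locally administered unicast",
    "DA-1A-2B-3C-4D-5E": "locally administered unicast",
    "0a1a.2b3c.4d5e":    "locally administered unicast",
    "01:00:5E:00:00:FB": "multicast",
}

def parse_mac(mac: str) -> bytes:
    """Accept colon, hyphen, Cisco dotted or bare hex forms; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)

def is_locally_administered(mac: str) -> bool:
    """True when the second-least-significant bit of the first octet is 1."""
    return bool(parse_mac(mac)[0] & 0x02)

def is_multicast(mac: str) -> bool:
    """True when the least-significant bit of the first octet is 1."""
    return bool(parse_mac(mac)[0] & 0x01)

def classify(mac: str) -> str:
    if is_multicast(mac):
        return "multicast"
    if is_locally_administered(mac):
        return "locally administered unicast"
    return "globally unique unicast"

def radius_decision(mac: str) -> str:
    """Policy from the post: reject locally administered unicast MACs."""
    if is_locally_administered(mac) and not is_multicast(mac):
        return "Access-Reject"
    return "Access-Accept"

if __name__ == "__main__":
    for mac, expected in SAMPLE_MACS.items():
        assert classify(mac) == expected
        print(f"{mac:20} {classify(mac):30} -> {radius_decision(mac)}")
```

Note that the bit test matches every locally administered address, not only iOS 14 private addresses, so any other device type that uses such addresses would be rejected by the same policy.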

GreenMan
Meraki Employee

If your Apple device is enrolled in Systems Manager, you can disable MAC randomization within any wireless profile you push, though possibly with the exception of a Sentry profile, currently. The device user can, of course, choose to turn off MAC randomization themselves: https://support.apple.com/en-us/HT211227

I suspect, once people are being required to log in far more often, by WiFi setups that can no longer readily spot them as being them, this might happen quite a lot.

DBMandrake
Here to help

MAC address randomisation (or "Private address" as iOS settings call it) on iOS 14 breaks Systems Manager sentry enrolment which we've relied on for the last 3 years. 😐

The sequence goes like this:

1) The user connects to the SSID, attempts to browse and is redirected to the enrolment page by the Sentry.

2) The user downloads and installs the MDM profile which registers the MAC address of the device in MDM.

3) Meraki whitelists the MAC address found in the MDM profile on the SSID to allow the user to access the internet.

4) The WiFi MAC address of the device does not match the MDM MAC address, so the user remains trapped in the Sentry, being redirected back to reinstall the profile again and again...

So far I haven't found any fix other than telling users to manually turn off the Private Address setting in their WiFi settings, which is a huge pain in the neck when you have hundreds of users and they're all under 18 so aren't good at following instructions...

While there is an MDM profile setting to disable Private address it looks like it can only be applied to WiFi networks which are deployed by profile. We don't use WiFi profile deployment for BYO devices - users have their own individual usernames and passwords to gain access to the SSID, and the Sentry then takes care of ensuring they enrol their device before they can have internet access. (Although that is also broken at the moment due to an unrelated issue)

Once again Apple adds a "user privacy" feature which breaks enterprise use of iOS devices without providing an enterprise mechanism to turn it off!

PaulF
Meraki Employee

I've pulled this together with regards to MAC randomisation and OS support for it: MAC address Randomisation and how to use Systems Manager to avoid

Whilst it's possible to turn this off on an SSID-by-SSID basis, it can be impactful in all sorts of other ways.

What appears to be lacking is the ability to turn this off device wide in iOS 14.

If you've got the ability, raise cases with Apple to ask for this feature.

Hi Paul,

Thanks for the reply. I watched your video as well, but as we don't push out WiFi protocols for BYO devices (users have their own username and password, authenticated via RADIUS) that doesn't help our situation. (Although I have enabled that in the WiFi profile we push to company owned and managed devices before they update to iOS 14.)

One small saving grace is that Systems Manager Sentry is not able to authorize a device with MAC randomisation enabled (since it can't correlate the WiFi and MDM MAC addresses) so a user can't get past the sentry until they manually disable MAC randomisation in their WiFi settings. Not very user friendly (they need to be informed out-of-band that they need to do this) but at least it prevents devices connecting and being able to use WiFi until this is done, and at that point all MAC based functionality will be working again.

I agree that there needs to be a device wide MDM setting for this for enterprises to disable this feature on their managed devices, although even then they would still initially connect with a randomised MAC address until they had enrolled and received the profile, at which point the device would presumably reconnect with the correct MAC address, leaving behind a "ghost" device in the WiFi device list.

A bit of a mess really, but this is typical of Apple introducing far-reaching changes to how fundamental technology works without providing a way for enterprises to manage it properly.
