MAC address Randomisation and how to use Systems Manager to avoid

PaulF
Meraki Employee


Whilst MAC address Randomisation has been with us since Android 10, it was turned on by default when joining networks with iOS 14. This has had an impact on companies that use MAC address auth, or features like Meraki Sentry (which uses Systems Manager).

 

So, firstly, you can use Systems Manager to manage this with iOS:


https://youtu.be/Bj9Gg7h50Gk

 

But I also wanted to put some background with regards to the OS support for MAC randomisation:

 

Windows:


Can be turned ON for Windows. It’s either included, or not included, depending on the version of Windows, and depends on the Wi-Fi network card vendor.


It can be done by network, or system wide


https://support.microsoft.com/en-us/help/4027925/windows-how-and-why-to-use-random-hardware-addresse...


https://support.microsoft.com/en-us/help/4578384/why-use-random-hardware-addresses


Android:

 

From Android 8.0, Android devices use randomised MAC addresses when probing for new networks while not currently associated with a network. In Android 9, you can enable a developer option (it's disabled by default) to cause the device to use a randomized MAC address when connecting to a Wi-Fi network.

 

In Android 10, MAC randomization is enabled by default for client mode, SoftAp, and Wi-Fi Direct.

 

https://source.android.com/devices/tech/connect/wifi-mac-randomization


iOS / WatchOS / iPadOS

 

Apple added MAC address randomization to its devices starting from iOS 8. In iOS 8, randomized addresses are only used while unassociated and in sleep mode. iOS 9 was extended to also use randomization in what Apple calls location and auto-join scans.


Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7: https://support.apple.com/en-gb/HT211227


macOS:

 

macOS does not appear, at this time, to use randomisation for MAC addresses.

 

Background:
http://papers.mathyvanhoef.com/asiaccs2016.pdf
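
Added example, not part of the original post and not Meraki or Systems Manager code: one way to audit a MAC-auth allowlist for entries that will stop matching once clients randomise. It assumes that the private/randomised addresses used by iOS 14, Android 10 and Windows are unicast addresses with the locally administered bit set in the first octet; a set bit can also come from a manually configured or virtual adapter, so treat a hit as "likely randomised". The function names and the sample entries are constructed for illustration.

```python
import re

def normalise_mac(raw):
    """Return 12 lowercase hex digits; accepts ':', '-' and dotted (aabb.ccdd.eeff) forms."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def classify_mac(raw):
    """Classify a MAC by the two low-order bits of its first octet."""
    first_octet = int(normalise_mac(raw)[:2], 16)
    if first_octet & 0x01:          # I/G bit: group address, never a valid client source
        return "multicast"
    if first_octet & 0x02:          # U/L bit: locally administered, likely randomised
        return "locally-administered"
    return "vendor-assigned"        # burned-in address, stable across networks

def audit_allowlist(entries):
    """Group (device_name, mac) pairs by how reliable the MAC is as an identifier."""
    report = {"vendor-assigned": [], "locally-administered": [], "invalid": []}
    for name, mac in entries:
        try:
            kind = classify_mac(mac)
        except ValueError:
            kind = "invalid"
        # A multicast address in a client allowlist is a data-entry error.
        report["invalid" if kind == "multicast" else kind].append(name)
    return report

# Constructed sample allowlist (not real devices).
SAMPLE_ALLOWLIST = [
    ("reception-ipad", "DA:A1:19:00:11:22"),
    ("warehouse-scanner", "0011.2233.4455"),
    ("byod-android", "f2-0e-9b-aa-bb-cc"),
    ("lab-laptop", "a4:83:e7:01:02:03"),
    ("typo-entry", "01:00:5e:00:00:fb"),
    ("bad-row", "not-a-mac"),
]

if __name__ == "__main__":
    for kind, names in audit_allowlist(SAMPLE_ALLOWLIST).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Entries reported as locally-administered are the ones to move to a stable identity (for example by managing the setting through Systems Manager, as described above) before relying on them for MAC auth.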

 

2 Replies
GIdenJoe
Kind of a big deal

Does it have a severe impact on networks using MAB like an ISE guest portal?
For example, could this cause you to have to re-click on the guest portal for access every time your device wakes up, and leave a huge footprint on the RADIUS server?

ConnorL
Meraki Employee

Awesome article @PaulF!

 

It looks like this will be coming to the public release of macOS Big Sur. At least from what I could tell during the WWDC 20 videos. My iMac running build 20A5364e doesn't have this option yet, however.
