MAC Address Randomization: How it works and What IT needs to know
Katelyn Russell
What is MAC Address Randomization and How does it work?
Apple platforms use a randomized media access control address (MAC address) when performing Wi-Fi scans when not associated with a Wi-Fi network. These scans can be performed to find and connect to a known Wi-Fi network or to assist Location Services for apps that use geofences, such as location-based reminders or fixing a location in Apple Maps. Note that Wi-Fi scans that happen while trying to connect to a preferred Wi-Fi network aren’t randomized. Wi-Fi MAC address randomization support is available on iPhone 5 or later.
Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn’t associated with a Wi-Fi network or its processor is asleep. ePNO scans are run when a device uses Location Services for apps that use geofences, such as location-based reminders that determine whether the device is near a specific location.
Because a device’s MAC address changes when disconnected from a Wi-Fi network, it can’t be used to persistently track a device by passive observers of Wi-Fi traffic, even when the device is connected to a cellular network. Apple has informed Wi-Fi manufacturers that iOS and iPadOS Wi-Fi scans use a randomized MAC address and that neither Apple nor manufacturers can predict these randomized MAC addresses.
iOS 14, iPadOS 14, and watchOS 7 introduce a new Wi-Fi privacy feature: when an iPhone, iPad, iPod touch, or Apple Watch connects to a Wi-Fi network, it identifies itself with a unique (random) MAC address per network. This feature can be disabled either by the user or by using a new option in the Wi-Fi payload. This feature does not apply to devices using tvOS (Apple TV, etc.). Under certain circumstances, the device will fall back to the actual MAC address.
What IT needs to know
To ensure security and enable proper access control for all University-owned Apple devices on the University of Texas campus, the Wi-Fi Privacy feature is disabled for the following Wi-Fi networks:
- UTexas
- UTexas-IOT
Implementation
This is accomplished with a configuration profile, assigned to each Apple device through our Endpoint Management System (Jamf), that turns the Wi-Fi Privacy feature off while the device is connected to these networks.
EPM is available to help IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization.
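One way to check that a profile actually turns the feature off for both networks is sketched below. This is an added example, not the University's profile or Jamf's own code. It assumes an unsigned XML .mobileconfig and uses Apple's Wi-Fi payload key DisableAssociationMACRandomization; the sample profile and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not the University's actual profile): the second
# Wi-Fi payload deliberately omits the key so the audit has something to flag.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>UTexas</string>
      <key>DisableAssociationMACRandomization</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>UTexas-IOT</string>
    </dict>
  </array>
</dict>
</plist>"""

# SSIDs the page lists as having the Wi-Fi Privacy feature disabled.
REQUIRED_SSIDS = {"UTexas", "UTexas-IOT"}

def audit_profile(profile_bytes, required=REQUIRED_SSIDS):
    """Return {ssid: 'disabled' | 'randomized' | 'missing'} for each required SSID."""
    profile = plistlib.loads(profile_bytes)
    status = {ssid: "missing" for ssid in required}  # no Wi-Fi payload seen yet
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue  # only Wi-Fi payloads carry the setting
        ssid = payload.get("SSID_STR")
        if ssid in status:
            # An absent key means the device keeps using a per-network random MAC.
            off = payload.get("DisableAssociationMACRandomization", False) is True
            status[ssid] = "disabled" if off else "randomized"
    return status

def noncompliant(profile_bytes):
    """SSIDs where the device would still present a randomized MAC address."""
    return sorted(s for s, st in audit_profile(profile_bytes).items() if st != "disabled")

if __name__ == "__main__":
    for ssid, st in sorted(audit_profile(SAMPLE_PROFILE).items()):
        print(f"{ssid}: {st}")
```

A signed profile is CMS-wrapped and has to be unwrapped before plistlib can parse it.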