How to handle randomized MAC addresses on Android 9+ and iOS 14+

Previous versions of Android and iOS already used randomized MAC addresses prior to joining a WiFi network. This proved to be a great privacy addition, as it prevented the passive MAC address “following” that was possible just because the WiFi radio was on.

Modern Android and iOS take MAC address randomization one step further by generating MAC addresses even when connected, never revealing the real MAC address. This new setting is now the default, which is a positive move for when you join someone else’s hotspot.

However, in your own network, there’s no advantage to a privatized MAC address whatsoever, assuming you (or people you trust) manage your network.

adam:ONE uses MAC addresses as unique identifiers so the dashboard administrator can assign policies based on the MAC address. Note that little “home network” privacy is gained because the NAME of the device is still visible on your own network in any case.

On a per-network basis, you can turn off MAC address randomization. On iOS, navigate to Settings -> WiFi -> Click on the (i) beside your connected WiFi and disable the Private Address like this:

On Android, choose your WiFi Network -> Advanced -> Privacy and choose Use device MAC like this:

Note that you only need to do this for the SSIDs that utilize adam:ONE for security, not for any other WiFi network.

References:

iOS feature: https://support.apple.com/en-us/HT211227
Android feature: https://source.android.com/devices/tech/connect/wifi-mac-randomization

Users that don’t like filtering or just passive users won’t have any incentive to do this. It’ll have to be a one policy fits all approach.

Our recommended default policy is a kind of Holding Tank. This is the case with every managed deployment, in any case.

If you deploy the same approach, users will be incentivized.

Any “stranger” that comes onto your network needs to be treated as such. As per @David's suggestion they need to be in the HoldingTank (essentially a modified No-Internet policy). If your device presents itself as a stranger it will not be allowed to go anywhere. So regardless if the user “likes filtering” or not, they will have to allow their device to present itself as a Known entity to get access in or out of the protected network (meaning: not with a randomized address).

Getting Internet access is a pretty good incentive. 🙂
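The following is an added example, not part of the original thread and not adam:ONE code. It sketches how an administrator could triage a lease list so that unknown devices land in the HoldingTank and likely private addresses are flagged for follow-up. It relies on the fact that Android and iOS randomized addresses are locally administered unicast addresses; the lease data, the `Family` policy name and the function names are constructed for illustration.

```python
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")

def normalize_mac(mac):
    """Return the lowercase, colon-separated form; reject malformed input."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m.replace("-", ":")

def looks_randomized(mac):
    """Heuristic: locally administered bit (0x02) set, multicast bit (0x01) clear.

    Virtual machines and some adapters also use locally administered
    addresses, so treat a hit as a hint, not proof.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return (first_octet & 0x03) == 0x02

def triage(leases, known):
    """Assign a policy to every (mac, hostname) lease.

    known maps MAC -> policy name chosen by the administrator.
    Anything else is a "stranger" and goes to the HoldingTank.
    """
    known = {normalize_mac(k): v for k, v in known.items()}
    results = []
    for mac, hostname in leases:
        mac = normalize_mac(mac)
        policy = known.get(mac, "HoldingTank")
        results.append({
            "mac": mac,
            "hostname": hostname,  # still visible on the local network
            "policy": policy,
            # Flag strangers whose address looks like a private address
            "randomized": policy == "HoldingTank" and looks_randomized(mac),
        })
    return results

# Constructed sample data (not real devices)
KNOWN = {"3C:22:FB:10:20:30": "Family"}
LEASES = [
    ("3c:22:fb:10:20:30", "kitchen-tablet"),
    ("DA:A1:19:00:11:22", "Pixel-7"),
    ("a4-83-e7-aa-bb-cc", "guest-laptop"),
]

if __name__ == "__main__":
    for row in triage(LEASES, KNOWN):
        print(row)
```

A flagged entry pairs the hostname with the HoldingTank decision, which tells the administrator whose device needs the per-SSID setting changed.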