MAC address privacy continues to improve across Apple’s product lineup, with the latest enhancement arriving in macOS Sequoia (15.x).
However, security appliances often use the MAC address as a unique identifier to map endpoints to the appropriate security policy. adam:ONE uses this mechanism too: every MAC address is registered on your dashboard the first time it is seen, and the subnet’s default policy is assigned to it.
When the same device returns with a new random MAC address, it is auto-enrolled in the dashboard under the new address without the old entry being removed. The result is device accumulation, and with it an unintended policy assignment: the new entry receives the subnet default rather than the policy the end user expects.
An earlier knowledge base article describes this in detail at https://adamnet.io/macrandom including how to mitigate it on older iOS versions.
In enterprise environments using 802.1X or another device-to-policy mapping, this is not a concern: network authentication maps the user to the correct policy regardless of MAC address.
Since the launch of macOS 15 and iOS 18, some terminology and features have changed and improved.
Change #1: The Random / Private Wi-Fi Address feature is now available on macOS.
Change #2: Private Wi-Fi Address now has three settings instead of two (on/off), configured per SSID:
- Rotating (changes about daily on the same Wi-Fi network)
- Fixed (keeps the same random MAC address for a given SSID indefinitely)
- Off (uses the real hardware MAC address)
Refer to Apple’s own “how this feature works” article here:
Which setting is best for you?
This question matters because both the Rotating and Fixed settings produce a random (locally administered) MAC address, so either one auto-generates the Random MAC tag on the dashboard, like this:
The easiest way to remember the optimum setting is this table:
Option | Devices on trusted networks | Public Wi-Fi / untrusted networks | Note |
---|---|---|---|
Rotating | No value - don’t use | Best option | Adds “Random MAC” tag on dashboard |
Fixed | Second best | Second best | Adds “Random MAC” tag on dashboard |
Off | Best option | Never use | Uses the real hardware MAC address |
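The dashboard tag works because Apple’s private addresses, like every software-generated MAC, set the IEEE locally administered bit (bit 1 of the first octet, mask 0x02), so their second hex digit is always 2, 6, A or E. The following is an added example, not adam:ONE code, that applies that check to a constructed dashboard export (hostnames, MACs and policy names are made up) and reports the accumulation and policy re-assignment problem described above: devices with more than one dashboard entry, and devices whose entries carry different policies.

```python
"""Flag random (private) MAC addresses in a dashboard export and spot accumulation.

Apple's private Wi-Fi addresses set the IEEE "locally administered" (U/L) bit,
bit 1 of the first octet (mask 0x02). Burned-in OUI addresses have it clear.
"""
import csv
import io
import re
from collections import defaultdict


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a MAC, accepting ':' or '-' separators."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. the address is not a burned-in hardware address."""
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    """'random' for a locally administered address (Rotating or Fixed), else 'hardware'."""
    return "random" if is_locally_administered(mac) else "hardware"


# Constructed sample export: names, MACs, dates and policies are made up for this example.
DASHBOARD_EXPORT = """\
name,mac,first_seen,policy
Alices-MacBook,3c:22:fb:12:34:56,2024-09-20,Staff
Alices-MacBook,a6:1b:2c:3d:4e:5f,2024-10-01,Default
Alices-MacBook,d2:8e:0f:11:22:33,2024-10-02,Default
Bobs-iPhone,f0:18:98:aa:bb:cc,2024-09-21,Staff
Conference-Printer,00:1e:8f:01:02:03,2024-09-01,Printers
"""


def load_export(text: str) -> list:
    """Parse a CSV export with name, mac, first_seen and policy columns."""
    return list(csv.DictReader(io.StringIO(text)))


def accumulation_report(rows) -> dict:
    """Group rows by device name: count hardware vs random entries and collect policies."""
    report = defaultdict(lambda: {"hardware": 0, "random": 0, "policies": set()})
    for row in rows:
        entry = report[row["name"]]
        entry[classify(row["mac"])] += 1
        entry["policies"].add(row["policy"])
    return dict(report)


def find_accumulated(report: dict) -> list:
    """Devices enrolled more than once: several random MACs, or a random MAC next to the hardware one."""
    return sorted(name for name, e in report.items()
                  if e["random"] > 1 or (e["random"] and e["hardware"]))


def find_policy_drift(report: dict) -> list:
    """Devices whose duplicate entries ended up under different policies."""
    return sorted(name for name, e in report.items() if len(e["policies"]) > 1)


if __name__ == "__main__":
    rep = accumulation_report(load_export(DASHBOARD_EXPORT))
    for name, e in rep.items():
        print(f"{name:20} hardware={e['hardware']} random={e['random']} "
              f"policies={sorted(e['policies'])}")
    print("accumulated:", find_accumulated(rep))    # ['Alices-MacBook']
    print("policy drift:", find_policy_drift(rep))  # ['Alices-MacBook']
```

The U/L bit tells you that an address is random; it cannot tell Rotating from Fixed. Only the history does: a Fixed address keeps reappearing under the same SSID, while a Rotating one produces a fresh dashboard entry each time it changes, which is exactly the accumulation the table above steers you away from on trusted networks.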
Turning off Private Wi-Fi on managed endpoints
Any MDM can provision iOS / macOS devices to set Private Wi-Fi Address to Off automatically. Here is a sample of the Apple Configurator setting for this feature:
The toggle is also easy to find in any Mobile Device Management product that supports iOS natively.
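What the MDM or Apple Configurator toggle actually delivers to the device is a Wi-Fi configuration profile. The following is an added example, not adam:ONE’s or Apple’s code, that builds such a profile with Python’s plistlib and audits an existing profile for the setting. It assumes that the Wi-Fi payload key which disables MAC randomization is DisableAssociationMACRandomization in the com.apple.wifi.managed payload (verify this against Apple’s current Device Management documentation before deploying), WPA2-PSK networks, and placeholder identifiers (com.example, Example Corp, CorpWiFi).

```python
"""Generate a .mobileconfig that sets Private Wi-Fi Address to Off per SSID,
and audit an existing profile for that setting.

Assumption (not taken from the article): the Wi-Fi payload key that disables
MAC randomization is DisableAssociationMACRandomization. Check the key name
against Apple's Device Management documentation before deploying.
"""
import plistlib
import uuid

ORG_ID = "com.example"  # placeholder reverse-DNS prefix for payload identifiers


def wifi_payload(ssid: str, password: str, disable_randomization: bool = True) -> dict:
    """One com.apple.wifi.managed payload for a WPA2-PSK network."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": password,
        # True = Private Wi-Fi Address Off on this SSID (assumed key, see docstring).
        "DisableAssociationMACRandomization": disable_randomization,
    }


def build_profile(networks: dict, display_name: str = "Wi-Fi (Private Wi-Fi Address off)") -> dict:
    """Top-level profile wrapping one Wi-Fi payload per entry of `networks` (ssid -> PSK)."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.wifi-no-random",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": "Example Corp",  # placeholder
        "PayloadScope": "System",
        "PayloadContent": [wifi_payload(ssid, psk) for ssid, psk in networks.items()],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize to the XML plist that Apple Configurator and MDM servers consume."""
    return plistlib.dumps(profile)


def randomization_status(mobileconfig: bytes) -> dict:
    """Audit a profile: for each Wi-Fi payload, is Private Wi-Fi Address forced Off?

    A payload that omits the key is reported as False: the device keeps its
    default (randomized) behaviour, which is the accumulation case.
    """
    profile = plistlib.loads(mobileconfig)
    status = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            status[payload["SSID_STR"]] = bool(
                payload.get("DisableAssociationMACRandomization", False))
    return status


if __name__ == "__main__":
    # Constructed sample: the SSID and passphrase are placeholders.
    data = to_mobileconfig(build_profile({"CorpWiFi": "replace-with-real-psk"}))
    with open("wifi-no-random.mobileconfig", "wb") as fh:
        fh.write(data)
    print(randomization_status(data))  # {'CorpWiFi': True}
```

Import the generated file into Apple Configurator or upload it to your MDM as a custom profile; the audit function is handy for confirming that profiles exported from an MDM really carry the setting for every trusted SSID, since a payload that simply omits the key leaves randomization on.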
Turning off Private Wi-Fi on unmanaged endpoints
For unmanaged iOS / macOS devices, it is as simple as selecting the Wi-Fi network, choosing Off, and acknowledging the prompt, as shown here:
Managed clients and Licensed Technology Partners can also contact support for further assistance.