New IOS 14 Privacy Feature Impacting NAC and MDM Implementations

Written by Scott Searcy on Sep 25, 2020 11:36:15 AM

On September 16, Apple introduced iOS 14, the latest version of the iOS operating system. This release includes a number of privacy and security enhancements. One of those enhancements is a feature that provides a private (think randomized) MAC address when connecting to Wi-Fi networks.

The concept behind the feature is described by Apple as follows:

To further protect your privacy, your iPhone, iPad, iPod touch, or Apple Watch can use a different MAC address with each Wi-Fi network.

To communicate with a Wi-Fi network, a device must identify itself to the network using a unique network address called a media access control (MAC) address. If the device always uses the same Wi-Fi MAC address across all networks, network operators and other network observers can more easily relate that address to the device's network activity and location over time. This allows a kind of user tracking or profiling, and it applies to all devices on all Wi-Fi networks.

To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.

(Source: https://support.apple.com/en-us/HT211227)

For public networks, this feature makes sense and indeed provides enhanced user privacy. But businesses and educational institutions are increasingly deploying NAC (network access control) and MDM (mobile device management) solutions in order to prevent access to unauthorized users. To do that, NAC and MDM solutions depend on successfully identifying user devices, and in many deployments that is done by using a device’s MAC address.

Because Apple chose to enable this option by default for all Wi-Fi networks, user devices previously authorized in NAC and MDM solutions are no longer recognized after being upgraded to IOS 14 and are consequently prevented access. In order to regain network access, users must disable the “private address” option for the Wi-Fi networks being protected by MDM and NAC solutions. Instructions for doing this can be found here: https://support.apple.com/en-us/HT211227

Scott Searcy

Scott is Technical Communications Coordinator at IntegraONE and is tasked with helping inform and educate our customers regarding technologies, products and support-related issues. Scott has been in the IT industry for longer than he would like to admit, having held both individual contributor and managements roles in software development, technical marketing, systems management, project management and service delivery.