A tip for new iOS14/iPadOS14/MacOS 11/Watch OS 7 users.

[Stuey3D]

Hi all just a tip for you with regards to Apple’s latest device updates that may cause issues on certain router setups.

If you are like myself I have my Asus router OCD level setup, every device has a proper name and icon under the network map page, and they all have their priorities assigned under adaptive QOS.

These latest OS updates will cause these settings not to apply to your Apple devices unless you change one option. Under these new updates a new WiFi privacy option is enabled by default and that is “Private Address” what this does is generate a random MAC address whenever you connect to your wifi, which is what breaks any per device options you have set in the router as the Apple device will appear as something else each time it connects. Apple state this is to stop you from being tracked over different wifi networks which is a good thing in the long run, but probably not needed on your home network.

Luckily it is easy to disable and have the device present its proper MAC address to the router:

Go to Settings - Wifi - Your Network Name - Toggle private address to OFF

Your device will then quickly drop off and reconnect to your wifi, this time with the correct MAC address and therefore router settings. Apple will warn that this is a privacy issue so be aware of that.

Hope this helps.

 

[Robinbb]

Top Tip thanks!

 

[m0rF1uS]

Thank you!

 

[MarkyPancake]

Good to know.

 

[coxhaus]

I have no problem with my Cisco setup. Maybe you need to setup for class of service rather than track each individual. This may just be the tip of the iceberg for what is coming.

 

[Stuey3D]

I have no problem with my Cisco setup. Maybe you need to setup for class of service rather than track each individual. This may just be the tip of the iceberg for what is coming.

I have QOS setup for class of service with just a handful of devices given higher priority on a device basis, for me the big one it breaks is my nice neat naming scheme I have in my routers “Network Map” page. Quite often the devices don’t share their proper names to the router or they end up truncated so look broken and the list ends up all messy, I have manually named and given each of the 30+ devices that connect to my network their own names and icons, this however is tied to the MAC address so if the Apple devices are using random ones then it breaks my nice neat setup.

 

[quadra2030]

Found it in Apple developer documentation..

Users are always in control - users can control enablement of the feature at any time for each network.
Addresses are generated randomly for every network
Addresses are not linked to your identity
Addresses are updated for all networks daily by the device, NO server is involved in address generation. Since addresses are generated randomly, it is very unlikely that two devices on the same network will generate the same address.
A new MAC will be used whenever a new address has been generated and the device re-joins the network
Users can see which MACs are generated for each network in the Wi-Fi scan list, even before joining the network

And from testing..

When Private Address is on, Probe Requests seem to use the daily local random MAC address when connecting to a network and the target SSID is present in the request. When Private Address is off, Probe Requests seem to use the iOS 13 behavior of using frequently-changing local random MAC addresses.
MAC addresses are not local and do not appear to necessarily fall within any particular vendors' OUI ranges.

 

[coxhaus]

I am watching my IP binding table for DHCP and I am not seeing a lot of new IPs being generated for all of our iPhones and iPads. It has not been long since IOS14 came out so it could be me but I have my leases set to never expire and I don't see a big increase of IPs. And we have at least 5 IOS14 devices.

PS
We have at least 5 IOS14 devices and 3 Apple watches. A few more older iPads.

 

[Stuey3D]

On my devices I disabled it on my home network, but prior to disabling my router was generating random IP’s for them.

 

[Stuey3D]

Right now I have multiple duplicate IP entries on the DHCP leases page for the Apple Watch as I’ve just been setting up mine and the wife’s new Series 6’s, some IP’s generated for the “Private Addresses” and now they have IP’s for their correct MAC Addresses.

 

[JagoUK]

Indeed. Had issues with this the other day at work as we use MAC authentication for mobile devices. Devices upgrading to iOS 14 then not connecting to WiFi.
We are looking at MDM to push a rule to disable this "feature" Apple kindly thrust upon us (Not the first time).

Only issue is a lot of our devices are limited to WiFi only. So if they update first we have thousands of devices we will have to manually put back on WiFi ‍

 

[coxhaus]

Seems like MAC authentication is not very safe as someone can just change their MAC and be on your network. Most people use Radius. Some of the latest wireless APs tie into active directory for Windows shops.

 

[JagoUK]

Seems like MAC authentication is not very safe as someone can just change their MAC and be on your network. Most people use Radius. Some of the latest wireless APs tie into active directory for Windows shops.

If that was directed at me then 1. They would need to copy a trusted MAC. 2. They would need to know the password.

Both feasible if someone really wanted to put the effort in. But you can say that about anything.

Yes I'd rather we used certificates, but 1. Not all devices support them. 2. And more importantly, I'm not in charge of that.

 

[coxhaus]

I just read that IOS14 does not change MACs on the same SSID. I have 2 SSIDs house wide and 1 of them is guest so maybe that is why I am not seeing a lot of IPs being generated in my IP binding table.

 

[ScyldScefing]

Per Apple:

Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7

To further protect your privacy, your iPhone, iPad, iPod touch, or Apple Watch can use a different MAC address with each Wi-Fi network....

To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.

I'm finding that the MAC address remains the same on the same Wi-Fi network after renewing the lease. I am not seeing that renewing the lease generates a new, different, random MAC address when connecting to the same Wi-Fi.

But, turning the iOS' device's Wi-Fi off and back on did generate a different MAC address, the first time. Doing that again after a short interval, a minute or two, produced that same MAC address. I'll see what happens after longer intervals. Does that different MAC address remain static for that Wi-Fi network indefinitely, as Apple's quote above indicates?

 

[sfx2000]

Indeed. Had issues with this the other day at work as we use MAC authentication for mobile devices. Devices upgrading to iOS 14 then not connecting to WiFi.

Don't use MAC addresses to authenticate mobile devices - rather use profiles, for example, generated by Apple Configurator (it's free, BTW) for Apple iOS related devices.

(secret tip - Apple Configurator can also work with Apple TV's for WPAx-Enterprise authentication...)

 

[sfx2000]

I just read that IOS14 does not change MACs on the same SSID. I have 2 SSIDs house wide and 1 of them is guest so maybe that is why I am not seeing a lot of IPs being generated in my IP binding table.

How I read it, seems to ring true there...