rbartholomeu
Contributor

Randomized MAC android

Customer started rolling out Android devices in many sites and, as they are running version 10 or above, a randomized MAC address is used by default. Customer also uses AirWatch to control device enrollment/registration, and this started to cause issues, as the updates the AAA server (Aruba ClearPass) gets from AirWatch (through APIs) are based off of the device's MAC and not the randomized one.

There is no such thing in Airwatch to disable this setting on an Android device and we are looking for a workaround.

Accepted Solution

RogerDeane
VMware Employee

There's nothing we can do from a Workspace ONE UEM standpoint. Google has decided to not allow access to the actual WiFi MAC address for any mode other than Work Managed. I have personally met with Google in Mountain View about this issue and they are very firm on their stance. We have been working with Cisco and other NAC providers to try and find a way to solve this problem, but at this point we don't have a solution. The NAC knows the actual MAC from the WiFi networking hardware and not much else. We know most everything else about the device except the actual MAC, so there isn't anything in common.

If anyone else in the community has any other feedback or a solution I would love to hear it.

Roger

8 Replies
RogerDeane
VMware Employee

This has been an issue for a while. Workspace ONE UEM (AirWatch) can get the correct MAC for a fully managed device (Work Managed), but for all other modes we can only get the randomized MAC. This is a restriction created by Google. I've heard that there are ways around this, but I'm not aware of how they work. We are always working with Cisco ISE and Aruba ClearPass to try and make the integration as good as possible. Below is a link to a blog post that you may find helpful; I'm certainly going to read through it.

Android Q for Enterprise: Wi-Fi MAC Randomization – Arsen Bandurian: Technical Blog

Hope that helps!

Roger

rbartholomeu
Contributor

Thank you,

That means a feature request has to be raised.

RioTim
Contributor

Hi Roger, All,

Further to this thread, I have a customer with Work Managed Android 10 tablets enrolled, being pushed an EAP-TLS WiFi profile, root and device cert. Had to populate the Anonymous Identity with a value to get the client to present its cert (unsure if this is expected behaviour).

Workspace ONE has the real MAC of the device, though when the client connects to the managed SSID, the random MAC is used.

Is it possible to force the client to use its real MAC via the WS1 profile applied to the device?

They use ClearPass RADIUS, and have the legacy API integration, as well as the newer extension integration for real-time posture updates. When the client uses the random MAC, ClearPass can't reference Endpoint attributes for the authentication, as the random MAC doesn't match the data pushed from WS1 (for the real MAC).

WorkSpace ONE runs v2008, though they are upgrading to 2011 this week, in case that has additional capability in this regard.

Appreciate any light you might be able to shed on this for us.

Tim

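The mismatch Tim describes (ClearPass sees a randomized MAC in the RADIUS request, Workspace ONE pushed the hardware MAC) can be surfaced from the NAC side. The following is an added, constructed example, not code from the thread, VMware, or Aruba: it parses sample RADIUS lines, uses the locally administered bit that Android sets on randomized MACs, and reports which clients cannot be reconciled with the MDM records. The log format, attribute name and device records are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample: hardware MACs as Workspace ONE would push them to the NAC.
MDM_DEVICES: Dict[str, Dict[str, object]] = {
    "F4:F5:D8:11:22:33": {"user": "alice", "compliant": True},
    "A0:B1:C2:44:55:66": {"user": "bob", "compliant": False},
}

# Constructed sample RADIUS lines. Calling-Station-Id carries the client MAC.
# alice used her real MAC; bob and carol present Android randomized MACs;
# dave's MAC is globally administered but unknown to the MDM.
RADIUS_LOG = """\
Calling-Station-Id=F4-F5-D8-11-22-33 User-Name=alice
Calling-Station-Id=DA-A1-19-7B-20-01 User-Name=bob
Calling-Station-Id=0A-11-22-33-44-55 User-Name=carol
Calling-Station-Id=3C-5A-B4-77-88-99 User-Name=dave
"""


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-...', or 'aabb.ccdd.eeff'; return upper colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac: str) -> bool:
    """Android randomized MACs set the locally administered bit (0x02) of the first octet."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def reconcile(log: str, mdm: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Bucket each RADIUS client MAC: matches MDM, randomized (so it can never
    match the pushed hardware MAC), or globally administered but unknown."""
    result: Dict[str, List[str]] = {"matched": [], "randomized_unmatched": [], "unknown": []}
    for line in log.splitlines():
        m = re.search(r"Calling-Station-Id=(\S+)", line)
        if not m:
            continue  # skip lines without a client MAC
        mac = normalize_mac(m.group(1))
        if mac in mdm:
            result["matched"].append(mac)
        elif is_locally_administered(mac):
            result["randomized_unmatched"].append(mac)
        else:
            result["unknown"].append(mac)
    return result
```

Devices in the `randomized_unmatched` bucket are the ones where endpoint attributes from the MDM integration will silently fail to apply, which is the symptom described in this thread.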
EdK2020
Contributor

Hey all - 

Samsung has an OEMConfig tool called Knox Service Plugin that can help you force the actual device MAC address for specific SSIDs.

https://play.google.com/work/apps/details?id=com.samsung.android.knox.kpu

Under the app config section you need to do the following:

1. Under DO policies - enable the top setting of Device Policy Controls

2. In that same DO section Device Policy -> Wi-Fi Policy -> ENABLE Allow to configure Wi-Fi (Configure details below)

3. Back out of that section of the app config and scroll down to Wi-Fi Configurations

4. Configure here and add your SSID along with passcode and enable the skip randomization

CharlesTchia
Contributor

Hi

So with a COPE setup, even if we go into network settings and select "Use device MAC", it still doesn't use the actual MAC?

EdK2020
Contributor

I've seen this work in COPE.

If you manually select to use the device MAC, it will use the device MAC.

yeqi
VMware Employee

It seems like there is some workaround for the Intune and Aruba ClearPass integration. Do we have any update about this?

https://community.arubanetworks.com/community-home/digestviewer/viewthread?MessageKey=21e0a0ce-de42-...
