mstenseth
Contributor

iOS disable MAC-address randomization

Running on cloud environment version 20.8.0.3 (2008).

When is functionality for disabling MAC-address randomization being released?

22 Replies
KevinKrumm
Enthusiast

I'm in the same boat also - Right now we are delaying iOS updates until there is a setting.

0 Kudos
chengtmskcc
Expert

How does this setting affect iOS update?

0 Kudos
sturmanc
Enthusiast

Getting Ready for Apple Fall 2020 Releases (79996)

https://kb.vmware.com/s/article/79996?lang=en_US

https://github.com/vmware-samples/euc-samples/blob/master/iOS-Samples/Fall-2020/iOS14-WiFi.md

iOS 14 WiFi

This payload includes:

• Disable MAC address randomization

Paste the entire XML snippet (<dict>...</dict>) into the Custom XML payload in Workspace ONE UEM.

<dict>
  <key>PayloadDescription</key>
  <string>Configures wireless connectivity settings.</string>
  <key>PayloadDisplayName</key>
  <string>WiFi (Example Wi-Fi)</string>
  <key>PayloadIdentifier</key>
  <string>195c2047-813f-423e-b8c6-56a47a721b6e.Wi-Fi</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadType</key>
  <string>com.apple.wifi.managed</string>
  <key>PayloadUUID</key>
  <string>36297c23-1c2f-43e9-8863-bea2c33ca318</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>ProxyType</key>
  <string>None</string>
  <key>SSID_STR</key>
  <string>Example Wi-Fi</string>
  <key>DisableAssociationMACRandomization</key>
  <true/>
</dict>

chengtmskcc
Expert

Thanks for sharing.

I'm still unclear how this MAC-address randomization setting affects iOS updates. Can anyone help clarify?

0 Kudos
KevinKrumm
Enthusiast

It doesn't affect iOS updates; it affects devices that need to connect to a network that uses MAC addresses to auth, like a NAC.

SHMike
Contributor

So to use this XML do you have to modify any of the lines at all for your wifi profile? Do you just put it in the custom settings of the wifi profile or someplace else?

0 Kudos
chengtmskcc
Expert

You can copy the XML as is without any modification.

While you can add this to the existing WiFi profile, I would suggest pushing this setting via a separate profile for easier management and troubleshooting in the future.

0 Kudos
SHMike
Contributor

Have you been successful at getting it to work? I've tried pushing it once to some test devices. But the users of those devices said the setting was still on.

0 Kudos
KevinKrumm
Enthusiast

You do have to edit it where it says example wifi ... I believe

0 Kudos
KevinKrumm
Enthusiast

With my testing it works, it turns off the setting but doesn't disable it - meaning the user could still toggle it back on.

0 Kudos
SHMike
Contributor

I was able to get it to work off my personal home wifi. But I'm having problems getting it to work off our corporate wifi, which uses certificate-based authentication. I had to set the PayloadDisplayName to the name of the profile pushing the wifi package and the SSID_STR to the display name of the wifi to get it to work on my home wifi with a separate profile package. Now we are trying to get it to work with the corporate wifi package but haven't had any success yet.

0 Kudos
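A pre-upload check for the Custom XML discussed above, added here as an example (not code from VMware, Apple, or any poster in this thread): it parses the `<dict>` fragment and flags the sample SSID left in place, a payload type other than `com.apple.wifi.managed`, or a `DisableAssociationMACRandomization` value that is not a plist boolean true. The function names and the `Corp-WiFi` SSID are assumptions made for the illustration.

```python
import plistlib

SAMPLE_SSID = "Example Wi-Fi"  # SSID in the sample payload on this page

def load_payload(xml_text):
    """Parse a Custom XML fragment (<dict>...</dict>) or a full plist."""
    data = xml_text.strip().encode("utf-8")
    if data.startswith(b"<dict"):
        # plistlib only auto-detects XML that starts with <?xml or <plist.
        data = b'<plist version="1.0">' + data + b"</plist>"
    return plistlib.loads(data)

def check_wifi_payload(xml_text, expected_ssid):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        payload = load_payload(xml_text)
    except Exception as exc:  # malformed XML or not a plist
        return [f"not parseable as a plist: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level element is not a <dict>"]
    findings = []
    if payload.get("PayloadType") != "com.apple.wifi.managed":
        findings.append("PayloadType is not com.apple.wifi.managed")
    ssid = payload.get("SSID_STR")
    if ssid == SAMPLE_SSID and expected_ssid != SAMPLE_SSID:
        findings.append("SSID_STR still holds the sample value")
    elif ssid != expected_ssid:
        findings.append(f"SSID_STR {ssid!r} does not match {expected_ssid!r}")
    flag = payload.get("DisableAssociationMACRandomization")
    if flag is not True:  # a <string>true</string> is not a plist boolean
        findings.append(f"DisableAssociationMACRandomization is not <true/> (got {flag!r})")
    return findings

# Constructed samples: the page's payload cut down to the keys checked here.
SAMPLE = """<dict>
  <key>PayloadType</key>
  <string>com.apple.wifi.managed</string>
  <key>SSID_STR</key>
  <string>Example Wi-Fi</string>
  <key>DisableAssociationMACRandomization</key>
  <true/>
</dict>"""
EDITED = SAMPLE.replace("Example Wi-Fi", "Corp-WiFi")  # hypothetical SSID
WRONG_TYPE = EDITED.replace("<true/>", "<string>true</string>")

if __name__ == "__main__":
    for name, xml in [("sample", SAMPLE), ("edited", EDITED), ("wrong type", WRONG_TYPE)]:
        print(name, check_wifi_payload(xml, "Corp-WiFi") or "ok")
```

This checks the profile text only; whether the device keeps the setting off after install is outside what it can see.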
JohnCharette
Contributor

Looks like the most recent patch allows disabling of it:

20.8.0.7 Patch Resolved Issues

  • AAPP-10836: HTTP proxy support for APNs.
  • AAPP-10934: iOS devices are checking in continuously while checking for available OS Updates.
  • AAPP-10946: Prevent MAC address randomization for Apple device Wi-Fi.
chengtmskcc
Expert

Thank you all. Like others have said, we were able to turn off but not keep it disabled with the custom XML file (we are SaaS 20.05).

If the patch in 20.8 will keep this setting disabled, then it's a good excuse for us to either upgrade or request the same patch be backported to our current version.

0 Kudos
CharlesTchia
Contributor

Well... we just got some bad news today about the hotfix. They've informed us that this hotfix won't be available for 20.07 and we need to upgrade to 20.8. Considering we've only just upgraded last month to 20.07, and that support for this runs till January 2022, I don't understand why the hotfix can't be made available to an existing supported product.

0 Kudos
chengtmskcc
Expert

Here's a response from VMware support:

"I have tested the MAC-Access Randomization profile using custom XML. Yes, the behaviour is the same as you mentioned i.e it disables the private IP but doesn't grey it out.

On testing the same feature on console 2008 to 2011 with the built-in option in the wifi payload the result is the same as above, the private IP is disabled with the profile but the user can turn it ON if they want."

So I guess that means there's no fix in sight unless anyone else heard differently?

sturmanc
Enthusiast

Apple included this in iOS 14.2 BETA 4 where the MDM profile will be disabled.  We have tested the custom XML with iOS 14.2 BETA 4 to confirm.

chengtmskcc
Expert

That's great news!

Although I don't see any reference to this in the release note.

https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-14_2-beta-release-note...

0 Kudos
HimanshuMishra
Enthusiast

Hello All,

Is anyone experiencing issues with auto-joining the network after the private address is disabled via the XML payload? Our corporate network profile uses certificate-based authentication. After the private address is disabled, I could not rejoin the network. I get a prompt to enter my credentials and received the notification to trust the new certificate. Further attempts to join result in "Unable to join the network". I had to repush the network profile to restore the network connectivity.

Thanks!

0 Kudos
BenCrawford
Contributor

We are having similar issues which I am having trouble nailing down. We don't have CBA on the network but do use whitelisting. Randomly the wifi network just disappears. This is happening on a number of devices but not all at the same time. Since we only push the one profile to the devices we have to use Configurator to push a temp profile to the devices. Sometimes the network shows up; other times we have to remove the profile and reinstall it for it to show up. This all happens while the profile is visible in the iOS settings. So the profile isn't removing itself to make this happen. This has become a total thorn since the last couple of iOS 14 versions. Problem seems to come with randomization allowed or disallowed on the network. We have 10ish devices in each of 6 clusters in the building. This seems to present on certain devices here and there but we seem to be getting reports in each day now. So I am thinking as devices update the problem is spreading. Wifi is working on ~50 or so devices while this occurs so I don't believe that is the problem. Thinking Apple or the MDM or both have something really borked in these recent implementations.

0 Kudos