If you are running the latest operating systems on your computers, phones, and tablets, you may have noticed changes to how your device connects to wireless networks. Apple has made headlines for its iOS 14 update, which enables randomized MAC addresses by default. While Apple's implementation is somewhat unique in that it does more to protect user privacy, this is not the first time the feature has been added to an operating system.
The mechanism to generate private MAC addresses hasn’t changed, making it possible for access points and network equipment to determine if the address that a device is probing with is real or fake. For a simple rule, any MAC address where the first octet ends with 2, 6, A, or E is a random MAC address. WatchGuard already uses this knowledge to determine if a client device is using its real MAC address or not and filters out these addresses in some analytics reports.
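The rule above can be applied directly to a lease or client table. The following is an added example (not WatchGuard's code): it checks the locally administered bit of the first octet, which is what the "ends with 2, 6, A, or E" rule tests, and classifies a few constructed DHCP-style entries.

```python
"""Classify MAC addresses as real (universally administered) or randomized.

Added example, not WatchGuard's code. A randomized private MAC sets the
locally administered bit (bit 1 of the first octet), which is why its
second hex digit is always 2, 6, A, or E.
"""
import re

# Constructed sample entries in a simple "ip mac hostname" format;
# these are not real leases.
SAMPLE_LEASES = """\
192.168.10.21 3c:22:fb:12:34:56 laptop-accounting
192.168.10.34 da:a1:19:00:11:22 iPhone
192.168.10.35 9e:4f:2c:77:88:99 Pixel
192.168.10.40 00:1a:2b:3c:4d:5e printer
"""

MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-][0-9a-f]{2}){5}$", re.I)


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set (randomized MAC)."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(m.group(1), 16)
    return bool(first_octet & 0x02)


def classify_leases(text: str) -> list[tuple[str, str, str, str]]:
    """Return (ip, mac, hostname, 'random'|'real') for each lease line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host = line.split(maxsplit=2)
        kind = "random" if is_locally_administered(mac) else "real"
        rows.append((ip, mac, host, kind))
    return rows


def count_random(text: str) -> int:
    """Number of lease entries whose MAC is locally administered."""
    return sum(1 for row in classify_leases(text) if row[3] == "random")


if __name__ == "__main__":
    for row in classify_leases(SAMPLE_LEASES):
        print(*row)
```

Note that virtual machines, container bridges, and bonded interfaces also use locally administered addresses, so this rule flags those as "random" too; treat it as a hint, not proof of a phone.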
In private and corporate networks, MAC address randomization is seen as a hindrance to policy enforcement and a nuisance on the network. This is especially true if the network relies on MAC address controls or DHCP reservations with specific policies tied to IP addresses or IP address ranges. Even in guest networks, MAC addresses and DHCP leases play a role in identifying devices that have or have not completed a captive portal login.
Companies like Apple, Google, and Microsoft, who are making the operating systems we use daily, have good reasons to include this privacy measure and I genuinely support them. For network administrators and marketing analysts it means that we must change the way that we do things. Policies can be user-bound instead of IP-bound. Marketing campaigns can provide incentives for guest users to provide data. One of the goals of better privacy controls, outlined in a video from the WWDC 2020 conference, is to better balance the personal information that users provide with the features that the service provides. This is a great way for organizations to build trust with their users.
To respond to these changes, we will have to teach our devices how to tell the difference between private home or work networks and public guest networks. On private networks it is fine to disable private MAC addresses, and corporations can use group policy to disable private MAC addresses on Domain and Private networks. By doing this, you can keep your DHCP reservation list and firewall policies based on IP addresses or address ranges.
For providers of public and guest Wi-Fi networks, these changes will impact the data that can be made available “for free” when devices do not connect to the guest Wi-Fi networks. It’s up to businesses to choose what incentives to provide when trying to collect personal information, but users want to have a better balance of the services provided when giving up this valuable data. This doesn’t mean that we can’t get aggregate information on the number of people who are on premises, but when tracking loyalty of a customer, using a name will be more efficient than trying to track by a rotating set of numbers.