iOS 14 Per-Network MAC Addresses

With per-network MAC addresses in iOS 14, will there be user-facing controls to turn this on or off on a network-by-network basis?

Some networks may use DHCP reservations or MAC Access Controls, for example, and need an unchanging MAC, while for other networks privacy may be the strongly preferred mode for the user.

Also, how are the MAC addresses generated? Is a server involved? MAC addresses will change daily for each device-network pairing and need to be unpredictable to network observers, but can't be the same as other devices' current set of MAC addresses.

Accepted Answer

The introduction to the feature is mentioned in the "Build trust through better privacy" video (https://developer.apple.com/videos/play/wwdc2020/10676/).

Key points:
  • Users are always in control - users can control enablement of the feature at any time for each network.

  • Addresses are generated randomly for every network

  • Addresses are not linked to your identity

  • Addresses are updated for all networks daily by the device, NO server is involved in address generation. Since addresses are generated randomly, it is very unlikely that two devices on the same network will generate the same address.

  • A new MAC will be used whenever a new address has been generated and the device re-joins the network

  • Users can see which MACs are generated for each network in the Wi-Fi scan list, even before joining the network

Networks that use MAC-based access inherently track devices. Privacy on tracking networks can be controlled using the temporary address so that participation with the tracking network is also temporary.


Answers


I have follow-up questions:
  • Does randomization follow the IEEE scheme (2nd from the last bit of the first octet as 1)?

  • Is randomization enabled by default?

  • Is daily randomization enabled by default?

As the official release is getting closer and we need to get our apps ready for this feature, can you support us with the questions below?
  • Will the private MAC address feature be turned on by default?

  • Is this feature currently available for testing on Beta 14 iOS?

  • Is the new MAC address format different from the current one?

Will the randomized MAC still use an OUI portion registered to Apple?

I just updated several iOS devices to iOS 14.

• Private Address is turned on by default, and I would expect them to change daily. If you use DHCP reservations or other router action based on MAC address, you'll need to turn Private Address off on relevant devices for relevant networks.

• MAC addresses are not local and do not appear to necessarily fall within any particular vendor's OUI ranges.

We may need Apple Staff to reply for an authoritative answer, but after more investigation, daily Private Addresses do seem to have the local bit set, but not necessarily in any of Apple's OUI ranges when de-localized.

When Private Address is on, Probe Requests seem to use the daily local random MAC address when connecting to a network and the target SSID is present in the request. When Private Address is off, Probe Requests seem to use the iOS 13 behavior of using frequently-changing local random MAC addresses.

The WWDC video mentioned that

"A new MAC address will also be generated for networks every 24 hours, and the new private address will be used when the user leaves and rejoins the network."

Is this still happening? I cannot find this information in the KB article here anymore:
https://support.apple.com/en-us/HT211227
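
The local-bit check, "de-localized" OUI and collision estimate discussed in this thread, as an added example for network administrators; it is not part of any post and not Apple's code. All function names and the sample lease table are hypothetical, and the 46-bit figure assumes every bit except the two flag bits of the first octet is random, which the thread does not confirm.

```python
import math
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")

def parse_mac(text):
    """Return the 6 address octets, accepting ':' or '-' separators."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", s))

def is_locally_administered(mac):
    """U/L bit: second-least-significant bit of the first octet."""
    return bool(mac[0] & 0x02)

def is_multicast(mac):
    """I/G bit: least-significant bit of the first octet."""
    return bool(mac[0] & 0x01)

def delocalized_oui(mac):
    """First three octets with the U/L bit cleared, as used for an OUI lookup."""
    return "%02x:%02x:%02x" % (mac[0] & 0xFD, mac[1], mac[2])

def collision_probability(devices, random_bits=46):
    """Birthday bound that any two of `devices` random addresses coincide.
    46 bits is an assumption: 48 minus the U/L and I/G flag bits."""
    space = 2 ** random_bits
    return -math.expm1(-devices * (devices - 1) / (2 * space))

def audit_leases(leases):
    """Hosts with a local unicast MAC; reservations or ACLs keyed on it may break."""
    flagged = []
    for host, mac_text in leases:
        mac = parse_mac(mac_text)
        if is_locally_administered(mac) and not is_multicast(mac):
            flagged.append(host)
    return flagged

# Constructed sample DHCP lease table (hostnames and addresses are made up).
SAMPLE_LEASES = [
    ("phone-a", "5A:3C:91:0E:77:21"),   # 0x5A = 0101 1010 -> local bit set
    ("printer", "00-11-22-33-44-55"),   # local bit clear
    ("tablet-b", "e6:12:ab:cd:ef:01"),  # 0xE6 = 1110 0110 -> local bit set
]

if __name__ == "__main__":
    print(audit_leases(SAMPLE_LEASES))
    print(delocalized_oui(parse_mac("5A:3C:91:0E:77:21")))
    print(collision_probability(10_000))
```

Hosts returned by `audit_leases` are the ones whose DHCP reservations or MAC access-control entries should be reviewed, since a private address on that network will not match the hardware address previously recorded.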