Accommodating Private Wi-Fi Addresses on your School Network

By: James Garringer, Consulting Engineer

Apple Private Wi-Fi Address protects user privacy by changing the Media Access Control (MAC) address used when connecting to Wi-Fi networks. While other major desktop and mobile operating systems may incorporate some variation of this concept, our rigorous approach to safeguarding users means that Apple devices enable Private Wi-Fi Address by default. This occasionally leads to questions from organizational IT teams about how to best accommodate Apple devices on-network, particularly where the MAC address is used for device authentication. To make sure you have a smooth and secure networking experience with all Apple devices, we asked one of our resident Wi-Fi experts to share the technical details and best practices around this important feature. 

How it works

When Private Wi-Fi Address is enabled, the universal MAC address associated with a Mac, iPhone, iPad, Apple Vision Pro, or Apple Watch is no longer presented as a static identifier. Instead, the device generates a unique MAC address for each Wi-Fi network it connects to and uses that address for the life of the connection. Each subsequent connection to the same network reuses the same unique address.

Administrators can recognize Private Wi-Fi Address-enabled devices connected to a wireless network as having MAC addresses whose second hexadecimal character is a 2, 6, a, or e. With the prevalence of randomized MAC addresses, it isn’t recommended to rely only upon the Organizationally Unique Identifier (OUI), the 24-bit prefix of the MAC address. Depending on your network configuration, it is sometimes necessary to update Wi-Fi network settings or to disable Private Wi-Fi Address on your managed Apple devices to maintain network connectivity.
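As an added example (not Apple's code, and not part of the original article), the script below applies the rule just described to a DHCP lease file: it reads every MAC address, tests the locally-administered bit of the first octet (which is what makes the second hex character a 2, 6, a or e), and refuses to treat the 24-bit prefix as an OUI when that bit is set. The lease lines and addresses are constructed sample data.

```python
"""Spot Private Wi-Fi Addresses in a DHCP lease file.

Added example (not Apple's code). The lease lines below are constructed.
The rule applied is the one the article states: when the U/L bit (bit 1 of
the first octet) is set, the second hex character is 2, 6, a or e and the
24-bit prefix is not a vendor OUI."""
import re

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)

# Constructed sample: one universal (burned-in) address, three private ones.
SAMPLE_LEASES = """\
lease 10.20.1.14 { hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "lab-printer"; }
lease 10.20.1.15 { hardware ethernet 6a:9e:41:aa:bb:cc; client-hostname "iPad"; }
lease 10.20.1.16 { hardware ethernet 02:1b:c0:de:ad:01; client-hostname "iPhone"; }
lease 10.20.1.17 { hardware ethernet E2:44:55:66:77:88; client-hostname "MacBook"; }
"""


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set.

    This is exactly the "second character is 2, 6, a or e" rule: those are
    the low-nibble values of a unicast octet with bit 1 set."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def oui(mac: str) -> str:
    """Return the 24-bit prefix, or '' when the U/L bit says it is not an OUI.

    Looking a private address up in a vendor table gives a meaningless answer,
    so the caller gets an empty string instead of a prefix to look up."""
    if is_locally_administered(mac):
        return ""
    return ":".join(mac.lower().split(":")[:3])


def classify_leases(text: str) -> dict:
    """Group every MAC address found in the text into 'private' or 'universal'."""
    groups = {"private": [], "universal": []}
    for match in MAC_RE.finditer(text):
        mac = match.group(0).lower()
        key = "private" if is_locally_administered(mac) else "universal"
        groups[key].append(mac)
    return groups


if __name__ == "__main__":
    for kind, macs in classify_leases(SAMPLE_LEASES).items():
        print(f"{kind}: {macs}")
```

Run against a real lease or RADIUS accounting export, the `private` list tells you how many clients would be locked out by a MAC-based allow list, which is the population the MDM or EAP changes later in this article need to cover.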

Private Wi-Fi Address has been available since iOS 14, iPadOS 14, macOS 15, visionOS 1, and watchOS 7.

MAC address randomization and Private Wi-Fi Address

MAC address randomization and Private Wi-Fi Address are distinct features with different purposes. iOS 8 or later prevents device tracking by assigning a randomized locally administered MAC address during network discovery. When probing for networks, devices running iOS 8 or later frequently randomize the MAC address used to transmit probe requests to the broadcast address to protect user privacy. Private Wi-Fi Address protects user privacy during network association. When the two features are combined (randomized MAC address during network discovery and Private Wi-Fi Address during network association), they help prevent MAC address tracking of the device and user behavior.

 

Randomized MAC address broadcast during network discovery. This MAC address will appear the same to each network, but may change over time as it is broadcast.

 

Private Wi-Fi Address used during association. The MAC address will be unique to, and always used with this network.


Rotating Private Wi-Fi Address

Starting with iOS 18, iPadOS 18, macOS Sequoia 15, watchOS 11, and visionOS 2, Private Wi-Fi Address can rotate. By default the per-network address stays static, but on Wi-Fi networks with weak security the MAC address changes every two weeks. Weak networks are those that do not use WPA2 or stronger security.


Managing Private Wi-Fi Address and MDM

There are two options for accommodating Private Wi-Fi Address on your network. The preferred method is to use an authentication protocol such as EAP-TLS or EAP-PEAP rather than MAC address filtering; this keeps Private Wi-Fi Address enabled and protects user privacy across networks. While transitioning to such a protocol, you can disable Private Wi-Fi Address using an MDM solution.

Apple devices support Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) for per-device accountability, and user-based authentication with EAP-PEAP for per-user accountability. Both EAP-TLS and EAP-PEAP, among other secure protocols, are available in the Wi-Fi payload in MDM solutions. Check your MDM vendor’s documentation for details.

Private Wi-Fi Address may also be disabled on a per-network basis either manually on the device or through an MDM solution. While your network continues to rely on knowledge of the MAC address for authentication, disabling Private Wi-Fi Address selectively for your corporate network (SSID) using the MDM setting will allow your devices to continue to access your networks while you implement an alternative protocol.

Devices upgraded to iOS 14, iPadOS 14, macOS 15, and watchOS 7 connect to previously known MAC-filtered networks using the universal MAC address. They will attempt to associate with the Private Wi-Fi Address on subsequent connections, but continue to use the universal MAC address until the first successful association with a Private Wi-Fi Address.

Connections to new networks always use the Private Wi-Fi Address. You can manually deploy configuration profiles or create an MDM-delivered Wi-Fi payload to disable Private Wi-Fi Address on enrolled devices for managed networks. Your MDM solution must support the DisableAssociationMACRandomization key in the Wi-Fi payload, and you must provide the SSID for each network where you would like to disable Private Wi-Fi Address. The device will then use the user setting for all other networks.
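The following is an added example, not Apple's code or any MDM vendor's: it builds an unsigned `.mobileconfig` that carries one Wi-Fi payload per managed SSID and sets `DisableAssociationMACRandomization` only on the SSID that still depends on MAC filtering, then reads the profile back to audit which SSIDs will be joined with the universal address. The payload type `com.apple.wifi.managed` and the keys `SSID_STR`, `AutoJoin`, `EncryptionType`, `Password` and `DisableAssociationMACRandomization` are Apple's documented Wi-Fi payload keys; the identifiers, organization name, SSIDs and placeholder passphrase are constructed.

```python
"""Build and audit a configuration profile that turns off Private Wi-Fi
Address for specific managed SSIDs only.

Added example; not Apple's or an MDM vendor's code. Payload identifiers,
organization, SSIDs and the passphrase below are constructed placeholders."""
import plistlib
import uuid

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"


def build_wifi_payload(ssid: str, passphrase: str,
                       disable_private_address: bool = True) -> dict:
    """One Wi-Fi payload for a WPA2-Personal network.

    With DisableAssociationMACRandomization true the device joins this SSID
    with its universal MAC address; every other network keeps the user's
    own Private Wi-Fi Address setting."""
    return {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid.lower()}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": passphrase,
        "DisableAssociationMACRandomization": disable_private_address,
    }


def build_profile(networks: dict,
                  organization: str = "Example School District") -> dict:
    """Top-level profile wrapping one Wi-Fi payload per SSID.

    networks maps SSID -> (passphrase, disable_private_address)."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi-mac-filtered",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi: universal MAC on MAC-filtered SSIDs",
        "PayloadOrganization": organization,
        "PayloadContent": [
            build_wifi_payload(ssid, passphrase, disable)
            for ssid, (passphrase, disable) in networks.items()
        ],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize to the XML plist an (unsigned) .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def ssids_with_private_address_disabled(mobileconfig: bytes) -> list:
    """Audit helper: parse a profile and list the SSIDs that will be joined
    with the universal MAC address. Run it on the profile your MDM actually
    exports to confirm the key survived the vendor's payload editor."""
    profile = plistlib.loads(mobileconfig)
    return sorted(
        payload["SSID_STR"]
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") == WIFI_PAYLOAD_TYPE
        and payload.get("DisableAssociationMACRandomization") is True
    )


# Constructed: one legacy MAC-filtered SSID, one SSID that keeps privacy on.
SAMPLE_NETWORKS = {
    "Legacy-MACFilter": ("placeholder-passphrase", True),
    "Staff-Secure": ("placeholder-passphrase", False),
}

if __name__ == "__main__":
    blob = to_mobileconfig(build_profile(SAMPLE_NETWORKS))
    with open("wifi-private-address.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("universal MAC used on:", ssids_with_private_address_disabled(blob))
```

Scoping the key to the one SSID that still needs it is the point: the audit list should shrink as each network moves to EAP-TLS or EAP-PEAP, until the profile no longer disables Private Wi-Fi Address anywhere.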


 

Example: Wi-Fi payload configuration in Apple Configurator 2.18.


Accommodate Private Wi-Fi Address using one of the two methods to ensure that your corporate devices continue to seamlessly access your enterprise networks. As always, if you have additional questions, please reach out to your Apple team.
