It’s been a busy 2 weeks since Apple released macOS Sequoia! One of the new features is private Wi-Fi addresses, aka “MAC address randomization”. While this is all well and good and can “improve your privacy”, it has been causing headaches for folks in environments where random MAC addresses are not a good thing.
Now, Apple did think about this somewhat, as evidenced by “About private Wi-Fi addresses and enterprise networks” and “Wi-Fi MDM settings for Apple devices”, but they didn’t really do a complete “dress rehearsal” of what would happen: You can’t deploy an MDM Wi-Fi profile with the DisableAssociationMACRandomization key until the Mac is already upgraded to macOS Sequoia, and once upgraded to Sequoia the MAC randomizes and that could break your connectivity to get the new config profile! It’s a real “chicken and egg problem” 🐣 that is laid out in great detail here.
Seeing the angst created, the contortions required, and overall FML vibes this was causing, I did some investigations to see what could be done and guess what? You can pre-populate the PrivateMACAddressModeUserSetting value to off in the wifi.network.ssid.<SSID> dictionary of /Library/Preferences/com.apple.wifi.known-networks.plist before a Mac upgrades to Sequoia! 🎉 Note: When you set this via script (versus GUI), the change does not take effect until reboot: the MAC stays randomized and the UI does not reflect this. This doesn’t matter if it’s for an upgrade to Sequoia, but just letting you know that if you try it on Macs already on Sequoia, it won’t take effect until a reboot. If there’s some clever kill -HUP that can be sent, let me know. I tried killall cfprefsd but that wasn’t enough.
Update: Thanks to boberito in the MacAdmins Slack, who figured out that killing cfprefsd and airportd would update the UI, and power cycling the Wi-Fi would cause this change to take effect! I’ve added an option to the script to do this: set restartWiFi_HC="1" to restart Wi-Fi, just be aware you better make sure your Wi-Fi reconnects!
If that’s all you need to know, then Godspeed and good luck to you! If you’d like a Jamf script and extension attribute, read on…
You can use the script setPrivateMACAddressMode to set the mode of one or more SSIDs on a target Mac. As it is, the SSID must have been previously connected to so that the wifi.network.ssid.<SSID> dictionary gets filled out. I tried writing the value to an un-populated dictionary and Wi-Fi just wigged out (like nothing-in-the-SSID-list kinda weirdness!). Keep that caveat in mind. If you can figure out a minimum viable set of keys that are needed then good for you, but for this script, it’ll just skip the SSID if it’s not already in com.apple.wifi.known-networks. This script can be used with Jamf and its policy script parameters, or if you are on another MDM, just hard-code the SSIDs; I’ve made allowances for that.
Next, this is a Jamf extension attribute, OS-Private MAC Address Mode; it will report the mode and the SSID (example: off|My Cool Wifi). You can have it report all known networks or just hardcode the value for specific SSID(s). It can be useful when used in a Smart Group. You could deploy a Major Update deferral config profile to block Sequoia, then make a Smart Group for exclusion using OS-Private MAC Address Mode ‘is like’ off, or ‘matches regex’ ^off\| for more precise matching. When someone becomes a member of the Smart Group it excludes them from the Major Update deferral config profile and they can then upgrade to Sequoia.
Lastly, if you don’t have Jamf but want to see what the values are, getPrivateMACAddressMode will spit out a human readable list of SSIDs and modes (off, static, rotating, and NOT_SET).
I usually try to put more pictures and illustrations in my posts but every moment I spend not publishing this, the more weekends that are possibly ruined by thinking about the suck that is macOS Sequoia Private Wi-Fi addresses in managed environments. I think this pic will sum things up! 😄
UPDATES: A couple things to keep in mind:
1) If you deploy Config Profiles with Wi-Fi payloads, then it will blow away everything about the SSID in com.apple.wifi.known-networks every time the config profile is redeployed!
2) That means if you do deploy a Wi-Fi config profile with the Sequoia-only DisableAssociationMACRandomization key, it will blow away the manually set key PrivateMACAddressModeUserSetting in com.apple.wifi.known-networks. The EA OS-Private MAC Address Mode currently does not attempt to resolve whether an SSID has a corresponding config profile with the DisableAssociationMACRandomization key set, so it will be blank.
3) As of 15.0.1 a user can still change the setting even when deployed via MDM, contrary to Apple’s stated behavior: “This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it”.
3b) Actually, I found that if you killall airportd before rebooting, it’ll lock the value – until reboot.
4) Apple also draws user attention to the setting with a caution icon ⚠️ in the Wi-Fi dropdown rather than a “check” icon like they use for managed Login Items in System Settings (the whole thing is an inconsistent mess).
Update 2: Steven Xu over in the Jamf Nation forums found that setting the PrivateMACAddressModeSystemSetting key to 1 (integer, not boolean) within /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist will disable Private MAC Addresses by default. Newly joined networks, or networks where the PrivateMACAddressModeUserSetting key for an SSID is off or not already set to static or rotating, will use their actual MAC address. I’ve added support for setting this key in setPrivateMACAddressMode, and it too will not take effect in Sequoia+ until either a reboot or setting the variable restartWiFi_HC="1". Just keep in mind, perhaps you want your users to have Private MAC addresses by default when joining new and unknown networks? Why should the free Wi-Fi at the food court or coffee shop get your real MAC address anyway!? The getPrivateMACAddressMode script and extension attribute OS-Private MAC Address Mode have been updated to report on (disable)PrivateMACAddressModeSystemSetting also.
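As an added example (Python with the standard-library plistlib, not the post’s own bash scripts), this mirrors the logic described above: it sets PrivateMACAddressModeUserSetting only for SSIDs whose wifi.network.ssid.<SSID> dictionary already exists, reports each SSID’s mode the way the extension attribute does (NOT_SET when the key is absent), and writes PrivateMACAddressModeSystemSetting as integer 1. The SSID names and the sample plist contents are constructed.

```python
import plistlib
from typing import Dict, List, Tuple

# Real files on macOS (run as root to write them); not touched by this example.
KNOWN_NETWORKS = "/Library/Preferences/com.apple.wifi.known-networks.plist"
AIRPORT_PREFS = "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
SSID_PREFIX = "wifi.network.ssid."
USER_KEY = "PrivateMACAddressModeUserSetting"
SYSTEM_KEY = "PrivateMACAddressModeSystemSetting"
VALID_MODES = ("off", "static", "rotating")

# Constructed stand-in for the known-networks plist (the real file is binary;
# plistlib reads both formats): one SSID already 'rotating', one with no setting.
SAMPLE_KNOWN_NETWORKS = plistlib.dumps({
    SSID_PREFIX + "CorpWiFi": {USER_KEY: "rotating"},
    SSID_PREFIX + "Guest": {},
    "SomeOtherKey": 1,
})


def set_user_mode(plist_bytes: bytes, ssids: List[str], mode: str) -> Tuple[bytes, List[str], List[str]]:
    """Set the per-SSID user mode. An SSID with no existing wifi.network.ssid.<SSID>
    dictionary is skipped: writing into an unpopulated entry breaks Wi-Fi."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    data = plistlib.loads(plist_bytes)
    updated, skipped = [], []
    for ssid in ssids:
        entry = data.get(SSID_PREFIX + ssid)
        if not isinstance(entry, dict):
            skipped.append(ssid)
            continue
        entry[USER_KEY] = mode
        updated.append(ssid)
    return plistlib.dumps(data), updated, skipped


def report_user_modes(plist_bytes: bytes) -> Dict[str, str]:
    """SSID -> off/static/rotating, or NOT_SET when the key is absent."""
    data = plistlib.loads(plist_bytes)
    return {k[len(SSID_PREFIX):]: v.get(USER_KEY, "NOT_SET")
            for k, v in data.items() if k.startswith(SSID_PREFIX) and isinstance(v, dict)}


def set_system_default_off(plist_bytes: bytes) -> bytes:
    """Disable private addresses by default: the value must be integer 1, not a boolean."""
    data = plistlib.loads(plist_bytes)
    data[SYSTEM_KEY] = 1
    return plistlib.dumps(data)


def system_setting(plist_bytes: bytes):
    """Current system-wide setting, or NOT_SET when the key is absent."""
    return plistlib.loads(plist_bytes).get(SYSTEM_KEY, "NOT_SET")
```

On a real Mac, feed the bytes of the two files named by the constants through these functions and write the results back as root, then kill cfprefsd and airportd and power-cycle Wi-Fi (or reboot) for the change to take effect, as the post describes.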
Code in this post:
- setPrivateMACAddressMode – set the mode via Jamf (or others)
- OS-Private MAC Address Mode – Jamf Extension Attribute
- getPrivateMACAddressMode – interactive command line tool