Apple published a brief summary of the newly introduced “Private Address” Wi-Fi feature. Since it does not go into detail, I tested the public iOS 14.0 release on an iPhone SE and iPad Mini in my lab. Here is how it actually works.
New Wi-Fi networks
For SSIDs you have not connected to before, iOS 14 devices generate a random MAC “Private Address” and they use this MAC address permanently for this SSID. This address does NOT change over time. This works as expected.
Previously used Wi-Fi networks
Known Wi-Fi networks you have already connected to at least once before upgrading to iOS 14 get different treatment, though. And this is where things are not as straightforward as the documentation suggests.
After upgrading to iOS 14, I connect to a known network which I have already used before the upgrade. The MAC address that is used is actually the real hardware MAC address of the Wi-Fi adapter for 24 hours. Note that the “Private Address” feature is enabled. This could potentially be considered a UI bug.
24 hours after first connecting from an iOS 14 device to this known SSID, the “Private Address” feature kicks in and the MAC address for this SSID automatically switches from the real MAC address to a randomly generated MAC address. Personally, I assume that this 24-hour period has been developed to allow enterprises to disable the Private Address feature on their managed iOS devices using MDM, but I may be wrong.
From this point onwards the same randomly generated Private Address is permanently used for this SSID and does NOT change over time.
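For administrators who key allowlists or DHCP reservations on MAC addresses, the switch described above can be spotted in association logs. The following is an added example, not code from the original post: it relies on the fact that randomised addresses have the locally administered bit (0x02 of the first octet) set, and it assumes a hypothetical log format of timestamp, SSID, client MAC and a stable client identifier such as the DHCP hostname. All log lines and MAC addresses are constructed sample values.

```python
from datetime import datetime

# Constructed sample log (assumed format): timestamp SSID client-MAC DHCP-hostname
SAMPLE_LOG = """\
2020-09-17T09:00:00 CorpWiFi 3c:22:fb:10:20:30 alices-iphone
2020-09-18T09:05:00 CorpWiFi 5a:91:c4:0d:7e:12 alices-iphone
2020-09-18T10:00:00 CorpWiFi 3c:22:fb:aa:bb:cc lab-printer
2020-09-18T11:00:00 GuestWiFi e6:1f:08:33:44:55 bobs-ipad
"""


def is_private_address(mac):
    """True for a unicast MAC with the locally administered bit set."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    locally_administered = bool(first_octet & 0x02)
    multicast = bool(first_octet & 0x01)
    return locally_administered and not multicast


def find_switches(log_text):
    """Find clients seen with a hardware MAC and later a private one on one SSID.

    Returns a list of (hostname, ssid, hardware_mac, private_mac, elapsed),
    where elapsed is measured from the first sighting of the hardware MAC.
    """
    first_hw = {}   # (hostname, ssid) -> (first seen, hardware MAC)
    switches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ssid, mac, host = line.split()
        when = datetime.fromisoformat(ts)
        key = (host, ssid)
        if not is_private_address(mac):
            first_hw.setdefault(key, (when, mac))
        elif key in first_hw:
            seen, hw_mac = first_hw.pop(key)
            switches.append((host, ssid, hw_mac, mac, when - seen))
    return switches


if __name__ == "__main__":
    for host, ssid, hw, private, elapsed in find_switches(SAMPLE_LOG):
        print(f"{host} on {ssid}: {hw} -> {private} after {elapsed}")
```

A client that only ever appears with a private address, like the GuestWiFi entry, is not reported, because there is no earlier hardware MAC on that SSID to compare against.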
One thought on “Apple iOS 14 Private Address feature, per SSID Wi-Fi MAC randomisation and how it actually works”
Wanted to add another scenario. If you connect to a Wi-Fi network during Setup Assistant, the iPad will report the built-in Wi-Fi MAC address as well. I haven’t fully tested this yet, but I suspect that after 24 hours, the private address feature will take effect, similar to how upgrading to iOS 14 works.
I suspect this is so companies that pre-approve MAC addresses on their network can use the MAC address printed on the box to upload into their system. However, they will still need to push a profile down to prevent the MAC address from changing after 24 hours.