Cisco has warned that an iOS 14 privacy feature can break some network setups used by corporations, schools, colleges, and retail chains.
The potential problems result from the fact that iPhones and iPads on the latest OS default to using a random MAC address when connecting to Wi-Fi networks …
Apple introduced the feature as a privacy protection, primarily against retailers who use MAC addresses to track customers who connect to their Wi-Fi networks. Using a random MAC address breaks that – which most of us would consider to be a good thing – but it can also break device-management systems used in companies and educational establishments.
Cisco explained the problem, which also applies to the same feature in Android 10. The company says it can break Cisco Identity Services Engine (ISE) services as it uses MAC address lookup. This can impact two key systems used by many organizations.
Mobile Device Management (MDM) systems. These are used when deploying devices owned by the organization to employees or students. MDM ensures that all devices have the same configuration, apps, security policies, and so on. Devices can be automatically updated to the latest configuration when they connect to the network, but random MAC addresses mean that they may no longer be recognized.
The same problem applies to Bring Your Own Device (BYOD) systems, where employees and students are allowed to use their own devices to connect to organizational networks, provided that the devices comply with certain security requirements.
The MAC address of the client at the time of BYOD onboarding is embedded in the certificate that is returned to the client. Due to this, a dual-SSID flow using MAC-in-SAN or BYOD_is_Registered condition will fail as the MAC address between the onboarding SSID and the secured SSID is different. This is also true for single-SSID flows for devices that are upgraded from a previous version of iOS to iOS 14 (single-SSID flows for devices upgraded to Android 10 are unaffected) as the MAC address randomization is enabled by default on all SSIDs on the device.
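As an added illustration (not Cisco's code or anything from the article), the check below compares the MAC embedded in a BYOD onboarding certificate's SAN with the MAC seen on the secured SSID and, on a mismatch, tests the locally-administered (U/L) bit that randomized addresses set, so an operator can tell a randomization mismatch from some other failure. The SAN is assumed to be a list of strings with the MAC as one plain entry, optionally behind a type tag such as "DNS:"; all sample values are constructed.

```python
import re

# Accepted spellings: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff (Cisco)
_MAC_FORMS = re.compile(
    r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}|[0-9a-f]{4}(\.[0-9a-f]{4}){2}", re.IGNORECASE
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    if not _MAC_FORMS.fullmatch(value.strip()):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())


def is_locally_administered(mac_hex):
    """True when the U/L bit (0x02 of the first octet) is set. Randomized
    addresses generated by iOS 14 and Android 10 set this bit; a burned-in
    vendor address normally does not, so treat it as a strong hint, not proof."""
    return int(mac_hex[:2], 16) & 0x02 != 0


def mac_from_san(san_entries):
    """Pick the first SAN entry that parses as a MAC (assumed string form,
    optionally prefixed with a type tag such as 'DNS:' or 'otherName:')."""
    for entry in san_entries:
        for candidate in (entry, entry.split(":", 1)[-1]):
            mac = normalize_mac(candidate)
            if mac is not None:
                return mac
    return None


def diagnose_session(san_entries, session_mac):
    """Classify why a client holding an onboarding certificate is or is not
    recognized on the secured SSID."""
    live_mac = normalize_mac(session_mac)
    if live_mac is None:
        raise ValueError(f"not a MAC address: {session_mac!r}")
    cert_mac = mac_from_san(san_entries)
    if cert_mac is None:
        return "no_mac_in_san"
    if cert_mac == live_mac:
        return "match"
    if is_locally_administered(live_mac):
        return "mismatch_randomized_mac"   # likely iOS 14 / Android 10 randomization
    return "mismatch_other"               # e.g. certificate moved to another device


if __name__ == "__main__":
    # Constructed sample: onboarding certificate SAN plus later session MACs.
    san = ["DNS:ipad-lab-07.example.invalid", "3C:22:FB:12:34:56"]
    for seen in ("3c:22:fb:12:34:56", "DA:14:2B:9F:00:01", "3c22.fb00.aabb"):
        print(seen, "->", diagnose_session(san, seen))
```

A "mismatch_randomized_mac" result is the case the article describes: the device presents a valid certificate but a different, locally-administered MAC than the one recorded at onboarding.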
Worse, Cisco says there is no easy solution to this beyond asking users to switch off the feature on their devices.
There is currently no large scale solution for the issues introduced by third-party MAC address randomization, only workarounds are available […]
For Profiling and MDM services, end users can be instructed to disable MAC address randomization on the device before obtaining intended network access. In order to do so, users can be redirected to a modified hotspot page that provides instructions to disable MAC address randomization when the device uses a random MAC address to connect to the network. Once MAC address randomization is disabled, the user can connect normally.
If your company or school asks you to switch off this iOS 14 privacy feature, it’s likely to avoid these issues.