  • iphones keep changing mac (wifi) address so kids policies are not enforced

    I finally figured out why my kids' iPhones keep escaping my policy enforcement and blocking.

    My setup:
    Basically I have
    kids' phones tagged with a username in the Devices panel, example kids-name.
    firewall rule for kids set up to block all internet traffic.
    Policy Manager set up with logic like: username = *kids*, time of day = ___, etc.
    If it matches the policy, then the kids are blocked properly.

    So this works great for days (more or less), which tells me I have everything set up fine.

    All of a sudden nothing gets enforced on the kids' iPhones (at the same time the kids' devices such as Chromebooks are getting enforced fine). So clearly the iPhones are doing something to escape the policy.

    I have concluded that it is due to them switching MAC address on the network(s), which then means they appear as a different MAC address and they are no longer tagged with the proper username. I need to stop this.

    When it happens is:
    1. If they enter the Untangle-controlled network on a different wifi or VLAN, that changes the address in the Devices panel. I go and manually tag the new address and policies are back to getting enforced.
    2. If iPhones have "Private Address" turned on, the iPhone changes its wifi address every time it is powered on/off or simply when Private Address is toggled. Same end result as #1 above.

    How do I stop this? I can't go down and tag the new MAC address with their username every time it changes.
    If it is not possible to force the iPhones to have only one username, I need to know how to set up Policy Manager (not with username) to make the desired behavior work.


  • #2
    Wow, I have the same issue at a friend's house with all their Apple devices, and the setting for private MAC addresses is easily toggled by the device owner, bypassing all their rules. I did find this article from Cisco:

    Mobile endpoints utilizing random MAC address is nothing new. But the way it is utilized has changed since it was first introduced. In the beginning, the randomization of MAC was used to probe for known wireless networks by the devices. By randomizing the MAC address used in the probe request frame,...

    I was thinking about writing a rule that would block a randomized MAC address in the Firewall app, but it doesn't seem to take kindly to regular expressions, which is the solution in the Cisco article.

    How have others addressed this? Looking through the rule patterns for MAC addresses, it looks like the Glob match may work.
    Last edited by RonV42; 02-19-2022, 09:37 AM.


    • #3
      This is default behavior of iOS to prevent tracking. Rotating MAC addresses are a feature of iOS and Android, but it is on by default on iOS.

      Apple's newest feature enhances network security, but it may cause disruptions when users join wireless networks from iOS devices. Here's how to work around them.

      Like HTTPS limiting inspection, this is the future. MAC addresses were never 100% reliable and now they are never reliable. If you have MDM on those devices, you can control their ability to rotate the MAC address. Otherwise, the device needs to sign in on every connect.
      Last edited by jcoffin; 02-19-2022, 09:38 AM.
      Attention: Support and help on the Untangle Forums is provided by
      volunteers and community members like yourself.
      If you need Untangle support please call or email [email protected]


      • #4
        Yes, understood, been battling it for a year on my friend's Apple devices. Do you think a Glob match may work to identify the randomized OUI? For a simple rule, any MAC address whose first octet ends in 2, 6, A, or E would be a random MAC address. Here is what I was thinking: a total of 4 rules to add, for 2, 6, A, and E.

        [Attached image: random mac block.png]
        Last edited by RonV42; 02-19-2022, 09:45 AM.


        • #5
          Using a wildcard match defeats the purpose of identifying the device, as any device could have those MAC addresses. MDM, or maybe using VPN within the network. I see captive portal as more useful in this case, but a chore for users.


          • #6
            So what I'm hearing is that any hope of using Untangle to manage kids' devices is not going to work? Unless I have some type of hotel-style login (captive portal) every time they need to use the web? Neither they nor I are going to tolerate that. Which means that unless I want to "cut the internet off" for every user of the network, I can't segregate any devices reliably using Untangle?

            I converted to Untangle (from using Circle for this function) thinking it could be an acceptable substitute for Circle. It works somewhat well for this until the moment the user switches addresses, which can be at the toggle of a switch on their device. I hate to go back to Circle, but that seems like where I'm headed.


            • #7
              I think Cisco did the leg work in the article I linked to: the 2nd digit of the first octet gives away that it's random, because the locally administered bit is set. Yes, this rule would intercept anything with an LAA, but I wouldn't expect to see many of them in the wild or inside the home except for Apple, Android, and Windows devices that have generated random MACs. I am going to try some tests in my home lab and report back.

              Just for more info, I created 50 virtual interfaces on a Raspberry Pi, since they would be locally administered, and all had a "2" as the second digit of the first octet. I did like the recommendation for redirection to a web site that instructs on how to disable random MAC, but this would take a heck of a lot more work than just blocking and having the father of the kids take the device and turn off random MACs for access.
              Last edited by RonV42; 02-19-2022, 09:58 AM.
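As an added illustration (example code written for this thread, not from any poster, from Cisco or from Untangle), the following Python shows the locally administered (U/L) bit check that the Cisco article and post #7 describe, verifies that the four "second hex digit is 2, 6, A or E" globs from post #4 cover exactly the locally administered unicast first octets, and runs the check over a constructed list of observed Wi-Fi clients to report which ones no longer match a username tag. Every device name and address below is constructed; no real OUIs are implied.

```python
"""Classify observed Wi-Fi client MAC addresses as burned-in (globally unique)
or locally administered (the bit every randomised/"private" address sets), and
report which observed clients still match a username tag.

Example added for this thread; device names and addresses are constructed.
"""
import re
from typing import Dict, Iterable, List, Mapping, Tuple


def normalize_mac(mac: str) -> str:
    """Return the address as lower-case, colon-separated (aa:bb:cc:dd:ee:ff).

    Accepts colon, dash, dot or no separators; raises ValueError otherwise.
    """
    hexdigits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet (the U/L bit) is set.

    Randomised/"private" addresses set this bit; burned-in addresses clear it.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """True when bit 0 of the first octet (the I/G bit) is set."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x01)


def matches_second_digit_rule(mac: str) -> bool:
    """The four-glob 'second hex digit is 2, 6, A or E' rule from post #4."""
    return normalize_mac(mac)[1] in "26ae"


def glob_rule_equals_bit_check() -> bool:
    """The four globs match exactly the locally administered *unicast* octets.

    Octets ending in 3, 7, B or F also have the U/L bit set, but those are
    multicast (I/G bit set) and never appear as a client's own address.
    """
    for octet in range(256):
        mac = f"{octet:02x}:00:00:00:00:00"
        expected = is_locally_administered(mac) and not is_multicast(mac)
        if matches_second_digit_rule(mac) != expected:
            return False
    return True


# Constructed device table: addresses an admin tagged with usernames.
TAGGED_DEVICES: Dict[str, str] = {
    "a4:5e:60:10:20:30": "kid-alice-iphone",    # constructed burned-in address
    "00:1a:11:aa:bb:cc": "kid-bob-chromebook",  # constructed burned-in address
}

# Constructed list of addresses seen associating to the home SSID today.
OBSERVED_CLIENTS: List[str] = [
    "a4:5e:60:10:20:30",  # alice's phone, still on its hardware address
    "00:1a:11:aa:bb:cc",  # bob's chromebook
    "DA-3F-1C-77-88-99",  # untagged, U/L bit set: looks like a private address
    "b8:20:eb:12:34:56",  # untagged, U/L bit clear: some unknown hardware
]


def classify_clients(observed: Iterable[str],
                     tagged: Mapping[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each observed address to (state, username).

    state is "tagged", "untagged-local" (randomised-looking, the case that
    escapes a username-based policy) or "untagged-global".
    """
    report: Dict[str, Tuple[str, str]] = {}
    for raw in observed:
        mac = normalize_mac(raw)
        if mac in tagged:
            report[mac] = ("tagged", tagged[mac])
        elif is_locally_administered(mac):
            report[mac] = ("untagged-local", "")
        else:
            report[mac] = ("untagged-global", "")
    return report


def untagged_random_clients(observed: Iterable[str],
                            tagged: Mapping[str, str]) -> List[str]:
    """Addresses that look randomised and carry no username tag."""
    return [mac for mac, (state, _) in classify_clients(observed, tagged).items()
            if state == "untagged-local"]


if __name__ == "__main__":
    for mac, (state, user) in classify_clients(OBSERVED_CLIENTS, TAGGED_DEVICES).items():
        print(f"{mac}  {state:15s} {user}")
```

Note what the check can and cannot tell you: the U/L bit says only that an address was not burned in by a manufacturer, so, as post #5 points out, a rule built on it identifies the class of address, not the device behind it. It is still a useful report to run against the Devices panel, because every untagged locally administered client is exactly a device your username-based policy no longer sees.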


              • #8
                This is pretty far beyond my understanding, other than that you might be saying there is a way to match a random address based on some changing characteristic in part of the MAC address.

                If you figure out something, please let me know what policy manager rule might be used to identify those devices.


                • #9
                  Yep, I am poking around with two approaches: one just to block the access through a block-all policy based on the random MAC address and then having the kids' father "fix" the wireless profile on the Apple devices not to use a random MAC. The other would be a static captive portal page that says "fix your darn device, until then no internet for you!".


                  • #10
                    This guy has a video that addresses a possible workaround. It was originally posted on another thread I have.
                    Another Requested Video for Untangle. How to block devices & apply a schedule rule to it ! Good example would be, you have kids and want their internet devic...

                    I have no idea if this will work. Anybody have any ideas?


                    • #11
                      Yes, I have seen his video(s). He had to turn off private MAC addresses for the wireless network on the phone to make sure the MAC address was static. Then he assigned a username to the device. Any "smart" kid can search or find out through word of mouth how to change that setting back and defeat the internet block.


                      • #12
                        Yes, even if the kids don't know, the device will do it. He did mention a workaround is to put the kids' devices onto only one VLAN and block that VLAN. The problem is that it does that for every device (which may be fine) on that network. And if the kids or guests find out the password to the default network, then no blocking.


                        • #13
                          And unfortunately in this instance, I can't see where iPhone parental controls (Screen Time) allow me to block them from changing this setting. If it did, my problem would be solved (at least for a while).


                          • #14
                            The setting you are looking for is under the wireless network settings. IMO, I just created a Kids network and block that at a certain time! Not sure if that's 100% acceptable. BTW, thank you for watching my video.


                            • #15
                              The only way to really handle this mess is to setup a wireless network that goes into a dedicated VLAN that has the kids' controls applied to it. Then set the password on the SSID to something the kids know, and RESET the rest of them so they don't.

                              Otherwise, yeah if your kid goes and flips that switch... the device is no longer flagged and therefore no longer controlled. So you have to use something you can control, the network.
                              Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                              Phone: 866-794-8879 x201
                              Email: [email protected]