Disabling MAC randomization by default for provisioning devices.

Question

Level 1

14 points

Disabling MAC randomization by default for provisioning devices.

I need to find a way to turn off MAC randomization as default for provisioning Apple devices. We run a MAC whitelist for onboarding devices since the device doesn't have an auth cert from our CA. MAC randomization set to on by default causes some of our devices to fail onboarding since the MAC it uses for network access is sometimes randomized. Is there a way to turn this off during the initial provisioning process via the welcome screen? The device is managed in ABM and an MDM, so we can't get to the point where the device downloads its config during the "this device is managed by X org".

Posted on Sep 5, 2025 9:54 AM

Reply

Answer 1

John Galt

Level 10

156,794 points

Sep 5, 2025 7:56 PM in response to RyokoX37

Any attempt to provision Apple devices using their MAC addresses exclusively will fail. MDM device enrollment uses their serial numbers and installed profiles. To my knowledge Apple never used MAC addresses for that purpose, which are easily determined and just as easily spoofed.

Reply

Answer 2

RyokoX37 Author

Level 1

14 points

Sep 5, 2025 8:31 PM in response to John Galt

I think you might be misunderstanding the question. MAC randomization is on by default for the devices, the issue there is that they can’t hit our wireless network because we use a MAC whitelist for ZT/C2C policies for onboarding since the device doesn’t have a cert issued by our CA. So the issue is that we get stuck in a provision loop because the device is denied network access because it randomizes the MAC as opposed to using the hardware MAC out of the box. And since it can’t hit network it can’t enroll the device, and since the device is managed by our MDM you end up getting stuck on the welcome screen.

So what I need to know is how to turn this off from the welcome screen since I can’t finalize the provisioning and disable it in settings.

Reply