Disable Wi-Fi Private MAC Address on macOS 15

Steven_Xu
Contributor

In macOS 15, the new Private MAC address settings is enabled by default, and there is a new settings in Profile to disable it, BUT it's only for a spacified SSID.

If you need a global setting to disable the Private MAC for all existed and new SSID, try to create a new policy to run this command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist PrivateMACAddressModeSystemSetting -int 1

It will not disable the Private MAC Address immediately, but it will work after forgot the network or reboot the computer.

 

20 REPLIES 20

AJPinto
Honored Contributor III

If I remember correctly, it's not just for a specific SSID. I think that SSID's network must be deployed with a Configuration Profile.

sdagley
Esteemed Contributor II

@AJPinto You are correct, in Jamf Pro 11.9.1 the "Disable MAC Address Randomization (macOS 15 or later)" option is part of the Network payload in a Configuration Profile and only applies to the SSID being configured in that Network payload.

emanueldiaz_09
New Contributor III

Anybody have issues with this working? I saw Jamf has the option now in WiFi configuration profile, but in our network anything with Private Mac Address is blocked. So I think when users upgrade to sequoia they dont get the chance to grab that setting before they are blocked. 

 

sdagley
Esteemed Contributor II

Here is a blog post by @brunerd which describes a mechanism for disabling MAC address randomization that can be deployed to Macs running macOS Sonoma so when they are upgraded to macOS Sequoia they won't start with randomization enabled: 

https://www.brunerd.com/blog/2024/09/27/getting-ahead-of-private-wi-fi-address-changes-in-macos-sequ...

brunerd
Contributor

Thanks for tagging me @sdagley and nicely spotted @Steven_Xu I've added support for setting the PrivateMACAddressModeSystemSetting key in my script setPrivateMACAddressMode.sh script. It's such a poorly named key so I refer to it (disable)PrivateMACAddressModeSystemSetting in the script and logs so the 0/1 "boolean" logic makes more sense. It only sets the default behavior and will have no effect on a network where the PrivateMACAddressModeUserSetting key is already set to static or rotating but it does take effect without reboot if you restart the WiFi via the script: restartWiFi_HC=1

sdagley
Esteemed Contributor II

@Steven_Xu Should this setting PrivateMACAddressModeSystemSetting to 1 via a Configuration Profile result in any Wi-Fi configuration previously set to Fixed or Rotating reverting to Off after a restart? That is not the behavior I am seeing on my test Mac (although that Mac is running a version of macOS Sequoia >15.0.1)

thetfordb
New Contributor III

Is anyone able to prevent the Private MAC Address feature from enabling when upgrading from Sonoma to Sequoia (15.0.1)?  I thought setting the PrivateMACAddressMode key prior to the upgrade was working, but no longer does in my testing.

 

The Wi-Fi configuration profile is not reinstalling, but the PrivateMACAddressMode key is being removed from the plist and there are several keys being added: PrivateMACAddressEvaluatedAt, PrivateMACAddressEvaluationState, CachedPrivateMACAddress, and CachedPrivateMACAddressUpdatedAt. *note the Wi-Fi profile does not currently have the setting to disable the Private MAC option configured.  I didn't want to deploy any configuration updates until I work out all the details.  I may need to try this upgrade scenario on my test environment that has the key configured.  

 

 

sdagley
Esteemed Contributor II

@thetfordb Deploying the PrivateMACAddressModeSystemSetting setting @Steven_Xu posted via Configuration Profile didn't work (possibly because of the MCX wrapping Jamf Pro applies to an App & Custom Settings payload), but following his example of writing the setting directly to the com.apple.airport.preferences.plist did work for me. 

thetfordb
New Contributor III

@sdagley I am using a script to deploy the setting.  No configuration profile in my scenario has the setting configured.

sdagley
Esteemed Contributor II

I'm looking at a Mac I applied the PrivateMACAddressModeSystemSetting key to com.apple.airport.preferences.plist while running macOS 14.6.1 and it is still there after upgrading to 15.0.1 and 15.1. That _may_ however be because I wrote an EA to check for the presence of the key and if it isn't found it gets re-written to that .plist.

thetfordb
New Contributor III

Could be.  My script is running when the EA detects the value is not 'off'.  I could have the EA make the modification which would be more immediate.  I just don't like to modify things with an EA.

sdagley
Esteemed Contributor II

I should have been clearer. I have an EA that checks for the mod, a Smart Group that uses the output of the EA to report Macs that don't have the mod, and a Policy scoped to that Smart Group to apply the setting

thetfordb
New Contributor III

I may have resolved my issue.  The configuration profile with the 'Disable MAC Address Randomization (macOS 15 or later)' setting enabled is needed prior to the upgrade.  If you rely solely on the plist modification, the "evaluation" will still happen.  If you have the profile in place, it seems to obey the setting in the plist file upon upgrade to Sequoia.  I was testing in my production environment where we haven't updated our Wi-Fi config profile yet.  My test environment has it and this workflow seems to work as designed.

steepndeep
New Contributor

Is there a command I can run to turn off Private MAC Address for a specific SSID? I don't want to change the default setting for all networks, just our school's SSID. 

I used what @Steven_Xu posted above and put it in a script. 

 

#!/bin/bash

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist PrivateMACAddressModeSystemSetting -int 1

 

Create a policy to deploy it to your devices. I scoped to all. You can begin with a test environment if you want to test it. You will need a reboot after the command is ran. If you don't have a way of doing that yet i found this article super helpful. You will need to deploy swiftdialog for it to work. 

https://medium.com/@laclementine/nudge-your-users-to-restart-their-mac-a66a93afc483 

Once devices reboot the setting will be set. 

I also turned off Private Mac addresses in Jamf configuration policy. 

Screenshot 2024-10-30 at 10.38.14 AM.png

Hope this helps!

 

 

Thanks! But I think this sets it as the default for ALL new and existing networks. I just want to set it for one specific SSID. Any ideas?

I also use the Config Profile, but I'm finding that it doesn't always work.

Sorry about thaT! Miss read your post. 

I just dissected @brunerd s script that he posted. I tried his, but it did not work. I did find the piece that is needed though:

#!/bin/bash
/usr/libexec/PlistBuddy -c "add :wifi.network.ssid.'enter SSID Here':PrivateMACAddressModeUserSetting string off" /Library/Preferences/com.apple.wifi.known-networks.plist

Just add your SSID. The mode is set to "off" if thats what you want. I believe the other options are "rotating" and "fixed"

For where "enter SSID here" is written you can use a parameter in Jamf (ex: $4) and set it to a variable so you can reuse it if needed. 

hope this helps!

Awesome, I will give this a shot. Thanks!

Hi, my org is about to release OS15 to the populace and I need to deploy something that will disable this so users can continue to use the specific SSID of the wifi network. I tried deploying your script to a device that had the network in it's known list already so it failed (item already exists). This was already on 15 so I don't know if that was the cause but I guess I just want to know if this will work if I deploy to machines running 14, 13, etc and have the setting still in place post-upgrade so we don't get a bunch of calls that the wifi isn't working anymore.