Yes, WorkPass supports connections from devices that have enabled MAC address randomization (Private Address) in all zones. Being able to connect to Wi-Fi using a random MAC address is a new feature recently released in Android 10, Windows 10, and iOS 14. Through our Advanced Device Typing feature, your Plume will still be able to properly recognize devices with a random MAC and assign them to the proper device category and icon. The device brand, name, and model should also still be displayed.
Limitations when using a random MAC on Plume networks
Using a random MAC address is a great way to improve privacy, particularly when connecting to Guest networks like the one you created in WorkPass.
Certain features and policies rely on a consistent MAC address on the device to function, which you should keep in mind for devices connecting to both Secure and Employee zones:
- Employee device assignments and any rules and WorkPass features associated with those assignments
- Secure device groupings
- Device and Employee level Content Access and Shield rules
- Sharing rules for devices in the Secure zone
- IP reservations and port forwarding*
- Device approvals
In most cases, a device will use the same randomized MAC on saved networks. You can assign devices using a random MAC to employees and set rules without issues. The challenge arises if the MAC changes.
Every time a device changes its MAC address, the device will appear as new to your Plume network and these rules/configurations will have to be applied to the device again. Depending on how often devices rotate their MAC address, it can make it challenging to maintain the rules you've set.
| Device Type | Default when connecting to a new network | Same Private MAC (Random MAC) used on saved networks? | When does the Private MAC (Random MAC) rotate? |
|---|---|---|---|
| iOS 14 or later | Private MAC (Random MAC) | YES | Stays the same even when the network is forgotten |
| WatchOS 14 or later | Private MAC (Random MAC) | YES | Stays the same even when the network is forgotten |
| iPadOS 9 or later | Private MAC (Random MAC) | YES | Stays the same even when the network is forgotten |
|  | Private MAC (Random MAC) | YES | Stays the same even when the network is forgotten |
| Windows 10 | Device MAC | YES | Changes when network is forgotten or can change every 24 hours (optional) |
How to limit the impact of random MAC addresses
- Set up your rules and assignments based on both the device MAC and random MAC.
  - Since most devices will use the same random MAC on a network, you can apply the same settings and assignments for both MAC addresses that may be used for the device.
  - This is particularly easy for devices belonging to the business that you manage.
  - A limitation of this option is that only one Primary device can be assigned to an employee.
- Turn on the Limited network access for new devices feature in both the Secure and Employee zones.
  - This blocks local network access for all devices with an unrecognized MAC that connect to either the Secure or Employee zones until approved by you.
  - When asked for approval by your employee, assign the new device MAC to the employee's profile or ask them to use the device MAC address to connect to the network.
  - This feature should always be enabled anyway in case your Wi-Fi passwords are compromised.
- Have Content Access and Shield rules set up at the network level. This ensures the security of all devices connecting to your network.
*These are set using the WorkPass app only when Plume is operating in Router Mode. When operating Plume in Bridge Mode, these will be set on the router; however, the impact of an unrecognized MAC address will be the same. IP assignments and port forwarding rules will have to be done again if the device's MAC changes. Other features on your router, such as MAC filtering, will also have issues with unrecognized MAC addresses.
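To act on the recommendation above to cover both the device MAC and the random MAC, it helps to know which of your existing MAC-keyed settings depend on a random address only. The following is an added example, not Plume or WorkPass code: it classifies addresses by the locally administered bit that operating systems set on private MACs and audits a constructed list of bindings. The owner names, setting labels and the `audit_bindings` helper are assumptions made for illustration.

```python
import re

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def is_private_mac(text):
    """True for a unicast address with the locally administered bit (0x02 of the
    first octet) set. Private/random MACs carry this bit, but so do some virtual
    interfaces, so treat the result as a strong hint rather than proof."""
    first_octet = int(normalize_mac(text)[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)

def audit_bindings(bindings):
    """Map each owner to (status, settings keyed to a random MAC).

    status is 'both', 'random-only' or 'device-only'. Settings listed for a
    'random-only' owner must be re-applied if that device rotates its MAC."""
    seen = {}
    for owner, mac, setting in bindings:
        entry = seen.setdefault(owner, {"device": False, "random": set()})
        if is_private_mac(mac):
            entry["random"].add(setting)
        else:
            entry["device"] = True
    report = {}
    for owner, entry in seen.items():
        if entry["random"] and entry["device"]:
            status = "both"
        elif entry["random"]:
            status = "random-only"
        else:
            status = "device-only"
        report[owner] = (status, sorted(entry["random"]))
    return report

# Constructed sample data: (owner, MAC, setting keyed to that MAC).
SAMPLE_BINDINGS = [
    ("alice", "00:1A:2B:3C:4D:5E", "ip-reservation"),  # device MAC
    ("alice", "DA:A1:19:4B:7C:01", "ip-reservation"),  # random MAC
    ("bob", "f2-9e-38-00-11-22", "port-forward"),      # random MAC only
    ("carol", "001a.2b3c.4d5f", "content-access"),     # device MAC only
]

if __name__ == "__main__":
    for owner, (status, at_risk) in sorted(audit_bindings(SAMPLE_BINDINGS).items()):
        print(f"{owner}: {status} {at_risk}")
```
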