3.5.1 Ensure 'Disable Association MAC Randomization' is 'Configured'

Information

This recommendation pertains to disabling MAC randomization as needed.

Rationale:

MAC randomization is a feature available from iOS 14 onward and is enabled by default. Although this feature enhances privacy for individuals by using a different random address for each Wi-Fi network, it can cause problems in some circumstances, such as with captive portals, MAC-based Access Control Lists, etc. In such cases, disabling this feature may be necessary. This is a per-network setting, meaning it can be turned off for specific networks only.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This remediation procedure cannot be accomplished with a checkbox; it needs to be applied on a per-network basis as appropriate.
From the Configuration Profile:

Open Apple Configurator.

Open the Configuration Profile.

In the left window pane, click on the Wi-Fi tab.

In the right window pane, select the relevant Wi-Fi configuration.

In the right window pane, check the checkbox for Disable Association MAC Randomization.

Deploy the Configuration Profile.

From the device:

Tap Settings.

Tap Wi-Fi.

Tap the relevant network.

Disable the option Private Address.
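Because this check is not performed automatically, an exported profile can be reviewed offline. The following is an added example, not part of the benchmark or of Nessus: it assumes an unsigned .mobileconfig plist and relies on Apple's Wi-Fi payload type `com.apple.wifi.managed` with its `SSID_STR` and `DisableAssociationMACRandomization` keys, none of which are named on this page. The sample profile and SSIDs are constructed.

```python
import plistlib

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"
MAC_KEY = "DisableAssociationMACRandomization"

# Constructed sample profile: two Wi-Fi payloads, only one of which
# disables association MAC randomization, plus an unrelated payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.wifi",
    "PayloadContent": [
        {"PayloadType": WIFI_PAYLOAD_TYPE, "SSID_STR": "Corp-Portal", MAC_KEY: True},
        {"PayloadType": WIFI_PAYLOAD_TYPE, "SSID_STR": "Corp-Guest"},
        {"PayloadType": "com.apple.applicationaccess"},
    ],
})


def wifi_mac_randomization_report(profile_bytes):
    """Map each Wi-Fi payload's SSID to True if randomization is disabled."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException as exc:
        # A CMS-signed profile is DER data, not a plist; unwrap it first.
        raise ValueError("not a plain plist (signed profile?)") from exc
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD_TYPE:
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        # A missing key means the default applies: randomization stays on.
        report[ssid] = payload.get(MAC_KEY) is True
    return report


def noncompliant_networks(profile_bytes, required_ssids):
    """Return required SSIDs that are absent or still randomize the MAC."""
    report = wifi_mac_randomization_report(profile_bytes)
    return [ssid for ssid in required_ssids if not report.get(ssid, False)]


if __name__ == "__main__":
    for ssid, disabled in wifi_mac_randomization_report(SAMPLE_PROFILE).items():
        print(f"{ssid}: randomization {'disabled' if disabled else 'enabled'}")
```

Pass `noncompliant_networks` only the SSIDs that actually need a stable MAC address, since the setting is meant to be applied per network rather than globally.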

See Also

https://workbench.cisecurity.org/benchmarks/15548