How to Control MAC Randomization on Samsung Devices
Android devices running the Android 10 operating system (Android Q) have a new feature that randomizes the MAC address for different Wi-Fi connections. This feature is enabled by default but can be deactivated for specific Wi-Fi networks.
MAC randomization prevents listeners from using MAC addresses to build a history of device activity, thus increasing user privacy.
You might come across customers who leverage the MAC address to connect to their corporate networks and with MAC randomization that might be an issue. On Samsung devices, IT administrators can configure a device to use “Phone MAC” instead, by leveraging the Knox Service Plugin (KSP).
This blog post walks through the high-level steps to control MAC randomization with KSP using VMware Workspace ONE® UEM. Two scenarios are covered, when KSP is managed as a public app and as an internal app.
Considerations
- Although Samsung supports controlling this feature on version 1.2.57, for more complex implementations of KSP, I recommend using version 1.2.63 and later.
- If you are leveraging Workspace ONE UEM to configure Wi-Fi on the devices, make sure you test that the KSP configuration does not conflict with those settings.
Control MAC Randomization when KSP is managed as a public app
- Add the KSP app as a public application in the Workspace ONE UEM console.
- Click Configure to launch the app config options.
- Enable device policy controls.
-
Scroll down to the Device Controls section and click Wi-Fi Policy.
-
Enable Wi-Fi Policy Controls and Allow to configure Wi-Fi (Configure details below). You can leave the other configurations as defaults.
-
Click Add.
-
Scroll down to Wi-Fi Configurations and click Configure.
-
Provide the Wi-Fi Network Name, Security Type, and Enable Skip MAC Randomization. You can leave the Password text box blank if the Wi-Fi configuration is managed by Workspace ONE UEM.
Control MAC Randomization when KSP is managed as an internal app
- Add the KSP application as an internal app in the Workspace ONE UEM console.
- Create a new Android profile.
- Under the custom settings payload add the following XML (if you have other configurations, add this XML to the corresponding sections).
<characteristic type="com.airwatch.android.androidwork.app:com.samsung.android.knox.kpu" uuid="8aac143a-03b6-4bb7-a94d-079f5a8b6173"> <parm name="profileName" value="KSP Profile" type="string" /> <parm name="verboseMode" value="false" type="boolean"/> <parm name="schemaVersion" value="18.0.0" type="hidden"/> <parm name="doPolicies" type="bundle"> <bundle> <parm name="doPoliciesIsControlled" value="true" type="boolean" /> <parm name="doDevControls" type="bundle"> <bundle> <parm name="doDevControlsWifi" type="bundle" > <bundle> <parm name="doDevControlsWifiIsControlled" value="true" type="boolean" /> <parm name="doDevControlWifiConfiguration" value="true" type="boolean" /> </bundle> </parm> </bundle> </parm> </bundle> </parm> <parm name="profileDevControlsWifiConfigs" type="bundle_array" > <bundle_array> <parm name="profileDevControlsWifiConfig" type="bundle" > <bundle> <parm name="profileDevControlsWifiConfigNetworkName" value="{NetworkName}" type="string" /> <parm name="profileDevControlsWifiConfigSecurityType" value="{SecurityType}" type="string" /> <parm name="profileDevControlsWifiConfigSkipRandomization" value="true" type="boolean" /> <parm name="profileDevControlsWifiConfigPassword" value="" type="string" /> </bundle> </parm> </bundle_array> </parm> </characteristic> - Save and Publish the profile.
Check out more resources in Understanding Android Enterprise Activity Path on Digital Workspace Tech Zone. This activity path contains curated assets to help you level up your knowledge in the arena of Android Management.