MAC address randomization – why it causes problems and how to turn it off

In this topic, you will learn why MAC address randomization causes issues in Portnox Cloud™ and how to turn it off manually.

MAC address randomization can cause unexpected license overuse in Portnox Cloud. When a device uses randomized MAC addresses, Portnox Cloud treats each address as a separate device, even though they belong to the same endpoint.

Symptoms

A sudden increase in the number of devices shown in Portnox Cloud.
Multiple devices appear under a single user account, even though the user has only one device.
Licensing overage alerts.

Confirmation

To check whether a MAC address is randomized or fixed, look at the second character of the MAC address. This character indicates whether the address is locally or universally administered.

If the second character is 2, 6, A, or E, the MAC address is likely locally administered (randomized). For example: 92:B1:B8:42:D1:85.
If the second character is different from 2, 6, A, or E, the MAC address is likely universally administered (factory-assigned).

References: Wikipedia: MAC address, Mist: Get to know MAC Address Randomization.

Root cause

Portnox Cloud uses the MAC address as a unique identifier for each endpoint. When a device randomizes its MAC address for each connection, Portnox Cloud sees every new MAC address as a new device. This behavior leads to:

Multiple records for the same physical device.
Exceeded licensing limits.
Difficulty tracking devices and managing endpoint history.

Resolution

Turn off MAC address randomization on client devices.

Windows 10/11:

Go to Settings > Network & Internet > Wi-Fi.
Select Manage known networks.
Select your corporate or Portnox SSID.
Set Random hardware addresses to Off.

For more information, see this Microsoft Support article.

macOS:

Open Apple menu > System Settings, then select Wi-Fi from the sidebar.
Select the Details or More Info button next to the network.
Set Private Wi-Fi Address to Off.

For more information, see this Apple support article.

UEM/MDM/GPO:

Windows does not provide a built-in policy to disable MAC randomization, but scripts can achieve this. For examples, see: Spiceworks: Disable Random Hardware Address Option in Windows 10, Microsoft Learn: How to disable Wi-Fi random hardware addresses using GPO.
For macOS, see this Apple support article.

Note:

Portnox onboarding guides for UEM and MDM deployments already include steps to disable MAC address randomization where the platform allows it.