Disable WiFi MAC Randomization on Samsung with Intune

Why disable MAC Randomization?

In some scenarios, setting static IP addresses for mobile devices is a requirement (such as EPOS, kiosks, meeting room self-service tablets, etc.). Most modern mobile devices ship with MAC randomization enabled by default, and that is certainly the case for Samsung tablets.

This was introduced back in Android 8.0 for probing for new networks; however, starting in Android 10 it was enabled by default for client mode connections as well, as mentioned in the Android documentation.

MAC randomization prevents listeners from using MAC addresses to build a history of device activity, thus increasing user privacy.

-Samsung Documentation

What is the solution?

The solution is to use the Knox Service Plugin from Samsung, coupled with an Intune OEMConfig profile. By using both of these elements you can control various aspects of the device configuration; however, we are only going to cover MAC randomization.

My colleague and I have seen issues with this when using certificate authentication for your Wi-Fi. That is not to say it will not work, but you will have to configure the Knox Service Plugin to connect to your network with a certificate. For this post I will be focusing on the core configuration and a WPA2 network.

Pre-requisites

To have the ability to disable MAC randomization on Samsung devices with Intune you will need the following:

  • Samsung Knox Platform for Enterprise Commercial Key
  • Samsung Knox Service Plugin Managed Google Play App
  • Intune Licenses
  • Intune Administrator Role (Custom RBAC Roles are not in scope)

If you do not have a Samsung Knox license or account, take a look at my Getting Started with Samsung Knox for Enterprise post.


Import the Samsung Knox Service Plugin App

  1. Browse to Microsoft Endpoint Manager
  2. Select Apps from the left-hand pane, then select Android
  3. Select Managed Google Play app from the App type list, then press Select
  4. Search Knox Service Plugin, select the app shown below
Knox Service Plugin MGP
  5. Select Approve, read the permission page, and if you are happy click Approve
  6. Select Keep approved when app requests new permissions, then click Done
  7. Click Sync

Allow up to 15 minutes for the application to appear. If it does not appear, go back to the Managed Google Play store and click Sync again.

Once the application has synced, assign it to your devices.


Obtain the commercial key for Knox

  1. Login to Samsung Knox
  2. Hover over Knox Platform for Enterprise, then click See License
  3. Select the Commercial Keys, locate the Knox Platform for Enterprise: Premium Edition key
  4. Copy the contents of the License Number field.

Creating the OEM Config Profile

  1. Browse to Microsoft Endpoint Manager
  2. Select Devices from the left-hand pane, then select Android
  3. Select Configuration Profiles
  4. Click Create Profile
    • Platform: Android Enterprise
    • Profile Type: OEMConfig
  5. Click Create
  6. Enter a Name and Description
  7. Click Select an OEMConfig app
  8. Select Knox Service Plugin, then click Select
  9. Configure the following settings:
    • Profile name: <suitable name for your organization>
    • KPE Premium or Knox Suite License key: The commercial key you obtained in the previous section
    • Debug Mode: I would only change this to true during testing; do not enable it on production devices that have the KSP installed.
  10. Locate Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted), then click Configure
  11. Select true on the Enable device policy controls slider
  12. Locate Device customization controls (Premium), then click Configure
  13. Select true on the Enable device customization slider
  14. In the left-pane select Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
  15. Locate Device Controls, then click Configure
  16. Locate Wi-Fi Policy, then click Configure and set the following settings
    • Enable Wi-Fi policy controls: true
    • Allow Automatic Wi-Fi Connection to saved SSIDs: true
    • Allow Wi-Fi State Change: true
    • Allow to configure Wi-Fi (Configure details below): true
  17. In the left-pane select Knox Service Plugin
  18. Locate Wi-Fi Configuration, then click Configure
  19. In the left-hand pane click the ellipsis (…) next to Wi-Fi Configurations, then click Add Setting
  20. Enter your network details, then change the Skip Mac randomization slider to true

Note: your wireless credentials can be seen in plain text when using a PSK.

  21. The policy is now in a state to disable MAC randomization; complete the policy creation and add any scope tags and assignments on the next pages.

Testing

Now that the policy is created, if you have not already done so, assign it to a group that contains test devices. If you want visibility that the settings have applied properly, change the Debug mode setting to true within your OEMConfig policy.

You will also need to assign the Knox Service plugin to the same group as the OEMConfig Profile.

You can only assign one KSP profile to a device at any given time.

Once you deploy the application and configuration to the device, you will be prompted to agree to the licence terms first; without doing so the Knox Service Plugin will not function.

After you have agreed to the licence terms, launch the Knox Service Plugin app. Tap the Configuration on … section; here you will see the configuration applied to your device. If you tap Configuration results in the top left-hand corner and then select Policies received, you will see the JSON representation of the policy you have defined.

As mentioned previously, you will see your PSK in plain text, as shown below.

KSP PSK in Clear Text

You will now be able to see, on the network side, that this device is connecting with the correct (factory) MAC address.
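One way to do that network-side check, added here as an example that is not part of the original post: Android's randomized Wi-Fi MACs are locally administered unicast addresses (U/L bit of the first octet set), while the factory burned-in address has that bit clear, so DHCP server logs are enough to spot devices on which the policy has not taken effect. The log lines and hostnames below are constructed, and the ISC dhcpd syslog format is an assumption.

```python
from __future__ import annotations
import re

# Constructed sample lines in ISC dhcpd syslog style (not from a real network).
SAMPLE_DHCP_LOG = """\
Mar 10 09:12:01 dhcpd: DHCPACK on 10.20.30.41 to 3a:1f:9c:44:21:08 (tablet-meeting-01) via eth0
Mar 10 09:12:07 dhcpd: DHCPACK on 10.20.30.42 to 8c:f5:a3:12:34:56 (tablet-meeting-02) via eth0
Mar 10 09:12:15 dhcpd: DHCPACK on 10.20.30.43 to 01:00:5e:00:00:fb (bogus-multicast) via eth0
Mar 10 09:12:20 dhcpd: DHCPREQUEST for 10.20.30.44 from de:ad:be:ef:00:01 (tablet-meeting-03) via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \(([^)]+)\)")


def classify_mac(mac: str) -> str:
    """Classify a MAC by the I/G (0x01) and U/L (0x02) bits of its first octet."""
    first = int(mac.split(":")[0], 16)
    if first & 0x01:
        return "multicast"             # I/G bit set: never a valid station address
    if first & 0x02:
        return "locally-administered"  # what Android's randomized MACs look like
    return "burned-in"                 # OUI-assigned; expected once randomization is skipped


def audit_dhcp_acks(log_text: str) -> list[dict]:
    """One record per DHCPACK line, with the MAC classification attached."""
    records = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # ignore DHCPREQUEST/DISCOVER and unrelated lines
        ip, mac, host = m.groups()
        records.append({"ip": ip, "mac": mac.lower(), "host": host,
                        "mac_type": classify_mac(mac)})
    return records


def still_randomizing(log_text: str, expected_hosts: set[str]) -> list[str]:
    """Hostnames from expected_hosts that are still using a locally administered MAC."""
    return sorted(r["host"] for r in audit_dhcp_acks(log_text)
                  if r["host"] in expected_hosts and r["mac_type"] == "locally-administered")


if __name__ == "__main__":
    for r in audit_dhcp_acks(SAMPLE_DHCP_LOG):
        print(f"{r['host']:20} {r['mac']}  {r['mac_type']}")
    print("still randomizing:",
          still_randomizing(SAMPLE_DHCP_LOG, {"tablet-meeting-01", "tablet-meeting-02"}))
```

A locally administered address is consistent with randomization rather than proof of it (an administrator can also assign one), so treat a hit as a device to inspect in the KSP app, not as a final verdict.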

Please do not forget to change Debug mode back to false before a production rollout.

Conclusion

There are many, many things you can do with the Knox Service Plugin, and I have been told by a Samsung support rep that this can work with a certificate-based network. However, I do not have the means to test it, so it is not included in this guide. Should I have a requirement for it in the future, you can bet your last dollar I will blog about it :).
