Adjust private Wi-Fi settings on Mac
Private Wi-Fi helps reduce the tracking of Mac by Wi-Fi network operators and can be a useful security setting if users travel or work remotely. When users report connectivity issues, private Wi-Fi settings may be the cause.
Overview
When users can’t connect to Wi-Fi networks or lose access to network resources, private Wi-Fi addresses might be interfering with network systems that rely on device identification. Understanding how private Wi-Fi works helps you determine when to adjust these settings or escalate to network administrators.
Private Wi-Fi and its uses
By default, Mac improves privacy by using a different MAC address for each Wi-Fi network. This unique MAC address is the Mac’s private Wi-Fi address, which it uses for only that network. If you erase all content and settings or reset network settings on Mac, it uses a different private address the next time it joins the network.
The feature operates in three settings:
Off: When set to Off, Mac uses its hardware MAC address.
Fixed: When set to Fixed, Mac uses a private address, but the private address doesn’t rotate, regardless of the network’s security or length of time since the user last joined the network. Mac chooses Fixed by default when joining a new network that uses WPA2 or stronger security.
Rotating: When set to Rotating, Mac uses a private address that rotates to a different private address every two weeks. Mac chooses Rotating by default when joining a new network that uses weak security or no security.
For secure networks like WPA2 or WPA3, Mac defaults to Fixed. For networks with weak or no security, Mac defaults to Rotating to provide maximum privacy protection.
Private Wi-Fi addresses and device management
The Private Address setting introduced in macOS 15 is turned on by default. Organizations might need to take either of these actions:
Update Wi-Fi network security or management settings to work with private addresses.
Or use Wi-Fi device management settings to turn off a device’s Private Address setting for their Wi-Fi network.
Change private Wi-Fi settings
Have the user complete the following task:
On the Mac, choose Apple menu > System Settings, then click Wi-Fi in the sidebar.
Click the Details button.
Note: To use a private Wi-Fi address for a network other than the one the device is currently connected to, click next to the name of that network.
Click the “Private Wi-Fi Address” pop-up menu, then choose an option among Off, Fixed, or Rotating.
Click OK.
Connecting to a previously known network
When a device connects to a network that it remembers connecting to before upgrading to macOS 15:
It tries to connect using the private address.
If it can’t connect because the organization’s Wi-Fi network doesn’t allow a device to join using a private address, it immediately tries to connect using its hardware MAC address.
During this time, and until the device successfully connects using the private address:
The Private Address setting remains off for that network in Settings.
The device continues to try to connect using the private address when rejoining the network. If it fails, it continues to use the hardware MAC address.
After the device successfully connects using a private address, that MAC address is used for future connections to that Wi-Fi network. Exceptions:
If the device forgets the network, then it will also forget the private address used with that network unless it has been less than 24 hours since the network was last forgotten.
If Private Wi-Fi Address is set to Rotating, the device uses a private address that rotates to a different private address every 2 weeks.
Connecting to a new network
In most cases, Apple devices use only the private address to join new Wi-Fi networks. If a device has a device management configuration with the Private Address setting turned off, it uses the hardware MAC address to join. If a device connects to a Wi-Fi network during Setup Assistant, it first uses the hardware MAC address to join and then treats that network as a previously known network.
When a private Wi-Fi address is used, the device will use a generic hostname in DHCP (Dynamic Host Configuration Protocol) requests.