MAC ID to User ID: The New Identity Currency for Enterprises

Advocating for enterprises to be in control of their wireless onboarding, identity & access management
 
MAC Randomization & the changing user onboarding landscape

The growing adoption of MAC randomization by Apple, Android and other device OEM’s is setting in motion some changes that will reshape how enterprises manage Wi-Fi network access & onboarding.

MAC randomization is not new. It has existed in some or the other form in most operating systems. Up until 2019, a device’s MAC address was only randomized during the probing phase. As soon as the device was connected to the network, the unique MAC address was made available to the network provider.

But growing concerns around user privacy made Android enhance this feature in their Android 10 update, where MAC addresses were randomized not only during the probing phase but also after association. While this was a major development, it didn’t cause as big a stir as the launch of iOS 14 – primarily because Apple created quite an industry scare in its first few beta releases of iOS 14. Even though the final release has less aggressive randomization behavior than betas, one thing is clear – the wheels of change are turning.

These recent developments were implemented with a view to put tighter controls around user privacy but they’re also expected to impact several Wi-Fi features and services across various products. Considering that MAC addresses have been reliable identifiers by enterprises and have been used for multiple networking operations – from authentication and provisioning to granular management and control – these changes are likely to cause a disruption in the wireless and networking industry.

What does this mean for the enterprise?

In short, the ability to uniquely identify an endpoint device on your network has become increasingly difficult and will overtime become nearly impossible. This should not be a surprise as it was in fact, a long time coming. Over the last two decades, handset OEM’s (Mac randomization/device identity control) and SPs (5G/service control) have exerted control over the users from both ends. For these players, it’s all about who owns the user and in this tug of war, the enterprise is the biggest loser.

The big news for enterprises here is that if you do not take action at this moment in time, then you may lose complete control over the experience for your buildings, people & assets.

In a world where your websites and mobile apps are becoming smarter by the day, it is critical for enterprises to own their wireless onboarding. It is the gateway for identity management, connectivity, loyalty based differentiated experiences and analytics for employees, visitors and IoT devices.

In 2021, your buildings and campuses deserve to be as smart as your website and apps and for this to materialize, wireless onboarding and identity is a critical control point for the enterprise.

Cisco wireless, through our investment in multiple technologies and solutions such as Cisco DNA Spaces & Cisco ISE is ready to provide enterprise with a framework that they truly deserve putting enterprise identity, security and privacy at the forefront.

So what’s the extent of impact?

Since enterprises and MDM solutions rely on MAC addresses to uniquely identify identity and manage network control, MAC randomization can present many unexpected challenges and disruption of Wi-Fi services such as onboarding, analytics, troubleshooting and performance of MAC based apps. It is also expected to increase the load on the network and cause some anomalies.

How Can Cisco help you respond?
Next Gen Onboarding from Cisco:
Move from Mac ID to an enterprise controlled user ID.

Cisco has invented, standardized and adopted several solutions that we now bring to you under the umbrella called Next Gen Onboarding Experiences. Next Gen Onboarding is about advocating for enterprises to be in control of their onboarding, identity & access management. Our approach is simple : Wi-Fi onboarding designed with enterprise identity that is seamless, smart and monetizable depending on your type of business.

We understand that your onboarding goals will vary based on the kind of people, devices and buildings that you operate. And hence, within Next Gen Onboarding, you will find several paths that will help you meet your goals and also move from Mac ID to an enterprise controlled user ID based on your goals.

Broadly our solutions are categorized under

1. Next Gen Onboarding for Visitors: If you are in a business vertical that requires onboarding of customers, guests, students or visitors, then Cisco DNA Spaces offers a full suite of solutions such as OpenRoaming, Mobile App SDK, Smart Captive Portals and Service Provider Offload.

These solutions allow you to move to an enterprise user ID also driving the following business outcomes:

  • Seamless Onboarding & User Insights: improve the customer onboarding experience with a seamless and secure Wi-Fi connection and improve Wi-Fi attach rates for better customer insights
  • Customer Acquisition and Loyalty Experience: create a differentiated experience for loyalty customers via seamless onboarding, and contextual & location based targeted engagement
  • Enhance carrier indoor coverage: ensure reliable indoor connectivity for a better customer experience via automatic handoff between cellular and Wi-Fi, with a cost-effective solution instead of expensive DAS deployments
  • Wi-Fi monetization: provide avenues to monetize Wi-Fi and turn enterprise wireless investment into a revenue source

2. Next Gen Onboarding for employees & enterprise guests: If you are in the need for onboarding employees & enterprise guests into the enterprise wireless network, Cisco has a combined offering through Cisco ISE & Cisco DNA Spaces that delivers simplified and secure enterprise onboarding across

  • Onboard employees with Cisco ISE – ISE uses MAC address as THE identifier in the network. To deal with randomized MAC addresses, ISE will use a unique identifier, a GUID, within its database and map it to various other identifiers, including the MAC address, that it learns about the endpoint including from other products. Onboarding employees using a secured and scalable model with the capability to pass a unique device identity to down stream applications
  • Onboard enterprise guests with Cisco ISE & Cisco DNA Spaces – multiple options to onboard enterprise guests: 1) ISE guest portal 2) DNA Spaces captive portal 3) DNA Spaces SDK to integrate with your enterprise apps
  • Onboard corporate assets with DNA Spaces – A robust and simple way to onboard corporate asset tags using DNA Spaces IoT Services that allocates a unique ID for each asset onboarded

 

ISE currently works with Microsoft’s SCCM product to uniquely identify endpoints based on a different attribute within the certificate used for authentication like the hostname and maps it to the MAC address it currently sees. This enables ISE and SCCM to exchange compliance information of any Windows endpoint in the network. The same principle is being extended across ISE’s different MDM/UEM integrations to share compliance info across all OSs.

The ability to assign and track a device using a GUID that flexibly adjusts to the unique device ID learned from other systems and sharing it through pxGrid ensures that all products in ISE’s ecosystem will be able to identify the endpoint. While this is evolving, Cisco is taking the lead to ensure that different vendors are aligned with a common approach to identify unique devices despite MAC randomization and continue to provide value and reduce disruption for our customers.

Why you should trust Cisco?

Cisco has a long history of pioneering innovations in Wi-Fi onboarding. From Hotspot 2.0 to smart captive portal toolkits to App SDK for loyalty and OpenRoaming for seamless access, Cisco has invented many of these technologies and worked with ecosystem partners to standardize and adopt them into industry standards.

Our scale in Wi-Fi onboarding is unmatched globally. One of every two enterprise Access Point in the world is from Cisco wireless. Cisco DNA Spaces is the largest indoor location services cloud platform in the world with over 5.4 billion visits and 1.2 billion devices processed across 4.5 Billion enterprise sq. feet of business locations. Cisco Identity Service Engine (ISE) is the market leader and owns $282 million† (49%) of the NAC market († According to Gartner) with 41000 customers globally, and has a vast partner ecosystem of 150+ technology partners.

Future Outlook

At Cisco, we believe that user privacy is a fundamental human right. Cisco DNA Spaces has always supported privacy mechanisms of platforms like Microsoft, Android and iOS. We have implemented mechanisms to limit the use of MAC address in the platform and limit sharing with partner apps. We believe OpenRoaming provides a privacy safe path forward and is available now as a part of Cisco DNA Spaces. Cisco ISE does zero-trust security for the workplace through secure employee & enterprise guests onboarding. We are committed to keeping your enterprise secure and adopt industry best practices. Our next gen onboarding suite covers the most extensive set of solutions that will manage your transition from Mac ID to an enterprise controlled user ID and also making the Wi-Fi onboarding seamless, smarter and monetizable.