Disallow private MAC addresses.

These days, iOS devices use a private MAC address (aka “Private WiFi Address”) on WiFi by default. In fact, if you turn off this feature, iOS will swear at you, giving a big scary “Privacy warning” about your behavior in using a real MAC address.

From an admin perspective, I’m finding this a big pain. I get devices with random MAC addresses connecting to the network, and I’ve no idea if it’s one of my devices, or if it’s a malicious device which has managed to find the WiFi password. What makes that worse is iCloud: I have passwords saved to iCloud, so if I connect to a network on one device, all my other devices suddenly know how to do that as well. They’re quite happy to connect to a network I never told them to.

On my devices, I’ve tried to turn off the feature, so I know which device is connecting, but the option to disable private MACs is a per-SSID option, and I have several SSIDs.

What would be really helpful is the ability to deny access to private MAC addresses. The router already knows which is a private MAC address; it shows up in the client list. (It seems a bit in the MAC address is used to say it’s private.) The AP has the ability to deny MAC addresses, but only on a one-by-one basis, not 140 million million of them.

I did come across a system which did this recently (the WiFi on a cruise ship). From a UI perspective, this made things difficult for the end user, but I’m prepared to live with this to make my admining easier.

4 Likes
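Added example, not part of the original post and not any router's own code: the bit the post refers to is the locally administered (U/L) bit, 0x02 in the first octet of the MAC address, so one mask test covers every private address. The sketch below audits a client list against an inventory of known devices; all device names and MAC addresses are constructed sample data.

```python
import re

LOCAL_BIT = 0x02      # U/L bit: set means locally administered
MULTICAST_BIT = 0x01  # I/G bit: set means group address, not a client

# Fixing the U/L bit leaves 2**47 addresses (about 140 million million),
# which is why this has to be a mask test and not a deny list.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")

def parse_mac(text):
    """Return the MAC as 6 bytes; accepts ':' or '-' separators or bare hex."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def is_locally_administered(mac):
    """True for unicast MACs whose second hex digit is 2, 6, A or E."""
    first = parse_mac(mac)[0]
    return bool(first & LOCAL_BIT) and not first & MULTICAST_BIT

def audit_clients(clients, known_macs):
    """Sort (name, mac) pairs into known / randomized / unknown_fixed."""
    known = {parse_mac(m) for m in known_macs}
    report = {"known": [], "randomized": [], "unknown_fixed": []}
    for name, mac in clients:
        if parse_mac(mac) in known:
            report["known"].append(name)
        elif is_locally_administered(mac):
            report["randomized"].append(name)   # cannot be tied to a device
        else:
            report["unknown_fixed"].append(name)
    return report

# Constructed sample data (hypothetical inventory and client list).
KNOWN = ["3c:22:fb:10:20:30"]
CLIENTS = [
    ("laptop", "3C:22:FB:10:20:30"),
    ("phone-1", "a6:5e:60:11:22:33"),
    ("tablet", "DA-A1-19-00-00-01"),
    ("printer", "00:1A:2B:3C:4D:5E"),
]

if __name__ == "__main__":
    for bucket, names in audit_clients(CLIENTS, KNOWN).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The U/L bit marks any locally administered address, so it also matches some virtual-interface MACs, not only phone privacy addresses.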