[anishathalye]

This is known behavior: according to the iOS 10 Security white paper [1], "iOS uses randomized Media Access Control (MAC) address when conducting Wi-Fi scans while it isn't associated with a Wi-Fi network... Note that Wi-Fi scans which happen while trying to connect to a preferred Wi-Fi Network aren't randomized".

I haven't put much thought into it, but I wonder why they don't randomize all probe requests...

[1]: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

[agf]

I would assume because MAC-based whitelisting is a commonly used WiFi access control mechanism?

[eridius]

Also possibly because, if it is associated with a wifi network, then it's already sending packets with its MAC address, so there's not much point in randomizing some of the packets.

[developer2]

In addition to those who whitelist based on MAC address, some networks also assign "static IPs" via DHCP based on the MAC address.