Differentiating Apple products by their MAC addresses
Apple has registered a ton of MAC address ranges for its products. Does anyone know whether it's feasible to reliably identify which Apple product (particularly iPad, iPod, iPhone, and MacBooks) a particular device is in network traffic via specific MAC address prefixes? In other words, is there something about the MAC address of an iPad that is distinguishable from the MAC address of a MacBook, for instance?
Solution 1:
No, sorting or determining a pattern in the MAC address isn't a feasible way to map to the model of an Apple product.
Over years of watching MAC addresses on networks as well as the explosion of devices on the iOS end of things, if there were a nice pattern, it would start showing in deployments with hundreds of devices.
For example, I have one Mac that has data on about 1,000 iOS devices that have been connected over time to that Mac while iPhone Configuration Utility was running. Looking at the data now, there are no clear patterns to help differentiate between the device types.
This also applies to Macs. Sadly, my data here is in the hundreds and not thousands presently. Yes - a string of MacBooks when ordered together will usually have sequential addresses (more so than sequential serial numbers in fact) - but over time, the iMacs seem mixed in with the Airs and the MacBook Pro.
It could be that there is some encoding present and no one has stumbled across which bits are coded with model numbers, but a simple sort of the MAC addresses has the devices all jumbled up. Perhaps you can find someone who runs the mobile device management software for a very large company or school district and see if they are curious enough to check whether a larger data set would yield some better results for you.
I haven't seen a case where a Mac and an iOS device share the same smaller block of MAC addresses, but I can't even rule that out for you based on my experience running networks that log MAC address and are in a position to know what hardware is associated with which MAC address over the years.
My guess is the addresses are issued sequentially rather than by final destination. It would make sense to dole out parts of each region to factories that are expected to make 5 or 10 thousand devices in the next month and only issue more once the existing addresses are consumed. If so, we might have better luck trying to bin the numbers by approximate manufacturing date rather than by where it ends up in a shipping product. Also consider on the Mac end, repairs often give a new MAC address to portables and even desktop Macs when the Ethernet controller is replaced.
Solution 2:
Replying two years after the question was asked: it is not feasible relying only on the MAC address.
Since you mention monitoring the network traffic, the best approach would be to listen to Bonjour traffic (multicast DNS).
By default, machines are called 'jannies-iphone.local', 'gregs-macbook.local', 'peters-imac.local'...
Bonjour is pretty talkative and generates noise for AFP, SMB, VNC, RAOP, DAAP and other services/protocols. I would suggest you use "Bonjour Browser" and then script something with Tshark (Wireshark command line) to automate the process.
Without remote scans, you can manage your devices by:
Running an agent (or profile) on each OS X and iOS device to fetch 'sysctl hw.model' or its serial number. 'Mac Tracker' can help you to see the different models of Mac and their spec and serial number pattern.
Using Profile Manager, Configurator or any MDM solutions. (But this does not address your question).
Find iOS and OS X running on the network:
Also, you could use a network tool such as nmap with the option -A, -O, or -sV (active fingerprinting and service version) and filter Apple MAC address prefixes using a network analyzer.
Looking at the service version, port numbers [tcp 65xxx being an iphone-sync port, tcp 548 AFP (OS X)] will help you to determine the OS X version and hardware, but not precisely. (You will not be able to differentiate iPad, iPhone, and iPod, or Mac model.)
Solution 3:
If you are simply needing to identify whether it is a Macintosh product or not, you could try this MAC address lookup service. It allows you to type in the MAC address, and it will tell you what the vendor name is. It is not likely to be helpful in terms of identifying specific vendors for programmatic use; however, it has worked for me in regards to finding if the machine is an Apple product.
UPDATE:
Aside from utilizing an internal database it is not likely that you will be able to do what you are asking. If you did decide to set up an internal database it may be prudent to utilize the serial number or another unique ID available for each machine.
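The two passive checks suggested in Solutions 2 and 3 (vendor lookup by MAC prefix, device family from the default Bonjour hostname) can be combined for an asset inventory. The following is an added example, not code from any of the posts. It assumes observations have already been exported as "MAC, tab, mDNS name" records; the OUI set is an illustrative subset, and the hostname tokens, sample records and function names are assumptions made for the example.

```python
import re

# Illustrative subset of Apple-registered OUIs (assumption: in practice the
# full IEEE registry would be loaded from a local copy).
APPLE_OUIS = {"00:03:93", "00:0A:95", "00:17:F2"}

# Device-family tokens found in default Bonjour hostnames such as
# "gregs-macbook.local". Longer tokens come first so they win the match.
FAMILIES = ["macbook-pro", "macbook-air", "macbook", "imac",
            "iphone", "ipad", "ipod"]
HOST_RE = re.compile(
    r"(?:^|-)(" + "|".join(FAMILIES) + r")(?:-\d+)?\.local\.?$", re.I)

# Constructed sample: "source MAC<TAB>mDNS name" records, as a capture
# script might export them. None of these are real devices.
SAMPLE = """\
00:17:f2:aa:bb:01\tjannies-iphone.local
00:17:F2:AA:BB:02\tgregs-macbook.local
00:0a:95:aa:bb:03\tpeters-imac.local
00:03:93:aa:bb:04\tfileserver.local
02:11:22:33:44:55\tguests-ipad-2.local
"""

def mac_info(mac):
    """Return (normalised MAC, OUI, locally_administered)."""
    octets = mac.upper().replace("-", ":").split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-F]{2}", o) for o in octets):
        raise ValueError(f"bad MAC address: {mac!r}")
    # Bit 0x02 of the first octet marks a locally administered address,
    # which carries no vendor OUI at all.
    return ":".join(octets), ":".join(octets[:3]), bool(int(octets[0], 16) & 0x02)

def classify(mac, hostname):
    """Vendor comes from the OUI; device family only from the hostname."""
    norm, oui, local = mac_info(mac)
    vendor = "unknown" if local else ("Apple" if oui in APPLE_OUIS else "other")
    m = HOST_RE.search(hostname.strip())
    return {"mac": norm, "vendor": vendor, "family": m.group(1).lower() if m else None}

def inventory(text):
    """Parse tab-separated records and classify each one."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            mac, name = line.split("\t", 1)
            rows.append(classify(mac, name))
    return rows

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(row)
```

The fourth record shows the limit described in the answers: once a host has been renamed, the prefix still says "Apple" but nothing on the wire says which product it is. The last record has a locally administered address, so no vendor can be read from it even though the hostname still names the family.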