Starting with macOS 27, apps from the Mac App Store can no longer read the system’s ARP table - so every sandboxed network scanner, ours included, just lost the ability to show MAC addresses. This page explains who’s affected, who isn’t, why Apple did it, and all four ways around it.
With macOS 27, Apple began blocking sandboxed apps from reading the system’s ARP table - the small in-kernel list that maps IP addresses on your local network to MAC addresses. This isn’t a bug, and it isn’t something a scanner developer can code around inside the sandbox. It’s a deliberate platform change, and it’s permanent.
Quick refresher for anyone who doesn’t dream in hex: every device on your network has two addresses. The IP address is assigned by your router and changes whenever the DHCP lease rolls over. The MAC address is burned into the hardware and never changes. The ARP table is where your Mac keeps the mapping between the two, and reading it is how a network scanner can tell you “that’s your Sonos” instead of “that’s… a device.”
App Sandbox is mandatory for anything distributed through the Mac App Store. Put those two facts together and the consequence is simple: as of macOS 27, no App Store network scanner can look up MAC addresses. Not Fing, not LanScan, not our own IP Scanner. All of them. This is a platform rule, not a quality difference between apps.
MAC addresses do two jobs in a network scanner, and both just broke for sandboxed apps.
First, the manufacturer lookup. The first half of a MAC address identifies the vendor - that’s how a scanner labels something “Sonos,” “HomePod,” or “Samsung TV” without you telling it anything. No MAC, no vendor name. Everything is suddenly just an IP address and a shrug.
Second, and this is the one that actually hurts: persistence. Because a MAC address never changes, it’s the anchor that your notes, custom names, and icons stick to. IP addresses rotate. If your scanner can only see IPs, then the printer you carefully labeled “Kitchen HP” in June may show up as a different address in July, and your annotation is now pointing at the wrong device - or at nothing. Losing MAC lookup doesn’t just remove a column of data; it slowly turns a carefully curated network map into a wall of shifting unknowns.
If you updated to macOS 27 and your scanner “broke,” this is what happened. The app didn’t get worse. The floor moved.
arp -a works exactly as it always has. Terminal isn’t sandboxed.One more thing worth being precise about, because it’s the first idea every developer has: a sandboxed app cannot cheat by quietly running arp as a child process. Child processes inherit the parent’s sandbox. The command launches, and returns nothing useful. Believe us, we checked.
It’s a privacy move, and - as much as it pains us to say while it breaks a feature we’ve shipped since 2002 - it’s a legitimate one.
A MAC address is a globally unique, permanent hardware identifier. That’s exactly what makes it useful to a network scanner, and exactly what makes it valuable to advertisers, data brokers, and anyone else building persistent device fingerprints. An app that can read the ARP table can enumerate the hardware identity of every device in your home, forever, across networks and IP changes. Apple decided that sandboxed apps - the ones making the fewest promises about what they do - shouldn’t have that capability by default.
You don’t have to like the collateral damage (we don’t) to acknowledge the reasoning is sound. iOS made the same call back in iOS 7, which is why no iPhone network scanner has ever shown you a MAC address. macOS 27 simply brings the Mac in line with the rest of Apple’s platforms. In hindsight, the surprise isn’t that it happened - it’s that it took this long. (For the technical details of what the sandbox restricts, see Apple’s App Sandbox documentation.)
There are four real ways to get MAC addresses back on macOS 27. Here they all are, including the ones that don’t involve us.
arp -a still works, it’s free, and it’s already on your Mac. The trade-off: it’s raw text. No manufacturer names, no history, no persistence, no notes - just IPs and MACs for devices your Mac has recently talked to. Fine for a one-off check; not a tool you’d want to live in.
Any scanner distributed outside the App Store keeps full ARP access - open-source Angry IP Scanner is the best-known example. The trade-off: you’re outside the App Store’s sandboxing and automatic updates, and depending on the tool, the feature set and UX may be more utilitarian than a commercial scanner. But it genuinely works, and for some people it’s the right answer.
Run a Linux guest (or an older macOS) in bridge mode and scan from inside it. A user in our Reddit thread said this is exactly what they planned to do, and honestly - it works. It is also a multi-gigabyte hypervisor deployed to read a table your Mac already has in memory. We admire the spite. We don’t recommend it as a lifestyle.
IP Broadcaster is a free, tiny menu-bar app we distribute directly from this site - which means it isn’t sandboxed, which means it retains full ARP access on macOS 27. It snapshots the MAC address table and shares it automatically with IP Scanner and IP Scanner Ultra - over the local network and via iCloud, tagged per Wi-Fi network. That includes the iOS and visionOS versions, which have never had native MAC access. It launches at login and sits quietly in the menu bar.
The honest limitations: it only helps on networks where you can actually run it - it can’t rescue you on a coffee-shop network - and because DHCP leases rotate, its snapshot goes stale if it’s not kept running. It’s built to be left on in the background at home or the office, and that’s where it shines.
Pick whichever fits. If you just need one MAC address once, use Terminal. If you live in a different scanner, use that. If you use IP Scanner, IP Broadcaster puts things back the way they were - plus, for the first time, on your iPhone.
Nothing changed on iOS - and that’s the interesting part. iOS has blocked ARP access since iOS 7, so iPhone scanners have spent a decade labeling devices with whatever they could infer without MACs. macOS 27 didn’t export a Mac problem to iOS; it imported iOS’s rules to the Mac.
There’s one genuinely new wrinkle, though, and it runs in the happy direction: because IP Broadcaster shares its MAC snapshot via iCloud and the local network, IP Scanner on iOS and visionOS can now display MAC addresses and manufacturer names - something no on-device iOS scanner has ever been able to do. A Mac in the corner running a free menu-bar app quietly becomes the eyes for every other device you own.
macOS 27 blocks sandboxed apps from reading the ARP table. Every App Store network scanner is affected; Terminal and direct-download apps are not. Apple’s reasons are real, the damage to power users is also real, and there are four workable fixes - one built into your Mac, two from other people, and one free one from us. We’ve been building network scanners since 2002, and our advice is the same as always: use the tool that fits, and label your devices while you still can.
macOS 27 blocks sandboxed apps — which includes every app from the Mac App Store — from reading the system’s ARP table, which maps IP addresses to MAC addresses. Without MAC addresses, scanners can’t identify device manufacturers or keep labels attached to devices, so previously identified devices appear as unknown.
Yes. Terminal is not sandboxed, so arp -a works exactly as before on macOS 27. The restriction only applies to sandboxed apps, such as those distributed through the Mac App Store.
No. Angry IP Scanner is distributed outside the Mac App Store and is not sandboxed, so it can still read the ARP table and display MAC addresses on macOS 27. The restriction applies only to sandboxed apps.
Four ways: run arp -a in Terminal; use a non-sandboxed scanner distributed outside the App Store (such as Angry IP Scanner); scan from a virtual machine in bridge mode; or run a free non-sandboxed helper like IP Broadcaster, which shares MAC data with sandboxed scanners like IP Scanner.
All of them. App Sandbox is mandatory for Mac App Store distribution, and the sandbox is what macOS 27 restricts — so Fing, LanScan, IP Scanner, and every other App Store scanner loses MAC-address lookup equally. There is no entitlement an app can request to get it back.
No. When a sandboxed app launches a child process, the child inherits the same sandbox, so arp returns no usable data. There is no way for a sandboxed app to route around the restriction from inside the sandbox.
Yes. iOS has blocked apps from reading the ARP table since iOS 7, which is why no iPhone network scanner has ever shown MAC addresses. macOS 27 brings the Mac in line with iOS.
MAC addresses are permanent, globally unique hardware identifiers, which makes them a powerful device-tracking and fingerprinting vector for advertisers and data brokers. Apple removed sandboxed apps’ access to them as a privacy protection, consistent with the restriction iOS has had since iOS 7.
IP Broadcaster is a free menu-bar app for macOS, distributed directly from 10base-t.com rather than the App Store, so it is not sandboxed and retains ARP access on macOS 27. It shares your network’s MAC-address data with IP Scanner and IP Scanner Ultra over the local network and iCloud — including the iOS and visionOS versions, which never had native MAC access.
IP Broadcaster is a free menu-bar app that restores MAC-address and manufacturer info to IP Scanner and IP Scanner Ultra on macOS 27, iOS and visionOS.
Learn about IP Broadcaster