diff --git a/group_vars/all b/group_vars/all
index f6d7646..bfa09f4 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -51,7 +51,6 @@ mail:
 sync_on: trusted
 network:
- spoof_mac: True
 conn_check:
 interval: 0
 trusted_uuid:
diff --git a/playbook.yml b/playbook.yml
index aa293f8..942a13c 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -29,7 +29,6 @@
 - { role: unbound, tags: ['unbound'] }
 - { role: openresolv, tags: ['openresolv'] }
 - { role: networkmanager, tags: ['networkmanager'] }
- - { role: macchiato, tags: ['macchiato'] }
 - { role: ntp, tags: ['ntp'] }
 - { role: firejail, tags: ['firejail'] }
 - { role: tor, tags: ['tor'], when: "tor is defined" }
diff --git a/roles/macchiato/files/macchiato_default.sh b/roles/macchiato/files/macchiato_default.sh
deleted file mode 100644
index 6d531bd..0000000
--- a/roles/macchiato/files/macchiato_default.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-ouiList=(
- wired_laptop
- wireless_laptop
- wireless_usb
-)
diff --git a/roles/macchiato/handlers/main.yml b/roles/macchiato/handlers/main.yml
deleted file mode 100644
index 3c01d08..0000000
--- a/roles/macchiato/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- name: start macchiato
- service: name=macchiato.service state=started
- when: network.spoof_mac == True
diff --git a/roles/macchiato/tasks/main.yml b/roles/macchiato/tasks/main.yml
deleted file mode 100644
index 1ac2105..0000000
--- a/roles/macchiato/tasks/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Install macchiato
- aur: name=macchiato-git user={{ user.name }}
- tags:
- - aur
-
-- name: Configure interfaces for macchiato
- copy: src=macchiato_default.sh dest=/etc/macchiato.d/{{ item }}.sh
- with_items: "{{ ansible_interfaces }}"
-
-- name: Enable macchiato
- service: name=macchiato.service enabled=yes
- when: network.spoof_mac == True
- notify:
- - start macchiato
-
-- name: Disable and stop macchiato
- service: name=macchiato.service enabled=no state=stopped
- when: network.spoof_mac == False
diff --git a/roles/networkmanager/tasks/main.yml b/roles/networkmanager/tasks/main.yml
index 697c617..a868e06 100644
--- a/roles/networkmanager/tasks/main.yml
+++ b/roles/networkmanager/tasks/main.yml
@@ -15,6 +15,11 @@
 dest: /etc/NetworkManager/conf.d/20-connectivity.conf
 when: network.conn_check is defined
+- name: Push MAC address randomization config
+ template:
+ src: random_mac.conf.j2
+ dest: /etc/NetworkManager/conf.d/20-random_mac.conf
+
 - name: Enable and start NetworkManager
 service:
 name: NetworkManager.service
diff --git a/roles/networkmanager/templates/random_mac.conf.j2 b/roles/networkmanager/templates/random_mac.conf.j2
new file mode 100644
index 0000000..57298b5
--- /dev/null
+++ b/roles/networkmanager/templates/random_mac.conf.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+[device-mac-randomization]
+# Always use a random MAC when scanning wifi networks.
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+# Randomize MAC for every ethernet connection.
+ethernet.cloned-mac-address=random
+# Generate a random MAC for each wifi network and associate the two permanently.
+wifi.cloned-mac-address=stable
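Review bot: The new `Push MAC address randomization config` task has no `notify`, so a NetworkManager that is already running will likely keep its previous MAC behaviour until something restarts it; the `Enable and start NetworkManager` task that follows continues outside the hunk and presumably only ensures the service is started. Add a `notify:` pointing at a handler that restarts or reloads NetworkManager (no such handler is visible in this diff). The task also leaves ownership and permissions of the drop-in to defaults; pinning `owner: root`, `group: root` and `mode: "0644"` makes sure only root can change a file that controls this privacy setting. Hosts provisioned before this commit may still have macchiato installed and enabled, because the role's `Disable and stop macchiato` task is deleted along with it, so a one-off cleanup task is worth considering.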
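Review bot: `ethernet.cloned-mac-address=random` is now applied unconditionally, since the commit removes the `network.spoof_mac` switch, so every wired activation presents a new address and hosts that depend on DHCP reservations, 802.1X or MAC-based access control have no per-host opt-out. Consider keeping a variable and wrapping that line, for example `{% if network.spoof_mac | default(true) %}` … `{% endif %}`, or using `stable` for ethernet too. The values in `[connection-mac-randomization]` are defaults only, which deserves a comment such as `# Defaults only; a profile that sets cloned-mac-address itself keeps its own value.` The wifi comment could also say that `stable` keeps the same address on each network, so it limits correlation across networks but not recognition on a network the host has joined before.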