Re: another workaround to this
A better solution IMO is to use VLANs.
With unifi APs, the management IP address is always on the native (untagged) VLAN - and you can assign the wireless SSIDs to other (tagged) VLANs.
Therefore: put the management IP on a separate device management subnet that has no external Internet access - and no outbound access to any of your other networks, for that matter.
Then there's the question of what you do with the management software, which isn't currently implicated in phoning home. I'd suggest you stick that on the same untrusted device network and then you don't have to worry about it. If it's a Debian/Ubuntu box, you can give it access to an apt-cacher proxy so that it can download software updates when you choose, but nothing else.
Biting the hand that feeds IT
