You need to have WPA2 w/ AES only in your security profiles and Apple devices will work again.
I have a couple of sites with the "iPhone problem" and some other sites that have Apple products, but there is no problem, with the same hardware (wAP or wAP ac). The problem occurs randomly and presents itself as "there is a phone connection to the SSID, but there's no internet". You can sometimes see "disassoc sending station leaving" in the log. I use WPA2 only everywhere, and the DHCP lease is 24 hrs. Tried to disable RSTP, IGMP spoofing etc. Tried basically everything - the problem is still there. With cheap soap routers like D-Link/Asus there is no problem, so it's pretty hard to explain to a customer why MikroTik is better there. Asked Uldis at the Moscow MUM - he needs specific data to reproduce it in a lab environment to deal with this stuff, and I understand him, but the problem occurs randomly during the day and there's nothing in the log to report to support. And because of that one customer just asks for an HP OfficeConnect AP instead of MikroTik, which is sad.
Also there's an unresolved problem with Android TVs, which keep losing their lease and connectivity every 5 min.
If anyone wants to dig into my config, here it is:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX name=2.4-auto save-selected=yes skip-dfs-channels=yes tx-power=19
add band=5ghz-a/n/ac extension-channel=XXXX name=5-auto save-selected=yes skip-dfs-channels=yes tx-power=22
/caps-man datapath
add arp=enabled bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=no name=datapath-lan
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=WhiteHouse passphrase=12345678
/caps-man configuration
add channel=2.4-auto country=russia3 datapath=datapath-lan distance=indoors guard-interval=any hw-protection-mode=rts-cts hw-retries=15 keepalive-frames=enabled mode=\
ap multicast-helper=full name=WhiteHouse rx-chains=0,1,2 security=WhiteHouse ssid=WhiteHouse tx-chains=0,1,2
add channel=5-auto country=russia3 datapath=datapath-lan distance=indoors guard-interval=any hw-protection-mode=rts-cts hw-retries=15 keepalive-frames=enabled mode=ap \
multicast-helper=full name=WhiteHouse@5 rx-chains=0,1,2 security=WhiteHouse ssid=WhiteHouse@5 tx-chains=0,1,2
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set enabled=yes package-path=/usbflash upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan2
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,an,ac master-configuration=WhiteHouse@5 name-format=identity
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=WhiteHouse name-format=identity
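
As an added example (not part of the posts above and not MikroTik's own code): a small Python check that reads a CAPsMAN export like the one posted and reports any `/caps-man security` profile that is not WPA2 with AES-CCM only, the setting recommended in the first reply. The `legacy-mixed` profile in the sample is constructed for contrast, and the function names are this example's own.

```python
import shlex
# Constructed sample: first profile mirrors the export above; legacy-mixed is hypothetical.
SAMPLE_EXPORT = r"""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=WhiteHouse passphrase=12345678
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
    group-encryption=tkip name=legacy-mixed passphrase=example-only
/caps-man configuration
add name=WhiteHouse security=WhiteHouse ssid=WhiteHouse
"""
WPA2_ONLY = {"wpa2-psk", "wpa2-eap"}

def join_continuations(text):
    """Merge lines that the export wrapped with a trailing backslash."""
    merged, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space before the backslash
        else:
            merged.append(buf + line)
            buf = ""
    return [l for l in merged + [buf] if l]

def csv_set(props, key):
    return {v for v in props.get(key, "").split(",") if v}

def audit_security_profiles(export_text):
    """Map each /caps-man security profile name to a list of findings."""
    findings, section = {}, None
    for line in join_continuations(export_text):
        if line.startswith("/"):
            section = line
        elif section == "/caps-man security" and line.startswith("add "):
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            issues = []
            auth = csv_set(props, "authentication-types")
            if not auth:
                issues.append("no authentication-types set")
            elif auth - WPA2_ONLY:
                issues.append("non-WPA2 authentication: " + ",".join(sorted(auth - WPA2_ONLY)))
            # Unset cipher keys are not flagged: RouterOS defaults are not modelled here.
            for key in ("encryption", "group-encryption"):
                extra = csv_set(props, key) - {"aes-ccm"}
                if extra:
                    issues.append(f"{key} allows {','.join(sorted(extra))}")
            findings[props.get("name", "<unnamed>")] = issues
    return findings
```

Run against the sample, `audit_security_profiles(SAMPLE_EXPORT)` returns an empty finding list for `WhiteHouse` and three findings for `legacy-mixed`.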