diff --git a/ipn/local.go b/ipn/local.go index 0616bf55f..b8c9d6da3 100644 --- a/ipn/local.go +++ b/ipn/local.go @@ -10,6 +10,7 @@ import ( "errors" "fmt" "os" + "runtime" "strings" "sync" "time" @@ -265,6 +266,11 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) { b.prefs.Persist = st.Persist.Clone() } } + if temporarilySetMachineKeyInPersist() && b.prefs.Persist != nil && + b.prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() { + b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey + prefsChanged = true + } if st.NetMap != nil { b.setNetMapLocked(st.NetMap) @@ -483,6 +489,12 @@ func (b *LocalBackend) Start(opts Options) error { b.mu.Lock() prefs := b.prefs.Clone() + + if temporarilySetMachineKeyInPersist() && prefs.Persist != nil && + prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() { + prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey + } + b.mu.Unlock() blid := b.backendLogID @@ -689,7 +701,16 @@ func (b *LocalBackend) popBrowserAuthNow() { // // b.prefs must already be initialized. // b.mu must be held. -func (b *LocalBackend) initMachineKeyLocked() error { +func (b *LocalBackend) initMachineKeyLocked() (err error) { + if temporarilySetMachineKeyInPersist() { + defer func() { + if err != nil { + return + } + b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey + }() + } + if !b.machinePrivKey.IsZero() { // Already set. return nil 
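Review bot: The new block in setClientStatus copies `b.machinePrivKey` into `Persist.LegacyFrontendPrivateMachineKey` without checking that the source key is itself non-zero. If the machine key were still unset at this point (not visible from the hunk), the legacy field would stay zero and `prefsChanged = true` would be set again on every status update. Adding `!b.machinePrivKey.IsZero() &&` to the condition covers that case. The same three-part guard is repeated in the Start hunk, so a small shared method on LocalBackend would keep the two sites from drifting apart. setClientStatus begins and ends outside the hunk, so the locking around this read of `b.machinePrivKey` should be confirmed there.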
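Review bot: The deferred closure added to initMachineKeyLocked dereferences `b.prefs.Persist` with no nil check, while the setClientStatus and Start hunks both test `Persist != nil` before touching the same field. The function's contract only states that b.prefs is initialized, and the rest of the body lies outside the hunk, so a successful return with a nil Persist cannot be ruled out from here and would panic the backend. Changing the guard to `if err != nil || b.prefs.Persist == nil { return }` removes the risk. The defer also runs on the "Already set" early return, so the field is rewritten on every call; a short comment saying that this is intended would help.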
@@ -1504,3 +1525,20 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey tailcfg.MachineKey, node
 nk := prefs.Persist.PrivateNodeKey.Public()
 return tailcfg.MachineKey(mk), tailcfg.NodeKey(nk)
 }
+
+// temporarilySetMachineKeyInPersist reports whether we should set
+// the machine key in Prefs.Persist.LegacyFrontendPrivateMachineKey
+// for the frontend to write out to its preferences for use later.
+//
+// TODO: remove this in Tailscale 1.3.x (so it effectively always
+// returns false). It just exists so users can downgrade from 1.2.x to
+// 1.0.x. But eventually we want to stop sending the machine key to
+// clients. We can't do that until 1.0.x is no longer supported.
+func temporarilySetMachineKeyInPersist() bool {
+ //lint:ignore S1008 for comments
+ if runtime.GOOS == "darwin" {
+ // iOS and macOS users can't downgrade anyway.
+ return false
+ }
+ return true
+}
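Review bot: The doc comment on temporarilySetMachineKeyInPersist explains the downgrade motivation but not the consequence for readers of Prefs. While it returns true (every GOOS except darwin), Prefs.Persist carries the machine private key to the frontend and into whatever the frontend persists. I would add a line such as `// While this returns true, Prefs.Persist contains private key material; do not log or export Prefs unredacted.` so callers that serialise or print Prefs know to check. Whether any such path exists is not visible in this diff, so it is worth confirming before merge. The TODO would also be easier to act on with a tracking issue reference next to the 1.3.x target.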