You are right that KDF functionalities are used. See this paper here, specifically section 6.1. This article is specifically about vulnerabilities in Apple's offline FindMy application, which was broken and used to track people with Bluetooth tracker devices. According to this link https://support.apple.com/en-gb/guide/security/sec6cbc80fd0/web from Apple the two use the same method to "roll" keys.
Initially, each owner device generates a private–public key pair $(d_0, p_0)$ on the NIST P-224 curve and a 32-byte symmetric key $SK_0$ that together form the master beacon key. Those keys are never sent out.
This approach makes device tracking hard by regularly changing the contents of the BLE advertisements. In particular, OF uses the concept of rolling keys that can be deterministically derived if one knows the initial input keys $(d_0, p_0)$ and $SK_0$ but are otherwise unlinkable.
It uses the ANSI X.963 KDF with SHA-256 and a generator $G$ of the NIST P-224 curve:
updates the secret key which is 32 bytes long.
derives the anti-tracking keys $u_i, v_i$ from the new symmetric key, each 36 bytes long.
$$d_i=(d_0\ast u_i)+v_i,\quad p_i=d_i\ast G$$
create the advertisement key pair using the anti-tracking keys and the master beacon key $d_0.$ When the device goes missing and cannot connect to WiFi or mobile network it starts transmitting the derived public key $p_i$ for a limited period of time in a Bluetooth payload.
The Apple doc also suggests the keys are rolled every 15 minutes or so.
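The rolling scheme quoted above, as an added Python sketch that is not part of the original answer or of Apple's code. The KDF labels `"update"` and `"diversify"` and the 72-byte output come from the published description of the scheme rather than from the text above; the big-endian integer encoding and the reduction modulo the group order are assumptions.

```python
import hashlib

# NIST P-224 domain parameters: field prime, coefficients a and b, group order, generator
P = 2**224 - 2**96 + 1
A, B = P - 3, 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4
N = 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
G = (0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21,
     0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34)

def x963_kdf(secret, shared_info, length):
    # ANSI X9.63 KDF with SHA-256: blocks of Hash(secret || 32-bit counter || shared_info)
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(secret + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:length]

def ec_add(p1, p2):
    # Affine point addition on P-224; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    # Double-and-add; not constant time, for illustration only
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def on_curve(pt):
    return (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def roll(d0, sk_prev):
    # One period: SK_i from SK_{i-1}, then (u_i, v_i), then d_i and p_i
    sk = x963_kdf(sk_prev, b"update", 32)
    uv = x963_kdf(sk, b"diversify", 72)
    u, v = int.from_bytes(uv[:36], "big"), int.from_bytes(uv[36:], "big")
    d = (d0 * u + v) % N  # assumption: big-endian integers, reduced mod the group order
    return sk, u, v, d, ec_mul(d, G)
```

Because $p_i = u_i \ast p_0 + v_i \ast G$, the same advertised key can be computed from $p_0$ and $SK_i$ alone, without the private key $d_0$.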