I'm looking to setup, add a domain (DRC WIDA testing) to a configuration profile with "Relaxed Domains" for our iPads. I don't see it anywhere I've looked in Jamf Pro configuration profiles, but Apple and WIDA have references to it. This would allow us finally to not have to manually toggle Cross-Site tracking to "on" on each iPad!!!!I've setup a custom configuration as described but I'm hoping there is a non-custom method that I'm just missing. This functionality is supported by a key in the Domains payload CrossSiteTrackingPreventionRelaxedDomains. From WIDA / DRC InsightCross-Website Tracking and Device SupervisionImportant: Sites using iPadOS 16.2 and higher no longer need to enable Cross-Website Tracking aslong as the device is supervised and the domains are relaxed following the instructions below. This can bedone using Automated Device Enrollment and MDM software or by using Apple Configurator.Note:Sites using iPadOS 16.1.2 and below must still enable Cross-Website Tracking.Supervision must be enabled for all devices regardless of iPadOS version.Supervising iPadOS DevicesSupervise a Device Using MDM Software and Relaxing DomainsIf you are using MDM software, DRC INSIGHT checks the device serial number and directs you to yourdesignated MDM server, where you can view and edit your enrollment profile. Once the device is enrolled itis automatically supervised.For more information, work with your MDM provider and Apple.1. In the Domains payload option within your MDM, locate the Cross-site tracking relaxed for domainsfield.• If you do not see this field, you will have to create a custom profile and upload it to your MDM.2. Enter the following domains to be relaxed:• <string>DRC-centraloffice.com</string>• <string>http://drc-centraloffice.com:55222</string>Note: 55222 is the default port value. Use the same port that you used during COS - SD installationif you used a custom port.• <string>DRCedirect.com</string>• <string>WIDA-ams.us</string>3. You no longer need to enable Cross-Website Tracking for testing. However, if you receive a contentretrieval error message when you begin a test and think the domains may not be relaxed, enable Cross-Website tracking in the iPad settings and are able to begin a test then the domains have not been relaxed.

Relaxed Domains Cross-Site Tracking - No more manually toggling on/off!

Looks like Apple gives an example of what the xml should look like. Have you tried making a .mobileconfig and uploading it to Jamf to deploy? Jamf does not have GUI elements for everything you can do with MDM. Just be aware to sign the .mobileconfig as Jamf is well known for breaking key pairs it does not understand when deploying if its not signed.

Cross-Site Tracking Prevention for relaxed domains example - Apple Support

Looks like Apple gives an example of what the xml should look like. Have you tried making a .mobileconfig and uploading it to Jamf to deploy? Jamf does not have GUI elements for everything you can do with MDM. Just be aware to sign the .mobileconfig as Jamf is well known for breaking key pairs it does not understand when deploying if its not signed.

Cross-Site Tracking Prevention for relaxed domains example - Apple Support

For those of us who are not coders, do I only need to change the Apple example to include the following and save it as a .mobileconfig file to upload?

<key>CrossSiteTrackingPreventionRelaxedDomains</key>

<array>

<string>DRC-centraloffice.com</string>

<string>http://drc-centraloffice.com:55222</string>

<string>DRCedirect.com</string>

</array>

I used iMazing's Profile editor to create one, even though it's very simple as it had the "Relaxed Domain" category that Jamf Pro is missing from its domain section.

So I have just found this thread and I am trying to do this as well and I can't with Jamf Pro. Attached is what I have added to the App Configuration. The Org ID comes to the iPads just fine. But it does not seem like the URLS are being added.

<dict>

<key>ouIds</key>

<key>CrossSiteTrackingPreventionRelaxedDomains</key>

<array>

<string>DRC-centraloffice.com</string>

<string>DRCedirect.com</string>

</array>

</dict>

</plist>

Any insight into this would be appreciated!

Thank you,

Bill

I believe it needs to be in a configuration profile - not the app config. I was able to create one with the Profile Editor mentioned above - but I think I had an issue with the signing of the cert. In the end we only have a few devices that need this setting adjusted so we just make sure staff check it before starting.

I did download the iMazing and added the URLS. When I upload the config profile I do not see them as apart of the configuration. We are trying to get this to work as we test from grades 3-12 and probably about 1500 iPads that need the toggle turned on. This would just help us alleviate a headache for ourselves as well as teachers and students trying to test.

Are you looking for it in the app config? or in the device management on the device itself?

That was a my bad never checking the device itself. I do see the config profile and has the URLS listed there. I am still getting an error saying that content couldn't be retrieved. I have whitelisted all 4 domains as well in content filtering. I am unsure of what to try next to get this working.

I noticed that the preceding and trailing <string> </string> was not in the iMazing config. Was it supposed to be? Ive hit this wall (just under 3k ipads deployed for kids starting testing next month) and followed the config profile example above, with and without the string statements.

I am also trying to configure our devices to use on-site servers without touching every iPad in the district. We utilized the profile editor, imported into JAMF Pro, and I can see the domains on the device, but the error message is still displayed for retrieving data.

Has anyone tried to code the app in order to enable the DRC toggle switch by default? I am not sure if this is possible, or what the field names would be, but if we can send the Org Unit by app config perhaps the toggle can also be manipulated.

Hello everyone,

I was successful in getting this to work. See the attached screen shot, it shows how we had to set it up with Jamf PRO and iMazing Profile creator. This was the response from DRC in my help ticket with them. Also attached below is a screen shot of my iMazing profile I uploaded to Jamf PRO.

You mentioned allowing "domains," please allow the specific URLs on those allowlisting tables from both the WIDA and Pennsylvania Technology User Guides (links provided in previous email) to be as specific as the DRC allowlisting tables specify.

Additionally, I came across this information from another user who was having a similar issue with getting his MDM to properly control their iPadOS 18.1 iPad's Cross-Website Tracking--maybe it will work for your MDM & iPads.

He said, "After adding the new key below to the mobileconfig file, we were able to log into WIDA DRC Insight without error, and did not have to manually enable the “Allow Cross-Website Tracking” toggle on each iPad.

<key>CrossSiteTrackingPreventionRelaxedApps</key>

<array>

<string>com.drc.wbte-ipad.drc</string>

</array>

CONFIRMED SOLUTION! 😁🎆

THANK YOU SO MUCH!!!

This worked beautifully for us and we were able to get an entire class logged in without checking the box!

CONFIRMED SOLUTION! 😁🎆

THANK YOU SO MUCH!!!

This worked beautifully for us and we were able to get an entire class logged in without checking the box!

So is the solution that only the new key is needed? or the new key AND the profile?

I had to add the new key to the profile with the URLS and then uploaded it and everything worked.

I am not finding the key for Cross Site Tracking Prevention Relaxed Apps in iMazing.

I am not sure what to say as that is what I used. I am running version 1.9.2. Maybe it needs an update. I also had the profile saved and reopened it and appended to it.

My app was up to date but the Preference Manifests were not. After I quit the app a few times I got the pop up to update those lists. Now the key appears in Domains. Will give it a try again

Thanks all.

Thank you. This seems to have fixed the issue for us as well.

Are you using a self signed cert?

Additionally...

We put the following in the App Configuration in the DRC Insight app itself.

<key>ouIds</key>
<string>YOUR_ORG_ID_NUMBER_FROM_CENTRAL_OFFICE_HERE</string>

This resolved our issues with our iPads

Hello everyone,

I was successful in getting this to work. See the attached screen shot, it shows how we had to set it up with Jamf PRO and iMazing Profile creator. This was the response from DRC in my help ticket with them. Also attached below is a screen shot of my iMazing profile I uploaded to Jamf PRO.

You mentioned allowing "domains," please allow the specific URLs on those allowlisting tables from both the WIDA and Pennsylvania Technology User Guides (links provided in previous email) to be as specific as the DRC allowlisting tables specify.

Additionally, I came across this information from another user who was having a similar issue with getting his MDM to properly control their iPadOS 18.1 iPad's Cross-Website Tracking--maybe it will work for your MDM & iPads.

He said, "After adding the new key below to the mobileconfig file, we were able to log into WIDA DRC Insight without error, and did not have to manually enable the “Allow Cross-Website Tracking” toggle on each iPad.

<key>CrossSiteTrackingPreventionRelaxedApps</key>

<array>

<string>com.drc.wbte-ipad.drc</string>

</array>

@wsievers Thanks for this! We got things setup in iMazing, uploaded to jamf and deployed to a test device. I can see the domains listed under VPN/Device Management in the Settings app.

I can run the system check and any of the "practice" tests without issues. I think we are good to go, but I did notice that the toggle for "Allow Cross-Website Tracking" under Settings > Apps > DRC Insight is NOT toggled on. Is this toggled on for you after installing the profile @wsievers ?

CONFIRMED SOLUTION! 😁🎆

THANK YOU SO MUCH!!!

This worked beautifully for us and we were able to get an entire class logged in without checking the box!

@IT-CKrape, after installing the profile are you seeing the "Allow Cross-Website Tracking" under Settings > Apps > DRC Insight automatically turned on? See my above reply to wsievers.

Thanks for any insight!

@wsievers Thanks for this! We got things setup in iMazing, uploaded to jamf and deployed to a test device. I can see the domains listed under VPN/Device Management in the Settings app.

I can run the system check and any of the "practice" tests without issues. I think we are good to go, but I did notice that the toggle for "Allow Cross-Website Tracking" under Settings > Apps > DRC Insight is NOT toggled on. Is this toggled on for you after installing the profile @wsievers ?

Hello @jr139

By default the installation of DRC App it is turned off. With doing this you should not need to turn it on anymore. This takes place of having to manually toggle that switch for iPads to test. This helped us automate the installation and efficiency of testing with out having to manually touch hundreds of iPads.

I hope this answered your question.

Are you using a self signed cert?

Hello @bfrench

I am not signing it and letting Jamf deal with that end of things. Sorry for the delay in my response.

Hello @jr139

By default the installation of DRC App it is turned off. With doing this you should not need to turn it on anymore. This takes place of having to manually toggle that switch for iPads to test. This helped us automate the installation and efficiency of testing with out having to manually touch hundreds of iPads.

I hope this answered your question.

Thanks for confirming. I just wanted to check and see if after installing the profile we would physically see that the profile had switched the toggle on or not.

It sounds like we will not see that, and so long as the profile is installed and we can see the profile/domains in VPN/Device Management within settings we should be good to go.

Appreciate your quick reply!

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded