Disabling the "Limit IP Address Tracking" feature in Monterey?

johntgeck
Contributor

For safety and sanity, we'd like to be able to disable this feature in our fleet. I couldn't find any documentation on a configuration profile payload or policy setting or even a homebrew script to disable this feature. A config profile would obviously be best as it would prevent the users from re-enabling. An ongoing policy that uses either a script or an actual policy payload would be... fine I guess, but less preferred as between recurring check-ins the user could do whatever they wanted.

Does anyone have any resources on this?

1 ACCEPTED SOLUTION

talkingmoose
Moderator

You mention “for safety and sanity”, but I’m curious what you mean by that? When enabled, this feature protects the end user’s privacy, and it only applies to Internet trackers within the Mail and Safari apps.

Jamf Pro already collects IP address information (both public and internal). What more are you after by trying to disable this feature?

22 REPLIES

Hah. Of course. I thought it was obfuscating the IP address at a network level, but that wouldn't make any sense. I think I was getting it confused with the "Private wi-fi address" setting on iOS. So this feature is only for those specific applications? How does that look on a network level? Is it running the traffic through a relay after it goes outside of our network or something? If you have a resource on how/what the feature actually does that I can read up on, I would appreciate it.

I have the "feeling" that the impact of this setting is deeper. Today it turned out that a Mac with the "Tracking Limit" option active was not accepted by our firewall and could not reach our intranet ...

This is what I got from Jamf Support:

Thank you for your patience! So, I found something that might help us out here. Please take a look at this article: https://macblog.org/disable-icloud-private-relay/.

It looks like "Limit IP Address Tracking" might be able to be disabled by disabling the iCloud private relay with a configuration profile. 

It blocks access to locally hosted websites and prevents access to external service providers who limit/block access by IP address.

talkingmoose
Moderator

Just those two apps according to the tiny text below the feature.

I can’t vouch for the accuracy of this post, but it makes sense to me. To limit IP address tracking, Apple would need to relay all Mail and Safari traffic through their servers. And it wouldn’t stop the most common form of tracking for email, which is an embedded personalized tracker in a link.

https://discussions.apple.com/thread/253657312

robmorton
Contributor

Actually, just going back to the original question, is there a scripting/profile means to turn it off? If it always worked, it would be fine. It doesn't.

So, only Apple Mail/Safari. With the feature enabled and connected to a Verizon MiFi hotspot "nslookup google.com" from Terminal...

/AppleInternal/Library/BuildRoots/20d6c351-ee94-11ec-bcaf-7247572f23b4/Library/Caches/com.apple.xbs/Sources/bind9/bind9/lib/isc/unix/socket.c:2132: internal_send: fe80::dcaa:ccff:fe30:1e72%5#53: Network is down

Disable the feature and...

[2:35 PM] Scott, Anthony C. (MSFC-IS50)[Leidos, Inc.]

MSLAL0819110336:~ acscott2$ nslookup google.com
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:    google.com
Address: 142.250.9.113
Name:    google.com
Address: 142.250.9.101
Name:    google.com
Address: 142.250.9.100
Name:    google.com
Address: 142.250.9.102
Name:    google.com
Address: 142.250.9.139
Name:    google.com
Address: 142.250.9.138


So back to the original question: how can we disable this en masse?

Did you ever get anywhere on this? We also need to disable as it is causing DNS issues on our network.

Sadly, nothing. It is really annoying and hits people when they travel since it is a new WiFi.

micb82
New Contributor II

I have seen issues with NoMAD not working correctly when this is enabled.

akamenev47
Contributor II

We see issues with FortiClient AV/web filter + the "Limit IP Address Tracking" checked; we had a few successful results when users would manually uncheck the feature and the network issues would stop.

Would be nice to know if there is a way to uncheck this via script, but I have a suspicion - since this is a privacy feature - Apple hid it, as I was unable to find it anywhere in any of the plist files related to Network/WiFi...

Ahoy!

Rhys
New Contributor

Anyone have any luck finding a solution to this that isn’t just having the end user disable it?

This feature seems to be much more aggressive in macOS Ventura and iPadOS 16 to the point it’s causing issues with pages loading with an in-line firewall appliance.

Disabling Private Relay can be achieved by an MDM profile and at the network DNS level; however, this feature (Limit IP Address Tracking) functions independently of these. All a profile does is remove it as a configurable option within a user's iCloud settings (which isn’t even in use).

robmorton
Contributor

I hope everyone that is having this issue is using Feedback Assistant to offer feedback as this is really not a friendly thing for Apple to do. It ends up that they end up being able to stop any site they want using their DNS system over a DNS system of our choice. If it only did what it said it did and only affected Mail and Safari, it would be annoying, but since it affects other programs, it is pretty sleazy. Almost screams spyware.

I am pretty sure that this option has a bigger impact on other network services like VPN etc.

Perhaps, but any way you look at it, when Apple adds a new feature, they need to provide a means to disable it via a profile. I say this as it has been pretty rare for Apple to get it right on the first try for quite some time now.

applebit
New Contributor II

We are experiencing problems that disabling IP address tracking resolves. The problem was minimized for a while; however, with devices updating to 13.5.1 and 13.5.2 the problems have escalated once again. No command, plist, nor profile seems to be found on the www's, and reviewing any preference files and commands is coming up short too.

This is a different solution, however I'll document here for the record: https://www.kolide.com/features/checks/mac-disable-icloud-private-relay

Thank you for the links, we will start monitoring the activation of iCloud Private Relay now. It looks like the Tracking Protection in the network settings only has an impact when Private Relay is active ...?

Yes, looks like this is only possible and even questionable under 13.5.2 (I'm still investigating).

Sadly there is also not a way to admin this per SSID which is in the interface.

applebit
New Contributor II

Can anyone confirm that this Config Profile still works under macOS 13.5.2? It looks like the option is still available, at least the activated check box still shows up.

Thank you!

walkeri3rd
New Contributor III

Has there been headway made on this? We are having big issues with Untrusted IPs with Students and Teachers.

JevermannNG
Contributor II

We use the Configuration Profile from the following site and it solved our issues:

https://www.kolide.com/features/checks/mac-disable-icloud-private-relay#how-to-block-icloud-private-...

Thanks to @applebit for providing the link!
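
The Private Relay configuration profile that several replies refer to, sketched as an added example (not taken from the thread, the linked articles, or Jamf). It assumes Apple's Restrictions payload (`com.apple.applicationaccess`) with the `allowCloudPrivateRelay` key set to false; the organization name and identifiers are placeholders. As noted in the replies above, this governs iCloud Private Relay, and the thread found no key for the per-network "Limit IP Address Tracking" checkbox itself.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type
RELAY_KEY = "allowCloudPrivateRelay"               # False disables iCloud Private Relay


def build_profile(org="Example Org", identifier="com.example.block-private-relay"):
    """Return .mobileconfig bytes; org and identifier are placeholder values."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        RELAY_KEY: False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block iCloud Private Relay",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def relay_blocked(mobileconfig_bytes):
    """True only if a Restrictions payload sets allowCloudPrivateRelay to False."""
    try:
        profile = plistlib.loads(mobileconfig_bytes)
    except Exception:
        return False  # unparsable or signed (CMS-wrapped) profile: cannot confirm
    if not isinstance(profile, dict):
        return False
    for item in profile.get("PayloadContent", []):
        if isinstance(item, dict) and item.get("PayloadType") == RESTRICTIONS_TYPE:
            if item.get(RELAY_KEY) is False:
                return True
    return False


if __name__ == "__main__":
    data = build_profile()
    print(data.decode())  # paste into a .mobileconfig file or an MDM custom profile
    print("Private Relay blocked:", relay_blocked(data))
```

`relay_blocked` can also be run over profiles exported from an MDM to confirm which ones actually carry the restriction before relying on them.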