macOS "Limit Ad Tracking"

MrP
Contributor III

System Preferences -> Security & Privacy -> Privacy -> Advertising

Does anyone know of a way to enable this via plist or conf profile?

1 ACCEPTED SOLUTION

MrP
Contributor III

When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.

Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.

#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
#   Ad Tracking: Limit Ad Tracking
##
count=0
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
while [[ "$a" == "0" && $count < 20 ]]; do
  let "count += 1"
  echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
  sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
  sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
  sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
  sleep 1
  killall adprivacyd
  killall -SIGHUP cfprefsd
  sleep 5
  a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
done

if [ "$a" == "0" ]; then echo Setting could not be applied; exit 1; fi

View solution in original post

20 REPLIES 20

MrP
Contributor III
#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
    ##
    #   Ad Tracking: Limit Ad Tracking
    ##
    a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
    if [ "$a" == "0" ]; then
        echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
        sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
        sleep 1
        killall adprivacyd
        killall -SIGHUP cfprefsd
    fi

RJH
Contributor

any way this can be done via CONFIG profile, as you can with most security and privacy settings. Seems like an omission from the current security payload in JAMF Pro 10.13 ?

michael_madsen
Contributor

This doesn't seem to work on macOS Mojave 10.14.6 (18G84)
When Privacy panel is opened, it shows "Limit Ad Tracking" as checked. But only for half a second, then it reverts back to unchecked.

RJH
Contributor

I saw this exact same behaviour on Mojave @michael.madsen. I found I had to run the script several times to make it "stick", which is not ideal. Anyone have a better solution ?

MrP
Contributor III

When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.

Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.

#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
#   Ad Tracking: Limit Ad Tracking
##
count=0
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
while [[ "$a" == "0" && $count < 20 ]]; do
  let "count += 1"
  echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
  sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
  sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
  sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
  sleep 1
  killall adprivacyd
  killall -SIGHUP cfprefsd
  sleep 5
  a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
done

if [ "$a" == "0" ]; then echo Setting could not be applied; exit 1; fi

cspence001
New Contributor

I modified this script to include:

defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib personalizedAdsMigrated -int 0

Periodically I'd check this plist and while forceLimitAdTracking remained 1, the three above would be reset to 1. I modified the script to check if those were set to 0 instead before running the rewrite. They seemed to stick only for the current session and reset between starts. What I ultimately ended up doing was giving it the user immutable flag to prevent rewriting of the file even by owner or super-user if SIP is enabled. 

sudo chflags uchg /Users/$USER/Library/Preferences/com.apple.AdLib

 

RJH
Contributor

@MrP - that did the job - thanks!

michael_madsen
Contributor

Thank you @MrP

Just from reading your script, I would say that the 2nd last line:

a=defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking

is unnecessary :-)

MrP
Contributor III

@michael.madsen Good catch.

apizz
Valued Contributor

This preference, though only supported in the Restrictions payload on iOS, can be managed via config profile on macOS. This option has been added to ProfileCreator.

apizz
Valued Contributor

To do this in Jamf natively, you can use the following .plist added to the 'Application & Custom Settings' payload with the domain of com.apple.AdLib:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>forceLimitAdTracking</key>
    <true/>
</dict>
</plist>

Gascolator
Contributor

Attempting this in Big Sur using 'Application & Custom Settings' Payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>allowApplePersonalizedAdvertising</key>

<integer>0</integer>

<key>allowIdentifierForAdvertising</key>

<integer>0</integer>

<key>personalizedAdsMigrated</key>

<integer>0</integer>
</dict>
</plist>

That doesn't appear to work. On the machine I can do the following and it works:

defaults write com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write com.apple.AdLib personalizedAdsMigrated -int 0

What am I missing?

adig
New Contributor III

Hi @Gascolator 

I was wondering if you managed to get that config profile working, for BigSur.

thanks

adig
New Contributor III

i think the plist should be in this form, but i am still testing it to make sure it works properly

guliciuk_0-1636973362308.png

 

This is what I ended up with. 

Screen Shot 2021-11-15 at 9.00.24 AM.png

MrP
Contributor III

Can you post a copy of that mobileconfig?

apizz
Valued Contributor

If there are more keys that should be included beyond the single 'forceLimitAdTracking', I'd encourage you to file an issue in https://github.com/ProfileCreator/ProfileManifests so that they can be added to ProfileCreator & iMazing Profile Editor for other admins to use as well

DanVT
New Contributor III

Just to confirm, has there been an update to this since 2021?   What is the best way to do this in 2023?

MrP
Contributor III

This is still what we are using,since it still works.  Looks like others are using a more simple plist profile that works for them.

 

   ##
    #   Ad Tracking: Limit Ad Tracking
    ##
    count=0
    a=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising)
    b=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising)
    while [[ "$a" == "1" || "$b" == "1" ]] && [[ $count -lt 20 ]]; do
        let "count += 1"
        echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
        sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising -int 0
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising -int 0
        sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
        sleep 1
        killall adprivacyd 2>/dev/null
        killall -SIGHUP cfprefsd 2>/dev/null
        sleep 5
        a=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising)
        b=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising)
    done

    if [[ "$a" == "1" ]] || [[ "$b" == "1" ]]; then
        echo User: Ad Tracking: Setting could not be applied
        exiterror
    fi

DanVT
New Contributor III

Thanks MrP!