Posted on 10-18-2018 09:04 AM
System Preferences -> Security & Privacy -> Privacy -> Advertising
Does anyone know of a way to enable this via plist or conf profile?
Posted on 10-26-2018 12:56 PM
#!/bin/bash
user=$(ls -l /dev/console | cut -d " " -f 4)
##
# Ad Tracking: Limit Ad Tracking
##
a=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking)
if [ "$a" == "0" ]; then
    echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy" limitAdTrackingCached -int 0
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking -int 1
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
    sleep 1
    killall adprivacyd
    killall -SIGHUP cfprefsd
fi
Posted on 07-23-2019 05:11 PM
Any way this can be done via CONFIG profile, as you can with most security and privacy settings? Seems like an omission from the current security payload in JAMF Pro 10.13?
Posted on 07-29-2019 10:40 AM
This doesn't seem to work on macOS Mojave 10.14.6 (18G84)
When Privacy panel is opened, it shows "Limit Ad Tracking" as checked. But only for half a second, then it reverts back to unchecked.
Posted on 07-31-2019 12:30 AM
I saw this exact same behaviour on Mojave @michael.madsen. I found I had to run the script several times to make it "stick", which is not ideal. Anyone have a better solution?
Posted on 07-31-2019 10:44 AM
When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.
Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.
#!/bin/bash
user=$(ls -l /dev/console | cut -d " " -f 4)
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking)
# -lt compares numerically; "<" inside [[ ]] compares strings, so "3" < "20" is false
while [[ "$a" == "0" && $count -lt 20 ]]; do
    let "count += 1"
    echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy" limitAdTrackingCached -int 0
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking -int 1
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
    sleep 1
    killall adprivacyd
    killall -SIGHUP cfprefsd
    sleep 5
    # Re-read the value so the loop stops once the setting has stuck
    a=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking)
done
if [ "$a" == "0" ]; then echo "Setting could not be applied"; exit 1; fi
Posted on 07-19-2024 01:19 PM
I modified this script to include:
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib personalizedAdsMigrated -int 0
Periodically I'd check this plist and while forceLimitAdTracking remained 1, the three above would be reset to 1. I modified the script to check if those were set to 0 instead before running the rewrite. They seemed to stick only for the current session and reset between starts. What I ultimately ended up doing was giving it the user immutable flag to prevent rewriting of the file even by owner or super-user if SIP is enabled.
sudo chflags uchg /Users/$USER/Library/Preferences/com.apple.AdLib.plist
Posted on 08-01-2019 11:32 PM
@MrP - that did the job - thanks!
Posted on 08-15-2019 12:03 PM
Thank you @MrP
Just from reading your script, I would say that the 2nd last line:
a=defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking
is unnecessary :-)
Posted on 08-19-2019 07:13 AM
@michael.madsen Good catch.
Posted on 04-21-2020 12:52 PM
This preference, though only supported in the Restrictions payload on iOS, can be managed via config profile on macOS. This option has been added to ProfileCreator.
Posted on 04-21-2020 12:56 PM
To do this in Jamf natively, you can use the following .plist added to the 'Application & Custom Settings' payload with the domain of com.apple.AdLib:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>forceLimitAdTracking</key>
<true/>
</dict>
</plist>
Posted on 05-26-2021 11:01 AM
Attempting this in Big Sur using 'Application & Custom Settings' Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allowApplePersonalizedAdvertising</key>
<integer>0</integer>
<key>allowIdentifierForAdvertising</key>
<integer>0</integer>
<key>personalizedAdsMigrated</key>
<integer>0</integer>
</dict>
</plist>
That doesn't appear to work. On the machine I can do the following and it works:
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write com.apple.AdLib personalizedAdsMigrated -int 0
What am I missing?
Posted on 11-15-2021 02:21 AM
11-15-2021 02:49 AM - edited 11-15-2021 02:50 AM
I think the plist should be in this form, but I am still testing it to make sure it works properly
Posted on 11-15-2021 07:03 AM
This is what I ended up with.
Posted on 03-09-2023 08:24 AM
Can you post a copy of that mobileconfig?
Posted on 12-17-2021 02:09 PM
If there are more keys that should be included beyond the single 'forceLimitAdTracking', I'd encourage you to file an issue in https://github.com/ProfileCreator/ProfileManifests so that they can be added to ProfileCreator & iMazing Profile Editor for other admins to use as well
Posted on 03-09-2023 08:09 AM
Just to confirm, has there been an update to this since 2021? What is the best way to do this in 2023?
Posted on 03-09-2023 08:21 AM
This is still what we are using, since it still works. Looks like others are using a more simple plist profile that works for them.
# Console user, as in the earlier versions of this script
user=$(ls -l /dev/console | cut -d " " -f 4)
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" allowApplePersonalizedAdvertising)
b=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" allowIdentifierForAdvertising)
while [[ "$a" == "1" || "$b" == "1" ]] && [[ $count -lt 20 ]]; do
    let "count += 1"
    echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy" limitAdTrackingCached -int 0
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" forceLimitAdTracking -int 1
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" allowApplePersonalizedAdvertising -int 0
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" allowIdentifierForAdvertising -int 0
    sudo -u "$user" defaults write "/Users/$user/Library/Preferences/com.apple.AdLib" "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
    sleep 1
    killall adprivacyd 2>/dev/null
    killall -SIGHUP cfprefsd 2>/dev/null
    sleep 5
    a=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" allowApplePersonalizedAdvertising)
    b=$(defaults read "/Users/$user/Library/Preferences/com.apple.AdLib" allowIdentifierForAdvertising)
done
if [[ "$a" == "1" ]] || [[ "$b" == "1" ]]; then
    echo "User: Ad Tracking: Setting could not be applied"
    # The posted snippet called an "exiterror" helper that is not defined here
    exit 1
fi
Posted on 03-09-2023 08:26 AM
Thanks MrP!
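Several posts in this thread report the com.apple.AdLib keys reverting after they were written. The script below is an added example, not code from any poster: it audits the keys named in the thread and prints a result in the `<result>` form Jamf extension attributes use. The function names, the `unset` marker and the choice to count a missing key as drift are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit the com.apple.AdLib keys discussed in this thread.
# Key names and wanted values come from the scripts posted above.

# check_adlib READER...: READER is a command that prints the value of the
# key passed as its last argument (e.g. defaults read <plist path>).
# Prints one line per key that differs; returns 0 if all match, else 1.
# A key that cannot be read is reported as "unset" and counted as drift.
check_adlib() {
    local drift=0 key want got
    while read -r key want; do
        got=$("$@" "$key" 2>/dev/null </dev/null) || got="unset"
        if [ "$got" != "$want" ]; then
            echo "$key=$got (want $want)"
            drift=1
        fi
    done <<'EOF'
forceLimitAdTracking 1
allowApplePersonalizedAdvertising 0
allowIdentifierForAdvertising 0
EOF
    return $drift
}

# report READER...: wrap the audit in extension-attribute style output.
report() {
    local out
    if out=$(check_adlib "$@"); then
        echo "<result>Compliant</result>"
    else
        echo "<result>Drift: $(printf '%s' "$out" | tr '\n' ';')</result>"
    fi
}

# Only query real preferences where the macOS defaults tool exists.
if command -v defaults >/dev/null 2>&1; then
    user=$(stat -f '%Su' /dev/console)
    report defaults read "/Users/$user/Library/Preferences/com.apple.AdLib"
fi
```

Run on a schedule, this shows whether the values written by the remediation scripts are still in place, rather than re-writing them blindly.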