System Preferences -> Security & Privacy -> Privacy -> Advertising
Does anyone know of a way to enable this via plist or conf profile?
Solved
macOS "Limit Ad Tracking"
+9Best answer by MrP
When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.
Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.
#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
while [[ "$a" == "0" && $count < 20 ]]; do
let "count += 1"
echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
sleep 1
killall adprivacyd
killall -SIGHUP cfprefsd
sleep 5
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
done
if [ "$a" == "0" ]; then echo Setting could not be applied; exit 1; fi#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
# Ad Tracking: Limit Ad Tracking
##
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
if [ "$a" == "0" ]; then
echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
sleep 1
killall adprivacyd
killall -SIGHUP cfprefsd
fi
+5any way this can be done via CONFIG profile, as you can with most security and privacy settings. Seems like an omission from the current security payload in JAMF Pro 10.13 ?
+5This doesn't seem to work on macOS Mojave 10.14.6 (18G84)
When Privacy panel is opened, it shows "Limit Ad Tracking" as checked. But only for half a second, then it reverts back to unchecked.
+5I saw this exact same behaviour on Mojave @michael.madsen. I found I had to run the script several times to make it "stick", which is not ideal. Anyone have a better solution ?
+9When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.
Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.
#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
while [[ "$a" == "0" && $count < 20 ]]; do
let "count += 1"
echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
sleep 1
killall adprivacyd
killall -SIGHUP cfprefsd
sleep 5
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
done
if [ "$a" == "0" ]; then echo Setting could not be applied; exit 1; fiThank you @MrP
Just from reading your script, I would say that the 2nd last line:
a=defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking
is unnecessary :-)
+15This preference, though only supported in the Restrictions payload on iOS, can be managed via config profile on macOS. This option has been added to ProfileCreator.
+15To do this in Jamf natively, you can use the following .plist added to the 'Application & Custom Settings' payload with the domain of com.apple.AdLib:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>forceLimitAdTracking</key>
<true/>
</dict>
</plist>Attempting this in Big Sur using 'Application & Custom Settings' Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allowApplePersonalizedAdvertising</key>
<integer>0</integer>
<key>allowIdentifierForAdvertising</key>
<integer>0</integer>
<key>personalizedAdsMigrated</key>
<integer>0</integer>
</dict>
</plist>
That doesn't appear to work. On the machine I can do the following and it works:
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write com.apple.AdLib personalizedAdsMigrated -int 0
What am I missing?
+4Attempting this in Big Sur using 'Application & Custom Settings' Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allowApplePersonalizedAdvertising</key>
<integer>0</integer>
<key>allowIdentifierForAdvertising</key>
<integer>0</integer>
<key>personalizedAdsMigrated</key>
<integer>0</integer>
</dict>
</plist>
That doesn't appear to work. On the machine I can do the following and it works:
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write com.apple.AdLib personalizedAdsMigrated -int 0
What am I missing?
Hi @Gascolator
I was wondering if you managed to get that config profile working, for BigSur.
thanks
+4Attempting this in Big Sur using 'Application & Custom Settings' Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allowApplePersonalizedAdvertising</key>
<integer>0</integer>
<key>allowIdentifierForAdvertising</key>
<integer>0</integer>
<key>personalizedAdsMigrated</key>
<integer>0</integer>
</dict>
</plist>
That doesn't appear to work. On the machine I can do the following and it works:
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write com.apple.AdLib personalizedAdsMigrated -int 0
What am I missing?
i think the plist should be in this form, but i am still testing it to make sure it works properly
+5i think the plist should be in this form, but i am still testing it to make sure it works properly
This is what I ended up with.
+15If there are more keys that should be included beyond the single 'forceLimitAdTracking', I'd encourage you to file an issue in https://github.com/ProfileCreator/ProfileManifests so that they can be added to ProfileCreator & iMazing Profile Editor for other admins to use as well
+4Just to confirm, has there been an update to this since 2021? What is the best way to do this in 2023?
+9Just to confirm, has there been an update to this since 2021? What is the best way to do this in 2023?
This is still what we are using,since it still works. Looks like others are using a more simple plist profile that works for them.
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising)
b=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising)
while [[ "$a" == "1" || "$b" == "1" ]] && [[ $count -lt 20 ]]; do
let "count += 1"
echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
sleep 1
killall adprivacyd 2>/dev/null
killall -SIGHUP cfprefsd 2>/dev/null
sleep 5
a=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising)
b=$(defaults read /Users/$user/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising)
done
if [[ "$a" == "1" ]] || [[ "$b" == "1" ]]; then
echo User: Ad Tracking: Setting could not be applied
exiterror
fi
When I first opened my privacy panel, I saw what @michael.madsen reported. However after running again I am unable to reproduce. I suspect there is something in the adprivacyd that is writing the last setting in memory to the files on a timer. This isn't much better, but at least if it doesn't stick, it will keep trying for up to 20 retries until it does, and if it does not, report an error. A much cleaner solution like a CP would be much preferred.
Edit: Upon further testing I was able to see this loop twice before the setting took, so it looks like it is sporadically required to make multiple attempts.
#!/bin/bash
user=`ls -l /dev/console | cut -d " " -f 4`
##
# Ad Tracking: Limit Ad Tracking
##
count=0
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
while [[ "$a" == "0" && $count < 20 ]]; do
let "count += 1"
echo "User: Ad Tracking: Enabling 'Limit Ad Tracking' in 'Security & Privacy'"
sudo -u $user defaults write /Users/$user/Library/Preferences/ByHost/com.apple.preference.security.privacy limitAdTrackingCached -int 0
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking -int 1
sudo -u $user defaults write /Users/$user/Library/Preferences/com.apple.AdLib "AD_DEVICE_IDFA" -string "00000000-0000-0000-0000-000000000000"
sleep 1
killall adprivacyd
killall -SIGHUP cfprefsd
sleep 5
a=`defaults read /Users/$user/Library/Preferences/com.apple.AdLib forceLimitAdTracking `
done
if [ "$a" == "0" ]; then echo Setting could not be applied; exit 1; fiI modified this script to include:
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowApplePersonalizedAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib allowIdentifierForAdvertising -int 0
defaults write /Users/$USER/Library/Preferences/com.apple.AdLib personalizedAdsMigrated -int 0
Periodically I'd check this plist and while forceLimitAdTracking remained 1, the three above would be reset to 1. I modified the script to check if those were set to 0 instead before running the rewrite. They seemed to stick only for the current session and reset between starts. What I ultimately ended up doing was giving it the user immutable flag to prevent rewriting of the file even by owner or super-user if SIP is enabled.
sudo chflags uchg /Users/$USER/Library/Preferences/com.apple.AdLib
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.