Jamf Nation Community

red_beard · ‎07-05-2024

I'm looking to setup, add a domain (DRC WIDA testing) to a configuration profile with "Relaxed Domains" for our iPads. I don't see it anywhere I've looked in Jamf Pro configuration profiles, but Apple and WIDA have references to it. This would allow us finally to not have to manually toggle Cross-Site tracking to "on" on each iPad!!!!

I've setup a custom configuration as described but I'm hoping there is a non-custom method that I'm just missing.

This functionality is supported by a key in the Domains payload CrossSiteTrackingPreventionRelaxedDomains.

From WIDA / DRC Insight

Cross-Website Tracking and Device Supervision

Important: Sites using iPadOS 16.2 and higher no longer need to enable Cross-Website Tracking as
long as the device is supervised and the domains are relaxed following the instructions below. This can be
done using Automated Device Enrollment and MDM software or by using Apple Configurator.
Note:

Sites using iPadOS 16.1.2 and below must still enable Cross-Website Tracking.
Supervision must be enabled for all devices regardless of iPadOS version.

Supervising iPadOS Devices

Supervise a Device Using MDM Software and Relaxing Domains
If you are using MDM software, DRC INSIGHT checks the device serial number and directs you to your
designated MDM server, where you can view and edit your enrollment profile. Once the device is enrolled it
is automatically supervised.
For more information, work with your MDM provider and Apple.

1. In the Domains payload option within your MDM, locate the Cross-site tracking relaxed for domains
field.
• If you do not see this field, you will have to create a custom profile and upload it to your MDM.
2. Enter the following domains to be relaxed:
• <string>DRC-centraloffice.com</string>
• <string>http://drc-centraloffice.com:55222</string>
Note: 55222 is the default port value. Use the same port that you used during COS - SD installation
if you used a custom port.
• <string>DRCedirect.com</string>
• <string>WIDA-ams.us</string>
3. You no longer need to enable Cross-Website Tracking for testing. However, if you receive a content
retrieval error message when you begin a test and think the domains may not be relaxed, enable Cross-
Website tracking in the iPad settings and are able to begin a test then the domains have not been relaxed.

AJPinto · ‎07-05-2024

Looks like Apple gives an example of what the xml should look like. Have you tried making a .mobileconfig and uploading it to Jamf to deploy? Jamf does not have GUI elements for everything you can do with MDM. Just be aware to sign the .mobileconfig as Jamf is well known for breaking key pairs it does not understand when deploying if its not signed.

Cross-Site Tracking Prevention for relaxed domains example - Apple Support

bfrench · ‎07-08-2024

For those of us who are not coders, do I only need to change the Apple example to include the following and save it as a .mobileconfig file to upload?

<key>CrossSiteTrackingPreventionRelaxedDomains</key>

<array>

<string>DRC-centraloffice.com</string>

<string>http://drc-centraloffice.com:55222</string>

<string>DRCedirect.com</string>

</array>

red_beard · ‎07-15-2024

I used iMazing's Profile editor to create one, even though it's very simple as it had the "Relaxed Domain" category that Jamf Pro is missing from its domain section.

wsievers · ‎12-11-2024

So I have just found this thread and I am trying to do this as well and I can't with Jamf Pro. Attached is what I have added to the App Configuration. The Org ID comes to the iPads just fine. But it does not seem like the URLS are being added.

<dict>

<key>ouIds</key>

<key>CrossSiteTrackingPreventionRelaxedDomains</key>

<array>

<string>DRC-centraloffice.com</string>

<string>DRCedirect.com</string>

</array>

</dict>

</plist>

Any insight into this would be appreciated!

Thank you,

Bill

bfrench · ‎12-11-2024

I believe it needs to be in a configuration profile - not the app config. I was able to create one with the Profile Editor mentioned above - but I think I had an issue with the signing of the cert. In the end we only have a few devices that need this setting adjusted so we just make sure staff check it before starting.

wsievers · ‎12-11-2024

I did download the iMazing and added the URLS. When I upload the config profile I do not see them as apart of the configuration. We are trying to get this to work as we test from grades 3-12 and probably about 1500 iPads that need the toggle turned on. This would just help us alleviate a headache for ourselves as well as teachers and students trying to test.

bfrench · ‎12-11-2024

Are you looking for it in the app config? or in the device management on the device itself?

wsievers · ‎12-11-2024

That was a my bad never checking the device itself. I do see the config profile and has the URLS listed there. I am still getting an error saying that content couldn't be retrieved. I have whitelisted all 4 domains as well in content filtering. I am unsure of what to try next to get this working.

gcarmichael · ‎12-12-2024

I noticed that the preceding and trailing <string> </string> was not in the iMazing config. Was it supposed to be? Ive hit this wall (just under 3k ipads deployed for kids starting testing next month) and followed the config profile example above, with and without the string statements.

IT-CKrape · a month ago

I am also trying to configure our devices to use on-site servers without touching every iPad in the district. We utilized the profile editor, imported into JAMF Pro, and I can see the domains on the device, but the error message is still displayed for retrieving data.

Has anyone tried to code the app in order to enable the DRC toggle switch by default? I am not sure if this is possible, or what the field names would be, but if we can send the Org Unit by app config perhaps the toggle can also be manipulated.

wsievers · 4 weeks ago

Hello everyone,

I was successful in getting this to work. See the attached screen shot, it shows how we had to set it up with Jamf PRO and iMazing Profile creator. This was the response from DRC in my help ticket with them. Also attached below is a screen shot of my iMazing profile I uploaded to Jamf PRO.

You mentioned allowing "domains," please allow the specific URLs on those allowlisting tables from both the WIDA and Pennsylvania Technology User Guides (links provided in previous email) to be as specific as the DRC allowlisting tables specify.

Additionally, I came across this information from another user who was having a similar issue with getting his MDM to properly control their iPadOS 18.1 iPad's Cross-Website Tracking--maybe it will work for your MDM & iPads.

He said, "After adding the new key below to the mobileconfig file, we were able to log into WIDA DRC Insight without error, and did not have to manually enable the “Allow Cross-Website Tracking” toggle on each iPad.

<key>CrossSiteTrackingPreventionRelaxedApps</key>

<array>

<string>com.drc.wbte-ipad.drc</string>

</array>

jr139 · Tuesday

@wsievers Thanks for this! We got things setup in iMazing, uploaded to jamf and deployed to a test device. I can see the domains listed under VPN/Device Management in the Settings app.

I can run the system check and any of the "practice" tests without issues. I think we are good to go, but I did notice that the toggle for "Allow Cross-Website Tracking" under Settings > Apps > DRC Insight is NOT toggled on. Is this toggled on for you after installing the profile @wsievers ?

wsievers · Tuesday

Hello @jr139

By default the installation of DRC App it is turned off. With doing this you should not need to turn it on anymore. This takes place of having to manually toggle that switch for iPads to test. This helped us automate the installation and efficiency of testing with out having to manually touch hundreds of iPads.

I hope this answered your question.

jr139 · Tuesday

Thanks for confirming. I just wanted to check and see if after installing the profile we would physically see that the profile had switched the toggle on or not.

It sounds like we will not see that, and so long as the profile is installed and we can see the profile/domains in VPN/Device Management within settings we should be good to go.

Appreciate your quick reply!

IT-CKrape · 4 weeks ago

CONFIRMED SOLUTION! 😁🎆

THANK YOU SO MUCH!!!

This worked beautifully for us and we were able to get an entire class logged in without checking the box!

bfrench · 4 weeks ago

So is the solution that only the new key is needed? or the new key AND the profile?

wsievers · 4 weeks ago

I had to add the new key to the profile with the URLS and then uploaded it and everything worked.

bfrench · 4 weeks ago

I am not finding the key for Cross Site Tracking Prevention Relaxed Apps in iMazing.

wsievers · 4 weeks ago

I am not sure what to say as that is what I used. I am running version 1.9.2. Maybe it needs an update. I also had the profile saved and reopened it and appended to it.

jr139 · Tuesday

@IT-CKrape, after installing the profile are you seeing the "Allow Cross-Website Tracking" under Settings > Apps > DRC Insight automatically turned on? See my above reply to wsievers.

Thanks for any insight!

IT-CKrape · Tuesday

@jr139 No, I am not seeing the slider under the DRC app altered by this profile installation.

From what I was able to find with DRC documentation, after a certain version of IOS the cross-site tracking slider was no longer necessary, but we have not found this to be the case.

After we installed this profile on our devices, the slider becomes irreverent and the students are simply able to access the content. :-)

Hope this helps!

jr139 · Tuesday

Many thanks for the quick reply! Hard to believe testing season is right around the corner.

IT-CKrape · Tuesday

@jr139 Yeah it is coming up quick!

My district elected to do the Firefly exams that DRC released this year, so we were able to test these profiles / settings in production with the students. I can confirm that they work and that none of our students needed to access the DRC app settings to move the slider.

Since the Firefly exam really doesn't attach to any permanent / historically cached student information, it is a great trial run to ensure functionality if would like that extra peace of mind. :-)

bfrench · 4 weeks ago

My app was up to date but the Preference Manifests were not. After I quit the app a few times I got the pop up to update those lists. Now the key appears in Domains. Will give it a try again

Thanks all.

gcarmichael · 4 weeks ago

Thank you. This seems to have fixed the issue for us as well.

bfrench · 4 weeks ago

Are you using a self signed cert?

wsievers · Tuesday

Hello @bfrench

I am not signing it and letting Jamf deal with that end of things. Sorry for the delay in my response.

meaderp · a week ago

Additionally...

We put the following in the App Configuration in the DRC Insight app itself.

<key>ouIds</key>
<string>YOUR_ORG_ID_NUMBER_FROM_CENTRAL_OFFICE_HERE</string>

This resolved our issues with our iPads

Jamf Nation Community

Relaxed Domains Cross-Site Tracking - No more manually toggling on/off!