2.5.6 Ensure Limit Ad Tracking Is Enabled

Information

Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer to see advertising that is relevant to them and their interests, the detailed information that is collected, correlated, and available to advertisers in repositories via data mining is often disconcerting. This information is valuable to both advertisers and attackers, and has been used with other metadata to reveal users' identities.

Organizations should manage advertising settings on computers rather than allow users to configure the settings.

Apple Information

Ad tracking should be limited on 10.15 and prior.

Rationale:

Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.

Impact:

Uses will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads.

Solution

Graphical Method:
Perform the following steps to set limited ad tracking:

Open System Preferences

Select Security & Privacy

Select Privacy

Select Apple Advertising

Set Personalized Ads to disabled

Terminal Method:
For each needed user, run the following command to enable limited ad tracking:

$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false

example:

$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowApplePersonalizedAdvertising

The key must be set to <false/>

Note: Since the profile method sets a system-wide setting and not a user-level one, the profile method is the preferred method. It is always better to set system-wide than per user.

See Also

https://workbench.cisecurity.org/files/4180