Information
Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer that when they see advertising it is relevant to them and their interests, the detailed information that is data mining collected, correlated, and available to advertisers in repositories is often disconcerting. This information is valuable to both advertisers and attackers and has been used with other metadata to reveal users' identities.
Organizations should manage advertising settings on computers rather than allow users to configure the settings.
Apple Information
Ad tracking should be limited on 10.15 and prior.
Rationale:
Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.
Impact:
Uses will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads.
Solution
Profile Method:
Create or edit a configuration profile with the following information:
The PayloadType string is com.apple.Safari
The key to include is WebKitPreferences.privateClickMeasurementEnabled
The key must be set to: <true/>
Note: A user can still uncheck this option in the GUI, but it remains on in the background and will show it enabled when re-launching Safari.
Additional Information:
To verify individual users:
Audit:
Graphical Method:
Perform the following steps to verify that allow privacy-preserving measurement of ad effectiveness in Safari is enabled:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Verify that Allow privacy-preserving measurement of ad effectiveness is enabled
or
Open System Settings
Select 'Privacy & Security
Select Profiles
Verify that an installed profile has WebKitPreferences.privateClickMeasurementEnabled set 1
Terminal Method:
Run the following command to verify that allow privacy-preserving measurement of ad effectiveness in Safari is not disabled:
$ /usr/bin/sudo -u <username> /usr/bin/defaults read /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled
1
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults read /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled
1
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.
Note: The default setting is not auditable through the command line. Please turn off the check and re-enable when the GUI does not reflect the audited results, or run the Terminal command(s).
Remediation:
Graphical Method:
Perform the following steps to set Safari to allow privacy-preserving measurement of ad effectiveness:
Open Safari
Select Safari from the menu bar
Select Settings
Select Privacy
Set Allow privacy-preserving measurement of ad effectiveness to enabled
Terminal Method:
Run the following command to enable allow privacy-preserving measurement of ad effectiveness in Safari:
$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true
example:
$ /usr/bin/sudo -u firstuser /usr/bin/defaults write /Users/firstuser/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari WebKitPreferences.privateClickMeasurementEnabled -bool true
Note: To run the Terminal commands, Terminal must be granted Full Disk Access in the Security & Privacy pane in System Preferences.