2.6.4 Ensure Limit Ad Tracking Is Enabled


Apple provides a framework that allows advertisers to target Apple users and end-users with advertisements. While many people prefer to see advertising that is relevant to them and their interests, the detailed information that is collected, correlated, and available to advertisers in repositories via data mining is often disconcerting. This information is valuable to both advertisers and attackers, and has been used with other metadata to reveal users' identities.

Organizations should manage advertising settings on computers rather than allow users to configure the settings.

Apple Information

Ad tracking should be limited on 10.15 and prior.


Organizations should manage user privacy settings on managed devices to align with organizational policies and user data protection requirements.


Uses will see generic advertising rather than targeted advertising. Apple warns that this will reduce the number of relevant ads.


Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.applicationaccess

The key to include is allowApplePersonalizedAdvertising

The key must be set to <false/>

Additional Information:

To verify individual users:


Graphical Method:

Perform the following steps to verify that limited ad tracking is set:

Open Privacy & Security

Select Apple Advertising

Verify that Personalized Ads is not enabled


Open System Settings

Select Privacy & Security

Select Profiles

Verify that an installed profile has allowApplePersonalizedAdvertising set to 0

Terminal Method:

For each user, run the following command to verify that ad tracking is limited:

$ /usr/bin/sudo -u <username> /usr/bin/defaults read /Users/<username>/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising



$ /usr/bin/sudo -u firstuser /usr/bin/defaults read /Users/firstuser/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising


$ /usr/bin/sudo -u seconduser /usr/bin/defaults read /Users/seconduser/Library/Preferences/com.apple.AdLib.plist allowApplePersonalizedAdvertising


In this example, firstuser is compliant and seconduser is not.


Graphical Method:

Perform the following steps to set limited ad tracking:

Open Privacy & Security

Select Apple Advertising

Set Personalized Ads to disabled

Terminal Method:

For each needed user, run the following command to enable limited ad tracking:

$ /usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false


$ /usr/bin/sudo -u seconduser /usr/bin/defaults write /Users/seconduser/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false

See Also


Item Details


References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: e39fd646bb16ed9667d51790e68e909351b1fe7276c35566ee97221a9675db27