I cant find any details on how to disable Advanced Tracking and Fingerprinting Protection via MDM.
Initially sounds a good feature but changes the DNS settings - which we don't want happening.
I don't see any change in DNS with this fingerprinting option. I use an AdGuard DNS server on the LAN and this logs all queries. Safari on iPadOS and iOS is still hitting this DNS server with Fingerprinting on.
However, when Safari is in Private mode, it does seem to use DoH. I've made a MDM profile that specifies my AdGuard DNS server as a DoH server. This overrides any application specific DoH setting.
[Edited by Moderator]
Rarely does Apple allow an org to make a change that would reduce user privacy. You may eventually see an option to enable it, but not to disable it. Similar to how you can deny camera and mic on macOS remotely, but you cannot enable them.
Content filtering and DLP should be implemented using settings other than DNS such as content filtering, full VPN, or per-app VPN. I've implemented this at multiple large organizations. Messing with DNS is manual and can cause issues with connectivity. These other methods can be done through MDM and will avoid the pitfalls caused by setting DNS.
celliott147 wrote:
...but it can break some websites.
It also broke folks that used piHole and AdGuard on their LAN as their ad blocking DNS server. The only way (I've found) to re-establish using your own DNS server is to enable DoH and install a MDM profile on client devices.
It doesn't actually mess with the DNS. It changes the way the device interacts with certain items on websites, namely tracking items. I'm actively working with my internal engineering team on this because it affects our product.
I can tell you from working at an org that leveraged things that broke with the Advanced Tracking and Fingerprint Protection, you are correct, DNS does not change with this enabled. DoH is the protocol. Enabling the protection makes you much less likely to have targeted ads, but it can break some websites.
DNS isn't a setting that is configurable by MDM. Setting it on a device can cause usage issues on other networks such as on Airplanes, at Hotels, and at Conferences. It is not a recommended best practice by Apple.
We seem to be getting a little off track here - all I'm looking for is up-to-date guidance on MDM that includes the new iOS 17 feature, Advanced Tracking and Fingerprinting Protection.
But at least we are in agreement that we don't want to mess with existing DNS settings - which is exactly what this feature does.
Interesting. To be fair we are not seeing the underlying DNS change but it seems it effectively enables a DoH DNS service within the browser which has the same end effect.
Either way - its a feature we would like to switch off and it would be good if Apple could support their corporate users and provide an option to do so.
Thanks but the new feature changes your DNS on your phone and govt agencies / companies use DNS based services to protect their devices.
Advanced Tracking and Fingerprinting Protection in iOS17 vs MDM / Apple Configurator
