Domains MDM payload settings for Apple devices
You can specify marked domains for iPhone, iPad, and Mac devices enrolled in a mobile device management (MDM) solution. Use the Domains payload to specify which mail domains are marked in Mail on the device, and which web domains’ documents are considered managed in iOS and iPadOS.
The Domains payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.domains
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment types: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Domains payload can be delivered to a user or device.
You can use the settings in the table below with the Domains payload.
Setting | Description | Required
---|---|---
Unmarked email domains | Mail messages that are addressed to domains not in the approved list are marked in red. For example, a user could have betterbag.com and group.betterbag.com in a list of known domains. If this user addressed a mail message to anyone@betterbag.com, that address would be marked so users would know the domain betterbag.com wasn’t on the approved list. | No
Managed Safari web domains (iOS, iPadOS) | Downloads from Safari are considered managed documents if they originate from a managed domain. Important: To manage documents downloaded from Safari, disable the option “Allow documents from managed sources in unmanaged destinations” in MDM restrictions for iPhone and iPad devices. | No
AutoFill Safari password domains (Supervised) (iOS, iPadOS) | User names and passwords entered in websites with Safari can be saved if the domain is listed. More than one domain can be listed. | No
Cross-site tracking relaxed for domains (iOS 16.2, macOS 13.1, or later, iPadOS 16.2–17.2) | Up to 10 domains can be added for which cross-site tracking prevention is relaxed. Domains should be listed as betterbag.com, which includes any subdomains (without needing to use *.betterbag.com). Important: In iPadOS 16.2 until iPadOS 17.2, it’s necessary to instruct users to visit the embedding site (for example, youtube.com) directly as a first party, to enable the embedding site to use cookies. In iPadOS 17.2 or later, this step isn’t necessary. | No
Cross-site tracking prevention for relaxed domains
iOS 16.2, iPadOS 16.2, macOS 13.1, or later, have the ability to manage an exception list for cross-site tracking prevention in Safari. As a result, organizations can leave cross-site tracking prevention turned on and benefit from tracking prevention for general browsing but also allow select domains to give third-party embedded resources the ability to use cookies. This is useful, for example, in education, where learning management systems embed content like videos or images stored by third parties, or learning tools offered by third parties and presented in iFrames.
The following devices are supported:
Supervised: iPhone, iPad, Mac
Not supervised: Mac
This functionality is supported by the CrossSiteTrackingPreventionRelaxedDomains key in the Domains payload. This key can be used to define a list of up to 10 websites that will be relaxed. Each domain listed behaves as a wildcard, so “townshipschools.org” will include “a.townshipschools.org” and “b.a.townshipschools.org.” For an example, see Cross-Site Tracking Prevention for relaxed domains example. In this example, if townshipschools.org has embedded content from youtube.com, users must visit youtube.com directly in the browser to allow this embedded domain to use cookies.
Managed domain examples
You can manage specific URLs and subdomains for an iPhone or iPad. Any documents coming from those domains are then considered managed and follow the behavior of the existing Managed Open In restrictions. Paths following the domain are managed by default. Alternate subdomains aren’t included unless a wildcard is applied. Domains entered in Safari with “www” (for example, www.betterbag.com) are treated as .betterbag.com.
Shown in settings | Managed domains | Unmanaged domains
---|---|---
betterbag | betterbag.com/*, www.betterbag.com/* | *.betterbag.com, hr.betterbag.com
betterbag.com/docs | betterbag.com/docs/*, www.betterbag.com/docs/* | betterbag.com, www.betterbag.com, hr.betterbag.com/docs
www.betterbag.com | betterbag.com, www.betterbag.com/*, www.betterbag.com/docs | hr.betterbag.com
*.betterbag.com | *.betterbag.com/* | betterbag.com
*.betterbag.com/docs | *.betterbag.com/docs/* | betterbag.com, www.betterbag.com
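The following is an added example, not code from Apple or from any MDM vendor: a small Python model of the matching rules the table above describes (paths below the entry are managed, other subdomains are excluded unless a `*.` wildcard is used, and a leading `www.` is treated as the bare domain), useful for checking a proposed managed-domain list before deploying it. It assumes the first table row's entry is `betterbag.com`, and it is a model of the documented behavior, not Safari's actual implementation.

```python
from urllib.parse import urlsplit


def _split_entry(entry):
    """Split a payload entry such as '*.betterbag.com/docs' into (host, path)."""
    host, _, path = entry.strip().partition("/")
    return host.lower(), ("/" + path) if path else "/"


def _norm_host(host):
    """Lower-case, drop a trailing dot, and treat 'www.' as the bare domain."""
    host = host.lower().rstrip(".")
    return host[len("www."):] if host.startswith("www.") else host


def _host_matches(entry_host, url_host):
    pattern, host = _norm_host(entry_host), _norm_host(url_host)
    if pattern.startswith("*."):
        # Wildcard covers subdomains only; the bare domain stays unmanaged.
        return host.endswith("." + pattern[2:])
    return pattern == host


def _path_matches(entry_path, url_path):
    if entry_path == "/":
        return True  # the whole site below the domain is managed
    url_path = url_path or "/"
    # Match the directory itself or anything beneath it, but not '/docs-archive'.
    return url_path == entry_path or url_path.startswith(entry_path + "/")


def is_managed(url, entries):
    """Return True if `url` is treated as managed under any of `entries`."""
    if "://" not in url:
        url = "https://" + url  # entries and table rows are written without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    return any(
        _host_matches(h, host) and _path_matches(p, parts.path)
        for h, p in map(_split_entry, entries)
    )


def classify(urls, entries):
    """Map each URL to 'managed' or 'unmanaged' for a candidate entry list."""
    return {u: ("managed" if is_managed(u, entries) else "unmanaged") for u in urls}
```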
Note: Each MDM vendor implements these settings differently. To learn how various Domains settings are applied to your devices and users, consult your MDM vendor’s documentation.