Domains MDM payload settings for Apple devices
You can specify marked domains for iPhone, iPad, and Mac devices enrolled in a mobile device management (MDM) solution. Use the Domains payload to specify which mail domains are marked in Mail on the device, and which web domains’ documents are considered managed in iOS and iPadOS.
The Domains payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.domains
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Domains payload can be delivered to a user or device.
You can use the settings in the table below with the Domains payload.
The following devices are supported:
Supervised: iPhone, iPad, Mac
Not supervised: Mac
Setting | Description | Required
---|---|---
Unmarked email domains | Mail messages that are addressed to domains not in the approved list are marked in red. For example, a user could have betterbag.com and group.betterbag.com in a list of known domains. If this user addressed a mail message to anyone@betterbag.com, that address would be marked so users would know the domain betterbag.com wasn’t on the approved list. | No
Managed Safari web domains (iOS, iPadOS) | Downloads from Safari are considered managed documents if they originate from a managed domain. Important: To manage documents downloaded from Safari, disable the option “Allow documents from managed sources in unmanaged destinations” in MDM restrictions for iPhone and iPad devices. | No
AutoFill Safari password domains (Supervised) (iOS, iPadOS) | User names and passwords entered in websites with Safari can be saved if the domain is listed. More than one domain can be listed. | No
Cross-site tracking relaxed domains (Supervised) (iOS 16.2, macOS 13.1, or later, iPadOS 16.2–17.2) | Up to 10 domains can be added for which cross-site tracking prevention is relaxed. Domains should be listed as betterbag.com, which includes any subdomains (without needing to use *betterbag.com). Important: In iPadOS 16.2 until iPadOS 17.2, it’s necessary to instruct users to visit the embedding site (for example, youtube.com) directly as a first party, to enable the embedding site to use cookies. In iPadOS 17.2 or later, this step isn’t necessary. | No
Cross-site tracking relaxed apps (Supervised) (iOS 18, iPadOS 18, macOS 18, or later) | Up to 10 apps can be added within which domains specified with the | No
Cross-site tracking prevention relaxed domains
On devices with iOS 16.2, iPadOS 16.2, macOS 13.1, or later, you have the ability to manage an exception list for Cross-Site Tracking Prevention in Safari. As a result, organizations can leave Cross-Site Tracking Prevention turned on and benefit from tracking prevention for general browsing, while also allowing select domains to give third-party embedded resources the ability to use cookies. This is useful, for example, in education, where learning management systems embed content like videos or images stored by third parties, or learning tools (LTI tools) offered by third parties and presented in iframes.
This functionality is supported by a key in the Domains payload, CrossSiteTrackingPreventionRelaxedDomains. This key can be used to define a list of up to 10 websites that will be relaxed. Each domain listed behaves as a wildcard, so “townshipschools.org” will include “a.townshipschools.org” and “b.a.townshipschools.org.”
For an example, see Relaxed domains example.
Cross-site tracking prevention relaxed apps
On devices with iOS 18, iPadOS 18, macOS 15, or later, you have the ability to specify up to 10 native apps within which specified domains are relaxed. This functionality is supported by the CrossSiteTrackingPreventionRelaxedApps key. The key can be used to define a list of up to 10 apps by bundle ID for which domains (specified with the CrossSiteTrackingPreventionRelaxedDomains key) are relaxed.
For more information, see Relaxed apps example.
If you want to do both relaxed domains and relaxed apps in a single profile, see the combined example.
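The following Python script is an added example, not Apple’s code and not one of the linked examples. It builds a Domains payload (payload type com.apple.domains) carrying the two keys this section describes, enforces the limits the page states (at most 10 domains and 10 apps, domains listed as bare names without a wildcard, apps only alongside domains), serializes it with plistlib, and mirrors the “each domain behaves as a wildcard” rule so you can check which hosts an entry will cover before deploying it. The payload identifier and the bundle ID are constructed placeholders; the generic PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion and PayloadDisplayName keys are the standard configuration-profile keys.

```python
"""Build and sanity-check a Domains payload that relaxes Cross-Site Tracking
Prevention for a list of domains and, optionally, a list of apps.
Added example: key names and the limit of 10 come from the Apple page;
the identifier and bundle IDs below are constructed placeholders."""
import plistlib
import re
import uuid

MAX_ENTRIES = 10  # upper bound the page states for both relaxed-domains and relaxed-apps

# A host name made of dot-separated labels (letters, digits, hyphens; no leading or trailing
# hyphen). No scheme, no path and no "*." prefix: the page says an entry already covers its subdomains.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Reverse-DNS style bundle identifier such as com.example.lms (placeholder form)
_BUNDLE_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_relaxed_domains(domains):
    """Return the cleaned, de-duplicated list or raise ValueError for the first problem found."""
    cleaned = []
    for entry in domains:
        d = entry.strip().lower().rstrip(".")
        if d.startswith("*."):
            raise ValueError(f"{entry!r}: drop the wildcard; {d[2:]!r} already covers its subdomains")
        if "://" in d or "/" in d:
            raise ValueError(f"{entry!r}: list a bare domain, not a URL")
        if not _DOMAIN_RE.match(d):
            raise ValueError(f"{entry!r}: not a valid host name")
        if d not in cleaned:
            cleaned.append(d)
    if len(cleaned) > MAX_ENTRIES:
        raise ValueError(f"{len(cleaned)} domains listed; at most {MAX_ENTRIES} are supported")
    return cleaned


def validate_relaxed_apps(apps):
    """Return the cleaned list of bundle IDs or raise ValueError."""
    cleaned = []
    for entry in apps:
        b = entry.strip()
        if not _BUNDLE_RE.match(b):
            raise ValueError(f"{entry!r}: not a bundle identifier")
        if b not in cleaned:
            cleaned.append(b)
    if len(cleaned) > MAX_ENTRIES:
        raise ValueError(f"{len(cleaned)} apps listed; at most {MAX_ENTRIES} are supported")
    return cleaned


def build_domains_payload(relaxed_domains, relaxed_apps=(),
                          identifier="com.example.mdm.domains", payload_uuid=None):
    """Return the payload dictionary. Relaxed apps only have an effect together with relaxed domains."""
    domains = validate_relaxed_domains(relaxed_domains)
    apps = validate_relaxed_apps(relaxed_apps)
    if apps and not domains:
        raise ValueError("relaxed apps need at least one relaxed domain to apply to")
    payload = {
        "PayloadType": "com.apple.domains",
        "PayloadIdentifier": identifier,                       # placeholder identifier
        "PayloadUUID": payload_uuid or str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Domains",
        "CrossSiteTrackingPreventionRelaxedDomains": domains,
    }
    if apps:
        payload["CrossSiteTrackingPreventionRelaxedApps"] = apps
    return payload


def to_plist(payload):
    """Serialize the payload dictionary as XML plist bytes."""
    return plistlib.dumps(payload)


def is_relaxed(domains, host):
    """Apply the page's wildcard rule: an entry covers itself and every subdomain beneath it."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    p = build_domains_payload(["townshipschools.org", "betterbag.com"], ["com.example.lms"])
    print(to_plist(p).decode())
```

The payload dictionary is what goes into the PayloadContent array of a profile; whether you hand the plist to your MDM directly or enter the same values in its console depends on the vendor (see the note at the end of the page).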
Managed domain examples
You can manage specific URLs and subdomains for an iPhone or iPad. Any documents coming from those domains are then considered managed and follow the behavior of the existing Managed Open In restrictions. Paths following the domain are managed by default. Alternate subdomains aren’t included unless a wildcard is applied. Domains entered in Safari with “www” (for example, www.betterbag.com) are treated as .betterbag.com.
Shown in settings | Managed domains | Unmanaged domains
---|---|---
betterbag | betterbag.com/*, www.betterbag.com/* | *.betterbag.com, hr.betterbag.com
betterbag.com/docs | betterbag.com/docs/*, www.betterbag.com/docs/* | betterbag.com, www.betterbag.com, hr.betterbag.com/docs
www.betterbag.com | betterbag.com, www.betterbag.com/*, www.betterbag.com/docs | hr.betterbag.com
*.betterbag.com | *.betterbag.com/* | betterbag.com
*.betterbag.com/docs | *.betterbag.com/docs/* | betterbag.com, www.betterbag.com
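The matcher below is an added example, not Apple’s implementation, that encodes the rules in the table above so you can predict which downloads will be treated as managed before pushing a list: an entry without a path manages every path under its host, a path entry manages that path and everything beneath it, “www.” is folded into the apex for both the entry and the visited host, and a “*.” entry covers every subdomain but not the apex itself. The first table row is read here as the domain betterbag.com, and the sample URLs are constructed.

```python
"""Decide whether a URL falls under a managed Safari web domain entry,
following the matching rules in the managed-domain table.
Added example; not Apple's code. Sample URLs are constructed."""


def _split(target):
    """Return (lowercase host without userinfo/port, path without trailing slash) for a URL or bare domain."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host, slash, rest = target.partition("/")
    host = host.split("@")[-1].split(":")[0].lower()
    path = ("/" + rest) if slash else ""
    path = path.split("?", 1)[0].split("#", 1)[0]   # query and fragment never affect the match
    return host, path.rstrip("/")


def parse_pattern(pattern):
    """Return (wildcard, apex_host, path_prefix) for an entry as typed in the Domains settings."""
    host, path = _split(pattern)
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    elif host.startswith("www."):
        host = host[4:]          # "www.betterbag.com" is treated as betterbag.com
    return wildcard, host, path


def _host_matches(wildcard, apex, host):
    if wildcard:
        # "*.betterbag.com" covers every subdomain but not the apex betterbag.com
        return host.endswith("." + apex)
    if host.startswith("www."):
        host = host[4:]          # the www host and the apex are the same entry
    return host == apex


def _path_matches(prefix, path):
    # No path on the entry manages every path under the host; otherwise the path and everything under it
    return not prefix or path == prefix or path.startswith(prefix + "/")


def is_managed(patterns, url):
    """True if any configured entry manages the document at this URL."""
    host, path = _split(url)
    return any(_host_matches(w, apex, host) and _path_matches(p, path)
               for w, apex, p in map(parse_pattern, patterns))


if __name__ == "__main__":
    entries = ["betterbag.com/docs", "*.betterbag.com/docs"]
    for u in ["https://www.betterbag.com/docs/plan.pdf", "https://betterbag.com/",
              "https://hr.betterbag.com/docs/file", "https://hr.betterbag.com/"]:
        print(f"{u}: {'managed' if is_managed(entries, u) else 'unmanaged'}")
```

Because the entry is only the host and path prefix, the scheme, port, query string and fragment of the visited URL play no role; that is why `_split` discards them before comparison.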
Note: Each MDM vendor implements these settings differently. To learn how various Domains settings are applied to your devices and users, consult your MDM vendor’s documentation.