Domains MDM payload settings for Apple devices
You can specify marked domains for iPhone and iPad devices and Mac computers enrolled in a mobile device management (MDM) solution. Use the Domains payload to specify which mail domains are marked in Mail on the device, and which web domains’ documents are considered managed in iOS and iPadOS.
The Domains payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.domains
Supported operating systems and channels: iOS, iPadOS, Shared iPad device, Shared iPad user, macOS device, macOS user.
Supported enrolment types: Device Enrolment, Automated Device Enrolment.
Duplicates allowed: False — only one Domains payload can be delivered to a user or device.
You can use the settings in the table below with the Domains payload.
Unmarked email domains
Mail messages that are addressed to domains not in the approved list are marked in red. For example, a user could have theacmeinc.com and group.theacmeinc.com in a list of known domains. If this user addressed a mail message to firstname.lastname@example.org, that address would be marked so users would know the domain theacmeinc.com wasn’t on the approved list.
Managed Safari web domains
Downloads from Safari are considered managed documents if they originate from a managed domain.
Important: To manage documents downloaded from Safari, disable the option “Allow documents from managed sources in unmanaged destinations” in MDM restrictions for iPhone and iPad devices.
AutoFill Safari password domains
Usernames and passwords entered in websites with Safari can be saved if the domain is listed. More than one domain can be listed.
Cross-site tracking relaxed for domains
(iOS 16.2, iPadOS 16.2)
Up to 10 domains can be added for which Cross-Site Tracking Prevention will be relaxed. Domains should be listed as theacmeinc.com, which includes any subdomains (without needing to use *theacmeinc.com)
Cross-site tracking prevention for relaxed domains
The following devices are supported:
Supervised: iPhone, iPad, Mac
Not supervised: Mac
This functionality is supported by a key in the Domains payload
CrossSiteTrackingPreventionRelaxedDomains. This key can be used to define a list of up to 10 websites that will be relaxed. Each domain listed behaves as a wildcard, so “townshipschools.org” will include “a.townshipschools.org” and “b.a.townshipschools.org”. For an example, see Cross-Site Tracking Prevention for relaxed domains example.
Managed domain examples
You can manage specific URLs and subdomains for an iPhone or iPad. Any documents coming from those domains are then considered managed and follow the behaviour of the existing Managed Open In restrictions. Paths following the domain are managed by default. Alternate subdomains aren’t included unless a wildcard is applied. Domains entered in Safari with “www” (for example, www.theacmeinc.com) are treated as .theacmeinc.com.
Shown in settings
Note: Each MDM vendor implements these settings differently. To learn how various Domains settings are applied to your devices and users, consult your MDM vendor’s documentation.