Blocking Apple's iCloud Private Cloud Relay

Have more questions? Submit a request

This article is intended for IT Support


What is Apple's iCloud Private Relay?

iCloud Private Relay (IPR) is a feature new to Apple iOS 15 that can negatively affect your school’s ability to filter devices and meet its compliance obligations.

IPR is a feature new to iOS 15 that, when enabled, obscures the user’s IP address and encrypts their DNS records. Users who have an iCloud+ subscription can enable this feature to attempt to bypass your school’s content filtering rules.

You can find out more about this feature in Apple’s support documentation.

What do I need to do about it?

If you are concerned that IPR will allow students or other users to bypass your content filtering rules, you may need to take action:

  1. Create a new Filter Rule
    1. If your school already has a content filter rule that blocks the VPN and Proxies category, you don’t need to do anything.
    2. If your school doesn’t already block the VPN and Proxies category, create a new Content Filtering Rule that blocks the iCloud Private Relay signature.
  2. Disable IPR using your MDM
    If you manage your school’s iOS devices using a MDM tool, you should use it to disable IPR on all student devices. This is particularly important if you use Connect iOS EDU Supervised Edition.
Caution: This is a new iOS feature and MDM support is limited. We recommend that you temporarily disable automatic device updates for all school-managed iOS devices or contact your MDM provider for advice on how to disable this feature.


What happens to IPR users when I block the iCloud Private Relay signature?

Users may experience loss of internet while their device attempts to negotiate a connection. This may last for up to 10 minutes. When these negotiations fail, the device will tell the user that iCloud Private Relay is disabled and their internet address is available to websites and trackers while on your school’s network.

Can I allow the IPR signature?

Yes, you can allow any signature or category, including the iCloud Private Relay signature. You can also allow the signature only for specific groups of users, such as teachers or IT administrators. However, this will stop those users from being filtered while on your network.

Will my Captive Portal still work for devices using IPR?

Your Captive Portal will still force IPR users to authenticate to your network. However, once they have authenticated, their traffic will be anonymised unless you have a filter rule blocking the iCloud Private Relay signature.

Can IPR be enabled on iOS 14 (and older versions)?

No, IPR is only available on iOS 15.

Will users' personal iOS devices automatically upgrade to iOS 15?

Yes, it’s likely that your users’ personal devices will automatically upgrade to iOS 15. 

Will my school’s managed iOS devices automatically upgrade to iOS 15?

Yes, but only if you have enabled automatic updates. If you’re concerned about the potential impact of this update on your school, we recommend using your MDM tool to disable automatic updates until your tool supports disabling iCloud Private Relay.

Is there a way I can disable iCloud Private Relay without waiting for my MDM?

Workarounds do exist, but Linewize does not recommend their use, as they may not be supported by your MDM tool. Please contact Linewize Support for more information.

Will this impact macOS Monterey?

Yes, however, devices that are managed by the MDM students can be stopped from enabling iCloud Private Relay.

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.