Blocking Apple's iCloud Private Relay

This article is intended for IT Support

Apple’s iCloud Private Relay is a privacy feature of iOS and macOS that routes Safari browsing through Apple-operated relay servers so that neither the network nor the destination site sees both the user and what they are visiting. On a school network, a user can enable it to circumvent your content filtering rules. You can prevent your users from using Private Relay to reach inappropriate content by taking the following steps.

Private Relay only applies to users who:

  • are running iOS/iPadOS 15 or newer, or macOS Monterey (12.6.6) or newer,
  • have a paid iCloud+ subscription,
  • have enabled Private Relay, and
  • are using Safari or Apple Mail.

Private Relay hides these users’ real IP addresses from the sites they visit and encrypts their DNS queries so you cannot see them. This may prevent School Manager from properly filtering their device, or cause School Manager to flag all of their traffic as VPN usage in your monitoring reports. Private Relay does not proxy encrypted (HTTPS) traffic from other apps on the device, so that traffic is still filtered and reported as usual. Note, however, that the device’s DNS queries and any unencrypted HTTP traffic from other apps also go through the relay while it is enabled.

Disabling Private Relay

If you use Apple School Manager (ASM) or Apple Business Manager (ABM), Private Relay is not available while users are signed in with Managed Apple IDs, because Managed Apple IDs do not support iCloud+ subscriptions.

If you do not use Managed Apple IDs, you can use your MDM or endpoint management tool to disable Private Relay. On supervised devices this is done with the Restrictions payload key allowCloudPrivateRelay set to false (available on iOS 15 and macOS 12 or newer).

Select your vendor’s article below. Each MDM vendor has a different name for the functions used to manage iCloud and Private Relay. We have included the name of the function in the link title. Please contact your vendor’s support team if you need further assistance disabling Private Relay.

Blocking Private Relay on BYO Devices  

If your users or guests can connect Bring Your Own (BYO) devices to your school network, you can create a new Filtering Policy to block Private Relay:

  1. Go to Filtering > Content filtering and check for any rules blocking the VPN and Proxies category. If the category is already blocked for the affected users, you don’t need to take further action.
  2. Otherwise, create a new Content Filtering Rule that blocks the iCloud Private Relay signature for the affected users.

[Image: Content Filtering Rule blocking the iCloud Private Relay signature]
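The rule above works because a device has to look up Apple’s relay servers before Private Relay can start; Apple documents that a network can stop negotiation by answering DNS queries for mask.icloud.com and mask-h2.icloud.com with NXDOMAIN. The following script is an added example, not Linewize or School Manager code: it shows that resolver policy with a per-group allow-list (the “allow for teachers” case from the FAQ) and a small parser that counts negotiation attempts per client in a resolver query log. The subnets, group names, log format and log lines are constructed for the example.

```python
"""
Added example, not code from Linewize or School Manager.

Apple documents that a network can stop Private Relay from negotiating by
answering DNS queries for mask.icloud.com and mask-h2.icloud.com with NXDOMAIN.
This script shows that policy with a per-group allow-list, and a small parser
that counts negotiation attempts per client in a resolver query log.
Subnets, group names and log lines below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# Names the device resolves to locate Apple's relay servers (documented by Apple).
PRIVATE_RELAY_HOSTS = frozenset({"mask.icloud.com", "mask-h2.icloud.com"})

# Hypothetical mapping of network ranges to user groups.
GROUPS: Dict[str, ipaddress.IPv4Network] = {
    "teachers": ipaddress.ip_network("10.10.0.0/16"),
    "students": ipaddress.ip_network("10.20.0.0/16"),
    "byod": ipaddress.ip_network("10.30.0.0/16"),
}
# Groups allowed to keep Private Relay (their Safari/Mail traffic will not be filtered).
ALLOW_RELAY_FOR = frozenset({"teachers"})


def group_for(client_ip: str) -> Optional[str]:
    """Return the group whose range contains client_ip, or None if unknown."""
    ip = ipaddress.ip_address(client_ip)
    for name, net in GROUPS.items():
        if ip in net:
            return name
    return None


def is_private_relay_query(qname: str) -> bool:
    """True if the query name is one of Apple's relay discovery names."""
    return qname.rstrip(".").lower() in PRIVATE_RELAY_HOSTS


def resolver_decision(client_ip: str, qname: str) -> str:
    """Decide how the school resolver should treat a query.

    Returns "NXDOMAIN" when the query must be refused so that Private Relay
    negotiation fails, or "RESOLVE" when the query proceeds normally.
    Clients outside every known range are treated like BYO devices and blocked.
    """
    if not is_private_relay_query(qname):
        return "RESOLVE"
    if group_for(client_ip) in ALLOW_RELAY_FOR:
        return "RESOLVE"
    return "NXDOMAIN"


# Constructed query-log lines in a BIND-like shape:
# "<time> client <ip>#<port>: query: <name> IN <type>"
SAMPLE_LOG = """\
08:15:02 client 10.20.5.7#52113: query: mask.icloud.com IN HTTPS
08:15:02 client 10.20.5.7#52114: query: mask-h2.icloud.com IN A
08:15:03 client 10.10.1.2#40001: query: mask.icloud.com IN A
08:15:05 client 10.30.0.44#61000: query: mask.icloud.com IN A
08:15:06 client 10.20.5.7#52120: query: www.apple.com IN A
08:15:07 client 10.20.9.1#50000: query: www.example.org IN A
"""

LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def relay_attempts(log_text: str) -> Dict[str, int]:
    """Count Private Relay discovery queries per client IP, allowed or not."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_private_relay_query(m["qname"]):
            counts[m["ip"]] += 1
    return dict(counts)


def blocked_attempts(log_text: str) -> Dict[str, int]:
    """Same count, restricted to clients whose query the policy refuses."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and resolver_decision(m["ip"], m["qname"]) == "NXDOMAIN":
            counts[m["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in relay_attempts(SAMPLE_LOG).items():
        print(f"{ip} ({group_for(ip)}): {n} relay discovery queries, "
              f"policy={resolver_decision(ip, 'mask.icloud.com')}")
```

A DNS block like this only affects devices that use your network’s resolver, so blocking the VPN and Proxies category or the iCloud Private Relay signature in School Manager remains the simpler and more complete control; the attempt counts are useful for seeing which devices are still trying to negotiate after the rule is in place.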

FAQ

What happens to Private Relay users when I create a policy to block iCloud Private Relay?

Users may lose internet access in Safari and Apple Mail while their device keeps trying to negotiate a relay connection. This can last for up to 10 minutes. Once negotiation fails, the device tells the user that iCloud Private Relay is unavailable on the network and that their IP address is visible to websites and trackers, and Safari and Mail traffic then flows normally through your filter.

Can I allow the Private Relay signature?

Yes, you can allow any signature or category, including the iCloud Private Relay signature. You can also allow the signature only for specific groups of users, such as teachers or IT administrators. However, the Safari and Apple Mail traffic of the allowed groups will then no longer be filtered or accurately reported while they are on your network.

Will my Captive Portal still work for devices using Private Relay?

If you have a Linewize appliance and are using Captive Portal, users will still be challenged to authenticate to your school network even if they have Private Relay enabled. Once they have authenticated, their traffic inside Safari and Apple Mail will be anonymised unless you have a block policy using the iCloud Private Relay signature or the VPN and Proxies category.

Can Private Relay be enabled on iOS 14 (and older versions)?

No, Private Relay is available in iOS/iPadOS 15+ and macOS Monterey (12.6.6) and newer.
