Apple @ Work is brought to you by Mosyle, the leader in modern mobile device management (MDM) and security for Apple enterprise and education customers. Over 22,000 organizations leverage Mosyle solutions to automate the management and security of millions of Apple devices daily. Request a FREE account today and discover how you can put your Apple fleet on auto-pilot at a price point that is hard to believe.
When Apple announced all the new features coming to macOS and iOS at WWDC back in June, one of the new announcements was iCloud+, which encompasses all paid iCloud plans. One aspect of iCloud+ is iCloud Private Relay. Since it changes the network path route, enterprises using Apple need to consider it in their device management. So let’s dive into what impact it’s likely to make.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
The idea behind iCloud Private Relay is to protect privacy when users are on public Wi-Fi networks. For example, if someone is at a coffee shop, sports stadium, or restaurant and uses public Wi-Fi, their IP address is visible to all the websites they visit. This has long been a concern for privacy-focused people as they seek to avoid being tracked across the locations they visit. In addition, these websites can use this location data and user browsing habits to build a personal profile to serve you more targeted ads. Of course, ads aren’t always negative, but people deserve the right to stay anonymous if they desire. Here’s how iCloud Private Relay works from a technical perspective:
When Private Relay is enabled, your requests are sent through two separate, secure internet relays. Your IP address is visible to your network provider and to the first relay operated by Apple. Your DNS records are encrypted, so neither party can see the address of the website you’re trying to visit. The second relay, operated by a third-party content provider, generates a temporary IP address, decrypts the website’s name you requested, and connects you to the site. All of this is done using the latest internet standards to maintain a high-performance browsing experience while protecting your privacy.
How iCloud Private Relay impacts Apple enterprises
From an IT perspective, a device with iCloud Private Relay enabled means the services or locations that a user is viewing and the DNS queries that get them there won’t be visible to your traditional network monitoring solutions.
Depending on the type of organization, you may be in an industry that needs to audit all network traffic, so that might become a concern for you. However, in this early implementation of iCloud Private Relay, only Safari traffic will be affected, so traffic from email apps and corporate file sharing apps will remain unaffected. Apple may expand the use of iCloud Private Relay in the future, but currently, it’s just Safari.
How to block iCloud Private Relay
While there isn’t an MDM control to disable iCloud Private Relay on managed devices at this time, it may come in the future. In the short term, Apple’s advice is to return negative answers from your network’s DNS resolver for Apple’s servers:
When this traffic is blocked, the user will be alerted to disable iCloud Private Relay to access the content. However, Apple does advise that blocking is better than delaying traffic or silently dropping IP packets sent to the Private Relay server, as it can lead to delays with how the devices process and relay traffic.