What Apple Admins Need to Know About iCloud Private Relay

Posted on September 24, 2021

iCloud Private Relay is Apple's latest initiative to protect consumer privacy. The service—which debuts as a public beta in macOS Monterey and iOS and iPadOS 15 and will be included with iCloud+ subscriptions—is designed to make it harder for third parties to track users on local and remote networks.

When a user browses the internet—whether at home, in the office, or a coffee shop—specific details, such as their DNS records and IP address, are visible to network providers and the websites they visit. 

Those providers and websites can collect those details to determine the user’s location and browsing habits. That information can then be used to develop a personal profile of the user’s interests, which can, in turn, help target the user with ads and other marketing vehicles. In a worst-case scenario, if the user’s email is correlated with their device, that information can be used to initiate phishing attacks. 

These kinds of privacy invasions are what iCloud Private Relay is designed to prevent.

What Is Private Relay?

Apple will prevent that kind of tracking by forwarding internet traffic from macOS, iOS, and iPadOS through two proxy servers: an ingress server run by Apple and an egress server run by a content provider. That traffic will then proceed to the internet address the user initially requested.

The ingress server can see only the user’s IP address. The egress server can see only the user's request for a specific internet resource. When that request arrives at its destination, the server at that end can’t see anything about its origins; it sees only that the request originated from the egress server. The server responds with the requested resource, which goes back to the egress server, which sends it to the ingress server, and the ingress server delivers the requested content to the user’s device.

The critical thing is that nobody in the chain can see both the user’s IP address and requested resource.

There is one caveat to mention. Some servers use the user’s IP address to determine their location so they can serve up regionally specific content. iCloud Private Relay doesn’t pass along that specific location but instead maps the user's IP address to a shared address for a city or region. That way, the user can still receive regionally appropriate data.

While not all internet data will be funneled through the Private Relay system, much of it—especially from Safari—will. As a result, much of the user’s internet usage will stay private, even from Apple. 

What Private Relay Is Not

It’s tempting to think of Private Relay as a VPN, but that would be misleading. VPNs are encrypted tunnels that let devices connect to resources inside a corporate network when they aren’t directly connected to it—from a coffee shop, say.

When connecting via VPN, the device requests a secure connection from a VPN server. The server authenticates the user and assigns the device an IP address internal to the corporate network. Any traffic to or from the internal network is then automatically routed over the VPN connection. 

In business settings, VPNs offer remote access to corporate network resources using encrypted connections. Because their traffic is encrypted, VPNs do provide some user privacy, but secure remote access is still their primary purpose. Requests for services on the corporate network are still visible to IT.

There are public VPN services that allow consumers to do things like access websites that are blocked from a user’s particular location. In this case, the VPN offers a way to route traffic that would not otherwise be accessible in a given country or region. Again, VPNs provide a level of privacy. But the larger goal is to remotely access regionally demarcated parts of the internet. 

Private Relay isn’t concerned about connecting to remote services. Its focus is solely on providing privacy for users. 

What Private Relay Means to IT

From an IT admin’s viewpoint, Private Relay will mean you’ll start seeing network traffic headed to and from Apple’s ingress server. The services or locations a user is viewing and the DNS queries that get them there won’t be visible to traditional network monitoring solutions. 

This might seem to be a problem for some organizations, particularly in the healthcare, finance, education, and other sectors that need to audit network traffic to adhere to government regulations. But it’s essential to keep a couple of things in mind.

First, while the service is in beta, Apple will only be routing traffic from Safari through the Private Relay system. Apple will likely expand what Private Relay can handle as time goes forward and the system emerges from beta.

Second, Apple’s official advice for organizations that want to disallow Private Relay on their networks is to block the addresses used by the system. When that advice is implemented, the device will inform users and let them connect to the network or select another one instead.
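One way to confirm that such a block is actually in effect is to audit resolver logs for Private Relay lookups. The sketch below is an added example, not part of the original post or of any Apple or Kandji tooling; it assumes the hostnames mask.icloud.com and mask-h2.icloud.com from Apple's published network guidance (this page does not list them) and a constructed, hypothetical log format.

```python
import re
from collections import defaultdict

# Hostnames Apple documents for Private Relay DNS lookups
# (assumption relative to this page, which does not name them).
RELAY_HOSTS = {"mask.icloud.com", "mask-h2.icloud.com"}

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=\S+ rcode=(?P<rcode>\S+) answers=(?P<answers>\d+)"
)

def classify(rcode, answers):
    """Map one resolver response to its effect on Private Relay."""
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and answers == 0):
        return "blocked"   # clean negative answer: relay unavailable here
    if rcode == "NOERROR":
        return "allowed"   # relay address handed out: traffic is hidden
    return "error"         # SERVFAIL etc.: a failure, not a clean block

def audit_relay_dns(lines):
    """Return {client: set of outcomes} for Private Relay lookups only."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["qname"].rstrip(".").lower() in RELAY_HOSTS:
            seen[m["client"]].add(classify(m["rcode"], int(m["answers"])))
    return dict(seen)

def policy_gaps(lines):
    """Clients that received a usable relay answer despite a block policy."""
    return sorted(c for c, o in audit_relay_dns(lines).items() if "allowed" in o)

# Constructed sample log (hypothetical format, private addresses).
SAMPLE_LOG = [
    "2021-09-24T10:00:01Z client=10.0.4.21 qname=mask.icloud.com qtype=A rcode=NOERROR answers=2",
    "2021-09-24T10:00:02Z client=10.0.4.21 qname=www.example.com qtype=A rcode=NOERROR answers=1",
    "2021-09-24T10:00:03Z client=10.0.4.35 qname=mask.icloud.com. qtype=A rcode=NXDOMAIN answers=0",
    "2021-09-24T10:00:04Z client=10.0.4.35 qname=mask-h2.icloud.com qtype=AAAA rcode=NOERROR answers=0",
    "2021-09-24T10:00:05Z client=10.0.4.52 qname=MASK-H2.icloud.com qtype=A rcode=NOERROR answers=1",
    "2021-09-24T10:00:06Z client=10.0.4.52 qname=mask.icloud.com qtype=A rcode=NXDOMAIN answers=0",
    "2021-09-24T10:00:07Z client=10.0.4.60 qname=mask.icloud.com qtype=A rcode=SERVFAIL answers=0",
]

if __name__ == "__main__":
    for client, outcomes in sorted(audit_relay_dns(SAMPLE_LOG).items()):
        print(client, sorted(outcomes))
    print("policy gaps:", policy_gaps(SAMPLE_LOG))
```

A client that shows both "allowed" and "blocked" usually means only one of the two hostnames is covered by the block rule, or that the device is also using a resolver the policy does not reach.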

If your corporate websites require location information to deliver resources, you can set them up to prompt users for that information. If they’re set up to identify users by IP address, they can instead require some kind of login.

Private Relay is all part of Apple’s ongoing effort to protect user privacy. But Apple is also providing ways for network admins to do their jobs—auditing traffic, appropriately filtering content, and so on. While Private Relay might require IT to make some adjustments, those changes will help protect your users and ultimately reduce your own risks.
