How Apple's iCloud Private Relay powers enterprise VPNs

Apple's iCloud Private Relay service offers privacy, security, and convenience to users, and is best viewed as a limited form of virtual private network that protects their Safari browsing activity from prying eyes. But is it compatible with an enterprise's existing virtual private network system? The answer is yes. Apple designed it that way.

iCloud Private Relay and Enterprise VPNs

While reliable statistics on VPN usage are hard to find, Security.org estimates that two-thirds of Americans have used a VPN, with about 38 million people using it regularly. The shift to remote work from home during the COVID-19 pandemic has also significantly increased such use, with 68% of businesses starting or increasing their use of such services.

The implication is that more businesses than ever before are using virtual private network services, and they want to know if those services are compatible with iCloud Private Relay.

"iCloud Private Relay is designed to provide clear status information and control for users, and appropriate controls for enterprises and network operators who may need to audit all traffic on their networks," Apple explained in a recent service guide.

How iCloud Private Relay works

In simple terms, iCloud Private Relay works by separating a user's identity from the nature of their Safari web browsing sessions.

When they request access to a website, the request is sent through two separate internet relays operated by two different entities:

  • One (the "entry proxy") sees the user's originating IP address, but does not know the name of the website they requested.
  • Another (the "exit proxy") connects to the site using an assigned IP address that has nothing to do with the user.
  • The idea is that no single party can link the user's identity to the websites they visit and gain access to that combined information.

The system is powerful enough to support a location-personalized web experience, but it doesn’t break regional content restrictions. So if you want to watch American streaming video on Netflix in Lisbon, Portugal, you’ll need to use a VPN. And you should carefully review the VPN service of your choice.

The system uses TLS 1.3 to encrypt what happens between the user's device and the entry and exit proxies. Users can browse Apple's dedicated Private Relay page and its recent documentation to learn more about the system.

How iCloud Private Relay supports existing enterprise VPNs

It coexists with existing enterprise security systems (including virtual private networks) as follows:

  • iCloud Private Relay only protects connections made to public internet servers.
  • iCloud Private Relay allows users to directly access local or private servers (such as a company's servers).
  • If it detects that the server being used is not a public internet name, it instructs the device to access the server directly over the local network.
  • To prevent spoofing attempts by attackers who might impersonate a local web server to capture data, devices are never allowed to connect directly to names that appear in DuckDuckGo's list of known trackers.
  • iCloud Private Relay does not attempt to proxy traffic that it identifies as specific to the local network.
  • Most managed network configurations used by enterprises take precedence over Private Relay.
  • If the device has a VPN installed, traffic through that VPN will not use iCloud Private Relay.
  • Likewise, a proxy configuration such as a global proxy will be used instead of iCloud Private Relay.
  • If the user's network prohibits the use of proxy servers, iCloud Private Relay will not work.

What all this means is that if you're using a corporate VPN, iCloud Private Relay leaves that VPN traffic alone. If you're using a local network or global proxy server, or if you prohibit the use of proxy servers on your network, it will not provide any protection.

Another exception relates to those using custom encrypted DNS settings, as the specified DNS servers will be used instead of iCloud Private Relay.
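As an added example (not from the article, Apple, or DuckDuckGo), the following Python model encodes the bypass rules above so an administrator can reason about which Safari connections will actually be relayed on a given network. The private-suffix set and tracker list are constructed stand-ins for the real lists, which this page does not reproduce.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample data: suffixes treated as non-public names, and a
# stand-in for DuckDuckGo's tracker list (the real lists are not on this page).
PRIVATE_SUFFIXES = {"local", "internal", "corp", "lan", "home"}
KNOWN_TRACKERS = {"metrics.tracker.local"}


@dataclass
class DeviceState:
    """Device and network conditions that decide whether Private Relay is used."""
    private_relay_enabled: bool = True
    from_safari: bool = True            # only Safari sessions are protected
    vpn_active: bool = False            # VPN traffic bypasses Private Relay
    global_proxy_configured: bool = False
    custom_encrypted_dns: bool = False  # specified DNS servers are used instead
    network_blocks_relay: bool = False  # network prohibits proxy servers


def is_public_internet_name(host: str) -> bool:
    """True if the destination looks like a public internet name or address."""
    try:
        return ipaddress.ip_address(host).is_global   # IP literal
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:            # single-label names resolve on the local network
        return False
    return labels[-1] not in PRIVATE_SUFFIXES


def route_for(host: str, state: DeviceState) -> str:
    """Return how a Safari connection to `host` is carried under the page's rules."""
    if not state.private_relay_enabled or not state.from_safari:
        return "direct"
    if state.vpn_active:
        return "vpn"
    if state.global_proxy_configured:
        return "proxy"
    if state.custom_encrypted_dns:
        return "custom-dns"
    # Known tracker names are never contacted directly, even if they look local
    # (anti-spoofing rule); other non-public names go straight over the LAN.
    needs_relay = host in KNOWN_TRACKERS or is_public_internet_name(host)
    if not needs_relay:
        return "direct"
    if state.network_blocks_relay:
        return "blocked"   # user is told to disable Private Relay or switch networks
    return "relay"
```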

What about MDM systems?

If an enterprise manages a group of devices, it can enable or disable iCloud Private Relay using its MDM tools: Apple allows these systems to install a management configuration profile on the device that disables iCloud Private Relay.

What about network auditing?

Some industries, especially highly sensitive or heavily regulated ones, require logging of network traffic. If an enterprise needs to audit network traffic, it can block access to iCloud Private Relay.

If an enterprise blocks the use of the service on its network, users will be notified with an error message letting them know they must disable Private Relay for that network or use another network.

Therefore, convincing employees to use secure networks instead of others may be the biggest security challenge facing enterprises.

What else should you know?

With many employees working remotely from home, it's important to understand what iCloud Private Relay can't protect. iCloud Private Relay works well to protect remote users' browsing traffic when they're working or transacting with public servers using Wi-Fi or a wired internet connection, but it doesn't protect traffic sent over cellular networks.

It is also important to note that only Safari sessions are protected. Traffic from apps, email clients, or other browsers is not protected. If an enterprise needs to protect all of its online traffic (e.g. apps, services, email, etc.), a VPN is still required.

"As the use of virtual private networks grows in the enterprise, Apple mobile devices are now a greater target for security threats," wrote Garrett Denney, senior manager at Jamf.

How to Enable and Disable Private Relay

Private Relay is available to iCloud+ subscribers running iOS 15, iPadOS 15, or macOS Monterey or later.

To enable it, open Settings (System Preferences on a Mac), then open the Apple ID > iCloud section and toggle Private Relay to On, or toggle it to Off to disable the service.
