Jamf Security Cloud interoperability with Apple iCloud Private Relay


Updated 5 February 2024

iCloud Private Relay (iCPR) is an Apple feature designed to enhance online privacy: traffic is routed through two separate relays so that no single party, Apple included, can see both the source IP address of a user's Apple device and the websites that user visits.

Because of the way this Apple privacy technology handles name resolution for the traffic it carries, certain DNS-based blocking capabilities within Jamf Security Cloud were initially limited. To keep policies effective and users safe, Jamf recommended disabling iCPR.

In the latest release, Jamf has worked with Apple to adopt a DNS signalling approach: when a Jamf policy blocks a destination, the block is signalled in the DNS response in a form the device honours even while iCloud Private Relay is active. This removes the earlier limitation, so Jamf policies continue to protect users and data while iCloud Private Relay continues to safeguard users' privacy on permitted secure sites.

Delivering Jamf Security Cloud capabilities in a mode compatible with iCloud Private Relay changes what users see when they attempt to visit a site that triggers a Jamf policy block:

  • An Apple native block page is displayed in Safari on iOS 17, iPadOS 17, and macOS 14 devices
  • A blank page is displayed with a network timeout error in other browsers and on earlier Apple versions

Additionally, if notifications are enabled, a browser block also triggers a push notification from the Jamf Trust app explaining why access was denied. With iCloud Private Relay enabled, users who access permitted content connect over Apple's Private Relay infrastructure as usual, so the privacy of their secure traffic is preserved.

For further details on the compatibility of Jamf policies with iCloud Private Relay, see the Block Pages documentation.



New Contributor III

I'm assuming blocking iCPR on the networking stack would not help with the issue?

New Contributor II

@Rebry It will help as long as the device is connected to the network where iCPR is blocked. Once it switches to another Wi-Fi or cellular network, blocking iCPR will not be enforced.
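Two checks usually follow from the article and this thread: whether the filtering resolver actually signals a block in a form a device can act on, and whether the network the device is currently on blocks Private Relay at all. The Python script below is an added example, not code from Jamf or from this page. It assumes the DNS signal in question is an Extended DNS Error option (RFC 8914, EDNS option code 15, with info codes 15 Blocked, 16 Censored, 17 Filtered and 18 Prohibited); the page does not name the signal, so treat that as an assumption. For the network check it follows Apple's published guidance for network operators, under which a network that does not permit Private Relay returns a negative DNS answer for mask.icloud.com and mask-h2.icloud.com. The replies built by build_response are constructed for the offline demo, not captured packets.

```python
import os, socket, struct

EDE_OPTION_CODE = 15    # EDNS option code for Extended DNS Error (RFC 8914); assumed to be the signal used
BLOCK_CODES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}  # EDE info codes
RELAY_NAMES = ("mask.icloud.com", "mask-h2.icloud.com")  # names from Apple's network-operator guidance
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(data, offset):
    # Read a possibly compressed name; returns (name, offset just past it).
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16: raise ValueError("compression pointer loop")  # hostile reply
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def build_query(name, txid, qtype=TYPE_A):
    """A query carrying an EDNS OPT record, so the resolver may attach EDE options."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1; 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)  # root name, UDP payload 4096
    return header + question + opt

def build_response(txid, name, rcode=0, answer_ip=None, ede=None):
    """Constructed resolver reply for the offline demo and tests (not a captured packet)."""
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer, ancount = b"", 0
    if answer_ip:                                  # A record whose name points back at the question
        answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    opt_rdata = b""
    if ede:                                        # (info_code, extra_text)
        value = struct.pack("!H", ede[0]) + ede[1].encode("utf-8")
        opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, len(value)) + value
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(opt_rdata)) + opt_rdata
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, ancount, 0, 1)  # QR, RD, RA
    return header + question + answer + opt

def parse_response(data):
    """Return {'rcode', 'answers', 'ede': [(info_code, text), ...]} for one reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset = flags & 0x0F, 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4                                # QTYPE + QCLASS
    ede = []
    for _ in range(an + ns + ar):
        _, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_OPT:
            rcode |= (ttl >> 24) << 4              # EDNS extended RCODE bits live in the OPT TTL
            pos = 0
            while pos + 4 <= len(rdata):           # walk the EDNS options
                code, length = struct.unpack("!HH", rdata[pos:pos + 4])
                value, pos = rdata[pos + 4:pos + 4 + length], pos + 4 + length
                if code == EDE_OPTION_CODE and len(value) >= 2:
                    ede.append((struct.unpack("!H", value[:2])[0], value[2:].decode("utf-8", "replace")))
    return {"rcode": rcode, "answers": an, "ede": ede}

def classify(resp):
    # What a client can conclude from one reply.
    signalled = [c for c, _ in resp["ede"] if c in BLOCK_CODES]
    if signalled:
        return "blocked-signalled:" + BLOCK_CODES[signalled[0]]
    if resp["rcode"] == 3:
        return "nxdomain"
    if resp["rcode"] == 0:
        return "answered" if resp["answers"] else "nodata"
    return "rcode-%d" % resp["rcode"]

def private_relay_blocked(responses):
    """True when every Private Relay name got a negative answer, i.e. the network opts out of iCPR."""
    return all(classify(responses[n]) in ("nxdomain", "nodata") for n in RELAY_NAMES)

def query(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` (IP string) and return the raw reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch; discarding reply")
    return data
```

On a real network, run `classify(parse_response(query("some-blocked.example", "<resolver ip>")))` against the resolver the device is actually using; a result beginning with `blocked-signalled` means the resolver is telling clients why the name was filtered rather than silently failing. Run `private_relay_blocked({n: parse_response(query(n, "<resolver ip>")) for n in RELAY_NAMES})` to see whether that network opts out of Private Relay, which, as the reply above notes, says nothing about the next Wi-Fi or cellular network the device joins.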