iCloud Private Relay (iCPR) is a feature provided by Apple designed to enhance online privacy by ensuring that neither the source IP of users' Apple devices nor the websites they visit can be accessed by a single entity.
iCPR currently limits some of Jamf's Security Cloud capabilities. Specifically, when iCPR is enabled on an Apple device, publicly resolvable websites that are accessed via Safari or a third-party app using iCPR cannot be blocked or restricted by:
- Internet content filtering or security capabilities deployed through Secure DNS
- Network access capability (when a device risk exceeds the policy threshold or when Jamf Trust is disabled)
To address this, our Enabling the HTTPS Block Page for Supervised Apple Devices documentation provides steps for administrators to disable iCPR on managed, supervised devices. This ensures that Jamf Security Cloud policies can be fully applied to your organization's devices and keep your users safe.
In addition, with the introduction of iOS 17, iPadOS 17, and macOS Sonoma, Apple is expanding their privacy protections to cover private browsing of unencrypted websites in Safari. The result of this change is that access to publicly resolvable unencrypted (HTTP hosted) websites during a Safari private browsing session also cannot be protected by the Jamf Security Cloud capabilities detailed above. This applies regardless of whether iCPR is turned on or off.
Workaround: Disable the use of Private tabs in Safari by deploying a configuration profile with a content filter set to "Limit Adult Content" to supervised iOS and iPadOS devices.
Jamf is working closely with Apple to improve the way that Jamf security services and iCloud Private Relay work together. As we have additional updates about enhancements to this functionality, we will provide additional communications.
