Apple's iCloud Private Relay service offers users privacy, security, and convenience. It's best viewed as a limited form of virtual private network (VPN) that protects a user's Safari browsing activity from prying eyes. But is it compatible with your company's existing VPN systems?
(TL;DR: Yes.)
iCloud Private Relay and Corporate VPN
Solid VPN usage statistics are relatively hard to come by. Security.org states that two-thirds of Americans have used a VPN and around 38 million people use these tools regularly. The shift to working from home during the pandemic may have caused an increase in that use, with 68% of businesses starting or increasing their use of these services.
The implication is that more businesses than ever before are relying on VPN services and will need to know whether they work alongside iCloud Private Relay.
The short answer is yes, they are compatible. Apple designed it that way.
"Private Relay is designed to provide clear status and control information to the user, and provide appropriate controls for enterprises and network operators that may need the ability to audit all traffic on their network," the company explains in its recently published network guide.
How iCloud Private Relay works
In its simplest form, iCloud Private Relay works by separating a user's identity from the nature of their Safari web browsing session.
When they make a request to visit a site, the request is sent through two separate Internet relays operated by two different entities.
- The first, the ingress (or "inbound") proxy, sees the user's real IP address but not the name of the site being requested.
- The second, the egress (or "outbound") proxy, sees the site name and connects to it from an assigned IP address that is not tied to the user, so the site never sees the user's real address.
- The result is that no single party in the chain can see both who the user is and which sites they visit.
Because the egress address reflects the user's approximate region, sites can still personalize content by location, but the system does not help you evade regional content restrictions. If you want to watch US Netflix from your tablet in Lisbon, Portugal, you will still need a VPN, and you should vet whichever VPN service you choose.
The hops are encrypted with TLS 1.3 between the user's device and the ingress and egress proxies. Apple's Private Relay support pages and its whitepaper give a more detailed description of the system, and the WWDC session on the feature is also worth watching.
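The following toy model illustrates the information split the two-hop design is built around. It is an added example, not Apple's code or anything from the article: the hostnames, addresses, region hints and the HMAC-keystream "seal" are all constructed, and the real service uses QUIC/TLS 1.3 and MASQUE rather than this envelope. What it shows is that the ingress proxy's log contains the client IP but never the destination, while the egress proxy's log contains the destination but never the client IP, and that the origin site only ever sees the egress address.

```python
"""Toy model of the two-hop Private Relay design (added illustration, not Apple's code).

Hostnames, addresses, region hints and the seal() cipher are constructed; real
Private Relay uses QUIC/TLS 1.3 and MASQUE. The model shows the information
split: ingress sees the client IP but not the destination, egress sees the
destination but not the client IP.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256(key, nonce || counter). Toy cipher, not for real use."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; only a holder of `key` can read or forge the blob."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the key or blob is wrong."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def fetch(host: str, source_ip: str) -> bytes:
    """Constructed origin server: it only ever sees the egress address."""
    return f"hello from {host}, seen from {source_ip}".encode()


@dataclass
class Egress:
    """Second hop: opens the client's sealed request, never learns the client IP."""
    key: bytes                                   # stands in for the egress's key pair
    pool: dict = field(default_factory=lambda: { # constructed: coarse region -> egress address
        "eu-west": "203.0.113.20", "us-east": "203.0.113.40"})
    log: list = field(default_factory=list)

    def handle(self, from_ip: str, blob: bytes) -> bytes:
        req = json.loads(open_sealed(self.key, blob))
        src = self.pool[req["region"]]           # preserves approximate location, not identity
        self.log.append({"from": from_ip, "dest": req["host"], "egress_ip": src})
        return seal(self.key, fetch(req["host"], src))


@dataclass
class Ingress:
    """First hop: knows the client IP, forwards an opaque blob it cannot open."""
    egress: Egress
    own_ip: str = "198.51.100.7"                 # constructed
    log: list = field(default_factory=list)

    def handle(self, client_ip: str, blob: bytes) -> bytes:
        self.log.append({"client_ip": client_ip, "next_hop": "egress", "bytes": len(blob)})
        return self.egress.handle(self.own_ip, blob)


def browse(client_ip: str, host: str, region: str, ingress: Ingress, egress_key: bytes) -> str:
    """Client: seal (host, region) for the egress, hand it to the ingress, open the reply."""
    blob = seal(egress_key, json.dumps({"host": host, "region": region}).encode())
    return open_sealed(egress_key, ingress.handle(client_ip, blob)).decode()


def log_mentions(log: list, needle: str) -> bool:
    """True if `needle` appears anywhere in a proxy's log."""
    return needle in json.dumps(log)


def run_demo():
    egress_key = secrets.token_bytes(32)
    egress = Egress(key=egress_key)
    ingress = Ingress(egress=egress)
    page = browse("192.0.2.10", "www.example.org", "eu-west", ingress, egress_key)
    return page, ingress.log, egress.log


if __name__ == "__main__":
    page, ilog, elog = run_demo()
    print(page)
    print("ingress saw:", ilog)
    print("egress saw:", elog)
```

The constructed `pool` is the part worth noticing: the egress picks its source address from a coarse region hint, which is why sites can still localize content without learning who the user is.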
How iCloud Private Relay is compatible with existing corporate VPNs
It is compatible with existing corporate security systems (including VPNs) in the following ways:
- Private Relay only proxies connections to hosts on the public Internet.
- Private Relay lets users connect directly to local or private servers, such as your company's intranet servers.
- If the device detects that the server being requested is not a public Internet name, it connects to that server directly over the local network.
- To stop a hostile network from abusing that bypass (for example by claiming that a tracker's hostname is a local server so that the device talks to it directly), the device never allows direct connections to names on DuckDuckGo's list of known trackers.
- Private Relay will not attempt to proxy traffic that it recognizes as local to the network.
- Most managed network configurations used by businesses take precedence over Private Relay.
- If a device has a VPN configured, traffic passing through that VPN does not use Private Relay.
- Likewise, a proxy configuration such as a global proxy is used instead of Private Relay.
- If your network blocks proxy servers, iCloud Private Relay won't work on it.
In short, if you use a corporate VPN, Private Relay stays out of the traffic that the VPN carries. If you use a local network or global proxy, or block proxies on your network, Private Relay is not used at all and offers no protection on that network.
Another exception is a custom encrypted DNS configuration: when one is installed, the DNS server it specifies is used instead of Private Relay.
What about MDM systems?
If your company manages a fleet of devices, Apple lets MDM tools turn iCloud Private Relay on or off. The MDM system does this by installing a configuration profile on the device that disables the feature.
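As an added example (not from the article, and not an Apple or MDM-vendor script), the following builds such a profile with Python's standard `plistlib`. It uses the Restrictions payload type `com.apple.applicationaccess` and its `allowCloudPrivateRelay` key from Apple's device-management reference; the profile identifiers and organization name are constructed, and the OS-version and supervision requirements for the key should be checked against Apple's current documentation before deployment.

```python
"""Generate a configuration profile that disables iCloud Private Relay.

Added example, not Apple's or the article's code. PayloadType
com.apple.applicationaccess and the allowCloudPrivateRelay key come from
Apple's Restrictions payload reference; identifiers and organization name
are constructed. Verify OS-version/supervision requirements before use.
"""
import plistlib
import uuid

ORG = "Example Corp"                                # constructed
PROFILE_ID = "com.example.mdm.private-relay-off"    # constructed


def build_profile(allow_private_relay: bool = False) -> dict:
    """Top-level profile wrapping one Restrictions payload."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{PROFILE_ID}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrictions",
        "allowCloudPrivateRelay": allow_private_relay,   # False switches the feature off
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Disable iCloud Private Relay",
        "PayloadOrganization": ORG,
        "PayloadScope": "System",                        # macOS; ignored on iOS
        "PayloadContent": [restrictions],
    }


def profile_bytes(allow_private_relay: bool = False) -> bytes:
    """Serialize the profile as an XML plist (.mobileconfig contents)."""
    return plistlib.dumps(build_profile(allow_private_relay), fmt=plistlib.FMT_XML)


def private_relay_allowed(profile: bytes) -> bool:
    """Read a profile back; Private Relay is allowed unless a Restrictions payload denies it."""
    data = plistlib.loads(profile)
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            return bool(payload.get("allowCloudPrivateRelay", True))
    return True


if __name__ == "__main__":
    with open("disable-private-relay.mobileconfig", "wb") as f:
        f.write(profile_bytes())
```

The resulting `.mobileconfig` is an unsigned profile; sign it and push it through your MDM rather than installing it by hand on a managed fleet.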
What about network audits?
Some companies are required to log network traffic, especially in highly sensitive or heavily regulated industries. If yours must audit network traffic, you can block Private Relay on your network.
When the service is blocked on a network, the user receives an error message telling them to turn off Private Relay for that network or to use another network.
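Blocking is done at the resolver: Apple's network guide has operators return a negative DNS answer (NXDOMAIN) for the relay hostnames `mask.icloud.com` and `mask-h2.icloud.com`, which is what makes Safari show the error described above. The following is an added example, not from the article or from Apple, that emits the matching Unbound and dnsmasq configuration and then checks from a client whether a resolver actually refuses those names. The `stub_resolver` is a constructed stand-in for `socket.getaddrinfo` so the check can be exercised offline.

```python
"""Block Private Relay at the resolver and verify the block from a client.

Added example, not from the article or from Apple. The hostnames are the two
relay names Apple's network guide says to answer NXDOMAIN for; the config
snippets and stub resolver are constructed.
"""
import socket

RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")


def unbound_config() -> str:
    """Unbound: always_nxdomain answers NXDOMAIN for the name and everything under it."""
    return "\n".join(f'local-zone: "{h}." always_nxdomain' for h in RELAY_HOSTS) + "\n"


def dnsmasq_config() -> str:
    """dnsmasq: local=/name/ never forwards the domain, so unknown names get NXDOMAIN."""
    return "\n".join(f"local=/{h}/" for h in RELAY_HOSTS) + "\n"


def resolves(host: str, resolver=socket.getaddrinfo) -> bool:
    """True if the resolver returns an address for `host`, False on a negative answer."""
    try:
        resolver(host, 443)
        return True
    except socket.gaierror:
        return False


def private_relay_blocked(resolver=socket.getaddrinfo) -> dict:
    """Map each relay hostname to True if the resolver refuses it (i.e. the block works)."""
    return {h: not resolves(h, resolver) for h in RELAY_HOSTS}


def stub_resolver(blocked: tuple):
    """Constructed stand-in for socket.getaddrinfo: NXDOMAIN for `blocked`, an address otherwise."""
    def resolver(host, port, *args, **kwargs):
        if host in blocked:
            raise socket.gaierror(-2, "Name or service not known")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.1", port))]
    return resolver


if __name__ == "__main__":
    print("# unbound.conf snippet\n" + unbound_config())
    print("# dnsmasq.conf snippet\n" + dnsmasq_config())
    # Run on a client attached to the audited network; both values should be True.
    print(private_relay_blocked())
```

Block only these two hostnames; everything else under icloud.com must keep resolving or other iCloud services on the network will break along with the relay.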
As a result, convincing your employees to use your network instead of another may be the biggest security challenge you face.
What else should you know?
With so many employees working remotely, it's important to understand what iCloud Private Relay doesn't protect. It does a good job of hiding a remote user's Safari browsing from the network, but only on networks that allow it: some Wi-Fi networks and some cellular carriers block Private Relay, and on those networks the traffic is not relayed.
It's also important to note that only Safari sessions are protected. Traffic from other apps, mail clients and third-party browsers is not. If you or your business need to protect all of your online traffic (apps, services, email and so on), you still need a VPN.
The service arrives at a relevant time. "Because of its growth in business, Apple devices are now a target of increased security threat," writes Garrett Denney, a senior director at Jamf.
How to turn Private Relay on and off
Private Relay is available to iCloud+ subscribers running iOS 15, iPadOS 15 or macOS Monterey or later.
To turn it on, open Settings (System Preferences on a Mac), go to your Apple ID > iCloud, and switch on Private Relay. Switch it off in the same place to disable the service.
Follow me on Twitter or join me at the AppleHolic Bar & Grill and Apple Discussion Groups at MeWe.
Copyright © 2021 IDG Communications, Inc.