Apple recently introduced iCloud Private Relay as an additional benefit for iCloud+ subscribers. The feature routes Safari web browsing (along with DNS queries and unencrypted HTTP traffic from apps) through a two-hop, semi-anonymizing relay so that no single party, Apple included, sees both who the user is and which sites they visit, reducing third parties' ability to profile and track individual users.
However, it may be necessary in some environments to disable iCloud Private Relay. The feature may interfere with management controls, prevent required traffic auditing, or complicate troubleshooting procedures.
Apple provides a guide to prepare your network or service for iCloud Private Relay, but it's also possible to disable the feature using a Restrictions Configuration Profile.
To disable iCloud Private Relay, set the `allowCloudPrivateRelay` key to `false` in the `com.apple.applicationaccess` domain (the Restrictions payload). An example full Configuration Profile is below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.applicationaccess.E8C72ECD-7122-4C66-853F-3F3467D1AEF5</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>1953B7E6-DB5C-4FDA-A579-2EE05978F4B6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowCloudPrivateRelay</key>
            <false/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Disables the iCloud Private Relay feature.</string>
    <key>PayloadDisplayName</key>
    <string>Disable iCloud Private Relay</string>
    <key>PayloadIdentifier</key>
    <string>E31B0811-3164-49CE-BAA9-67075398DE85</string>
    <key>PayloadOrganization</key>
    <string>Company Name</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>ECEB2ECA-B16F-41F8-9909-7DD36FA1609C</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
This profile is also available on GitHub.
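If you generate this profile yourself (for example, to stamp in your own organization name and fresh UUIDs per deployment), it is worth validating the result before pushing it to a fleet, because the usual mistakes are silent: `allowCloudPrivateRelay` written as the string `"false"` instead of a boolean, a payload UUID copied into the profile UUID, or the Restrictions payload dropped altogether. The script below is an added example, not code from the original post or from Apple: it builds a profile with the same structure as the one above using Python's standard `plistlib` and `uuid` modules, serializes it to the XML plist format a `.mobileconfig` file uses, and runs those sanity checks. The `check_profile` function and its messages are this example's own design, not an Apple-defined validator.

```python
"""Build and sanity-check a Restrictions profile that disables iCloud Private Relay.

Added example (not from the original post). It produces a .mobileconfig with the
same layout as the profile shown above, but with fresh UUIDs, and validates it.
"""
import plistlib
import uuid
from xml.parsers.expat import ExpatError

# PayloadType of the Restrictions payload that carries allowCloudPrivateRelay.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def build_profile(organization: str = "Company Name") -> dict:
    """Return the profile as a dict mirroring the plist structure shown above."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": [
            {
                "PayloadDisplayName": "Restrictions",
                # Same identifier convention as the example profile:
                # the payload type followed by the payload's UUID.
                "PayloadIdentifier": f"{RESTRICTIONS_TYPE}.{payload_uuid}",
                "PayloadType": RESTRICTIONS_TYPE,
                "PayloadUUID": payload_uuid,
                "PayloadVersion": 1,
                # Must be a real boolean; the string "false" is not honoured.
                "allowCloudPrivateRelay": False,
            }
        ],
        "PayloadDescription": "Disables the iCloud Private Relay feature.",
        "PayloadDisplayName": "Disable iCloud Private Relay",
        "PayloadIdentifier": profile_uuid,
        "PayloadOrganization": organization,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile to an XML plist, the on-disk .mobileconfig format."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=True)


def check_profile(data: bytes) -> list:
    """Validate .mobileconfig bytes; return a list of problems (empty means OK).

    This is the example's own checklist (hypothetical, not an Apple tool):
    the file parses, the top level is a Configuration profile, a Restrictions
    payload is present, allowCloudPrivateRelay is the boolean false, and
    PayloadUUID values are unique across the profile and its payloads.
    """
    problems = []
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"not a valid plist: {exc!r}"]

    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")

    payloads = profile.get("PayloadContent", [])
    restrictions = [p for p in payloads if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not restrictions:
        problems.append(f"no {RESTRICTIONS_TYPE} payload present")
    for payload in restrictions:
        value = payload.get("allowCloudPrivateRelay")
        # 'is not False' also rejects 0 and "false", which are the wrong type.
        if value is not False:
            problems.append(
                f"allowCloudPrivateRelay must be the boolean false, got {value!r}"
            )

    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must be unique across the profile")
    return problems


if __name__ == "__main__":
    mobileconfig = to_mobileconfig(build_profile())
    assert check_profile(mobileconfig) == []
    with open("DisablePrivateRelay.mobileconfig", "wb") as fh:
        fh.write(mobileconfig)
```

Running the script writes `DisablePrivateRelay.mobileconfig` in the current directory, which can be installed manually or handed to an MDM. The generated file is unsigned, so macOS will show it as unverified in System Preferences; sign it with your organization's certificate before distribution if your MDM does not do so for you.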
Once installed, this profile:
- Stops traffic from routing to `mask.icloud.com` and `mask-h2.icloud.com` at the network level.
- Removes "Private Relay" from the list of services available to enable in System Preferences > Apple ID.
- Removes the "Use iCloud Private Relay" checkbox from the "Network" pane in System Preferences.
Requirements
Unlike many Configuration Profile payloads, the `com.apple.applicationaccess` payload is re-evaluated after initial installation rather than applied once at install time.
That means this profile can be pre-installed on systems running macOS versions prior to Monterey. Deploy this restriction to your fleet before those Macs upgrade to macOS Monterey so the configuration takes effect the moment they do. It has no effect on macOS Big Sur (or earlier), since those releases have no Private Relay to restrict, but it begins working as soon as the system is upgraded to Monterey.
This restriction does not require Supervision.
Caveat
I've noted a small bug in macOS Monterey 12.0.1. If the Configuration Profile restricting iCloud Private Relay is installed while the relay is already active, the checkbox in System Preferences > Network remains visible.
Private Relay is in fact disabled, and no traffic is routed through the service. The "Private Relay" feature is removed from the listing in System Preferences > Apple ID. This visual bug persists through reboots, but only occurs when the profile is installed while iCloud Private Relay is already running.