Apple recently introduced iCloud Private Relay as an additional benefit for iCloud+ subscribers. The feature routes Safari web browsing (and some other insecure Internet traffic) through a semi-anonymizing service to reduce third parties' ability to profile and track individual users.
However, it may be necessary in some environments to disable iCloud Private Relay. The feature may interfere with management controls, prevent required traffic auditing, or complicate troubleshooting procedures.
Apple provides a guide to prepare your network or service for iCloud Private Relay, but it's also possible to disable the feature using a Restrictions Configuration Profile.
To disable iCloud Private Relay, set the `allowCloudPrivateRelay` key to `false` in the `com.apple.applicationaccess` domain. An example full Configuration Profile is below:
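```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDisplayName</key>
			<string>Restrictions</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.applicationaccess.E8C72ECD-7122-4C66-853F-3F3467D1AEF5</string>
			<key>PayloadType</key>
			<string>com.apple.applicationaccess</string>
			<key>PayloadUUID</key>
			<string>1953B7E6-DB5C-4FDA-A579-2EE05978F4B6</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<!-- false disables iCloud Private Relay -->
			<key>allowCloudPrivateRelay</key>
			<false/>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Disables the iCloud Private Relay feature.</string>
	<key>PayloadDisplayName</key>
	<string>Disable iCloud Private Relay</string>
	<key>PayloadIdentifier</key>
	<string>E31B0811-3164-49CE-BAA9-67075398DE85</string>
	<key>PayloadOrganization</key>
	<string>Company Name</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>ECEB2ECA-B16F-41F8-9909-7DD36FA1609C</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
```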
This profile is also available on GitHub.
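A pre-deployment check for a profile like this one, as an added example that is not from the original post: it parses an unsigned .mobileconfig with Python's plistlib and reports whether a `com.apple.applicationaccess` payload sets `allowCloudPrivateRelay` to a boolean false. The function names and the sample profiles (placeholder identifiers and UUIDs) are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
KEY = "allowCloudPrivateRelay"


def check_private_relay_profile(data):
    """Return a list of problems; an empty list means the relay is disabled."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed plist, or a signed (CMS-wrapped) profile
        return [f"not a parseable unsigned plist: {exc!r}"]
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        return ["top-level PayloadType is not 'Configuration'"]
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return [f"no {RESTRICTIONS_TYPE} payload present"]
    values = [p[KEY] for p in payloads if KEY in p]
    if not values:
        return [f"{KEY} not set, so Private Relay stays available"]
    # This check accepts only a plist boolean <false/>; a string "false" or 0 is flagged.
    return [f"{KEY} is {v!r}, expected boolean false" for v in values if v is not False]


def sample_profile(restrictions):
    """Constructed sample: a minimal profile wrapping one Restrictions payload."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions",  # placeholder
               "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
               **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",  # placeholder
                           "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    cases = [("relay disabled", {KEY: False}),
             ("key missing", {}),
             ("string instead of boolean", {KEY: "false"})]
    for label, restrictions in cases:
        result = check_private_relay_profile(sample_profile(restrictions))
        print(f"{label}: {result or 'OK'}")
```

To check a real file, pass its bytes, for example `check_private_relay_profile(open(path, "rb").read())`; a signed profile is reported as unparseable rather than inspected.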
Once installed, this profile:
- Stops traffic from routing to `mask-h2.icloud.com` at the network level.
- Removes "Private Relay" from the list of services available to enable in System Preferences > Apple ID.
- Removes the "Use iCloud Private Relay" checkbox from the "Network" pane in System Preferences.
Unlike many Configuration Profile payloads, this payload is re-evaluated after initial installation.
That means this profile can be pre-installed on systems running macOS versions prior to Monterey. Go ahead and deploy this restriction to your fleet before they upgrade to macOS Monterey so the configuration takes immediate effect. It won't have any effect on macOS Big Sur (or previous systems), but will begin working once the system is upgraded to Monterey.
This restriction does not require Supervision.
I've noted a small bug in macOS Monterey 12.0.1. If the Configuration Profile restricting iCloud Private Relay is installed while the relay is active, the checkbox in System Preferences > Network remains visible.
Private Relay is in fact disabled, and no traffic is routed through the service. The "Private Relay" feature is removed from the listing in System Preferences > Apple ID. This visual bug persists through reboots, but only occurs when the profile is installed while iCloud Private Relay is already running.