4.5 Review 'iCloud Private Relay' settings

Information

iCloud Private Relay is a service offered by Apple as part of an iCloud+ subscription. It allows users on iOS 15, iPadOS 15, and macOS Monterey to browse the Web more privately by hiding the user's actual IP address.

The service makes use of a multi-hop architecture whereby a user's requests are sent through two separate internet relays, operated by different entities, that replace a user's original IP address.

The user's IP address is visible to the network provider and to the first relay, which is operated by Apple. DNS queries are encrypted, so neither party can see the name of the website the user is trying to visit. The second relay, which is operated by a third-party content provider, assigns a temporary IP address, decrypts the name of the website, and connects to the site. As a result, no single party - including Apple - can see both who the user is and which sites they visit, for Safari browsing, DNS lookups, and unencrypted activity in applications.

Rationale:

While browsing the Web, information contained in the Web traffic, such as DNS queries and the user's IP address, can be seen by the network provider and by any websites visited. This information could be used to determine a user's identity and to build a profile of their location and browsing history.

Hiding this information prevents the tracking and profiling of users, resulting in an increased level of privacy while browsing the Web.

Impact:

iCloud Private Relay only relays connections to servers on the public internet; traffic to the local network and to private domains is sent directly by the device. Some entities or enterprises, however, might be required to audit all network traffic by policy. In this case, it is possible to block access to Private Relay. Should iCloud Private Relay be blocked, the user will be alerted that they need to either disable the feature or choose another network. In this scenario, users will still be able to use the service when they are not connected to their corporate network.

The fastest and most reliable way to block Private Relay is to return a negative answer (NXDOMAIN, or a NOERROR response with no records) from the network's DNS resolver, preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic.
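The following script is an added example (not part of the CIS benchmark or of Apple's documentation) that checks whether the resolver handed out by the current network blocks Private Relay as described above. It queries the two relay hostnames with dig and classifies each response: NXDOMAIN, or NOERROR with an empty ANSWER section (NODATA), both count as a negative answer and therefore as "blocked"; any returned record means the relay is reachable. It assumes dig is installed and that the system resolver is the one supplied by the network under audit.

```shell
#!/bin/sh
# Added example: verify that the network's DNS resolver blocks iCloud
# Private Relay by returning a negative answer for its two hostnames.
# Not from the CIS benchmark or from Apple; assumes `dig` is available.

RELAY_HOSTS="mask.icloud.com mask-h2.icloud.com"

# Classify a DNS response.
#   $1 - RCODE as dig prints it in its header line (NXDOMAIN, NOERROR, ...)
#   $2 - number of records in the ANSWER section
# Prints "blocked" for a negative answer (NXDOMAIN, or NOERROR/NODATA),
# "reachable" when at least one record came back, "error:<RCODE>" otherwise.
relay_status() {
    rcode=$1
    answers=$2
    case "$rcode" in
        NXDOMAIN)
            echo blocked ;;
        NOERROR)
            if [ "$answers" -eq 0 ]; then echo blocked; else echo reachable; fi ;;
        *)
            echo "error:$rcode" ;;
    esac
}

# Extract RCODE and ANSWER count from dig's comment header, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
# and classify the result with relay_status.
classify_dig_output() {
    out=$1
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    relay_status "${rcode:-SERVFAIL}" "${answers:-0}"
}

# Query one hostname via the system resolver; "error:dig" if dig is missing
# or the query itself fails (timeout, no resolver configured).
query_relay_host() {
    host=$1
    out=$(dig +noall +comments +answer "$host" A 2>/dev/null) || { echo "error:dig"; return; }
    classify_dig_output "$out"
}

# Report the status of every Private Relay hostname. On a network that
# blocks Private Relay per Apple's guidance, both lines read "blocked".
main() {
    for h in $RELAY_HOSTS; do
        printf '%s: %s\n' "$h" "$(query_relay_host "$h")"
    done
}

main
```

Run the script from a device that is connected to the network being audited. A resolver that merely forwards the queries upstream will show both hostnames as "reachable", which means Private Relay will activate on that network unless the resolver configuration is changed.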

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the device:

Tap Settings.

Tap <The User's Name> (the entry with "Apple ID, iCloud, iTunes & App Store" displayed beneath it).

Tap iCloud.

Tap Private Relay.

Enable Private Relay.

See Also

https://workbench.cisecurity.org/benchmarks/15548