How Apple’s iCloud Private Relay creates a shadow IT nightmare

One can make the argument that Apple created the phenomenon of shadow IT when it introduced the iPhone and the App Store. Suddenly managers and individual users had the ability to source their own business software and services, bypassing IT departments completely. And they could do so with devices not connected to a corporate network, preventing IT from even realizing shadow IT was happening in their organizations.

Apple did step in a couple of years later, providing an enterprise mobile device management (MDM) platform that allowed IT some control over devices in their organization. But to be effective, IT still needs to partner with line of business managers and individual users. After all, users can simply use devices not enrolled in MDM if they choose.

Fast forward a decade from the introduction of MDM, and Apple is again creating a potential shadow IT nightmare in the form of iCloud Private Relay.

What is iCloud Private Relay?

iCloud Private Relay is a new privacy feature in iOS 15 (available today but still in beta) for users with paid iCloud accounts, now known as iCloud+ accounts. And it is generally a good consumer privacy protection system.

When enabled, Private Relay encrypts all supported traffic (right now it primarily supports traffic from Safari, but it is planned to expand beyond that) including DNS queries and diverts it to Apple’s ingress server. The ingress server strips out the user’s information and then sends the request to the egress server, which is operated by a third-party content provider. The egress server doesn’t see any information about the user or device; it sees only that the requests come from the ingress server. The egress server strips out the information about the ingress server and forwards the request to the appropriate destination.

That destination server receives no information about the user or the ingress server; it sees only that a request originated from the egress server. It then replies to the egress server, which sends the response to the ingress server as though it were the original destination. The ingress server then sends the reply to the user’s device.

Essentially each server in the chain acts like a proxy server. Since no single point in the chain has access to information about both the device and the destination, it provides a rather good consumer privacy technology.

Not a VPN

There have been some comparisons made between Private Relay and a VPN. The two are completely separate tools.

A virtual private network is a technology used to create a secure tunnel through the internet. This tunnel is primarily used for devices outside a corporate network to connect as though they were located on that network. VPNs can also be used to secure connections when devices are connecting via a public Wi-Fi network, or to make it appear as if a device is someplace else — for connecting from, say, Dubai to the US App Store or Netflix selection, or to avoid content blocking systems.

A VPN does offer privacy, but it is somewhat of an added bonus. The basic functionality and goal of VPNs are rather different from Private Relay.

Why iCloud Private Relay is a problem for enterprises

The problem with Private Relay is that it can divert connections out of the corporate network to Apple’s ingress server. The local network sees nothing but connections to Apple’s ingress server. Since that can include DNS queries along with other forms of traffic, it makes the user’s activity completely opaque to IT admins.

This creates a massive challenge to organizations in regulated industries and schools, where auditing traffic is often a legal requirement. Even outside of those industries, having no idea what a user is doing is still of great concern, particularly if this is happening on a company-owned device.

It’s worth noting that Private Relay is baked into iOS 15 but isn’t enabled by default, although that could change when the service exits beta. Another consideration is that Private Relay is only available to customers who pay for an iCloud+ subscription — though this includes the barebones $0.99 option for 50GB of storage space.

Can IT block Private Relay?

The good news from Apple is that it’s simple to block Private Relay. You simply block the ingress server address on your network. Any Apple device configured to use Private Relay won’t be able to.

The bad news is that users will be told that your network is incompatible with Private Relay and asked if they still want to connect. If they don’t connect, then you’re back with staff that are using the cellular connections of their devices and denying you any information about how they’re using their device with corporate data.

The best option: user engagement

I’ve argued many times that shadow IT is not really a technical problem, it’s an engagement and communication problem. And this situation is no different.

You need to make sure that users understand why they get a message that your network doesn’t support Private Relay, and also let them know that this will not affect their devices outside of work. That requires building trust through communication and transparency — something that ideally most IT departments have been working towards already.