Blocking iCloud Private Relay to Ensure Reliable DNS Filtering

Written by Owen Parry

Updated at January 30th, 2026

CyberFOX DNS Filtering blocks Apple’s iCloud Private Relay by default to maintain accurate DNS policy enforcement, reliable traffic inspection, and full visibility across managed networks. Apple’s relay service encrypts DNS queries and obscures device IP addresses, which prevents CyberFOX from applying filtering rules, logging activity, or ensuring compliance. This article explains how the block works, its impact on Apple devices, recommended configuration settings, and how IT administrators can manage Private Relay through MDM platforms.
 

What This Feature Is


iCloud Private Relay is an Apple privacy service available on macOS and iOS that:

  • Encrypts outbound DNS queries
  • Routes traffic through Apple-managed relay servers
  • Masks device IP addresses and network identifiers

Because traffic is tunneled through Apple’s relay infrastructure, DNS requests bypass CyberFOX DNS Filtering—making reliable categorization, policy enforcement, and security inspection impossible. To preserve network integrity, CyberFOX blocks DNS access to Apple’s Private Relay endpoints.

When Private Relay is enabled and not blocked:

  • DNS filtering policies may be bypassed entirely
  • Security and compliance visibility is lost
  • Websites may fail to load or load partially due to mixed-resolution paths
  • Reporting accuracy becomes fragmented across devices

Platform-Specific Behavior (DNS Filtering)


macOS

  • Devices attempt to resolve relay domains automatically when Private Relay or related privacy features (e.g., Limit IP Tracking) are enabled.
  • When CyberFOX blocks these domains, macOS displays system messages such as "Private Relay is not available on this network."
  • DNS filtering continues normally for all non-relay traffic.

iOS / iPadOS

  • iPhones and iPads attempt similar relay lookups.
  • Users may see notifications in Wi‑Fi settings that Private Relay is disabled by the network.
  • No user action is required—filtering will continue to function.

CyberFOX DNS Filtering Portal

  • No special configuration is needed. Relay domains are blocked globally by default.
  • Administrators may review or confirm the blocks under domain logs if required.

 

Domains Blocked by CyberFOX


CyberFOX prevents DNS resolution to all known Apple relay hosts to ensure DNS queries remain visible and enforceable:

  • mask.icloud.com
  • mask-h2.icloud.com
  • mask-api.icloud.com
  • mask.apple-dns.net

Blocking these domains ensures:

  • Devices cannot establish the encrypted relay channel
  • DNS traffic remains inside CyberFOX’s filtering infrastructure
  • All activity continues to be logged, categorized, and enforced

 

Recommended Settings for Apple Devices


To reduce user confusion and eliminate unnecessary system warnings, CyberFOX recommends disabling the following privacy features on macOS and iOS:

Wi‑Fi Settings

  • Limit IP Address Tracking → Off

iCloud+ Settings

  • Private Relay → Off

Safari Settings

  • Hide IP Address → Off

Mail App

  • Mail Privacy Protection → Off

These features attempt to route DNS traffic through Apple’s relay, but CyberFOX will block it regardless.

Disabling them ensures: 

  • Fewer warning prompts to end users
  • Clearer routing behavior
  • More predictable DNS resolution

 

Managing Private Relay via MDM


Most Mobile Device Management (MDM) platforms provide configuration profiles to disable iCloud Private Relay across all managed Apple devices. This is the recommended enterprise‑grade approach.

Common MDM capabilities include:

  • Enforcing Private Relay = Disabled (global)
  • Restricting iCloud account modifications
  • Restricting network privacy features

Platforms known to support this setting:

  • Jamf Pro / Jamf School
  • Intune (via device restrictions for Apple endpoints)
  • Mosyle
  • Kandji
  • Addigy

IT administrators should follow their MDM vendor’s documentation for deployment. For Jamf specifically, Apple provides a clear configuration guide within the Jamf Community portal.
 

Advanced Use Cases


BYOD Environments

For Bring‑Your‑Own‑Device networks, CyberFOX still blocks relay endpoints, ensuring filtering is enforced regardless of device ownership. Administrators may pair this with a captive portal or onboarding instructions.

Compliance-Driven Networks

Organizations subject to CMMC, HIPAA, SOC2, PCI‑DSS, or similar frameworks must retain visibility into DNS activity. Blocking Private Relay ensures:

  • Logging is complete
  • DNS inspection is not circumvented
  • Auditors receive accurate traffic data

Mixed Apple / Non‑Apple Environments

Private Relay attempts occur only on Apple devices, but blocking these domains has zero negative impact on Windows, Android, Linux, or IoT devices.
 

Best Practices


  • Use MDM enforcement rather than user‑level instructions to ensure consistency.
  • Document Private Relay restrictions in your company’s acceptable‑use or security onboarding materials.
  • Regularly review DNS logs for unexpected relay attempts—spikes may indicate misconfigured profiles.
  • Ensure Safari settings are aligned with organizational privacy and security requirements.
  • Test behavior on a macOS and iOS device after making profile changes.
     

Troubleshooting


Users See "Private Relay Is Not Available on This Network"

This is expected when CyberFOX blocks relay domains. Confirm the device is still applying DNS filtering normally.

Websites Fail to Load on macOS/iOS

  • Ensure Private Relay, Limit IP Address Tracking, and Hide IP Address are disabled.
  • Confirm the network is not using a secondary DNS resolver.
  • Verify the device is not connected to a VPN that overrides DNS.

DNS Logs Show Continuous Relay Attempts

  • Device likely has Private Relay enabled via user settings.
  • Push an updated MDM profile to force-disable.
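The log review suggested under Best Practices and in this troubleshooting item can be scripted. The following is an added example, not CyberFOX code: it scans an exported DNS log for the four relay domains listed above, reports clients whose lookups keep recurring, and lists any relay lookup that was not blocked. The CSV column layout, client names, and thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Relay hosts listed in this article.
RELAY_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com",
                 "mask-api.icloud.com", "mask.apple-dns.net")

# Constructed sample export; the column layout is an assumption, not the
# CyberFOX portal's actual log format.
SAMPLE_LOG = """timestamp,client,qname,action
2026-01-30T09:00:05,mac-014,mask.icloud.com.,blocked
2026-01-30T09:05:41,mac-014,MASK-H2.icloud.com,blocked
2026-01-30T09:10:12,mac-014,mask-api.icloud.com,blocked
2026-01-30T09:15:30,mac-014,mask.icloud.com,blocked
2026-01-30T09:02:17,iphone-07,mask.icloud.com,blocked
2026-01-30T09:03:00,win-22,notmask.icloud.com,allowed
2026-01-30T09:20:44,ipad-03,mask.apple-dns.net,allowed
"""

def is_relay(qname):
    """True for a listed relay host or any name beneath it."""
    name = qname.strip().rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in RELAY_DOMAINS)

def review(log_text, bucket_minutes=5, min_buckets=3):
    """Return (persistent, unblocked): clients whose relay lookups span at
    least min_buckets distinct time buckets (Private Relay is probably still
    enabled), and (client, qname) relay lookups whose action is not 'blocked'."""
    buckets = defaultdict(set)
    unblocked = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_relay(row["qname"]):
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        slot = (ts.date(), ts.hour, ts.minute // bucket_minutes)
        buckets[row["client"]].add(slot)
        if row["action"].lower() != "blocked":
            unblocked.append((row["client"], row["qname"]))
    persistent = sorted(c for c, s in buckets.items() if len(s) >= min_buckets)
    return persistent, unblocked

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Clients in the first list are candidates for an updated MDM profile; an entry in the second list contradicts the default global block and should be checked against the policy applied to that client.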

iCloud Login Behavior

Private Relay is unrelated to iCloud sync, App Store access, or Apple ID functionality. Blocking relay domains does not affect:

  • Backups
  • App downloads
  • iCloud Drive
  • Apple Mail

 

Security & Sync Behavior


CyberFOX blocks Private Relay specifically to preserve:
 
  • Full DNS visibility
  • Accurate categorization and policy enforcement
  • Complete logging for audits
  • Consistent behavior across managed networks

Apple’s relay does not synchronize with CyberFOX and does not share telemetry. DNS traffic routed through Private Relay cannot be inspected for:

  • Malware domains
  • Phishing indicators
  • C2 activity
  • Content‑filtering rules

Blocking the relay ensures synchronized and predictable filtering behavior for all Apple devices.

 

Additional References


  • Apple Support: About iCloud Private Relay
  • Jamf Community: Troubleshooting iCloud Private Relay

 

