This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
To ensure undesirable websites and content are blocked, Apple iCloud Private Relay must be blocked, as it can bypass filtering.
You can do this by following the instructions below for On-Premise Appliance or by moving to Cloud Filter.
Before you begin
The three items below are needed to ensure filtering works as expected once Apple iCloud Private Relay is blocked.
- Prevent QUIC on your devices.
- Block DNS over HTTPS by creating a Web Filter Policy with DNS over HTTPS in the What field, with Block as the Action. DNS over HTTPS (DoH) is a privacy feature that encrypts DNS traffic through HTTPS, making it harder to inspect domains and filter content.
- Where possible, ensure you have HTTPS Inspection policies to Decrypt and Inspect to filter all user traffic. Users must download and install the Certificate from the HTTPS Interception page to ensure they won’t get an HTTPS Certificate error when browsing the web.
Check your existing policies
- Ensure the IP address range for Apple iOS Private Relay (17.0.0.0/8) is not in your list of Destination exceptions.
- Ensure the Apple Category is not in your list of Authentication exceptions.
- Ensure you don’t have any Web Filter Policies for the Apple Category with the Action of Do Not Filter.
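The Destination exceptions check above also needs to catch entries that only partly cover 17.0.0.0/8, such as a single host inside it or a wider range that contains it. The script below is an added example, not part of the product or its tooling; it assumes the exceptions have been copied into a plain text list with one entry per line, and the function names and sample entries are made up for illustration.

```python
import ipaddress

# Range the article associates with Private Relay.
RELAY_NET = ipaddress.ip_network("17.0.0.0/8")

def classify_exception(entry, relay=RELAY_NET):
    """Return 'overlap', 'clear' or 'review' for one Destination exception entry."""
    entry = entry.strip()
    try:
        # strict=False accepts entries with host bits set, e.g. 17.1.2.3/16
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Hostnames and anything else unparseable need a manual look.
        return "review"
    if net.version != relay.version:
        return "clear"
    # overlaps() is true for exact matches, subnets, single hosts and supernets.
    return "overlap" if net.overlaps(relay) else "clear"

def audit_exceptions(lines):
    """Group entries by classification, skipping blank lines and # comments."""
    report = {"overlap": [], "clear": [], "review": []}
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            report[classify_exception(entry)].append(entry)
    return report

# Constructed sample list, one entry per line (assumed format, not a product export).
SAMPLE = """\
10.20.0.0/16        # internal servers
17.0.0.0/8          # exact match
17.253.144.10       # single host inside the range
16.0.0.0/7          # supernet that contains 17.0.0.0/8
0.0.0.0/0
192.0.2.15
updates.example.com # hostname, cannot be judged offline
2001:db8::/32
""".splitlines()

if __name__ == "__main__":
    for status, entries in audit_exceptions(SAMPLE).items():
        print(f"{status}: {', '.join(entries) or '-'}")
```

Entries reported under `overlap` exempt some or all of 17.0.0.0/8 from filtering; entries under `review` are hostnames that have to be checked by hand.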
Block Web Proxies
- Create a Web Filter Policy.
- For the What step, select one of these Categories:
  - Web Proxies: Will only block Web Proxies.
  - Proxies and VPNs: Will block both Web Proxies and VPNs.
- Select Block as the Action.
- Order your policy above any Allow policies.