Apple’s iCloud Private Relay service gives users privacy, security, and convenience. It is best seen as a limited form of virtual private network (VPN) that protects a user’s Safari browsing activity from prying eyes. But is it compatible with your enterprise’s existing VPN systems?

(TL;DR: Yes).

Solid VPN usage statistics are relatively hard to find. Security.org claims that two-thirds of Americans have used a VPN, with around 38 million people making regular use of these tools. The move to working from home during the pandemic may have sparked an increase in such use, with 68% of companies beginning to or increasing their use of such services.

The inference is that more businesses than ever before now make use of VPN services, and they will need to know whether these are compatible with iCloud Private Relay.

The short answer is yes, they are compatible. Apple designed it this way.

“Private Relay is designed to provide clear status information and control to the user, and provide appropriate controls to enterprises and network operators that might require the ability to audit all traffic on their network,” the company explains in its recently-published guide to the service.

At its simplest, iCloud Private Relay works by separating a user’s identity from the nature of their Safari web browsing session.

When they make a request to visit a site, the request is sent through two separate internet relays operated by two different entities.

The system is sufficient to support location-personalized web experiences but does not undermine regional content restrictions. So, if you want to watch U.S. Netflix from your luxury pad in Lisbon, Portugal, you’ll need to use a VPN. You should also take care to scrutinize which VPN service you select.

The system has solid TLS 1.3 security to encrypt what happens between the user’s device and the ingress and egress proxies. You can explore Apple’s online dedicated Private Relay pages and its recent document to gain more in-depth insight into the system. This WWDC developer presentation may also be of interest.

It supports existing enterprise security systems (including VPNs) in the following ways:

What this all means is that if you are using a corporate VPN, iCloud Private Relay will ignore the internet transaction. And if you make use of a local network or global proxy server, or forbid use of proxy servers on your network, no protection will be put in place.

Another exception relates to those who use custom-encrypted DNS settings, as the specified DNS server will be used instead of Private Relay.

If your business manages a fleet of devices, Apple has made it possible to enable or disable iCloud Private Relay using your MDM tools. These systems can install management profiles on devices that disable use of iCloud Private Relay on them.

Some industries require businesses to log network traffic, particularly in highly sensitive or heavily regulated sectors. If your business needs to audit network traffic, then it is possible to block access to Private Relay.

In the event use of the service is blocked on your network, a user will receive an error message to let them know they must disable Private Relay for that network or use another network.
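For a network that blocks Private Relay for audit reasons, the sketch below checks resolver logs to confirm the block is holding. It is an added example, not code from Apple or from this article. It assumes the block is done at the DNS resolver for the hostnames `mask.icloud.com` and `mask-h2.icloud.com` (the names Apple's guidance for network operators lists, not named in this article), and the log format and sample lines are constructed for illustration.

```python
"""Audit resolver logs for iCloud Private Relay lookups (added example)."""
import re
from collections import defaultdict

# Hostnames Apple documents for resolver-level blocking of Private Relay.
RELAY_HOSTS = {"mask.icloud.com", "mask-h2.icloud.com"}

# Assumed log format, constructed for this example (not a real resolver's):
#   <timestamp> client=<ip> qname=<fqdn> qtype=<type> rcode=<rcode> answers=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\S+) rcode=(?P<rcode>\S+) answers=(?P<answers>\d+)$"
)

SAMPLE_LOG = """\
2022-01-10T09:15:02Z client=10.0.4.21 qname=mask.icloud.com. qtype=A rcode=NXDOMAIN answers=0
2022-01-10T09:15:02Z client=10.0.4.21 qname=mask-h2.icloud.com. qtype=AAAA rcode=NOERROR answers=0
2022-01-10T09:16:40Z client=10.0.7.9 qname=MASK.iCloud.com. qtype=A rcode=NOERROR answers=2
2022-01-10T09:17:11Z client=10.0.7.9 qname=www.example.com. qtype=A rcode=NOERROR answers=1
2022-01-10T09:18:00Z client=10.0.4.30 qname=notmask.icloud.com. qtype=A rcode=NOERROR answers=1
malformed line that the parser must skip
"""

def audit(log_text):
    """Return {'blocked': {client: n}, 'leaked': {client: n}, 'skipped': n}."""
    result = {"blocked": defaultdict(int), "leaked": defaultdict(int), "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            result["skipped"] += 1
            continue
        # DNS names are case-insensitive and may carry a trailing root dot.
        qname = m["qname"].rstrip(".").lower()
        if qname not in RELAY_HOSTS:
            continue
        # A lookup only succeeded if NOERROR came back with at least one answer.
        leaked = m["rcode"] == "NOERROR" and int(m["answers"]) > 0
        result["leaked" if leaked else "blocked"][m["client"]] += 1
    return result

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for client, n in sorted(report["leaked"].items()):
        print(f"policy gap: {client} resolved a Private Relay host {n} time(s)")
    for client, n in sorted(report["blocked"].items()):
        print(f"blocked as intended: {client} ({n} lookup(s))")
```

Clients reported under "leaked" received an address for a relay hostname, so either they are using a resolver path the block does not cover or the block rule is incomplete.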

Convincing your employees to use your network rather than another may be the biggest security challenge you face as a result.

With so many employees working remotely, it’s important to understand what iCloud Private Relay does not protect. While it will do a great job of securing a remote user’s browsing traffic when transacted on a public server using Wi-Fi or a wired internet connection, it does not protect traffic sent across cellular networks.

It is also important to note that only Safari sessions are protected. Traffic from apps, emails, or other browsers is not. If you or your business need to protect all your online traffic (apps, services, emails and so on), you’ll still need to use a VPN.

The service is pretty relevant. “As a result of its growth in the enterprise, Apple devices are now a bigger security threat target,” Jamf Senior Manager Garrett Denney writes.

Private Relay is available to iCloud+ subscribers running iOS 15, iPadOS 15 or macOS Monterey or later.

To enable it, open Settings (System Preferences on Mac), then open your Apple ID > iCloud section and toggle Private Relay to On. Toggle it to Off to disable the service.
