Get ready for iCloud Private Relay

Discuss the WWDC21 session Get ready for iCloud Private Relay.

Posts under wwdc21-10096 tag

64 Posts

Post | Replies | Boosts | Views | Activity

How to whitelist Private Relay-IP-Addresses on webservers with Fail2ban?
Some problems may occur if there are bad users with Private Relay enabled who visit websites hosted by my servers. My servers use Fail2ban to ban bad users by their IP addresses (e.g. ModSecurity blocks hacking attempts -> Fail2ban blocks that IP). Now, the list (https://mask-api.icloud.com/egress-ip-ranges.csv) is way too big to whitelist all IP addresses. How should I handle this in Fail2ban?
Replies: 0 | Boosts: 0 | Views: 2.4k | Activity: Aug ’21
Adapting iCloud Private Relay for fraud detection and limiting usage
I have read Prepare your Network for iCloud Private Relay. I have two queries about it. We use the IP address to limit usage of our app to prevent fraud. The video says that more than one user in a city uses the same IP address, so there will be more network calls from the same IP. How do I adapt to Private Relay in this case? We show the user from which IP address his details were created or updated. Since the IP we get from the egress proxy is modified, we cannot show the user the correct IP from which his details were created or updated. How do we solve this after adapting to iCloud Private Relay? I would also like to know how broadly the IP will be modified from the user's location. I cannot find any document regarding this.
Replies: 0 | Boosts: 0 | Views: 563 | Activity: Aug ’21
iCloud Private Relay DNS queries / Private domains
The document and video session mentioned that Private Relay protects: users' web browsing in Safari / DNS resolution queries / ... Not applicable traffic: local network connections / private domains / ... What is the meaning of these? For example, if I use the Chrome browser and it has DNS resolution queries, will it use Private Relay, or only in Safari? Local network connections? If my iPhone connects to Wi-Fi? What are private domains? Thanks,
Replies: 0 | Boosts: 0 | Views: 774 | Activity: Jul ’21
Resolve DNS With Network Provided DNS Server
Hello all, I was wondering if there was a way to have Private Relay resolve DNS queries with the network-provided DNS server instead of the current DNS server Private Relay uses. We are fine with traffic being hidden but would only like to see the DNS queries sent by clients in order to log and block malicious domains. What actions would we need to take on our network to block the Private Relay DNS server in order to make requests go to the network-provided DNS server? Thanks, Ironbolt89
Replies: 2 | Boosts: 0 | Views: 1.1k | Activity: Jul ’21
Changing Private Relay state drops internet connectivity
I noticed that when I'm running an app with an active Network Extension in macOS Monterey (21A5268h), changing the Private Relay state to on or off disrupts internet connectivity. The Wi-Fi menu bar icon eventually turns into an exclamation mark. The only workaround I found is to turn the filter off or to delete it. If the filter is turned on again, internet connectivity is lost. I've tested this with a pass-through NEFilterDataProvider-based Network Extension filter app, but I also see this behavior with other network filtering apps such as TripMode, which is on the Mac App Store. Is this a bug? I've filed a report (FB9283392) and attached a sample project to it.
Replies: 3 | Boosts: 0 | Views: 1.3k | Activity: Jul ’21
egress-ip-ranges.csv is corrupt
As of July 6th until July 13th there are 5 rows that have a 6th column. There are 4 rows that have an extra row (I believe these are Cloudflare IPs).
104.28.4.92/32,AU,,Newcastle, Nsw,
104.28.4.91/32,AU,,Newcastle, Nsw,
104.28.4.81/32,LB,,Beirut, Lebanon,
104.28.4.82/32,LB,,Beirut, Lebanon,
vs.
146.75.228.14/31,BS,,,
146.75.228.16/31,BS,BS-NP,NASSAU,
146.75.228.18/31,BZ,,,
Simple check to show commas per line. The 3 0s are blank lines, which most CSV parsers handle gracefully. Most lines have 5 commas, but there are a few with 6.
awk -F ',' '{print NF}' egress-ip-ranges.csv | sort | uniq -c
    3 0
17675 5
    4 6
Replies: 0 | Boosts: 0 | Views: 780 | Activity: Jul ’21
How to identify customers on Financial app under Private relay feature
Hello everyone. With the upcoming feature of Private Relay, the user will be able to cloak information about their origin, such as their IP address. However, with the current development of local banking / financial applications in my country, we are using their cellular network IP address to help identify their rights to use the application. Now, with the Private Relay feature, this mechanism will break. I'm not sure if anyone can help suggest alternate ways for this to work? Or else perhaps we should go back to using 2FA from SMS instead. Best Regards, Terry
Replies: 2 | Boosts: 0 | Views: 694 | Activity: Jul ’21
"Tracker Only" using Private Relay Plumbing?
It has been heavily implied, but I can't find confirmation anywhere, that the "Tracker Only" IP address hiding is actually using the same system. Can that be confirmed? In early testing with Beta 2 in the US header bidding market, "Tracker Only" doesn't appear to be active despite the sites in question being listed in the Privacy Report as trackers. Is there any clarity on when we would expect that feature to be enabled in the greater ecosystem?
Replies: 0 | Boosts: 0 | Views: 643 | Activity: Jul ’21
More details on Egress IPs?
Will there be more details on the egress IP configuration/policy? My team and I have a number of questions (focused mostly on the US currently):
How often will the egress IPs change? Will there be a schedule of when changes will apply, or will it always be 'live' and up to geolocation providers to poll the API frequently to notice changes that have already occurred? I notice the mask-api response has a cache control of 3600 seconds; does that imply an hourly poll for changes would be acceptable?
Will the 'shapes' associated with these regions be published? It's not clear how the assignments might be made (see image below). Some areas have quite granular cities near to each other; others appear to be somewhat randomly selected cities in less dense regions. Is it as simple as a Voronoi diagram or something more complex? It could also be that there is a non-geographic atom underlying this mapping, like ZIP, but the assignment problem still exists. An explicit mapping would help the industry handle these changes while still preserving user privacy.
Are all the egress providers using the same mapping rules and regions? I notice some differences in names between Fastly/Cloudflare, which seems unlikely if they were being provided a list of shapes and names.
Can anyone confirm that "Use broader location" will randomly select a region somewhere in the right timezone rather than a broader bucket like "US East Coast" (though I did see a blanket "US" IP range)?
Replies: 0 | Boosts: 0 | Views: 656 | Activity: Jul ’21
Clarification on the communication Client -> Ingress -> Egress required
Hello. There are several points in the way the Private Relay feature works which are not clear to me. It's declared that the Ingress proxy knows only the client IP, while the Egress proxy knows only the server name of the DNS request. At the same time, there is a later slide in the session which states that subsequent communication between the client and the Egress server happens through the Ingress server. The client must share the server name with the Egress. How is it guaranteed in this configuration that the Ingress server can't read the server name while it stays in the middle? I assume it's achieved by a TLS-secured connection, which is part of the HTTP/3 protocol. But this position of the Ingress in the middle in theory means that the Ingress can read the secured traffic between the client and the Egress, just the way it works in a MitM attack, because the certificate check on the client side is also controlled by Apple. Could you please comment on that? With regards.
Replies: 1 | Boosts: 0 | Views: 982 | Activity: Jul ’21
Unable to test Private Relay with Apple One subscription?
Does anyone know why it is impossible to enable/test Private Relay even with an Apple One Premier subscription? Wouldn't it make sense that during the macOS beta all users would be able to turn it on? This feature looks good on paper, but the barrier to testing makes no sense. Any help greatly appreciated.
Replies: 0 | Boosts: 0 | Views: 903 | Activity: Aug ’21
iCloud Private Relay
Will the new iCloud Private Relay features be manageable via MDM or declarative device management?
Replies: 5 | Boosts: 0 | Views: 3.3k | Activity: Aug ’21
Does Apple One (Family) include iCloud+ Private Relay?
I subscribed to Apple One (Family) recently, with my iPhone and Mac both updated to iOS 15 and macOS 12. I want to try iCloud Private Relay. However, it seems like I need to subscribe to iCloud+ individually to use iCloud Private Relay. So, does Apple One (Family) include iCloud+ Private Relay?
Replies: 1 | Boosts: 0 | Views: 880 | Activity: Aug ’21
Restore in Apple
I formatted the phone and I did not have a backup in iCloud. Can Apple restore the files that were on the phone before it was formatted?
Replies: 1 | Boosts: 0 | Views: 808 | Activity: Aug ’21
Check for Private Relay
Hello there, I would like to know if my users have Private Relay set up. Can I refer to the configuration status of Private Relay from the application or the web?
Replies: 0 | Boosts: 0 | Views: 571 | Activity: Aug ’21
Private Relay Exception List
Hi there, does anyone know if the existing App Transport Security Settings -> Exception Domains will still work after Private Relay is enabled? That is, can an excepted domain still use http without going through the Apple proxy? Thanks, Tao
Replies: 0 | Boosts: 0 | Views: 518 | Activity: Aug ’21
IP addresses that do not exist in egress-ip-ranges.csv are being used
I found an IP address being used that was not on the list (https://mask-api.icloud.com/egress-ip-ranges.csv), like this: 172.225.46.223. Is the list going to be updated? How often is it updated? Do you plan to inform the public when it is updated?
Replies: 0 | Boosts: 0 | Views: 562 | Activity: Jul ’21
HTTP header enrichment Private Relay
Hello there, HTTP header enrichment is key to our app. Is there a way for an app to send an HTTP request that bypasses Private Relay so it could be enriched for SIM authentication over the mobile network?
Replies: 1 | Boosts: 0 | Views: 1.1k | Activity: Jul ’21
Is the iCloud Private Relay article linked somewhere?
The session video mentions an article with host name details and proxy IP ranges. Is that linked somewhere? The article linked from the talk just generically says "here are some laws you can read".
Replies: 2 | Boosts: 0 | Views: 1.1k | Activity: Jul ’21
Private Relay's IP addresses
In the following video: https://developer.apple.com/videos/play/wwdc2021/10096 the speaker, Delziel Fernandes, mentioned an article listing the IP addresses. Where can I find it?
Replies: 2 | Boosts: 0 | Views: 1k | Activity: Jul ’21